projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Fix missing cmd_status in mgmt
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
1da177e4
LT		 6
7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License version 2 as
11 published by the Free Software Foundation;
12
13 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
14 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
16 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 17 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
18 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
19 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 20 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21
8e87d142
YH		 22 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
23 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 24 SOFTWARE IS DISCLAIMED.
25*/
26
bb58f747 27/* Bluetooth L2CAP core. */
1da177e4 28
1da177e4
LT		 29#include <linux/module.h>
30
31#include <linux/types.h>
4fc268d2 32#include <linux/capability.h>
1da177e4
LT		 33#include <linux/errno.h>
34#include <linux/kernel.h>
1da177e4
LT		 35#include <linux/sched.h>
36#include <linux/slab.h>
37#include <linux/poll.h>
38#include <linux/fcntl.h>
39#include <linux/init.h>
40#include <linux/interrupt.h>
41#include <linux/socket.h>
42#include <linux/skbuff.h>
1da177e4 43#include <linux/list.h>
be9d1227 44#include <linux/device.h>
aef7d97c
MH		 45#include <linux/debugfs.h>
46#include <linux/seq_file.h>
af05b30b 47#include <linux/uaccess.h>
fcc203c3 48#include <linux/crc16.h>
1da177e4
LT		 49#include <net/sock.h>
50
51#include <asm/system.h>
1da177e4
LT		 52#include <asm/unaligned.h>
53
54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h>
b501d6a1 57#include <net/bluetooth/smp.h>
1da177e4 58
bb58f747 59int disable_ertm;
a5fd6f30 60int enable_hs;
f0709e03 61
47ec1dcd 62static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
e1027a7c 63static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 64
b5ad8b7f
JB		 65static LIST_HEAD(chan_list);
66static DEFINE_RWLOCK(chan_list_lock);
1da177e4 67
1da177e4
LT		 68static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
69 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 70static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
71 void *data);
710f9b0a 72static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a
GP		 73static void l2cap_send_disconn_req(struct l2cap_conn *conn,
74 struct l2cap_chan *chan, int err);
1da177e4 75
218bb9df
GP		 76static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
77
0139418c 78/* ---- L2CAP channels ---- */
71ba0e56
GP		 79
80static inline void chan_hold(struct l2cap_chan *c)
81{
82 atomic_inc(&c->refcnt);
83}
84
85static inline void chan_put(struct l2cap_chan *c)
86{
87 if (atomic_dec_and_test(&c->refcnt))
88 kfree(c);
89}
90
baa7e1fa 91static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 92{
48454079 93 struct l2cap_chan *c;
baa7e1fa
GP		 94
95 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 96 if (c->dcid == cid)
baa7e1fa 97 return c;
0139418c 98 }
baa7e1fa
GP		 99 return NULL;
100
0139418c
MH		 101}
102
baa7e1fa 103static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 104{
48454079 105 struct l2cap_chan *c;
baa7e1fa
GP		 106
107 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 108 if (c->scid == cid)
baa7e1fa 109 return c;
0139418c 110 }
baa7e1fa 111 return NULL;
0139418c
MH		 112}
113
114/* Find channel with given SCID.
115 * Returns locked socket */
baa7e1fa 116static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 117{
48454079 118 struct l2cap_chan *c;
baa7e1fa
GP		 119
120 read_lock(&conn->chan_lock);
121 c = __l2cap_get_chan_by_scid(conn, cid);
48454079
GP		 122 if (c)
123 bh_lock_sock(c->sk);
baa7e1fa 124 read_unlock(&conn->chan_lock);
48454079 125 return c;
0139418c
MH		 126}
127
baa7e1fa 128static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 129{
48454079 130 struct l2cap_chan *c;
baa7e1fa
GP		 131
132 list_for_each_entry(c, &conn->chan_l, list) {
fc7f8a7e 133 if (c->ident == ident)
baa7e1fa 134 return c;
0139418c 135 }
baa7e1fa 136 return NULL;
0139418c
MH		 137}
138
baa7e1fa 139static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 140{
48454079 141 struct l2cap_chan *c;
baa7e1fa
GP		 142
143 read_lock(&conn->chan_lock);
144 c = __l2cap_get_chan_by_ident(conn, ident);
48454079
GP		 145 if (c)
146 bh_lock_sock(c->sk);
baa7e1fa 147 read_unlock(&conn->chan_lock);
48454079 148 return c;
0139418c
MH		 149}
150
23691d75 151static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 152{
23691d75 153 struct l2cap_chan *c;
9e4425ff 154
23691d75
GP		 155 list_for_each_entry(c, &chan_list, global_l) {
156 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
9e4425ff
GP		 157 goto found;
158 }
159
23691d75 160 c = NULL;
9e4425ff 161found:
23691d75 162 return c;
9e4425ff
GP		 163}
164
165int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
166{
73b2ec18
GP		 167 int err;
168
23691d75 169 write_lock_bh(&chan_list_lock);
9e4425ff 170
23691d75 171 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 172 err = -EADDRINUSE;
173 goto done;
9e4425ff
GP		 174 }
175
73b2ec18
GP		 176 if (psm) {
177 chan->psm = psm;
178 chan->sport = psm;
179 err = 0;
180 } else {
181 u16 p;
182
183 err = -EINVAL;
184 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 185 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 186 chan->psm = cpu_to_le16(p);
187 chan->sport = cpu_to_le16(p);
188 err = 0;
189 break;
190 }
191 }
9e4425ff 192
73b2ec18 193done:
23691d75 194 write_unlock_bh(&chan_list_lock);
73b2ec18 195 return err;
9e4425ff
GP		 196}
197
198int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
199{
23691d75 200 write_lock_bh(&chan_list_lock);
9e4425ff
GP		 201
202 chan->scid = scid;
203
23691d75 204 write_unlock_bh(&chan_list_lock);
9e4425ff
GP		 205
206 return 0;
207}
208
baa7e1fa 209static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 210{
8db4dc46 211 u16 cid = L2CAP_CID_DYN_START;
0139418c 212
8db4dc46 213 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 214 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 215 return cid;
216 }
217
218 return 0;
219}
220
c9b66675 221static void l2cap_set_timer(struct l2cap_chan *chan, struct timer_list *timer, long timeout)
ab07801d 222{
774e5651 223 BT_DBG("chan %p state %d timeout %ld", chan->sk, chan->state, timeout);
89bc500e 224
942ecc9c 225 if (!mod_timer(timer, jiffies + msecs_to_jiffies(timeout)))
774e5651 226 chan_hold(chan);
ab07801d
GP		 227}
228
c9b66675 229static void l2cap_clear_timer(struct l2cap_chan *chan, struct timer_list *timer)
ab07801d 230{
774e5651 231 BT_DBG("chan %p state %d", chan, chan->state);
ab07801d 232
774e5651
MM		 233 if (timer_pending(timer) && del_timer(timer))
234 chan_put(chan);
ab07801d
GP		 235}
236
89bc500e
GP		 237static void l2cap_state_change(struct l2cap_chan *chan, int state)
238{
239 chan->state = state;
240 chan->ops->state_change(chan->data, state);
241}
242
ab07801d
GP		 243static void l2cap_chan_timeout(unsigned long arg)
244{
245 struct l2cap_chan *chan = (struct l2cap_chan *) arg;
246 struct sock *sk = chan->sk;
247 int reason;
248
89bc500e 249 BT_DBG("chan %p state %d", chan, chan->state);
ab07801d
GP		 250
251 bh_lock_sock(sk);
252
253 if (sock_owned_by_user(sk)) {
254 /* sk is owned by user. Try again later */
c9b66675 255 __set_chan_timer(chan, HZ / 5);
ab07801d 256 bh_unlock_sock(sk);
71ba0e56 257 chan_put(chan);
ab07801d
GP		 258 return;
259 }
260
89bc500e 261 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 262 reason = ECONNREFUSED;
89bc500e 263 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 264 chan->sec_level != BT_SECURITY_SDP)
265 reason = ECONNREFUSED;
266 else
267 reason = ETIMEDOUT;
268
0f852724 269 l2cap_chan_close(chan, reason);
ab07801d
GP		 270
271 bh_unlock_sock(sk);
272
ba3bd0ee 273 chan->ops->close(chan->data);
71ba0e56 274 chan_put(chan);
ab07801d
GP		 275}
276
23691d75 277struct l2cap_chan *l2cap_chan_create(struct sock *sk)
48454079
GP		 278{
279 struct l2cap_chan *chan;
280
281 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
282 if (!chan)
283 return NULL;
284
285 chan->sk = sk;
286
23691d75
GP		 287 write_lock_bh(&chan_list_lock);
288 list_add(&chan->global_l, &chan_list);
289 write_unlock_bh(&chan_list_lock);
290
ab07801d
GP		 291 setup_timer(&chan->chan_timer, l2cap_chan_timeout, (unsigned long) chan);
292
89bc500e
GP		 293 chan->state = BT_OPEN;
294
71ba0e56
GP		 295 atomic_set(&chan->refcnt, 1);
296
48454079
GP		 297 return chan;
298}
299
23691d75 300void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 301{
23691d75
GP		 302 write_lock_bh(&chan_list_lock);
303 list_del(&chan->global_l);
304 write_unlock_bh(&chan_list_lock);
305
71ba0e56 306 chan_put(chan);
6ff5abbf
GP		 307}
308
48454079 309static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 310{
af05b30b 311 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
fe4128e0 312 chan->psm, chan->dcid);
0139418c 313
2950f21a
MH		 314 conn->disc_reason = 0x13;
315
8c1d787b 316 chan->conn = conn;
0139418c 317
715ec005 318 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
b62f328b
VT		 319 if (conn->hcon->type == LE_LINK) {
320 /* LE connection */
0c1bc5c6 321 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 322 chan->scid = L2CAP_CID_LE_DATA;
323 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 324 } else {
325 /* Alloc CID for connection-oriented socket */
fe4128e0 326 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 327 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 328 }
715ec005 329 } else if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
0139418c 330 /* Connectionless socket */
fe4128e0
GP		 331 chan->scid = L2CAP_CID_CONN_LESS;
332 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 333 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 334 } else {
335 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 336 chan->scid = L2CAP_CID_SIGNALING;
337 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 338 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 339 }
340
8f7975b1
AE		 341 chan->local_id = L2CAP_BESTEFFORT_ID;
342 chan->local_stype = L2CAP_SERV_BESTEFFORT;
343 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
344 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
345 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
346 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
347
71ba0e56 348 chan_hold(chan);
baa7e1fa
GP		 349
350 list_add(&chan->list, &conn->chan_l);
0139418c
MH		 351}
352
8e87d142 353/* Delete channel.
0139418c 354 * Must be called on the locked socket. */
4519de9a 355static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 356{
48454079 357 struct sock *sk = chan->sk;
8c1d787b 358 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 359 struct sock *parent = bt_sk(sk)->parent;
360
c9b66675 361 __clear_chan_timer(chan);
0139418c 362
49208c9c 363 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 364
8e87d142 365 if (conn) {
baa7e1fa
GP		 366 /* Delete from channel list */
367 write_lock_bh(&conn->chan_lock);
368 list_del(&chan->list);
369 write_unlock_bh(&conn->chan_lock);
71ba0e56 370 chan_put(chan);
baa7e1fa 371
8c1d787b 372 chan->conn = NULL;
0139418c
MH		 373 hci_conn_put(conn->hcon);
374 }
375
89bc500e 376 l2cap_state_change(chan, BT_CLOSED);
0139418c
MH		 377 sock_set_flag(sk, SOCK_ZAPPED);
378
379 if (err)
380 sk->sk_err = err;
381
382 if (parent) {
383 bt_accept_unlink(sk);
384 parent->sk_data_ready(parent, 0);
385 } else
386 sk->sk_state_change(sk);
c13ffa62 387
c1360a1c
GP		 388 if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
389 test_bit(CONF_INPUT_DONE, &chan->conf_state)))
6ff5abbf 390 return;
2ead70b8 391
58d35f87 392 skb_queue_purge(&chan->tx_q);
c13ffa62 393
0c1bc5c6 394 if (chan->mode == L2CAP_MODE_ERTM) {
c13ffa62
GP		 395 struct srej_list *l, *tmp;
396
1a09bcb9
GP		 397 __clear_retrans_timer(chan);
398 __clear_monitor_timer(chan);
399 __clear_ack_timer(chan);
c13ffa62 400
f1c6775b 401 skb_queue_purge(&chan->srej_q);
c13ffa62 402
39d5a3ee 403 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
c13ffa62
GP		 404 list_del(&l->list);
405 kfree(l);
406 }
407 }
0139418c
MH		 408}
409
4519de9a
GP		 410static void l2cap_chan_cleanup_listen(struct sock *parent)
411{
412 struct sock *sk;
413
414 BT_DBG("parent %p", parent);
415
416 /* Close not yet accepted channels */
0f852724 417 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee 418 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
c9b66675 419 __clear_chan_timer(chan);
0f852724 420 lock_sock(sk);
ba3bd0ee 421 l2cap_chan_close(chan, ECONNRESET);
0f852724 422 release_sock(sk);
ba3bd0ee 423 chan->ops->close(chan->data);
0f852724 424 }
4519de9a
GP		 425}
426
0f852724 427void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 428{
429 struct l2cap_conn *conn = chan->conn;
430 struct sock *sk = chan->sk;
431
89bc500e 432 BT_DBG("chan %p state %d socket %p", chan, chan->state, sk->sk_socket);
4519de9a 433
89bc500e 434 switch (chan->state) {
4519de9a
GP		 435 case BT_LISTEN:
436 l2cap_chan_cleanup_listen(sk);
89bc500e
GP		 437
438 l2cap_state_change(chan, BT_CLOSED);
439 sock_set_flag(sk, SOCK_ZAPPED);
4519de9a
GP		 440 break;
441
442 case BT_CONNECTED:
443 case BT_CONFIG:
715ec005 444 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 445 conn->hcon->type == ACL_LINK) {
c9b66675
GP		 446 __clear_chan_timer(chan);
447 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 448 l2cap_send_disconn_req(conn, chan, reason);
449 } else
450 l2cap_chan_del(chan, reason);
451 break;
452
453 case BT_CONNECT2:
715ec005 454 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 455 conn->hcon->type == ACL_LINK) {
456 struct l2cap_conn_rsp rsp;
457 __u16 result;
458
459 if (bt_sk(sk)->defer_setup)
460 result = L2CAP_CR_SEC_BLOCK;
461 else
462 result = L2CAP_CR_BAD_PSM;
89bc500e 463 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 464
465 rsp.scid = cpu_to_le16(chan->dcid);
466 rsp.dcid = cpu_to_le16(chan->scid);
467 rsp.result = cpu_to_le16(result);
468 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
469 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
470 sizeof(rsp), &rsp);
471 }
472
473 l2cap_chan_del(chan, reason);
474 break;
475
476 case BT_CONNECT:
477 case BT_DISCONN:
478 l2cap_chan_del(chan, reason);
479 break;
480
481 default:
482 sock_set_flag(sk, SOCK_ZAPPED);
483 break;
484 }
485}
486
4343478f 487static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 488{
715ec005 489 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 490 switch (chan->sec_level) {
8556edd3
JH		 491 case BT_SECURITY_HIGH:
492 return HCI_AT_DEDICATED_BONDING_MITM;
493 case BT_SECURITY_MEDIUM:
494 return HCI_AT_DEDICATED_BONDING;
495 default:
496 return HCI_AT_NO_BONDING;
497 }
fe4128e0 498 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 499 if (chan->sec_level == BT_SECURITY_LOW)
500 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 501
4343478f 502 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 503 return HCI_AT_NO_BONDING_MITM;
00ae4af9 504 else
8556edd3 505 return HCI_AT_NO_BONDING;
00ae4af9 506 } else {
4343478f 507 switch (chan->sec_level) {
00ae4af9 508 case BT_SECURITY_HIGH:
8556edd3 509 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 510 case BT_SECURITY_MEDIUM:
8556edd3 511 return HCI_AT_GENERAL_BONDING;
00ae4af9 512 default:
8556edd3 513 return HCI_AT_NO_BONDING;
00ae4af9 514 }
0684e5f9 515 }
8556edd3
JH		 516}
517
518/* Service level security */
4343478f 519static inline int l2cap_check_security(struct l2cap_chan *chan)
8556edd3 520{
8c1d787b 521 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 522 __u8 auth_type;
523
4343478f 524 auth_type = l2cap_get_auth_type(chan);
79d554a6 525
4343478f 526 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 527}
528
b5ad8b7f 529static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 530{
531 u8 id;
532
533 /* Get next available identificator.
534 * 1 - 128 are used by kernel.
535 * 129 - 199 are reserved.
536 * 200 - 254 are used by utilities like l2ping, etc.
537 */
538
539 spin_lock_bh(&conn->lock);
540
541 if (++conn->tx_ident > 128)
542 conn->tx_ident = 1;
543
544 id = conn->tx_ident;
545
546 spin_unlock_bh(&conn->lock);
547
548 return id;
549}
550
4519de9a 551static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 552{
553 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 554 u8 flags;
4e8402a3
MH		 555
556 BT_DBG("code 0x%2.2x", code);
557
558 if (!skb)
9a9c6a34 559 return;
4e8402a3 560
e702112f
AE		 561 if (lmp_no_flush_capable(conn->hcon->hdev))
562 flags = ACL_START_NO_FLUSH;
563 else
564 flags = ACL_START;
565
14b12d0b
JG		 566 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
567
e702112f 568 hci_send_acl(conn->hcon, skb, flags);
4e8402a3
MH		 569}
570
525cd185 571static inline void l2cap_send_sframe(struct l2cap_chan *chan, u16 control)
1c2acffb
GP		 572{
573 struct sk_buff *skb;
574 struct l2cap_hdr *lh;
8c1d787b 575 struct l2cap_conn *conn = chan->conn;
e4ca6d98 576 int count, hlen;
e702112f 577 u8 flags;
fcc203c3 578
89bc500e 579 if (chan->state != BT_CONNECTED)
c13ffa62
GP		 580 return;
581
e4ca6d98
AE		 582 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
583 hlen = L2CAP_EXT_HDR_SIZE;
584 else
585 hlen = L2CAP_ENH_HDR_SIZE;
586
47d1ec61 587 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3 588 hlen += 2;
1c2acffb 589
49208c9c 590 BT_DBG("chan %p, control 0x%2.2x", chan, control);
1c2acffb 591
fcc203c3 592 count = min_t(unsigned int, conn->mtu, hlen);
793c2f1c
AE		 593
594 control |= __set_sframe(chan);
1c2acffb 595
e2ab4353 596 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 597 control |= __set_ctrl_final(chan);
9e917af1 598
e2ab4353 599 if (test_and_clear_bit(CONN_SEND_PBIT, &chan->conn_state))
e3781735 600 control |= __set_ctrl_poll(chan);
f0946ccf 601
1c2acffb
GP		 602 skb = bt_skb_alloc(count, GFP_ATOMIC);
603 if (!skb)
9a9c6a34 604 return;
1c2acffb
GP		 605
606 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 607 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
fe4128e0 608 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 609 put_unaligned_le16(control, skb_put(skb, 2));
610
47d1ec61 611 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 612 u16 fcs = crc16(0, (u8 *)lh, count - 2);
613 put_unaligned_le16(fcs, skb_put(skb, 2));
614 }
615
e702112f
AE		 616 if (lmp_no_flush_capable(conn->hcon->hdev))
617 flags = ACL_START_NO_FLUSH;
618 else
619 flags = ACL_START;
620
15770b1a 621 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
14b12d0b 622
8c1d787b 623 hci_send_acl(chan->conn->hcon, skb, flags);
1c2acffb
GP		 624}
625
525cd185 626static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u16 control)
7e743090 627{
e2ab4353 628 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 629 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 630 set_bit(CONN_RNR_SENT, &chan->conn_state);
1890d36b 631 } else
ab784b73 632 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
7e743090 633
0b209fae 634 control |= __set_reqseq(chan, chan->buffer_seq);
2ab25cdd 635
525cd185 636 l2cap_send_sframe(chan, control);
7e743090
GP		 637}
638
b4450035 639static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 640{
c1360a1c 641 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 642}
643
fc7f8a7e 644static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 645{
8c1d787b 646 struct l2cap_conn *conn = chan->conn;
79d554a6
MH		 647
648 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 649 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
650 return;
651
4343478f
GP		 652 if (l2cap_check_security(chan) &&
653 __l2cap_no_conn_pending(chan)) {
b1235d79 654 struct l2cap_conn_req req;
fe4128e0
GP		 655 req.scid = cpu_to_le16(chan->scid);
656 req.psm = chan->psm;
79d554a6 657
fc7f8a7e 658 chan->ident = l2cap_get_ident(conn);
c1360a1c 659 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
79d554a6 660
fc7f8a7e
GP		 661 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
662 sizeof(req), &req);
b1235d79 663 }
79d554a6
MH		 664 } else {
665 struct l2cap_info_req req;
666 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
667
668 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
669 conn->info_ident = l2cap_get_ident(conn);
670
671 mod_timer(&conn->info_timer, jiffies +
672 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
673
674 l2cap_send_cmd(conn, conn->info_ident,
675 L2CAP_INFO_REQ, sizeof(req), &req);
676 }
677}
678
cf6c2c0b
GP		 679static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
680{
681 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 682 if (!disable_ertm)
cf6c2c0b
GP		 683 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
684
685 switch (mode) {
686 case L2CAP_MODE_ERTM:
687 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
688 case L2CAP_MODE_STREAMING:
689 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
690 default:
691 return 0x00;
692 }
693}
694
4519de9a 695static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 696{
e92c8e70 697 struct sock *sk;
22121fc9
GP		 698 struct l2cap_disconn_req req;
699
c13ffa62
GP		 700 if (!conn)
701 return;
702
e92c8e70
GP		 703 sk = chan->sk;
704
0c1bc5c6 705 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 706 __clear_retrans_timer(chan);
707 __clear_monitor_timer(chan);
708 __clear_ack_timer(chan);
c13ffa62
GP		 709 }
710
fe4128e0
GP		 711 req.dcid = cpu_to_le16(chan->dcid);
712 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 713 l2cap_send_cmd(conn, l2cap_get_ident(conn),
714 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 715
89bc500e 716 l2cap_state_change(chan, BT_DISCONN);
9b108fc0 717 sk->sk_err = err;
22121fc9
GP		 718}
719
1da177e4 720/* ---- L2CAP connections ---- */
4e8402a3
MH		 721static void l2cap_conn_start(struct l2cap_conn *conn)
722{
820ffdb3 723 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 724
725 BT_DBG("conn %p", conn);
726
baa7e1fa 727 read_lock(&conn->chan_lock);
4e8402a3 728
820ffdb3 729 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 730 struct sock *sk = chan->sk;
baa7e1fa 731
4e8402a3
MH		 732 bh_lock_sock(sk);
733
715ec005 734 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
79d554a6
MH		 735 bh_unlock_sock(sk);
736 continue;
737 }
738
89bc500e 739 if (chan->state == BT_CONNECT) {
47731de7 740 struct l2cap_conn_req req;
79d554a6 741
4343478f 742 if (!l2cap_check_security(chan) ||
b4450035 743 !__l2cap_no_conn_pending(chan)) {
47731de7
GP		 744 bh_unlock_sock(sk);
745 continue;
746 }
79d554a6 747
c1360a1c
GP		 748 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
749 && test_bit(CONF_STATE2_DEVICE,
750 &chan->conf_state)) {
0f852724 751 /* l2cap_chan_close() calls list_del(chan)
820ffdb3 752 * so release the lock */
2461daac 753 read_unlock(&conn->chan_lock);
89bc500e 754 l2cap_chan_close(chan, ECONNRESET);
2461daac 755 read_lock(&conn->chan_lock);
47731de7
GP		 756 bh_unlock_sock(sk);
757 continue;
b1235d79 758 }
47731de7 759
fe4128e0
GP		 760 req.scid = cpu_to_le16(chan->scid);
761 req.psm = chan->psm;
47731de7 762
fc7f8a7e 763 chan->ident = l2cap_get_ident(conn);
c1360a1c 764 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
47731de7 765
fc7f8a7e
GP		 766 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
767 sizeof(req), &req);
47731de7 768
89bc500e 769 } else if (chan->state == BT_CONNECT2) {
79d554a6 770 struct l2cap_conn_rsp rsp;
e9aeb2dd 771 char buf[128];
fe4128e0
GP		 772 rsp.scid = cpu_to_le16(chan->dcid);
773 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 774
4343478f 775 if (l2cap_check_security(chan)) {
f66dc81f
MH		 776 if (bt_sk(sk)->defer_setup) {
777 struct sock *parent = bt_sk(sk)->parent;
778 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
779 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 780 if (parent)
781 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 782
783 } else {
89bc500e 784 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 785 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
786 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
787 }
79d554a6
MH		 788 } else {
789 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
790 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
791 }
792
fc7f8a7e
GP		 793 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
794 sizeof(rsp), &rsp);
e9aeb2dd 795
c1360a1c 796 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd
GP		 797 rsp.result != L2CAP_CR_SUCCESS) {
798 bh_unlock_sock(sk);
799 continue;
800 }
801
c1360a1c 802 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 803 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 804 l2cap_build_conf_req(chan, buf), buf);
805 chan->num_conf_req++;
4e8402a3
MH		 806 }
807
808 bh_unlock_sock(sk);
809 }
810
baa7e1fa 811 read_unlock(&conn->chan_lock);
4e8402a3
MH		 812}
813
b62f328b
VT		 814/* Find socket with cid and source bdaddr.
815 * Returns closest match, locked.
816 */
23691d75 817static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
b62f328b 818{
23691d75 819 struct l2cap_chan *c, *c1 = NULL;
b62f328b 820
23691d75 821 read_lock(&chan_list_lock);
b62f328b 822
23691d75
GP		 823 list_for_each_entry(c, &chan_list, global_l) {
824 struct sock *sk = c->sk;
fe4128e0 825
89bc500e 826 if (state && c->state != state)
b62f328b
VT		 827 continue;
828
23691d75 829 if (c->scid == cid) {
b62f328b 830 /* Exact match. */
23691d75
GP		 831 if (!bacmp(&bt_sk(sk)->src, src)) {
832 read_unlock(&chan_list_lock);
833 return c;
834 }
b62f328b
VT		 835
836 /* Closest match */
837 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 838 c1 = c;
b62f328b
VT		 839 }
840 }
280f294f 841
23691d75 842 read_unlock(&chan_list_lock);
b62f328b 843
23691d75 844 return c1;
b62f328b
VT		 845}
846
847static void l2cap_le_conn_ready(struct l2cap_conn *conn)
848{
c916fbe4 849 struct sock *parent, *sk;
23691d75 850 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 851
852 BT_DBG("");
853
854 /* Check if we have socket listening on cid */
23691d75 855 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
b62f328b 856 conn->src);
23691d75 857 if (!pchan)
b62f328b
VT		 858 return;
859
23691d75
GP		 860 parent = pchan->sk;
861
62f3a2cf
GP		 862 bh_lock_sock(parent);
863
b62f328b
VT		 864 /* Check for backlog size */
865 if (sk_acceptq_is_full(parent)) {
866 BT_DBG("backlog full %d", parent->sk_ack_backlog);
867 goto clean;
868 }
869
80808e43
GP		 870 chan = pchan->ops->new_connection(pchan->data);
871 if (!chan)
b62f328b
VT		 872 goto clean;
873
80808e43 874 sk = chan->sk;
5d41ce1d 875
baa7e1fa 876 write_lock_bh(&conn->chan_lock);
b62f328b
VT		 877
878 hci_conn_hold(conn->hcon);
879
b62f328b
VT		 880 bacpy(&bt_sk(sk)->src, conn->src);
881 bacpy(&bt_sk(sk)->dst, conn->dst);
882
d1010240
GP		 883 bt_accept_enqueue(parent, sk);
884
48454079
GP		 885 __l2cap_chan_add(conn, chan);
886
c9b66675 887 __set_chan_timer(chan, sk->sk_sndtimeo);
b62f328b 888
89bc500e 889 l2cap_state_change(chan, BT_CONNECTED);
b62f328b
VT		 890 parent->sk_data_ready(parent, 0);
891
baa7e1fa 892 write_unlock_bh(&conn->chan_lock);
b62f328b
VT		 893
894clean:
895 bh_unlock_sock(parent);
896}
897
f1cb9af5
VCG		 898static void l2cap_chan_ready(struct sock *sk)
899{
900 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
901 struct sock *parent = bt_sk(sk)->parent;
902
903 BT_DBG("sk %p, parent %p", sk, parent);
904
905 chan->conf_state = 0;
906 __clear_chan_timer(chan);
907
43f3dc41 908 l2cap_state_change(chan, BT_CONNECTED);
f1cb9af5
VCG		 909 sk->sk_state_change(sk);
910
911 if (parent)
912 parent->sk_data_ready(parent, 0);
913}
914
4e8402a3
MH		 915static void l2cap_conn_ready(struct l2cap_conn *conn)
916{
48454079 917 struct l2cap_chan *chan;
4e8402a3 918
79d554a6 919 BT_DBG("conn %p", conn);
4e8402a3 920
b62f328b
VT		 921 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
922 l2cap_le_conn_ready(conn);
923
160dc6ac
VCG		 924 if (conn->hcon->out && conn->hcon->type == LE_LINK)
925 smp_conn_security(conn, conn->hcon->pending_sec_level);
926
baa7e1fa 927 read_lock(&conn->chan_lock);
4e8402a3 928
baa7e1fa 929 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 930 struct sock *sk = chan->sk;
baa7e1fa 931
79d554a6 932 bh_lock_sock(sk);
4e8402a3 933
63128451 934 if (conn->hcon->type == LE_LINK) {
b501d6a1 935 if (smp_conn_security(conn, chan->sec_level))
f1cb9af5 936 l2cap_chan_ready(sk);
acd7d370 937
63128451 938 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 939 __clear_chan_timer(chan);
89bc500e 940 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 941 sk->sk_state_change(sk);
b501d6a1 942
89bc500e 943 } else if (chan->state == BT_CONNECT)
fc7f8a7e 944 l2cap_do_start(chan);
4e8402a3 945
79d554a6 946 bh_unlock_sock(sk);
4e8402a3 947 }
79d554a6 948
baa7e1fa 949 read_unlock(&conn->chan_lock);
4e8402a3
MH		 950}
951
952/* Notify sockets that we cannot guaranty reliability anymore */
953static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
954{
48454079 955 struct l2cap_chan *chan;
4e8402a3
MH		 956
957 BT_DBG("conn %p", conn);
958
baa7e1fa 959 read_lock(&conn->chan_lock);
4e8402a3 960
baa7e1fa 961 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 962 struct sock *sk = chan->sk;
baa7e1fa 963
ecf61bdb 964 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
4e8402a3
MH		 965 sk->sk_err = err;
966 }
967
baa7e1fa 968 read_unlock(&conn->chan_lock);
4e8402a3
MH		 969}
970
971static void l2cap_info_timeout(unsigned long arg)
972{
973 struct l2cap_conn *conn = (void *) arg;
974
984947dc 975 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 976 conn->info_ident = 0;
984947dc 977
4e8402a3
MH		 978 l2cap_conn_start(conn);
979}
980
5d3de7df
VCG		 981static void l2cap_conn_del(struct hci_conn *hcon, int err)
982{
983 struct l2cap_conn *conn = hcon->l2cap_data;
984 struct l2cap_chan *chan, *l;
985 struct sock *sk;
986
987 if (!conn)
988 return;
989
990 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
991
992 kfree_skb(conn->rx_skb);
993
994 /* Kill channels */
995 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
996 sk = chan->sk;
997 bh_lock_sock(sk);
998 l2cap_chan_del(chan, err);
999 bh_unlock_sock(sk);
1000 chan->ops->close(chan->data);
1001 }
1002
1003 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1004 del_timer_sync(&conn->info_timer);
1005
d26a2345 1006 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->pend)) {
5d3de7df 1007 del_timer(&conn->security_timer);
8aab4757 1008 smp_chan_destroy(conn);
d26a2345 1009 }
5d3de7df
VCG		 1010
1011 hcon->l2cap_data = NULL;
1012 kfree(conn);
1013}
1014
1015static void security_timeout(unsigned long arg)
1016{
1017 struct l2cap_conn *conn = (void *) arg;
1018
1019 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1020}
1021
1da177e4
LT		 1022static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1023{
0139418c 1024 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 1025
0139418c 1026 if (conn || status)
1da177e4
LT		 1027 return conn;
1028
0139418c
MH		 1029 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
1030 if (!conn)
1da177e4 1031 return NULL;
1da177e4
LT		 1032
1033 hcon->l2cap_data = conn;
1034 conn->hcon = hcon;
1035
0139418c
MH		 1036 BT_DBG("hcon %p conn %p", hcon, conn);
1037
acd7d370
VT		 1038 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1039 conn->mtu = hcon->hdev->le_mtu;
1040 else
1041 conn->mtu = hcon->hdev->acl_mtu;
1042
1da177e4
LT		 1043 conn->src = &hcon->hdev->bdaddr;
1044 conn->dst = &hcon->dst;
1045
4e8402a3
MH		 1046 conn->feat_mask = 0;
1047
1da177e4 1048 spin_lock_init(&conn->lock);
baa7e1fa
GP		 1049 rwlock_init(&conn->chan_lock);
1050
1051 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1052
5d3de7df
VCG		 1053 if (hcon->type == LE_LINK)
1054 setup_timer(&conn->security_timer, security_timeout,
1055 (unsigned long) conn);
1056 else
b62f328b 1057 setup_timer(&conn->info_timer, l2cap_info_timeout,
45054dc1
DY		 1058 (unsigned long) conn);
1059
2950f21a
MH		 1060 conn->disc_reason = 0x13;
1061
1da177e4
LT		 1062 return conn;
1063}
1064
48454079 1065static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
1da177e4 1066{
baa7e1fa 1067 write_lock_bh(&conn->chan_lock);
48454079 1068 __l2cap_chan_add(conn, chan);
baa7e1fa 1069 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 1070}
1071
1da177e4 1072/* ---- Socket interface ---- */
1da177e4
LT		 1073
1074/* Find socket with psm and source bdaddr.
1075 * Returns closest match.
1076 */
23691d75 1077static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4 1078{
23691d75 1079 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1080
23691d75 1081 read_lock(&chan_list_lock);
e0f0cb56 1082
23691d75
GP		 1083 list_for_each_entry(c, &chan_list, global_l) {
1084 struct sock *sk = c->sk;
fe4128e0 1085
89bc500e 1086 if (state && c->state != state)
1da177e4
LT		 1087 continue;
1088
23691d75 1089 if (c->psm == psm) {
1da177e4 1090 /* Exact match. */
23691d75 1091 if (!bacmp(&bt_sk(sk)->src, src)) {
a7567b20 1092 read_unlock(&chan_list_lock);
23691d75
GP		 1093 return c;
1094 }
1da177e4
LT		 1095
1096 /* Closest match */
1097 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 1098 c1 = c;
1da177e4
LT		 1099 }
1100 }
1da177e4 1101
23691d75 1102 read_unlock(&chan_list_lock);
e0f0cb56 1103
23691d75 1104 return c1;
1da177e4
LT		 1105}
1106
77a74c7e 1107int l2cap_chan_connect(struct l2cap_chan *chan)
1da177e4 1108{
5d41ce1d 1109 struct sock *sk = chan->sk;
1da177e4
LT		 1110 bdaddr_t *src = &bt_sk(sk)->src;
1111 bdaddr_t *dst = &bt_sk(sk)->dst;
1112 struct l2cap_conn *conn;
1113 struct hci_conn *hcon;
1114 struct hci_dev *hdev;
09ab6f4c 1115 __u8 auth_type;
44d0e48e 1116 int err;
1da177e4 1117
f29972de 1118 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
fe4128e0 1119 chan->psm);
1da177e4 1120
af05b30b
GP		 1121 hdev = hci_get_route(dst, src);
1122 if (!hdev)
1da177e4
LT		 1123 return -EHOSTUNREACH;
1124
1125 hci_dev_lock_bh(hdev);
1126
4343478f 1127 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1128
fe4128e0 1129 if (chan->dcid == L2CAP_CID_LE_DATA)
acd7d370 1130 hcon = hci_connect(hdev, LE_LINK, dst,
4343478f 1131 chan->sec_level, auth_type);
acd7d370
VT		 1132 else
1133 hcon = hci_connect(hdev, ACL_LINK, dst,
4343478f 1134 chan->sec_level, auth_type);
acd7d370 1135
30e76272
VT		 1136 if (IS_ERR(hcon)) {
1137 err = PTR_ERR(hcon);
1da177e4 1138 goto done;
30e76272 1139 }
1da177e4
LT		 1140
1141 conn = l2cap_conn_add(hcon, 0);
1142 if (!conn) {
1143 hci_conn_put(hcon);
30e76272 1144 err = -ENOMEM;
1da177e4
LT		 1145 goto done;
1146 }
1147
1da177e4
LT		 1148 /* Update source addr of the socket */
1149 bacpy(src, conn->src);
1150
48454079
GP		 1151 l2cap_chan_add(conn, chan);
1152
89bc500e 1153 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1154 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1155
1156 if (hcon->state == BT_CONNECTED) {
715ec005 1157 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1158 __clear_chan_timer(chan);
4343478f 1159 if (l2cap_check_security(chan))
89bc500e 1160 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1161 } else
fc7f8a7e 1162 l2cap_do_start(chan);
1da177e4
LT		 1163 }
1164
30e76272
VT		 1165 err = 0;
1166
1da177e4
LT		 1167done:
1168 hci_dev_unlock_bh(hdev);
1169 hci_dev_put(hdev);
1170 return err;
1171}
1172
dcba0dba 1173int __l2cap_wait_ack(struct sock *sk)
6161c038 1174{
8c1d787b 1175 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1176 DECLARE_WAITQUEUE(wait, current);
1177 int err = 0;
1178 int timeo = HZ/5;
1179
2b0b05dd 1180 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1181 set_current_state(TASK_INTERRUPTIBLE);
1182 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1183 if (!timeo)
1184 timeo = HZ/5;
1185
1186 if (signal_pending(current)) {
1187 err = sock_intr_errno(timeo);
1188 break;
1189 }
1190
1191 release_sock(sk);
1192 timeo = schedule_timeout(timeo);
1193 lock_sock(sk);
a71a0cf4 1194 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1195
1196 err = sock_error(sk);
1197 if (err)
1198 break;
1199 }
1200 set_current_state(TASK_RUNNING);
2b0b05dd 1201 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1202 return err;
1203}
1204
e90bac06
GP		 1205static void l2cap_monitor_timeout(unsigned long arg)
1206{
525cd185
GP		 1207 struct l2cap_chan *chan = (void *) arg;
1208 struct sock *sk = chan->sk;
e90bac06 1209
525cd185 1210 BT_DBG("chan %p", chan);
0e98958d 1211
e686219a 1212 bh_lock_sock(sk);
2c03a7a4 1213 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1214 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
b13f5860 1215 bh_unlock_sock(sk);
e90bac06
GP		 1216 return;
1217 }
1218
6a026610 1219 chan->retry_count++;
1a09bcb9 1220 __set_monitor_timer(chan);
e90bac06 1221
525cd185 1222 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1223 bh_unlock_sock(sk);
e90bac06
GP		 1224}
1225
1226static void l2cap_retrans_timeout(unsigned long arg)
1227{
525cd185
GP		 1228 struct l2cap_chan *chan = (void *) arg;
1229 struct sock *sk = chan->sk;
e90bac06 1230
49208c9c 1231 BT_DBG("chan %p", chan);
0e98958d 1232
e686219a 1233 bh_lock_sock(sk);
6a026610 1234 chan->retry_count = 1;
1a09bcb9 1235 __set_monitor_timer(chan);
e90bac06 1236
e2ab4353 1237 set_bit(CONN_WAIT_F, &chan->conn_state);
e90bac06 1238
525cd185 1239 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1240 bh_unlock_sock(sk);
e90bac06
GP		 1241}
1242
42e5c802 1243static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1da177e4 1244{
1c2acffb 1245 struct sk_buff *skb;
1da177e4 1246
58d35f87 1247 while ((skb = skb_peek(&chan->tx_q)) &&
6a026610 1248 chan->unacked_frames) {
42e5c802 1249 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1c2acffb 1250 break;
1da177e4 1251
58d35f87 1252 skb = skb_dequeue(&chan->tx_q);
1c2acffb 1253 kfree_skb(skb);
1da177e4 1254
6a026610 1255 chan->unacked_frames--;
1c2acffb 1256 }
1da177e4 1257
6a026610 1258 if (!chan->unacked_frames)
1a09bcb9 1259 __clear_retrans_timer(chan);
1c2acffb 1260}
1da177e4 1261
67c9e840 1262static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
1c2acffb 1263{
8c1d787b 1264 struct hci_conn *hcon = chan->conn->hcon;
e702112f 1265 u16 flags;
1c2acffb 1266
4343478f 1267 BT_DBG("chan %p, skb %p len %d", chan, skb, skb->len);
1da177e4 1268
d57b0e8b
AE		 1269 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
1270 lmp_no_flush_capable(hcon->hdev))
e702112f
AE		 1271 flags = ACL_START_NO_FLUSH;
1272 else
1273 flags = ACL_START;
1274
15770b1a 1275 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
e702112f 1276 hci_send_acl(hcon, skb, flags);
1c2acffb
GP		 1277}
1278
67c9e840 1279static void l2cap_streaming_send(struct l2cap_chan *chan)
6840ed07 1280{
ccbb84af 1281 struct sk_buff *skb;
fcc203c3 1282 u16 control, fcs;
6840ed07 1283
58d35f87 1284 while ((skb = skb_dequeue(&chan->tx_q))) {
ccbb84af 1285 control = get_unaligned_le16(skb->data + L2CAP_HDR_SIZE);
fb45de7d 1286 control |= __set_txseq(chan, chan->next_tx_seq);
ccbb84af 1287 put_unaligned_le16(control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1288
47d1ec61 1289 if (chan->fcs == L2CAP_FCS_CRC16) {
ccbb84af
GP		 1290 fcs = crc16(0, (u8 *)skb->data, skb->len - 2);
1291 put_unaligned_le16(fcs, skb->data + skb->len - 2);
fcc203c3
GP		 1292 }
1293
4343478f 1294 l2cap_do_send(chan, skb);
6840ed07 1295
42e5c802 1296 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
6840ed07 1297 }
6840ed07
GP		 1298}
1299
fb45de7d 1300static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 1301{
8f17154f
GP		 1302 struct sk_buff *skb, *tx_skb;
1303 u16 control, fcs;
8f17154f 1304
58d35f87 1305 skb = skb_peek(&chan->tx_q);
f11d676d
GP		 1306 if (!skb)
1307 return;
8f17154f 1308
f11d676d
GP		 1309 do {
1310 if (bt_cb(skb)->tx_seq == tx_seq)
8f17154f 1311 break;
8f17154f 1312
58d35f87 1313 if (skb_queue_is_last(&chan->tx_q, skb))
f11d676d 1314 return;
8f17154f 1315
58d35f87 1316 } while ((skb = skb_queue_next(&chan->tx_q, skb)));
8f17154f 1317
2c03a7a4
GP		 1318 if (chan->remote_max_tx &&
1319 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1320 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
f11d676d
GP		 1321 return;
1322 }
1323
1324 tx_skb = skb_clone(skb, GFP_ATOMIC);
1325 bt_cb(skb)->retries++;
1326 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1327 control &= __get_sar_mask(chan);
3cb123d1 1328
e2ab4353 1329 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1330 control |= __set_ctrl_final(chan);
95ffa978 1331
0b209fae 1332 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1333 control |= __set_txseq(chan, tx_seq);
3cb123d1 1334
f11d676d
GP		 1335 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1336
47d1ec61 1337 if (chan->fcs == L2CAP_FCS_CRC16) {
f11d676d
GP		 1338 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1339 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1340 }
1341
4343478f 1342 l2cap_do_send(chan, tx_skb);
8f17154f
GP		 1343}
1344
67c9e840 1345static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1346{
1347 struct sk_buff *skb, *tx_skb;
fcc203c3 1348 u16 control, fcs;
9a9c6a34 1349 int nsent = 0;
1c2acffb 1350
89bc500e 1351 if (chan->state != BT_CONNECTED)
c13ffa62 1352 return -ENOTCONN;
e90bac06 1353
58d35f87 1354 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1c2acffb 1355
2c03a7a4
GP		 1356 if (chan->remote_max_tx &&
1357 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1358 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
e90bac06
GP		 1359 break;
1360 }
1361
e420aba3
AE		 1362 tx_skb = skb_clone(skb, GFP_ATOMIC);
1363
e90bac06
GP		 1364 bt_cb(skb)->retries++;
1365
1c2acffb 1366 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1367 control &= __get_sar_mask(chan);
95ffa978 1368
e2ab4353 1369 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1370 control |= __set_ctrl_final(chan);
e2ab4353 1371
0b209fae 1372 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1373 control |= __set_txseq(chan, chan->next_tx_seq);
1c2acffb
GP		 1374 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1375
e90bac06 1376
47d1ec61 1377 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1378 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1379 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1380 }
1381
4343478f 1382 l2cap_do_send(chan, tx_skb);
9a9c6a34 1383
1a09bcb9 1384 __set_retrans_timer(chan);
1c2acffb 1385
42e5c802
GP		 1386 bt_cb(skb)->tx_seq = chan->next_tx_seq;
1387 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
1c2acffb 1388
23e9fde2 1389 if (bt_cb(skb)->retries == 1)
6a026610 1390 chan->unacked_frames++;
23e9fde2 1391
6a026610 1392 chan->frames_sent++;
1c2acffb 1393
58d35f87
GP		 1394 if (skb_queue_is_last(&chan->tx_q, skb))
1395 chan->tx_send_head = NULL;
1c2acffb 1396 else
58d35f87 1397 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
9e917af1
GP		 1398
1399 nsent++;
1c2acffb
GP		 1400 }
1401
9e917af1
GP		 1402 return nsent;
1403}
1404
525cd185 1405static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1406{
dfc909be
GP		 1407 int ret;
1408
58d35f87
GP		 1409 if (!skb_queue_empty(&chan->tx_q))
1410 chan->tx_send_head = chan->tx_q.next;
dfc909be 1411
42e5c802 1412 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1413 ret = l2cap_ertm_send(chan);
dfc909be
GP		 1414 return ret;
1415}
1416
525cd185 1417static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1418{
9e917af1
GP		 1419 u16 control = 0;
1420
0b209fae 1421 control |= __set_reqseq(chan, chan->buffer_seq);
9e917af1 1422
e2ab4353 1423 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 1424 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 1425 set_bit(CONN_RNR_SENT, &chan->conn_state);
525cd185 1426 l2cap_send_sframe(chan, control);
9a9c6a34 1427 return;
9e917af1 1428 }
dfc909be 1429
525cd185 1430 if (l2cap_ertm_send(chan) > 0)
dfc909be
GP		 1431 return;
1432
ab784b73 1433 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 1434 l2cap_send_sframe(chan, control);
1c2acffb
GP		 1435}
1436
525cd185 1437static void l2cap_send_srejtail(struct l2cap_chan *chan)
99b0d4b7
GP		 1438{
1439 struct srej_list *tail;
1440 u16 control;
1441
ab784b73 1442 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
03f6715d 1443 control |= __set_ctrl_final(chan);
99b0d4b7 1444
39d5a3ee 1445 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
0b209fae 1446 control |= __set_reqseq(chan, tail->tx_seq);
99b0d4b7 1447
525cd185 1448 l2cap_send_sframe(chan, control);
99b0d4b7
GP		 1449}
1450
1c2acffb
GP		 1451static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1452{
8c1d787b 1453 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1c2acffb
GP		 1454 struct sk_buff **frag;
1455 int err, sent = 0;
1da177e4 1456
59203a21 1457 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1458 return -EFAULT;
1da177e4
LT		 1459
1460 sent += count;
1461 len -= count;
1462
1463 /* Continuation fragments (no L2CAP header) */
1464 frag = &skb_shinfo(skb)->frag_list;
1465 while (len) {
1466 count = min_t(unsigned int, conn->mtu, len);
1467
1468 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1469 if (!*frag)
0175d629 1470 return err;
1c2acffb
GP		 1471 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1472 return -EFAULT;
1da177e4
LT		 1473
1474 sent += count;
1475 len -= count;
1476
1477 frag = &(*frag)->next;
1478 }
1da177e4
LT		 1479
1480 return sent;
1c2acffb 1481}
1da177e4 1482
67c9e840 1483static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1c2acffb 1484{
fe4128e0 1485 struct sock *sk = chan->sk;
8c1d787b 1486 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1487 struct sk_buff *skb;
1488 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1489 struct l2cap_hdr *lh;
1490
1491 BT_DBG("sk %p len %d", sk, (int)len);
1492
1493 count = min_t(unsigned int, (conn->mtu - hlen), len);
1494 skb = bt_skb_send_alloc(sk, count + hlen,
1495 msg->msg_flags & MSG_DONTWAIT, &err);
1496 if (!skb)
0175d629 1497 return ERR_PTR(err);
1c2acffb
GP		 1498
1499 /* Create L2CAP header */
1500 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1501 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1502 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
fe4128e0 1503 put_unaligned_le16(chan->psm, skb_put(skb, 2));
1c2acffb
GP		 1504
1505 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1506 if (unlikely(err < 0)) {
1507 kfree_skb(skb);
1508 return ERR_PTR(err);
1509 }
1510 return skb;
1511}
1512
67c9e840 1513static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1c2acffb 1514{
fe4128e0 1515 struct sock *sk = chan->sk;
8c1d787b 1516 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1517 struct sk_buff *skb;
1518 int err, count, hlen = L2CAP_HDR_SIZE;
1519 struct l2cap_hdr *lh;
1520
1521 BT_DBG("sk %p len %d", sk, (int)len);
1522
1523 count = min_t(unsigned int, (conn->mtu - hlen), len);
1524 skb = bt_skb_send_alloc(sk, count + hlen,
1525 msg->msg_flags & MSG_DONTWAIT, &err);
1526 if (!skb)
0175d629 1527 return ERR_PTR(err);
1c2acffb
GP		 1528
1529 /* Create L2CAP header */
1530 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1531 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1532 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1533
1534 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1535 if (unlikely(err < 0)) {
1536 kfree_skb(skb);
1537 return ERR_PTR(err);
1538 }
1539 return skb;
1540}
1541
ab0ff76d
LAD		 1542static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
1543 struct msghdr *msg, size_t len,
1544 u16 control, u16 sdulen)
1c2acffb 1545{
47d1ec61 1546 struct sock *sk = chan->sk;
8c1d787b 1547 struct l2cap_conn *conn = chan->conn;
1c2acffb 1548 struct sk_buff *skb;
e4ca6d98 1549 int err, count, hlen;
1c2acffb
GP		 1550 struct l2cap_hdr *lh;
1551
1552 BT_DBG("sk %p len %d", sk, (int)len);
1553
0ee0d208
GP		 1554 if (!conn)
1555 return ERR_PTR(-ENOTCONN);
1556
e4ca6d98
AE		 1557 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1558 hlen = L2CAP_EXT_HDR_SIZE;
1559 else
1560 hlen = L2CAP_ENH_HDR_SIZE;
1561
c74e560c
GP		 1562 if (sdulen)
1563 hlen += 2;
1564
47d1ec61 1565 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 1566 hlen += 2;
1567
1c2acffb
GP		 1568 count = min_t(unsigned int, (conn->mtu - hlen), len);
1569 skb = bt_skb_send_alloc(sk, count + hlen,
1570 msg->msg_flags & MSG_DONTWAIT, &err);
1571 if (!skb)
0175d629 1572 return ERR_PTR(err);
1c2acffb
GP		 1573
1574 /* Create L2CAP header */
1575 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1576 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1577 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1578 put_unaligned_le16(control, skb_put(skb, 2));
c74e560c
GP		 1579 if (sdulen)
1580 put_unaligned_le16(sdulen, skb_put(skb, 2));
1c2acffb
GP		 1581
1582 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1583 if (unlikely(err < 0)) {
1584 kfree_skb(skb);
1585 return ERR_PTR(err);
1586 }
e90bac06 1587
47d1ec61 1588 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 1589 put_unaligned_le16(0, skb_put(skb, 2));
1590
e90bac06 1591 bt_cb(skb)->retries = 0;
1c2acffb 1592 return skb;
1da177e4
LT		 1593}
1594
67c9e840 1595static int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
c74e560c 1596{
c74e560c
GP		 1597 struct sk_buff *skb;
1598 struct sk_buff_head sar_queue;
1599 u16 control;
1600 size_t size = 0;
1601
ff12fd64 1602 skb_queue_head_init(&sar_queue);
7e0ef6ee 1603 control = __set_ctrl_sar(chan, L2CAP_SAR_START);
47d1ec61 1604 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
c74e560c
GP		 1605 if (IS_ERR(skb))
1606 return PTR_ERR(skb);
1607
1608 __skb_queue_tail(&sar_queue, skb);
2c03a7a4
GP		 1609 len -= chan->remote_mps;
1610 size += chan->remote_mps;
c74e560c
GP		 1611
1612 while (len > 0) {
1613 size_t buflen;
1614
2c03a7a4 1615 if (len > chan->remote_mps) {
7e0ef6ee 1616 control = __set_ctrl_sar(chan, L2CAP_SAR_CONTINUE);
2c03a7a4 1617 buflen = chan->remote_mps;
c74e560c 1618 } else {
7e0ef6ee 1619 control = __set_ctrl_sar(chan, L2CAP_SAR_END);
c74e560c
GP		 1620 buflen = len;
1621 }
1622
47d1ec61 1623 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
c74e560c
GP		 1624 if (IS_ERR(skb)) {
1625 skb_queue_purge(&sar_queue);
1626 return PTR_ERR(skb);
1627 }
1628
1629 __skb_queue_tail(&sar_queue, skb);
1630 len -= buflen;
1631 size += buflen;
c74e560c 1632 }
58d35f87
GP		 1633 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
1634 if (chan->tx_send_head == NULL)
1635 chan->tx_send_head = sar_queue.next;
c74e560c
GP		 1636
1637 return size;
1638}
1639
9a91a04a
GP		 1640int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1641{
9a91a04a
GP		 1642 struct sk_buff *skb;
1643 u16 control;
1644 int err;
1645
1646 /* Connectionless channel */
715ec005 1647 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
9a91a04a
GP		 1648 skb = l2cap_create_connless_pdu(chan, msg, len);
1649 if (IS_ERR(skb))
1650 return PTR_ERR(skb);
1651
1652 l2cap_do_send(chan, skb);
1653 return len;
1654 }
1655
1656 switch (chan->mode) {
1657 case L2CAP_MODE_BASIC:
1658 /* Check outgoing MTU */
1659 if (len > chan->omtu)
1660 return -EMSGSIZE;
1661
1662 /* Create a basic PDU */
1663 skb = l2cap_create_basic_pdu(chan, msg, len);
1664 if (IS_ERR(skb))
1665 return PTR_ERR(skb);
1666
1667 l2cap_do_send(chan, skb);
1668 err = len;
1669 break;
1670
1671 case L2CAP_MODE_ERTM:
1672 case L2CAP_MODE_STREAMING:
1673 /* Entire SDU fits into one PDU */
1674 if (len <= chan->remote_mps) {
7e0ef6ee 1675 control = __set_ctrl_sar(chan, L2CAP_SAR_UNSEGMENTED);
9a91a04a
GP		 1676 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
1677 0);
1678 if (IS_ERR(skb))
1679 return PTR_ERR(skb);
1680
1681 __skb_queue_tail(&chan->tx_q, skb);
1682
1683 if (chan->tx_send_head == NULL)
1684 chan->tx_send_head = skb;
1685
1686 } else {
1687 /* Segment SDU into multiples PDUs */
1688 err = l2cap_sar_segment_sdu(chan, msg, len);
1689 if (err < 0)
1690 return err;
1691 }
1692
1693 if (chan->mode == L2CAP_MODE_STREAMING) {
1694 l2cap_streaming_send(chan);
1695 err = len;
1696 break;
1697 }
1698
e2ab4353
GP		 1699 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
1700 test_bit(CONN_WAIT_F, &chan->conn_state)) {
9a91a04a
GP		 1701 err = len;
1702 break;
1703 }
1704
1705 err = l2cap_ertm_send(chan);
1706 if (err >= 0)
1707 err = len;
1708
1709 break;
1710
1711 default:
1712 BT_DBG("bad state %1.1x", chan->mode);
1713 err = -EBADFD;
1714 }
1715
1716 return err;
1717}
1718
1da177e4
LT		 1719/* Copy frame to all raw sockets on that connection */
1720static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1721{
1da177e4 1722 struct sk_buff *nskb;
48454079 1723 struct l2cap_chan *chan;
1da177e4
LT		 1724
1725 BT_DBG("conn %p", conn);
1726
baa7e1fa
GP		 1727 read_lock(&conn->chan_lock);
1728 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 1729 struct sock *sk = chan->sk;
715ec005 1730 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 1731 continue;
1732
1733 /* Don't send frame to the socket it came from */
1734 if (skb->sk == sk)
1735 continue;
af05b30b
GP		 1736 nskb = skb_clone(skb, GFP_ATOMIC);
1737 if (!nskb)
1da177e4
LT		 1738 continue;
1739
23070494 1740 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT		 1741 kfree_skb(nskb);
1742 }
baa7e1fa 1743 read_unlock(&conn->chan_lock);
1da177e4
LT		 1744}
1745
1746/* ---- L2CAP signalling commands ---- */
1747static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1748 u8 code, u8 ident, u16 dlen, void *data)
1749{
1750 struct sk_buff *skb, **frag;
1751 struct l2cap_cmd_hdr *cmd;
1752 struct l2cap_hdr *lh;
1753 int len, count;
1754
af05b30b
GP		 1755 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1756 conn, code, ident, dlen);
1da177e4
LT		 1757
1758 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1759 count = min_t(unsigned int, conn->mtu, len);
1760
1761 skb = bt_skb_alloc(count, GFP_ATOMIC);
1762 if (!skb)
1763 return NULL;
1764
1765 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 1766 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 1767
1768 if (conn->hcon->type == LE_LINK)
1769 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
1770 else
1771 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 1772
1773 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1774 cmd->code = code;
1775 cmd->ident = ident;
aca3192c 1776 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 1777
1778 if (dlen) {
1779 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1780 memcpy(skb_put(skb, count), data, count);
1781 data += count;
1782 }
1783
1784 len -= skb->len;
1785
1786 /* Continuation fragments (no L2CAP header) */
1787 frag = &skb_shinfo(skb)->frag_list;
1788 while (len) {
1789 count = min_t(unsigned int, conn->mtu, len);
1790
1791 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1792 if (!*frag)
1793 goto fail;
1794
1795 memcpy(skb_put(*frag, count), data, count);
1796
1797 len -= count;
1798 data += count;
1799
1800 frag = &(*frag)->next;
1801 }
1802
1803 return skb;
1804
1805fail:
1806 kfree_skb(skb);
1807 return NULL;
1808}
1809
1810static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1811{
1812 struct l2cap_conf_opt *opt = *ptr;
1813 int len;
1814
1815 len = L2CAP_CONF_OPT_SIZE + opt->len;
1816 *ptr += len;
1817
1818 *type = opt->type;
1819 *olen = opt->len;
1820
1821 switch (opt->len) {
1822 case 1:
1823 *val = *((u8 *) opt->val);
1824 break;
1825
1826 case 2:
bfaaeb3e 1827 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 1828 break;
1829
1830 case 4:
bfaaeb3e 1831 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 1832 break;
1833
1834 default:
1835 *val = (unsigned long) opt->val;
1836 break;
1837 }
1838
1839 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1840 return len;
1841}
1842
1da177e4
LT		 1843static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1844{
1845 struct l2cap_conf_opt *opt = *ptr;
1846
1847 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1848
1849 opt->type = type;
1850 opt->len = len;
1851
1852 switch (len) {
1853 case 1:
1854 *((u8 *) opt->val) = val;
1855 break;
1856
1857 case 2:
4f8b691c 1858 put_unaligned_le16(val, opt->val);
1da177e4
LT		 1859 break;
1860
1861 case 4:
4f8b691c 1862 put_unaligned_le32(val, opt->val);
1da177e4
LT		 1863 break;
1864
1865 default:
1866 memcpy(opt->val, (void *) val, len);
1867 break;
1868 }
1869
1870 *ptr += L2CAP_CONF_OPT_SIZE + len;
1871}
1872
f89cef09
AE		 1873static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
1874{
1875 struct l2cap_conf_efs efs;
1876
1877 switch(chan->mode) {
1878 case L2CAP_MODE_ERTM:
1879 efs.id = chan->local_id;
1880 efs.stype = chan->local_stype;
1881 efs.msdu = cpu_to_le16(chan->local_msdu);
1882 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
1883 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
1884 efs.flush_to = cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
1885 break;
1886
1887 case L2CAP_MODE_STREAMING:
1888 efs.id = 1;
1889 efs.stype = L2CAP_SERV_BESTEFFORT;
1890 efs.msdu = cpu_to_le16(chan->local_msdu);
1891 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
1892 efs.acc_lat = 0;
1893 efs.flush_to = 0;
1894 break;
1895
1896 default:
1897 return;
1898 }
1899
1900 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
1901 (unsigned long) &efs);
1902}
1903
c1b4f43b
GP		 1904static void l2cap_ack_timeout(unsigned long arg)
1905{
525cd185 1906 struct l2cap_chan *chan = (void *) arg;
c1b4f43b 1907
525cd185
GP		 1908 bh_lock_sock(chan->sk);
1909 l2cap_send_ack(chan);
1910 bh_unlock_sock(chan->sk);
c1b4f43b
GP		 1911}
1912
525cd185 1913static inline void l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 1914{
525cd185
GP		 1915 struct sock *sk = chan->sk;
1916
42e5c802 1917 chan->expected_ack_seq = 0;
6a026610 1918 chan->unacked_frames = 0;
42e5c802 1919 chan->buffer_seq = 0;
6a026610
GP		 1920 chan->num_acked = 0;
1921 chan->frames_sent = 0;
0565c1c2 1922
e92c8e70
GP		 1923 setup_timer(&chan->retrans_timer, l2cap_retrans_timeout,
1924 (unsigned long) chan);
1925 setup_timer(&chan->monitor_timer, l2cap_monitor_timeout,
1926 (unsigned long) chan);
1927 setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan);
0565c1c2 1928
f1c6775b 1929 skb_queue_head_init(&chan->srej_q);
1890d36b 1930
39d5a3ee
GP		 1931 INIT_LIST_HEAD(&chan->srej_l);
1932
218bb9df
GP		 1933
1934 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
0565c1c2
GP		 1935}
1936
f2fcfcd6
GP		 1937static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
1938{
1939 switch (mode) {
1940 case L2CAP_MODE_STREAMING:
1941 case L2CAP_MODE_ERTM:
1942 if (l2cap_mode_supported(mode, remote_feat_mask))
1943 return mode;
1944 /* fall through */
1945 default:
1946 return L2CAP_MODE_BASIC;
1947 }
1948}
1949
6327eb98
AE		 1950static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
1951{
1952 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
1953}
1954
f89cef09
AE		 1955static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
1956{
1957 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
1958}
1959
6327eb98
AE		 1960static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
1961{
1962 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
1963 __l2cap_ews_supported(chan))
1964 /* use extended control field */
1965 set_bit(FLAG_EXT_CTRL, &chan->flags);
1966 else
1967 chan->tx_win = min_t(u16, chan->tx_win,
1968 L2CAP_DEFAULT_TX_WINDOW);
1969}
1970
710f9b0a 1971static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 1972{
1da177e4 1973 struct l2cap_conf_req *req = data;
0c1bc5c6 1974 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4
LT		 1975 void *ptr = req->data;
1976
49208c9c 1977 BT_DBG("chan %p", chan);
1da177e4 1978
73ffa904 1979 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 1980 goto done;
1981
0c1bc5c6 1982 switch (chan->mode) {
f2fcfcd6
GP		 1983 case L2CAP_MODE_STREAMING:
1984 case L2CAP_MODE_ERTM:
c1360a1c 1985 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 1986 break;
85eb53c6 1987
f89cef09
AE		 1988 if (__l2cap_efs_supported(chan))
1989 set_bit(FLAG_EFS_ENABLE, &chan->flags);
1990
2ba13ed6 1991 /* fall through */
f2fcfcd6 1992 default:
8c1d787b 1993 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 1994 break;
1995 }
1996
1997done:
0c1bc5c6
GP		 1998 if (chan->imtu != L2CAP_DEFAULT_MTU)
1999 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2000
0c1bc5c6 2001 switch (chan->mode) {
65c7c491 2002 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2003 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2004 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2005 break;
2006
62547752
GP		 2007 rfc.mode = L2CAP_MODE_BASIC;
2008 rfc.txwin_size = 0;
2009 rfc.max_transmit = 0;
2010 rfc.retrans_timeout = 0;
2011 rfc.monitor_timeout = 0;
2012 rfc.max_pdu_size = 0;
2013
63406504
GP		 2014 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2015 (unsigned long) &rfc);
65c7c491
MH		 2016 break;
2017
2018 case L2CAP_MODE_ERTM:
2019 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2020 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2021 rfc.retrans_timeout = 0;
2022 rfc.monitor_timeout = 0;
c74e560c 2023 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
8c1d787b
GP		 2024 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
2025 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
f2fcfcd6 2026
6327eb98
AE		 2027 l2cap_txwin_setup(chan);
2028
2029 rfc.txwin_size = min_t(u16, chan->tx_win,
2030 L2CAP_DEFAULT_TX_WINDOW);
2031
63406504
GP		 2032 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2033 (unsigned long) &rfc);
2034
f89cef09
AE		 2035 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2036 l2cap_add_opt_efs(&ptr, chan);
2037
8c1d787b 2038 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2039 break;
2040
47d1ec61 2041 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2042 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2043 chan->fcs = L2CAP_FCS_NONE;
2044 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2045 }
6327eb98
AE		 2046
2047 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2048 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2049 chan->tx_win);
f2fcfcd6
GP		 2050 break;
2051
2052 case L2CAP_MODE_STREAMING:
2053 rfc.mode = L2CAP_MODE_STREAMING;
2054 rfc.txwin_size = 0;
2055 rfc.max_transmit = 0;
2056 rfc.retrans_timeout = 0;
2057 rfc.monitor_timeout = 0;
c74e560c 2058 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
8c1d787b
GP		 2059 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
2060 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
65c7c491 2061
63406504
GP		 2062 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2063 (unsigned long) &rfc);
2064
f89cef09
AE		 2065 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2066 l2cap_add_opt_efs(&ptr, chan);
2067
8c1d787b 2068 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2069 break;
2070
47d1ec61 2071 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2072 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2073 chan->fcs = L2CAP_FCS_NONE;
2074 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2075 }
65c7c491
MH		 2076 break;
2077 }
1da177e4 2078
fe4128e0 2079 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 2080 req->flags = cpu_to_le16(0);
1da177e4
LT		 2081
2082 return ptr - data;
2083}
2084
73ffa904 2085static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2086{
5dee9e7c
MH		 2087 struct l2cap_conf_rsp *rsp = data;
2088 void *ptr = rsp->data;
73ffa904
GP		 2089 void *req = chan->conf_req;
2090 int len = chan->conf_len;
5dee9e7c
MH		 2091 int type, hint, olen;
2092 unsigned long val;
6464f35f 2093 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 2094 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2095 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 2096
73ffa904 2097 BT_DBG("chan %p", chan);
820ae1b8 2098
5dee9e7c
MH		 2099 while (len >= L2CAP_CONF_OPT_SIZE) {
2100 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2101
589d2746 2102 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2103 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2104
2105 switch (type) {
2106 case L2CAP_CONF_MTU:
861d6882 2107 mtu = val;
5dee9e7c
MH		 2108 break;
2109
2110 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2111 chan->flush_to = val;
5dee9e7c
MH		 2112 break;
2113
2114 case L2CAP_CONF_QOS:
2115 break;
2116
6464f35f
MH		 2117 case L2CAP_CONF_RFC:
2118 if (olen == sizeof(rfc))
2119 memcpy(&rfc, (void *) val, olen);
2120 break;
2121
fcc203c3
GP		 2122 case L2CAP_CONF_FCS:
2123 if (val == L2CAP_FCS_NONE)
c1360a1c 2124 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
fcc203c3
GP		 2125
2126 break;
2127
6327eb98
AE		 2128 case L2CAP_CONF_EWS:
2129 if (!enable_hs)
2130 return -ECONNREFUSED;
2131
2132 set_bit(FLAG_EXT_CTRL, &chan->flags);
2133 set_bit(CONF_EWS_RECV, &chan->conf_state);
2134 chan->remote_tx_win = val;
2135 break;
2136
5dee9e7c
MH		 2137 default:
2138 if (hint)
2139 break;
2140
2141 result = L2CAP_CONF_UNKNOWN;
2142 *((u8 *) ptr++) = type;
2143 break;
2144 }
2145 }
2146
73ffa904 2147 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2148 goto done;
2149
0c1bc5c6 2150 switch (chan->mode) {
f2fcfcd6
GP		 2151 case L2CAP_MODE_STREAMING:
2152 case L2CAP_MODE_ERTM:
c1360a1c 2153 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2154 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2155 chan->conn->feat_mask);
85eb53c6
GP		 2156 break;
2157 }
2158
0c1bc5c6 2159 if (chan->mode != rfc.mode)
f2fcfcd6 2160 return -ECONNREFUSED;
742e519b 2161
f2fcfcd6 2162 break;
f2fcfcd6
GP		 2163 }
2164
2165done:
0c1bc5c6 2166 if (chan->mode != rfc.mode) {
f2fcfcd6 2167 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2168 rfc.mode = chan->mode;
f2fcfcd6 2169
73ffa904 2170 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2171 return -ECONNREFUSED;
2172
2173 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2174 sizeof(rfc), (unsigned long) &rfc);
2175 }
2176
2177
5dee9e7c
MH		 2178 if (result == L2CAP_CONF_SUCCESS) {
2179 /* Configure output options and let the other side know
2180 * which ones we don't like. */
2181
f2fcfcd6
GP		 2182 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2183 result = L2CAP_CONF_UNACCEPT;
2184 else {
0c1bc5c6 2185 chan->omtu = mtu;
c1360a1c 2186 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 2187 }
0c1bc5c6 2188 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2189
f2fcfcd6
GP		 2190 switch (rfc.mode) {
2191 case L2CAP_MODE_BASIC:
47d1ec61 2192 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2193 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 2194 break;
2195
2196 case L2CAP_MODE_ERTM:
6327eb98
AE		 2197 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
2198 chan->remote_tx_win = rfc.txwin_size;
2199 else
2200 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
2201
2c03a7a4 2202 chan->remote_max_tx = rfc.max_transmit;
86b1b263 2203
8c1d787b
GP		 2204 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
2205 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1c762159 2206
2c03a7a4 2207 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2208
10467e9e
GP		 2209 rfc.retrans_timeout =
2210 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2211 rfc.monitor_timeout =
2212 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2213
c1360a1c 2214 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2215
2216 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2217 sizeof(rfc), (unsigned long) &rfc);
2218
f2fcfcd6
GP		 2219 break;
2220
2221 case L2CAP_MODE_STREAMING:
8c1d787b
GP		 2222 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
2223 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1c762159 2224
2c03a7a4 2225 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2226
c1360a1c 2227 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2228
2229 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2230 sizeof(rfc), (unsigned long) &rfc);
2231
f2fcfcd6
GP		 2232 break;
2233
2234 default:
5dee9e7c 2235 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2236
6464f35f 2237 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2238 rfc.mode = chan->mode;
f2fcfcd6 2239 }
6464f35f 2240
f2fcfcd6 2241 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 2242 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 2243 }
fe4128e0 2244 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2245 rsp->result = cpu_to_le16(result);
2246 rsp->flags = cpu_to_le16(0x0000);
2247
2248 return ptr - data;
1da177e4
LT		 2249}
2250
b4450035 2251static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2252{
f2fcfcd6
GP		 2253 struct l2cap_conf_req *req = data;
2254 void *ptr = req->data;
2255 int type, olen;
2256 unsigned long val;
2257 struct l2cap_conf_rfc rfc;
2258
fe4128e0 2259 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 2260
2261 while (len >= L2CAP_CONF_OPT_SIZE) {
2262 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2263
2264 switch (type) {
2265 case L2CAP_CONF_MTU:
2266 if (val < L2CAP_DEFAULT_MIN_MTU) {
2267 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2268 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2269 } else
0c1bc5c6
GP		 2270 chan->imtu = val;
2271 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 2272 break;
2273
2274 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2275 chan->flush_to = val;
f2fcfcd6 2276 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 2277 2, chan->flush_to);
f2fcfcd6
GP		 2278 break;
2279
2280 case L2CAP_CONF_RFC:
2281 if (olen == sizeof(rfc))
2282 memcpy(&rfc, (void *)val, olen);
2283
c1360a1c 2284 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 2285 rfc.mode != chan->mode)
f2fcfcd6
GP		 2286 return -ECONNREFUSED;
2287
47d1ec61 2288 chan->fcs = 0;
f2fcfcd6
GP		 2289
2290 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2291 sizeof(rfc), (unsigned long) &rfc);
2292 break;
6327eb98
AE		 2293
2294 case L2CAP_CONF_EWS:
2295 chan->tx_win = min_t(u16, val,
2296 L2CAP_DEFAULT_EXT_WINDOW);
2297 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS,
2298 2, chan->tx_win);
2299 break;
f2fcfcd6
GP		 2300 }
2301 }
2302
0c1bc5c6 2303 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 2304 return -ECONNREFUSED;
2305
0c1bc5c6 2306 chan->mode = rfc.mode;
6c2ea7a8 2307
f2fcfcd6
GP		 2308 if (*result == L2CAP_CONF_SUCCESS) {
2309 switch (rfc.mode) {
2310 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2311 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2312 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2313 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2314 break;
2315 case L2CAP_MODE_STREAMING:
47d1ec61 2316 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2317 }
2318 }
2319
fe4128e0 2320 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 2321 req->flags = cpu_to_le16(0x0000);
2322
2323 return ptr - data;
2324}
2325
fe4128e0 2326static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 2327{
2328 struct l2cap_conf_rsp *rsp = data;
2329 void *ptr = rsp->data;
1da177e4 2330
fe4128e0 2331 BT_DBG("chan %p", chan);
1da177e4 2332
fe4128e0 2333 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 2334 rsp->result = cpu_to_le16(result);
aca3192c 2335 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2336
2337 return ptr - data;
2338}
2339
8c1d787b 2340void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 2341{
2342 struct l2cap_conn_rsp rsp;
8c1d787b 2343 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 2344 u8 buf[128];
2345
fe4128e0
GP		 2346 rsp.scid = cpu_to_le16(chan->dcid);
2347 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 2348 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2349 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2350 l2cap_send_cmd(conn, chan->ident,
2351 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2352
c1360a1c 2353 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 2354 return;
2355
710f9b0a
GP		 2356 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2357 l2cap_build_conf_req(chan, buf), buf);
2358 chan->num_conf_req++;
2359}
2360
47d1ec61 2361static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 2362{
7b1c0049
GP		 2363 int type, olen;
2364 unsigned long val;
2365 struct l2cap_conf_rfc rfc;
2366
47d1ec61 2367 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 2368
0c1bc5c6 2369 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 2370 return;
2371
2372 while (len >= L2CAP_CONF_OPT_SIZE) {
2373 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2374
2375 switch (type) {
2376 case L2CAP_CONF_RFC:
2377 if (olen == sizeof(rfc))
2378 memcpy(&rfc, (void *)val, olen);
2379 goto done;
2380 }
2381 }
2382
2383done:
2384 switch (rfc.mode) {
2385 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2386 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2387 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2388 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2389 break;
2390 case L2CAP_MODE_STREAMING:
47d1ec61 2391 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2392 }
2393}
2394
4e8402a3
MH		 2395static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2396{
e2fd318e 2397 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 2398
e2fd318e 2399 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 2400 return 0;
2401
2402 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2403 cmd->ident == conn->info_ident) {
4e8402a3 2404 del_timer(&conn->info_timer);
984947dc
MH		 2405
2406 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2407 conn->info_ident = 0;
984947dc 2408
4e8402a3
MH		 2409 l2cap_conn_start(conn);
2410 }
2411
2412 return 0;
2413}
2414
1da177e4
LT		 2415static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2416{
1da177e4
LT		 2417 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2418 struct l2cap_conn_rsp rsp;
23691d75 2419 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 2420 struct sock *parent, *sk = NULL;
e7c29cb1 2421 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2422
2423 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2424 __le16 psm = req->psm;
1da177e4
LT		 2425
2426 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2427
2428 /* Check if we have socket listening on psm */
23691d75
GP		 2429 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
2430 if (!pchan) {
1da177e4
LT		 2431 result = L2CAP_CR_BAD_PSM;
2432 goto sendresp;
2433 }
2434
23691d75
GP		 2435 parent = pchan->sk;
2436
e0f0cb56
GP		 2437 bh_lock_sock(parent);
2438
e7c29cb1
MH		 2439 /* Check if the ACL is secure enough (if not SDP) */
2440 if (psm != cpu_to_le16(0x0001) &&
2441 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 2442 conn->disc_reason = 0x05;
e7c29cb1
MH		 2443 result = L2CAP_CR_SEC_BLOCK;
2444 goto response;
2445 }
2446
1da177e4
LT		 2447 result = L2CAP_CR_NO_MEM;
2448
2449 /* Check for backlog size */
2450 if (sk_acceptq_is_full(parent)) {
8e87d142 2451 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2452 goto response;
2453 }
2454
80808e43
GP		 2455 chan = pchan->ops->new_connection(pchan->data);
2456 if (!chan)
1da177e4
LT		 2457 goto response;
2458
80808e43
GP		 2459 sk = chan->sk;
2460
baa7e1fa 2461 write_lock_bh(&conn->chan_lock);
1da177e4
LT		 2462
2463 /* Check if we already have channel with that dcid */
baa7e1fa
GP		 2464 if (__l2cap_get_chan_by_dcid(conn, scid)) {
2465 write_unlock_bh(&conn->chan_lock);
1da177e4 2466 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 2467 chan->ops->close(chan->data);
1da177e4
LT		 2468 goto response;
2469 }
2470
2471 hci_conn_hold(conn->hcon);
2472
1da177e4
LT		 2473 bacpy(&bt_sk(sk)->src, conn->src);
2474 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 2475 chan->psm = psm;
2476 chan->dcid = scid;
1da177e4 2477
d1010240
GP		 2478 bt_accept_enqueue(parent, sk);
2479
48454079
GP		 2480 __l2cap_chan_add(conn, chan);
2481
fe4128e0 2482 dcid = chan->scid;
1da177e4 2483
c9b66675 2484 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 2485
fc7f8a7e 2486 chan->ident = cmd->ident;
1da177e4 2487
984947dc 2488 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
4343478f 2489 if (l2cap_check_security(chan)) {
f66dc81f 2490 if (bt_sk(sk)->defer_setup) {
89bc500e 2491 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 2492 result = L2CAP_CR_PEND;
2493 status = L2CAP_CS_AUTHOR_PEND;
2494 parent->sk_data_ready(parent, 0);
2495 } else {
89bc500e 2496 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 2497 result = L2CAP_CR_SUCCESS;
2498 status = L2CAP_CS_NO_INFO;
2499 }
79d554a6 2500 } else {
89bc500e 2501 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2502 result = L2CAP_CR_PEND;
2503 status = L2CAP_CS_AUTHEN_PEND;
2504 }
2505 } else {
89bc500e 2506 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2507 result = L2CAP_CR_PEND;
2508 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2509 }
2510
baa7e1fa 2511 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 2512
2513response:
2514 bh_unlock_sock(parent);
2515
2516sendresp:
aca3192c
YH		 2517 rsp.scid = cpu_to_le16(scid);
2518 rsp.dcid = cpu_to_le16(dcid);
2519 rsp.result = cpu_to_le16(result);
2520 rsp.status = cpu_to_le16(status);
1da177e4 2521 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2522
2523 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2524 struct l2cap_info_req info;
2525 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2526
2527 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2528 conn->info_ident = l2cap_get_ident(conn);
2529
2530 mod_timer(&conn->info_timer, jiffies +
2531 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2532
2533 l2cap_send_cmd(conn, conn->info_ident,
2534 L2CAP_INFO_REQ, sizeof(info), &info);
2535 }
2536
c1360a1c 2537 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 2538 result == L2CAP_CR_SUCCESS) {
2539 u8 buf[128];
c1360a1c 2540 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 2541 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2542 l2cap_build_conf_req(chan, buf), buf);
2543 chan->num_conf_req++;
e9aeb2dd
GP		 2544 }
2545
1da177e4
LT		 2546 return 0;
2547}
2548
2549static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2550{
2551 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2552 u16 scid, dcid, result, status;
48454079 2553 struct l2cap_chan *chan;
1da177e4
LT		 2554 struct sock *sk;
2555 u8 req[128];
2556
2557 scid = __le16_to_cpu(rsp->scid);
2558 dcid = __le16_to_cpu(rsp->dcid);
2559 result = __le16_to_cpu(rsp->result);
2560 status = __le16_to_cpu(rsp->status);
2561
2562 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2563
2564 if (scid) {
baa7e1fa 2565 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2566 if (!chan)
57d3b22b 2567 return -EFAULT;
1da177e4 2568 } else {
baa7e1fa 2569 chan = l2cap_get_chan_by_ident(conn, cmd->ident);
48454079 2570 if (!chan)
57d3b22b 2571 return -EFAULT;
1da177e4
LT		 2572 }
2573
48454079
GP		 2574 sk = chan->sk;
2575
1da177e4
LT		 2576 switch (result) {
2577 case L2CAP_CR_SUCCESS:
89bc500e 2578 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 2579 chan->ident = 0;
fe4128e0 2580 chan->dcid = dcid;
c1360a1c 2581 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 2582
c1360a1c 2583 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 2584 break;
2585
1da177e4 2586 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2587 l2cap_build_conf_req(chan, req), req);
2588 chan->num_conf_req++;
1da177e4
LT		 2589 break;
2590
2591 case L2CAP_CR_PEND:
c1360a1c 2592 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 2593 break;
2594
2595 default:
a49184c2
AE		 2596 /* don't delete l2cap channel if sk is owned by user */
2597 if (sock_owned_by_user(sk)) {
89bc500e 2598 l2cap_state_change(chan, BT_DISCONN);
c9b66675
GP		 2599 __clear_chan_timer(chan);
2600 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2601 break;
2602 }
2603
48454079 2604 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 2605 break;
2606 }
2607
2608 bh_unlock_sock(sk);
2609 return 0;
2610}
2611
47d1ec61 2612static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 2613{
2614 /* FCS is enabled only in ERTM or streaming mode, if one or both
2615 * sides request it.
2616 */
0c1bc5c6 2617 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 2618 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2619 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 2620 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 2621}
2622
88219a0f 2623static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2624{
2625 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2626 u16 dcid, flags;
2627 u8 rsp[64];
48454079 2628 struct l2cap_chan *chan;
1da177e4 2629 struct sock *sk;
5dee9e7c 2630 int len;
1da177e4
LT		 2631
2632 dcid = __le16_to_cpu(req->dcid);
2633 flags = __le16_to_cpu(req->flags);
2634
2635 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2636
baa7e1fa 2637 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2638 if (!chan)
1da177e4
LT		 2639 return -ENOENT;
2640
48454079
GP		 2641 sk = chan->sk;
2642
033b1142 2643 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 2644 struct l2cap_cmd_rej_cid rej;
2645
2646 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
2647 rej.scid = cpu_to_le16(chan->scid);
2648 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 2649
df6bd743
GP		 2650 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2651 sizeof(rej), &rej);
354f60a9 2652 goto unlock;
df6bd743 2653 }
354f60a9 2654
5dee9e7c 2655 /* Reject if config buffer is too small. */
88219a0f 2656 len = cmd_len - sizeof(*req);
7ac28817 2657 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 2658 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2659 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 2660 L2CAP_CONF_REJECT, flags), rsp);
2661 goto unlock;
2662 }
2663
2664 /* Store config. */
73ffa904
GP		 2665 memcpy(chan->conf_req + chan->conf_len, req->data, len);
2666 chan->conf_len += len;
1da177e4
LT		 2667
2668 if (flags & 0x0001) {
2669 /* Incomplete config. Send empty response. */
2670 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2671 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 2672 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2673 goto unlock;
2674 }
2675
2676 /* Complete config. */
73ffa904 2677 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 2678 if (len < 0) {
e92c8e70 2679 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 2680 goto unlock;
f2fcfcd6 2681 }
1da177e4 2682
5dee9e7c 2683 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 2684 chan->num_conf_rsp++;
5dee9e7c 2685
5dee9e7c 2686 /* Reset config buffer. */
73ffa904 2687 chan->conf_len = 0;
5dee9e7c 2688
c1360a1c 2689 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 2690 goto unlock;
2691
c1360a1c 2692 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 2693 set_default_fcs(chan);
fcc203c3 2694
89bc500e 2695 l2cap_state_change(chan, BT_CONNECTED);
e90bac06 2696
42e5c802
GP		 2697 chan->next_tx_seq = 0;
2698 chan->expected_tx_seq = 0;
58d35f87 2699 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2700 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2701 l2cap_ertm_init(chan);
0565c1c2 2702
1da177e4 2703 l2cap_chan_ready(sk);
876d9484
MH		 2704 goto unlock;
2705 }
2706
c1360a1c 2707 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 2708 u8 buf[64];
1da177e4 2709 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2710 l2cap_build_conf_req(chan, buf), buf);
2711 chan->num_conf_req++;
1da177e4
LT		 2712 }
2713
2714unlock:
2715 bh_unlock_sock(sk);
2716 return 0;
2717}
2718
2719static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2720{
2721 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2722 u16 scid, flags, result;
48454079 2723 struct l2cap_chan *chan;
1da177e4 2724 struct sock *sk;
7b1c0049 2725 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 2726
2727 scid = __le16_to_cpu(rsp->scid);
2728 flags = __le16_to_cpu(rsp->flags);
2729 result = __le16_to_cpu(rsp->result);
2730
af05b30b
GP		 2731 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2732 scid, flags, result);
1da177e4 2733
baa7e1fa 2734 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2735 if (!chan)
1da177e4
LT		 2736 return 0;
2737
48454079
GP		 2738 sk = chan->sk;
2739
1da177e4
LT		 2740 switch (result) {
2741 case L2CAP_CONF_SUCCESS:
47d1ec61 2742 l2cap_conf_rfc_get(chan, rsp->data, len);
1da177e4
LT		 2743 break;
2744
2745 case L2CAP_CONF_UNACCEPT:
73ffa904 2746 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 2747 char req[64];
2748
c2c77ec8 2749 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 2750 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 2751 goto done;
2752 }
2753
f2fcfcd6
GP		 2754 /* throw out any old stored conf requests */
2755 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 2756 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2757 req, &result);
f2fcfcd6 2758 if (len < 0) {
e92c8e70 2759 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 2760 goto done;
2761 }
2762
2763 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2764 L2CAP_CONF_REQ, len, req);
73ffa904 2765 chan->num_conf_req++;
f2fcfcd6
GP		 2766 if (result != L2CAP_CONF_SUCCESS)
2767 goto done;
2768 break;
1da177e4
LT		 2769 }
2770
8e87d142 2771 default:
b1235d79 2772 sk->sk_err = ECONNRESET;
c9b66675 2773 __set_chan_timer(chan, HZ * 5);
e92c8e70 2774 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 2775 goto done;
2776 }
2777
2778 if (flags & 0x01)
2779 goto done;
2780
c1360a1c 2781 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 2782
c1360a1c 2783 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 2784 set_default_fcs(chan);
fcc203c3 2785
89bc500e 2786 l2cap_state_change(chan, BT_CONNECTED);
42e5c802
GP		 2787 chan->next_tx_seq = 0;
2788 chan->expected_tx_seq = 0;
58d35f87 2789 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2790 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2791 l2cap_ertm_init(chan);
0565c1c2 2792
1da177e4
LT		 2793 l2cap_chan_ready(sk);
2794 }
2795
2796done:
2797 bh_unlock_sock(sk);
2798 return 0;
2799}
2800
2801static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2802{
2803 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2804 struct l2cap_disconn_rsp rsp;
2805 u16 dcid, scid;
48454079 2806 struct l2cap_chan *chan;
1da177e4
LT		 2807 struct sock *sk;
2808
2809 scid = __le16_to_cpu(req->scid);
2810 dcid = __le16_to_cpu(req->dcid);
2811
2812 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2813
baa7e1fa 2814 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2815 if (!chan)
1da177e4
LT		 2816 return 0;
2817
48454079
GP		 2818 sk = chan->sk;
2819
fe4128e0
GP		 2820 rsp.dcid = cpu_to_le16(chan->scid);
2821 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 2822 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2823
2824 sk->sk_shutdown = SHUTDOWN_MASK;
2825
a49184c2
AE		 2826 /* don't delete l2cap channel if sk is owned by user */
2827 if (sock_owned_by_user(sk)) {
89bc500e 2828 l2cap_state_change(chan, BT_DISCONN);
c9b66675
GP		 2829 __clear_chan_timer(chan);
2830 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2831 bh_unlock_sock(sk);
2832 return 0;
2833 }
2834
48454079 2835 l2cap_chan_del(chan, ECONNRESET);
1da177e4
LT		 2836 bh_unlock_sock(sk);
2837
ba3bd0ee 2838 chan->ops->close(chan->data);
1da177e4
LT		 2839 return 0;
2840}
2841
2842static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2843{
2844 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2845 u16 dcid, scid;
48454079 2846 struct l2cap_chan *chan;
1da177e4
LT		 2847 struct sock *sk;
2848
2849 scid = __le16_to_cpu(rsp->scid);
2850 dcid = __le16_to_cpu(rsp->dcid);
2851
2852 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2853
baa7e1fa 2854 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2855 if (!chan)
1da177e4
LT		 2856 return 0;
2857
48454079
GP		 2858 sk = chan->sk;
2859
a49184c2
AE		 2860 /* don't delete l2cap channel if sk is owned by user */
2861 if (sock_owned_by_user(sk)) {
89bc500e 2862 l2cap_state_change(chan,BT_DISCONN);
c9b66675
GP		 2863 __clear_chan_timer(chan);
2864 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2865 bh_unlock_sock(sk);
2866 return 0;
2867 }
2868
48454079 2869 l2cap_chan_del(chan, 0);
1da177e4
LT		 2870 bh_unlock_sock(sk);
2871
ba3bd0ee 2872 chan->ops->close(chan->data);
1da177e4
LT		 2873 return 0;
2874}
2875
2876static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2877{
2878 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 2879 u16 type;
2880
2881 type = __le16_to_cpu(req->type);
2882
2883 BT_DBG("type 0x%4.4x", type);
2884
f0709e03
MH		 2885 if (type == L2CAP_IT_FEAT_MASK) {
2886 u8 buf[8];
44dd46de 2887 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 2888 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2889 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2890 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 2891 if (!disable_ertm)
fcc203c3
GP		 2892 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2893 | L2CAP_FEAT_FCS;
a5fd6f30 2894 if (enable_hs)
6327eb98
AE		 2895 feat_mask |= L2CAP_FEAT_EXT_FLOW
2896 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 2897
1b7bf4ed 2898 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 2899 l2cap_send_cmd(conn, cmd->ident,
2900 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 2901 } else if (type == L2CAP_IT_FIXED_CHAN) {
2902 u8 buf[12];
2903 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2904 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2905 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2906 memcpy(buf + 4, l2cap_fixed_chan, 8);
2907 l2cap_send_cmd(conn, cmd->ident,
2908 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 2909 } else {
2910 struct l2cap_info_rsp rsp;
2911 rsp.type = cpu_to_le16(type);
2912 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2913 l2cap_send_cmd(conn, cmd->ident,
2914 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
2915 }
1da177e4
LT		 2916
2917 return 0;
2918}
2919
2920static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2921{
2922 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
2923 u16 type, result;
2924
2925 type = __le16_to_cpu(rsp->type);
2926 result = __le16_to_cpu(rsp->result);
2927
2928 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2929
e90165be
AE		 2930 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
2931 if (cmd->ident != conn->info_ident ||
2932 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
2933 return 0;
2934
4e8402a3
MH		 2935 del_timer(&conn->info_timer);
2936
adb08ede
VT		 2937 if (result != L2CAP_IR_SUCCESS) {
2938 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2939 conn->info_ident = 0;
2940
2941 l2cap_conn_start(conn);
2942
2943 return 0;
2944 }
2945
984947dc 2946 if (type == L2CAP_IT_FEAT_MASK) {
83985319 2947 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 2948
47ec1dcd 2949 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 2950 struct l2cap_info_req req;
2951 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2952
2953 conn->info_ident = l2cap_get_ident(conn);
2954
2955 l2cap_send_cmd(conn, conn->info_ident,
2956 L2CAP_INFO_REQ, sizeof(req), &req);
2957 } else {
2958 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2959 conn->info_ident = 0;
2960
2961 l2cap_conn_start(conn);
2962 }
2963 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 2964 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2965 conn->info_ident = 0;
984947dc
MH		 2966
2967 l2cap_conn_start(conn);
2968 }
4e8402a3 2969
1da177e4
LT		 2970 return 0;
2971}
2972
e2174ca4 2973static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 2974 u16 to_multiplier)
2975{
2976 u16 max_latency;
2977
2978 if (min > max || min < 6 || max > 3200)
2979 return -EINVAL;
2980
2981 if (to_multiplier < 10 || to_multiplier > 3200)
2982 return -EINVAL;
2983
2984 if (max >= to_multiplier * 8)
2985 return -EINVAL;
2986
2987 max_latency = (to_multiplier * 8 / max) - 1;
2988 if (latency > 499 || latency > max_latency)
2989 return -EINVAL;
2990
2991 return 0;
2992}
2993
2994static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2995 struct l2cap_cmd_hdr *cmd, u8 *data)
2996{
2997 struct hci_conn *hcon = conn->hcon;
2998 struct l2cap_conn_param_update_req *req;
2999 struct l2cap_conn_param_update_rsp rsp;
3000 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 3001 int err;
de73115a
CT		 3002
3003 if (!(hcon->link_mode & HCI_LM_MASTER))
3004 return -EINVAL;
3005
3006 cmd_len = __le16_to_cpu(cmd->len);
3007 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
3008 return -EPROTO;
3009
3010 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 3011 min = __le16_to_cpu(req->min);
3012 max = __le16_to_cpu(req->max);
de73115a
CT		 3013 latency = __le16_to_cpu(req->latency);
3014 to_multiplier = __le16_to_cpu(req->to_multiplier);
3015
3016 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
3017 min, max, latency, to_multiplier);
3018
3019 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 3020
3021 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
3022 if (err)
de73115a
CT		 3023 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
3024 else
3025 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
3026
3027 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
3028 sizeof(rsp), &rsp);
3029
2ce603eb
CT		 3030 if (!err)
3031 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
3032
de73115a
CT		 3033 return 0;
3034}
3035
3300d9a9
CT		 3036static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
3037 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3038{
3039 int err = 0;
3040
3041 switch (cmd->code) {
3042 case L2CAP_COMMAND_REJ:
3043 l2cap_command_rej(conn, cmd, data);
3044 break;
3045
3046 case L2CAP_CONN_REQ:
3047 err = l2cap_connect_req(conn, cmd, data);
3048 break;
3049
3050 case L2CAP_CONN_RSP:
3051 err = l2cap_connect_rsp(conn, cmd, data);
3052 break;
3053
3054 case L2CAP_CONF_REQ:
3055 err = l2cap_config_req(conn, cmd, cmd_len, data);
3056 break;
3057
3058 case L2CAP_CONF_RSP:
3059 err = l2cap_config_rsp(conn, cmd, data);
3060 break;
3061
3062 case L2CAP_DISCONN_REQ:
3063 err = l2cap_disconnect_req(conn, cmd, data);
3064 break;
3065
3066 case L2CAP_DISCONN_RSP:
3067 err = l2cap_disconnect_rsp(conn, cmd, data);
3068 break;
3069
3070 case L2CAP_ECHO_REQ:
3071 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
3072 break;
3073
3074 case L2CAP_ECHO_RSP:
3075 break;
3076
3077 case L2CAP_INFO_REQ:
3078 err = l2cap_information_req(conn, cmd, data);
3079 break;
3080
3081 case L2CAP_INFO_RSP:
3082 err = l2cap_information_rsp(conn, cmd, data);
3083 break;
3084
3085 default:
3086 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
3087 err = -EINVAL;
3088 break;
3089 }
3090
3091 return err;
3092}
3093
3094static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
3095 struct l2cap_cmd_hdr *cmd, u8 *data)
3096{
3097 switch (cmd->code) {
3098 case L2CAP_COMMAND_REJ:
3099 return 0;
3100
3101 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 3102 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 3103
3104 case L2CAP_CONN_PARAM_UPDATE_RSP:
3105 return 0;
3106
3107 default:
3108 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
3109 return -EINVAL;
3110 }
3111}
3112
3113static inline void l2cap_sig_channel(struct l2cap_conn *conn,
3114 struct sk_buff *skb)
1da177e4
LT		 3115{
3116 u8 *data = skb->data;
3117 int len = skb->len;
3118 struct l2cap_cmd_hdr cmd;
3300d9a9 3119 int err;
1da177e4
LT		 3120
3121 l2cap_raw_recv(conn, skb);
3122
3123 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3124 u16 cmd_len;
1da177e4
LT		 3125 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3126 data += L2CAP_CMD_HDR_SIZE;
3127 len -= L2CAP_CMD_HDR_SIZE;
3128
88219a0f 3129 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3130
88219a0f 3131 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3132
88219a0f 3133 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3134 BT_DBG("corrupted command");
3135 break;
3136 }
3137
3300d9a9
CT		 3138 if (conn->hcon->type == LE_LINK)
3139 err = l2cap_le_sig_cmd(conn, &cmd, data);
3140 else
3141 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 3142
3143 if (err) {
e2fd318e 3144 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 3145
3146 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 3147
3148 /* FIXME: Map err to a valid reason */
e2fd318e 3149 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 3150 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3151 }
3152
88219a0f
AV		 3153 data += cmd_len;
3154 len -= cmd_len;
1da177e4
LT		 3155 }
3156
3157 kfree_skb(skb);
3158}
3159
47d1ec61 3160static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 3161{
3162 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 3163 int hdr_size;
3164
3165 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3166 hdr_size = L2CAP_EXT_HDR_SIZE;
3167 else
3168 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 3169
47d1ec61 3170 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 3171 skb_trim(skb, skb->len - 2);
3172 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3173 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3174
3175 if (our_fcs != rcv_fcs)
7a560e5c 3176 return -EBADMSG;
fcc203c3
GP		 3177 }
3178 return 0;
3179}
3180
525cd185 3181static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 3182{
d5392c8f
GP		 3183 u16 control = 0;
3184
6a026610 3185 chan->frames_sent = 0;
d5392c8f 3186
0b209fae 3187 control |= __set_reqseq(chan, chan->buffer_seq);
d5392c8f 3188
e2ab4353 3189 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 3190 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
525cd185 3191 l2cap_send_sframe(chan, control);
e2ab4353 3192 set_bit(CONN_RNR_SENT, &chan->conn_state);
d5392c8f
GP		 3193 }
3194
e2ab4353 3195 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
525cd185 3196 l2cap_retransmit_frames(chan);
d5392c8f 3197
525cd185 3198 l2cap_ertm_send(chan);
d5392c8f 3199
e2ab4353 3200 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
6a026610 3201 chan->frames_sent == 0) {
ab784b73 3202 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 3203 l2cap_send_sframe(chan, control);
d5392c8f
GP		 3204 }
3205}
3206
fb45de7d 3207static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u16 tx_seq, u8 sar)
8f17154f
GP		 3208{
3209 struct sk_buff *next_skb;
bfbacc11 3210 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 3211
3212 bt_cb(skb)->tx_seq = tx_seq;
3213 bt_cb(skb)->sar = sar;
3214
f1c6775b 3215 next_skb = skb_peek(&chan->srej_q);
8f17154f 3216 if (!next_skb) {
f1c6775b 3217 __skb_queue_tail(&chan->srej_q, skb);
9b53350d 3218 return 0;
8f17154f
GP		 3219 }
3220
42e5c802 3221 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
bfbacc11
JPRV		 3222 if (tx_seq_offset < 0)
3223 tx_seq_offset += 64;
3224
8f17154f 3225 do {
9b53350d
JPRV		 3226 if (bt_cb(next_skb)->tx_seq == tx_seq)
3227 return -EINVAL;
3228
bfbacc11 3229 next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
42e5c802 3230 chan->buffer_seq) % 64;
bfbacc11
JPRV		 3231 if (next_tx_seq_offset < 0)
3232 next_tx_seq_offset += 64;
3233
3234 if (next_tx_seq_offset > tx_seq_offset) {
f1c6775b 3235 __skb_queue_before(&chan->srej_q, next_skb, skb);
9b53350d 3236 return 0;
8f17154f
GP		 3237 }
3238
f1c6775b 3239 if (skb_queue_is_last(&chan->srej_q, next_skb))
8f17154f
GP		 3240 break;
3241
f1c6775b 3242 } while ((next_skb = skb_queue_next(&chan->srej_q, next_skb)));
8f17154f 3243
f1c6775b 3244 __skb_queue_tail(&chan->srej_q, skb);
9b53350d
JPRV		 3245
3246 return 0;
8f17154f
GP		 3247}
3248
84084a31
MM		 3249static void append_skb_frag(struct sk_buff *skb,
3250 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 3251{
84084a31
MM		 3252 /* skb->len reflects data in skb as well as all fragments
3253 * skb->data_len reflects only data in fragments
3254 */
3255 if (!skb_has_frag_list(skb))
3256 skb_shinfo(skb)->frag_list = new_frag;
3257
3258 new_frag->next = NULL;
3259
3260 (*last_frag)->next = new_frag;
3261 *last_frag = new_frag;
3262
3263 skb->len += new_frag->len;
3264 skb->data_len += new_frag->len;
3265 skb->truesize += new_frag->truesize;
3266}
3267
3268static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
3269{
3270 int err = -EINVAL;
18778a63 3271
7e0ef6ee
AE		 3272 switch (__get_ctrl_sar(chan, control)) {
3273 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 3274 if (chan->sdu)
3275 break;
18778a63 3276
84084a31
MM		 3277 err = chan->ops->recv(chan->data, skb);
3278 break;
18778a63 3279
7e0ef6ee 3280 case L2CAP_SAR_START:
84084a31
MM		 3281 if (chan->sdu)
3282 break;
18778a63 3283
6f61fd47 3284 chan->sdu_len = get_unaligned_le16(skb->data);
84084a31 3285 skb_pull(skb, 2);
18778a63 3286
84084a31
MM		 3287 if (chan->sdu_len > chan->imtu) {
3288 err = -EMSGSIZE;
3289 break;
3290 }
1890d36b 3291
84084a31
MM		 3292 if (skb->len >= chan->sdu_len)
3293 break;
18778a63 3294
84084a31
MM		 3295 chan->sdu = skb;
3296 chan->sdu_last_frag = skb;
18778a63 3297
84084a31
MM		 3298 skb = NULL;
3299 err = 0;
18778a63
GP		 3300 break;
3301
7e0ef6ee 3302 case L2CAP_SAR_CONTINUE:
6f61fd47 3303 if (!chan->sdu)
84084a31 3304 break;
18778a63 3305
84084a31
MM		 3306 append_skb_frag(chan->sdu, skb,
3307 &chan->sdu_last_frag);
3308 skb = NULL;
18778a63 3309
84084a31
MM		 3310 if (chan->sdu->len >= chan->sdu_len)
3311 break;
4178ba46 3312
84084a31 3313 err = 0;
18778a63
GP		 3314 break;
3315
7e0ef6ee 3316 case L2CAP_SAR_END:
6f61fd47 3317 if (!chan->sdu)
84084a31 3318 break;
18778a63 3319
84084a31
MM		 3320 append_skb_frag(chan->sdu, skb,
3321 &chan->sdu_last_frag);
3322 skb = NULL;
4178ba46 3323
84084a31
MM		 3324 if (chan->sdu->len != chan->sdu_len)
3325 break;
18778a63 3326
84084a31 3327 err = chan->ops->recv(chan->data, chan->sdu);
1890d36b 3328
84084a31
MM		 3329 if (!err) {
3330 /* Reassembly complete */
3331 chan->sdu = NULL;
3332 chan->sdu_last_frag = NULL;
3333 chan->sdu_len = 0;
1890d36b 3334 }
18778a63
GP		 3335 break;
3336 }
3337
84084a31
MM		 3338 if (err) {
3339 kfree_skb(skb);
3340 kfree_skb(chan->sdu);
3341 chan->sdu = NULL;
3342 chan->sdu_last_frag = NULL;
3343 chan->sdu_len = 0;
3344 }
18778a63 3345
84084a31 3346 return err;
18778a63
GP		 3347}
3348
26f880d2 3349static void l2cap_ertm_enter_local_busy(struct l2cap_chan *chan)
712132eb 3350{
712132eb 3351 u16 control;
712132eb 3352
26f880d2 3353 BT_DBG("chan %p, Enter local busy", chan);
712132eb 3354
26f880d2
MM		 3355 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3356
0b209fae 3357 control = __set_reqseq(chan, chan->buffer_seq);
ab784b73 3358 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
26f880d2
MM		 3359 l2cap_send_sframe(chan, control);
3360
3361 set_bit(CONN_RNR_SENT, &chan->conn_state);
3362
3363 __clear_ack_timer(chan);
3364}
3365
3366static void l2cap_ertm_exit_local_busy(struct l2cap_chan *chan)
3367{
3368 u16 control;
712132eb 3369
e2ab4353 3370 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
712132eb
GP		 3371 goto done;
3372
0b209fae 3373 control = __set_reqseq(chan, chan->buffer_seq);
e3781735 3374 control |= __set_ctrl_poll(chan);
ab784b73 3375 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 3376 l2cap_send_sframe(chan, control);
6a026610 3377 chan->retry_count = 1;
712132eb 3378
1a09bcb9
GP		 3379 __clear_retrans_timer(chan);
3380 __set_monitor_timer(chan);
712132eb 3381
e2ab4353 3382 set_bit(CONN_WAIT_F, &chan->conn_state);
712132eb
GP		 3383
3384done:
e2ab4353
GP		 3385 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3386 clear_bit(CONN_RNR_SENT, &chan->conn_state);
712132eb 3387
49208c9c 3388 BT_DBG("chan %p, Exit local busy", chan);
712132eb
GP		 3389}
3390
e328140f 3391void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
1890d36b 3392{
e328140f
MM		 3393 if (chan->mode == L2CAP_MODE_ERTM) {
3394 if (busy)
3395 l2cap_ertm_enter_local_busy(chan);
3396 else
3397 l2cap_ertm_exit_local_busy(chan);
1890d36b 3398 }
1890d36b
GP		 3399}
3400
fb45de7d 3401static void l2cap_check_srej_gap(struct l2cap_chan *chan, u16 tx_seq)
8f17154f
GP		 3402{
3403 struct sk_buff *skb;
afefdbc4 3404 u16 control;
8f17154f 3405
e328140f
MM		 3406 while ((skb = skb_peek(&chan->srej_q)) &&
3407 !test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3408 int err;
3409
8f17154f
GP		 3410 if (bt_cb(skb)->tx_seq != tx_seq)
3411 break;
3412
f1c6775b 3413 skb = skb_dequeue(&chan->srej_q);
7e0ef6ee 3414 control = __set_ctrl_sar(chan, bt_cb(skb)->sar);
84084a31 3415 err = l2cap_reassemble_sdu(chan, skb, control);
e328140f
MM		 3416
3417 if (err < 0) {
3418 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3419 break;
3420 }
3421
42e5c802
GP		 3422 chan->buffer_seq_srej =
3423 (chan->buffer_seq_srej + 1) % 64;
8ff50ec0 3424 tx_seq = (tx_seq + 1) % 64;
8f17154f
GP		 3425 }
3426}
3427
fb45de7d 3428static void l2cap_resend_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 3429{
8f17154f
GP		 3430 struct srej_list *l, *tmp;
3431 u16 control;
3432
39d5a3ee 3433 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
8f17154f
GP		 3434 if (l->tx_seq == tx_seq) {
3435 list_del(&l->list);
3436 kfree(l);
3437 return;
3438 }
ab784b73 3439 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 3440 control |= __set_reqseq(chan, l->tx_seq);
525cd185 3441 l2cap_send_sframe(chan, control);
8f17154f 3442 list_del(&l->list);
39d5a3ee 3443 list_add_tail(&l->list, &chan->srej_l);
8f17154f
GP		 3444 }
3445}
3446
fb45de7d 3447static void l2cap_send_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 3448{
8f17154f
GP		 3449 struct srej_list *new;
3450 u16 control;
3451
42e5c802 3452 while (tx_seq != chan->expected_tx_seq) {
ab784b73 3453 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 3454 control |= __set_reqseq(chan, chan->expected_tx_seq);
525cd185 3455 l2cap_send_sframe(chan, control);
8f17154f
GP		 3456
3457 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
42e5c802
GP		 3458 new->tx_seq = chan->expected_tx_seq;
3459 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
39d5a3ee 3460 list_add_tail(&new->list, &chan->srej_l);
8f17154f 3461 }
42e5c802 3462 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
8f17154f
GP		 3463}
3464
525cd185 3465static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
1c2acffb 3466{
fb45de7d 3467 u16 tx_seq = __get_txseq(chan, rx_control);
0b209fae 3468 u16 req_seq = __get_reqseq(chan, rx_control);
7e0ef6ee 3469 u8 sar = __get_ctrl_sar(chan, rx_control);
f6337c77 3470 int tx_seq_offset, expected_tx_seq_offset;
47d1ec61 3471 int num_to_ack = (chan->tx_win/6) + 1;
1c2acffb
GP		 3472 int err = 0;
3473
525cd185
GP		 3474 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%4.4x", chan, skb->len,
3475 tx_seq, rx_control);
1c2acffb 3476
03f6715d 3477 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 3478 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 3479 __clear_monitor_timer(chan);
6a026610 3480 if (chan->unacked_frames > 0)
1a09bcb9 3481 __set_retrans_timer(chan);
e2ab4353 3482 clear_bit(CONN_WAIT_F, &chan->conn_state);
1d8f5d16
GP		 3483 }
3484
42e5c802
GP		 3485 chan->expected_ack_seq = req_seq;
3486 l2cap_drop_acked_frames(chan);
9f121a5a 3487
42e5c802 3488 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
9b53350d
JPRV		 3489 if (tx_seq_offset < 0)
3490 tx_seq_offset += 64;
3491
3492 /* invalid tx_seq */
47d1ec61 3493 if (tx_seq_offset >= chan->tx_win) {
8c1d787b 3494 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
9b53350d
JPRV		 3495 goto drop;
3496 }
3497
e2ab4353 3498 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1890d36b
GP		 3499 goto drop;
3500
02f1b641
MM		 3501 if (tx_seq == chan->expected_tx_seq)
3502 goto expected;
3503
e2ab4353 3504 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
8f17154f 3505 struct srej_list *first;
30afb5b2 3506
39d5a3ee 3507 first = list_first_entry(&chan->srej_l,
8f17154f
GP		 3508 struct srej_list, list);
3509 if (tx_seq == first->tx_seq) {
42e5c802 3510 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
525cd185 3511 l2cap_check_srej_gap(chan, tx_seq);
8f17154f
GP		 3512
3513 list_del(&first->list);
3514 kfree(first);
3515
39d5a3ee 3516 if (list_empty(&chan->srej_l)) {
42e5c802 3517 chan->buffer_seq = chan->buffer_seq_srej;
e2ab4353 3518 clear_bit(CONN_SREJ_SENT, &chan->conn_state);
525cd185 3519 l2cap_send_ack(chan);
49208c9c 3520 BT_DBG("chan %p, Exit SREJ_SENT", chan);
8f17154f
GP		 3521 }
3522 } else {
3523 struct srej_list *l;
9b53350d
JPRV		 3524
3525 /* duplicated tx_seq */
42e5c802 3526 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
9b53350d 3527 goto drop;
8f17154f 3528
39d5a3ee 3529 list_for_each_entry(l, &chan->srej_l, list) {
8f17154f 3530 if (l->tx_seq == tx_seq) {
525cd185 3531 l2cap_resend_srejframe(chan, tx_seq);
8f17154f
GP		 3532 return 0;
3533 }
3534 }
525cd185 3535 l2cap_send_srejframe(chan, tx_seq);
30afb5b2
GP		 3536 }
3537 } else {
9b53350d 3538 expected_tx_seq_offset =
42e5c802 3539 (chan->expected_tx_seq - chan->buffer_seq) % 64;
9b53350d
JPRV		 3540 if (expected_tx_seq_offset < 0)
3541 expected_tx_seq_offset += 64;
3542
3543 /* duplicated tx_seq */
3544 if (tx_seq_offset < expected_tx_seq_offset)
3545 goto drop;
3546
e2ab4353 3547 set_bit(CONN_SREJ_SENT, &chan->conn_state);
1c2acffb 3548
49208c9c 3549 BT_DBG("chan %p, Enter SREJ", chan);
0e98958d 3550
39d5a3ee 3551 INIT_LIST_HEAD(&chan->srej_l);
42e5c802 3552 chan->buffer_seq_srej = chan->buffer_seq;
8f17154f 3553
f1c6775b 3554 __skb_queue_head_init(&chan->srej_q);
42e5c802 3555 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
8f17154f 3556
e2ab4353 3557 set_bit(CONN_SEND_PBIT, &chan->conn_state);
ef54fd93 3558
525cd185 3559 l2cap_send_srejframe(chan, tx_seq);
7fe9b298 3560
1a09bcb9 3561 __clear_ack_timer(chan);
1c2acffb 3562 }
30afb5b2
GP		 3563 return 0;
3564
8f17154f 3565expected:
42e5c802 3566 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
8f17154f 3567
e2ab4353 3568 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3b1a9f3f
GP		 3569 bt_cb(skb)->tx_seq = tx_seq;
3570 bt_cb(skb)->sar = sar;
f1c6775b 3571 __skb_queue_tail(&chan->srej_q, skb);
8f17154f
GP		 3572 return 0;
3573 }
3574
84084a31 3575 err = l2cap_reassemble_sdu(chan, skb, rx_control);
fadd192e 3576 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
e328140f
MM		 3577 if (err < 0) {
3578 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3579 return err;
3580 }
2ece3684 3581
03f6715d 3582 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3583 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3584 l2cap_retransmit_frames(chan);
4ec10d97
GP		 3585 }
3586
1a09bcb9 3587 __set_ack_timer(chan);
c1b4f43b 3588
6a026610
GP		 3589 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3590 if (chan->num_acked == num_to_ack - 1)
525cd185 3591 l2cap_send_ack(chan);
9e917af1 3592
8f17154f 3593 return 0;
9b53350d
JPRV		 3594
3595drop:
3596 kfree_skb(skb);
3597 return 0;
1c2acffb
GP		 3598}
3599
525cd185 3600static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u16 rx_control)
1c2acffb 3601{
0b209fae
AE		 3602 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan,
3603 __get_reqseq(chan, rx_control), rx_control);
0e98958d 3604
0b209fae 3605 chan->expected_ack_seq = __get_reqseq(chan, rx_control);
42e5c802 3606 l2cap_drop_acked_frames(chan);
1c2acffb 3607
e3781735 3608 if (__is_ctrl_poll(chan, rx_control)) {
e2ab4353
GP		 3609 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3610 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3611 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 3612 (chan->unacked_frames > 0))
1a09bcb9 3613 __set_retrans_timer(chan);
05fbd89d 3614
e2ab4353 3615 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
525cd185 3616 l2cap_send_srejtail(chan);
05fbd89d 3617 } else {
525cd185 3618 l2cap_send_i_or_rr_or_rnr(chan);
05fbd89d 3619 }
1d8f5d16 3620
03f6715d 3621 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3622 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4ec10d97 3623
e2ab4353 3624 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3625 l2cap_retransmit_frames(chan);
2246b2f1 3626
e072745f 3627 } else {
e2ab4353 3628 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 3629 (chan->unacked_frames > 0))
1a09bcb9 3630 __set_retrans_timer(chan);
1c2acffb 3631
e2ab4353
GP		 3632 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3633 if (test_bit(CONN_SREJ_SENT, &chan->conn_state))
525cd185 3634 l2cap_send_ack(chan);
894718a6 3635 else
525cd185 3636 l2cap_ertm_send(chan);
e072745f
GP		 3637 }
3638}
2246b2f1 3639
525cd185 3640static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3641{
0b209fae 3642 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 3643
525cd185 3644 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3645
e2ab4353 3646 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
e072745f 3647
42e5c802
GP		 3648 chan->expected_ack_seq = tx_seq;
3649 l2cap_drop_acked_frames(chan);
e072745f 3650
03f6715d 3651 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3652 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3653 l2cap_retransmit_frames(chan);
e072745f 3654 } else {
525cd185 3655 l2cap_retransmit_frames(chan);
30afb5b2 3656
e2ab4353
GP		 3657 if (test_bit(CONN_WAIT_F, &chan->conn_state))
3658 set_bit(CONN_REJ_ACT, &chan->conn_state);
e072745f
GP		 3659 }
3660}
525cd185 3661static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3662{
0b209fae 3663 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 3664
525cd185 3665 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3666
e2ab4353 3667 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
2246b2f1 3668
e3781735 3669 if (__is_ctrl_poll(chan, rx_control)) {
42e5c802
GP		 3670 chan->expected_ack_seq = tx_seq;
3671 l2cap_drop_acked_frames(chan);
3cb123d1 3672
e2ab4353 3673 set_bit(CONN_SEND_FBIT, &chan->conn_state);
525cd185 3674 l2cap_retransmit_one_frame(chan, tx_seq);
dfc909be 3675
525cd185 3676 l2cap_ertm_send(chan);
dfc909be 3677
e2ab4353 3678 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 3679 chan->srej_save_reqseq = tx_seq;
e2ab4353 3680 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 3681 }
03f6715d 3682 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3683 if (test_bit(CONN_SREJ_ACT, &chan->conn_state) &&
6a026610 3684 chan->srej_save_reqseq == tx_seq)
e2ab4353 3685 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
e072745f 3686 else
525cd185 3687 l2cap_retransmit_one_frame(chan, tx_seq);
e072745f 3688 } else {
525cd185 3689 l2cap_retransmit_one_frame(chan, tx_seq);
e2ab4353 3690 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 3691 chan->srej_save_reqseq = tx_seq;
e2ab4353 3692 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 3693 }
e072745f
GP		 3694 }
3695}
3696
525cd185 3697static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3698{
0b209fae 3699 u16 tx_seq = __get_reqseq(chan, rx_control);
e072745f 3700
525cd185 3701 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3702
e2ab4353 3703 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
42e5c802
GP		 3704 chan->expected_ack_seq = tx_seq;
3705 l2cap_drop_acked_frames(chan);
e072745f 3706
e3781735 3707 if (__is_ctrl_poll(chan, rx_control))
e2ab4353 3708 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3cb123d1 3709
e2ab4353 3710 if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
1a09bcb9 3711 __clear_retrans_timer(chan);
e3781735 3712 if (__is_ctrl_poll(chan, rx_control))
525cd185 3713 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
99b0d4b7 3714 return;
e072745f 3715 }
99b0d4b7 3716
e3781735 3717 if (__is_ctrl_poll(chan, rx_control)) {
525cd185 3718 l2cap_send_srejtail(chan);
ab784b73
AE		 3719 } else {
3720 rx_control = __set_ctrl_super(chan, L2CAP_SUPER_RR);
3721 l2cap_send_sframe(chan, rx_control);
3722 }
e072745f
GP		 3723}
3724
525cd185 3725static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
e072745f 3726{
525cd185 3727 BT_DBG("chan %p rx_control 0x%4.4x len %d", chan, rx_control, skb->len);
e072745f 3728
03f6715d 3729 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 3730 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 3731 __clear_monitor_timer(chan);
6a026610 3732 if (chan->unacked_frames > 0)
1a09bcb9 3733 __set_retrans_timer(chan);
e2ab4353 3734 clear_bit(CONN_WAIT_F, &chan->conn_state);
e072745f
GP		 3735 }
3736
ab784b73
AE		 3737 switch (__get_ctrl_super(chan, rx_control)) {
3738 case L2CAP_SUPER_RR:
525cd185 3739 l2cap_data_channel_rrframe(chan, rx_control);
8f17154f
GP		 3740 break;
3741
ab784b73 3742 case L2CAP_SUPER_REJ:
525cd185 3743 l2cap_data_channel_rejframe(chan, rx_control);
e072745f 3744 break;
2246b2f1 3745
ab784b73 3746 case L2CAP_SUPER_SREJ:
525cd185 3747 l2cap_data_channel_srejframe(chan, rx_control);
e072745f
GP		 3748 break;
3749
ab784b73 3750 case L2CAP_SUPER_RNR:
525cd185 3751 l2cap_data_channel_rnrframe(chan, rx_control);
1c2acffb
GP		 3752 break;
3753 }
3754
faaebd19 3755 kfree_skb(skb);
1c2acffb
GP		 3756 return 0;
3757}
3758
218bb9df
GP		 3759static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
3760{
525cd185 3761 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
218bb9df 3762 u16 control;
0b209fae 3763 u16 req_seq;
218bb9df
GP		 3764 int len, next_tx_seq_offset, req_seq_offset;
3765
3766 control = get_unaligned_le16(skb->data);
3767 skb_pull(skb, 2);
3768 len = skb->len;
3769
3770 /*
3771 * We can just drop the corrupted I-frame here.
3772 * Receiver will miss it and start proper recovery
3773 * procedures and ask retransmission.
3774 */
47d1ec61 3775 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 3776 goto drop;
3777
793c2f1c 3778 if (__is_sar_start(chan, control) && !__is_sframe(chan, control))
218bb9df
GP		 3779 len -= 2;
3780
47d1ec61 3781 if (chan->fcs == L2CAP_FCS_CRC16)
218bb9df
GP		 3782 len -= 2;
3783
47d1ec61 3784 if (len > chan->mps) {
8c1d787b 3785 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3786 goto drop;
3787 }
3788
0b209fae 3789 req_seq = __get_reqseq(chan, control);
42e5c802 3790 req_seq_offset = (req_seq - chan->expected_ack_seq) % 64;
218bb9df
GP		 3791 if (req_seq_offset < 0)
3792 req_seq_offset += 64;
3793
3794 next_tx_seq_offset =
42e5c802 3795 (chan->next_tx_seq - chan->expected_ack_seq) % 64;
218bb9df
GP		 3796 if (next_tx_seq_offset < 0)
3797 next_tx_seq_offset += 64;
3798
3799 /* check for invalid req-seq */
3800 if (req_seq_offset > next_tx_seq_offset) {
8c1d787b 3801 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3802 goto drop;
3803 }
3804
793c2f1c 3805 if (!__is_sframe(chan, control)) {
218bb9df 3806 if (len < 0) {
8c1d787b 3807 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3808 goto drop;
3809 }
3810
525cd185 3811 l2cap_data_channel_iframe(chan, control, skb);
218bb9df
GP		 3812 } else {
3813 if (len != 0) {
3814 BT_ERR("%d", len);
8c1d787b 3815 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3816 goto drop;
3817 }
3818
525cd185 3819 l2cap_data_channel_sframe(chan, control, skb);
218bb9df
GP		 3820 }
3821
3822 return 0;
3823
3824drop:
3825 kfree_skb(skb);
3826 return 0;
3827}
3828
1da177e4
LT		 3829static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
3830{
48454079 3831 struct l2cap_chan *chan;
bf734843 3832 struct sock *sk = NULL;
51893f88 3833 u16 control;
fb45de7d 3834 u16 tx_seq;
218bb9df 3835 int len;
1da177e4 3836
baa7e1fa 3837 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 3838 if (!chan) {
1da177e4
LT		 3839 BT_DBG("unknown cid 0x%4.4x", cid);
3840 goto drop;
3841 }
3842
48454079 3843 sk = chan->sk;
6840ed07 3844
49208c9c 3845 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 3846
89bc500e 3847 if (chan->state != BT_CONNECTED)
1da177e4
LT		 3848 goto drop;
3849
0c1bc5c6 3850 switch (chan->mode) {
1c2acffb
GP		 3851 case L2CAP_MODE_BASIC:
3852 /* If socket recv buffers overflows we drop data here
3853 * which is *bad* because L2CAP has to be reliable.
3854 * But we don't have any other choice. L2CAP doesn't
3855 * provide flow control mechanism. */
1da177e4 3856
0c1bc5c6 3857 if (chan->imtu < skb->len)
1c2acffb 3858 goto drop;
1da177e4 3859
23070494 3860 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP		 3861 goto done;
3862 break;
3863
3864 case L2CAP_MODE_ERTM:
218bb9df
GP		 3865 if (!sock_owned_by_user(sk)) {
3866 l2cap_ertm_data_rcv(sk, skb);
277ffbe3 3867 } else {
218bb9df 3868 if (sk_add_backlog(sk, skb))
277ffbe3 3869 goto drop;
277ffbe3 3870 }
1c2acffb 3871
fcafde2e 3872 goto done;
1c2acffb 3873
6840ed07
GP		 3874 case L2CAP_MODE_STREAMING:
3875 control = get_unaligned_le16(skb->data);
3876 skb_pull(skb, 2);
3877 len = skb->len;
3878
47d1ec61 3879 if (l2cap_check_fcs(chan, skb))
26000089
GP		 3880 goto drop;
3881
7e0ef6ee 3882 if (__is_sar_start(chan, control))
6840ed07
GP		 3883 len -= 2;
3884
47d1ec61 3885 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 3886 len -= 2;
3887
793c2f1c 3888 if (len > chan->mps || len < 0 || __is_sframe(chan, control))
6840ed07
GP		 3889 goto drop;
3890
fb45de7d 3891 tx_seq = __get_txseq(chan, control);
6840ed07 3892
84084a31
MM		 3893 if (chan->expected_tx_seq != tx_seq) {
3894 /* Frame(s) missing - must discard partial SDU */
3895 kfree_skb(chan->sdu);
3896 chan->sdu = NULL;
3897 chan->sdu_last_frag = NULL;
3898 chan->sdu_len = 0;
6840ed07 3899
84084a31
MM		 3900 /* TODO: Notify userland of missing data */
3901 }
3902
3903 chan->expected_tx_seq = (tx_seq + 1) % 64;
3904
3905 if (l2cap_reassemble_sdu(chan, skb, control) == -EMSGSIZE)
3906 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
6840ed07
GP		 3907
3908 goto done;
3909
1c2acffb 3910 default:
0c1bc5c6 3911 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 3912 break;
3913 }
1da177e4
LT		 3914
3915drop:
3916 kfree_skb(skb);
3917
3918done:
0139418c
MH		 3919 if (sk)
3920 bh_unlock_sock(sk);
3921
1da177e4
LT		 3922 return 0;
3923}
3924
8e036fc3 3925static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 3926{
6dcae1ea 3927 struct sock *sk = NULL;
23691d75 3928 struct l2cap_chan *chan;
1da177e4 3929
23691d75
GP		 3930 chan = l2cap_global_chan_by_psm(0, psm, conn->src);
3931 if (!chan)
1da177e4
LT		 3932 goto drop;
3933
23691d75
GP		 3934 sk = chan->sk;
3935
e0f0cb56
GP		 3936 bh_lock_sock(sk);
3937
1da177e4
LT		 3938 BT_DBG("sk %p, len %d", sk, skb->len);
3939
89bc500e 3940 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 3941 goto drop;
3942
e13e21dc 3943 if (chan->imtu < skb->len)
1da177e4
LT		 3944 goto drop;
3945
23070494 3946 if (!chan->ops->recv(chan->data, skb))
1da177e4
LT		 3947 goto done;
3948
3949drop:
3950 kfree_skb(skb);
3951
3952done:
af05b30b
GP		 3953 if (sk)
3954 bh_unlock_sock(sk);
1da177e4
LT		 3955 return 0;
3956}
3957
9f69bda6
GP		 3958static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
3959{
6dcae1ea 3960 struct sock *sk = NULL;
23691d75 3961 struct l2cap_chan *chan;
9f69bda6 3962
23691d75
GP		 3963 chan = l2cap_global_chan_by_scid(0, cid, conn->src);
3964 if (!chan)
9f69bda6
GP		 3965 goto drop;
3966
23691d75
GP		 3967 sk = chan->sk;
3968
9f69bda6
GP		 3969 bh_lock_sock(sk);
3970
3971 BT_DBG("sk %p, len %d", sk, skb->len);
3972
89bc500e 3973 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 3974 goto drop;
3975
e13e21dc 3976 if (chan->imtu < skb->len)
9f69bda6
GP		 3977 goto drop;
3978
23070494 3979 if (!chan->ops->recv(chan->data, skb))
9f69bda6
GP		 3980 goto done;
3981
3982drop:
3983 kfree_skb(skb);
3984
3985done:
3986 if (sk)
3987 bh_unlock_sock(sk);
3988 return 0;
3989}
3990
1da177e4
LT		 3991static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
3992{
3993 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 3994 u16 cid, len;
3995 __le16 psm;
1da177e4
LT		 3996
3997 skb_pull(skb, L2CAP_HDR_SIZE);
3998 cid = __le16_to_cpu(lh->cid);
3999 len = __le16_to_cpu(lh->len);
4000
1c2acffb
GP		 4001 if (len != skb->len) {
4002 kfree_skb(skb);
4003 return;
4004 }
4005
1da177e4
LT		 4006 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4007
4008 switch (cid) {
3300d9a9 4009 case L2CAP_CID_LE_SIGNALING:
8db4dc46 4010 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4011 l2cap_sig_channel(conn, skb);
4012 break;
4013
8db4dc46 4014 case L2CAP_CID_CONN_LESS:
1b7bf4ed 4015 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 4016 skb_pull(skb, 2);
4017 l2cap_conless_channel(conn, psm, skb);
4018 break;
4019
9f69bda6
GP		 4020 case L2CAP_CID_LE_DATA:
4021 l2cap_att_channel(conn, cid, skb);
4022 break;
4023
b501d6a1
AB		 4024 case L2CAP_CID_SMP:
4025 if (smp_sig_channel(conn, skb))
4026 l2cap_conn_del(conn->hcon, EACCES);
4027 break;
4028
1da177e4
LT		 4029 default:
4030 l2cap_data_channel(conn, cid, skb);
4031 break;
4032 }
4033}
4034
4035/* ---- L2CAP interface with lower layer (HCI) ---- */
4036
4037static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4038{
4039 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 4040 struct l2cap_chan *c;
1da177e4
LT		 4041
4042 if (type != ACL_LINK)
963cf687 4043 return -EINVAL;
1da177e4
LT		 4044
4045 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4046
4047 /* Find listening sockets and check their link_mode */
23691d75
GP		 4048 read_lock(&chan_list_lock);
4049 list_for_each_entry(c, &chan_list, global_l) {
4050 struct sock *sk = c->sk;
4343478f 4051
89bc500e 4052 if (c->state != BT_LISTEN)
1da177e4
LT		 4053 continue;
4054
4055 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4056 lm1 |= HCI_LM_ACCEPT;
43bd0f32 4057 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 4058 lm1 |= HCI_LM_MASTER;
1da177e4 4059 exact++;
2af6b9d5
MH		 4060 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4061 lm2 |= HCI_LM_ACCEPT;
43bd0f32 4062 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 4063 lm2 |= HCI_LM_MASTER;
4064 }
1da177e4 4065 }
23691d75 4066 read_unlock(&chan_list_lock);
1da177e4
LT		 4067
4068 return exact ? lm1 : lm2;
4069}
4070
4071static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4072{
0139418c
MH		 4073 struct l2cap_conn *conn;
4074
1da177e4
LT		 4075 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4076
acd7d370 4077 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4078 return -EINVAL;
1da177e4
LT		 4079
4080 if (!status) {
1da177e4
LT		 4081 conn = l2cap_conn_add(hcon, status);
4082 if (conn)
4083 l2cap_conn_ready(conn);
0139418c 4084 } else
e175072f 4085 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 4086
4087 return 0;
4088}
4089
2950f21a
MH		 4090static int l2cap_disconn_ind(struct hci_conn *hcon)
4091{
4092 struct l2cap_conn *conn = hcon->l2cap_data;
4093
4094 BT_DBG("hcon %p", hcon);
4095
b5694506 4096 if ((hcon->type != ACL_LINK && hcon->type != LE_LINK) || !conn)
2950f21a
MH		 4097 return 0x13;
4098
4099 return conn->disc_reason;
4100}
4101
4102static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4103{
4104 BT_DBG("hcon %p reason %d", hcon, reason);
4105
acd7d370 4106 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4107 return -EINVAL;
1da177e4 4108
e175072f 4109 l2cap_conn_del(hcon, bt_to_errno(reason));
0139418c 4110
1da177e4
LT		 4111 return 0;
4112}
4113
4343478f 4114static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4115{
715ec005 4116 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 4117 return;
4118
f62e4323 4119 if (encrypt == 0x00) {
4343478f 4120 if (chan->sec_level == BT_SECURITY_MEDIUM) {
c9b66675
GP		 4121 __clear_chan_timer(chan);
4122 __set_chan_timer(chan, HZ * 5);
4343478f 4123 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 4124 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4125 } else {
4343478f 4126 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 4127 __clear_chan_timer(chan);
f62e4323
MH		 4128 }
4129}
4130
8c1b2355 4131static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4132{
0139418c 4133 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4134 struct l2cap_chan *chan;
1da177e4 4135
0139418c 4136 if (!conn)
1da177e4 4137 return 0;
0139418c 4138
1da177e4
LT		 4139 BT_DBG("conn %p", conn);
4140
160dc6ac
VCG		 4141 if (hcon->type == LE_LINK) {
4142 smp_distribute_keys(conn, 0);
4143 del_timer(&conn->security_timer);
4144 }
4145
baa7e1fa 4146 read_lock(&conn->chan_lock);
1da177e4 4147
baa7e1fa 4148 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 4149 struct sock *sk = chan->sk;
baa7e1fa 4150
1da177e4
LT		 4151 bh_lock_sock(sk);
4152
f1cb9af5
VCG		 4153 BT_DBG("chan->scid %d", chan->scid);
4154
4155 if (chan->scid == L2CAP_CID_LE_DATA) {
4156 if (!status && encrypt) {
4157 chan->sec_level = hcon->sec_level;
4158 l2cap_chan_ready(sk);
4159 }
4160
4161 bh_unlock_sock(sk);
4162 continue;
4163 }
4164
c1360a1c 4165 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6a8d3010
MH		 4166 bh_unlock_sock(sk);
4167 continue;
4168 }
4169
89bc500e
GP		 4170 if (!status && (chan->state == BT_CONNECTED ||
4171 chan->state == BT_CONFIG)) {
4343478f 4172 l2cap_check_encryption(chan, encrypt);
9719f8af
MH		 4173 bh_unlock_sock(sk);
4174 continue;
4175 }
4176
89bc500e 4177 if (chan->state == BT_CONNECT) {
b1235d79
MH		 4178 if (!status) {
4179 struct l2cap_conn_req req;
fe4128e0
GP		 4180 req.scid = cpu_to_le16(chan->scid);
4181 req.psm = chan->psm;
1da177e4 4182
fc7f8a7e 4183 chan->ident = l2cap_get_ident(conn);
c1360a1c 4184 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4 4185
fc7f8a7e 4186 l2cap_send_cmd(conn, chan->ident,
b1235d79
MH		 4187 L2CAP_CONN_REQ, sizeof(req), &req);
4188 } else {
c9b66675
GP		 4189 __clear_chan_timer(chan);
4190 __set_chan_timer(chan, HZ / 10);
b1235d79 4191 }
89bc500e 4192 } else if (chan->state == BT_CONNECT2) {
b1235d79 4193 struct l2cap_conn_rsp rsp;
df3c3931 4194 __u16 res, stat;
1da177e4 4195
b1235d79 4196 if (!status) {
df3c3931
JH		 4197 if (bt_sk(sk)->defer_setup) {
4198 struct sock *parent = bt_sk(sk)->parent;
4199 res = L2CAP_CR_PEND;
4200 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 4201 if (parent)
4202 parent->sk_data_ready(parent, 0);
df3c3931 4203 } else {
05558911 4204 l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 4205 res = L2CAP_CR_SUCCESS;
4206 stat = L2CAP_CS_NO_INFO;
4207 }
b1235d79 4208 } else {
89bc500e 4209 l2cap_state_change(chan, BT_DISCONN);
c9b66675 4210 __set_chan_timer(chan, HZ / 10);
df3c3931
JH		 4211 res = L2CAP_CR_SEC_BLOCK;
4212 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 4213 }
4214
fe4128e0
GP		 4215 rsp.scid = cpu_to_le16(chan->dcid);
4216 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 4217 rsp.result = cpu_to_le16(res);
4218 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 4219 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4220 sizeof(rsp), &rsp);
b1235d79 4221 }
1da177e4
LT		 4222
4223 bh_unlock_sock(sk);
4224 }
4225
baa7e1fa 4226 read_unlock(&conn->chan_lock);
b1235d79 4227
1da177e4
LT		 4228 return 0;
4229}
4230
4231static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4232{
4233 struct l2cap_conn *conn = hcon->l2cap_data;
4234
5a08ecce
AE		 4235 if (!conn)
4236 conn = l2cap_conn_add(hcon, 0);
4237
4238 if (!conn)
1da177e4
LT		 4239 goto drop;
4240
4241 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4242
e702112f 4243 if (!(flags & ACL_CONT)) {
1da177e4 4244 struct l2cap_hdr *hdr;
48454079 4245 struct l2cap_chan *chan;
89794813 4246 u16 cid;
1da177e4
LT		 4247 int len;
4248
4249 if (conn->rx_len) {
4250 BT_ERR("Unexpected start frame (len %d)", skb->len);
4251 kfree_skb(conn->rx_skb);
4252 conn->rx_skb = NULL;
4253 conn->rx_len = 0;
4254 l2cap_conn_unreliable(conn, ECOMM);
4255 }
4256
aae7fe22
AE		 4257 /* Start fragment always begin with Basic L2CAP header */
4258 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 4259 BT_ERR("Frame is too short (len %d)", skb->len);
4260 l2cap_conn_unreliable(conn, ECOMM);
4261 goto drop;
4262 }
4263
4264 hdr = (struct l2cap_hdr *) skb->data;
4265 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
89794813 4266 cid = __le16_to_cpu(hdr->cid);
1da177e4
LT		 4267
4268 if (len == skb->len) {
4269 /* Complete frame received */
4270 l2cap_recv_frame(conn, skb);
4271 return 0;
4272 }
4273
4274 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4275
4276 if (skb->len > len) {
4277 BT_ERR("Frame is too long (len %d, expected len %d)",
4278 skb->len, len);
4279 l2cap_conn_unreliable(conn, ECOMM);
4280 goto drop;
4281 }
4282
baa7e1fa 4283 chan = l2cap_get_chan_by_scid(conn, cid);
89794813 4284
48454079
GP		 4285 if (chan && chan->sk) {
4286 struct sock *sk = chan->sk;
89794813 4287
0c1bc5c6 4288 if (chan->imtu < len - L2CAP_HDR_SIZE) {
48454079
GP		 4289 BT_ERR("Frame exceeding recv MTU (len %d, "
4290 "MTU %d)", len,
0c1bc5c6 4291 chan->imtu);
48454079
GP		 4292 bh_unlock_sock(sk);
4293 l2cap_conn_unreliable(conn, ECOMM);
4294 goto drop;
4295 }
89794813 4296 bh_unlock_sock(sk);
48454079 4297 }
89794813 4298
1da177e4 4299 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4300 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4301 if (!conn->rx_skb)
1da177e4
LT		 4302 goto drop;
4303
d626f62b 4304 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4305 skb->len);
1da177e4
LT		 4306 conn->rx_len = len - skb->len;
4307 } else {
4308 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4309
4310 if (!conn->rx_len) {
4311 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4312 l2cap_conn_unreliable(conn, ECOMM);
4313 goto drop;
4314 }
4315
4316 if (skb->len > conn->rx_len) {
4317 BT_ERR("Fragment is too long (len %d, expected %d)",
4318 skb->len, conn->rx_len);
4319 kfree_skb(conn->rx_skb);
4320 conn->rx_skb = NULL;
4321 conn->rx_len = 0;
4322 l2cap_conn_unreliable(conn, ECOMM);
4323 goto drop;
4324 }
4325
d626f62b 4326 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4327 skb->len);
1da177e4
LT		 4328 conn->rx_len -= skb->len;
4329
4330 if (!conn->rx_len) {
4331 /* Complete frame received */
4332 l2cap_recv_frame(conn, conn->rx_skb);
4333 conn->rx_skb = NULL;
4334 }
4335 }
4336
4337drop:
4338 kfree_skb(skb);
4339 return 0;
4340}
4341
aef7d97c 4342static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 4343{
23691d75 4344 struct l2cap_chan *c;
1da177e4 4345
23691d75 4346 read_lock_bh(&chan_list_lock);
1da177e4 4347
23691d75
GP		 4348 list_for_each_entry(c, &chan_list, global_l) {
4349 struct sock *sk = c->sk;
101545f6 4350
903d343e 4351 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 4352 batostr(&bt_sk(sk)->src),
4353 batostr(&bt_sk(sk)->dst),
89bc500e 4354 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 4355 c->scid, c->dcid, c->imtu, c->omtu,
4356 c->sec_level, c->mode);
05558911 4357}
1da177e4 4358
23691d75 4359 read_unlock_bh(&chan_list_lock);
1da177e4 4360
aef7d97c 4361 return 0;
1da177e4
LT		 4362}
4363
aef7d97c
MH		 4364static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4365{
4366 return single_open(file, l2cap_debugfs_show, inode->i_private);
4367}
4368
4369static const struct file_operations l2cap_debugfs_fops = {
4370 .open = l2cap_debugfs_open,
4371 .read = seq_read,
4372 .llseek = seq_lseek,
4373 .release = single_release,
4374};
4375
4376static struct dentry *l2cap_debugfs;
1da177e4 4377
1da177e4
LT		 4378static struct hci_proto l2cap_hci_proto = {
4379 .name = "L2CAP",
4380 .id = HCI_PROTO_L2CAP,
4381 .connect_ind = l2cap_connect_ind,
4382 .connect_cfm = l2cap_connect_cfm,
4383 .disconn_ind = l2cap_disconn_ind,
2950f21a 4384 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 4385 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 4386 .recv_acldata = l2cap_recv_acldata
4387};
4388
64274518 4389int __init l2cap_init(void)
1da177e4
LT		 4390{
4391 int err;
be9d1227 4392
bb58f747 4393 err = l2cap_init_sockets();
1da177e4
LT		 4394 if (err < 0)
4395 return err;
4396
1da177e4
LT		 4397 err = hci_register_proto(&l2cap_hci_proto);
4398 if (err < 0) {
4399 BT_ERR("L2CAP protocol registration failed");
4400 bt_sock_unregister(BTPROTO_L2CAP);
4401 goto error;
4402 }
4403
aef7d97c
MH		 4404 if (bt_debugfs) {
4405 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4406 bt_debugfs, NULL, &l2cap_debugfs_fops);
4407 if (!l2cap_debugfs)
4408 BT_ERR("Failed to create L2CAP debug file");
4409 }
1da177e4 4410
1da177e4
LT		 4411 return 0;
4412
4413error:
bb58f747 4414 l2cap_cleanup_sockets();
1da177e4
LT		 4415 return err;
4416}
4417
64274518 4418void l2cap_exit(void)
1da177e4 4419{
aef7d97c 4420 debugfs_remove(l2cap_debugfs);
1da177e4 4421
1da177e4
LT		 4422 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4423 BT_ERR("L2CAP protocol unregistration failed");
4424
bb58f747 4425 l2cap_cleanup_sockets();
1da177e4
LT		 4426}
4427
d1c4a17d
GP		 4428module_param(disable_ertm, bool, 0644);
4429MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
a5fd6f30
AE		 4430
4431module_param(enable_hs, bool, 0644);
4432MODULE_PARM_DESC(enable_hs, "Enable High Speed");
kernel source for telekom puls (alcatel/mediatek)