projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Restore accidentally-deleted line
[deliverable/linux.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
1da177e4
LT		 6
7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License version 2 as
11 published by the Free Software Foundation;
12
13 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
14 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
16 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 17 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
18 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
19 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 20 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21
8e87d142
YH		 22 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
23 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 24 SOFTWARE IS DISCLAIMED.
25*/
26
bb58f747 27/* Bluetooth L2CAP core. */
1da177e4 28
1da177e4
LT		 29#include <linux/module.h>
30
31#include <linux/types.h>
4fc268d2 32#include <linux/capability.h>
1da177e4
LT		 33#include <linux/errno.h>
34#include <linux/kernel.h>
1da177e4
LT		 35#include <linux/sched.h>
36#include <linux/slab.h>
37#include <linux/poll.h>
38#include <linux/fcntl.h>
39#include <linux/init.h>
40#include <linux/interrupt.h>
41#include <linux/socket.h>
42#include <linux/skbuff.h>
1da177e4 43#include <linux/list.h>
be9d1227 44#include <linux/device.h>
aef7d97c
MH		 45#include <linux/debugfs.h>
46#include <linux/seq_file.h>
af05b30b 47#include <linux/uaccess.h>
fcc203c3 48#include <linux/crc16.h>
1da177e4
LT		 49#include <net/sock.h>
50
51#include <asm/system.h>
1da177e4
LT		 52#include <asm/unaligned.h>
53
54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h>
57
bb58f747 58int disable_ertm;
f0709e03 59
47ec1dcd 60static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
e1027a7c 61static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 62
1890d36b
GP		 63static struct workqueue_struct *_busy_wq;
64
b5ad8b7f
JB		 65static LIST_HEAD(chan_list);
66static DEFINE_RWLOCK(chan_list_lock);
1da177e4 67
1890d36b
GP		 68static void l2cap_busy_work(struct work_struct *work);
69
1da177e4
LT		 70static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
71 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 72static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
73 void *data);
710f9b0a 74static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a
GP		 75static void l2cap_send_disconn_req(struct l2cap_conn *conn,
76 struct l2cap_chan *chan, int err);
1da177e4 77
218bb9df
GP		 78static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
79
0139418c 80/* ---- L2CAP channels ---- */
baa7e1fa 81static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 82{
48454079 83 struct l2cap_chan *c;
baa7e1fa
GP		 84
85 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 86 if (c->dcid == cid)
baa7e1fa 87 return c;
0139418c 88 }
baa7e1fa
GP		 89 return NULL;
90
0139418c
MH		 91}
92
baa7e1fa 93static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 94{
48454079 95 struct l2cap_chan *c;
baa7e1fa
GP		 96
97 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 98 if (c->scid == cid)
baa7e1fa 99 return c;
0139418c 100 }
baa7e1fa 101 return NULL;
0139418c
MH		 102}
103
104/* Find channel with given SCID.
105 * Returns locked socket */
baa7e1fa 106static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 107{
48454079 108 struct l2cap_chan *c;
baa7e1fa
GP		 109
110 read_lock(&conn->chan_lock);
111 c = __l2cap_get_chan_by_scid(conn, cid);
48454079
GP		 112 if (c)
113 bh_lock_sock(c->sk);
baa7e1fa 114 read_unlock(&conn->chan_lock);
48454079 115 return c;
0139418c
MH		 116}
117
baa7e1fa 118static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 119{
48454079 120 struct l2cap_chan *c;
baa7e1fa
GP		 121
122 list_for_each_entry(c, &conn->chan_l, list) {
fc7f8a7e 123 if (c->ident == ident)
baa7e1fa 124 return c;
0139418c 125 }
baa7e1fa 126 return NULL;
0139418c
MH		 127}
128
baa7e1fa 129static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 130{
48454079 131 struct l2cap_chan *c;
baa7e1fa
GP		 132
133 read_lock(&conn->chan_lock);
134 c = __l2cap_get_chan_by_ident(conn, ident);
48454079
GP		 135 if (c)
136 bh_lock_sock(c->sk);
baa7e1fa 137 read_unlock(&conn->chan_lock);
48454079 138 return c;
0139418c
MH		 139}
140
23691d75 141static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 142{
23691d75 143 struct l2cap_chan *c;
9e4425ff 144
23691d75
GP		 145 list_for_each_entry(c, &chan_list, global_l) {
146 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
9e4425ff
GP		 147 goto found;
148 }
149
23691d75 150 c = NULL;
9e4425ff 151found:
23691d75 152 return c;
9e4425ff
GP		 153}
154
155int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
156{
73b2ec18
GP		 157 int err;
158
23691d75 159 write_lock_bh(&chan_list_lock);
9e4425ff 160
23691d75 161 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 162 err = -EADDRINUSE;
163 goto done;
9e4425ff
GP		 164 }
165
73b2ec18
GP		 166 if (psm) {
167 chan->psm = psm;
168 chan->sport = psm;
169 err = 0;
170 } else {
171 u16 p;
172
173 err = -EINVAL;
174 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 175 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 176 chan->psm = cpu_to_le16(p);
177 chan->sport = cpu_to_le16(p);
178 err = 0;
179 break;
180 }
181 }
9e4425ff 182
73b2ec18 183done:
23691d75 184 write_unlock_bh(&chan_list_lock);
73b2ec18 185 return err;
9e4425ff
GP		 186}
187
188int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
189{
23691d75 190 write_lock_bh(&chan_list_lock);
9e4425ff
GP		 191
192 chan->scid = scid;
193
23691d75 194 write_unlock_bh(&chan_list_lock);
9e4425ff
GP		 195
196 return 0;
197}
198
baa7e1fa 199static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 200{
8db4dc46 201 u16 cid = L2CAP_CID_DYN_START;
0139418c 202
8db4dc46 203 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 204 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 205 return cid;
206 }
207
208 return 0;
209}
210
ab07801d
GP		 211static void l2cap_chan_set_timer(struct l2cap_chan *chan, long timeout)
212{
213 BT_DBG("chan %p state %d timeout %ld", chan->sk, chan->sk->sk_state,
214 timeout);
215 if (!mod_timer(&chan->chan_timer, jiffies + timeout))
216 sock_hold(chan->sk);
217}
218
500698d3 219static void l2cap_chan_clear_timer(struct l2cap_chan *chan)
ab07801d
GP		 220{
221 BT_DBG("chan %p state %d", chan, chan->sk->sk_state);
222
223 if (timer_pending(&chan->chan_timer) && del_timer(&chan->chan_timer))
224 __sock_put(chan->sk);
225}
226
227static void l2cap_chan_timeout(unsigned long arg)
228{
229 struct l2cap_chan *chan = (struct l2cap_chan *) arg;
230 struct sock *sk = chan->sk;
231 int reason;
232
233 BT_DBG("chan %p state %d", chan, sk->sk_state);
234
235 bh_lock_sock(sk);
236
237 if (sock_owned_by_user(sk)) {
238 /* sk is owned by user. Try again later */
239 l2cap_chan_set_timer(chan, HZ / 5);
240 bh_unlock_sock(sk);
241 sock_put(sk);
242 return;
243 }
244
245 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
246 reason = ECONNREFUSED;
247 else if (sk->sk_state == BT_CONNECT &&
248 chan->sec_level != BT_SECURITY_SDP)
249 reason = ECONNREFUSED;
250 else
251 reason = ETIMEDOUT;
252
0f852724 253 l2cap_chan_close(chan, reason);
ab07801d
GP		 254
255 bh_unlock_sock(sk);
256
257 l2cap_sock_kill(sk);
258 sock_put(sk);
259}
260
23691d75 261struct l2cap_chan *l2cap_chan_create(struct sock *sk)
48454079
GP		 262{
263 struct l2cap_chan *chan;
264
265 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
266 if (!chan)
267 return NULL;
268
269 chan->sk = sk;
270
23691d75
GP		 271 write_lock_bh(&chan_list_lock);
272 list_add(&chan->global_l, &chan_list);
273 write_unlock_bh(&chan_list_lock);
274
ab07801d
GP		 275 setup_timer(&chan->chan_timer, l2cap_chan_timeout, (unsigned long) chan);
276
48454079
GP		 277 return chan;
278}
279
23691d75 280void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 281{
23691d75
GP		 282 write_lock_bh(&chan_list_lock);
283 list_del(&chan->global_l);
284 write_unlock_bh(&chan_list_lock);
285
6ff5abbf
GP		 286 kfree(chan);
287}
288
48454079 289static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 290{
48454079 291 struct sock *sk = chan->sk;
0139418c 292
af05b30b 293 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
fe4128e0 294 chan->psm, chan->dcid);
0139418c 295
2950f21a
MH		 296 conn->disc_reason = 0x13;
297
8c1d787b 298 chan->conn = conn;
0139418c 299
715ec005 300 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
b62f328b
VT		 301 if (conn->hcon->type == LE_LINK) {
302 /* LE connection */
0c1bc5c6 303 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 304 chan->scid = L2CAP_CID_LE_DATA;
305 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 306 } else {
307 /* Alloc CID for connection-oriented socket */
fe4128e0 308 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 309 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 310 }
715ec005 311 } else if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
0139418c 312 /* Connectionless socket */
fe4128e0
GP		 313 chan->scid = L2CAP_CID_CONN_LESS;
314 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 315 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 316 } else {
317 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 318 chan->scid = L2CAP_CID_SIGNALING;
319 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 320 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 321 }
322
baa7e1fa
GP		 323 sock_hold(sk);
324
325 list_add(&chan->list, &conn->chan_l);
0139418c
MH		 326}
327
8e87d142 328/* Delete channel.
0139418c 329 * Must be called on the locked socket. */
4519de9a 330static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 331{
48454079 332 struct sock *sk = chan->sk;
8c1d787b 333 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 334 struct sock *parent = bt_sk(sk)->parent;
335
ab07801d 336 l2cap_chan_clear_timer(chan);
0139418c 337
49208c9c 338 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 339
8e87d142 340 if (conn) {
baa7e1fa
GP		 341 /* Delete from channel list */
342 write_lock_bh(&conn->chan_lock);
343 list_del(&chan->list);
344 write_unlock_bh(&conn->chan_lock);
345 __sock_put(sk);
346
8c1d787b 347 chan->conn = NULL;
0139418c
MH		 348 hci_conn_put(conn->hcon);
349 }
350
b1235d79 351 sk->sk_state = BT_CLOSED;
0139418c
MH		 352 sock_set_flag(sk, SOCK_ZAPPED);
353
354 if (err)
355 sk->sk_err = err;
356
357 if (parent) {
358 bt_accept_unlink(sk);
359 parent->sk_data_ready(parent, 0);
360 } else
361 sk->sk_state_change(sk);
c13ffa62 362
b4450035
GP		 363 if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE &&
364 chan->conf_state & L2CAP_CONF_INPUT_DONE))
6ff5abbf 365 return;
2ead70b8 366
58d35f87 367 skb_queue_purge(&chan->tx_q);
c13ffa62 368
0c1bc5c6 369 if (chan->mode == L2CAP_MODE_ERTM) {
c13ffa62
GP		 370 struct srej_list *l, *tmp;
371
e92c8e70
GP		 372 del_timer(&chan->retrans_timer);
373 del_timer(&chan->monitor_timer);
374 del_timer(&chan->ack_timer);
c13ffa62 375
f1c6775b
GP		 376 skb_queue_purge(&chan->srej_q);
377 skb_queue_purge(&chan->busy_q);
c13ffa62 378
39d5a3ee 379 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
c13ffa62
GP		 380 list_del(&l->list);
381 kfree(l);
382 }
383 }
0139418c
MH		 384}
385
4519de9a
GP		 386static void l2cap_chan_cleanup_listen(struct sock *parent)
387{
388 struct sock *sk;
389
390 BT_DBG("parent %p", parent);
391
392 /* Close not yet accepted channels */
0f852724
GP		 393 while ((sk = bt_accept_dequeue(parent, NULL))) {
394 l2cap_chan_clear_timer(l2cap_pi(sk)->chan);
395 lock_sock(sk);
396 l2cap_chan_close(l2cap_pi(sk)->chan, ECONNRESET);
397 release_sock(sk);
398 l2cap_sock_kill(sk);
399 }
4519de9a
GP		 400
401 parent->sk_state = BT_CLOSED;
402 sock_set_flag(parent, SOCK_ZAPPED);
403}
404
0f852724 405void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 406{
407 struct l2cap_conn *conn = chan->conn;
408 struct sock *sk = chan->sk;
409
410 BT_DBG("chan %p state %d socket %p", chan, sk->sk_state, sk->sk_socket);
411
412 switch (sk->sk_state) {
413 case BT_LISTEN:
414 l2cap_chan_cleanup_listen(sk);
415 break;
416
417 case BT_CONNECTED:
418 case BT_CONFIG:
715ec005 419 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 420 conn->hcon->type == ACL_LINK) {
500698d3 421 l2cap_chan_clear_timer(chan);
ab07801d 422 l2cap_chan_set_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 423 l2cap_send_disconn_req(conn, chan, reason);
424 } else
425 l2cap_chan_del(chan, reason);
426 break;
427
428 case BT_CONNECT2:
715ec005 429 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 430 conn->hcon->type == ACL_LINK) {
431 struct l2cap_conn_rsp rsp;
432 __u16 result;
433
434 if (bt_sk(sk)->defer_setup)
435 result = L2CAP_CR_SEC_BLOCK;
436 else
437 result = L2CAP_CR_BAD_PSM;
d8d69c54 438 sk->sk_state = BT_DISCONN;
4519de9a
GP		 439
440 rsp.scid = cpu_to_le16(chan->dcid);
441 rsp.dcid = cpu_to_le16(chan->scid);
442 rsp.result = cpu_to_le16(result);
443 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
444 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
445 sizeof(rsp), &rsp);
446 }
447
448 l2cap_chan_del(chan, reason);
449 break;
450
451 case BT_CONNECT:
452 case BT_DISCONN:
453 l2cap_chan_del(chan, reason);
454 break;
455
456 default:
457 sock_set_flag(sk, SOCK_ZAPPED);
458 break;
459 }
460}
461
4343478f 462static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 463{
715ec005 464 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 465 switch (chan->sec_level) {
8556edd3
JH		 466 case BT_SECURITY_HIGH:
467 return HCI_AT_DEDICATED_BONDING_MITM;
468 case BT_SECURITY_MEDIUM:
469 return HCI_AT_DEDICATED_BONDING;
470 default:
471 return HCI_AT_NO_BONDING;
472 }
fe4128e0 473 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 474 if (chan->sec_level == BT_SECURITY_LOW)
475 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 476
4343478f 477 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 478 return HCI_AT_NO_BONDING_MITM;
00ae4af9 479 else
8556edd3 480 return HCI_AT_NO_BONDING;
00ae4af9 481 } else {
4343478f 482 switch (chan->sec_level) {
00ae4af9 483 case BT_SECURITY_HIGH:
8556edd3 484 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 485 case BT_SECURITY_MEDIUM:
8556edd3 486 return HCI_AT_GENERAL_BONDING;
00ae4af9 487 default:
8556edd3 488 return HCI_AT_NO_BONDING;
00ae4af9 489 }
0684e5f9 490 }
8556edd3
JH		 491}
492
493/* Service level security */
4343478f 494static inline int l2cap_check_security(struct l2cap_chan *chan)
8556edd3 495{
8c1d787b 496 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 497 __u8 auth_type;
498
4343478f 499 auth_type = l2cap_get_auth_type(chan);
79d554a6 500
4343478f 501 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 502}
503
b5ad8b7f 504static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 505{
506 u8 id;
507
508 /* Get next available identificator.
509 * 1 - 128 are used by kernel.
510 * 129 - 199 are reserved.
511 * 200 - 254 are used by utilities like l2ping, etc.
512 */
513
514 spin_lock_bh(&conn->lock);
515
516 if (++conn->tx_ident > 128)
517 conn->tx_ident = 1;
518
519 id = conn->tx_ident;
520
521 spin_unlock_bh(&conn->lock);
522
523 return id;
524}
525
4519de9a 526static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 527{
528 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 529 u8 flags;
4e8402a3
MH		 530
531 BT_DBG("code 0x%2.2x", code);
532
533 if (!skb)
9a9c6a34 534 return;
4e8402a3 535
e702112f
AE		 536 if (lmp_no_flush_capable(conn->hcon->hdev))
537 flags = ACL_START_NO_FLUSH;
538 else
539 flags = ACL_START;
540
14b12d0b
JG		 541 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
542
e702112f 543 hci_send_acl(conn->hcon, skb, flags);
4e8402a3
MH		 544}
545
525cd185 546static inline void l2cap_send_sframe(struct l2cap_chan *chan, u16 control)
1c2acffb
GP		 547{
548 struct sk_buff *skb;
549 struct l2cap_hdr *lh;
525cd185 550 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
8c1d787b 551 struct l2cap_conn *conn = chan->conn;
c13ffa62 552 struct sock *sk = (struct sock *)pi;
fcc203c3 553 int count, hlen = L2CAP_HDR_SIZE + 2;
e702112f 554 u8 flags;
fcc203c3 555
c13ffa62
GP		 556 if (sk->sk_state != BT_CONNECTED)
557 return;
558
47d1ec61 559 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3 560 hlen += 2;
1c2acffb 561
49208c9c 562 BT_DBG("chan %p, control 0x%2.2x", chan, control);
1c2acffb 563
fcc203c3 564 count = min_t(unsigned int, conn->mtu, hlen);
1c2acffb
GP		 565 control |= L2CAP_CTRL_FRAME_TYPE;
566
525cd185 567 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
9e917af1 568 control |= L2CAP_CTRL_FINAL;
525cd185 569 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
9e917af1
GP		 570 }
571
525cd185 572 if (chan->conn_state & L2CAP_CONN_SEND_PBIT) {
f0946ccf 573 control |= L2CAP_CTRL_POLL;
525cd185 574 chan->conn_state &= ~L2CAP_CONN_SEND_PBIT;
f0946ccf
GP		 575 }
576
1c2acffb
GP		 577 skb = bt_skb_alloc(count, GFP_ATOMIC);
578 if (!skb)
9a9c6a34 579 return;
1c2acffb
GP		 580
581 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 582 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
fe4128e0 583 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 584 put_unaligned_le16(control, skb_put(skb, 2));
585
47d1ec61 586 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 587 u16 fcs = crc16(0, (u8 *)lh, count - 2);
588 put_unaligned_le16(fcs, skb_put(skb, 2));
589 }
590
e702112f
AE		 591 if (lmp_no_flush_capable(conn->hcon->hdev))
592 flags = ACL_START_NO_FLUSH;
593 else
594 flags = ACL_START;
595
14b12d0b
JG		 596 bt_cb(skb)->force_active = chan->force_active;
597
8c1d787b 598 hci_send_acl(chan->conn->hcon, skb, flags);
1c2acffb
GP		 599}
600
525cd185 601static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u16 control)
7e743090 602{
525cd185 603 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
7e743090 604 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185 605 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1890d36b 606 } else
7e743090
GP		 607 control |= L2CAP_SUPER_RCV_READY;
608
42e5c802 609 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
2ab25cdd 610
525cd185 611 l2cap_send_sframe(chan, control);
7e743090
GP		 612}
613
b4450035 614static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 615{
b4450035 616 return !(chan->conf_state & L2CAP_CONF_CONNECT_PEND);
e501d055
AE		 617}
618
fc7f8a7e 619static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 620{
8c1d787b 621 struct l2cap_conn *conn = chan->conn;
79d554a6
MH		 622
623 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 624 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
625 return;
626
4343478f
GP		 627 if (l2cap_check_security(chan) &&
628 __l2cap_no_conn_pending(chan)) {
b1235d79 629 struct l2cap_conn_req req;
fe4128e0
GP		 630 req.scid = cpu_to_le16(chan->scid);
631 req.psm = chan->psm;
79d554a6 632
fc7f8a7e 633 chan->ident = l2cap_get_ident(conn);
b4450035 634 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
79d554a6 635
fc7f8a7e
GP		 636 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
637 sizeof(req), &req);
b1235d79 638 }
79d554a6
MH		 639 } else {
640 struct l2cap_info_req req;
641 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
642
643 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
644 conn->info_ident = l2cap_get_ident(conn);
645
646 mod_timer(&conn->info_timer, jiffies +
647 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
648
649 l2cap_send_cmd(conn, conn->info_ident,
650 L2CAP_INFO_REQ, sizeof(req), &req);
651 }
652}
653
cf6c2c0b
GP		 654static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
655{
656 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 657 if (!disable_ertm)
cf6c2c0b
GP		 658 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
659
660 switch (mode) {
661 case L2CAP_MODE_ERTM:
662 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
663 case L2CAP_MODE_STREAMING:
664 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
665 default:
666 return 0x00;
667 }
668}
669
4519de9a 670static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 671{
e92c8e70 672 struct sock *sk;
22121fc9
GP		 673 struct l2cap_disconn_req req;
674
c13ffa62
GP		 675 if (!conn)
676 return;
677
e92c8e70
GP		 678 sk = chan->sk;
679
0c1bc5c6 680 if (chan->mode == L2CAP_MODE_ERTM) {
e92c8e70
GP		 681 del_timer(&chan->retrans_timer);
682 del_timer(&chan->monitor_timer);
683 del_timer(&chan->ack_timer);
c13ffa62
GP		 684 }
685
fe4128e0
GP		 686 req.dcid = cpu_to_le16(chan->dcid);
687 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 688 l2cap_send_cmd(conn, l2cap_get_ident(conn),
689 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62
GP		 690
691 sk->sk_state = BT_DISCONN;
9b108fc0 692 sk->sk_err = err;
22121fc9
GP		 693}
694
1da177e4 695/* ---- L2CAP connections ---- */
4e8402a3
MH		 696static void l2cap_conn_start(struct l2cap_conn *conn)
697{
820ffdb3 698 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 699
700 BT_DBG("conn %p", conn);
701
baa7e1fa 702 read_lock(&conn->chan_lock);
4e8402a3 703
820ffdb3 704 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 705 struct sock *sk = chan->sk;
baa7e1fa 706
4e8402a3
MH		 707 bh_lock_sock(sk);
708
715ec005 709 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
79d554a6
MH		 710 bh_unlock_sock(sk);
711 continue;
712 }
713
714 if (sk->sk_state == BT_CONNECT) {
47731de7 715 struct l2cap_conn_req req;
79d554a6 716
4343478f 717 if (!l2cap_check_security(chan) ||
b4450035 718 !__l2cap_no_conn_pending(chan)) {
47731de7
GP		 719 bh_unlock_sock(sk);
720 continue;
721 }
79d554a6 722
0c1bc5c6 723 if (!l2cap_mode_supported(chan->mode,
47731de7 724 conn->feat_mask)
b4450035 725 && chan->conf_state &
47731de7 726 L2CAP_CONF_STATE2_DEVICE) {
0f852724 727 /* l2cap_chan_close() calls list_del(chan)
820ffdb3
GP		 728 * so release the lock */
729 read_unlock_bh(&conn->chan_lock);
0f852724 730 l2cap_chan_close(chan, ECONNRESET);
820ffdb3 731 read_lock_bh(&conn->chan_lock);
47731de7
GP		 732 bh_unlock_sock(sk);
733 continue;
b1235d79 734 }
47731de7 735
fe4128e0
GP		 736 req.scid = cpu_to_le16(chan->scid);
737 req.psm = chan->psm;
47731de7 738
fc7f8a7e 739 chan->ident = l2cap_get_ident(conn);
b4450035 740 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
47731de7 741
fc7f8a7e
GP		 742 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
743 sizeof(req), &req);
47731de7 744
79d554a6
MH		 745 } else if (sk->sk_state == BT_CONNECT2) {
746 struct l2cap_conn_rsp rsp;
e9aeb2dd 747 char buf[128];
fe4128e0
GP		 748 rsp.scid = cpu_to_le16(chan->dcid);
749 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 750
4343478f 751 if (l2cap_check_security(chan)) {
f66dc81f
MH		 752 if (bt_sk(sk)->defer_setup) {
753 struct sock *parent = bt_sk(sk)->parent;
754 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
755 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
756 parent->sk_data_ready(parent, 0);
757
758 } else {
759 sk->sk_state = BT_CONFIG;
760 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
761 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
762 }
79d554a6
MH		 763 } else {
764 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
765 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
766 }
767
fc7f8a7e
GP		 768 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
769 sizeof(rsp), &rsp);
e9aeb2dd 770
b4450035 771 if (chan->conf_state & L2CAP_CONF_REQ_SENT ||
e9aeb2dd
GP		 772 rsp.result != L2CAP_CR_SUCCESS) {
773 bh_unlock_sock(sk);
774 continue;
775 }
776
b4450035 777 chan->conf_state |= L2CAP_CONF_REQ_SENT;
e9aeb2dd 778 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 779 l2cap_build_conf_req(chan, buf), buf);
780 chan->num_conf_req++;
4e8402a3
MH		 781 }
782
783 bh_unlock_sock(sk);
784 }
785
baa7e1fa 786 read_unlock(&conn->chan_lock);
4e8402a3
MH		 787}
788
b62f328b
VT		 789/* Find socket with cid and source bdaddr.
790 * Returns closest match, locked.
791 */
23691d75 792static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
b62f328b 793{
23691d75 794 struct l2cap_chan *c, *c1 = NULL;
b62f328b 795
23691d75 796 read_lock(&chan_list_lock);
b62f328b 797
23691d75
GP		 798 list_for_each_entry(c, &chan_list, global_l) {
799 struct sock *sk = c->sk;
fe4128e0 800
b62f328b
VT		 801 if (state && sk->sk_state != state)
802 continue;
803
23691d75 804 if (c->scid == cid) {
b62f328b 805 /* Exact match. */
23691d75
GP		 806 if (!bacmp(&bt_sk(sk)->src, src)) {
807 read_unlock(&chan_list_lock);
808 return c;
809 }
b62f328b
VT		 810
811 /* Closest match */
812 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 813 c1 = c;
b62f328b
VT		 814 }
815 }
280f294f 816
23691d75 817 read_unlock(&chan_list_lock);
b62f328b 818
23691d75 819 return c1;
b62f328b
VT		 820}
821
822static void l2cap_le_conn_ready(struct l2cap_conn *conn)
823{
c916fbe4 824 struct sock *parent, *sk;
23691d75 825 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 826
827 BT_DBG("");
828
829 /* Check if we have socket listening on cid */
23691d75 830 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
b62f328b 831 conn->src);
23691d75 832 if (!pchan)
b62f328b
VT		 833 return;
834
23691d75
GP		 835 parent = pchan->sk;
836
62f3a2cf
GP		 837 bh_lock_sock(parent);
838
b62f328b
VT		 839 /* Check for backlog size */
840 if (sk_acceptq_is_full(parent)) {
841 BT_DBG("backlog full %d", parent->sk_ack_backlog);
842 goto clean;
843 }
844
845 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
846 if (!sk)
847 goto clean;
848
23691d75 849 chan = l2cap_chan_create(sk);
48454079
GP		 850 if (!chan) {
851 l2cap_sock_kill(sk);
852 goto clean;
853 }
854
5d41ce1d
GP		 855 l2cap_pi(sk)->chan = chan;
856
baa7e1fa 857 write_lock_bh(&conn->chan_lock);
b62f328b
VT		 858
859 hci_conn_hold(conn->hcon);
860
861 l2cap_sock_init(sk, parent);
baa7e1fa 862
b62f328b
VT		 863 bacpy(&bt_sk(sk)->src, conn->src);
864 bacpy(&bt_sk(sk)->dst, conn->dst);
865
d1010240
GP		 866 bt_accept_enqueue(parent, sk);
867
48454079
GP		 868 __l2cap_chan_add(conn, chan);
869
ab07801d 870 l2cap_chan_set_timer(chan, sk->sk_sndtimeo);
b62f328b
VT		 871
872 sk->sk_state = BT_CONNECTED;
873 parent->sk_data_ready(parent, 0);
874
baa7e1fa 875 write_unlock_bh(&conn->chan_lock);
b62f328b
VT		 876
877clean:
878 bh_unlock_sock(parent);
879}
880
4e8402a3
MH		 881static void l2cap_conn_ready(struct l2cap_conn *conn)
882{
48454079 883 struct l2cap_chan *chan;
4e8402a3 884
79d554a6 885 BT_DBG("conn %p", conn);
4e8402a3 886
b62f328b
VT		 887 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
888 l2cap_le_conn_ready(conn);
889
baa7e1fa 890 read_lock(&conn->chan_lock);
4e8402a3 891
baa7e1fa 892 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 893 struct sock *sk = chan->sk;
baa7e1fa 894
79d554a6 895 bh_lock_sock(sk);
4e8402a3 896
acd7d370 897 if (conn->hcon->type == LE_LINK) {
ab07801d 898 l2cap_chan_clear_timer(chan);
acd7d370
VT		 899 sk->sk_state = BT_CONNECTED;
900 sk->sk_state_change(sk);
901 }
902
715ec005 903 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
ab07801d 904 l2cap_chan_clear_timer(chan);
79d554a6
MH		 905 sk->sk_state = BT_CONNECTED;
906 sk->sk_state_change(sk);
907 } else if (sk->sk_state == BT_CONNECT)
fc7f8a7e 908 l2cap_do_start(chan);
4e8402a3 909
79d554a6 910 bh_unlock_sock(sk);
4e8402a3 911 }
79d554a6 912
baa7e1fa 913 read_unlock(&conn->chan_lock);
4e8402a3
MH		 914}
915
916/* Notify sockets that we cannot guaranty reliability anymore */
917static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
918{
48454079 919 struct l2cap_chan *chan;
4e8402a3
MH		 920
921 BT_DBG("conn %p", conn);
922
baa7e1fa 923 read_lock(&conn->chan_lock);
4e8402a3 924
baa7e1fa 925 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 926 struct sock *sk = chan->sk;
baa7e1fa 927
4343478f 928 if (chan->force_reliable)
4e8402a3
MH		 929 sk->sk_err = err;
930 }
931
baa7e1fa 932 read_unlock(&conn->chan_lock);
4e8402a3
MH		 933}
934
935static void l2cap_info_timeout(unsigned long arg)
936{
937 struct l2cap_conn *conn = (void *) arg;
938
984947dc 939 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 940 conn->info_ident = 0;
984947dc 941
4e8402a3
MH		 942 l2cap_conn_start(conn);
943}
944
1da177e4
LT		 945static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
946{
0139418c 947 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 948
0139418c 949 if (conn || status)
1da177e4
LT		 950 return conn;
951
0139418c
MH		 952 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
953 if (!conn)
1da177e4 954 return NULL;
1da177e4
LT		 955
956 hcon->l2cap_data = conn;
957 conn->hcon = hcon;
958
0139418c
MH		 959 BT_DBG("hcon %p conn %p", hcon, conn);
960
acd7d370
VT		 961 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
962 conn->mtu = hcon->hdev->le_mtu;
963 else
964 conn->mtu = hcon->hdev->acl_mtu;
965
1da177e4
LT		 966 conn->src = &hcon->hdev->bdaddr;
967 conn->dst = &hcon->dst;
968
4e8402a3
MH		 969 conn->feat_mask = 0;
970
1da177e4 971 spin_lock_init(&conn->lock);
baa7e1fa
GP		 972 rwlock_init(&conn->chan_lock);
973
974 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 975
b62f328b
VT		 976 if (hcon->type != LE_LINK)
977 setup_timer(&conn->info_timer, l2cap_info_timeout,
45054dc1
DY		 978 (unsigned long) conn);
979
2950f21a
MH		 980 conn->disc_reason = 0x13;
981
1da177e4
LT		 982 return conn;
983}
984
0139418c 985static void l2cap_conn_del(struct hci_conn *hcon, int err)
1da177e4 986{
0139418c 987 struct l2cap_conn *conn = hcon->l2cap_data;
baa7e1fa 988 struct l2cap_chan *chan, *l;
1da177e4
LT		 989 struct sock *sk;
990
0139418c
MH		 991 if (!conn)
992 return;
1da177e4
LT		 993
994 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
995
7585b97a 996 kfree_skb(conn->rx_skb);
1da177e4
LT		 997
998 /* Kill channels */
baa7e1fa 999 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
48454079 1000 sk = chan->sk;
1da177e4 1001 bh_lock_sock(sk);
48454079 1002 l2cap_chan_del(chan, err);
1da177e4
LT		 1003 bh_unlock_sock(sk);
1004 l2cap_sock_kill(sk);
1005 }
1006
8e8440f5
DY		 1007 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1008 del_timer_sync(&conn->info_timer);
3ab22731 1009
1da177e4
LT		 1010 hcon->l2cap_data = NULL;
1011 kfree(conn);
1da177e4
LT		 1012}
1013
48454079 1014static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
1da177e4 1015{
baa7e1fa 1016 write_lock_bh(&conn->chan_lock);
48454079 1017 __l2cap_chan_add(conn, chan);
baa7e1fa 1018 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 1019}
1020
1da177e4 1021/* ---- Socket interface ---- */
1da177e4
LT		 1022
1023/* Find socket with psm and source bdaddr.
1024 * Returns closest match.
1025 */
23691d75 1026static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4 1027{
23691d75 1028 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1029
23691d75 1030 read_lock(&chan_list_lock);
e0f0cb56 1031
23691d75
GP		 1032 list_for_each_entry(c, &chan_list, global_l) {
1033 struct sock *sk = c->sk;
fe4128e0 1034
1da177e4
LT		 1035 if (state && sk->sk_state != state)
1036 continue;
1037
23691d75 1038 if (c->psm == psm) {
1da177e4 1039 /* Exact match. */
23691d75 1040 if (!bacmp(&bt_sk(sk)->src, src)) {
a7567b20 1041 read_unlock(&chan_list_lock);
23691d75
GP		 1042 return c;
1043 }
1da177e4
LT		 1044
1045 /* Closest match */
1046 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 1047 c1 = c;
1da177e4
LT		 1048 }
1049 }
1da177e4 1050
23691d75 1051 read_unlock(&chan_list_lock);
e0f0cb56 1052
23691d75 1053 return c1;
1da177e4
LT		 1054}
1055
77a74c7e 1056int l2cap_chan_connect(struct l2cap_chan *chan)
1da177e4 1057{
5d41ce1d 1058 struct sock *sk = chan->sk;
1da177e4
LT		 1059 bdaddr_t *src = &bt_sk(sk)->src;
1060 bdaddr_t *dst = &bt_sk(sk)->dst;
1061 struct l2cap_conn *conn;
1062 struct hci_conn *hcon;
1063 struct hci_dev *hdev;
09ab6f4c 1064 __u8 auth_type;
44d0e48e 1065 int err;
1da177e4 1066
f29972de 1067 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
fe4128e0 1068 chan->psm);
1da177e4 1069
af05b30b
GP		 1070 hdev = hci_get_route(dst, src);
1071 if (!hdev)
1da177e4
LT		 1072 return -EHOSTUNREACH;
1073
1074 hci_dev_lock_bh(hdev);
1075
4343478f 1076 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1077
fe4128e0 1078 if (chan->dcid == L2CAP_CID_LE_DATA)
acd7d370 1079 hcon = hci_connect(hdev, LE_LINK, dst,
4343478f 1080 chan->sec_level, auth_type);
acd7d370
VT		 1081 else
1082 hcon = hci_connect(hdev, ACL_LINK, dst,
4343478f 1083 chan->sec_level, auth_type);
acd7d370 1084
30e76272
VT		 1085 if (IS_ERR(hcon)) {
1086 err = PTR_ERR(hcon);
1da177e4 1087 goto done;
30e76272 1088 }
1da177e4
LT		 1089
1090 conn = l2cap_conn_add(hcon, 0);
1091 if (!conn) {
1092 hci_conn_put(hcon);
30e76272 1093 err = -ENOMEM;
1da177e4
LT		 1094 goto done;
1095 }
1096
1da177e4
LT		 1097 /* Update source addr of the socket */
1098 bacpy(src, conn->src);
1099
48454079
GP		 1100 l2cap_chan_add(conn, chan);
1101
1da177e4 1102 sk->sk_state = BT_CONNECT;
ab07801d 1103 l2cap_chan_set_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1104
1105 if (hcon->state == BT_CONNECTED) {
715ec005 1106 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
ab07801d 1107 l2cap_chan_clear_timer(chan);
4343478f 1108 if (l2cap_check_security(chan))
d00ef24f 1109 sk->sk_state = BT_CONNECTED;
79d554a6 1110 } else
fc7f8a7e 1111 l2cap_do_start(chan);
1da177e4
LT		 1112 }
1113
30e76272
VT		 1114 err = 0;
1115
1da177e4
LT		 1116done:
1117 hci_dev_unlock_bh(hdev);
1118 hci_dev_put(hdev);
1119 return err;
1120}
1121
dcba0dba 1122int __l2cap_wait_ack(struct sock *sk)
6161c038 1123{
8c1d787b 1124 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1125 DECLARE_WAITQUEUE(wait, current);
1126 int err = 0;
1127 int timeo = HZ/5;
1128
2b0b05dd 1129 add_wait_queue(sk_sleep(sk), &wait);
8c1d787b 1130 while ((chan->unacked_frames > 0 && chan->conn)) {
6161c038
GP		 1131 set_current_state(TASK_INTERRUPTIBLE);
1132
1133 if (!timeo)
1134 timeo = HZ/5;
1135
1136 if (signal_pending(current)) {
1137 err = sock_intr_errno(timeo);
1138 break;
1139 }
1140
1141 release_sock(sk);
1142 timeo = schedule_timeout(timeo);
1143 lock_sock(sk);
1144
1145 err = sock_error(sk);
1146 if (err)
1147 break;
1148 }
1149 set_current_state(TASK_RUNNING);
2b0b05dd 1150 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1151 return err;
1152}
1153
e90bac06
GP		 1154static void l2cap_monitor_timeout(unsigned long arg)
1155{
525cd185
GP		 1156 struct l2cap_chan *chan = (void *) arg;
1157 struct sock *sk = chan->sk;
e90bac06 1158
525cd185 1159 BT_DBG("chan %p", chan);
0e98958d 1160
e686219a 1161 bh_lock_sock(sk);
2c03a7a4 1162 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1163 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
b13f5860 1164 bh_unlock_sock(sk);
e90bac06
GP		 1165 return;
1166 }
1167
6a026610 1168 chan->retry_count++;
e90bac06
GP		 1169 __mod_monitor_timer();
1170
525cd185 1171 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1172 bh_unlock_sock(sk);
e90bac06
GP		 1173}
1174
1175static void l2cap_retrans_timeout(unsigned long arg)
1176{
525cd185
GP		 1177 struct l2cap_chan *chan = (void *) arg;
1178 struct sock *sk = chan->sk;
e90bac06 1179
49208c9c 1180 BT_DBG("chan %p", chan);
0e98958d 1181
e686219a 1182 bh_lock_sock(sk);
6a026610 1183 chan->retry_count = 1;
e90bac06
GP		 1184 __mod_monitor_timer();
1185
525cd185 1186 chan->conn_state |= L2CAP_CONN_WAIT_F;
e90bac06 1187
525cd185 1188 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1189 bh_unlock_sock(sk);
e90bac06
GP		 1190}
1191
42e5c802 1192static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1da177e4 1193{
1c2acffb 1194 struct sk_buff *skb;
1da177e4 1195
58d35f87 1196 while ((skb = skb_peek(&chan->tx_q)) &&
6a026610 1197 chan->unacked_frames) {
42e5c802 1198 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1c2acffb 1199 break;
1da177e4 1200
58d35f87 1201 skb = skb_dequeue(&chan->tx_q);
1c2acffb 1202 kfree_skb(skb);
1da177e4 1203
6a026610 1204 chan->unacked_frames--;
1c2acffb 1205 }
1da177e4 1206
6a026610 1207 if (!chan->unacked_frames)
e92c8e70 1208 del_timer(&chan->retrans_timer);
1c2acffb 1209}
1da177e4 1210
4343478f 1211void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
1c2acffb 1212{
8c1d787b 1213 struct hci_conn *hcon = chan->conn->hcon;
e702112f 1214 u16 flags;
1c2acffb 1215
4343478f 1216 BT_DBG("chan %p, skb %p len %d", chan, skb, skb->len);
1da177e4 1217
4343478f 1218 if (!chan->flushable && lmp_no_flush_capable(hcon->hdev))
e702112f
AE		 1219 flags = ACL_START_NO_FLUSH;
1220 else
1221 flags = ACL_START;
1222
14b12d0b 1223 bt_cb(skb)->force_active = chan->force_active;
e702112f 1224 hci_send_acl(hcon, skb, flags);
1c2acffb
GP		 1225}
1226
42e5c802 1227void l2cap_streaming_send(struct l2cap_chan *chan)
6840ed07 1228{
ccbb84af 1229 struct sk_buff *skb;
fcc203c3 1230 u16 control, fcs;
6840ed07 1231
58d35f87 1232 while ((skb = skb_dequeue(&chan->tx_q))) {
ccbb84af 1233 control = get_unaligned_le16(skb->data + L2CAP_HDR_SIZE);
42e5c802 1234 control |= chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
ccbb84af 1235 put_unaligned_le16(control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1236
47d1ec61 1237 if (chan->fcs == L2CAP_FCS_CRC16) {
ccbb84af
GP		 1238 fcs = crc16(0, (u8 *)skb->data, skb->len - 2);
1239 put_unaligned_le16(fcs, skb->data + skb->len - 2);
fcc203c3
GP		 1240 }
1241
4343478f 1242 l2cap_do_send(chan, skb);
6840ed07 1243
42e5c802 1244 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
6840ed07 1245 }
6840ed07
GP		 1246}
1247
525cd185 1248static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 1249{
8f17154f
GP		 1250 struct sk_buff *skb, *tx_skb;
1251 u16 control, fcs;
8f17154f 1252
58d35f87 1253 skb = skb_peek(&chan->tx_q);
f11d676d
GP		 1254 if (!skb)
1255 return;
8f17154f 1256
f11d676d
GP		 1257 do {
1258 if (bt_cb(skb)->tx_seq == tx_seq)
8f17154f 1259 break;
8f17154f 1260
58d35f87 1261 if (skb_queue_is_last(&chan->tx_q, skb))
f11d676d 1262 return;
8f17154f 1263
58d35f87 1264 } while ((skb = skb_queue_next(&chan->tx_q, skb)));
8f17154f 1265
2c03a7a4
GP		 1266 if (chan->remote_max_tx &&
1267 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1268 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
f11d676d
GP		 1269 return;
1270 }
1271
1272 tx_skb = skb_clone(skb, GFP_ATOMIC);
1273 bt_cb(skb)->retries++;
1274 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
a429b519 1275 control &= L2CAP_CTRL_SAR;
3cb123d1 1276
525cd185 1277 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
3cb123d1 1278 control |= L2CAP_CTRL_FINAL;
525cd185 1279 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
3cb123d1 1280 }
95ffa978 1281
42e5c802 1282 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
f11d676d 1283 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
3cb123d1 1284
f11d676d
GP		 1285 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1286
47d1ec61 1287 if (chan->fcs == L2CAP_FCS_CRC16) {
f11d676d
GP		 1288 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1289 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1290 }
1291
4343478f 1292 l2cap_do_send(chan, tx_skb);
8f17154f
GP		 1293}
1294
525cd185 1295int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1296{
1297 struct sk_buff *skb, *tx_skb;
525cd185 1298 struct sock *sk = chan->sk;
fcc203c3 1299 u16 control, fcs;
9a9c6a34 1300 int nsent = 0;
1c2acffb 1301
c13ffa62
GP		 1302 if (sk->sk_state != BT_CONNECTED)
1303 return -ENOTCONN;
e90bac06 1304
58d35f87 1305 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1c2acffb 1306
2c03a7a4
GP		 1307 if (chan->remote_max_tx &&
1308 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1309 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
e90bac06
GP		 1310 break;
1311 }
1312
e420aba3
AE		 1313 tx_skb = skb_clone(skb, GFP_ATOMIC);
1314
e90bac06
GP		 1315 bt_cb(skb)->retries++;
1316
1c2acffb 1317 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
95ffa978
GP		 1318 control &= L2CAP_CTRL_SAR;
1319
525cd185 1320 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
d5392c8f 1321 control |= L2CAP_CTRL_FINAL;
525cd185 1322 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
d5392c8f 1323 }
42e5c802
GP		 1324 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1325 | (chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1c2acffb
GP		 1326 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1327
e90bac06 1328
47d1ec61 1329 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1330 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1331 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1332 }
1333
4343478f 1334 l2cap_do_send(chan, tx_skb);
9a9c6a34 1335
e90bac06 1336 __mod_retrans_timer();
1c2acffb 1337
42e5c802
GP		 1338 bt_cb(skb)->tx_seq = chan->next_tx_seq;
1339 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
1c2acffb 1340
23e9fde2 1341 if (bt_cb(skb)->retries == 1)
6a026610 1342 chan->unacked_frames++;
23e9fde2 1343
6a026610 1344 chan->frames_sent++;
1c2acffb 1345
58d35f87
GP		 1346 if (skb_queue_is_last(&chan->tx_q, skb))
1347 chan->tx_send_head = NULL;
1c2acffb 1348 else
58d35f87 1349 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
9e917af1
GP		 1350
1351 nsent++;
1c2acffb
GP		 1352 }
1353
9e917af1
GP		 1354 return nsent;
1355}
1356
525cd185 1357static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1358{
dfc909be
GP		 1359 int ret;
1360
58d35f87
GP		 1361 if (!skb_queue_empty(&chan->tx_q))
1362 chan->tx_send_head = chan->tx_q.next;
dfc909be 1363
42e5c802 1364 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1365 ret = l2cap_ertm_send(chan);
dfc909be
GP		 1366 return ret;
1367}
1368
525cd185 1369static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1370{
9e917af1
GP		 1371 u16 control = 0;
1372
42e5c802 1373 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
9e917af1 1374
525cd185 1375 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
9e917af1 1376 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185
GP		 1377 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1378 l2cap_send_sframe(chan, control);
9a9c6a34 1379 return;
9e917af1 1380 }
dfc909be 1381
525cd185 1382 if (l2cap_ertm_send(chan) > 0)
dfc909be
GP		 1383 return;
1384
1385 control |= L2CAP_SUPER_RCV_READY;
525cd185 1386 l2cap_send_sframe(chan, control);
1c2acffb
GP		 1387}
1388
525cd185 1389static void l2cap_send_srejtail(struct l2cap_chan *chan)
99b0d4b7
GP		 1390{
1391 struct srej_list *tail;
1392 u16 control;
1393
1394 control = L2CAP_SUPER_SELECT_REJECT;
1395 control |= L2CAP_CTRL_FINAL;
1396
39d5a3ee 1397 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
99b0d4b7
GP		 1398 control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1399
525cd185 1400 l2cap_send_sframe(chan, control);
99b0d4b7
GP		 1401}
1402
1c2acffb
GP		 1403static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1404{
8c1d787b 1405 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1c2acffb
GP		 1406 struct sk_buff **frag;
1407 int err, sent = 0;
1da177e4 1408
59203a21 1409 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1410 return -EFAULT;
1da177e4
LT		 1411
1412 sent += count;
1413 len -= count;
1414
1415 /* Continuation fragments (no L2CAP header) */
1416 frag = &skb_shinfo(skb)->frag_list;
1417 while (len) {
1418 count = min_t(unsigned int, conn->mtu, len);
1419
1420 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1421 if (!*frag)
0175d629 1422 return err;
1c2acffb
GP		 1423 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1424 return -EFAULT;
1da177e4
LT		 1425
1426 sent += count;
1427 len -= count;
1428
1429 frag = &(*frag)->next;
1430 }
1da177e4
LT		 1431
1432 return sent;
1c2acffb 1433}
1da177e4 1434
fe4128e0 1435struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1c2acffb 1436{
fe4128e0 1437 struct sock *sk = chan->sk;
8c1d787b 1438 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1439 struct sk_buff *skb;
1440 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1441 struct l2cap_hdr *lh;
1442
1443 BT_DBG("sk %p len %d", sk, (int)len);
1444
1445 count = min_t(unsigned int, (conn->mtu - hlen), len);
1446 skb = bt_skb_send_alloc(sk, count + hlen,
1447 msg->msg_flags & MSG_DONTWAIT, &err);
1448 if (!skb)
0175d629 1449 return ERR_PTR(err);
1c2acffb
GP		 1450
1451 /* Create L2CAP header */
1452 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1453 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1454 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
fe4128e0 1455 put_unaligned_le16(chan->psm, skb_put(skb, 2));
1c2acffb
GP		 1456
1457 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1458 if (unlikely(err < 0)) {
1459 kfree_skb(skb);
1460 return ERR_PTR(err);
1461 }
1462 return skb;
1463}
1464
fe4128e0 1465struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1c2acffb 1466{
fe4128e0 1467 struct sock *sk = chan->sk;
8c1d787b 1468 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1469 struct sk_buff *skb;
1470 int err, count, hlen = L2CAP_HDR_SIZE;
1471 struct l2cap_hdr *lh;
1472
1473 BT_DBG("sk %p len %d", sk, (int)len);
1474
1475 count = min_t(unsigned int, (conn->mtu - hlen), len);
1476 skb = bt_skb_send_alloc(sk, count + hlen,
1477 msg->msg_flags & MSG_DONTWAIT, &err);
1478 if (!skb)
0175d629 1479 return ERR_PTR(err);
1c2acffb
GP		 1480
1481 /* Create L2CAP header */
1482 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1483 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1484 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1485
1486 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1487 if (unlikely(err < 0)) {
1488 kfree_skb(skb);
1489 return ERR_PTR(err);
1490 }
1491 return skb;
1492}
1493
47d1ec61 1494struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
1c2acffb 1495{
47d1ec61 1496 struct sock *sk = chan->sk;
8c1d787b 1497 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1498 struct sk_buff *skb;
1499 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1500 struct l2cap_hdr *lh;
1501
1502 BT_DBG("sk %p len %d", sk, (int)len);
1503
0ee0d208
GP		 1504 if (!conn)
1505 return ERR_PTR(-ENOTCONN);
1506
c74e560c
GP		 1507 if (sdulen)
1508 hlen += 2;
1509
47d1ec61 1510 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 1511 hlen += 2;
1512
1c2acffb
GP		 1513 count = min_t(unsigned int, (conn->mtu - hlen), len);
1514 skb = bt_skb_send_alloc(sk, count + hlen,
1515 msg->msg_flags & MSG_DONTWAIT, &err);
1516 if (!skb)
0175d629 1517 return ERR_PTR(err);
1c2acffb
GP		 1518
1519 /* Create L2CAP header */
1520 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1521 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1522 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1523 put_unaligned_le16(control, skb_put(skb, 2));
c74e560c
GP		 1524 if (sdulen)
1525 put_unaligned_le16(sdulen, skb_put(skb, 2));
1c2acffb
GP		 1526
1527 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1528 if (unlikely(err < 0)) {
1529 kfree_skb(skb);
1530 return ERR_PTR(err);
1531 }
e90bac06 1532
47d1ec61 1533 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 1534 put_unaligned_le16(0, skb_put(skb, 2));
1535
e90bac06 1536 bt_cb(skb)->retries = 0;
1c2acffb 1537 return skb;
1da177e4
LT		 1538}
1539
2c03a7a4 1540int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
c74e560c 1541{
c74e560c
GP		 1542 struct sk_buff *skb;
1543 struct sk_buff_head sar_queue;
1544 u16 control;
1545 size_t size = 0;
1546
ff12fd64 1547 skb_queue_head_init(&sar_queue);
c74e560c 1548 control = L2CAP_SDU_START;
47d1ec61 1549 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
c74e560c
GP		 1550 if (IS_ERR(skb))
1551 return PTR_ERR(skb);
1552
1553 __skb_queue_tail(&sar_queue, skb);
2c03a7a4
GP		 1554 len -= chan->remote_mps;
1555 size += chan->remote_mps;
c74e560c
GP		 1556
1557 while (len > 0) {
1558 size_t buflen;
1559
2c03a7a4 1560 if (len > chan->remote_mps) {
44651b85 1561 control = L2CAP_SDU_CONTINUE;
2c03a7a4 1562 buflen = chan->remote_mps;
c74e560c 1563 } else {
44651b85 1564 control = L2CAP_SDU_END;
c74e560c
GP		 1565 buflen = len;
1566 }
1567
47d1ec61 1568 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
c74e560c
GP		 1569 if (IS_ERR(skb)) {
1570 skb_queue_purge(&sar_queue);
1571 return PTR_ERR(skb);
1572 }
1573
1574 __skb_queue_tail(&sar_queue, skb);
1575 len -= buflen;
1576 size += buflen;
c74e560c 1577 }
58d35f87
GP		 1578 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
1579 if (chan->tx_send_head == NULL)
1580 chan->tx_send_head = sar_queue.next;
c74e560c
GP		 1581
1582 return size;
1583}
1584
9a91a04a
GP		 1585int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1586{
9a91a04a
GP		 1587 struct sk_buff *skb;
1588 u16 control;
1589 int err;
1590
1591 /* Connectionless channel */
715ec005 1592 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
9a91a04a
GP		 1593 skb = l2cap_create_connless_pdu(chan, msg, len);
1594 if (IS_ERR(skb))
1595 return PTR_ERR(skb);
1596
1597 l2cap_do_send(chan, skb);
1598 return len;
1599 }
1600
1601 switch (chan->mode) {
1602 case L2CAP_MODE_BASIC:
1603 /* Check outgoing MTU */
1604 if (len > chan->omtu)
1605 return -EMSGSIZE;
1606
1607 /* Create a basic PDU */
1608 skb = l2cap_create_basic_pdu(chan, msg, len);
1609 if (IS_ERR(skb))
1610 return PTR_ERR(skb);
1611
1612 l2cap_do_send(chan, skb);
1613 err = len;
1614 break;
1615
1616 case L2CAP_MODE_ERTM:
1617 case L2CAP_MODE_STREAMING:
1618 /* Entire SDU fits into one PDU */
1619 if (len <= chan->remote_mps) {
1620 control = L2CAP_SDU_UNSEGMENTED;
1621 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
1622 0);
1623 if (IS_ERR(skb))
1624 return PTR_ERR(skb);
1625
1626 __skb_queue_tail(&chan->tx_q, skb);
1627
1628 if (chan->tx_send_head == NULL)
1629 chan->tx_send_head = skb;
1630
1631 } else {
1632 /* Segment SDU into multiples PDUs */
1633 err = l2cap_sar_segment_sdu(chan, msg, len);
1634 if (err < 0)
1635 return err;
1636 }
1637
1638 if (chan->mode == L2CAP_MODE_STREAMING) {
1639 l2cap_streaming_send(chan);
1640 err = len;
1641 break;
1642 }
1643
1644 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
1645 (chan->conn_state & L2CAP_CONN_WAIT_F)) {
1646 err = len;
1647 break;
1648 }
1649
1650 err = l2cap_ertm_send(chan);
1651 if (err >= 0)
1652 err = len;
1653
1654 break;
1655
1656 default:
1657 BT_DBG("bad state %1.1x", chan->mode);
1658 err = -EBADFD;
1659 }
1660
1661 return err;
1662}
1663
1da177e4
LT		 1664static void l2cap_chan_ready(struct sock *sk)
1665{
1666 struct sock *parent = bt_sk(sk)->parent;
b4450035 1667 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1da177e4
LT		 1668
1669 BT_DBG("sk %p, parent %p", sk, parent);
1670
b4450035 1671 chan->conf_state = 0;
ab07801d 1672 l2cap_chan_clear_timer(chan);
1da177e4
LT		 1673
1674 if (!parent) {
1675 /* Outgoing channel.
1676 * Wake up socket sleeping on connect.
1677 */
1678 sk->sk_state = BT_CONNECTED;
1679 sk->sk_state_change(sk);
1680 } else {
1681 /* Incoming channel.
1682 * Wake up socket sleeping on accept.
1683 */
1684 parent->sk_data_ready(parent, 0);
1685 }
1686}
1687
1688/* Copy frame to all raw sockets on that connection */
1689static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1690{
1da177e4 1691 struct sk_buff *nskb;
48454079 1692 struct l2cap_chan *chan;
1da177e4
LT		 1693
1694 BT_DBG("conn %p", conn);
1695
baa7e1fa
GP		 1696 read_lock(&conn->chan_lock);
1697 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 1698 struct sock *sk = chan->sk;
715ec005 1699 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 1700 continue;
1701
1702 /* Don't send frame to the socket it came from */
1703 if (skb->sk == sk)
1704 continue;
af05b30b
GP		 1705 nskb = skb_clone(skb, GFP_ATOMIC);
1706 if (!nskb)
1da177e4
LT		 1707 continue;
1708
1709 if (sock_queue_rcv_skb(sk, nskb))
1710 kfree_skb(nskb);
1711 }
baa7e1fa 1712 read_unlock(&conn->chan_lock);
1da177e4
LT		 1713}
1714
1715/* ---- L2CAP signalling commands ---- */
1716static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1717 u8 code, u8 ident, u16 dlen, void *data)
1718{
1719 struct sk_buff *skb, **frag;
1720 struct l2cap_cmd_hdr *cmd;
1721 struct l2cap_hdr *lh;
1722 int len, count;
1723
af05b30b
GP		 1724 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1725 conn, code, ident, dlen);
1da177e4
LT		 1726
1727 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1728 count = min_t(unsigned int, conn->mtu, len);
1729
1730 skb = bt_skb_alloc(count, GFP_ATOMIC);
1731 if (!skb)
1732 return NULL;
1733
1734 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 1735 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 1736
1737 if (conn->hcon->type == LE_LINK)
1738 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
1739 else
1740 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 1741
1742 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1743 cmd->code = code;
1744 cmd->ident = ident;
aca3192c 1745 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 1746
1747 if (dlen) {
1748 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1749 memcpy(skb_put(skb, count), data, count);
1750 data += count;
1751 }
1752
1753 len -= skb->len;
1754
1755 /* Continuation fragments (no L2CAP header) */
1756 frag = &skb_shinfo(skb)->frag_list;
1757 while (len) {
1758 count = min_t(unsigned int, conn->mtu, len);
1759
1760 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1761 if (!*frag)
1762 goto fail;
1763
1764 memcpy(skb_put(*frag, count), data, count);
1765
1766 len -= count;
1767 data += count;
1768
1769 frag = &(*frag)->next;
1770 }
1771
1772 return skb;
1773
1774fail:
1775 kfree_skb(skb);
1776 return NULL;
1777}
1778
1779static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1780{
1781 struct l2cap_conf_opt *opt = *ptr;
1782 int len;
1783
1784 len = L2CAP_CONF_OPT_SIZE + opt->len;
1785 *ptr += len;
1786
1787 *type = opt->type;
1788 *olen = opt->len;
1789
1790 switch (opt->len) {
1791 case 1:
1792 *val = *((u8 *) opt->val);
1793 break;
1794
1795 case 2:
bfaaeb3e 1796 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 1797 break;
1798
1799 case 4:
bfaaeb3e 1800 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 1801 break;
1802
1803 default:
1804 *val = (unsigned long) opt->val;
1805 break;
1806 }
1807
1808 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1809 return len;
1810}
1811
1da177e4
LT		 1812static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1813{
1814 struct l2cap_conf_opt *opt = *ptr;
1815
1816 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1817
1818 opt->type = type;
1819 opt->len = len;
1820
1821 switch (len) {
1822 case 1:
1823 *((u8 *) opt->val) = val;
1824 break;
1825
1826 case 2:
4f8b691c 1827 put_unaligned_le16(val, opt->val);
1da177e4
LT		 1828 break;
1829
1830 case 4:
4f8b691c 1831 put_unaligned_le32(val, opt->val);
1da177e4
LT		 1832 break;
1833
1834 default:
1835 memcpy(opt->val, (void *) val, len);
1836 break;
1837 }
1838
1839 *ptr += L2CAP_CONF_OPT_SIZE + len;
1840}
1841
c1b4f43b
GP		 1842static void l2cap_ack_timeout(unsigned long arg)
1843{
525cd185 1844 struct l2cap_chan *chan = (void *) arg;
c1b4f43b 1845
525cd185
GP		 1846 bh_lock_sock(chan->sk);
1847 l2cap_send_ack(chan);
1848 bh_unlock_sock(chan->sk);
c1b4f43b
GP		 1849}
1850
525cd185 1851static inline void l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 1852{
525cd185
GP		 1853 struct sock *sk = chan->sk;
1854
42e5c802 1855 chan->expected_ack_seq = 0;
6a026610 1856 chan->unacked_frames = 0;
42e5c802 1857 chan->buffer_seq = 0;
6a026610
GP		 1858 chan->num_acked = 0;
1859 chan->frames_sent = 0;
0565c1c2 1860
e92c8e70
GP		 1861 setup_timer(&chan->retrans_timer, l2cap_retrans_timeout,
1862 (unsigned long) chan);
1863 setup_timer(&chan->monitor_timer, l2cap_monitor_timeout,
1864 (unsigned long) chan);
1865 setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan);
0565c1c2 1866
f1c6775b
GP		 1867 skb_queue_head_init(&chan->srej_q);
1868 skb_queue_head_init(&chan->busy_q);
1890d36b 1869
39d5a3ee
GP		 1870 INIT_LIST_HEAD(&chan->srej_l);
1871
311bb895 1872 INIT_WORK(&chan->busy_work, l2cap_busy_work);
218bb9df
GP		 1873
1874 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
0565c1c2
GP		 1875}
1876
f2fcfcd6
GP		 1877static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
1878{
1879 switch (mode) {
1880 case L2CAP_MODE_STREAMING:
1881 case L2CAP_MODE_ERTM:
1882 if (l2cap_mode_supported(mode, remote_feat_mask))
1883 return mode;
1884 /* fall through */
1885 default:
1886 return L2CAP_MODE_BASIC;
1887 }
1888}
1889
710f9b0a 1890static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 1891{
1da177e4 1892 struct l2cap_conf_req *req = data;
0c1bc5c6 1893 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4
LT		 1894 void *ptr = req->data;
1895
49208c9c 1896 BT_DBG("chan %p", chan);
1da177e4 1897
73ffa904 1898 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 1899 goto done;
1900
0c1bc5c6 1901 switch (chan->mode) {
f2fcfcd6
GP		 1902 case L2CAP_MODE_STREAMING:
1903 case L2CAP_MODE_ERTM:
b4450035 1904 if (chan->conf_state & L2CAP_CONF_STATE2_DEVICE)
85eb53c6 1905 break;
85eb53c6 1906
2ba13ed6 1907 /* fall through */
f2fcfcd6 1908 default:
8c1d787b 1909 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 1910 break;
1911 }
1912
1913done:
0c1bc5c6
GP		 1914 if (chan->imtu != L2CAP_DEFAULT_MTU)
1915 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 1916
0c1bc5c6 1917 switch (chan->mode) {
65c7c491 1918 case L2CAP_MODE_BASIC:
8c1d787b
GP		 1919 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
1920 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 1921 break;
1922
62547752
GP		 1923 rfc.mode = L2CAP_MODE_BASIC;
1924 rfc.txwin_size = 0;
1925 rfc.max_transmit = 0;
1926 rfc.retrans_timeout = 0;
1927 rfc.monitor_timeout = 0;
1928 rfc.max_pdu_size = 0;
1929
63406504
GP		 1930 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1931 (unsigned long) &rfc);
65c7c491
MH		 1932 break;
1933
1934 case L2CAP_MODE_ERTM:
1935 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61
GP		 1936 rfc.txwin_size = chan->tx_win;
1937 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 1938 rfc.retrans_timeout = 0;
1939 rfc.monitor_timeout = 0;
c74e560c 1940 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
8c1d787b
GP		 1941 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
1942 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
f2fcfcd6 1943
63406504
GP		 1944 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1945 (unsigned long) &rfc);
1946
8c1d787b 1947 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 1948 break;
1949
47d1ec61 1950 if (chan->fcs == L2CAP_FCS_NONE ||
b4450035 1951 chan->conf_state & L2CAP_CONF_NO_FCS_RECV) {
47d1ec61
GP		 1952 chan->fcs = L2CAP_FCS_NONE;
1953 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 1954 }
f2fcfcd6
GP		 1955 break;
1956
1957 case L2CAP_MODE_STREAMING:
1958 rfc.mode = L2CAP_MODE_STREAMING;
1959 rfc.txwin_size = 0;
1960 rfc.max_transmit = 0;
1961 rfc.retrans_timeout = 0;
1962 rfc.monitor_timeout = 0;
c74e560c 1963 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
8c1d787b
GP		 1964 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
1965 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
65c7c491 1966
63406504
GP		 1967 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1968 (unsigned long) &rfc);
1969
8c1d787b 1970 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 1971 break;
1972
47d1ec61 1973 if (chan->fcs == L2CAP_FCS_NONE ||
b4450035 1974 chan->conf_state & L2CAP_CONF_NO_FCS_RECV) {
47d1ec61
GP		 1975 chan->fcs = L2CAP_FCS_NONE;
1976 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 1977 }
65c7c491
MH		 1978 break;
1979 }
1da177e4 1980
fe4128e0 1981 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 1982 req->flags = cpu_to_le16(0);
1da177e4
LT		 1983
1984 return ptr - data;
1985}
1986
73ffa904 1987static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 1988{
5dee9e7c
MH		 1989 struct l2cap_conf_rsp *rsp = data;
1990 void *ptr = rsp->data;
73ffa904
GP		 1991 void *req = chan->conf_req;
1992 int len = chan->conf_len;
5dee9e7c
MH		 1993 int type, hint, olen;
1994 unsigned long val;
6464f35f 1995 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 1996 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 1997 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 1998
73ffa904 1999 BT_DBG("chan %p", chan);
820ae1b8 2000
5dee9e7c
MH		 2001 while (len >= L2CAP_CONF_OPT_SIZE) {
2002 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2003
589d2746 2004 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2005 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2006
2007 switch (type) {
2008 case L2CAP_CONF_MTU:
861d6882 2009 mtu = val;
5dee9e7c
MH		 2010 break;
2011
2012 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2013 chan->flush_to = val;
5dee9e7c
MH		 2014 break;
2015
2016 case L2CAP_CONF_QOS:
2017 break;
2018
6464f35f
MH		 2019 case L2CAP_CONF_RFC:
2020 if (olen == sizeof(rfc))
2021 memcpy(&rfc, (void *) val, olen);
2022 break;
2023
fcc203c3
GP		 2024 case L2CAP_CONF_FCS:
2025 if (val == L2CAP_FCS_NONE)
b4450035 2026 chan->conf_state |= L2CAP_CONF_NO_FCS_RECV;
fcc203c3
GP		 2027
2028 break;
2029
5dee9e7c
MH		 2030 default:
2031 if (hint)
2032 break;
2033
2034 result = L2CAP_CONF_UNKNOWN;
2035 *((u8 *) ptr++) = type;
2036 break;
2037 }
2038 }
2039
73ffa904 2040 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2041 goto done;
2042
0c1bc5c6 2043 switch (chan->mode) {
f2fcfcd6
GP		 2044 case L2CAP_MODE_STREAMING:
2045 case L2CAP_MODE_ERTM:
b4450035 2046 if (!(chan->conf_state & L2CAP_CONF_STATE2_DEVICE)) {
0c1bc5c6 2047 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2048 chan->conn->feat_mask);
85eb53c6
GP		 2049 break;
2050 }
2051
0c1bc5c6 2052 if (chan->mode != rfc.mode)
f2fcfcd6 2053 return -ECONNREFUSED;
742e519b 2054
f2fcfcd6 2055 break;
f2fcfcd6
GP		 2056 }
2057
2058done:
0c1bc5c6 2059 if (chan->mode != rfc.mode) {
f2fcfcd6 2060 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2061 rfc.mode = chan->mode;
f2fcfcd6 2062
73ffa904 2063 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2064 return -ECONNREFUSED;
2065
2066 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2067 sizeof(rfc), (unsigned long) &rfc);
2068 }
2069
2070
5dee9e7c
MH		 2071 if (result == L2CAP_CONF_SUCCESS) {
2072 /* Configure output options and let the other side know
2073 * which ones we don't like. */
2074
f2fcfcd6
GP		 2075 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2076 result = L2CAP_CONF_UNACCEPT;
2077 else {
0c1bc5c6 2078 chan->omtu = mtu;
b4450035 2079 chan->conf_state |= L2CAP_CONF_MTU_DONE;
f2fcfcd6 2080 }
0c1bc5c6 2081 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2082
f2fcfcd6
GP		 2083 switch (rfc.mode) {
2084 case L2CAP_MODE_BASIC:
47d1ec61 2085 chan->fcs = L2CAP_FCS_NONE;
b4450035 2086 chan->conf_state |= L2CAP_CONF_MODE_DONE;
f2fcfcd6
GP		 2087 break;
2088
2089 case L2CAP_MODE_ERTM:
2c03a7a4
GP		 2090 chan->remote_tx_win = rfc.txwin_size;
2091 chan->remote_max_tx = rfc.max_transmit;
86b1b263 2092
8c1d787b
GP		 2093 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
2094 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1c762159 2095
2c03a7a4 2096 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2097
10467e9e
GP		 2098 rfc.retrans_timeout =
2099 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2100 rfc.monitor_timeout =
2101 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2102
b4450035 2103 chan->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2104
2105 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2106 sizeof(rfc), (unsigned long) &rfc);
2107
f2fcfcd6
GP		 2108 break;
2109
2110 case L2CAP_MODE_STREAMING:
8c1d787b
GP		 2111 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
2112 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1c762159 2113
2c03a7a4 2114 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2115
b4450035 2116 chan->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2117
2118 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2119 sizeof(rfc), (unsigned long) &rfc);
2120
f2fcfcd6
GP		 2121 break;
2122
2123 default:
5dee9e7c 2124 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2125
6464f35f 2126 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2127 rfc.mode = chan->mode;
f2fcfcd6 2128 }
6464f35f 2129
f2fcfcd6 2130 if (result == L2CAP_CONF_SUCCESS)
b4450035 2131 chan->conf_state |= L2CAP_CONF_OUTPUT_DONE;
f2fcfcd6 2132 }
fe4128e0 2133 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2134 rsp->result = cpu_to_le16(result);
2135 rsp->flags = cpu_to_le16(0x0000);
2136
2137 return ptr - data;
1da177e4
LT		 2138}
2139
b4450035 2140static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2141{
f2fcfcd6
GP		 2142 struct l2cap_conf_req *req = data;
2143 void *ptr = req->data;
2144 int type, olen;
2145 unsigned long val;
2146 struct l2cap_conf_rfc rfc;
2147
fe4128e0 2148 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 2149
2150 while (len >= L2CAP_CONF_OPT_SIZE) {
2151 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2152
2153 switch (type) {
2154 case L2CAP_CONF_MTU:
2155 if (val < L2CAP_DEFAULT_MIN_MTU) {
2156 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2157 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2158 } else
0c1bc5c6
GP		 2159 chan->imtu = val;
2160 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 2161 break;
2162
2163 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2164 chan->flush_to = val;
f2fcfcd6 2165 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 2166 2, chan->flush_to);
f2fcfcd6
GP		 2167 break;
2168
2169 case L2CAP_CONF_RFC:
2170 if (olen == sizeof(rfc))
2171 memcpy(&rfc, (void *)val, olen);
2172
b4450035 2173 if ((chan->conf_state & L2CAP_CONF_STATE2_DEVICE) &&
0c1bc5c6 2174 rfc.mode != chan->mode)
f2fcfcd6
GP		 2175 return -ECONNREFUSED;
2176
47d1ec61 2177 chan->fcs = 0;
f2fcfcd6
GP		 2178
2179 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2180 sizeof(rfc), (unsigned long) &rfc);
2181 break;
2182 }
2183 }
2184
0c1bc5c6 2185 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 2186 return -ECONNREFUSED;
2187
0c1bc5c6 2188 chan->mode = rfc.mode;
6c2ea7a8 2189
f2fcfcd6
GP		 2190 if (*result == L2CAP_CONF_SUCCESS) {
2191 switch (rfc.mode) {
2192 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2193 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2194 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2195 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2196 break;
2197 case L2CAP_MODE_STREAMING:
47d1ec61 2198 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2199 }
2200 }
2201
fe4128e0 2202 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 2203 req->flags = cpu_to_le16(0x0000);
2204
2205 return ptr - data;
2206}
2207
fe4128e0 2208static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 2209{
2210 struct l2cap_conf_rsp *rsp = data;
2211 void *ptr = rsp->data;
1da177e4 2212
fe4128e0 2213 BT_DBG("chan %p", chan);
1da177e4 2214
fe4128e0 2215 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 2216 rsp->result = cpu_to_le16(result);
aca3192c 2217 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2218
2219 return ptr - data;
2220}
2221
8c1d787b 2222void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 2223{
2224 struct l2cap_conn_rsp rsp;
8c1d787b 2225 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 2226 u8 buf[128];
2227
fe4128e0
GP		 2228 rsp.scid = cpu_to_le16(chan->dcid);
2229 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 2230 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2231 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2232 l2cap_send_cmd(conn, chan->ident,
2233 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2234
b4450035 2235 if (chan->conf_state & L2CAP_CONF_REQ_SENT)
710f9b0a
GP		 2236 return;
2237
b4450035 2238 chan->conf_state |= L2CAP_CONF_REQ_SENT;
710f9b0a
GP		 2239 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2240 l2cap_build_conf_req(chan, buf), buf);
2241 chan->num_conf_req++;
2242}
2243
47d1ec61 2244static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 2245{
7b1c0049
GP		 2246 int type, olen;
2247 unsigned long val;
2248 struct l2cap_conf_rfc rfc;
2249
47d1ec61 2250 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 2251
0c1bc5c6 2252 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 2253 return;
2254
2255 while (len >= L2CAP_CONF_OPT_SIZE) {
2256 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2257
2258 switch (type) {
2259 case L2CAP_CONF_RFC:
2260 if (olen == sizeof(rfc))
2261 memcpy(&rfc, (void *)val, olen);
2262 goto done;
2263 }
2264 }
2265
2266done:
2267 switch (rfc.mode) {
2268 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2269 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2270 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2271 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2272 break;
2273 case L2CAP_MODE_STREAMING:
47d1ec61 2274 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2275 }
2276}
2277
4e8402a3
MH		 2278static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2279{
2280 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
2281
2282 if (rej->reason != 0x0000)
2283 return 0;
2284
2285 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2286 cmd->ident == conn->info_ident) {
4e8402a3 2287 del_timer(&conn->info_timer);
984947dc
MH		 2288
2289 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2290 conn->info_ident = 0;
984947dc 2291
4e8402a3
MH		 2292 l2cap_conn_start(conn);
2293 }
2294
2295 return 0;
2296}
2297
1da177e4
LT		 2298static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2299{
1da177e4
LT		 2300 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2301 struct l2cap_conn_rsp rsp;
23691d75 2302 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 2303 struct sock *parent, *sk = NULL;
e7c29cb1 2304 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2305
2306 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2307 __le16 psm = req->psm;
1da177e4
LT		 2308
2309 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2310
2311 /* Check if we have socket listening on psm */
23691d75
GP		 2312 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
2313 if (!pchan) {
1da177e4
LT		 2314 result = L2CAP_CR_BAD_PSM;
2315 goto sendresp;
2316 }
2317
23691d75
GP		 2318 parent = pchan->sk;
2319
e0f0cb56
GP		 2320 bh_lock_sock(parent);
2321
e7c29cb1
MH		 2322 /* Check if the ACL is secure enough (if not SDP) */
2323 if (psm != cpu_to_le16(0x0001) &&
2324 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 2325 conn->disc_reason = 0x05;
e7c29cb1
MH		 2326 result = L2CAP_CR_SEC_BLOCK;
2327 goto response;
2328 }
2329
1da177e4
LT		 2330 result = L2CAP_CR_NO_MEM;
2331
2332 /* Check for backlog size */
2333 if (sk_acceptq_is_full(parent)) {
8e87d142 2334 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2335 goto response;
2336 }
2337
3b1e0a65 2338 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
1da177e4
LT		 2339 if (!sk)
2340 goto response;
2341
23691d75 2342 chan = l2cap_chan_create(sk);
48454079
GP		 2343 if (!chan) {
2344 l2cap_sock_kill(sk);
2345 goto response;
2346 }
2347
5d41ce1d
GP		 2348 l2cap_pi(sk)->chan = chan;
2349
baa7e1fa 2350 write_lock_bh(&conn->chan_lock);
1da177e4
LT		 2351
2352 /* Check if we already have channel with that dcid */
baa7e1fa
GP		 2353 if (__l2cap_get_chan_by_dcid(conn, scid)) {
2354 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 2355 sock_set_flag(sk, SOCK_ZAPPED);
2356 l2cap_sock_kill(sk);
2357 goto response;
2358 }
2359
2360 hci_conn_hold(conn->hcon);
2361
2362 l2cap_sock_init(sk, parent);
2363 bacpy(&bt_sk(sk)->src, conn->src);
2364 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 2365 chan->psm = psm;
2366 chan->dcid = scid;
1da177e4 2367
d1010240
GP		 2368 bt_accept_enqueue(parent, sk);
2369
48454079
GP		 2370 __l2cap_chan_add(conn, chan);
2371
fe4128e0 2372 dcid = chan->scid;
1da177e4 2373
ab07801d 2374 l2cap_chan_set_timer(chan, sk->sk_sndtimeo);
1da177e4 2375
fc7f8a7e 2376 chan->ident = cmd->ident;
1da177e4 2377
984947dc 2378 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
4343478f 2379 if (l2cap_check_security(chan)) {
f66dc81f
MH		 2380 if (bt_sk(sk)->defer_setup) {
2381 sk->sk_state = BT_CONNECT2;
2382 result = L2CAP_CR_PEND;
2383 status = L2CAP_CS_AUTHOR_PEND;
2384 parent->sk_data_ready(parent, 0);
2385 } else {
2386 sk->sk_state = BT_CONFIG;
2387 result = L2CAP_CR_SUCCESS;
2388 status = L2CAP_CS_NO_INFO;
2389 }
79d554a6
MH		 2390 } else {
2391 sk->sk_state = BT_CONNECT2;
2392 result = L2CAP_CR_PEND;
2393 status = L2CAP_CS_AUTHEN_PEND;
2394 }
2395 } else {
2396 sk->sk_state = BT_CONNECT2;
2397 result = L2CAP_CR_PEND;
2398 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2399 }
2400
baa7e1fa 2401 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 2402
2403response:
2404 bh_unlock_sock(parent);
2405
2406sendresp:
aca3192c
YH		 2407 rsp.scid = cpu_to_le16(scid);
2408 rsp.dcid = cpu_to_le16(dcid);
2409 rsp.result = cpu_to_le16(result);
2410 rsp.status = cpu_to_le16(status);
1da177e4 2411 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2412
2413 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2414 struct l2cap_info_req info;
2415 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2416
2417 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2418 conn->info_ident = l2cap_get_ident(conn);
2419
2420 mod_timer(&conn->info_timer, jiffies +
2421 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2422
2423 l2cap_send_cmd(conn, conn->info_ident,
2424 L2CAP_INFO_REQ, sizeof(info), &info);
2425 }
2426
b4450035 2427 if (chan && !(chan->conf_state & L2CAP_CONF_REQ_SENT) &&
e9aeb2dd
GP		 2428 result == L2CAP_CR_SUCCESS) {
2429 u8 buf[128];
b4450035 2430 chan->conf_state |= L2CAP_CONF_REQ_SENT;
e9aeb2dd 2431 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2432 l2cap_build_conf_req(chan, buf), buf);
2433 chan->num_conf_req++;
e9aeb2dd
GP		 2434 }
2435
1da177e4
LT		 2436 return 0;
2437}
2438
2439static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2440{
2441 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2442 u16 scid, dcid, result, status;
48454079 2443 struct l2cap_chan *chan;
1da177e4
LT		 2444 struct sock *sk;
2445 u8 req[128];
2446
2447 scid = __le16_to_cpu(rsp->scid);
2448 dcid = __le16_to_cpu(rsp->dcid);
2449 result = __le16_to_cpu(rsp->result);
2450 status = __le16_to_cpu(rsp->status);
2451
2452 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2453
2454 if (scid) {
baa7e1fa 2455 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2456 if (!chan)
57d3b22b 2457 return -EFAULT;
1da177e4 2458 } else {
baa7e1fa 2459 chan = l2cap_get_chan_by_ident(conn, cmd->ident);
48454079 2460 if (!chan)
57d3b22b 2461 return -EFAULT;
1da177e4
LT		 2462 }
2463
48454079
GP		 2464 sk = chan->sk;
2465
1da177e4
LT		 2466 switch (result) {
2467 case L2CAP_CR_SUCCESS:
2468 sk->sk_state = BT_CONFIG;
fc7f8a7e 2469 chan->ident = 0;
fe4128e0 2470 chan->dcid = dcid;
b4450035 2471 chan->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
6a8d3010 2472
b4450035 2473 if (chan->conf_state & L2CAP_CONF_REQ_SENT)
e9aeb2dd
GP		 2474 break;
2475
b4450035 2476 chan->conf_state |= L2CAP_CONF_REQ_SENT;
e9aeb2dd 2477
1da177e4 2478 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2479 l2cap_build_conf_req(chan, req), req);
2480 chan->num_conf_req++;
1da177e4
LT		 2481 break;
2482
2483 case L2CAP_CR_PEND:
b4450035 2484 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4
LT		 2485 break;
2486
2487 default:
a49184c2
AE		 2488 /* don't delete l2cap channel if sk is owned by user */
2489 if (sock_owned_by_user(sk)) {
2490 sk->sk_state = BT_DISCONN;
ab07801d
GP		 2491 l2cap_chan_clear_timer(chan);
2492 l2cap_chan_set_timer(chan, HZ / 5);
a49184c2
AE		 2493 break;
2494 }
2495
48454079 2496 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 2497 break;
2498 }
2499
2500 bh_unlock_sock(sk);
2501 return 0;
2502}
2503
47d1ec61 2504static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60 2505{
47d1ec61
GP		 2506 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
2507
8c462b60
MM		 2508 /* FCS is enabled only in ERTM or streaming mode, if one or both
2509 * sides request it.
2510 */
0c1bc5c6 2511 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 2512 chan->fcs = L2CAP_FCS_NONE;
b4450035 2513 else if (!(pi->chan->conf_state & L2CAP_CONF_NO_FCS_RECV))
47d1ec61 2514 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 2515}
2516
88219a0f 2517static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2518{
2519 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2520 u16 dcid, flags;
2521 u8 rsp[64];
48454079 2522 struct l2cap_chan *chan;
1da177e4 2523 struct sock *sk;
5dee9e7c 2524 int len;
1da177e4
LT		 2525
2526 dcid = __le16_to_cpu(req->dcid);
2527 flags = __le16_to_cpu(req->flags);
2528
2529 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2530
baa7e1fa 2531 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2532 if (!chan)
1da177e4
LT		 2533 return -ENOENT;
2534
48454079
GP		 2535 sk = chan->sk;
2536
df6bd743
GP		 2537 if (sk->sk_state != BT_CONFIG) {
2538 struct l2cap_cmd_rej rej;
2539
2540 rej.reason = cpu_to_le16(0x0002);
2541 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2542 sizeof(rej), &rej);
354f60a9 2543 goto unlock;
df6bd743 2544 }
354f60a9 2545
5dee9e7c 2546 /* Reject if config buffer is too small. */
88219a0f 2547 len = cmd_len - sizeof(*req);
73ffa904 2548 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 2549 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2550 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 2551 L2CAP_CONF_REJECT, flags), rsp);
2552 goto unlock;
2553 }
2554
2555 /* Store config. */
73ffa904
GP		 2556 memcpy(chan->conf_req + chan->conf_len, req->data, len);
2557 chan->conf_len += len;
1da177e4
LT		 2558
2559 if (flags & 0x0001) {
2560 /* Incomplete config. Send empty response. */
2561 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2562 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 2563 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2564 goto unlock;
2565 }
2566
2567 /* Complete config. */
73ffa904 2568 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 2569 if (len < 0) {
e92c8e70 2570 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 2571 goto unlock;
f2fcfcd6 2572 }
1da177e4 2573
5dee9e7c 2574 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 2575 chan->num_conf_rsp++;
5dee9e7c 2576
5dee9e7c 2577 /* Reset config buffer. */
73ffa904 2578 chan->conf_len = 0;
5dee9e7c 2579
b4450035 2580 if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE))
876d9484
MH		 2581 goto unlock;
2582
b4450035 2583 if (chan->conf_state & L2CAP_CONF_INPUT_DONE) {
47d1ec61 2584 set_default_fcs(chan);
fcc203c3 2585
1da177e4 2586 sk->sk_state = BT_CONNECTED;
e90bac06 2587
42e5c802
GP		 2588 chan->next_tx_seq = 0;
2589 chan->expected_tx_seq = 0;
58d35f87 2590 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2591 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2592 l2cap_ertm_init(chan);
0565c1c2 2593
1da177e4 2594 l2cap_chan_ready(sk);
876d9484
MH		 2595 goto unlock;
2596 }
2597
b4450035 2598 if (!(chan->conf_state & L2CAP_CONF_REQ_SENT)) {
79d554a6 2599 u8 buf[64];
b4450035 2600 chan->conf_state |= L2CAP_CONF_REQ_SENT;
1da177e4 2601 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2602 l2cap_build_conf_req(chan, buf), buf);
2603 chan->num_conf_req++;
1da177e4
LT		 2604 }
2605
2606unlock:
2607 bh_unlock_sock(sk);
2608 return 0;
2609}
2610
2611static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2612{
2613 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2614 u16 scid, flags, result;
48454079 2615 struct l2cap_chan *chan;
1da177e4 2616 struct sock *sk;
7b1c0049 2617 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 2618
2619 scid = __le16_to_cpu(rsp->scid);
2620 flags = __le16_to_cpu(rsp->flags);
2621 result = __le16_to_cpu(rsp->result);
2622
af05b30b
GP		 2623 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2624 scid, flags, result);
1da177e4 2625
baa7e1fa 2626 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2627 if (!chan)
1da177e4
LT		 2628 return 0;
2629
48454079
GP		 2630 sk = chan->sk;
2631
1da177e4
LT		 2632 switch (result) {
2633 case L2CAP_CONF_SUCCESS:
47d1ec61 2634 l2cap_conf_rfc_get(chan, rsp->data, len);
1da177e4
LT		 2635 break;
2636
2637 case L2CAP_CONF_UNACCEPT:
73ffa904 2638 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 2639 char req[64];
2640
c2c77ec8 2641 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 2642 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 2643 goto done;
2644 }
2645
f2fcfcd6
GP		 2646 /* throw out any old stored conf requests */
2647 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 2648 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2649 req, &result);
f2fcfcd6 2650 if (len < 0) {
e92c8e70 2651 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 2652 goto done;
2653 }
2654
2655 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2656 L2CAP_CONF_REQ, len, req);
73ffa904 2657 chan->num_conf_req++;
f2fcfcd6
GP		 2658 if (result != L2CAP_CONF_SUCCESS)
2659 goto done;
2660 break;
1da177e4
LT		 2661 }
2662
8e87d142 2663 default:
b1235d79 2664 sk->sk_err = ECONNRESET;
ab07801d 2665 l2cap_chan_set_timer(chan, HZ * 5);
e92c8e70 2666 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 2667 goto done;
2668 }
2669
2670 if (flags & 0x01)
2671 goto done;
2672
b4450035 2673 chan->conf_state |= L2CAP_CONF_INPUT_DONE;
1da177e4 2674
b4450035 2675 if (chan->conf_state & L2CAP_CONF_OUTPUT_DONE) {
47d1ec61 2676 set_default_fcs(chan);
fcc203c3 2677
1da177e4 2678 sk->sk_state = BT_CONNECTED;
42e5c802
GP		 2679 chan->next_tx_seq = 0;
2680 chan->expected_tx_seq = 0;
58d35f87 2681 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2682 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2683 l2cap_ertm_init(chan);
0565c1c2 2684
1da177e4
LT		 2685 l2cap_chan_ready(sk);
2686 }
2687
2688done:
2689 bh_unlock_sock(sk);
2690 return 0;
2691}
2692
2693static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2694{
2695 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2696 struct l2cap_disconn_rsp rsp;
2697 u16 dcid, scid;
48454079 2698 struct l2cap_chan *chan;
1da177e4
LT		 2699 struct sock *sk;
2700
2701 scid = __le16_to_cpu(req->scid);
2702 dcid = __le16_to_cpu(req->dcid);
2703
2704 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2705
baa7e1fa 2706 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2707 if (!chan)
1da177e4
LT		 2708 return 0;
2709
48454079
GP		 2710 sk = chan->sk;
2711
fe4128e0
GP		 2712 rsp.dcid = cpu_to_le16(chan->scid);
2713 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 2714 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2715
2716 sk->sk_shutdown = SHUTDOWN_MASK;
2717
a49184c2
AE		 2718 /* don't delete l2cap channel if sk is owned by user */
2719 if (sock_owned_by_user(sk)) {
2720 sk->sk_state = BT_DISCONN;
ab07801d
GP		 2721 l2cap_chan_clear_timer(chan);
2722 l2cap_chan_set_timer(chan, HZ / 5);
a49184c2
AE		 2723 bh_unlock_sock(sk);
2724 return 0;
2725 }
2726
48454079 2727 l2cap_chan_del(chan, ECONNRESET);
1da177e4
LT		 2728 bh_unlock_sock(sk);
2729
2730 l2cap_sock_kill(sk);
2731 return 0;
2732}
2733
2734static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2735{
2736 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2737 u16 dcid, scid;
48454079 2738 struct l2cap_chan *chan;
1da177e4
LT		 2739 struct sock *sk;
2740
2741 scid = __le16_to_cpu(rsp->scid);
2742 dcid = __le16_to_cpu(rsp->dcid);
2743
2744 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2745
baa7e1fa 2746 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2747 if (!chan)
1da177e4
LT		 2748 return 0;
2749
48454079
GP		 2750 sk = chan->sk;
2751
a49184c2
AE		 2752 /* don't delete l2cap channel if sk is owned by user */
2753 if (sock_owned_by_user(sk)) {
2754 sk->sk_state = BT_DISCONN;
ab07801d
GP		 2755 l2cap_chan_clear_timer(chan);
2756 l2cap_chan_set_timer(chan, HZ / 5);
a49184c2
AE		 2757 bh_unlock_sock(sk);
2758 return 0;
2759 }
2760
48454079 2761 l2cap_chan_del(chan, 0);
1da177e4
LT		 2762 bh_unlock_sock(sk);
2763
2764 l2cap_sock_kill(sk);
2765 return 0;
2766}
2767
2768static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2769{
2770 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 2771 u16 type;
2772
2773 type = __le16_to_cpu(req->type);
2774
2775 BT_DBG("type 0x%4.4x", type);
2776
f0709e03
MH		 2777 if (type == L2CAP_IT_FEAT_MASK) {
2778 u8 buf[8];
44dd46de 2779 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 2780 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2781 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2782 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 2783 if (!disable_ertm)
fcc203c3
GP		 2784 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2785 | L2CAP_FEAT_FCS;
1b7bf4ed 2786 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 2787 l2cap_send_cmd(conn, cmd->ident,
2788 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 2789 } else if (type == L2CAP_IT_FIXED_CHAN) {
2790 u8 buf[12];
2791 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2792 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2793 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2794 memcpy(buf + 4, l2cap_fixed_chan, 8);
2795 l2cap_send_cmd(conn, cmd->ident,
2796 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 2797 } else {
2798 struct l2cap_info_rsp rsp;
2799 rsp.type = cpu_to_le16(type);
2800 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2801 l2cap_send_cmd(conn, cmd->ident,
2802 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
2803 }
1da177e4
LT		 2804
2805 return 0;
2806}
2807
2808static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2809{
2810 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
2811 u16 type, result;
2812
2813 type = __le16_to_cpu(rsp->type);
2814 result = __le16_to_cpu(rsp->result);
2815
2816 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2817
e90165be
AE		 2818 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
2819 if (cmd->ident != conn->info_ident ||
2820 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
2821 return 0;
2822
4e8402a3
MH		 2823 del_timer(&conn->info_timer);
2824
adb08ede
VT		 2825 if (result != L2CAP_IR_SUCCESS) {
2826 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2827 conn->info_ident = 0;
2828
2829 l2cap_conn_start(conn);
2830
2831 return 0;
2832 }
2833
984947dc 2834 if (type == L2CAP_IT_FEAT_MASK) {
83985319 2835 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 2836
47ec1dcd 2837 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 2838 struct l2cap_info_req req;
2839 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2840
2841 conn->info_ident = l2cap_get_ident(conn);
2842
2843 l2cap_send_cmd(conn, conn->info_ident,
2844 L2CAP_INFO_REQ, sizeof(req), &req);
2845 } else {
2846 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2847 conn->info_ident = 0;
2848
2849 l2cap_conn_start(conn);
2850 }
2851 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 2852 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2853 conn->info_ident = 0;
984947dc
MH		 2854
2855 l2cap_conn_start(conn);
2856 }
4e8402a3 2857
1da177e4
LT		 2858 return 0;
2859}
2860
e2174ca4 2861static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 2862 u16 to_multiplier)
2863{
2864 u16 max_latency;
2865
2866 if (min > max || min < 6 || max > 3200)
2867 return -EINVAL;
2868
2869 if (to_multiplier < 10 || to_multiplier > 3200)
2870 return -EINVAL;
2871
2872 if (max >= to_multiplier * 8)
2873 return -EINVAL;
2874
2875 max_latency = (to_multiplier * 8 / max) - 1;
2876 if (latency > 499 || latency > max_latency)
2877 return -EINVAL;
2878
2879 return 0;
2880}
2881
2882static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2883 struct l2cap_cmd_hdr *cmd, u8 *data)
2884{
2885 struct hci_conn *hcon = conn->hcon;
2886 struct l2cap_conn_param_update_req *req;
2887 struct l2cap_conn_param_update_rsp rsp;
2888 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 2889 int err;
de73115a
CT		 2890
2891 if (!(hcon->link_mode & HCI_LM_MASTER))
2892 return -EINVAL;
2893
2894 cmd_len = __le16_to_cpu(cmd->len);
2895 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
2896 return -EPROTO;
2897
2898 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 2899 min = __le16_to_cpu(req->min);
2900 max = __le16_to_cpu(req->max);
de73115a
CT		 2901 latency = __le16_to_cpu(req->latency);
2902 to_multiplier = __le16_to_cpu(req->to_multiplier);
2903
2904 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2905 min, max, latency, to_multiplier);
2906
2907 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 2908
2909 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
2910 if (err)
de73115a
CT		 2911 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
2912 else
2913 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
2914
2915 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2916 sizeof(rsp), &rsp);
2917
2ce603eb
CT		 2918 if (!err)
2919 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
2920
de73115a
CT		 2921 return 0;
2922}
2923
3300d9a9
CT		 2924static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2925 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
2926{
2927 int err = 0;
2928
2929 switch (cmd->code) {
2930 case L2CAP_COMMAND_REJ:
2931 l2cap_command_rej(conn, cmd, data);
2932 break;
2933
2934 case L2CAP_CONN_REQ:
2935 err = l2cap_connect_req(conn, cmd, data);
2936 break;
2937
2938 case L2CAP_CONN_RSP:
2939 err = l2cap_connect_rsp(conn, cmd, data);
2940 break;
2941
2942 case L2CAP_CONF_REQ:
2943 err = l2cap_config_req(conn, cmd, cmd_len, data);
2944 break;
2945
2946 case L2CAP_CONF_RSP:
2947 err = l2cap_config_rsp(conn, cmd, data);
2948 break;
2949
2950 case L2CAP_DISCONN_REQ:
2951 err = l2cap_disconnect_req(conn, cmd, data);
2952 break;
2953
2954 case L2CAP_DISCONN_RSP:
2955 err = l2cap_disconnect_rsp(conn, cmd, data);
2956 break;
2957
2958 case L2CAP_ECHO_REQ:
2959 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
2960 break;
2961
2962 case L2CAP_ECHO_RSP:
2963 break;
2964
2965 case L2CAP_INFO_REQ:
2966 err = l2cap_information_req(conn, cmd, data);
2967 break;
2968
2969 case L2CAP_INFO_RSP:
2970 err = l2cap_information_rsp(conn, cmd, data);
2971 break;
2972
2973 default:
2974 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
2975 err = -EINVAL;
2976 break;
2977 }
2978
2979 return err;
2980}
2981
2982static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2983 struct l2cap_cmd_hdr *cmd, u8 *data)
2984{
2985 switch (cmd->code) {
2986 case L2CAP_COMMAND_REJ:
2987 return 0;
2988
2989 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 2990 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 2991
2992 case L2CAP_CONN_PARAM_UPDATE_RSP:
2993 return 0;
2994
2995 default:
2996 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
2997 return -EINVAL;
2998 }
2999}
3000
3001static inline void l2cap_sig_channel(struct l2cap_conn *conn,
3002 struct sk_buff *skb)
1da177e4
LT		 3003{
3004 u8 *data = skb->data;
3005 int len = skb->len;
3006 struct l2cap_cmd_hdr cmd;
3300d9a9 3007 int err;
1da177e4
LT		 3008
3009 l2cap_raw_recv(conn, skb);
3010
3011 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3012 u16 cmd_len;
1da177e4
LT		 3013 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3014 data += L2CAP_CMD_HDR_SIZE;
3015 len -= L2CAP_CMD_HDR_SIZE;
3016
88219a0f 3017 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3018
88219a0f 3019 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3020
88219a0f 3021 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3022 BT_DBG("corrupted command");
3023 break;
3024 }
3025
3300d9a9
CT		 3026 if (conn->hcon->type == LE_LINK)
3027 err = l2cap_le_sig_cmd(conn, &cmd, data);
3028 else
3029 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 3030
3031 if (err) {
3032 struct l2cap_cmd_rej rej;
2c6d1a2e
GP		 3033
3034 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 3035
3036 /* FIXME: Map err to a valid reason */
aca3192c 3037 rej.reason = cpu_to_le16(0);
1da177e4
LT		 3038 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3039 }
3040
88219a0f
AV		 3041 data += cmd_len;
3042 len -= cmd_len;
1da177e4
LT		 3043 }
3044
3045 kfree_skb(skb);
3046}
3047
47d1ec61 3048static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 3049{
3050 u16 our_fcs, rcv_fcs;
3051 int hdr_size = L2CAP_HDR_SIZE + 2;
3052
47d1ec61 3053 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 3054 skb_trim(skb, skb->len - 2);
3055 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3056 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3057
3058 if (our_fcs != rcv_fcs)
7a560e5c 3059 return -EBADMSG;
fcc203c3
GP		 3060 }
3061 return 0;
3062}
3063
525cd185 3064static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 3065{
d5392c8f
GP		 3066 u16 control = 0;
3067
6a026610 3068 chan->frames_sent = 0;
d5392c8f 3069
42e5c802 3070 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
d5392c8f 3071
525cd185 3072 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
64988868 3073 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185
GP		 3074 l2cap_send_sframe(chan, control);
3075 chan->conn_state |= L2CAP_CONN_RNR_SENT;
d5392c8f
GP		 3076 }
3077
525cd185
GP		 3078 if (chan->conn_state & L2CAP_CONN_REMOTE_BUSY)
3079 l2cap_retransmit_frames(chan);
d5392c8f 3080
525cd185 3081 l2cap_ertm_send(chan);
d5392c8f 3082
525cd185 3083 if (!(chan->conn_state & L2CAP_CONN_LOCAL_BUSY) &&
6a026610 3084 chan->frames_sent == 0) {
d5392c8f 3085 control |= L2CAP_SUPER_RCV_READY;
525cd185 3086 l2cap_send_sframe(chan, control);
d5392c8f
GP		 3087 }
3088}
3089
42e5c802 3090static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u8 tx_seq, u8 sar)
8f17154f
GP		 3091{
3092 struct sk_buff *next_skb;
bfbacc11 3093 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 3094
3095 bt_cb(skb)->tx_seq = tx_seq;
3096 bt_cb(skb)->sar = sar;
3097
f1c6775b 3098 next_skb = skb_peek(&chan->srej_q);
8f17154f 3099 if (!next_skb) {
f1c6775b 3100 __skb_queue_tail(&chan->srej_q, skb);
9b53350d 3101 return 0;
8f17154f
GP		 3102 }
3103
42e5c802 3104 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
bfbacc11
JPRV		 3105 if (tx_seq_offset < 0)
3106 tx_seq_offset += 64;
3107
8f17154f 3108 do {
9b53350d
JPRV		 3109 if (bt_cb(next_skb)->tx_seq == tx_seq)
3110 return -EINVAL;
3111
bfbacc11 3112 next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
42e5c802 3113 chan->buffer_seq) % 64;
bfbacc11
JPRV		 3114 if (next_tx_seq_offset < 0)
3115 next_tx_seq_offset += 64;
3116
3117 if (next_tx_seq_offset > tx_seq_offset) {
f1c6775b 3118 __skb_queue_before(&chan->srej_q, next_skb, skb);
9b53350d 3119 return 0;
8f17154f
GP		 3120 }
3121
f1c6775b 3122 if (skb_queue_is_last(&chan->srej_q, next_skb))
8f17154f
GP		 3123 break;
3124
f1c6775b 3125 } while ((next_skb = skb_queue_next(&chan->srej_q, next_skb)));
8f17154f 3126
f1c6775b 3127 __skb_queue_tail(&chan->srej_q, skb);
9b53350d
JPRV		 3128
3129 return 0;
8f17154f
GP		 3130}
3131
525cd185 3132static int l2cap_ertm_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
18778a63 3133{
18778a63 3134 struct sk_buff *_skb;
1890d36b 3135 int err;
18778a63
GP		 3136
3137 switch (control & L2CAP_CTRL_SAR) {
3138 case L2CAP_SDU_UNSEGMENTED:
525cd185 3139 if (chan->conn_state & L2CAP_CONN_SAR_SDU)
18778a63
GP		 3140 goto drop;
3141
224f8af0 3142 return sock_queue_rcv_skb(chan->sk, skb);
18778a63
GP		 3143
3144 case L2CAP_SDU_START:
525cd185 3145 if (chan->conn_state & L2CAP_CONN_SAR_SDU)
18778a63
GP		 3146 goto drop;
3147
6f61fd47 3148 chan->sdu_len = get_unaligned_le16(skb->data);
18778a63 3149
0c1bc5c6 3150 if (chan->sdu_len > chan->imtu)
18778a63
GP		 3151 goto disconnect;
3152
6f61fd47
GP		 3153 chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
3154 if (!chan->sdu)
1890d36b
GP		 3155 return -ENOMEM;
3156
3157 /* pull sdu_len bytes only after alloc, because of Local Busy
3158 * condition we have to be sure that this will be executed
3159 * only once, i.e., when alloc does not fail */
3160 skb_pull(skb, 2);
18778a63 3161
6f61fd47 3162 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
18778a63 3163
525cd185 3164 chan->conn_state |= L2CAP_CONN_SAR_SDU;
6f61fd47 3165 chan->partial_sdu_len = skb->len;
18778a63
GP		 3166 break;
3167
3168 case L2CAP_SDU_CONTINUE:
525cd185 3169 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
18778a63
GP		 3170 goto disconnect;
3171
6f61fd47 3172 if (!chan->sdu)
18778a63
GP		 3173 goto disconnect;
3174
6f61fd47
GP		 3175 chan->partial_sdu_len += skb->len;
3176 if (chan->partial_sdu_len > chan->sdu_len)
18778a63
GP		 3177 goto drop;
3178
6f61fd47 3179 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
4178ba46 3180
18778a63
GP		 3181 break;
3182
3183 case L2CAP_SDU_END:
525cd185 3184 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
18778a63
GP		 3185 goto disconnect;
3186
6f61fd47 3187 if (!chan->sdu)
18778a63
GP		 3188 goto disconnect;
3189
525cd185 3190 if (!(chan->conn_state & L2CAP_CONN_SAR_RETRY)) {
6f61fd47 3191 chan->partial_sdu_len += skb->len;
18778a63 3192
0c1bc5c6 3193 if (chan->partial_sdu_len > chan->imtu)
1890d36b 3194 goto drop;
18778a63 3195
6f61fd47 3196 if (chan->partial_sdu_len != chan->sdu_len)
1890d36b 3197 goto drop;
4178ba46 3198
6f61fd47 3199 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
1890d36b 3200 }
18778a63 3201
6f61fd47 3202 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
1890d36b 3203 if (!_skb) {
525cd185 3204 chan->conn_state |= L2CAP_CONN_SAR_RETRY;
1890d36b
GP		 3205 return -ENOMEM;
3206 }
3207
525cd185 3208 err = sock_queue_rcv_skb(chan->sk, _skb);
1890d36b 3209 if (err < 0) {
18778a63 3210 kfree_skb(_skb);
525cd185 3211 chan->conn_state |= L2CAP_CONN_SAR_RETRY;
1890d36b
GP		 3212 return err;
3213 }
3214
525cd185
GP		 3215 chan->conn_state &= ~L2CAP_CONN_SAR_RETRY;
3216 chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
18778a63 3217
6f61fd47 3218 kfree_skb(chan->sdu);
18778a63
GP		 3219 break;
3220 }
3221
3222 kfree_skb(skb);
1890d36b 3223 return 0;
18778a63
GP		 3224
3225drop:
6f61fd47
GP		 3226 kfree_skb(chan->sdu);
3227 chan->sdu = NULL;
18778a63
GP		 3228
3229disconnect:
8c1d787b 3230 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
18778a63
GP		 3231 kfree_skb(skb);
3232 return 0;
3233}
3234
525cd185 3235static int l2cap_try_push_rx_skb(struct l2cap_chan *chan)
712132eb 3236{
712132eb
GP		 3237 struct sk_buff *skb;
3238 u16 control;
3239 int err;
3240
f1c6775b 3241 while ((skb = skb_dequeue(&chan->busy_q))) {
712132eb 3242 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
525cd185 3243 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
712132eb 3244 if (err < 0) {
f1c6775b 3245 skb_queue_head(&chan->busy_q, skb);
712132eb
GP		 3246 return -EBUSY;
3247 }
3248
42e5c802 3249 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
712132eb
GP		 3250 }
3251
525cd185 3252 if (!(chan->conn_state & L2CAP_CONN_RNR_SENT))
712132eb
GP		 3253 goto done;
3254
42e5c802 3255 control = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
712132eb 3256 control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
525cd185 3257 l2cap_send_sframe(chan, control);
6a026610 3258 chan->retry_count = 1;
712132eb 3259
e92c8e70 3260 del_timer(&chan->retrans_timer);
712132eb
GP		 3261 __mod_monitor_timer();
3262
525cd185 3263 chan->conn_state |= L2CAP_CONN_WAIT_F;
712132eb
GP		 3264
3265done:
525cd185
GP		 3266 chan->conn_state &= ~L2CAP_CONN_LOCAL_BUSY;
3267 chan->conn_state &= ~L2CAP_CONN_RNR_SENT;
712132eb 3268
49208c9c 3269 BT_DBG("chan %p, Exit local busy", chan);
712132eb
GP		 3270
3271 return 0;
3272}
3273
1890d36b
GP		 3274static void l2cap_busy_work(struct work_struct *work)
3275{
3276 DECLARE_WAITQUEUE(wait, current);
311bb895
GP		 3277 struct l2cap_chan *chan =
3278 container_of(work, struct l2cap_chan, busy_work);
3279 struct sock *sk = chan->sk;
1890d36b
GP		 3280 int n_tries = 0, timeo = HZ/5, err;
3281 struct sk_buff *skb;
1890d36b
GP		 3282
3283 lock_sock(sk);
3284
2b0b05dd 3285 add_wait_queue(sk_sleep(sk), &wait);
311bb895 3286 while ((skb = skb_peek(&chan->busy_q))) {
1890d36b
GP		 3287 set_current_state(TASK_INTERRUPTIBLE);
3288
3289 if (n_tries++ > L2CAP_LOCAL_BUSY_TRIES) {
3290 err = -EBUSY;
8c1d787b 3291 l2cap_send_disconn_req(chan->conn, chan, EBUSY);
712132eb 3292 break;
1890d36b
GP		 3293 }
3294
3295 if (!timeo)
3296 timeo = HZ/5;
3297
3298 if (signal_pending(current)) {
3299 err = sock_intr_errno(timeo);
712132eb 3300 break;
1890d36b
GP		 3301 }
3302
3303 release_sock(sk);
3304 timeo = schedule_timeout(timeo);
3305 lock_sock(sk);
3306
3307 err = sock_error(sk);
3308 if (err)
712132eb 3309 break;
1890d36b 3310
311bb895 3311 if (l2cap_try_push_rx_skb(chan) == 0)
1890d36b
GP		 3312 break;
3313 }
3314
1890d36b 3315 set_current_state(TASK_RUNNING);
2b0b05dd 3316 remove_wait_queue(sk_sleep(sk), &wait);
1890d36b
GP		 3317
3318 release_sock(sk);
3319}
3320
525cd185 3321static int l2cap_push_rx_skb(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
1890d36b 3322{
1890d36b
GP		 3323 int sctrl, err;
3324
525cd185 3325 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
1890d36b 3326 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
f1c6775b 3327 __skb_queue_tail(&chan->busy_q, skb);
525cd185 3328 return l2cap_try_push_rx_skb(chan);
712132eb
GP		 3329
3330
1890d36b
GP		 3331 }
3332
525cd185 3333 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
1890d36b 3334 if (err >= 0) {
42e5c802 3335 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
1890d36b
GP		 3336 return err;
3337 }
3338
3339 /* Busy Condition */
311bb895 3340 BT_DBG("chan %p, Enter local busy", chan);
0e98958d 3341
525cd185 3342 chan->conn_state |= L2CAP_CONN_LOCAL_BUSY;
1890d36b 3343 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
f1c6775b 3344 __skb_queue_tail(&chan->busy_q, skb);
1890d36b 3345
42e5c802 3346 sctrl = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1890d36b 3347 sctrl |= L2CAP_SUPER_RCV_NOT_READY;
525cd185 3348 l2cap_send_sframe(chan, sctrl);
1890d36b 3349
525cd185 3350 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1890d36b 3351
e92c8e70 3352 del_timer(&chan->ack_timer);
7fe9b298 3353
311bb895 3354 queue_work(_busy_wq, &chan->busy_work);
1890d36b
GP		 3355
3356 return err;
3357}
3358
525cd185 3359static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
c74e560c 3360{
c74e560c
GP		 3361 struct sk_buff *_skb;
3362 int err = -EINVAL;
3363
18778a63
GP		 3364 /*
3365 * TODO: We have to notify the userland if some data is lost with the
3366 * Streaming Mode.
3367 */
3368
c74e560c
GP		 3369 switch (control & L2CAP_CTRL_SAR) {
3370 case L2CAP_SDU_UNSEGMENTED:
525cd185 3371 if (chan->conn_state & L2CAP_CONN_SAR_SDU) {
6f61fd47 3372 kfree_skb(chan->sdu);
c74e560c
GP		 3373 break;
3374 }
3375
525cd185 3376 err = sock_queue_rcv_skb(chan->sk, skb);
c74e560c
GP		 3377 if (!err)
3378 return 0;
3379
3380 break;
3381
3382 case L2CAP_SDU_START:
525cd185 3383 if (chan->conn_state & L2CAP_CONN_SAR_SDU) {
6f61fd47 3384 kfree_skb(chan->sdu);
c74e560c
GP		 3385 break;
3386 }
3387
6f61fd47 3388 chan->sdu_len = get_unaligned_le16(skb->data);
c74e560c
GP		 3389 skb_pull(skb, 2);
3390
0c1bc5c6 3391 if (chan->sdu_len > chan->imtu) {
052897ca
GP		 3392 err = -EMSGSIZE;
3393 break;
3394 }
3395
6f61fd47
GP		 3396 chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
3397 if (!chan->sdu) {
c74e560c
GP		 3398 err = -ENOMEM;
3399 break;
3400 }
3401
6f61fd47 3402 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3403
525cd185 3404 chan->conn_state |= L2CAP_CONN_SAR_SDU;
6f61fd47 3405 chan->partial_sdu_len = skb->len;
c74e560c
GP		 3406 err = 0;
3407 break;
3408
3409 case L2CAP_SDU_CONTINUE:
525cd185 3410 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
c74e560c
GP		 3411 break;
3412
6f61fd47 3413 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3414
6f61fd47
GP		 3415 chan->partial_sdu_len += skb->len;
3416 if (chan->partial_sdu_len > chan->sdu_len)
3417 kfree_skb(chan->sdu);
c74e560c
GP		 3418 else
3419 err = 0;
3420
3421 break;
3422
3423 case L2CAP_SDU_END:
525cd185 3424 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
c74e560c
GP		 3425 break;
3426
6f61fd47 3427 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3428
525cd185 3429 chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
6f61fd47 3430 chan->partial_sdu_len += skb->len;
c74e560c 3431
0c1bc5c6 3432 if (chan->partial_sdu_len > chan->imtu)
36f2fd58
GP		 3433 goto drop;
3434
6f61fd47
GP		 3435 if (chan->partial_sdu_len == chan->sdu_len) {
3436 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
525cd185 3437 err = sock_queue_rcv_skb(chan->sk, _skb);
c74e560c
GP		 3438 if (err < 0)
3439 kfree_skb(_skb);
3440 }
c74e560c
GP		 3441 err = 0;
3442
36f2fd58 3443drop:
6f61fd47 3444 kfree_skb(chan->sdu);
c74e560c
GP		 3445 break;
3446 }
3447
3448 kfree_skb(skb);
3449 return err;
3450}
3451
525cd185 3452static void l2cap_check_srej_gap(struct l2cap_chan *chan, u8 tx_seq)
8f17154f
GP		 3453{
3454 struct sk_buff *skb;
afefdbc4 3455 u16 control;
8f17154f 3456
f1c6775b 3457 while ((skb = skb_peek(&chan->srej_q))) {
8f17154f
GP		 3458 if (bt_cb(skb)->tx_seq != tx_seq)
3459 break;
3460
f1c6775b 3461 skb = skb_dequeue(&chan->srej_q);
afefdbc4 3462 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
525cd185 3463 l2cap_ertm_reassembly_sdu(chan, skb, control);
42e5c802
GP		 3464 chan->buffer_seq_srej =
3465 (chan->buffer_seq_srej + 1) % 64;
8ff50ec0 3466 tx_seq = (tx_seq + 1) % 64;
8f17154f
GP		 3467 }
3468}
3469
525cd185 3470static void l2cap_resend_srejframe(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 3471{
8f17154f
GP		 3472 struct srej_list *l, *tmp;
3473 u16 control;
3474
39d5a3ee 3475 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
8f17154f
GP		 3476 if (l->tx_seq == tx_seq) {
3477 list_del(&l->list);
3478 kfree(l);
3479 return;
3480 }
3481 control = L2CAP_SUPER_SELECT_REJECT;
3482 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
525cd185 3483 l2cap_send_sframe(chan, control);
8f17154f 3484 list_del(&l->list);
39d5a3ee 3485 list_add_tail(&l->list, &chan->srej_l);
8f17154f
GP		 3486 }
3487}
3488
525cd185 3489static void l2cap_send_srejframe(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 3490{
8f17154f
GP		 3491 struct srej_list *new;
3492 u16 control;
3493
42e5c802 3494 while (tx_seq != chan->expected_tx_seq) {
8f17154f 3495 control = L2CAP_SUPER_SELECT_REJECT;
42e5c802 3496 control |= chan->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
525cd185 3497 l2cap_send_sframe(chan, control);
8f17154f
GP		 3498
3499 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
42e5c802
GP		 3500 new->tx_seq = chan->expected_tx_seq;
3501 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
39d5a3ee 3502 list_add_tail(&new->list, &chan->srej_l);
8f17154f 3503 }
42e5c802 3504 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
8f17154f
GP		 3505}
3506
525cd185 3507static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
1c2acffb 3508{
1c2acffb 3509 u8 tx_seq = __get_txseq(rx_control);
9f121a5a 3510 u8 req_seq = __get_reqseq(rx_control);
8f17154f 3511 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
f6337c77 3512 int tx_seq_offset, expected_tx_seq_offset;
47d1ec61 3513 int num_to_ack = (chan->tx_win/6) + 1;
1c2acffb
GP		 3514 int err = 0;
3515
525cd185
GP		 3516 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%4.4x", chan, skb->len,
3517 tx_seq, rx_control);
1c2acffb 3518
9b16dc65 3519 if (L2CAP_CTRL_FINAL & rx_control &&
525cd185 3520 chan->conn_state & L2CAP_CONN_WAIT_F) {
e92c8e70 3521 del_timer(&chan->monitor_timer);
6a026610 3522 if (chan->unacked_frames > 0)
1d8f5d16 3523 __mod_retrans_timer();
525cd185 3524 chan->conn_state &= ~L2CAP_CONN_WAIT_F;
1d8f5d16
GP		 3525 }
3526
42e5c802
GP		 3527 chan->expected_ack_seq = req_seq;
3528 l2cap_drop_acked_frames(chan);
9f121a5a 3529
42e5c802 3530 if (tx_seq == chan->expected_tx_seq)
8f17154f 3531 goto expected;
1c2acffb 3532
42e5c802 3533 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
9b53350d
JPRV		 3534 if (tx_seq_offset < 0)
3535 tx_seq_offset += 64;
3536
3537 /* invalid tx_seq */
47d1ec61 3538 if (tx_seq_offset >= chan->tx_win) {
8c1d787b 3539 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
9b53350d
JPRV		 3540 goto drop;
3541 }
3542
525cd185 3543 if (chan->conn_state == L2CAP_CONN_LOCAL_BUSY)
1890d36b
GP		 3544 goto drop;
3545
525cd185 3546 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
8f17154f 3547 struct srej_list *first;
30afb5b2 3548
39d5a3ee 3549 first = list_first_entry(&chan->srej_l,
8f17154f
GP		 3550 struct srej_list, list);
3551 if (tx_seq == first->tx_seq) {
42e5c802 3552 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
525cd185 3553 l2cap_check_srej_gap(chan, tx_seq);
8f17154f
GP		 3554
3555 list_del(&first->list);
3556 kfree(first);
3557
39d5a3ee 3558 if (list_empty(&chan->srej_l)) {
42e5c802 3559 chan->buffer_seq = chan->buffer_seq_srej;
525cd185
GP		 3560 chan->conn_state &= ~L2CAP_CONN_SREJ_SENT;
3561 l2cap_send_ack(chan);
49208c9c 3562 BT_DBG("chan %p, Exit SREJ_SENT", chan);
8f17154f
GP		 3563 }
3564 } else {
3565 struct srej_list *l;
9b53350d
JPRV		 3566
3567 /* duplicated tx_seq */
42e5c802 3568 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
9b53350d 3569 goto drop;
8f17154f 3570
39d5a3ee 3571 list_for_each_entry(l, &chan->srej_l, list) {
8f17154f 3572 if (l->tx_seq == tx_seq) {
525cd185 3573 l2cap_resend_srejframe(chan, tx_seq);
8f17154f
GP		 3574 return 0;
3575 }
3576 }
525cd185 3577 l2cap_send_srejframe(chan, tx_seq);
30afb5b2
GP		 3578 }
3579 } else {
9b53350d 3580 expected_tx_seq_offset =
42e5c802 3581 (chan->expected_tx_seq - chan->buffer_seq) % 64;
9b53350d
JPRV		 3582 if (expected_tx_seq_offset < 0)
3583 expected_tx_seq_offset += 64;
3584
3585 /* duplicated tx_seq */
3586 if (tx_seq_offset < expected_tx_seq_offset)
3587 goto drop;
3588
525cd185 3589 chan->conn_state |= L2CAP_CONN_SREJ_SENT;
1c2acffb 3590
49208c9c 3591 BT_DBG("chan %p, Enter SREJ", chan);
0e98958d 3592
39d5a3ee 3593 INIT_LIST_HEAD(&chan->srej_l);
42e5c802 3594 chan->buffer_seq_srej = chan->buffer_seq;
8f17154f 3595
f1c6775b
GP		 3596 __skb_queue_head_init(&chan->srej_q);
3597 __skb_queue_head_init(&chan->busy_q);
42e5c802 3598 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
8f17154f 3599
525cd185 3600 chan->conn_state |= L2CAP_CONN_SEND_PBIT;
ef54fd93 3601
525cd185 3602 l2cap_send_srejframe(chan, tx_seq);
7fe9b298 3603
e92c8e70 3604 del_timer(&chan->ack_timer);
1c2acffb 3605 }
30afb5b2
GP		 3606 return 0;
3607
8f17154f 3608expected:
42e5c802 3609 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
8f17154f 3610
525cd185 3611 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
3b1a9f3f
GP		 3612 bt_cb(skb)->tx_seq = tx_seq;
3613 bt_cb(skb)->sar = sar;
f1c6775b 3614 __skb_queue_tail(&chan->srej_q, skb);
8f17154f
GP		 3615 return 0;
3616 }
3617
525cd185 3618 err = l2cap_push_rx_skb(chan, skb, rx_control);
2ece3684
GP		 3619 if (err < 0)
3620 return 0;
3621
4ec10d97 3622 if (rx_control & L2CAP_CTRL_FINAL) {
525cd185
GP		 3623 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3624 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be 3625 else
525cd185 3626 l2cap_retransmit_frames(chan);
4ec10d97
GP		 3627 }
3628
c1b4f43b
GP		 3629 __mod_ack_timer();
3630
6a026610
GP		 3631 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3632 if (chan->num_acked == num_to_ack - 1)
525cd185 3633 l2cap_send_ack(chan);
9e917af1 3634
8f17154f 3635 return 0;
9b53350d
JPRV		 3636
3637drop:
3638 kfree_skb(skb);
3639 return 0;
1c2acffb
GP		 3640}
3641
525cd185 3642static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u16 rx_control)
1c2acffb 3643{
49208c9c 3644 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, __get_reqseq(rx_control),
0e98958d
GP		 3645 rx_control);
3646
42e5c802
GP		 3647 chan->expected_ack_seq = __get_reqseq(rx_control);
3648 l2cap_drop_acked_frames(chan);
1c2acffb 3649
e072745f 3650 if (rx_control & L2CAP_CTRL_POLL) {
525cd185
GP		 3651 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3652 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
3653 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
6a026610 3654 (chan->unacked_frames > 0))
05fbd89d
GP		 3655 __mod_retrans_timer();
3656
525cd185
GP		 3657 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3658 l2cap_send_srejtail(chan);
05fbd89d 3659 } else {
525cd185 3660 l2cap_send_i_or_rr_or_rnr(chan);
05fbd89d 3661 }
1d8f5d16 3662
e072745f 3663 } else if (rx_control & L2CAP_CTRL_FINAL) {
525cd185 3664 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4ec10d97 3665
525cd185
GP		 3666 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3667 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be 3668 else
525cd185 3669 l2cap_retransmit_frames(chan);
2246b2f1 3670
e072745f 3671 } else {
525cd185 3672 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
6a026610 3673 (chan->unacked_frames > 0))
e072745f 3674 __mod_retrans_timer();
1c2acffb 3675
525cd185
GP		 3676 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3677 if (chan->conn_state & L2CAP_CONN_SREJ_SENT)
3678 l2cap_send_ack(chan);
894718a6 3679 else
525cd185 3680 l2cap_ertm_send(chan);
e072745f
GP		 3681 }
3682}
2246b2f1 3683
525cd185 3684static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3685{
e072745f 3686 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3687
525cd185 3688 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3689
525cd185 3690 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
e072745f 3691
42e5c802
GP		 3692 chan->expected_ack_seq = tx_seq;
3693 l2cap_drop_acked_frames(chan);
e072745f
GP		 3694
3695 if (rx_control & L2CAP_CTRL_FINAL) {
525cd185
GP		 3696 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3697 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be 3698 else
525cd185 3699 l2cap_retransmit_frames(chan);
e072745f 3700 } else {
525cd185 3701 l2cap_retransmit_frames(chan);
30afb5b2 3702
525cd185
GP		 3703 if (chan->conn_state & L2CAP_CONN_WAIT_F)
3704 chan->conn_state |= L2CAP_CONN_REJ_ACT;
e072745f
GP		 3705 }
3706}
525cd185 3707static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3708{
e072745f 3709 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3710
525cd185 3711 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3712
525cd185 3713 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
2246b2f1 3714
e072745f 3715 if (rx_control & L2CAP_CTRL_POLL) {
42e5c802
GP		 3716 chan->expected_ack_seq = tx_seq;
3717 l2cap_drop_acked_frames(chan);
3cb123d1 3718
525cd185
GP		 3719 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3720 l2cap_retransmit_one_frame(chan, tx_seq);
dfc909be 3721
525cd185 3722 l2cap_ertm_send(chan);
dfc909be 3723
525cd185 3724 if (chan->conn_state & L2CAP_CONN_WAIT_F) {
6a026610 3725 chan->srej_save_reqseq = tx_seq;
525cd185 3726 chan->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 3727 }
e072745f 3728 } else if (rx_control & L2CAP_CTRL_FINAL) {
525cd185 3729 if ((chan->conn_state & L2CAP_CONN_SREJ_ACT) &&
6a026610 3730 chan->srej_save_reqseq == tx_seq)
525cd185 3731 chan->conn_state &= ~L2CAP_CONN_SREJ_ACT;
e072745f 3732 else
525cd185 3733 l2cap_retransmit_one_frame(chan, tx_seq);
e072745f 3734 } else {
525cd185
GP		 3735 l2cap_retransmit_one_frame(chan, tx_seq);
3736 if (chan->conn_state & L2CAP_CONN_WAIT_F) {
6a026610 3737 chan->srej_save_reqseq = tx_seq;
525cd185 3738 chan->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 3739 }
e072745f
GP		 3740 }
3741}
3742
525cd185 3743static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3744{
e072745f
GP		 3745 u8 tx_seq = __get_reqseq(rx_control);
3746
525cd185 3747 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3748
525cd185 3749 chan->conn_state |= L2CAP_CONN_REMOTE_BUSY;
42e5c802
GP		 3750 chan->expected_ack_seq = tx_seq;
3751 l2cap_drop_acked_frames(chan);
e072745f 3752
3cb123d1 3753 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3754 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3cb123d1 3755
525cd185 3756 if (!(chan->conn_state & L2CAP_CONN_SREJ_SENT)) {
e92c8e70 3757 del_timer(&chan->retrans_timer);
a2e12a2a 3758 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3759 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
99b0d4b7 3760 return;
e072745f 3761 }
99b0d4b7
GP		 3762
3763 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3764 l2cap_send_srejtail(chan);
99b0d4b7 3765 else
525cd185 3766 l2cap_send_sframe(chan, L2CAP_SUPER_RCV_READY);
e072745f
GP		 3767}
3768
525cd185 3769static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
e072745f 3770{
525cd185 3771 BT_DBG("chan %p rx_control 0x%4.4x len %d", chan, rx_control, skb->len);
e072745f 3772
9b16dc65 3773 if (L2CAP_CTRL_FINAL & rx_control &&
525cd185 3774 chan->conn_state & L2CAP_CONN_WAIT_F) {
e92c8e70 3775 del_timer(&chan->monitor_timer);
6a026610 3776 if (chan->unacked_frames > 0)
e072745f 3777 __mod_retrans_timer();
525cd185 3778 chan->conn_state &= ~L2CAP_CONN_WAIT_F;
e072745f
GP		 3779 }
3780
3781 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
3782 case L2CAP_SUPER_RCV_READY:
525cd185 3783 l2cap_data_channel_rrframe(chan, rx_control);
8f17154f
GP		 3784 break;
3785
e072745f 3786 case L2CAP_SUPER_REJECT:
525cd185 3787 l2cap_data_channel_rejframe(chan, rx_control);
e072745f 3788 break;
2246b2f1 3789
e072745f 3790 case L2CAP_SUPER_SELECT_REJECT:
525cd185 3791 l2cap_data_channel_srejframe(chan, rx_control);
e072745f
GP		 3792 break;
3793
3794 case L2CAP_SUPER_RCV_NOT_READY:
525cd185 3795 l2cap_data_channel_rnrframe(chan, rx_control);
1c2acffb
GP		 3796 break;
3797 }
3798
faaebd19 3799 kfree_skb(skb);
1c2acffb
GP		 3800 return 0;
3801}
3802
218bb9df
GP		 3803static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
3804{
525cd185 3805 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
218bb9df
GP		 3806 u16 control;
3807 u8 req_seq;
3808 int len, next_tx_seq_offset, req_seq_offset;
3809
3810 control = get_unaligned_le16(skb->data);
3811 skb_pull(skb, 2);
3812 len = skb->len;
3813
3814 /*
3815 * We can just drop the corrupted I-frame here.
3816 * Receiver will miss it and start proper recovery
3817 * procedures and ask retransmission.
3818 */
47d1ec61 3819 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 3820 goto drop;
3821
3822 if (__is_sar_start(control) && __is_iframe(control))
3823 len -= 2;
3824
47d1ec61 3825 if (chan->fcs == L2CAP_FCS_CRC16)
218bb9df
GP		 3826 len -= 2;
3827
47d1ec61 3828 if (len > chan->mps) {
8c1d787b 3829 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3830 goto drop;
3831 }
3832
3833 req_seq = __get_reqseq(control);
42e5c802 3834 req_seq_offset = (req_seq - chan->expected_ack_seq) % 64;
218bb9df
GP		 3835 if (req_seq_offset < 0)
3836 req_seq_offset += 64;
3837
3838 next_tx_seq_offset =
42e5c802 3839 (chan->next_tx_seq - chan->expected_ack_seq) % 64;
218bb9df
GP		 3840 if (next_tx_seq_offset < 0)
3841 next_tx_seq_offset += 64;
3842
3843 /* check for invalid req-seq */
3844 if (req_seq_offset > next_tx_seq_offset) {
8c1d787b 3845 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3846 goto drop;
3847 }
3848
3849 if (__is_iframe(control)) {
3850 if (len < 0) {
8c1d787b 3851 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3852 goto drop;
3853 }
3854
525cd185 3855 l2cap_data_channel_iframe(chan, control, skb);
218bb9df
GP		 3856 } else {
3857 if (len != 0) {
3858 BT_ERR("%d", len);
8c1d787b 3859 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3860 goto drop;
3861 }
3862
525cd185 3863 l2cap_data_channel_sframe(chan, control, skb);
218bb9df
GP		 3864 }
3865
3866 return 0;
3867
3868drop:
3869 kfree_skb(skb);
3870 return 0;
3871}
3872
1da177e4
LT		 3873static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
3874{
48454079 3875 struct l2cap_chan *chan;
bf734843 3876 struct sock *sk = NULL;
51893f88 3877 u16 control;
218bb9df
GP		 3878 u8 tx_seq;
3879 int len;
1da177e4 3880
baa7e1fa 3881 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 3882 if (!chan) {
1da177e4
LT		 3883 BT_DBG("unknown cid 0x%4.4x", cid);
3884 goto drop;
3885 }
3886
48454079 3887 sk = chan->sk;
6840ed07 3888
49208c9c 3889 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4
LT		 3890
3891 if (sk->sk_state != BT_CONNECTED)
3892 goto drop;
3893
0c1bc5c6 3894 switch (chan->mode) {
1c2acffb
GP		 3895 case L2CAP_MODE_BASIC:
3896 /* If socket recv buffers overflows we drop data here
3897 * which is *bad* because L2CAP has to be reliable.
3898 * But we don't have any other choice. L2CAP doesn't
3899 * provide flow control mechanism. */
1da177e4 3900
0c1bc5c6 3901 if (chan->imtu < skb->len)
1c2acffb 3902 goto drop;
1da177e4 3903
1c2acffb
GP		 3904 if (!sock_queue_rcv_skb(sk, skb))
3905 goto done;
3906 break;
3907
3908 case L2CAP_MODE_ERTM:
218bb9df
GP		 3909 if (!sock_owned_by_user(sk)) {
3910 l2cap_ertm_data_rcv(sk, skb);
277ffbe3 3911 } else {
218bb9df 3912 if (sk_add_backlog(sk, skb))
277ffbe3 3913 goto drop;
277ffbe3 3914 }
1c2acffb 3915
fcafde2e 3916 goto done;
1c2acffb 3917
6840ed07
GP		 3918 case L2CAP_MODE_STREAMING:
3919 control = get_unaligned_le16(skb->data);
3920 skb_pull(skb, 2);
3921 len = skb->len;
3922
47d1ec61 3923 if (l2cap_check_fcs(chan, skb))
26000089
GP		 3924 goto drop;
3925
6840ed07
GP		 3926 if (__is_sar_start(control))
3927 len -= 2;
3928
47d1ec61 3929 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 3930 len -= 2;
3931
47d1ec61 3932 if (len > chan->mps || len < 0 || __is_sframe(control))
6840ed07
GP		 3933 goto drop;
3934
3935 tx_seq = __get_txseq(control);
3936
42e5c802
GP		 3937 if (chan->expected_tx_seq == tx_seq)
3938 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
6840ed07 3939 else
42e5c802 3940 chan->expected_tx_seq = (tx_seq + 1) % 64;
6840ed07 3941
525cd185 3942 l2cap_streaming_reassembly_sdu(chan, skb, control);
6840ed07
GP		 3943
3944 goto done;
3945
1c2acffb 3946 default:
0c1bc5c6 3947 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 3948 break;
3949 }
1da177e4
LT		 3950
3951drop:
3952 kfree_skb(skb);
3953
3954done:
0139418c
MH		 3955 if (sk)
3956 bh_unlock_sock(sk);
3957
1da177e4
LT		 3958 return 0;
3959}
3960
8e036fc3 3961static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 3962{
6dcae1ea 3963 struct sock *sk = NULL;
23691d75 3964 struct l2cap_chan *chan;
1da177e4 3965
23691d75
GP		 3966 chan = l2cap_global_chan_by_psm(0, psm, conn->src);
3967 if (!chan)
1da177e4
LT		 3968 goto drop;
3969
23691d75
GP		 3970 sk = chan->sk;
3971
e0f0cb56
GP		 3972 bh_lock_sock(sk);
3973
1da177e4
LT		 3974 BT_DBG("sk %p, len %d", sk, skb->len);
3975
3976 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
3977 goto drop;
3978
0c1bc5c6 3979 if (l2cap_pi(sk)->chan->imtu < skb->len)
1da177e4
LT		 3980 goto drop;
3981
3982 if (!sock_queue_rcv_skb(sk, skb))
3983 goto done;
3984
3985drop:
3986 kfree_skb(skb);
3987
3988done:
af05b30b
GP		 3989 if (sk)
3990 bh_unlock_sock(sk);
1da177e4
LT		 3991 return 0;
3992}
3993
9f69bda6
GP		 3994static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
3995{
6dcae1ea 3996 struct sock *sk = NULL;
23691d75 3997 struct l2cap_chan *chan;
9f69bda6 3998
23691d75
GP		 3999 chan = l2cap_global_chan_by_scid(0, cid, conn->src);
4000 if (!chan)
9f69bda6
GP		 4001 goto drop;
4002
23691d75
GP		 4003 sk = chan->sk;
4004
9f69bda6
GP		 4005 bh_lock_sock(sk);
4006
4007 BT_DBG("sk %p, len %d", sk, skb->len);
4008
4009 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
4010 goto drop;
4011
0c1bc5c6 4012 if (l2cap_pi(sk)->chan->imtu < skb->len)
9f69bda6
GP		 4013 goto drop;
4014
4015 if (!sock_queue_rcv_skb(sk, skb))
4016 goto done;
4017
4018drop:
4019 kfree_skb(skb);
4020
4021done:
4022 if (sk)
4023 bh_unlock_sock(sk);
4024 return 0;
4025}
4026
1da177e4
LT		 4027static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4028{
4029 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4030 u16 cid, len;
4031 __le16 psm;
1da177e4
LT		 4032
4033 skb_pull(skb, L2CAP_HDR_SIZE);
4034 cid = __le16_to_cpu(lh->cid);
4035 len = __le16_to_cpu(lh->len);
4036
1c2acffb
GP		 4037 if (len != skb->len) {
4038 kfree_skb(skb);
4039 return;
4040 }
4041
1da177e4
LT		 4042 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4043
4044 switch (cid) {
3300d9a9 4045 case L2CAP_CID_LE_SIGNALING:
8db4dc46 4046 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4047 l2cap_sig_channel(conn, skb);
4048 break;
4049
8db4dc46 4050 case L2CAP_CID_CONN_LESS:
1b7bf4ed 4051 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 4052 skb_pull(skb, 2);
4053 l2cap_conless_channel(conn, psm, skb);
4054 break;
4055
9f69bda6
GP		 4056 case L2CAP_CID_LE_DATA:
4057 l2cap_att_channel(conn, cid, skb);
4058 break;
4059
1da177e4
LT		 4060 default:
4061 l2cap_data_channel(conn, cid, skb);
4062 break;
4063 }
4064}
4065
4066/* ---- L2CAP interface with lower layer (HCI) ---- */
4067
4068static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4069{
4070 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 4071 struct l2cap_chan *c;
1da177e4
LT		 4072
4073 if (type != ACL_LINK)
963cf687 4074 return -EINVAL;
1da177e4
LT		 4075
4076 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4077
4078 /* Find listening sockets and check their link_mode */
23691d75
GP		 4079 read_lock(&chan_list_lock);
4080 list_for_each_entry(c, &chan_list, global_l) {
4081 struct sock *sk = c->sk;
4343478f 4082
1da177e4
LT		 4083 if (sk->sk_state != BT_LISTEN)
4084 continue;
4085
4086 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4087 lm1 |= HCI_LM_ACCEPT;
23691d75 4088 if (c->role_switch)
2af6b9d5 4089 lm1 |= HCI_LM_MASTER;
1da177e4 4090 exact++;
2af6b9d5
MH		 4091 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4092 lm2 |= HCI_LM_ACCEPT;
23691d75 4093 if (c->role_switch)
2af6b9d5
MH		 4094 lm2 |= HCI_LM_MASTER;
4095 }
1da177e4 4096 }
23691d75 4097 read_unlock(&chan_list_lock);
1da177e4
LT		 4098
4099 return exact ? lm1 : lm2;
4100}
4101
4102static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4103{
0139418c
MH		 4104 struct l2cap_conn *conn;
4105
1da177e4
LT		 4106 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4107
acd7d370 4108 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4109 return -EINVAL;
1da177e4
LT		 4110
4111 if (!status) {
1da177e4
LT		 4112 conn = l2cap_conn_add(hcon, status);
4113 if (conn)
4114 l2cap_conn_ready(conn);
0139418c 4115 } else
1da177e4
LT		 4116 l2cap_conn_del(hcon, bt_err(status));
4117
4118 return 0;
4119}
4120
2950f21a
MH		 4121static int l2cap_disconn_ind(struct hci_conn *hcon)
4122{
4123 struct l2cap_conn *conn = hcon->l2cap_data;
4124
4125 BT_DBG("hcon %p", hcon);
4126
4127 if (hcon->type != ACL_LINK || !conn)
4128 return 0x13;
4129
4130 return conn->disc_reason;
4131}
4132
4133static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4134{
4135 BT_DBG("hcon %p reason %d", hcon, reason);
4136
acd7d370 4137 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4138 return -EINVAL;
1da177e4
LT		 4139
4140 l2cap_conn_del(hcon, bt_err(reason));
0139418c 4141
1da177e4
LT		 4142 return 0;
4143}
4144
4343478f 4145static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4146{
715ec005 4147 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 4148 return;
4149
f62e4323 4150 if (encrypt == 0x00) {
4343478f 4151 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ab07801d
GP		 4152 l2cap_chan_clear_timer(chan);
4153 l2cap_chan_set_timer(chan, HZ * 5);
4343478f 4154 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 4155 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4156 } else {
4343478f 4157 if (chan->sec_level == BT_SECURITY_MEDIUM)
ab07801d 4158 l2cap_chan_clear_timer(chan);
f62e4323
MH		 4159 }
4160}
4161
8c1b2355 4162static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4163{
0139418c 4164 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4165 struct l2cap_chan *chan;
1da177e4 4166
0139418c 4167 if (!conn)
1da177e4 4168 return 0;
0139418c 4169
1da177e4
LT		 4170 BT_DBG("conn %p", conn);
4171
baa7e1fa 4172 read_lock(&conn->chan_lock);
1da177e4 4173
baa7e1fa 4174 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 4175 struct sock *sk = chan->sk;
baa7e1fa 4176
1da177e4
LT		 4177 bh_lock_sock(sk);
4178
b4450035 4179 if (chan->conf_state & L2CAP_CONF_CONNECT_PEND) {
6a8d3010
MH		 4180 bh_unlock_sock(sk);
4181 continue;
4182 }
4183
f62e4323 4184 if (!status && (sk->sk_state == BT_CONNECTED ||
8c1b2355 4185 sk->sk_state == BT_CONFIG)) {
4343478f 4186 l2cap_check_encryption(chan, encrypt);
9719f8af
MH		 4187 bh_unlock_sock(sk);
4188 continue;
4189 }
4190
b1235d79
MH		 4191 if (sk->sk_state == BT_CONNECT) {
4192 if (!status) {
4193 struct l2cap_conn_req req;
fe4128e0
GP		 4194 req.scid = cpu_to_le16(chan->scid);
4195 req.psm = chan->psm;
1da177e4 4196
fc7f8a7e 4197 chan->ident = l2cap_get_ident(conn);
b4450035 4198 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4 4199
fc7f8a7e 4200 l2cap_send_cmd(conn, chan->ident,
b1235d79
MH		 4201 L2CAP_CONN_REQ, sizeof(req), &req);
4202 } else {
ab07801d
GP		 4203 l2cap_chan_clear_timer(chan);
4204 l2cap_chan_set_timer(chan, HZ / 10);
b1235d79
MH		 4205 }
4206 } else if (sk->sk_state == BT_CONNECT2) {
4207 struct l2cap_conn_rsp rsp;
4208 __u16 result;
1da177e4 4209
b1235d79
MH		 4210 if (!status) {
4211 sk->sk_state = BT_CONFIG;
4212 result = L2CAP_CR_SUCCESS;
4213 } else {
4214 sk->sk_state = BT_DISCONN;
ab07801d 4215 l2cap_chan_set_timer(chan, HZ / 10);
b1235d79
MH		 4216 result = L2CAP_CR_SEC_BLOCK;
4217 }
4218
fe4128e0
GP		 4219 rsp.scid = cpu_to_le16(chan->dcid);
4220 rsp.dcid = cpu_to_le16(chan->scid);
b1235d79 4221 rsp.result = cpu_to_le16(result);
e7c29cb1 4222 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
fc7f8a7e
GP		 4223 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4224 sizeof(rsp), &rsp);
b1235d79 4225 }
1da177e4
LT		 4226
4227 bh_unlock_sock(sk);
4228 }
4229
baa7e1fa 4230 read_unlock(&conn->chan_lock);
b1235d79 4231
1da177e4
LT		 4232 return 0;
4233}
4234
4235static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4236{
4237 struct l2cap_conn *conn = hcon->l2cap_data;
4238
5a08ecce
AE		 4239 if (!conn)
4240 conn = l2cap_conn_add(hcon, 0);
4241
4242 if (!conn)
1da177e4
LT		 4243 goto drop;
4244
4245 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4246
e702112f 4247 if (!(flags & ACL_CONT)) {
1da177e4 4248 struct l2cap_hdr *hdr;
48454079 4249 struct l2cap_chan *chan;
89794813 4250 u16 cid;
1da177e4
LT		 4251 int len;
4252
4253 if (conn->rx_len) {
4254 BT_ERR("Unexpected start frame (len %d)", skb->len);
4255 kfree_skb(conn->rx_skb);
4256 conn->rx_skb = NULL;
4257 conn->rx_len = 0;
4258 l2cap_conn_unreliable(conn, ECOMM);
4259 }
4260
aae7fe22
AE		 4261 /* Start fragment always begin with Basic L2CAP header */
4262 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 4263 BT_ERR("Frame is too short (len %d)", skb->len);
4264 l2cap_conn_unreliable(conn, ECOMM);
4265 goto drop;
4266 }
4267
4268 hdr = (struct l2cap_hdr *) skb->data;
4269 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
89794813 4270 cid = __le16_to_cpu(hdr->cid);
1da177e4
LT		 4271
4272 if (len == skb->len) {
4273 /* Complete frame received */
4274 l2cap_recv_frame(conn, skb);
4275 return 0;
4276 }
4277
4278 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4279
4280 if (skb->len > len) {
4281 BT_ERR("Frame is too long (len %d, expected len %d)",
4282 skb->len, len);
4283 l2cap_conn_unreliable(conn, ECOMM);
4284 goto drop;
4285 }
4286
baa7e1fa 4287 chan = l2cap_get_chan_by_scid(conn, cid);
89794813 4288
48454079
GP		 4289 if (chan && chan->sk) {
4290 struct sock *sk = chan->sk;
89794813 4291
0c1bc5c6 4292 if (chan->imtu < len - L2CAP_HDR_SIZE) {
48454079
GP		 4293 BT_ERR("Frame exceeding recv MTU (len %d, "
4294 "MTU %d)", len,
0c1bc5c6 4295 chan->imtu);
48454079
GP		 4296 bh_unlock_sock(sk);
4297 l2cap_conn_unreliable(conn, ECOMM);
4298 goto drop;
4299 }
89794813 4300 bh_unlock_sock(sk);
48454079 4301 }
89794813 4302
1da177e4 4303 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4304 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4305 if (!conn->rx_skb)
1da177e4
LT		 4306 goto drop;
4307
d626f62b 4308 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4309 skb->len);
1da177e4
LT		 4310 conn->rx_len = len - skb->len;
4311 } else {
4312 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4313
4314 if (!conn->rx_len) {
4315 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4316 l2cap_conn_unreliable(conn, ECOMM);
4317 goto drop;
4318 }
4319
4320 if (skb->len > conn->rx_len) {
4321 BT_ERR("Fragment is too long (len %d, expected %d)",
4322 skb->len, conn->rx_len);
4323 kfree_skb(conn->rx_skb);
4324 conn->rx_skb = NULL;
4325 conn->rx_len = 0;
4326 l2cap_conn_unreliable(conn, ECOMM);
4327 goto drop;
4328 }
4329
d626f62b 4330 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4331 skb->len);
1da177e4
LT		 4332 conn->rx_len -= skb->len;
4333
4334 if (!conn->rx_len) {
4335 /* Complete frame received */
4336 l2cap_recv_frame(conn, conn->rx_skb);
4337 conn->rx_skb = NULL;
4338 }
4339 }
4340
4341drop:
4342 kfree_skb(skb);
4343 return 0;
4344}
4345
aef7d97c 4346static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 4347{
23691d75 4348 struct l2cap_chan *c;
1da177e4 4349
23691d75 4350 read_lock_bh(&chan_list_lock);
1da177e4 4351
23691d75
GP		 4352 list_for_each_entry(c, &chan_list, global_l) {
4353 struct sock *sk = c->sk;
101545f6 4354
903d343e 4355 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 4356 batostr(&bt_sk(sk)->src),
4357 batostr(&bt_sk(sk)->dst),
23691d75
GP		 4358 sk->sk_state, __le16_to_cpu(c->psm),
4359 c->scid, c->dcid, c->imtu, c->omtu,
4360 c->sec_level, c->mode);
be9d1227 4361 }
1da177e4 4362
23691d75 4363 read_unlock_bh(&chan_list_lock);
1da177e4 4364
aef7d97c 4365 return 0;
1da177e4
LT		 4366}
4367
aef7d97c
MH		 4368static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4369{
4370 return single_open(file, l2cap_debugfs_show, inode->i_private);
4371}
4372
4373static const struct file_operations l2cap_debugfs_fops = {
4374 .open = l2cap_debugfs_open,
4375 .read = seq_read,
4376 .llseek = seq_lseek,
4377 .release = single_release,
4378};
4379
4380static struct dentry *l2cap_debugfs;
1da177e4 4381
1da177e4
LT		 4382static struct hci_proto l2cap_hci_proto = {
4383 .name = "L2CAP",
4384 .id = HCI_PROTO_L2CAP,
4385 .connect_ind = l2cap_connect_ind,
4386 .connect_cfm = l2cap_connect_cfm,
4387 .disconn_ind = l2cap_disconn_ind,
2950f21a 4388 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 4389 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 4390 .recv_acldata = l2cap_recv_acldata
4391};
4392
64274518 4393int __init l2cap_init(void)
1da177e4
LT		 4394{
4395 int err;
be9d1227 4396
bb58f747 4397 err = l2cap_init_sockets();
1da177e4
LT		 4398 if (err < 0)
4399 return err;
4400
1890d36b 4401 _busy_wq = create_singlethread_workqueue("l2cap");
b78d7b4f 4402 if (!_busy_wq) {
bb58f747 4403 err = -ENOMEM;
1da177e4
LT		 4404 goto error;
4405 }
4406
4407 err = hci_register_proto(&l2cap_hci_proto);
4408 if (err < 0) {
4409 BT_ERR("L2CAP protocol registration failed");
4410 bt_sock_unregister(BTPROTO_L2CAP);
4411 goto error;
4412 }
4413
aef7d97c
MH		 4414 if (bt_debugfs) {
4415 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4416 bt_debugfs, NULL, &l2cap_debugfs_fops);
4417 if (!l2cap_debugfs)
4418 BT_ERR("Failed to create L2CAP debug file");
4419 }
1da177e4 4420
1da177e4
LT		 4421 return 0;
4422
4423error:
b78d7b4f 4424 destroy_workqueue(_busy_wq);
bb58f747 4425 l2cap_cleanup_sockets();
1da177e4
LT		 4426 return err;
4427}
4428
64274518 4429void l2cap_exit(void)
1da177e4 4430{
aef7d97c 4431 debugfs_remove(l2cap_debugfs);
1da177e4 4432
1890d36b
GP		 4433 flush_workqueue(_busy_wq);
4434 destroy_workqueue(_busy_wq);
4435
1da177e4
LT		 4436 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4437 BT_ERR("L2CAP protocol unregistration failed");
4438
bb58f747 4439 l2cap_cleanup_sockets();
1da177e4
LT		 4440}
4441
d1c4a17d
GP		 4442module_param(disable_ertm, bool, 0644);
4443MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
Linux kernel - Deliverables
This page took 0.946824 seconds and 5 git commands to generate.