projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Add l2cap_chan_ops abstraction
[deliverable/linux.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
1da177e4
LT		 6
7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License version 2 as
11 published by the Free Software Foundation;
12
13 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
14 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
16 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 17 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
18 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
19 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 20 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21
8e87d142
YH		 22 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
23 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 24 SOFTWARE IS DISCLAIMED.
25*/
26
bb58f747 27/* Bluetooth L2CAP core. */
1da177e4 28
1da177e4
LT		 29#include <linux/module.h>
30
31#include <linux/types.h>
4fc268d2 32#include <linux/capability.h>
1da177e4
LT		 33#include <linux/errno.h>
34#include <linux/kernel.h>
1da177e4
LT		 35#include <linux/sched.h>
36#include <linux/slab.h>
37#include <linux/poll.h>
38#include <linux/fcntl.h>
39#include <linux/init.h>
40#include <linux/interrupt.h>
41#include <linux/socket.h>
42#include <linux/skbuff.h>
1da177e4 43#include <linux/list.h>
be9d1227 44#include <linux/device.h>
aef7d97c
MH		 45#include <linux/debugfs.h>
46#include <linux/seq_file.h>
af05b30b 47#include <linux/uaccess.h>
fcc203c3 48#include <linux/crc16.h>
1da177e4
LT		 49#include <net/sock.h>
50
51#include <asm/system.h>
1da177e4
LT		 52#include <asm/unaligned.h>
53
54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h>
57
bb58f747 58int disable_ertm;
f0709e03 59
47ec1dcd 60static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
e1027a7c 61static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 62
1890d36b
GP		 63static struct workqueue_struct *_busy_wq;
64
b5ad8b7f
JB		 65static LIST_HEAD(chan_list);
66static DEFINE_RWLOCK(chan_list_lock);
1da177e4 67
1890d36b
GP		 68static void l2cap_busy_work(struct work_struct *work);
69
1da177e4
LT		 70static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
71 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 72static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
73 void *data);
710f9b0a 74static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a
GP		 75static void l2cap_send_disconn_req(struct l2cap_conn *conn,
76 struct l2cap_chan *chan, int err);
1da177e4 77
218bb9df
GP		 78static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
79
0139418c 80/* ---- L2CAP channels ---- */
baa7e1fa 81static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 82{
48454079 83 struct l2cap_chan *c;
baa7e1fa
GP		 84
85 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 86 if (c->dcid == cid)
baa7e1fa 87 return c;
0139418c 88 }
baa7e1fa
GP		 89 return NULL;
90
0139418c
MH		 91}
92
baa7e1fa 93static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 94{
48454079 95 struct l2cap_chan *c;
baa7e1fa
GP		 96
97 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 98 if (c->scid == cid)
baa7e1fa 99 return c;
0139418c 100 }
baa7e1fa 101 return NULL;
0139418c
MH		 102}
103
104/* Find channel with given SCID.
105 * Returns locked socket */
baa7e1fa 106static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 107{
48454079 108 struct l2cap_chan *c;
baa7e1fa
GP		 109
110 read_lock(&conn->chan_lock);
111 c = __l2cap_get_chan_by_scid(conn, cid);
48454079
GP		 112 if (c)
113 bh_lock_sock(c->sk);
baa7e1fa 114 read_unlock(&conn->chan_lock);
48454079 115 return c;
0139418c
MH		 116}
117
baa7e1fa 118static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 119{
48454079 120 struct l2cap_chan *c;
baa7e1fa
GP		 121
122 list_for_each_entry(c, &conn->chan_l, list) {
fc7f8a7e 123 if (c->ident == ident)
baa7e1fa 124 return c;
0139418c 125 }
baa7e1fa 126 return NULL;
0139418c
MH		 127}
128
baa7e1fa 129static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 130{
48454079 131 struct l2cap_chan *c;
baa7e1fa
GP		 132
133 read_lock(&conn->chan_lock);
134 c = __l2cap_get_chan_by_ident(conn, ident);
48454079
GP		 135 if (c)
136 bh_lock_sock(c->sk);
baa7e1fa 137 read_unlock(&conn->chan_lock);
48454079 138 return c;
0139418c
MH		 139}
140
23691d75 141static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 142{
23691d75 143 struct l2cap_chan *c;
9e4425ff 144
23691d75
GP		 145 list_for_each_entry(c, &chan_list, global_l) {
146 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
9e4425ff
GP		 147 goto found;
148 }
149
23691d75 150 c = NULL;
9e4425ff 151found:
23691d75 152 return c;
9e4425ff
GP		 153}
154
155int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
156{
73b2ec18
GP		 157 int err;
158
23691d75 159 write_lock_bh(&chan_list_lock);
9e4425ff 160
23691d75 161 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 162 err = -EADDRINUSE;
163 goto done;
9e4425ff
GP		 164 }
165
73b2ec18
GP		 166 if (psm) {
167 chan->psm = psm;
168 chan->sport = psm;
169 err = 0;
170 } else {
171 u16 p;
172
173 err = -EINVAL;
174 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 175 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 176 chan->psm = cpu_to_le16(p);
177 chan->sport = cpu_to_le16(p);
178 err = 0;
179 break;
180 }
181 }
9e4425ff 182
73b2ec18 183done:
23691d75 184 write_unlock_bh(&chan_list_lock);
73b2ec18 185 return err;
9e4425ff
GP		 186}
187
188int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
189{
23691d75 190 write_lock_bh(&chan_list_lock);
9e4425ff
GP		 191
192 chan->scid = scid;
193
23691d75 194 write_unlock_bh(&chan_list_lock);
9e4425ff
GP		 195
196 return 0;
197}
198
baa7e1fa 199static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 200{
8db4dc46 201 u16 cid = L2CAP_CID_DYN_START;
0139418c 202
8db4dc46 203 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 204 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 205 return cid;
206 }
207
208 return 0;
209}
210
ab07801d
GP		 211static void l2cap_chan_set_timer(struct l2cap_chan *chan, long timeout)
212{
213 BT_DBG("chan %p state %d timeout %ld", chan->sk, chan->sk->sk_state,
214 timeout);
215 if (!mod_timer(&chan->chan_timer, jiffies + timeout))
216 sock_hold(chan->sk);
217}
218
500698d3 219static void l2cap_chan_clear_timer(struct l2cap_chan *chan)
ab07801d
GP		 220{
221 BT_DBG("chan %p state %d", chan, chan->sk->sk_state);
222
223 if (timer_pending(&chan->chan_timer) && del_timer(&chan->chan_timer))
224 __sock_put(chan->sk);
225}
226
227static void l2cap_chan_timeout(unsigned long arg)
228{
229 struct l2cap_chan *chan = (struct l2cap_chan *) arg;
230 struct sock *sk = chan->sk;
231 int reason;
232
233 BT_DBG("chan %p state %d", chan, sk->sk_state);
234
235 bh_lock_sock(sk);
236
237 if (sock_owned_by_user(sk)) {
238 /* sk is owned by user. Try again later */
239 l2cap_chan_set_timer(chan, HZ / 5);
240 bh_unlock_sock(sk);
241 sock_put(sk);
242 return;
243 }
244
245 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
246 reason = ECONNREFUSED;
247 else if (sk->sk_state == BT_CONNECT &&
248 chan->sec_level != BT_SECURITY_SDP)
249 reason = ECONNREFUSED;
250 else
251 reason = ETIMEDOUT;
252
0f852724 253 l2cap_chan_close(chan, reason);
ab07801d
GP		 254
255 bh_unlock_sock(sk);
256
257 l2cap_sock_kill(sk);
258 sock_put(sk);
259}
260
23691d75 261struct l2cap_chan *l2cap_chan_create(struct sock *sk)
48454079
GP		 262{
263 struct l2cap_chan *chan;
264
265 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
266 if (!chan)
267 return NULL;
268
269 chan->sk = sk;
270
23691d75
GP		 271 write_lock_bh(&chan_list_lock);
272 list_add(&chan->global_l, &chan_list);
273 write_unlock_bh(&chan_list_lock);
274
ab07801d
GP		 275 setup_timer(&chan->chan_timer, l2cap_chan_timeout, (unsigned long) chan);
276
48454079
GP		 277 return chan;
278}
279
23691d75 280void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 281{
23691d75
GP		 282 write_lock_bh(&chan_list_lock);
283 list_del(&chan->global_l);
284 write_unlock_bh(&chan_list_lock);
285
6ff5abbf
GP		 286 kfree(chan);
287}
288
48454079 289static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 290{
48454079 291 struct sock *sk = chan->sk;
0139418c 292
af05b30b 293 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
fe4128e0 294 chan->psm, chan->dcid);
0139418c 295
2950f21a
MH		 296 conn->disc_reason = 0x13;
297
8c1d787b 298 chan->conn = conn;
0139418c 299
715ec005 300 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
b62f328b
VT		 301 if (conn->hcon->type == LE_LINK) {
302 /* LE connection */
0c1bc5c6 303 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 304 chan->scid = L2CAP_CID_LE_DATA;
305 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 306 } else {
307 /* Alloc CID for connection-oriented socket */
fe4128e0 308 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 309 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 310 }
715ec005 311 } else if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
0139418c 312 /* Connectionless socket */
fe4128e0
GP		 313 chan->scid = L2CAP_CID_CONN_LESS;
314 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 315 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 316 } else {
317 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 318 chan->scid = L2CAP_CID_SIGNALING;
319 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 320 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 321 }
322
baa7e1fa
GP		 323 sock_hold(sk);
324
325 list_add(&chan->list, &conn->chan_l);
0139418c
MH		 326}
327
8e87d142 328/* Delete channel.
0139418c 329 * Must be called on the locked socket. */
4519de9a 330static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 331{
48454079 332 struct sock *sk = chan->sk;
8c1d787b 333 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 334 struct sock *parent = bt_sk(sk)->parent;
335
ab07801d 336 l2cap_chan_clear_timer(chan);
0139418c 337
49208c9c 338 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 339
8e87d142 340 if (conn) {
baa7e1fa
GP		 341 /* Delete from channel list */
342 write_lock_bh(&conn->chan_lock);
343 list_del(&chan->list);
344 write_unlock_bh(&conn->chan_lock);
345 __sock_put(sk);
346
8c1d787b 347 chan->conn = NULL;
0139418c
MH		 348 hci_conn_put(conn->hcon);
349 }
350
b1235d79 351 sk->sk_state = BT_CLOSED;
0139418c
MH		 352 sock_set_flag(sk, SOCK_ZAPPED);
353
354 if (err)
355 sk->sk_err = err;
356
357 if (parent) {
358 bt_accept_unlink(sk);
359 parent->sk_data_ready(parent, 0);
360 } else
361 sk->sk_state_change(sk);
c13ffa62 362
b4450035
GP		 363 if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE &&
364 chan->conf_state & L2CAP_CONF_INPUT_DONE))
6ff5abbf 365 return;
2ead70b8 366
58d35f87 367 skb_queue_purge(&chan->tx_q);
c13ffa62 368
0c1bc5c6 369 if (chan->mode == L2CAP_MODE_ERTM) {
c13ffa62
GP		 370 struct srej_list *l, *tmp;
371
e92c8e70
GP		 372 del_timer(&chan->retrans_timer);
373 del_timer(&chan->monitor_timer);
374 del_timer(&chan->ack_timer);
c13ffa62 375
f1c6775b
GP		 376 skb_queue_purge(&chan->srej_q);
377 skb_queue_purge(&chan->busy_q);
c13ffa62 378
39d5a3ee 379 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
c13ffa62
GP		 380 list_del(&l->list);
381 kfree(l);
382 }
383 }
0139418c
MH		 384}
385
4519de9a
GP		 386static void l2cap_chan_cleanup_listen(struct sock *parent)
387{
388 struct sock *sk;
389
390 BT_DBG("parent %p", parent);
391
392 /* Close not yet accepted channels */
0f852724
GP		 393 while ((sk = bt_accept_dequeue(parent, NULL))) {
394 l2cap_chan_clear_timer(l2cap_pi(sk)->chan);
395 lock_sock(sk);
396 l2cap_chan_close(l2cap_pi(sk)->chan, ECONNRESET);
397 release_sock(sk);
398 l2cap_sock_kill(sk);
399 }
4519de9a
GP		 400
401 parent->sk_state = BT_CLOSED;
402 sock_set_flag(parent, SOCK_ZAPPED);
403}
404
0f852724 405void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 406{
407 struct l2cap_conn *conn = chan->conn;
408 struct sock *sk = chan->sk;
409
410 BT_DBG("chan %p state %d socket %p", chan, sk->sk_state, sk->sk_socket);
411
412 switch (sk->sk_state) {
413 case BT_LISTEN:
414 l2cap_chan_cleanup_listen(sk);
415 break;
416
417 case BT_CONNECTED:
418 case BT_CONFIG:
715ec005 419 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 420 conn->hcon->type == ACL_LINK) {
500698d3 421 l2cap_chan_clear_timer(chan);
ab07801d 422 l2cap_chan_set_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 423 l2cap_send_disconn_req(conn, chan, reason);
424 } else
425 l2cap_chan_del(chan, reason);
426 break;
427
428 case BT_CONNECT2:
715ec005 429 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 430 conn->hcon->type == ACL_LINK) {
431 struct l2cap_conn_rsp rsp;
432 __u16 result;
433
434 if (bt_sk(sk)->defer_setup)
435 result = L2CAP_CR_SEC_BLOCK;
436 else
437 result = L2CAP_CR_BAD_PSM;
d8d69c54 438 sk->sk_state = BT_DISCONN;
4519de9a
GP		 439
440 rsp.scid = cpu_to_le16(chan->dcid);
441 rsp.dcid = cpu_to_le16(chan->scid);
442 rsp.result = cpu_to_le16(result);
443 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
444 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
445 sizeof(rsp), &rsp);
446 }
447
448 l2cap_chan_del(chan, reason);
449 break;
450
451 case BT_CONNECT:
452 case BT_DISCONN:
453 l2cap_chan_del(chan, reason);
454 break;
455
456 default:
457 sock_set_flag(sk, SOCK_ZAPPED);
458 break;
459 }
460}
461
4343478f 462static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 463{
715ec005 464 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 465 switch (chan->sec_level) {
8556edd3
JH		 466 case BT_SECURITY_HIGH:
467 return HCI_AT_DEDICATED_BONDING_MITM;
468 case BT_SECURITY_MEDIUM:
469 return HCI_AT_DEDICATED_BONDING;
470 default:
471 return HCI_AT_NO_BONDING;
472 }
fe4128e0 473 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 474 if (chan->sec_level == BT_SECURITY_LOW)
475 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 476
4343478f 477 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 478 return HCI_AT_NO_BONDING_MITM;
00ae4af9 479 else
8556edd3 480 return HCI_AT_NO_BONDING;
00ae4af9 481 } else {
4343478f 482 switch (chan->sec_level) {
00ae4af9 483 case BT_SECURITY_HIGH:
8556edd3 484 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 485 case BT_SECURITY_MEDIUM:
8556edd3 486 return HCI_AT_GENERAL_BONDING;
00ae4af9 487 default:
8556edd3 488 return HCI_AT_NO_BONDING;
00ae4af9 489 }
0684e5f9 490 }
8556edd3
JH		 491}
492
493/* Service level security */
4343478f 494static inline int l2cap_check_security(struct l2cap_chan *chan)
8556edd3 495{
8c1d787b 496 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 497 __u8 auth_type;
498
4343478f 499 auth_type = l2cap_get_auth_type(chan);
79d554a6 500
4343478f 501 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 502}
503
b5ad8b7f 504static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 505{
506 u8 id;
507
508 /* Get next available identificator.
509 * 1 - 128 are used by kernel.
510 * 129 - 199 are reserved.
511 * 200 - 254 are used by utilities like l2ping, etc.
512 */
513
514 spin_lock_bh(&conn->lock);
515
516 if (++conn->tx_ident > 128)
517 conn->tx_ident = 1;
518
519 id = conn->tx_ident;
520
521 spin_unlock_bh(&conn->lock);
522
523 return id;
524}
525
4519de9a 526static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 527{
528 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 529 u8 flags;
4e8402a3
MH		 530
531 BT_DBG("code 0x%2.2x", code);
532
533 if (!skb)
9a9c6a34 534 return;
4e8402a3 535
e702112f
AE		 536 if (lmp_no_flush_capable(conn->hcon->hdev))
537 flags = ACL_START_NO_FLUSH;
538 else
539 flags = ACL_START;
540
14b12d0b
JG		 541 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
542
e702112f 543 hci_send_acl(conn->hcon, skb, flags);
4e8402a3
MH		 544}
545
525cd185 546static inline void l2cap_send_sframe(struct l2cap_chan *chan, u16 control)
1c2acffb
GP		 547{
548 struct sk_buff *skb;
549 struct l2cap_hdr *lh;
525cd185 550 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
8c1d787b 551 struct l2cap_conn *conn = chan->conn;
c13ffa62 552 struct sock *sk = (struct sock *)pi;
fcc203c3 553 int count, hlen = L2CAP_HDR_SIZE + 2;
e702112f 554 u8 flags;
fcc203c3 555
c13ffa62
GP		 556 if (sk->sk_state != BT_CONNECTED)
557 return;
558
47d1ec61 559 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3 560 hlen += 2;
1c2acffb 561
49208c9c 562 BT_DBG("chan %p, control 0x%2.2x", chan, control);
1c2acffb 563
fcc203c3 564 count = min_t(unsigned int, conn->mtu, hlen);
1c2acffb
GP		 565 control |= L2CAP_CTRL_FRAME_TYPE;
566
525cd185 567 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
9e917af1 568 control |= L2CAP_CTRL_FINAL;
525cd185 569 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
9e917af1
GP		 570 }
571
525cd185 572 if (chan->conn_state & L2CAP_CONN_SEND_PBIT) {
f0946ccf 573 control |= L2CAP_CTRL_POLL;
525cd185 574 chan->conn_state &= ~L2CAP_CONN_SEND_PBIT;
f0946ccf
GP		 575 }
576
1c2acffb
GP		 577 skb = bt_skb_alloc(count, GFP_ATOMIC);
578 if (!skb)
9a9c6a34 579 return;
1c2acffb
GP		 580
581 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 582 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
fe4128e0 583 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 584 put_unaligned_le16(control, skb_put(skb, 2));
585
47d1ec61 586 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 587 u16 fcs = crc16(0, (u8 *)lh, count - 2);
588 put_unaligned_le16(fcs, skb_put(skb, 2));
589 }
590
e702112f
AE		 591 if (lmp_no_flush_capable(conn->hcon->hdev))
592 flags = ACL_START_NO_FLUSH;
593 else
594 flags = ACL_START;
595
14b12d0b
JG		 596 bt_cb(skb)->force_active = chan->force_active;
597
8c1d787b 598 hci_send_acl(chan->conn->hcon, skb, flags);
1c2acffb
GP		 599}
600
525cd185 601static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u16 control)
7e743090 602{
525cd185 603 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
7e743090 604 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185 605 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1890d36b 606 } else
7e743090
GP		 607 control |= L2CAP_SUPER_RCV_READY;
608
42e5c802 609 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
2ab25cdd 610
525cd185 611 l2cap_send_sframe(chan, control);
7e743090
GP		 612}
613
b4450035 614static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 615{
b4450035 616 return !(chan->conf_state & L2CAP_CONF_CONNECT_PEND);
e501d055
AE		 617}
618
fc7f8a7e 619static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 620{
8c1d787b 621 struct l2cap_conn *conn = chan->conn;
79d554a6
MH		 622
623 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 624 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
625 return;
626
4343478f
GP		 627 if (l2cap_check_security(chan) &&
628 __l2cap_no_conn_pending(chan)) {
b1235d79 629 struct l2cap_conn_req req;
fe4128e0
GP		 630 req.scid = cpu_to_le16(chan->scid);
631 req.psm = chan->psm;
79d554a6 632
fc7f8a7e 633 chan->ident = l2cap_get_ident(conn);
b4450035 634 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
79d554a6 635
fc7f8a7e
GP		 636 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
637 sizeof(req), &req);
b1235d79 638 }
79d554a6
MH		 639 } else {
640 struct l2cap_info_req req;
641 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
642
643 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
644 conn->info_ident = l2cap_get_ident(conn);
645
646 mod_timer(&conn->info_timer, jiffies +
647 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
648
649 l2cap_send_cmd(conn, conn->info_ident,
650 L2CAP_INFO_REQ, sizeof(req), &req);
651 }
652}
653
cf6c2c0b
GP		 654static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
655{
656 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 657 if (!disable_ertm)
cf6c2c0b
GP		 658 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
659
660 switch (mode) {
661 case L2CAP_MODE_ERTM:
662 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
663 case L2CAP_MODE_STREAMING:
664 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
665 default:
666 return 0x00;
667 }
668}
669
4519de9a 670static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 671{
e92c8e70 672 struct sock *sk;
22121fc9
GP		 673 struct l2cap_disconn_req req;
674
c13ffa62
GP		 675 if (!conn)
676 return;
677
e92c8e70
GP		 678 sk = chan->sk;
679
0c1bc5c6 680 if (chan->mode == L2CAP_MODE_ERTM) {
e92c8e70
GP		 681 del_timer(&chan->retrans_timer);
682 del_timer(&chan->monitor_timer);
683 del_timer(&chan->ack_timer);
c13ffa62
GP		 684 }
685
fe4128e0
GP		 686 req.dcid = cpu_to_le16(chan->dcid);
687 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 688 l2cap_send_cmd(conn, l2cap_get_ident(conn),
689 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62
GP		 690
691 sk->sk_state = BT_DISCONN;
9b108fc0 692 sk->sk_err = err;
22121fc9
GP		 693}
694
1da177e4 695/* ---- L2CAP connections ---- */
4e8402a3
MH		 696static void l2cap_conn_start(struct l2cap_conn *conn)
697{
820ffdb3 698 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 699
700 BT_DBG("conn %p", conn);
701
baa7e1fa 702 read_lock(&conn->chan_lock);
4e8402a3 703
820ffdb3 704 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 705 struct sock *sk = chan->sk;
baa7e1fa 706
4e8402a3
MH		 707 bh_lock_sock(sk);
708
715ec005 709 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
79d554a6
MH		 710 bh_unlock_sock(sk);
711 continue;
712 }
713
714 if (sk->sk_state == BT_CONNECT) {
47731de7 715 struct l2cap_conn_req req;
79d554a6 716
4343478f 717 if (!l2cap_check_security(chan) ||
b4450035 718 !__l2cap_no_conn_pending(chan)) {
47731de7
GP		 719 bh_unlock_sock(sk);
720 continue;
721 }
79d554a6 722
0c1bc5c6 723 if (!l2cap_mode_supported(chan->mode,
47731de7 724 conn->feat_mask)
b4450035 725 && chan->conf_state &
47731de7 726 L2CAP_CONF_STATE2_DEVICE) {
0f852724 727 /* l2cap_chan_close() calls list_del(chan)
820ffdb3
GP		 728 * so release the lock */
729 read_unlock_bh(&conn->chan_lock);
0f852724 730 l2cap_chan_close(chan, ECONNRESET);
820ffdb3 731 read_lock_bh(&conn->chan_lock);
47731de7
GP		 732 bh_unlock_sock(sk);
733 continue;
b1235d79 734 }
47731de7 735
fe4128e0
GP		 736 req.scid = cpu_to_le16(chan->scid);
737 req.psm = chan->psm;
47731de7 738
fc7f8a7e 739 chan->ident = l2cap_get_ident(conn);
b4450035 740 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
47731de7 741
fc7f8a7e
GP		 742 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
743 sizeof(req), &req);
47731de7 744
79d554a6
MH		 745 } else if (sk->sk_state == BT_CONNECT2) {
746 struct l2cap_conn_rsp rsp;
e9aeb2dd 747 char buf[128];
fe4128e0
GP		 748 rsp.scid = cpu_to_le16(chan->dcid);
749 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 750
4343478f 751 if (l2cap_check_security(chan)) {
f66dc81f
MH		 752 if (bt_sk(sk)->defer_setup) {
753 struct sock *parent = bt_sk(sk)->parent;
754 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
755 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
756 parent->sk_data_ready(parent, 0);
757
758 } else {
759 sk->sk_state = BT_CONFIG;
760 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
761 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
762 }
79d554a6
MH		 763 } else {
764 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
765 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
766 }
767
fc7f8a7e
GP		 768 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
769 sizeof(rsp), &rsp);
e9aeb2dd 770
b4450035 771 if (chan->conf_state & L2CAP_CONF_REQ_SENT ||
e9aeb2dd
GP		 772 rsp.result != L2CAP_CR_SUCCESS) {
773 bh_unlock_sock(sk);
774 continue;
775 }
776
b4450035 777 chan->conf_state |= L2CAP_CONF_REQ_SENT;
e9aeb2dd 778 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 779 l2cap_build_conf_req(chan, buf), buf);
780 chan->num_conf_req++;
4e8402a3
MH		 781 }
782
783 bh_unlock_sock(sk);
784 }
785
baa7e1fa 786 read_unlock(&conn->chan_lock);
4e8402a3
MH		 787}
788
b62f328b
VT		 789/* Find socket with cid and source bdaddr.
790 * Returns closest match, locked.
791 */
23691d75 792static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
b62f328b 793{
23691d75 794 struct l2cap_chan *c, *c1 = NULL;
b62f328b 795
23691d75 796 read_lock(&chan_list_lock);
b62f328b 797
23691d75
GP		 798 list_for_each_entry(c, &chan_list, global_l) {
799 struct sock *sk = c->sk;
fe4128e0 800
b62f328b
VT		 801 if (state && sk->sk_state != state)
802 continue;
803
23691d75 804 if (c->scid == cid) {
b62f328b 805 /* Exact match. */
23691d75
GP		 806 if (!bacmp(&bt_sk(sk)->src, src)) {
807 read_unlock(&chan_list_lock);
808 return c;
809 }
b62f328b
VT		 810
811 /* Closest match */
812 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 813 c1 = c;
b62f328b
VT		 814 }
815 }
280f294f 816
23691d75 817 read_unlock(&chan_list_lock);
b62f328b 818
23691d75 819 return c1;
b62f328b
VT		 820}
821
822static void l2cap_le_conn_ready(struct l2cap_conn *conn)
823{
c916fbe4 824 struct sock *parent, *sk;
23691d75 825 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 826
827 BT_DBG("");
828
829 /* Check if we have socket listening on cid */
23691d75 830 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
b62f328b 831 conn->src);
23691d75 832 if (!pchan)
b62f328b
VT		 833 return;
834
23691d75
GP		 835 parent = pchan->sk;
836
62f3a2cf
GP		 837 bh_lock_sock(parent);
838
b62f328b
VT		 839 /* Check for backlog size */
840 if (sk_acceptq_is_full(parent)) {
841 BT_DBG("backlog full %d", parent->sk_ack_backlog);
842 goto clean;
843 }
844
80808e43
GP		 845 chan = pchan->ops->new_connection(pchan->data);
846 if (!chan)
b62f328b
VT		 847 goto clean;
848
80808e43 849 sk = chan->sk;
5d41ce1d 850
baa7e1fa 851 write_lock_bh(&conn->chan_lock);
b62f328b
VT		 852
853 hci_conn_hold(conn->hcon);
854
b62f328b
VT		 855 bacpy(&bt_sk(sk)->src, conn->src);
856 bacpy(&bt_sk(sk)->dst, conn->dst);
857
d1010240
GP		 858 bt_accept_enqueue(parent, sk);
859
48454079
GP		 860 __l2cap_chan_add(conn, chan);
861
ab07801d 862 l2cap_chan_set_timer(chan, sk->sk_sndtimeo);
b62f328b
VT		 863
864 sk->sk_state = BT_CONNECTED;
865 parent->sk_data_ready(parent, 0);
866
baa7e1fa 867 write_unlock_bh(&conn->chan_lock);
b62f328b
VT		 868
869clean:
870 bh_unlock_sock(parent);
871}
872
4e8402a3
MH		 873static void l2cap_conn_ready(struct l2cap_conn *conn)
874{
48454079 875 struct l2cap_chan *chan;
4e8402a3 876
79d554a6 877 BT_DBG("conn %p", conn);
4e8402a3 878
b62f328b
VT		 879 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
880 l2cap_le_conn_ready(conn);
881
baa7e1fa 882 read_lock(&conn->chan_lock);
4e8402a3 883
baa7e1fa 884 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 885 struct sock *sk = chan->sk;
baa7e1fa 886
79d554a6 887 bh_lock_sock(sk);
4e8402a3 888
acd7d370 889 if (conn->hcon->type == LE_LINK) {
ab07801d 890 l2cap_chan_clear_timer(chan);
acd7d370
VT		 891 sk->sk_state = BT_CONNECTED;
892 sk->sk_state_change(sk);
893 }
894
715ec005 895 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
ab07801d 896 l2cap_chan_clear_timer(chan);
79d554a6
MH		 897 sk->sk_state = BT_CONNECTED;
898 sk->sk_state_change(sk);
899 } else if (sk->sk_state == BT_CONNECT)
fc7f8a7e 900 l2cap_do_start(chan);
4e8402a3 901
79d554a6 902 bh_unlock_sock(sk);
4e8402a3 903 }
79d554a6 904
baa7e1fa 905 read_unlock(&conn->chan_lock);
4e8402a3
MH		 906}
907
908/* Notify sockets that we cannot guaranty reliability anymore */
909static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
910{
48454079 911 struct l2cap_chan *chan;
4e8402a3
MH		 912
913 BT_DBG("conn %p", conn);
914
baa7e1fa 915 read_lock(&conn->chan_lock);
4e8402a3 916
baa7e1fa 917 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 918 struct sock *sk = chan->sk;
baa7e1fa 919
4343478f 920 if (chan->force_reliable)
4e8402a3
MH		 921 sk->sk_err = err;
922 }
923
baa7e1fa 924 read_unlock(&conn->chan_lock);
4e8402a3
MH		 925}
926
927static void l2cap_info_timeout(unsigned long arg)
928{
929 struct l2cap_conn *conn = (void *) arg;
930
984947dc 931 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 932 conn->info_ident = 0;
984947dc 933
4e8402a3
MH		 934 l2cap_conn_start(conn);
935}
936
1da177e4
LT		 937static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
938{
0139418c 939 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 940
0139418c 941 if (conn || status)
1da177e4
LT		 942 return conn;
943
0139418c
MH		 944 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
945 if (!conn)
1da177e4 946 return NULL;
1da177e4
LT		 947
948 hcon->l2cap_data = conn;
949 conn->hcon = hcon;
950
0139418c
MH		 951 BT_DBG("hcon %p conn %p", hcon, conn);
952
acd7d370
VT		 953 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
954 conn->mtu = hcon->hdev->le_mtu;
955 else
956 conn->mtu = hcon->hdev->acl_mtu;
957
1da177e4
LT		 958 conn->src = &hcon->hdev->bdaddr;
959 conn->dst = &hcon->dst;
960
4e8402a3
MH		 961 conn->feat_mask = 0;
962
1da177e4 963 spin_lock_init(&conn->lock);
baa7e1fa
GP		 964 rwlock_init(&conn->chan_lock);
965
966 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 967
b62f328b
VT		 968 if (hcon->type != LE_LINK)
969 setup_timer(&conn->info_timer, l2cap_info_timeout,
45054dc1
DY		 970 (unsigned long) conn);
971
2950f21a
MH		 972 conn->disc_reason = 0x13;
973
1da177e4
LT		 974 return conn;
975}
976
0139418c 977static void l2cap_conn_del(struct hci_conn *hcon, int err)
1da177e4 978{
0139418c 979 struct l2cap_conn *conn = hcon->l2cap_data;
baa7e1fa 980 struct l2cap_chan *chan, *l;
1da177e4
LT		 981 struct sock *sk;
982
0139418c
MH		 983 if (!conn)
984 return;
1da177e4
LT		 985
986 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
987
7585b97a 988 kfree_skb(conn->rx_skb);
1da177e4
LT		 989
990 /* Kill channels */
baa7e1fa 991 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
48454079 992 sk = chan->sk;
1da177e4 993 bh_lock_sock(sk);
48454079 994 l2cap_chan_del(chan, err);
1da177e4
LT		 995 bh_unlock_sock(sk);
996 l2cap_sock_kill(sk);
997 }
998
8e8440f5
DY		 999 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1000 del_timer_sync(&conn->info_timer);
3ab22731 1001
1da177e4
LT		 1002 hcon->l2cap_data = NULL;
1003 kfree(conn);
1da177e4
LT		 1004}
1005
48454079 1006static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
1da177e4 1007{
baa7e1fa 1008 write_lock_bh(&conn->chan_lock);
48454079 1009 __l2cap_chan_add(conn, chan);
baa7e1fa 1010 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 1011}
1012
1da177e4 1013/* ---- Socket interface ---- */
1da177e4
LT		 1014
1015/* Find socket with psm and source bdaddr.
1016 * Returns closest match.
1017 */
23691d75 1018static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4 1019{
23691d75 1020 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1021
23691d75 1022 read_lock(&chan_list_lock);
e0f0cb56 1023
23691d75
GP		 1024 list_for_each_entry(c, &chan_list, global_l) {
1025 struct sock *sk = c->sk;
fe4128e0 1026
1da177e4
LT		 1027 if (state && sk->sk_state != state)
1028 continue;
1029
23691d75 1030 if (c->psm == psm) {
1da177e4 1031 /* Exact match. */
23691d75 1032 if (!bacmp(&bt_sk(sk)->src, src)) {
a7567b20 1033 read_unlock(&chan_list_lock);
23691d75
GP		 1034 return c;
1035 }
1da177e4
LT		 1036
1037 /* Closest match */
1038 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 1039 c1 = c;
1da177e4
LT		 1040 }
1041 }
1da177e4 1042
23691d75 1043 read_unlock(&chan_list_lock);
e0f0cb56 1044
23691d75 1045 return c1;
1da177e4
LT		 1046}
1047
77a74c7e 1048int l2cap_chan_connect(struct l2cap_chan *chan)
1da177e4 1049{
5d41ce1d 1050 struct sock *sk = chan->sk;
1da177e4
LT		 1051 bdaddr_t *src = &bt_sk(sk)->src;
1052 bdaddr_t *dst = &bt_sk(sk)->dst;
1053 struct l2cap_conn *conn;
1054 struct hci_conn *hcon;
1055 struct hci_dev *hdev;
09ab6f4c 1056 __u8 auth_type;
44d0e48e 1057 int err;
1da177e4 1058
f29972de 1059 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
fe4128e0 1060 chan->psm);
1da177e4 1061
af05b30b
GP		 1062 hdev = hci_get_route(dst, src);
1063 if (!hdev)
1da177e4
LT		 1064 return -EHOSTUNREACH;
1065
1066 hci_dev_lock_bh(hdev);
1067
4343478f 1068 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1069
fe4128e0 1070 if (chan->dcid == L2CAP_CID_LE_DATA)
acd7d370 1071 hcon = hci_connect(hdev, LE_LINK, dst,
4343478f 1072 chan->sec_level, auth_type);
acd7d370
VT		 1073 else
1074 hcon = hci_connect(hdev, ACL_LINK, dst,
4343478f 1075 chan->sec_level, auth_type);
acd7d370 1076
30e76272
VT		 1077 if (IS_ERR(hcon)) {
1078 err = PTR_ERR(hcon);
1da177e4 1079 goto done;
30e76272 1080 }
1da177e4
LT		 1081
1082 conn = l2cap_conn_add(hcon, 0);
1083 if (!conn) {
1084 hci_conn_put(hcon);
30e76272 1085 err = -ENOMEM;
1da177e4
LT		 1086 goto done;
1087 }
1088
1da177e4
LT		 1089 /* Update source addr of the socket */
1090 bacpy(src, conn->src);
1091
48454079
GP		 1092 l2cap_chan_add(conn, chan);
1093
1da177e4 1094 sk->sk_state = BT_CONNECT;
ab07801d 1095 l2cap_chan_set_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1096
1097 if (hcon->state == BT_CONNECTED) {
715ec005 1098 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
ab07801d 1099 l2cap_chan_clear_timer(chan);
4343478f 1100 if (l2cap_check_security(chan))
d00ef24f 1101 sk->sk_state = BT_CONNECTED;
79d554a6 1102 } else
fc7f8a7e 1103 l2cap_do_start(chan);
1da177e4
LT		 1104 }
1105
30e76272
VT		 1106 err = 0;
1107
1da177e4
LT		 1108done:
1109 hci_dev_unlock_bh(hdev);
1110 hci_dev_put(hdev);
1111 return err;
1112}
1113
dcba0dba 1114int __l2cap_wait_ack(struct sock *sk)
6161c038 1115{
8c1d787b 1116 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1117 DECLARE_WAITQUEUE(wait, current);
1118 int err = 0;
1119 int timeo = HZ/5;
1120
2b0b05dd 1121 add_wait_queue(sk_sleep(sk), &wait);
8c1d787b 1122 while ((chan->unacked_frames > 0 && chan->conn)) {
6161c038
GP		 1123 set_current_state(TASK_INTERRUPTIBLE);
1124
1125 if (!timeo)
1126 timeo = HZ/5;
1127
1128 if (signal_pending(current)) {
1129 err = sock_intr_errno(timeo);
1130 break;
1131 }
1132
1133 release_sock(sk);
1134 timeo = schedule_timeout(timeo);
1135 lock_sock(sk);
1136
1137 err = sock_error(sk);
1138 if (err)
1139 break;
1140 }
1141 set_current_state(TASK_RUNNING);
2b0b05dd 1142 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1143 return err;
1144}
1145
e90bac06
GP		 1146static void l2cap_monitor_timeout(unsigned long arg)
1147{
525cd185
GP		 1148 struct l2cap_chan *chan = (void *) arg;
1149 struct sock *sk = chan->sk;
e90bac06 1150
525cd185 1151 BT_DBG("chan %p", chan);
0e98958d 1152
e686219a 1153 bh_lock_sock(sk);
2c03a7a4 1154 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1155 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
b13f5860 1156 bh_unlock_sock(sk);
e90bac06
GP		 1157 return;
1158 }
1159
6a026610 1160 chan->retry_count++;
e90bac06
GP		 1161 __mod_monitor_timer();
1162
525cd185 1163 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1164 bh_unlock_sock(sk);
e90bac06
GP		 1165}
1166
1167static void l2cap_retrans_timeout(unsigned long arg)
1168{
525cd185
GP		 1169 struct l2cap_chan *chan = (void *) arg;
1170 struct sock *sk = chan->sk;
e90bac06 1171
49208c9c 1172 BT_DBG("chan %p", chan);
0e98958d 1173
e686219a 1174 bh_lock_sock(sk);
6a026610 1175 chan->retry_count = 1;
e90bac06
GP		 1176 __mod_monitor_timer();
1177
525cd185 1178 chan->conn_state |= L2CAP_CONN_WAIT_F;
e90bac06 1179
525cd185 1180 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1181 bh_unlock_sock(sk);
e90bac06
GP		 1182}
1183
42e5c802 1184static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1da177e4 1185{
1c2acffb 1186 struct sk_buff *skb;
1da177e4 1187
58d35f87 1188 while ((skb = skb_peek(&chan->tx_q)) &&
6a026610 1189 chan->unacked_frames) {
42e5c802 1190 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1c2acffb 1191 break;
1da177e4 1192
58d35f87 1193 skb = skb_dequeue(&chan->tx_q);
1c2acffb 1194 kfree_skb(skb);
1da177e4 1195
6a026610 1196 chan->unacked_frames--;
1c2acffb 1197 }
1da177e4 1198
6a026610 1199 if (!chan->unacked_frames)
e92c8e70 1200 del_timer(&chan->retrans_timer);
1c2acffb 1201}
1da177e4 1202
4343478f 1203void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
1c2acffb 1204{
8c1d787b 1205 struct hci_conn *hcon = chan->conn->hcon;
e702112f 1206 u16 flags;
1c2acffb 1207
4343478f 1208 BT_DBG("chan %p, skb %p len %d", chan, skb, skb->len);
1da177e4 1209
4343478f 1210 if (!chan->flushable && lmp_no_flush_capable(hcon->hdev))
e702112f
AE		 1211 flags = ACL_START_NO_FLUSH;
1212 else
1213 flags = ACL_START;
1214
14b12d0b 1215 bt_cb(skb)->force_active = chan->force_active;
e702112f 1216 hci_send_acl(hcon, skb, flags);
1c2acffb
GP		 1217}
1218
42e5c802 1219void l2cap_streaming_send(struct l2cap_chan *chan)
6840ed07 1220{
ccbb84af 1221 struct sk_buff *skb;
fcc203c3 1222 u16 control, fcs;
6840ed07 1223
58d35f87 1224 while ((skb = skb_dequeue(&chan->tx_q))) {
ccbb84af 1225 control = get_unaligned_le16(skb->data + L2CAP_HDR_SIZE);
42e5c802 1226 control |= chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
ccbb84af 1227 put_unaligned_le16(control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1228
47d1ec61 1229 if (chan->fcs == L2CAP_FCS_CRC16) {
ccbb84af
GP		 1230 fcs = crc16(0, (u8 *)skb->data, skb->len - 2);
1231 put_unaligned_le16(fcs, skb->data + skb->len - 2);
fcc203c3
GP		 1232 }
1233
4343478f 1234 l2cap_do_send(chan, skb);
6840ed07 1235
42e5c802 1236 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
6840ed07 1237 }
6840ed07
GP		 1238}
1239
525cd185 1240static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 1241{
8f17154f
GP		 1242 struct sk_buff *skb, *tx_skb;
1243 u16 control, fcs;
8f17154f 1244
58d35f87 1245 skb = skb_peek(&chan->tx_q);
f11d676d
GP		 1246 if (!skb)
1247 return;
8f17154f 1248
f11d676d
GP		 1249 do {
1250 if (bt_cb(skb)->tx_seq == tx_seq)
8f17154f 1251 break;
8f17154f 1252
58d35f87 1253 if (skb_queue_is_last(&chan->tx_q, skb))
f11d676d 1254 return;
8f17154f 1255
58d35f87 1256 } while ((skb = skb_queue_next(&chan->tx_q, skb)));
8f17154f 1257
2c03a7a4
GP		 1258 if (chan->remote_max_tx &&
1259 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1260 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
f11d676d
GP		 1261 return;
1262 }
1263
1264 tx_skb = skb_clone(skb, GFP_ATOMIC);
1265 bt_cb(skb)->retries++;
1266 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
a429b519 1267 control &= L2CAP_CTRL_SAR;
3cb123d1 1268
525cd185 1269 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
3cb123d1 1270 control |= L2CAP_CTRL_FINAL;
525cd185 1271 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
3cb123d1 1272 }
95ffa978 1273
42e5c802 1274 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
f11d676d 1275 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
3cb123d1 1276
f11d676d
GP		 1277 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1278
47d1ec61 1279 if (chan->fcs == L2CAP_FCS_CRC16) {
f11d676d
GP		 1280 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1281 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1282 }
1283
4343478f 1284 l2cap_do_send(chan, tx_skb);
8f17154f
GP		 1285}
1286
525cd185 1287int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1288{
1289 struct sk_buff *skb, *tx_skb;
525cd185 1290 struct sock *sk = chan->sk;
fcc203c3 1291 u16 control, fcs;
9a9c6a34 1292 int nsent = 0;
1c2acffb 1293
c13ffa62
GP		 1294 if (sk->sk_state != BT_CONNECTED)
1295 return -ENOTCONN;
e90bac06 1296
58d35f87 1297 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1c2acffb 1298
2c03a7a4
GP		 1299 if (chan->remote_max_tx &&
1300 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1301 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
e90bac06
GP		 1302 break;
1303 }
1304
e420aba3
AE		 1305 tx_skb = skb_clone(skb, GFP_ATOMIC);
1306
e90bac06
GP		 1307 bt_cb(skb)->retries++;
1308
1c2acffb 1309 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
95ffa978
GP		 1310 control &= L2CAP_CTRL_SAR;
1311
525cd185 1312 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
d5392c8f 1313 control |= L2CAP_CTRL_FINAL;
525cd185 1314 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
d5392c8f 1315 }
42e5c802
GP		 1316 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1317 | (chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1c2acffb
GP		 1318 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1319
e90bac06 1320
47d1ec61 1321 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1322 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1323 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1324 }
1325
4343478f 1326 l2cap_do_send(chan, tx_skb);
9a9c6a34 1327
e90bac06 1328 __mod_retrans_timer();
1c2acffb 1329
42e5c802
GP		 1330 bt_cb(skb)->tx_seq = chan->next_tx_seq;
1331 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
1c2acffb 1332
23e9fde2 1333 if (bt_cb(skb)->retries == 1)
6a026610 1334 chan->unacked_frames++;
23e9fde2 1335
6a026610 1336 chan->frames_sent++;
1c2acffb 1337
58d35f87
GP		 1338 if (skb_queue_is_last(&chan->tx_q, skb))
1339 chan->tx_send_head = NULL;
1c2acffb 1340 else
58d35f87 1341 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
9e917af1
GP		 1342
1343 nsent++;
1c2acffb
GP		 1344 }
1345
9e917af1
GP		 1346 return nsent;
1347}
1348
525cd185 1349static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1350{
dfc909be
GP		 1351 int ret;
1352
58d35f87
GP		 1353 if (!skb_queue_empty(&chan->tx_q))
1354 chan->tx_send_head = chan->tx_q.next;
dfc909be 1355
42e5c802 1356 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1357 ret = l2cap_ertm_send(chan);
dfc909be
GP		 1358 return ret;
1359}
1360
525cd185 1361static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1362{
9e917af1
GP		 1363 u16 control = 0;
1364
42e5c802 1365 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
9e917af1 1366
525cd185 1367 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
9e917af1 1368 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185
GP		 1369 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1370 l2cap_send_sframe(chan, control);
9a9c6a34 1371 return;
9e917af1 1372 }
dfc909be 1373
525cd185 1374 if (l2cap_ertm_send(chan) > 0)
dfc909be
GP		 1375 return;
1376
1377 control |= L2CAP_SUPER_RCV_READY;
525cd185 1378 l2cap_send_sframe(chan, control);
1c2acffb
GP		 1379}
1380
525cd185 1381static void l2cap_send_srejtail(struct l2cap_chan *chan)
99b0d4b7
GP		 1382{
1383 struct srej_list *tail;
1384 u16 control;
1385
1386 control = L2CAP_SUPER_SELECT_REJECT;
1387 control |= L2CAP_CTRL_FINAL;
1388
39d5a3ee 1389 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
99b0d4b7
GP		 1390 control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1391
525cd185 1392 l2cap_send_sframe(chan, control);
99b0d4b7
GP		 1393}
1394
1c2acffb
GP		 1395static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1396{
8c1d787b 1397 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1c2acffb
GP		 1398 struct sk_buff **frag;
1399 int err, sent = 0;
1da177e4 1400
59203a21 1401 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1402 return -EFAULT;
1da177e4
LT		 1403
1404 sent += count;
1405 len -= count;
1406
1407 /* Continuation fragments (no L2CAP header) */
1408 frag = &skb_shinfo(skb)->frag_list;
1409 while (len) {
1410 count = min_t(unsigned int, conn->mtu, len);
1411
1412 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1413 if (!*frag)
0175d629 1414 return err;
1c2acffb
GP		 1415 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1416 return -EFAULT;
1da177e4
LT		 1417
1418 sent += count;
1419 len -= count;
1420
1421 frag = &(*frag)->next;
1422 }
1da177e4
LT		 1423
1424 return sent;
1c2acffb 1425}
1da177e4 1426
fe4128e0 1427struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1c2acffb 1428{
fe4128e0 1429 struct sock *sk = chan->sk;
8c1d787b 1430 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1431 struct sk_buff *skb;
1432 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1433 struct l2cap_hdr *lh;
1434
1435 BT_DBG("sk %p len %d", sk, (int)len);
1436
1437 count = min_t(unsigned int, (conn->mtu - hlen), len);
1438 skb = bt_skb_send_alloc(sk, count + hlen,
1439 msg->msg_flags & MSG_DONTWAIT, &err);
1440 if (!skb)
0175d629 1441 return ERR_PTR(err);
1c2acffb
GP		 1442
1443 /* Create L2CAP header */
1444 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1445 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1446 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
fe4128e0 1447 put_unaligned_le16(chan->psm, skb_put(skb, 2));
1c2acffb
GP		 1448
1449 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1450 if (unlikely(err < 0)) {
1451 kfree_skb(skb);
1452 return ERR_PTR(err);
1453 }
1454 return skb;
1455}
1456
fe4128e0 1457struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1c2acffb 1458{
fe4128e0 1459 struct sock *sk = chan->sk;
8c1d787b 1460 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1461 struct sk_buff *skb;
1462 int err, count, hlen = L2CAP_HDR_SIZE;
1463 struct l2cap_hdr *lh;
1464
1465 BT_DBG("sk %p len %d", sk, (int)len);
1466
1467 count = min_t(unsigned int, (conn->mtu - hlen), len);
1468 skb = bt_skb_send_alloc(sk, count + hlen,
1469 msg->msg_flags & MSG_DONTWAIT, &err);
1470 if (!skb)
0175d629 1471 return ERR_PTR(err);
1c2acffb
GP		 1472
1473 /* Create L2CAP header */
1474 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1475 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1476 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1477
1478 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1479 if (unlikely(err < 0)) {
1480 kfree_skb(skb);
1481 return ERR_PTR(err);
1482 }
1483 return skb;
1484}
1485
47d1ec61 1486struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
1c2acffb 1487{
47d1ec61 1488 struct sock *sk = chan->sk;
8c1d787b 1489 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1490 struct sk_buff *skb;
1491 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1492 struct l2cap_hdr *lh;
1493
1494 BT_DBG("sk %p len %d", sk, (int)len);
1495
0ee0d208
GP		 1496 if (!conn)
1497 return ERR_PTR(-ENOTCONN);
1498
c74e560c
GP		 1499 if (sdulen)
1500 hlen += 2;
1501
47d1ec61 1502 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 1503 hlen += 2;
1504
1c2acffb
GP		 1505 count = min_t(unsigned int, (conn->mtu - hlen), len);
1506 skb = bt_skb_send_alloc(sk, count + hlen,
1507 msg->msg_flags & MSG_DONTWAIT, &err);
1508 if (!skb)
0175d629 1509 return ERR_PTR(err);
1c2acffb
GP		 1510
1511 /* Create L2CAP header */
1512 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1513 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1514 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1515 put_unaligned_le16(control, skb_put(skb, 2));
c74e560c
GP		 1516 if (sdulen)
1517 put_unaligned_le16(sdulen, skb_put(skb, 2));
1c2acffb
GP		 1518
1519 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1520 if (unlikely(err < 0)) {
1521 kfree_skb(skb);
1522 return ERR_PTR(err);
1523 }
e90bac06 1524
47d1ec61 1525 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 1526 put_unaligned_le16(0, skb_put(skb, 2));
1527
e90bac06 1528 bt_cb(skb)->retries = 0;
1c2acffb 1529 return skb;
1da177e4
LT		 1530}
1531
2c03a7a4 1532int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
c74e560c 1533{
c74e560c
GP		 1534 struct sk_buff *skb;
1535 struct sk_buff_head sar_queue;
1536 u16 control;
1537 size_t size = 0;
1538
ff12fd64 1539 skb_queue_head_init(&sar_queue);
c74e560c 1540 control = L2CAP_SDU_START;
47d1ec61 1541 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
c74e560c
GP		 1542 if (IS_ERR(skb))
1543 return PTR_ERR(skb);
1544
1545 __skb_queue_tail(&sar_queue, skb);
2c03a7a4
GP		 1546 len -= chan->remote_mps;
1547 size += chan->remote_mps;
c74e560c
GP		 1548
1549 while (len > 0) {
1550 size_t buflen;
1551
2c03a7a4 1552 if (len > chan->remote_mps) {
44651b85 1553 control = L2CAP_SDU_CONTINUE;
2c03a7a4 1554 buflen = chan->remote_mps;
c74e560c 1555 } else {
44651b85 1556 control = L2CAP_SDU_END;
c74e560c
GP		 1557 buflen = len;
1558 }
1559
47d1ec61 1560 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
c74e560c
GP		 1561 if (IS_ERR(skb)) {
1562 skb_queue_purge(&sar_queue);
1563 return PTR_ERR(skb);
1564 }
1565
1566 __skb_queue_tail(&sar_queue, skb);
1567 len -= buflen;
1568 size += buflen;
c74e560c 1569 }
58d35f87
GP		 1570 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
1571 if (chan->tx_send_head == NULL)
1572 chan->tx_send_head = sar_queue.next;
c74e560c
GP		 1573
1574 return size;
1575}
1576
9a91a04a
GP		 1577int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1578{
9a91a04a
GP		 1579 struct sk_buff *skb;
1580 u16 control;
1581 int err;
1582
1583 /* Connectionless channel */
715ec005 1584 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
9a91a04a
GP		 1585 skb = l2cap_create_connless_pdu(chan, msg, len);
1586 if (IS_ERR(skb))
1587 return PTR_ERR(skb);
1588
1589 l2cap_do_send(chan, skb);
1590 return len;
1591 }
1592
1593 switch (chan->mode) {
1594 case L2CAP_MODE_BASIC:
1595 /* Check outgoing MTU */
1596 if (len > chan->omtu)
1597 return -EMSGSIZE;
1598
1599 /* Create a basic PDU */
1600 skb = l2cap_create_basic_pdu(chan, msg, len);
1601 if (IS_ERR(skb))
1602 return PTR_ERR(skb);
1603
1604 l2cap_do_send(chan, skb);
1605 err = len;
1606 break;
1607
1608 case L2CAP_MODE_ERTM:
1609 case L2CAP_MODE_STREAMING:
1610 /* Entire SDU fits into one PDU */
1611 if (len <= chan->remote_mps) {
1612 control = L2CAP_SDU_UNSEGMENTED;
1613 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
1614 0);
1615 if (IS_ERR(skb))
1616 return PTR_ERR(skb);
1617
1618 __skb_queue_tail(&chan->tx_q, skb);
1619
1620 if (chan->tx_send_head == NULL)
1621 chan->tx_send_head = skb;
1622
1623 } else {
1624 /* Segment SDU into multiples PDUs */
1625 err = l2cap_sar_segment_sdu(chan, msg, len);
1626 if (err < 0)
1627 return err;
1628 }
1629
1630 if (chan->mode == L2CAP_MODE_STREAMING) {
1631 l2cap_streaming_send(chan);
1632 err = len;
1633 break;
1634 }
1635
1636 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
1637 (chan->conn_state & L2CAP_CONN_WAIT_F)) {
1638 err = len;
1639 break;
1640 }
1641
1642 err = l2cap_ertm_send(chan);
1643 if (err >= 0)
1644 err = len;
1645
1646 break;
1647
1648 default:
1649 BT_DBG("bad state %1.1x", chan->mode);
1650 err = -EBADFD;
1651 }
1652
1653 return err;
1654}
1655
1da177e4
LT		 1656static void l2cap_chan_ready(struct sock *sk)
1657{
1658 struct sock *parent = bt_sk(sk)->parent;
b4450035 1659 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1da177e4
LT		 1660
1661 BT_DBG("sk %p, parent %p", sk, parent);
1662
b4450035 1663 chan->conf_state = 0;
ab07801d 1664 l2cap_chan_clear_timer(chan);
1da177e4
LT		 1665
1666 if (!parent) {
1667 /* Outgoing channel.
1668 * Wake up socket sleeping on connect.
1669 */
1670 sk->sk_state = BT_CONNECTED;
1671 sk->sk_state_change(sk);
1672 } else {
1673 /* Incoming channel.
1674 * Wake up socket sleeping on accept.
1675 */
1676 parent->sk_data_ready(parent, 0);
1677 }
1678}
1679
1680/* Copy frame to all raw sockets on that connection */
1681static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1682{
1da177e4 1683 struct sk_buff *nskb;
48454079 1684 struct l2cap_chan *chan;
1da177e4
LT		 1685
1686 BT_DBG("conn %p", conn);
1687
baa7e1fa
GP		 1688 read_lock(&conn->chan_lock);
1689 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 1690 struct sock *sk = chan->sk;
715ec005 1691 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 1692 continue;
1693
1694 /* Don't send frame to the socket it came from */
1695 if (skb->sk == sk)
1696 continue;
af05b30b
GP		 1697 nskb = skb_clone(skb, GFP_ATOMIC);
1698 if (!nskb)
1da177e4
LT		 1699 continue;
1700
1701 if (sock_queue_rcv_skb(sk, nskb))
1702 kfree_skb(nskb);
1703 }
baa7e1fa 1704 read_unlock(&conn->chan_lock);
1da177e4
LT		 1705}
1706
1707/* ---- L2CAP signalling commands ---- */
1708static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1709 u8 code, u8 ident, u16 dlen, void *data)
1710{
1711 struct sk_buff *skb, **frag;
1712 struct l2cap_cmd_hdr *cmd;
1713 struct l2cap_hdr *lh;
1714 int len, count;
1715
af05b30b
GP		 1716 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1717 conn, code, ident, dlen);
1da177e4
LT		 1718
1719 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1720 count = min_t(unsigned int, conn->mtu, len);
1721
1722 skb = bt_skb_alloc(count, GFP_ATOMIC);
1723 if (!skb)
1724 return NULL;
1725
1726 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 1727 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 1728
1729 if (conn->hcon->type == LE_LINK)
1730 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
1731 else
1732 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 1733
1734 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1735 cmd->code = code;
1736 cmd->ident = ident;
aca3192c 1737 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 1738
1739 if (dlen) {
1740 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1741 memcpy(skb_put(skb, count), data, count);
1742 data += count;
1743 }
1744
1745 len -= skb->len;
1746
1747 /* Continuation fragments (no L2CAP header) */
1748 frag = &skb_shinfo(skb)->frag_list;
1749 while (len) {
1750 count = min_t(unsigned int, conn->mtu, len);
1751
1752 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1753 if (!*frag)
1754 goto fail;
1755
1756 memcpy(skb_put(*frag, count), data, count);
1757
1758 len -= count;
1759 data += count;
1760
1761 frag = &(*frag)->next;
1762 }
1763
1764 return skb;
1765
1766fail:
1767 kfree_skb(skb);
1768 return NULL;
1769}
1770
1771static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1772{
1773 struct l2cap_conf_opt *opt = *ptr;
1774 int len;
1775
1776 len = L2CAP_CONF_OPT_SIZE + opt->len;
1777 *ptr += len;
1778
1779 *type = opt->type;
1780 *olen = opt->len;
1781
1782 switch (opt->len) {
1783 case 1:
1784 *val = *((u8 *) opt->val);
1785 break;
1786
1787 case 2:
bfaaeb3e 1788 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 1789 break;
1790
1791 case 4:
bfaaeb3e 1792 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 1793 break;
1794
1795 default:
1796 *val = (unsigned long) opt->val;
1797 break;
1798 }
1799
1800 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1801 return len;
1802}
1803
1da177e4
LT		 1804static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1805{
1806 struct l2cap_conf_opt *opt = *ptr;
1807
1808 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1809
1810 opt->type = type;
1811 opt->len = len;
1812
1813 switch (len) {
1814 case 1:
1815 *((u8 *) opt->val) = val;
1816 break;
1817
1818 case 2:
4f8b691c 1819 put_unaligned_le16(val, opt->val);
1da177e4
LT		 1820 break;
1821
1822 case 4:
4f8b691c 1823 put_unaligned_le32(val, opt->val);
1da177e4
LT		 1824 break;
1825
1826 default:
1827 memcpy(opt->val, (void *) val, len);
1828 break;
1829 }
1830
1831 *ptr += L2CAP_CONF_OPT_SIZE + len;
1832}
1833
c1b4f43b
GP		 1834static void l2cap_ack_timeout(unsigned long arg)
1835{
525cd185 1836 struct l2cap_chan *chan = (void *) arg;
c1b4f43b 1837
525cd185
GP		 1838 bh_lock_sock(chan->sk);
1839 l2cap_send_ack(chan);
1840 bh_unlock_sock(chan->sk);
c1b4f43b
GP		 1841}
1842
525cd185 1843static inline void l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 1844{
525cd185
GP		 1845 struct sock *sk = chan->sk;
1846
42e5c802 1847 chan->expected_ack_seq = 0;
6a026610 1848 chan->unacked_frames = 0;
42e5c802 1849 chan->buffer_seq = 0;
6a026610
GP		 1850 chan->num_acked = 0;
1851 chan->frames_sent = 0;
0565c1c2 1852
e92c8e70
GP		 1853 setup_timer(&chan->retrans_timer, l2cap_retrans_timeout,
1854 (unsigned long) chan);
1855 setup_timer(&chan->monitor_timer, l2cap_monitor_timeout,
1856 (unsigned long) chan);
1857 setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan);
0565c1c2 1858
f1c6775b
GP		 1859 skb_queue_head_init(&chan->srej_q);
1860 skb_queue_head_init(&chan->busy_q);
1890d36b 1861
39d5a3ee
GP		 1862 INIT_LIST_HEAD(&chan->srej_l);
1863
311bb895 1864 INIT_WORK(&chan->busy_work, l2cap_busy_work);
218bb9df
GP		 1865
1866 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
0565c1c2
GP		 1867}
1868
f2fcfcd6
GP		 1869static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
1870{
1871 switch (mode) {
1872 case L2CAP_MODE_STREAMING:
1873 case L2CAP_MODE_ERTM:
1874 if (l2cap_mode_supported(mode, remote_feat_mask))
1875 return mode;
1876 /* fall through */
1877 default:
1878 return L2CAP_MODE_BASIC;
1879 }
1880}
1881
710f9b0a 1882static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 1883{
1da177e4 1884 struct l2cap_conf_req *req = data;
0c1bc5c6 1885 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4
LT		 1886 void *ptr = req->data;
1887
49208c9c 1888 BT_DBG("chan %p", chan);
1da177e4 1889
73ffa904 1890 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 1891 goto done;
1892
0c1bc5c6 1893 switch (chan->mode) {
f2fcfcd6
GP		 1894 case L2CAP_MODE_STREAMING:
1895 case L2CAP_MODE_ERTM:
b4450035 1896 if (chan->conf_state & L2CAP_CONF_STATE2_DEVICE)
85eb53c6 1897 break;
85eb53c6 1898
2ba13ed6 1899 /* fall through */
f2fcfcd6 1900 default:
8c1d787b 1901 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 1902 break;
1903 }
1904
1905done:
0c1bc5c6
GP		 1906 if (chan->imtu != L2CAP_DEFAULT_MTU)
1907 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 1908
0c1bc5c6 1909 switch (chan->mode) {
65c7c491 1910 case L2CAP_MODE_BASIC:
8c1d787b
GP		 1911 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
1912 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 1913 break;
1914
62547752
GP		 1915 rfc.mode = L2CAP_MODE_BASIC;
1916 rfc.txwin_size = 0;
1917 rfc.max_transmit = 0;
1918 rfc.retrans_timeout = 0;
1919 rfc.monitor_timeout = 0;
1920 rfc.max_pdu_size = 0;
1921
63406504
GP		 1922 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1923 (unsigned long) &rfc);
65c7c491
MH		 1924 break;
1925
1926 case L2CAP_MODE_ERTM:
1927 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61
GP		 1928 rfc.txwin_size = chan->tx_win;
1929 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 1930 rfc.retrans_timeout = 0;
1931 rfc.monitor_timeout = 0;
c74e560c 1932 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
8c1d787b
GP		 1933 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
1934 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
f2fcfcd6 1935
63406504
GP		 1936 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1937 (unsigned long) &rfc);
1938
8c1d787b 1939 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 1940 break;
1941
47d1ec61 1942 if (chan->fcs == L2CAP_FCS_NONE ||
b4450035 1943 chan->conf_state & L2CAP_CONF_NO_FCS_RECV) {
47d1ec61
GP		 1944 chan->fcs = L2CAP_FCS_NONE;
1945 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 1946 }
f2fcfcd6
GP		 1947 break;
1948
1949 case L2CAP_MODE_STREAMING:
1950 rfc.mode = L2CAP_MODE_STREAMING;
1951 rfc.txwin_size = 0;
1952 rfc.max_transmit = 0;
1953 rfc.retrans_timeout = 0;
1954 rfc.monitor_timeout = 0;
c74e560c 1955 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
8c1d787b
GP		 1956 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
1957 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
65c7c491 1958
63406504
GP		 1959 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1960 (unsigned long) &rfc);
1961
8c1d787b 1962 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 1963 break;
1964
47d1ec61 1965 if (chan->fcs == L2CAP_FCS_NONE ||
b4450035 1966 chan->conf_state & L2CAP_CONF_NO_FCS_RECV) {
47d1ec61
GP		 1967 chan->fcs = L2CAP_FCS_NONE;
1968 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 1969 }
65c7c491
MH		 1970 break;
1971 }
1da177e4 1972
fe4128e0 1973 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 1974 req->flags = cpu_to_le16(0);
1da177e4
LT		 1975
1976 return ptr - data;
1977}
1978
73ffa904 1979static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 1980{
5dee9e7c
MH		 1981 struct l2cap_conf_rsp *rsp = data;
1982 void *ptr = rsp->data;
73ffa904
GP		 1983 void *req = chan->conf_req;
1984 int len = chan->conf_len;
5dee9e7c
MH		 1985 int type, hint, olen;
1986 unsigned long val;
6464f35f 1987 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 1988 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 1989 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 1990
73ffa904 1991 BT_DBG("chan %p", chan);
820ae1b8 1992
5dee9e7c
MH		 1993 while (len >= L2CAP_CONF_OPT_SIZE) {
1994 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 1995
589d2746 1996 hint = type & L2CAP_CONF_HINT;
47ec1dcd 1997 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 1998
1999 switch (type) {
2000 case L2CAP_CONF_MTU:
861d6882 2001 mtu = val;
5dee9e7c
MH		 2002 break;
2003
2004 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2005 chan->flush_to = val;
5dee9e7c
MH		 2006 break;
2007
2008 case L2CAP_CONF_QOS:
2009 break;
2010
6464f35f
MH		 2011 case L2CAP_CONF_RFC:
2012 if (olen == sizeof(rfc))
2013 memcpy(&rfc, (void *) val, olen);
2014 break;
2015
fcc203c3
GP		 2016 case L2CAP_CONF_FCS:
2017 if (val == L2CAP_FCS_NONE)
b4450035 2018 chan->conf_state |= L2CAP_CONF_NO_FCS_RECV;
fcc203c3
GP		 2019
2020 break;
2021
5dee9e7c
MH		 2022 default:
2023 if (hint)
2024 break;
2025
2026 result = L2CAP_CONF_UNKNOWN;
2027 *((u8 *) ptr++) = type;
2028 break;
2029 }
2030 }
2031
73ffa904 2032 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2033 goto done;
2034
0c1bc5c6 2035 switch (chan->mode) {
f2fcfcd6
GP		 2036 case L2CAP_MODE_STREAMING:
2037 case L2CAP_MODE_ERTM:
b4450035 2038 if (!(chan->conf_state & L2CAP_CONF_STATE2_DEVICE)) {
0c1bc5c6 2039 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2040 chan->conn->feat_mask);
85eb53c6
GP		 2041 break;
2042 }
2043
0c1bc5c6 2044 if (chan->mode != rfc.mode)
f2fcfcd6 2045 return -ECONNREFUSED;
742e519b 2046
f2fcfcd6 2047 break;
f2fcfcd6
GP		 2048 }
2049
2050done:
0c1bc5c6 2051 if (chan->mode != rfc.mode) {
f2fcfcd6 2052 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2053 rfc.mode = chan->mode;
f2fcfcd6 2054
73ffa904 2055 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2056 return -ECONNREFUSED;
2057
2058 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2059 sizeof(rfc), (unsigned long) &rfc);
2060 }
2061
2062
5dee9e7c
MH		 2063 if (result == L2CAP_CONF_SUCCESS) {
2064 /* Configure output options and let the other side know
2065 * which ones we don't like. */
2066
f2fcfcd6
GP		 2067 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2068 result = L2CAP_CONF_UNACCEPT;
2069 else {
0c1bc5c6 2070 chan->omtu = mtu;
b4450035 2071 chan->conf_state |= L2CAP_CONF_MTU_DONE;
f2fcfcd6 2072 }
0c1bc5c6 2073 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2074
f2fcfcd6
GP		 2075 switch (rfc.mode) {
2076 case L2CAP_MODE_BASIC:
47d1ec61 2077 chan->fcs = L2CAP_FCS_NONE;
b4450035 2078 chan->conf_state |= L2CAP_CONF_MODE_DONE;
f2fcfcd6
GP		 2079 break;
2080
2081 case L2CAP_MODE_ERTM:
2c03a7a4
GP		 2082 chan->remote_tx_win = rfc.txwin_size;
2083 chan->remote_max_tx = rfc.max_transmit;
86b1b263 2084
8c1d787b
GP		 2085 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
2086 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1c762159 2087
2c03a7a4 2088 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2089
10467e9e
GP		 2090 rfc.retrans_timeout =
2091 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2092 rfc.monitor_timeout =
2093 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2094
b4450035 2095 chan->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2096
2097 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2098 sizeof(rfc), (unsigned long) &rfc);
2099
f2fcfcd6
GP		 2100 break;
2101
2102 case L2CAP_MODE_STREAMING:
8c1d787b
GP		 2103 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
2104 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1c762159 2105
2c03a7a4 2106 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2107
b4450035 2108 chan->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2109
2110 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2111 sizeof(rfc), (unsigned long) &rfc);
2112
f2fcfcd6
GP		 2113 break;
2114
2115 default:
5dee9e7c 2116 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2117
6464f35f 2118 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2119 rfc.mode = chan->mode;
f2fcfcd6 2120 }
6464f35f 2121
f2fcfcd6 2122 if (result == L2CAP_CONF_SUCCESS)
b4450035 2123 chan->conf_state |= L2CAP_CONF_OUTPUT_DONE;
f2fcfcd6 2124 }
fe4128e0 2125 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2126 rsp->result = cpu_to_le16(result);
2127 rsp->flags = cpu_to_le16(0x0000);
2128
2129 return ptr - data;
1da177e4
LT		 2130}
2131
b4450035 2132static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2133{
f2fcfcd6
GP		 2134 struct l2cap_conf_req *req = data;
2135 void *ptr = req->data;
2136 int type, olen;
2137 unsigned long val;
2138 struct l2cap_conf_rfc rfc;
2139
fe4128e0 2140 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 2141
2142 while (len >= L2CAP_CONF_OPT_SIZE) {
2143 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2144
2145 switch (type) {
2146 case L2CAP_CONF_MTU:
2147 if (val < L2CAP_DEFAULT_MIN_MTU) {
2148 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2149 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2150 } else
0c1bc5c6
GP		 2151 chan->imtu = val;
2152 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 2153 break;
2154
2155 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2156 chan->flush_to = val;
f2fcfcd6 2157 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 2158 2, chan->flush_to);
f2fcfcd6
GP		 2159 break;
2160
2161 case L2CAP_CONF_RFC:
2162 if (olen == sizeof(rfc))
2163 memcpy(&rfc, (void *)val, olen);
2164
b4450035 2165 if ((chan->conf_state & L2CAP_CONF_STATE2_DEVICE) &&
0c1bc5c6 2166 rfc.mode != chan->mode)
f2fcfcd6
GP		 2167 return -ECONNREFUSED;
2168
47d1ec61 2169 chan->fcs = 0;
f2fcfcd6
GP		 2170
2171 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2172 sizeof(rfc), (unsigned long) &rfc);
2173 break;
2174 }
2175 }
2176
0c1bc5c6 2177 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 2178 return -ECONNREFUSED;
2179
0c1bc5c6 2180 chan->mode = rfc.mode;
6c2ea7a8 2181
f2fcfcd6
GP		 2182 if (*result == L2CAP_CONF_SUCCESS) {
2183 switch (rfc.mode) {
2184 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2185 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2186 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2187 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2188 break;
2189 case L2CAP_MODE_STREAMING:
47d1ec61 2190 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2191 }
2192 }
2193
fe4128e0 2194 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 2195 req->flags = cpu_to_le16(0x0000);
2196
2197 return ptr - data;
2198}
2199
fe4128e0 2200static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 2201{
2202 struct l2cap_conf_rsp *rsp = data;
2203 void *ptr = rsp->data;
1da177e4 2204
fe4128e0 2205 BT_DBG("chan %p", chan);
1da177e4 2206
fe4128e0 2207 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 2208 rsp->result = cpu_to_le16(result);
aca3192c 2209 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2210
2211 return ptr - data;
2212}
2213
8c1d787b 2214void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 2215{
2216 struct l2cap_conn_rsp rsp;
8c1d787b 2217 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 2218 u8 buf[128];
2219
fe4128e0
GP		 2220 rsp.scid = cpu_to_le16(chan->dcid);
2221 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 2222 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2223 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2224 l2cap_send_cmd(conn, chan->ident,
2225 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2226
b4450035 2227 if (chan->conf_state & L2CAP_CONF_REQ_SENT)
710f9b0a
GP		 2228 return;
2229
b4450035 2230 chan->conf_state |= L2CAP_CONF_REQ_SENT;
710f9b0a
GP		 2231 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2232 l2cap_build_conf_req(chan, buf), buf);
2233 chan->num_conf_req++;
2234}
2235
47d1ec61 2236static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 2237{
7b1c0049
GP		 2238 int type, olen;
2239 unsigned long val;
2240 struct l2cap_conf_rfc rfc;
2241
47d1ec61 2242 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 2243
0c1bc5c6 2244 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 2245 return;
2246
2247 while (len >= L2CAP_CONF_OPT_SIZE) {
2248 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2249
2250 switch (type) {
2251 case L2CAP_CONF_RFC:
2252 if (olen == sizeof(rfc))
2253 memcpy(&rfc, (void *)val, olen);
2254 goto done;
2255 }
2256 }
2257
2258done:
2259 switch (rfc.mode) {
2260 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2261 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2262 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2263 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2264 break;
2265 case L2CAP_MODE_STREAMING:
47d1ec61 2266 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2267 }
2268}
2269
4e8402a3
MH		 2270static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2271{
2272 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
2273
2274 if (rej->reason != 0x0000)
2275 return 0;
2276
2277 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2278 cmd->ident == conn->info_ident) {
4e8402a3 2279 del_timer(&conn->info_timer);
984947dc
MH		 2280
2281 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2282 conn->info_ident = 0;
984947dc 2283
4e8402a3
MH		 2284 l2cap_conn_start(conn);
2285 }
2286
2287 return 0;
2288}
2289
1da177e4
LT		 2290static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2291{
1da177e4
LT		 2292 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2293 struct l2cap_conn_rsp rsp;
23691d75 2294 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 2295 struct sock *parent, *sk = NULL;
e7c29cb1 2296 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2297
2298 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2299 __le16 psm = req->psm;
1da177e4
LT		 2300
2301 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2302
2303 /* Check if we have socket listening on psm */
23691d75
GP		 2304 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
2305 if (!pchan) {
1da177e4
LT		 2306 result = L2CAP_CR_BAD_PSM;
2307 goto sendresp;
2308 }
2309
23691d75
GP		 2310 parent = pchan->sk;
2311
e0f0cb56
GP		 2312 bh_lock_sock(parent);
2313
e7c29cb1
MH		 2314 /* Check if the ACL is secure enough (if not SDP) */
2315 if (psm != cpu_to_le16(0x0001) &&
2316 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 2317 conn->disc_reason = 0x05;
e7c29cb1
MH		 2318 result = L2CAP_CR_SEC_BLOCK;
2319 goto response;
2320 }
2321
1da177e4
LT		 2322 result = L2CAP_CR_NO_MEM;
2323
2324 /* Check for backlog size */
2325 if (sk_acceptq_is_full(parent)) {
8e87d142 2326 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2327 goto response;
2328 }
2329
80808e43
GP		 2330 chan = pchan->ops->new_connection(pchan->data);
2331 if (!chan)
1da177e4
LT		 2332 goto response;
2333
80808e43
GP		 2334 sk = chan->sk;
2335
baa7e1fa 2336 write_lock_bh(&conn->chan_lock);
1da177e4
LT		 2337
2338 /* Check if we already have channel with that dcid */
baa7e1fa
GP		 2339 if (__l2cap_get_chan_by_dcid(conn, scid)) {
2340 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 2341 sock_set_flag(sk, SOCK_ZAPPED);
2342 l2cap_sock_kill(sk);
2343 goto response;
2344 }
2345
2346 hci_conn_hold(conn->hcon);
2347
1da177e4
LT		 2348 bacpy(&bt_sk(sk)->src, conn->src);
2349 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 2350 chan->psm = psm;
2351 chan->dcid = scid;
1da177e4 2352
d1010240
GP		 2353 bt_accept_enqueue(parent, sk);
2354
48454079
GP		 2355 __l2cap_chan_add(conn, chan);
2356
fe4128e0 2357 dcid = chan->scid;
1da177e4 2358
ab07801d 2359 l2cap_chan_set_timer(chan, sk->sk_sndtimeo);
1da177e4 2360
fc7f8a7e 2361 chan->ident = cmd->ident;
1da177e4 2362
984947dc 2363 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
4343478f 2364 if (l2cap_check_security(chan)) {
f66dc81f
MH		 2365 if (bt_sk(sk)->defer_setup) {
2366 sk->sk_state = BT_CONNECT2;
2367 result = L2CAP_CR_PEND;
2368 status = L2CAP_CS_AUTHOR_PEND;
2369 parent->sk_data_ready(parent, 0);
2370 } else {
2371 sk->sk_state = BT_CONFIG;
2372 result = L2CAP_CR_SUCCESS;
2373 status = L2CAP_CS_NO_INFO;
2374 }
79d554a6
MH		 2375 } else {
2376 sk->sk_state = BT_CONNECT2;
2377 result = L2CAP_CR_PEND;
2378 status = L2CAP_CS_AUTHEN_PEND;
2379 }
2380 } else {
2381 sk->sk_state = BT_CONNECT2;
2382 result = L2CAP_CR_PEND;
2383 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2384 }
2385
baa7e1fa 2386 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 2387
2388response:
2389 bh_unlock_sock(parent);
2390
2391sendresp:
aca3192c
YH		 2392 rsp.scid = cpu_to_le16(scid);
2393 rsp.dcid = cpu_to_le16(dcid);
2394 rsp.result = cpu_to_le16(result);
2395 rsp.status = cpu_to_le16(status);
1da177e4 2396 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2397
2398 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2399 struct l2cap_info_req info;
2400 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2401
2402 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2403 conn->info_ident = l2cap_get_ident(conn);
2404
2405 mod_timer(&conn->info_timer, jiffies +
2406 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2407
2408 l2cap_send_cmd(conn, conn->info_ident,
2409 L2CAP_INFO_REQ, sizeof(info), &info);
2410 }
2411
b4450035 2412 if (chan && !(chan->conf_state & L2CAP_CONF_REQ_SENT) &&
e9aeb2dd
GP		 2413 result == L2CAP_CR_SUCCESS) {
2414 u8 buf[128];
b4450035 2415 chan->conf_state |= L2CAP_CONF_REQ_SENT;
e9aeb2dd 2416 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2417 l2cap_build_conf_req(chan, buf), buf);
2418 chan->num_conf_req++;
e9aeb2dd
GP		 2419 }
2420
1da177e4
LT		 2421 return 0;
2422}
2423
2424static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2425{
2426 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2427 u16 scid, dcid, result, status;
48454079 2428 struct l2cap_chan *chan;
1da177e4
LT		 2429 struct sock *sk;
2430 u8 req[128];
2431
2432 scid = __le16_to_cpu(rsp->scid);
2433 dcid = __le16_to_cpu(rsp->dcid);
2434 result = __le16_to_cpu(rsp->result);
2435 status = __le16_to_cpu(rsp->status);
2436
2437 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2438
2439 if (scid) {
baa7e1fa 2440 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2441 if (!chan)
57d3b22b 2442 return -EFAULT;
1da177e4 2443 } else {
baa7e1fa 2444 chan = l2cap_get_chan_by_ident(conn, cmd->ident);
48454079 2445 if (!chan)
57d3b22b 2446 return -EFAULT;
1da177e4
LT		 2447 }
2448
48454079
GP		 2449 sk = chan->sk;
2450
1da177e4
LT		 2451 switch (result) {
2452 case L2CAP_CR_SUCCESS:
2453 sk->sk_state = BT_CONFIG;
fc7f8a7e 2454 chan->ident = 0;
fe4128e0 2455 chan->dcid = dcid;
b4450035 2456 chan->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
6a8d3010 2457
b4450035 2458 if (chan->conf_state & L2CAP_CONF_REQ_SENT)
e9aeb2dd
GP		 2459 break;
2460
b4450035 2461 chan->conf_state |= L2CAP_CONF_REQ_SENT;
e9aeb2dd 2462
1da177e4 2463 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2464 l2cap_build_conf_req(chan, req), req);
2465 chan->num_conf_req++;
1da177e4
LT		 2466 break;
2467
2468 case L2CAP_CR_PEND:
b4450035 2469 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4
LT		 2470 break;
2471
2472 default:
a49184c2
AE		 2473 /* don't delete l2cap channel if sk is owned by user */
2474 if (sock_owned_by_user(sk)) {
2475 sk->sk_state = BT_DISCONN;
ab07801d
GP		 2476 l2cap_chan_clear_timer(chan);
2477 l2cap_chan_set_timer(chan, HZ / 5);
a49184c2
AE		 2478 break;
2479 }
2480
48454079 2481 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 2482 break;
2483 }
2484
2485 bh_unlock_sock(sk);
2486 return 0;
2487}
2488
47d1ec61 2489static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60 2490{
47d1ec61
GP		 2491 struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
2492
8c462b60
MM		 2493 /* FCS is enabled only in ERTM or streaming mode, if one or both
2494 * sides request it.
2495 */
0c1bc5c6 2496 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 2497 chan->fcs = L2CAP_FCS_NONE;
b4450035 2498 else if (!(pi->chan->conf_state & L2CAP_CONF_NO_FCS_RECV))
47d1ec61 2499 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 2500}
2501
88219a0f 2502static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2503{
2504 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2505 u16 dcid, flags;
2506 u8 rsp[64];
48454079 2507 struct l2cap_chan *chan;
1da177e4 2508 struct sock *sk;
5dee9e7c 2509 int len;
1da177e4
LT		 2510
2511 dcid = __le16_to_cpu(req->dcid);
2512 flags = __le16_to_cpu(req->flags);
2513
2514 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2515
baa7e1fa 2516 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2517 if (!chan)
1da177e4
LT		 2518 return -ENOENT;
2519
48454079
GP		 2520 sk = chan->sk;
2521
df6bd743
GP		 2522 if (sk->sk_state != BT_CONFIG) {
2523 struct l2cap_cmd_rej rej;
2524
2525 rej.reason = cpu_to_le16(0x0002);
2526 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2527 sizeof(rej), &rej);
354f60a9 2528 goto unlock;
df6bd743 2529 }
354f60a9 2530
5dee9e7c 2531 /* Reject if config buffer is too small. */
88219a0f 2532 len = cmd_len - sizeof(*req);
73ffa904 2533 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 2534 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2535 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 2536 L2CAP_CONF_REJECT, flags), rsp);
2537 goto unlock;
2538 }
2539
2540 /* Store config. */
73ffa904
GP		 2541 memcpy(chan->conf_req + chan->conf_len, req->data, len);
2542 chan->conf_len += len;
1da177e4
LT		 2543
2544 if (flags & 0x0001) {
2545 /* Incomplete config. Send empty response. */
2546 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2547 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 2548 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2549 goto unlock;
2550 }
2551
2552 /* Complete config. */
73ffa904 2553 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 2554 if (len < 0) {
e92c8e70 2555 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 2556 goto unlock;
f2fcfcd6 2557 }
1da177e4 2558
5dee9e7c 2559 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 2560 chan->num_conf_rsp++;
5dee9e7c 2561
5dee9e7c 2562 /* Reset config buffer. */
73ffa904 2563 chan->conf_len = 0;
5dee9e7c 2564
b4450035 2565 if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE))
876d9484
MH		 2566 goto unlock;
2567
b4450035 2568 if (chan->conf_state & L2CAP_CONF_INPUT_DONE) {
47d1ec61 2569 set_default_fcs(chan);
fcc203c3 2570
1da177e4 2571 sk->sk_state = BT_CONNECTED;
e90bac06 2572
42e5c802
GP		 2573 chan->next_tx_seq = 0;
2574 chan->expected_tx_seq = 0;
58d35f87 2575 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2576 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2577 l2cap_ertm_init(chan);
0565c1c2 2578
1da177e4 2579 l2cap_chan_ready(sk);
876d9484
MH		 2580 goto unlock;
2581 }
2582
b4450035 2583 if (!(chan->conf_state & L2CAP_CONF_REQ_SENT)) {
79d554a6 2584 u8 buf[64];
b4450035 2585 chan->conf_state |= L2CAP_CONF_REQ_SENT;
1da177e4 2586 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2587 l2cap_build_conf_req(chan, buf), buf);
2588 chan->num_conf_req++;
1da177e4
LT		 2589 }
2590
2591unlock:
2592 bh_unlock_sock(sk);
2593 return 0;
2594}
2595
2596static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2597{
2598 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2599 u16 scid, flags, result;
48454079 2600 struct l2cap_chan *chan;
1da177e4 2601 struct sock *sk;
7b1c0049 2602 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 2603
2604 scid = __le16_to_cpu(rsp->scid);
2605 flags = __le16_to_cpu(rsp->flags);
2606 result = __le16_to_cpu(rsp->result);
2607
af05b30b
GP		 2608 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2609 scid, flags, result);
1da177e4 2610
baa7e1fa 2611 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2612 if (!chan)
1da177e4
LT		 2613 return 0;
2614
48454079
GP		 2615 sk = chan->sk;
2616
1da177e4
LT		 2617 switch (result) {
2618 case L2CAP_CONF_SUCCESS:
47d1ec61 2619 l2cap_conf_rfc_get(chan, rsp->data, len);
1da177e4
LT		 2620 break;
2621
2622 case L2CAP_CONF_UNACCEPT:
73ffa904 2623 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 2624 char req[64];
2625
c2c77ec8 2626 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 2627 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 2628 goto done;
2629 }
2630
f2fcfcd6
GP		 2631 /* throw out any old stored conf requests */
2632 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 2633 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2634 req, &result);
f2fcfcd6 2635 if (len < 0) {
e92c8e70 2636 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 2637 goto done;
2638 }
2639
2640 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2641 L2CAP_CONF_REQ, len, req);
73ffa904 2642 chan->num_conf_req++;
f2fcfcd6
GP		 2643 if (result != L2CAP_CONF_SUCCESS)
2644 goto done;
2645 break;
1da177e4
LT		 2646 }
2647
8e87d142 2648 default:
b1235d79 2649 sk->sk_err = ECONNRESET;
ab07801d 2650 l2cap_chan_set_timer(chan, HZ * 5);
e92c8e70 2651 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 2652 goto done;
2653 }
2654
2655 if (flags & 0x01)
2656 goto done;
2657
b4450035 2658 chan->conf_state |= L2CAP_CONF_INPUT_DONE;
1da177e4 2659
b4450035 2660 if (chan->conf_state & L2CAP_CONF_OUTPUT_DONE) {
47d1ec61 2661 set_default_fcs(chan);
fcc203c3 2662
1da177e4 2663 sk->sk_state = BT_CONNECTED;
42e5c802
GP		 2664 chan->next_tx_seq = 0;
2665 chan->expected_tx_seq = 0;
58d35f87 2666 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2667 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2668 l2cap_ertm_init(chan);
0565c1c2 2669
1da177e4
LT		 2670 l2cap_chan_ready(sk);
2671 }
2672
2673done:
2674 bh_unlock_sock(sk);
2675 return 0;
2676}
2677
2678static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2679{
2680 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2681 struct l2cap_disconn_rsp rsp;
2682 u16 dcid, scid;
48454079 2683 struct l2cap_chan *chan;
1da177e4
LT		 2684 struct sock *sk;
2685
2686 scid = __le16_to_cpu(req->scid);
2687 dcid = __le16_to_cpu(req->dcid);
2688
2689 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2690
baa7e1fa 2691 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2692 if (!chan)
1da177e4
LT		 2693 return 0;
2694
48454079
GP		 2695 sk = chan->sk;
2696
fe4128e0
GP		 2697 rsp.dcid = cpu_to_le16(chan->scid);
2698 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 2699 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2700
2701 sk->sk_shutdown = SHUTDOWN_MASK;
2702
a49184c2
AE		 2703 /* don't delete l2cap channel if sk is owned by user */
2704 if (sock_owned_by_user(sk)) {
2705 sk->sk_state = BT_DISCONN;
ab07801d
GP		 2706 l2cap_chan_clear_timer(chan);
2707 l2cap_chan_set_timer(chan, HZ / 5);
a49184c2
AE		 2708 bh_unlock_sock(sk);
2709 return 0;
2710 }
2711
48454079 2712 l2cap_chan_del(chan, ECONNRESET);
1da177e4
LT		 2713 bh_unlock_sock(sk);
2714
2715 l2cap_sock_kill(sk);
2716 return 0;
2717}
2718
2719static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2720{
2721 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2722 u16 dcid, scid;
48454079 2723 struct l2cap_chan *chan;
1da177e4
LT		 2724 struct sock *sk;
2725
2726 scid = __le16_to_cpu(rsp->scid);
2727 dcid = __le16_to_cpu(rsp->dcid);
2728
2729 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2730
baa7e1fa 2731 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2732 if (!chan)
1da177e4
LT		 2733 return 0;
2734
48454079
GP		 2735 sk = chan->sk;
2736
a49184c2
AE		 2737 /* don't delete l2cap channel if sk is owned by user */
2738 if (sock_owned_by_user(sk)) {
2739 sk->sk_state = BT_DISCONN;
ab07801d
GP		 2740 l2cap_chan_clear_timer(chan);
2741 l2cap_chan_set_timer(chan, HZ / 5);
a49184c2
AE		 2742 bh_unlock_sock(sk);
2743 return 0;
2744 }
2745
48454079 2746 l2cap_chan_del(chan, 0);
1da177e4
LT		 2747 bh_unlock_sock(sk);
2748
2749 l2cap_sock_kill(sk);
2750 return 0;
2751}
2752
2753static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2754{
2755 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 2756 u16 type;
2757
2758 type = __le16_to_cpu(req->type);
2759
2760 BT_DBG("type 0x%4.4x", type);
2761
f0709e03
MH		 2762 if (type == L2CAP_IT_FEAT_MASK) {
2763 u8 buf[8];
44dd46de 2764 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 2765 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2766 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2767 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 2768 if (!disable_ertm)
fcc203c3
GP		 2769 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2770 | L2CAP_FEAT_FCS;
1b7bf4ed 2771 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 2772 l2cap_send_cmd(conn, cmd->ident,
2773 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 2774 } else if (type == L2CAP_IT_FIXED_CHAN) {
2775 u8 buf[12];
2776 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2777 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2778 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2779 memcpy(buf + 4, l2cap_fixed_chan, 8);
2780 l2cap_send_cmd(conn, cmd->ident,
2781 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 2782 } else {
2783 struct l2cap_info_rsp rsp;
2784 rsp.type = cpu_to_le16(type);
2785 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2786 l2cap_send_cmd(conn, cmd->ident,
2787 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
2788 }
1da177e4
LT		 2789
2790 return 0;
2791}
2792
2793static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2794{
2795 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
2796 u16 type, result;
2797
2798 type = __le16_to_cpu(rsp->type);
2799 result = __le16_to_cpu(rsp->result);
2800
2801 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2802
e90165be
AE		 2803 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
2804 if (cmd->ident != conn->info_ident ||
2805 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
2806 return 0;
2807
4e8402a3
MH		 2808 del_timer(&conn->info_timer);
2809
adb08ede
VT		 2810 if (result != L2CAP_IR_SUCCESS) {
2811 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2812 conn->info_ident = 0;
2813
2814 l2cap_conn_start(conn);
2815
2816 return 0;
2817 }
2818
984947dc 2819 if (type == L2CAP_IT_FEAT_MASK) {
83985319 2820 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 2821
47ec1dcd 2822 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 2823 struct l2cap_info_req req;
2824 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2825
2826 conn->info_ident = l2cap_get_ident(conn);
2827
2828 l2cap_send_cmd(conn, conn->info_ident,
2829 L2CAP_INFO_REQ, sizeof(req), &req);
2830 } else {
2831 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2832 conn->info_ident = 0;
2833
2834 l2cap_conn_start(conn);
2835 }
2836 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 2837 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2838 conn->info_ident = 0;
984947dc
MH		 2839
2840 l2cap_conn_start(conn);
2841 }
4e8402a3 2842
1da177e4
LT		 2843 return 0;
2844}
2845
e2174ca4 2846static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 2847 u16 to_multiplier)
2848{
2849 u16 max_latency;
2850
2851 if (min > max || min < 6 || max > 3200)
2852 return -EINVAL;
2853
2854 if (to_multiplier < 10 || to_multiplier > 3200)
2855 return -EINVAL;
2856
2857 if (max >= to_multiplier * 8)
2858 return -EINVAL;
2859
2860 max_latency = (to_multiplier * 8 / max) - 1;
2861 if (latency > 499 || latency > max_latency)
2862 return -EINVAL;
2863
2864 return 0;
2865}
2866
2867static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2868 struct l2cap_cmd_hdr *cmd, u8 *data)
2869{
2870 struct hci_conn *hcon = conn->hcon;
2871 struct l2cap_conn_param_update_req *req;
2872 struct l2cap_conn_param_update_rsp rsp;
2873 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 2874 int err;
de73115a
CT		 2875
2876 if (!(hcon->link_mode & HCI_LM_MASTER))
2877 return -EINVAL;
2878
2879 cmd_len = __le16_to_cpu(cmd->len);
2880 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
2881 return -EPROTO;
2882
2883 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 2884 min = __le16_to_cpu(req->min);
2885 max = __le16_to_cpu(req->max);
de73115a
CT		 2886 latency = __le16_to_cpu(req->latency);
2887 to_multiplier = __le16_to_cpu(req->to_multiplier);
2888
2889 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2890 min, max, latency, to_multiplier);
2891
2892 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 2893
2894 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
2895 if (err)
de73115a
CT		 2896 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
2897 else
2898 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
2899
2900 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2901 sizeof(rsp), &rsp);
2902
2ce603eb
CT		 2903 if (!err)
2904 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
2905
de73115a
CT		 2906 return 0;
2907}
2908
3300d9a9
CT		 2909static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2910 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
2911{
2912 int err = 0;
2913
2914 switch (cmd->code) {
2915 case L2CAP_COMMAND_REJ:
2916 l2cap_command_rej(conn, cmd, data);
2917 break;
2918
2919 case L2CAP_CONN_REQ:
2920 err = l2cap_connect_req(conn, cmd, data);
2921 break;
2922
2923 case L2CAP_CONN_RSP:
2924 err = l2cap_connect_rsp(conn, cmd, data);
2925 break;
2926
2927 case L2CAP_CONF_REQ:
2928 err = l2cap_config_req(conn, cmd, cmd_len, data);
2929 break;
2930
2931 case L2CAP_CONF_RSP:
2932 err = l2cap_config_rsp(conn, cmd, data);
2933 break;
2934
2935 case L2CAP_DISCONN_REQ:
2936 err = l2cap_disconnect_req(conn, cmd, data);
2937 break;
2938
2939 case L2CAP_DISCONN_RSP:
2940 err = l2cap_disconnect_rsp(conn, cmd, data);
2941 break;
2942
2943 case L2CAP_ECHO_REQ:
2944 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
2945 break;
2946
2947 case L2CAP_ECHO_RSP:
2948 break;
2949
2950 case L2CAP_INFO_REQ:
2951 err = l2cap_information_req(conn, cmd, data);
2952 break;
2953
2954 case L2CAP_INFO_RSP:
2955 err = l2cap_information_rsp(conn, cmd, data);
2956 break;
2957
2958 default:
2959 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
2960 err = -EINVAL;
2961 break;
2962 }
2963
2964 return err;
2965}
2966
2967static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2968 struct l2cap_cmd_hdr *cmd, u8 *data)
2969{
2970 switch (cmd->code) {
2971 case L2CAP_COMMAND_REJ:
2972 return 0;
2973
2974 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 2975 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 2976
2977 case L2CAP_CONN_PARAM_UPDATE_RSP:
2978 return 0;
2979
2980 default:
2981 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
2982 return -EINVAL;
2983 }
2984}
2985
2986static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2987 struct sk_buff *skb)
1da177e4
LT		 2988{
2989 u8 *data = skb->data;
2990 int len = skb->len;
2991 struct l2cap_cmd_hdr cmd;
3300d9a9 2992 int err;
1da177e4
LT		 2993
2994 l2cap_raw_recv(conn, skb);
2995
2996 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 2997 u16 cmd_len;
1da177e4
LT		 2998 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
2999 data += L2CAP_CMD_HDR_SIZE;
3000 len -= L2CAP_CMD_HDR_SIZE;
3001
88219a0f 3002 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3003
88219a0f 3004 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3005
88219a0f 3006 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3007 BT_DBG("corrupted command");
3008 break;
3009 }
3010
3300d9a9
CT		 3011 if (conn->hcon->type == LE_LINK)
3012 err = l2cap_le_sig_cmd(conn, &cmd, data);
3013 else
3014 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 3015
3016 if (err) {
3017 struct l2cap_cmd_rej rej;
2c6d1a2e
GP		 3018
3019 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 3020
3021 /* FIXME: Map err to a valid reason */
aca3192c 3022 rej.reason = cpu_to_le16(0);
1da177e4
LT		 3023 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3024 }
3025
88219a0f
AV		 3026 data += cmd_len;
3027 len -= cmd_len;
1da177e4
LT		 3028 }
3029
3030 kfree_skb(skb);
3031}
3032
47d1ec61 3033static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 3034{
3035 u16 our_fcs, rcv_fcs;
3036 int hdr_size = L2CAP_HDR_SIZE + 2;
3037
47d1ec61 3038 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 3039 skb_trim(skb, skb->len - 2);
3040 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3041 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3042
3043 if (our_fcs != rcv_fcs)
7a560e5c 3044 return -EBADMSG;
fcc203c3
GP		 3045 }
3046 return 0;
3047}
3048
525cd185 3049static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 3050{
d5392c8f
GP		 3051 u16 control = 0;
3052
6a026610 3053 chan->frames_sent = 0;
d5392c8f 3054
42e5c802 3055 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
d5392c8f 3056
525cd185 3057 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
64988868 3058 control |= L2CAP_SUPER_RCV_NOT_READY;
525cd185
GP		 3059 l2cap_send_sframe(chan, control);
3060 chan->conn_state |= L2CAP_CONN_RNR_SENT;
d5392c8f
GP		 3061 }
3062
525cd185
GP		 3063 if (chan->conn_state & L2CAP_CONN_REMOTE_BUSY)
3064 l2cap_retransmit_frames(chan);
d5392c8f 3065
525cd185 3066 l2cap_ertm_send(chan);
d5392c8f 3067
525cd185 3068 if (!(chan->conn_state & L2CAP_CONN_LOCAL_BUSY) &&
6a026610 3069 chan->frames_sent == 0) {
d5392c8f 3070 control |= L2CAP_SUPER_RCV_READY;
525cd185 3071 l2cap_send_sframe(chan, control);
d5392c8f
GP		 3072 }
3073}
3074
42e5c802 3075static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u8 tx_seq, u8 sar)
8f17154f
GP		 3076{
3077 struct sk_buff *next_skb;
bfbacc11 3078 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 3079
3080 bt_cb(skb)->tx_seq = tx_seq;
3081 bt_cb(skb)->sar = sar;
3082
f1c6775b 3083 next_skb = skb_peek(&chan->srej_q);
8f17154f 3084 if (!next_skb) {
f1c6775b 3085 __skb_queue_tail(&chan->srej_q, skb);
9b53350d 3086 return 0;
8f17154f
GP		 3087 }
3088
42e5c802 3089 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
bfbacc11
JPRV		 3090 if (tx_seq_offset < 0)
3091 tx_seq_offset += 64;
3092
8f17154f 3093 do {
9b53350d
JPRV		 3094 if (bt_cb(next_skb)->tx_seq == tx_seq)
3095 return -EINVAL;
3096
bfbacc11 3097 next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
42e5c802 3098 chan->buffer_seq) % 64;
bfbacc11
JPRV		 3099 if (next_tx_seq_offset < 0)
3100 next_tx_seq_offset += 64;
3101
3102 if (next_tx_seq_offset > tx_seq_offset) {
f1c6775b 3103 __skb_queue_before(&chan->srej_q, next_skb, skb);
9b53350d 3104 return 0;
8f17154f
GP		 3105 }
3106
f1c6775b 3107 if (skb_queue_is_last(&chan->srej_q, next_skb))
8f17154f
GP		 3108 break;
3109
f1c6775b 3110 } while ((next_skb = skb_queue_next(&chan->srej_q, next_skb)));
8f17154f 3111
f1c6775b 3112 __skb_queue_tail(&chan->srej_q, skb);
9b53350d
JPRV		 3113
3114 return 0;
8f17154f
GP		 3115}
3116
525cd185 3117static int l2cap_ertm_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
18778a63 3118{
18778a63 3119 struct sk_buff *_skb;
1890d36b 3120 int err;
18778a63
GP		 3121
3122 switch (control & L2CAP_CTRL_SAR) {
3123 case L2CAP_SDU_UNSEGMENTED:
525cd185 3124 if (chan->conn_state & L2CAP_CONN_SAR_SDU)
18778a63
GP		 3125 goto drop;
3126
224f8af0 3127 return sock_queue_rcv_skb(chan->sk, skb);
18778a63
GP		 3128
3129 case L2CAP_SDU_START:
525cd185 3130 if (chan->conn_state & L2CAP_CONN_SAR_SDU)
18778a63
GP		 3131 goto drop;
3132
6f61fd47 3133 chan->sdu_len = get_unaligned_le16(skb->data);
18778a63 3134
0c1bc5c6 3135 if (chan->sdu_len > chan->imtu)
18778a63
GP		 3136 goto disconnect;
3137
6f61fd47
GP		 3138 chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
3139 if (!chan->sdu)
1890d36b
GP		 3140 return -ENOMEM;
3141
3142 /* pull sdu_len bytes only after alloc, because of Local Busy
3143 * condition we have to be sure that this will be executed
3144 * only once, i.e., when alloc does not fail */
3145 skb_pull(skb, 2);
18778a63 3146
6f61fd47 3147 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
18778a63 3148
525cd185 3149 chan->conn_state |= L2CAP_CONN_SAR_SDU;
6f61fd47 3150 chan->partial_sdu_len = skb->len;
18778a63
GP		 3151 break;
3152
3153 case L2CAP_SDU_CONTINUE:
525cd185 3154 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
18778a63
GP		 3155 goto disconnect;
3156
6f61fd47 3157 if (!chan->sdu)
18778a63
GP		 3158 goto disconnect;
3159
6f61fd47
GP		 3160 chan->partial_sdu_len += skb->len;
3161 if (chan->partial_sdu_len > chan->sdu_len)
18778a63
GP		 3162 goto drop;
3163
6f61fd47 3164 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
4178ba46 3165
18778a63
GP		 3166 break;
3167
3168 case L2CAP_SDU_END:
525cd185 3169 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
18778a63
GP		 3170 goto disconnect;
3171
6f61fd47 3172 if (!chan->sdu)
18778a63
GP		 3173 goto disconnect;
3174
525cd185 3175 if (!(chan->conn_state & L2CAP_CONN_SAR_RETRY)) {
6f61fd47 3176 chan->partial_sdu_len += skb->len;
18778a63 3177
0c1bc5c6 3178 if (chan->partial_sdu_len > chan->imtu)
1890d36b 3179 goto drop;
18778a63 3180
6f61fd47 3181 if (chan->partial_sdu_len != chan->sdu_len)
1890d36b 3182 goto drop;
4178ba46 3183
6f61fd47 3184 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
1890d36b 3185 }
18778a63 3186
6f61fd47 3187 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
1890d36b 3188 if (!_skb) {
525cd185 3189 chan->conn_state |= L2CAP_CONN_SAR_RETRY;
1890d36b
GP		 3190 return -ENOMEM;
3191 }
3192
525cd185 3193 err = sock_queue_rcv_skb(chan->sk, _skb);
1890d36b 3194 if (err < 0) {
18778a63 3195 kfree_skb(_skb);
525cd185 3196 chan->conn_state |= L2CAP_CONN_SAR_RETRY;
1890d36b
GP		 3197 return err;
3198 }
3199
525cd185
GP		 3200 chan->conn_state &= ~L2CAP_CONN_SAR_RETRY;
3201 chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
18778a63 3202
6f61fd47 3203 kfree_skb(chan->sdu);
18778a63
GP		 3204 break;
3205 }
3206
3207 kfree_skb(skb);
1890d36b 3208 return 0;
18778a63
GP		 3209
3210drop:
6f61fd47
GP		 3211 kfree_skb(chan->sdu);
3212 chan->sdu = NULL;
18778a63
GP		 3213
3214disconnect:
8c1d787b 3215 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
18778a63
GP		 3216 kfree_skb(skb);
3217 return 0;
3218}
3219
525cd185 3220static int l2cap_try_push_rx_skb(struct l2cap_chan *chan)
712132eb 3221{
712132eb
GP		 3222 struct sk_buff *skb;
3223 u16 control;
3224 int err;
3225
f1c6775b 3226 while ((skb = skb_dequeue(&chan->busy_q))) {
712132eb 3227 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
525cd185 3228 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
712132eb 3229 if (err < 0) {
f1c6775b 3230 skb_queue_head(&chan->busy_q, skb);
712132eb
GP		 3231 return -EBUSY;
3232 }
3233
42e5c802 3234 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
712132eb
GP		 3235 }
3236
525cd185 3237 if (!(chan->conn_state & L2CAP_CONN_RNR_SENT))
712132eb
GP		 3238 goto done;
3239
42e5c802 3240 control = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
712132eb 3241 control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
525cd185 3242 l2cap_send_sframe(chan, control);
6a026610 3243 chan->retry_count = 1;
712132eb 3244
e92c8e70 3245 del_timer(&chan->retrans_timer);
712132eb
GP		 3246 __mod_monitor_timer();
3247
525cd185 3248 chan->conn_state |= L2CAP_CONN_WAIT_F;
712132eb
GP		 3249
3250done:
525cd185
GP		 3251 chan->conn_state &= ~L2CAP_CONN_LOCAL_BUSY;
3252 chan->conn_state &= ~L2CAP_CONN_RNR_SENT;
712132eb 3253
49208c9c 3254 BT_DBG("chan %p, Exit local busy", chan);
712132eb
GP		 3255
3256 return 0;
3257}
3258
1890d36b
GP		 3259static void l2cap_busy_work(struct work_struct *work)
3260{
3261 DECLARE_WAITQUEUE(wait, current);
311bb895
GP		 3262 struct l2cap_chan *chan =
3263 container_of(work, struct l2cap_chan, busy_work);
3264 struct sock *sk = chan->sk;
1890d36b
GP		 3265 int n_tries = 0, timeo = HZ/5, err;
3266 struct sk_buff *skb;
1890d36b
GP		 3267
3268 lock_sock(sk);
3269
2b0b05dd 3270 add_wait_queue(sk_sleep(sk), &wait);
311bb895 3271 while ((skb = skb_peek(&chan->busy_q))) {
1890d36b
GP		 3272 set_current_state(TASK_INTERRUPTIBLE);
3273
3274 if (n_tries++ > L2CAP_LOCAL_BUSY_TRIES) {
3275 err = -EBUSY;
8c1d787b 3276 l2cap_send_disconn_req(chan->conn, chan, EBUSY);
712132eb 3277 break;
1890d36b
GP		 3278 }
3279
3280 if (!timeo)
3281 timeo = HZ/5;
3282
3283 if (signal_pending(current)) {
3284 err = sock_intr_errno(timeo);
712132eb 3285 break;
1890d36b
GP		 3286 }
3287
3288 release_sock(sk);
3289 timeo = schedule_timeout(timeo);
3290 lock_sock(sk);
3291
3292 err = sock_error(sk);
3293 if (err)
712132eb 3294 break;
1890d36b 3295
311bb895 3296 if (l2cap_try_push_rx_skb(chan) == 0)
1890d36b
GP		 3297 break;
3298 }
3299
1890d36b 3300 set_current_state(TASK_RUNNING);
2b0b05dd 3301 remove_wait_queue(sk_sleep(sk), &wait);
1890d36b
GP		 3302
3303 release_sock(sk);
3304}
3305
525cd185 3306static int l2cap_push_rx_skb(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
1890d36b 3307{
1890d36b
GP		 3308 int sctrl, err;
3309
525cd185 3310 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
1890d36b 3311 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
f1c6775b 3312 __skb_queue_tail(&chan->busy_q, skb);
525cd185 3313 return l2cap_try_push_rx_skb(chan);
712132eb
GP		 3314
3315
1890d36b
GP		 3316 }
3317
525cd185 3318 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
1890d36b 3319 if (err >= 0) {
42e5c802 3320 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
1890d36b
GP		 3321 return err;
3322 }
3323
3324 /* Busy Condition */
311bb895 3325 BT_DBG("chan %p, Enter local busy", chan);
0e98958d 3326
525cd185 3327 chan->conn_state |= L2CAP_CONN_LOCAL_BUSY;
1890d36b 3328 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
f1c6775b 3329 __skb_queue_tail(&chan->busy_q, skb);
1890d36b 3330
42e5c802 3331 sctrl = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1890d36b 3332 sctrl |= L2CAP_SUPER_RCV_NOT_READY;
525cd185 3333 l2cap_send_sframe(chan, sctrl);
1890d36b 3334
525cd185 3335 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1890d36b 3336
e92c8e70 3337 del_timer(&chan->ack_timer);
7fe9b298 3338
311bb895 3339 queue_work(_busy_wq, &chan->busy_work);
1890d36b
GP		 3340
3341 return err;
3342}
3343
525cd185 3344static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
c74e560c 3345{
c74e560c
GP		 3346 struct sk_buff *_skb;
3347 int err = -EINVAL;
3348
18778a63
GP		 3349 /*
3350 * TODO: We have to notify the userland if some data is lost with the
3351 * Streaming Mode.
3352 */
3353
c74e560c
GP		 3354 switch (control & L2CAP_CTRL_SAR) {
3355 case L2CAP_SDU_UNSEGMENTED:
525cd185 3356 if (chan->conn_state & L2CAP_CONN_SAR_SDU) {
6f61fd47 3357 kfree_skb(chan->sdu);
c74e560c
GP		 3358 break;
3359 }
3360
525cd185 3361 err = sock_queue_rcv_skb(chan->sk, skb);
c74e560c
GP		 3362 if (!err)
3363 return 0;
3364
3365 break;
3366
3367 case L2CAP_SDU_START:
525cd185 3368 if (chan->conn_state & L2CAP_CONN_SAR_SDU) {
6f61fd47 3369 kfree_skb(chan->sdu);
c74e560c
GP		 3370 break;
3371 }
3372
6f61fd47 3373 chan->sdu_len = get_unaligned_le16(skb->data);
c74e560c
GP		 3374 skb_pull(skb, 2);
3375
0c1bc5c6 3376 if (chan->sdu_len > chan->imtu) {
052897ca
GP		 3377 err = -EMSGSIZE;
3378 break;
3379 }
3380
6f61fd47
GP		 3381 chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
3382 if (!chan->sdu) {
c74e560c
GP		 3383 err = -ENOMEM;
3384 break;
3385 }
3386
6f61fd47 3387 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3388
525cd185 3389 chan->conn_state |= L2CAP_CONN_SAR_SDU;
6f61fd47 3390 chan->partial_sdu_len = skb->len;
c74e560c
GP		 3391 err = 0;
3392 break;
3393
3394 case L2CAP_SDU_CONTINUE:
525cd185 3395 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
c74e560c
GP		 3396 break;
3397
6f61fd47 3398 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3399
6f61fd47
GP		 3400 chan->partial_sdu_len += skb->len;
3401 if (chan->partial_sdu_len > chan->sdu_len)
3402 kfree_skb(chan->sdu);
c74e560c
GP		 3403 else
3404 err = 0;
3405
3406 break;
3407
3408 case L2CAP_SDU_END:
525cd185 3409 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
c74e560c
GP		 3410 break;
3411
6f61fd47 3412 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
c74e560c 3413
525cd185 3414 chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
6f61fd47 3415 chan->partial_sdu_len += skb->len;
c74e560c 3416
0c1bc5c6 3417 if (chan->partial_sdu_len > chan->imtu)
36f2fd58
GP		 3418 goto drop;
3419
6f61fd47
GP		 3420 if (chan->partial_sdu_len == chan->sdu_len) {
3421 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
525cd185 3422 err = sock_queue_rcv_skb(chan->sk, _skb);
c74e560c
GP		 3423 if (err < 0)
3424 kfree_skb(_skb);
3425 }
c74e560c
GP		 3426 err = 0;
3427
36f2fd58 3428drop:
6f61fd47 3429 kfree_skb(chan->sdu);
c74e560c
GP		 3430 break;
3431 }
3432
3433 kfree_skb(skb);
3434 return err;
3435}
3436
525cd185 3437static void l2cap_check_srej_gap(struct l2cap_chan *chan, u8 tx_seq)
8f17154f
GP		 3438{
3439 struct sk_buff *skb;
afefdbc4 3440 u16 control;
8f17154f 3441
f1c6775b 3442 while ((skb = skb_peek(&chan->srej_q))) {
8f17154f
GP		 3443 if (bt_cb(skb)->tx_seq != tx_seq)
3444 break;
3445
f1c6775b 3446 skb = skb_dequeue(&chan->srej_q);
afefdbc4 3447 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
525cd185 3448 l2cap_ertm_reassembly_sdu(chan, skb, control);
42e5c802
GP		 3449 chan->buffer_seq_srej =
3450 (chan->buffer_seq_srej + 1) % 64;
8ff50ec0 3451 tx_seq = (tx_seq + 1) % 64;
8f17154f
GP		 3452 }
3453}
3454
525cd185 3455static void l2cap_resend_srejframe(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 3456{
8f17154f
GP		 3457 struct srej_list *l, *tmp;
3458 u16 control;
3459
39d5a3ee 3460 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
8f17154f
GP		 3461 if (l->tx_seq == tx_seq) {
3462 list_del(&l->list);
3463 kfree(l);
3464 return;
3465 }
3466 control = L2CAP_SUPER_SELECT_REJECT;
3467 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
525cd185 3468 l2cap_send_sframe(chan, control);
8f17154f 3469 list_del(&l->list);
39d5a3ee 3470 list_add_tail(&l->list, &chan->srej_l);
8f17154f
GP		 3471 }
3472}
3473
525cd185 3474static void l2cap_send_srejframe(struct l2cap_chan *chan, u8 tx_seq)
8f17154f 3475{
8f17154f
GP		 3476 struct srej_list *new;
3477 u16 control;
3478
42e5c802 3479 while (tx_seq != chan->expected_tx_seq) {
8f17154f 3480 control = L2CAP_SUPER_SELECT_REJECT;
42e5c802 3481 control |= chan->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
525cd185 3482 l2cap_send_sframe(chan, control);
8f17154f
GP		 3483
3484 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
42e5c802
GP		 3485 new->tx_seq = chan->expected_tx_seq;
3486 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
39d5a3ee 3487 list_add_tail(&new->list, &chan->srej_l);
8f17154f 3488 }
42e5c802 3489 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
8f17154f
GP		 3490}
3491
525cd185 3492static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
1c2acffb 3493{
1c2acffb 3494 u8 tx_seq = __get_txseq(rx_control);
9f121a5a 3495 u8 req_seq = __get_reqseq(rx_control);
8f17154f 3496 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
f6337c77 3497 int tx_seq_offset, expected_tx_seq_offset;
47d1ec61 3498 int num_to_ack = (chan->tx_win/6) + 1;
1c2acffb
GP		 3499 int err = 0;
3500
525cd185
GP		 3501 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%4.4x", chan, skb->len,
3502 tx_seq, rx_control);
1c2acffb 3503
9b16dc65 3504 if (L2CAP_CTRL_FINAL & rx_control &&
525cd185 3505 chan->conn_state & L2CAP_CONN_WAIT_F) {
e92c8e70 3506 del_timer(&chan->monitor_timer);
6a026610 3507 if (chan->unacked_frames > 0)
1d8f5d16 3508 __mod_retrans_timer();
525cd185 3509 chan->conn_state &= ~L2CAP_CONN_WAIT_F;
1d8f5d16
GP		 3510 }
3511
42e5c802
GP		 3512 chan->expected_ack_seq = req_seq;
3513 l2cap_drop_acked_frames(chan);
9f121a5a 3514
42e5c802 3515 if (tx_seq == chan->expected_tx_seq)
8f17154f 3516 goto expected;
1c2acffb 3517
42e5c802 3518 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
9b53350d
JPRV		 3519 if (tx_seq_offset < 0)
3520 tx_seq_offset += 64;
3521
3522 /* invalid tx_seq */
47d1ec61 3523 if (tx_seq_offset >= chan->tx_win) {
8c1d787b 3524 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
9b53350d
JPRV		 3525 goto drop;
3526 }
3527
e6949280 3528 if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY)
1890d36b
GP		 3529 goto drop;
3530
525cd185 3531 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
8f17154f 3532 struct srej_list *first;
30afb5b2 3533
39d5a3ee 3534 first = list_first_entry(&chan->srej_l,
8f17154f
GP		 3535 struct srej_list, list);
3536 if (tx_seq == first->tx_seq) {
42e5c802 3537 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
525cd185 3538 l2cap_check_srej_gap(chan, tx_seq);
8f17154f
GP		 3539
3540 list_del(&first->list);
3541 kfree(first);
3542
39d5a3ee 3543 if (list_empty(&chan->srej_l)) {
42e5c802 3544 chan->buffer_seq = chan->buffer_seq_srej;
525cd185
GP		 3545 chan->conn_state &= ~L2CAP_CONN_SREJ_SENT;
3546 l2cap_send_ack(chan);
49208c9c 3547 BT_DBG("chan %p, Exit SREJ_SENT", chan);
8f17154f
GP		 3548 }
3549 } else {
3550 struct srej_list *l;
9b53350d
JPRV		 3551
3552 /* duplicated tx_seq */
42e5c802 3553 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
9b53350d 3554 goto drop;
8f17154f 3555
39d5a3ee 3556 list_for_each_entry(l, &chan->srej_l, list) {
8f17154f 3557 if (l->tx_seq == tx_seq) {
525cd185 3558 l2cap_resend_srejframe(chan, tx_seq);
8f17154f
GP		 3559 return 0;
3560 }
3561 }
525cd185 3562 l2cap_send_srejframe(chan, tx_seq);
30afb5b2
GP		 3563 }
3564 } else {
9b53350d 3565 expected_tx_seq_offset =
42e5c802 3566 (chan->expected_tx_seq - chan->buffer_seq) % 64;
9b53350d
JPRV		 3567 if (expected_tx_seq_offset < 0)
3568 expected_tx_seq_offset += 64;
3569
3570 /* duplicated tx_seq */
3571 if (tx_seq_offset < expected_tx_seq_offset)
3572 goto drop;
3573
525cd185 3574 chan->conn_state |= L2CAP_CONN_SREJ_SENT;
1c2acffb 3575
49208c9c 3576 BT_DBG("chan %p, Enter SREJ", chan);
0e98958d 3577
39d5a3ee 3578 INIT_LIST_HEAD(&chan->srej_l);
42e5c802 3579 chan->buffer_seq_srej = chan->buffer_seq;
8f17154f 3580
f1c6775b
GP		 3581 __skb_queue_head_init(&chan->srej_q);
3582 __skb_queue_head_init(&chan->busy_q);
42e5c802 3583 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
8f17154f 3584
525cd185 3585 chan->conn_state |= L2CAP_CONN_SEND_PBIT;
ef54fd93 3586
525cd185 3587 l2cap_send_srejframe(chan, tx_seq);
7fe9b298 3588
e92c8e70 3589 del_timer(&chan->ack_timer);
1c2acffb 3590 }
30afb5b2
GP		 3591 return 0;
3592
8f17154f 3593expected:
42e5c802 3594 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
8f17154f 3595
525cd185 3596 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
3b1a9f3f
GP		 3597 bt_cb(skb)->tx_seq = tx_seq;
3598 bt_cb(skb)->sar = sar;
f1c6775b 3599 __skb_queue_tail(&chan->srej_q, skb);
8f17154f
GP		 3600 return 0;
3601 }
3602
525cd185 3603 err = l2cap_push_rx_skb(chan, skb, rx_control);
2ece3684
GP		 3604 if (err < 0)
3605 return 0;
3606
4ec10d97 3607 if (rx_control & L2CAP_CTRL_FINAL) {
525cd185
GP		 3608 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3609 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be 3610 else
525cd185 3611 l2cap_retransmit_frames(chan);
4ec10d97
GP		 3612 }
3613
c1b4f43b
GP		 3614 __mod_ack_timer();
3615
6a026610
GP		 3616 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3617 if (chan->num_acked == num_to_ack - 1)
525cd185 3618 l2cap_send_ack(chan);
9e917af1 3619
8f17154f 3620 return 0;
9b53350d
JPRV		 3621
3622drop:
3623 kfree_skb(skb);
3624 return 0;
1c2acffb
GP		 3625}
3626
525cd185 3627static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u16 rx_control)
1c2acffb 3628{
49208c9c 3629 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, __get_reqseq(rx_control),
0e98958d
GP		 3630 rx_control);
3631
42e5c802
GP		 3632 chan->expected_ack_seq = __get_reqseq(rx_control);
3633 l2cap_drop_acked_frames(chan);
1c2acffb 3634
e072745f 3635 if (rx_control & L2CAP_CTRL_POLL) {
525cd185
GP		 3636 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3637 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
3638 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
6a026610 3639 (chan->unacked_frames > 0))
05fbd89d
GP		 3640 __mod_retrans_timer();
3641
525cd185
GP		 3642 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3643 l2cap_send_srejtail(chan);
05fbd89d 3644 } else {
525cd185 3645 l2cap_send_i_or_rr_or_rnr(chan);
05fbd89d 3646 }
1d8f5d16 3647
e072745f 3648 } else if (rx_control & L2CAP_CTRL_FINAL) {
525cd185 3649 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4ec10d97 3650
525cd185
GP		 3651 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3652 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be 3653 else
525cd185 3654 l2cap_retransmit_frames(chan);
2246b2f1 3655
e072745f 3656 } else {
525cd185 3657 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
6a026610 3658 (chan->unacked_frames > 0))
e072745f 3659 __mod_retrans_timer();
1c2acffb 3660
525cd185
GP		 3661 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3662 if (chan->conn_state & L2CAP_CONN_SREJ_SENT)
3663 l2cap_send_ack(chan);
894718a6 3664 else
525cd185 3665 l2cap_ertm_send(chan);
e072745f
GP		 3666 }
3667}
2246b2f1 3668
525cd185 3669static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3670{
e072745f 3671 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3672
525cd185 3673 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3674
525cd185 3675 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
e072745f 3676
42e5c802
GP		 3677 chan->expected_ack_seq = tx_seq;
3678 l2cap_drop_acked_frames(chan);
e072745f
GP		 3679
3680 if (rx_control & L2CAP_CTRL_FINAL) {
525cd185
GP		 3681 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3682 chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be 3683 else
525cd185 3684 l2cap_retransmit_frames(chan);
e072745f 3685 } else {
525cd185 3686 l2cap_retransmit_frames(chan);
30afb5b2 3687
525cd185
GP		 3688 if (chan->conn_state & L2CAP_CONN_WAIT_F)
3689 chan->conn_state |= L2CAP_CONN_REJ_ACT;
e072745f
GP		 3690 }
3691}
525cd185 3692static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3693{
e072745f 3694 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 3695
525cd185 3696 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3697
525cd185 3698 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
2246b2f1 3699
e072745f 3700 if (rx_control & L2CAP_CTRL_POLL) {
42e5c802
GP		 3701 chan->expected_ack_seq = tx_seq;
3702 l2cap_drop_acked_frames(chan);
3cb123d1 3703
525cd185
GP		 3704 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3705 l2cap_retransmit_one_frame(chan, tx_seq);
dfc909be 3706
525cd185 3707 l2cap_ertm_send(chan);
dfc909be 3708
525cd185 3709 if (chan->conn_state & L2CAP_CONN_WAIT_F) {
6a026610 3710 chan->srej_save_reqseq = tx_seq;
525cd185 3711 chan->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 3712 }
e072745f 3713 } else if (rx_control & L2CAP_CTRL_FINAL) {
525cd185 3714 if ((chan->conn_state & L2CAP_CONN_SREJ_ACT) &&
6a026610 3715 chan->srej_save_reqseq == tx_seq)
525cd185 3716 chan->conn_state &= ~L2CAP_CONN_SREJ_ACT;
e072745f 3717 else
525cd185 3718 l2cap_retransmit_one_frame(chan, tx_seq);
e072745f 3719 } else {
525cd185
GP		 3720 l2cap_retransmit_one_frame(chan, tx_seq);
3721 if (chan->conn_state & L2CAP_CONN_WAIT_F) {
6a026610 3722 chan->srej_save_reqseq = tx_seq;
525cd185 3723 chan->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 3724 }
e072745f
GP		 3725 }
3726}
3727
525cd185 3728static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u16 rx_control)
e072745f 3729{
e072745f
GP		 3730 u8 tx_seq = __get_reqseq(rx_control);
3731
525cd185 3732 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
0e98958d 3733
525cd185 3734 chan->conn_state |= L2CAP_CONN_REMOTE_BUSY;
42e5c802
GP		 3735 chan->expected_ack_seq = tx_seq;
3736 l2cap_drop_acked_frames(chan);
e072745f 3737
3cb123d1 3738 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3739 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3cb123d1 3740
525cd185 3741 if (!(chan->conn_state & L2CAP_CONN_SREJ_SENT)) {
e92c8e70 3742 del_timer(&chan->retrans_timer);
a2e12a2a 3743 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3744 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
99b0d4b7 3745 return;
e072745f 3746 }
99b0d4b7
GP		 3747
3748 if (rx_control & L2CAP_CTRL_POLL)
525cd185 3749 l2cap_send_srejtail(chan);
99b0d4b7 3750 else
525cd185 3751 l2cap_send_sframe(chan, L2CAP_SUPER_RCV_READY);
e072745f
GP		 3752}
3753
525cd185 3754static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
e072745f 3755{
525cd185 3756 BT_DBG("chan %p rx_control 0x%4.4x len %d", chan, rx_control, skb->len);
e072745f 3757
9b16dc65 3758 if (L2CAP_CTRL_FINAL & rx_control &&
525cd185 3759 chan->conn_state & L2CAP_CONN_WAIT_F) {
e92c8e70 3760 del_timer(&chan->monitor_timer);
6a026610 3761 if (chan->unacked_frames > 0)
e072745f 3762 __mod_retrans_timer();
525cd185 3763 chan->conn_state &= ~L2CAP_CONN_WAIT_F;
e072745f
GP		 3764 }
3765
3766 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
3767 case L2CAP_SUPER_RCV_READY:
525cd185 3768 l2cap_data_channel_rrframe(chan, rx_control);
8f17154f
GP		 3769 break;
3770
e072745f 3771 case L2CAP_SUPER_REJECT:
525cd185 3772 l2cap_data_channel_rejframe(chan, rx_control);
e072745f 3773 break;
2246b2f1 3774
e072745f 3775 case L2CAP_SUPER_SELECT_REJECT:
525cd185 3776 l2cap_data_channel_srejframe(chan, rx_control);
e072745f
GP		 3777 break;
3778
3779 case L2CAP_SUPER_RCV_NOT_READY:
525cd185 3780 l2cap_data_channel_rnrframe(chan, rx_control);
1c2acffb
GP		 3781 break;
3782 }
3783
faaebd19 3784 kfree_skb(skb);
1c2acffb
GP		 3785 return 0;
3786}
3787
218bb9df
GP		 3788static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
3789{
525cd185 3790 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
218bb9df
GP		 3791 u16 control;
3792 u8 req_seq;
3793 int len, next_tx_seq_offset, req_seq_offset;
3794
3795 control = get_unaligned_le16(skb->data);
3796 skb_pull(skb, 2);
3797 len = skb->len;
3798
3799 /*
3800 * We can just drop the corrupted I-frame here.
3801 * Receiver will miss it and start proper recovery
3802 * procedures and ask retransmission.
3803 */
47d1ec61 3804 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 3805 goto drop;
3806
3807 if (__is_sar_start(control) && __is_iframe(control))
3808 len -= 2;
3809
47d1ec61 3810 if (chan->fcs == L2CAP_FCS_CRC16)
218bb9df
GP		 3811 len -= 2;
3812
47d1ec61 3813 if (len > chan->mps) {
8c1d787b 3814 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3815 goto drop;
3816 }
3817
3818 req_seq = __get_reqseq(control);
42e5c802 3819 req_seq_offset = (req_seq - chan->expected_ack_seq) % 64;
218bb9df
GP		 3820 if (req_seq_offset < 0)
3821 req_seq_offset += 64;
3822
3823 next_tx_seq_offset =
42e5c802 3824 (chan->next_tx_seq - chan->expected_ack_seq) % 64;
218bb9df
GP		 3825 if (next_tx_seq_offset < 0)
3826 next_tx_seq_offset += 64;
3827
3828 /* check for invalid req-seq */
3829 if (req_seq_offset > next_tx_seq_offset) {
8c1d787b 3830 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3831 goto drop;
3832 }
3833
3834 if (__is_iframe(control)) {
3835 if (len < 0) {
8c1d787b 3836 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3837 goto drop;
3838 }
3839
525cd185 3840 l2cap_data_channel_iframe(chan, control, skb);
218bb9df
GP		 3841 } else {
3842 if (len != 0) {
3843 BT_ERR("%d", len);
8c1d787b 3844 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3845 goto drop;
3846 }
3847
525cd185 3848 l2cap_data_channel_sframe(chan, control, skb);
218bb9df
GP		 3849 }
3850
3851 return 0;
3852
3853drop:
3854 kfree_skb(skb);
3855 return 0;
3856}
3857
1da177e4
LT		 3858static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
3859{
48454079 3860 struct l2cap_chan *chan;
bf734843 3861 struct sock *sk = NULL;
51893f88 3862 u16 control;
218bb9df
GP		 3863 u8 tx_seq;
3864 int len;
1da177e4 3865
baa7e1fa 3866 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 3867 if (!chan) {
1da177e4
LT		 3868 BT_DBG("unknown cid 0x%4.4x", cid);
3869 goto drop;
3870 }
3871
48454079 3872 sk = chan->sk;
6840ed07 3873
49208c9c 3874 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4
LT		 3875
3876 if (sk->sk_state != BT_CONNECTED)
3877 goto drop;
3878
0c1bc5c6 3879 switch (chan->mode) {
1c2acffb
GP		 3880 case L2CAP_MODE_BASIC:
3881 /* If socket recv buffers overflows we drop data here
3882 * which is *bad* because L2CAP has to be reliable.
3883 * But we don't have any other choice. L2CAP doesn't
3884 * provide flow control mechanism. */
1da177e4 3885
0c1bc5c6 3886 if (chan->imtu < skb->len)
1c2acffb 3887 goto drop;
1da177e4 3888
1c2acffb
GP		 3889 if (!sock_queue_rcv_skb(sk, skb))
3890 goto done;
3891 break;
3892
3893 case L2CAP_MODE_ERTM:
218bb9df
GP		 3894 if (!sock_owned_by_user(sk)) {
3895 l2cap_ertm_data_rcv(sk, skb);
277ffbe3 3896 } else {
218bb9df 3897 if (sk_add_backlog(sk, skb))
277ffbe3 3898 goto drop;
277ffbe3 3899 }
1c2acffb 3900
fcafde2e 3901 goto done;
1c2acffb 3902
6840ed07
GP		 3903 case L2CAP_MODE_STREAMING:
3904 control = get_unaligned_le16(skb->data);
3905 skb_pull(skb, 2);
3906 len = skb->len;
3907
47d1ec61 3908 if (l2cap_check_fcs(chan, skb))
26000089
GP		 3909 goto drop;
3910
6840ed07
GP		 3911 if (__is_sar_start(control))
3912 len -= 2;
3913
47d1ec61 3914 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 3915 len -= 2;
3916
47d1ec61 3917 if (len > chan->mps || len < 0 || __is_sframe(control))
6840ed07
GP		 3918 goto drop;
3919
3920 tx_seq = __get_txseq(control);
3921
42e5c802
GP		 3922 if (chan->expected_tx_seq == tx_seq)
3923 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
6840ed07 3924 else
42e5c802 3925 chan->expected_tx_seq = (tx_seq + 1) % 64;
6840ed07 3926
525cd185 3927 l2cap_streaming_reassembly_sdu(chan, skb, control);
6840ed07
GP		 3928
3929 goto done;
3930
1c2acffb 3931 default:
0c1bc5c6 3932 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 3933 break;
3934 }
1da177e4
LT		 3935
3936drop:
3937 kfree_skb(skb);
3938
3939done:
0139418c
MH		 3940 if (sk)
3941 bh_unlock_sock(sk);
3942
1da177e4
LT		 3943 return 0;
3944}
3945
8e036fc3 3946static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 3947{
6dcae1ea 3948 struct sock *sk = NULL;
23691d75 3949 struct l2cap_chan *chan;
1da177e4 3950
23691d75
GP		 3951 chan = l2cap_global_chan_by_psm(0, psm, conn->src);
3952 if (!chan)
1da177e4
LT		 3953 goto drop;
3954
23691d75
GP		 3955 sk = chan->sk;
3956
e0f0cb56
GP		 3957 bh_lock_sock(sk);
3958
1da177e4
LT		 3959 BT_DBG("sk %p, len %d", sk, skb->len);
3960
3961 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
3962 goto drop;
3963
0c1bc5c6 3964 if (l2cap_pi(sk)->chan->imtu < skb->len)
1da177e4
LT		 3965 goto drop;
3966
3967 if (!sock_queue_rcv_skb(sk, skb))
3968 goto done;
3969
3970drop:
3971 kfree_skb(skb);
3972
3973done:
af05b30b
GP		 3974 if (sk)
3975 bh_unlock_sock(sk);
1da177e4
LT		 3976 return 0;
3977}
3978
9f69bda6
GP		 3979static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
3980{
6dcae1ea 3981 struct sock *sk = NULL;
23691d75 3982 struct l2cap_chan *chan;
9f69bda6 3983
23691d75
GP		 3984 chan = l2cap_global_chan_by_scid(0, cid, conn->src);
3985 if (!chan)
9f69bda6
GP		 3986 goto drop;
3987
23691d75
GP		 3988 sk = chan->sk;
3989
9f69bda6
GP		 3990 bh_lock_sock(sk);
3991
3992 BT_DBG("sk %p, len %d", sk, skb->len);
3993
3994 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
3995 goto drop;
3996
0c1bc5c6 3997 if (l2cap_pi(sk)->chan->imtu < skb->len)
9f69bda6
GP		 3998 goto drop;
3999
4000 if (!sock_queue_rcv_skb(sk, skb))
4001 goto done;
4002
4003drop:
4004 kfree_skb(skb);
4005
4006done:
4007 if (sk)
4008 bh_unlock_sock(sk);
4009 return 0;
4010}
4011
1da177e4
LT		 4012static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4013{
4014 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4015 u16 cid, len;
4016 __le16 psm;
1da177e4
LT		 4017
4018 skb_pull(skb, L2CAP_HDR_SIZE);
4019 cid = __le16_to_cpu(lh->cid);
4020 len = __le16_to_cpu(lh->len);
4021
1c2acffb
GP		 4022 if (len != skb->len) {
4023 kfree_skb(skb);
4024 return;
4025 }
4026
1da177e4
LT		 4027 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4028
4029 switch (cid) {
3300d9a9 4030 case L2CAP_CID_LE_SIGNALING:
8db4dc46 4031 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4032 l2cap_sig_channel(conn, skb);
4033 break;
4034
8db4dc46 4035 case L2CAP_CID_CONN_LESS:
1b7bf4ed 4036 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 4037 skb_pull(skb, 2);
4038 l2cap_conless_channel(conn, psm, skb);
4039 break;
4040
9f69bda6
GP		 4041 case L2CAP_CID_LE_DATA:
4042 l2cap_att_channel(conn, cid, skb);
4043 break;
4044
1da177e4
LT		 4045 default:
4046 l2cap_data_channel(conn, cid, skb);
4047 break;
4048 }
4049}
4050
4051/* ---- L2CAP interface with lower layer (HCI) ---- */
4052
4053static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4054{
4055 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 4056 struct l2cap_chan *c;
1da177e4
LT		 4057
4058 if (type != ACL_LINK)
963cf687 4059 return -EINVAL;
1da177e4
LT		 4060
4061 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4062
4063 /* Find listening sockets and check their link_mode */
23691d75
GP		 4064 read_lock(&chan_list_lock);
4065 list_for_each_entry(c, &chan_list, global_l) {
4066 struct sock *sk = c->sk;
4343478f 4067
1da177e4
LT		 4068 if (sk->sk_state != BT_LISTEN)
4069 continue;
4070
4071 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4072 lm1 |= HCI_LM_ACCEPT;
23691d75 4073 if (c->role_switch)
2af6b9d5 4074 lm1 |= HCI_LM_MASTER;
1da177e4 4075 exact++;
2af6b9d5
MH		 4076 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4077 lm2 |= HCI_LM_ACCEPT;
23691d75 4078 if (c->role_switch)
2af6b9d5
MH		 4079 lm2 |= HCI_LM_MASTER;
4080 }
1da177e4 4081 }
23691d75 4082 read_unlock(&chan_list_lock);
1da177e4
LT		 4083
4084 return exact ? lm1 : lm2;
4085}
4086
4087static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4088{
0139418c
MH		 4089 struct l2cap_conn *conn;
4090
1da177e4
LT		 4091 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4092
acd7d370 4093 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4094 return -EINVAL;
1da177e4
LT		 4095
4096 if (!status) {
1da177e4
LT		 4097 conn = l2cap_conn_add(hcon, status);
4098 if (conn)
4099 l2cap_conn_ready(conn);
0139418c 4100 } else
1da177e4
LT		 4101 l2cap_conn_del(hcon, bt_err(status));
4102
4103 return 0;
4104}
4105
2950f21a
MH		 4106static int l2cap_disconn_ind(struct hci_conn *hcon)
4107{
4108 struct l2cap_conn *conn = hcon->l2cap_data;
4109
4110 BT_DBG("hcon %p", hcon);
4111
4112 if (hcon->type != ACL_LINK || !conn)
4113 return 0x13;
4114
4115 return conn->disc_reason;
4116}
4117
4118static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4119{
4120 BT_DBG("hcon %p reason %d", hcon, reason);
4121
acd7d370 4122 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4123 return -EINVAL;
1da177e4
LT		 4124
4125 l2cap_conn_del(hcon, bt_err(reason));
0139418c 4126
1da177e4
LT		 4127 return 0;
4128}
4129
4343478f 4130static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4131{
715ec005 4132 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 4133 return;
4134
f62e4323 4135 if (encrypt == 0x00) {
4343478f 4136 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ab07801d
GP		 4137 l2cap_chan_clear_timer(chan);
4138 l2cap_chan_set_timer(chan, HZ * 5);
4343478f 4139 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 4140 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4141 } else {
4343478f 4142 if (chan->sec_level == BT_SECURITY_MEDIUM)
ab07801d 4143 l2cap_chan_clear_timer(chan);
f62e4323
MH		 4144 }
4145}
4146
8c1b2355 4147static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4148{
0139418c 4149 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4150 struct l2cap_chan *chan;
1da177e4 4151
0139418c 4152 if (!conn)
1da177e4 4153 return 0;
0139418c 4154
1da177e4
LT		 4155 BT_DBG("conn %p", conn);
4156
baa7e1fa 4157 read_lock(&conn->chan_lock);
1da177e4 4158
baa7e1fa 4159 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 4160 struct sock *sk = chan->sk;
baa7e1fa 4161
1da177e4
LT		 4162 bh_lock_sock(sk);
4163
b4450035 4164 if (chan->conf_state & L2CAP_CONF_CONNECT_PEND) {
6a8d3010
MH		 4165 bh_unlock_sock(sk);
4166 continue;
4167 }
4168
f62e4323 4169 if (!status && (sk->sk_state == BT_CONNECTED ||
8c1b2355 4170 sk->sk_state == BT_CONFIG)) {
4343478f 4171 l2cap_check_encryption(chan, encrypt);
9719f8af
MH		 4172 bh_unlock_sock(sk);
4173 continue;
4174 }
4175
b1235d79
MH		 4176 if (sk->sk_state == BT_CONNECT) {
4177 if (!status) {
4178 struct l2cap_conn_req req;
fe4128e0
GP		 4179 req.scid = cpu_to_le16(chan->scid);
4180 req.psm = chan->psm;
1da177e4 4181
fc7f8a7e 4182 chan->ident = l2cap_get_ident(conn);
b4450035 4183 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4 4184
fc7f8a7e 4185 l2cap_send_cmd(conn, chan->ident,
b1235d79
MH		 4186 L2CAP_CONN_REQ, sizeof(req), &req);
4187 } else {
ab07801d
GP		 4188 l2cap_chan_clear_timer(chan);
4189 l2cap_chan_set_timer(chan, HZ / 10);
b1235d79
MH		 4190 }
4191 } else if (sk->sk_state == BT_CONNECT2) {
4192 struct l2cap_conn_rsp rsp;
4193 __u16 result;
1da177e4 4194
b1235d79
MH		 4195 if (!status) {
4196 sk->sk_state = BT_CONFIG;
4197 result = L2CAP_CR_SUCCESS;
4198 } else {
4199 sk->sk_state = BT_DISCONN;
ab07801d 4200 l2cap_chan_set_timer(chan, HZ / 10);
b1235d79
MH		 4201 result = L2CAP_CR_SEC_BLOCK;
4202 }
4203
fe4128e0
GP		 4204 rsp.scid = cpu_to_le16(chan->dcid);
4205 rsp.dcid = cpu_to_le16(chan->scid);
b1235d79 4206 rsp.result = cpu_to_le16(result);
e7c29cb1 4207 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
fc7f8a7e
GP		 4208 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4209 sizeof(rsp), &rsp);
b1235d79 4210 }
1da177e4
LT		 4211
4212 bh_unlock_sock(sk);
4213 }
4214
baa7e1fa 4215 read_unlock(&conn->chan_lock);
b1235d79 4216
1da177e4
LT		 4217 return 0;
4218}
4219
4220static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4221{
4222 struct l2cap_conn *conn = hcon->l2cap_data;
4223
5a08ecce
AE		 4224 if (!conn)
4225 conn = l2cap_conn_add(hcon, 0);
4226
4227 if (!conn)
1da177e4
LT		 4228 goto drop;
4229
4230 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4231
e702112f 4232 if (!(flags & ACL_CONT)) {
1da177e4 4233 struct l2cap_hdr *hdr;
48454079 4234 struct l2cap_chan *chan;
89794813 4235 u16 cid;
1da177e4
LT		 4236 int len;
4237
4238 if (conn->rx_len) {
4239 BT_ERR("Unexpected start frame (len %d)", skb->len);
4240 kfree_skb(conn->rx_skb);
4241 conn->rx_skb = NULL;
4242 conn->rx_len = 0;
4243 l2cap_conn_unreliable(conn, ECOMM);
4244 }
4245
aae7fe22
AE		 4246 /* Start fragment always begin with Basic L2CAP header */
4247 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 4248 BT_ERR("Frame is too short (len %d)", skb->len);
4249 l2cap_conn_unreliable(conn, ECOMM);
4250 goto drop;
4251 }
4252
4253 hdr = (struct l2cap_hdr *) skb->data;
4254 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
89794813 4255 cid = __le16_to_cpu(hdr->cid);
1da177e4
LT		 4256
4257 if (len == skb->len) {
4258 /* Complete frame received */
4259 l2cap_recv_frame(conn, skb);
4260 return 0;
4261 }
4262
4263 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4264
4265 if (skb->len > len) {
4266 BT_ERR("Frame is too long (len %d, expected len %d)",
4267 skb->len, len);
4268 l2cap_conn_unreliable(conn, ECOMM);
4269 goto drop;
4270 }
4271
baa7e1fa 4272 chan = l2cap_get_chan_by_scid(conn, cid);
89794813 4273
48454079
GP		 4274 if (chan && chan->sk) {
4275 struct sock *sk = chan->sk;
89794813 4276
0c1bc5c6 4277 if (chan->imtu < len - L2CAP_HDR_SIZE) {
48454079
GP		 4278 BT_ERR("Frame exceeding recv MTU (len %d, "
4279 "MTU %d)", len,
0c1bc5c6 4280 chan->imtu);
48454079
GP		 4281 bh_unlock_sock(sk);
4282 l2cap_conn_unreliable(conn, ECOMM);
4283 goto drop;
4284 }
89794813 4285 bh_unlock_sock(sk);
48454079 4286 }
89794813 4287
1da177e4 4288 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4289 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4290 if (!conn->rx_skb)
1da177e4
LT		 4291 goto drop;
4292
d626f62b 4293 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4294 skb->len);
1da177e4
LT		 4295 conn->rx_len = len - skb->len;
4296 } else {
4297 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4298
4299 if (!conn->rx_len) {
4300 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4301 l2cap_conn_unreliable(conn, ECOMM);
4302 goto drop;
4303 }
4304
4305 if (skb->len > conn->rx_len) {
4306 BT_ERR("Fragment is too long (len %d, expected %d)",
4307 skb->len, conn->rx_len);
4308 kfree_skb(conn->rx_skb);
4309 conn->rx_skb = NULL;
4310 conn->rx_len = 0;
4311 l2cap_conn_unreliable(conn, ECOMM);
4312 goto drop;
4313 }
4314
d626f62b 4315 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4316 skb->len);
1da177e4
LT		 4317 conn->rx_len -= skb->len;
4318
4319 if (!conn->rx_len) {
4320 /* Complete frame received */
4321 l2cap_recv_frame(conn, conn->rx_skb);
4322 conn->rx_skb = NULL;
4323 }
4324 }
4325
4326drop:
4327 kfree_skb(skb);
4328 return 0;
4329}
4330
aef7d97c 4331static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 4332{
23691d75 4333 struct l2cap_chan *c;
1da177e4 4334
23691d75 4335 read_lock_bh(&chan_list_lock);
1da177e4 4336
23691d75
GP		 4337 list_for_each_entry(c, &chan_list, global_l) {
4338 struct sock *sk = c->sk;
101545f6 4339
903d343e 4340 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 4341 batostr(&bt_sk(sk)->src),
4342 batostr(&bt_sk(sk)->dst),
23691d75
GP		 4343 sk->sk_state, __le16_to_cpu(c->psm),
4344 c->scid, c->dcid, c->imtu, c->omtu,
4345 c->sec_level, c->mode);
be9d1227 4346 }
1da177e4 4347
23691d75 4348 read_unlock_bh(&chan_list_lock);
1da177e4 4349
aef7d97c 4350 return 0;
1da177e4
LT		 4351}
4352
aef7d97c
MH		 4353static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4354{
4355 return single_open(file, l2cap_debugfs_show, inode->i_private);
4356}
4357
4358static const struct file_operations l2cap_debugfs_fops = {
4359 .open = l2cap_debugfs_open,
4360 .read = seq_read,
4361 .llseek = seq_lseek,
4362 .release = single_release,
4363};
4364
4365static struct dentry *l2cap_debugfs;
1da177e4 4366
1da177e4
LT		 4367static struct hci_proto l2cap_hci_proto = {
4368 .name = "L2CAP",
4369 .id = HCI_PROTO_L2CAP,
4370 .connect_ind = l2cap_connect_ind,
4371 .connect_cfm = l2cap_connect_cfm,
4372 .disconn_ind = l2cap_disconn_ind,
2950f21a 4373 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 4374 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 4375 .recv_acldata = l2cap_recv_acldata
4376};
4377
64274518 4378int __init l2cap_init(void)
1da177e4
LT		 4379{
4380 int err;
be9d1227 4381
bb58f747 4382 err = l2cap_init_sockets();
1da177e4
LT		 4383 if (err < 0)
4384 return err;
4385
1890d36b 4386 _busy_wq = create_singlethread_workqueue("l2cap");
b78d7b4f 4387 if (!_busy_wq) {
bb58f747 4388 err = -ENOMEM;
1da177e4
LT		 4389 goto error;
4390 }
4391
4392 err = hci_register_proto(&l2cap_hci_proto);
4393 if (err < 0) {
4394 BT_ERR("L2CAP protocol registration failed");
4395 bt_sock_unregister(BTPROTO_L2CAP);
4396 goto error;
4397 }
4398
aef7d97c
MH		 4399 if (bt_debugfs) {
4400 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4401 bt_debugfs, NULL, &l2cap_debugfs_fops);
4402 if (!l2cap_debugfs)
4403 BT_ERR("Failed to create L2CAP debug file");
4404 }
1da177e4 4405
1da177e4
LT		 4406 return 0;
4407
4408error:
b78d7b4f 4409 destroy_workqueue(_busy_wq);
bb58f747 4410 l2cap_cleanup_sockets();
1da177e4
LT		 4411 return err;
4412}
4413
64274518 4414void l2cap_exit(void)
1da177e4 4415{
aef7d97c 4416 debugfs_remove(l2cap_debugfs);
1da177e4 4417
1890d36b
GP		 4418 flush_workqueue(_busy_wq);
4419 destroy_workqueue(_busy_wq);
4420
1da177e4
LT		 4421 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4422 BT_ERR("L2CAP protocol unregistration failed");
4423
bb58f747 4424 l2cap_cleanup_sockets();
1da177e4
LT		 4425}
4426
d1c4a17d
GP		 4427module_param(disable_ertm, bool, 0644);
4428MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
Linux kernel - Deliverables
This page took 0.986377 seconds and 5 git commands to generate.