mac80211: fix TKIP replay vulnerability
[linux-2.6.git] / net / bluetooth / l2cap_core.c
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2000-2001 Qualcomm Incorporated
4    Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5    Copyright (C) 2010 Google Inc.
6
7    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License version 2 as
11    published by the Free Software Foundation;
12
13    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
14    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
16    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
17    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
18    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
19    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
20    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21
22    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
23    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
24    SOFTWARE IS DISCLAIMED.
25 */
26
27 /* Bluetooth L2CAP core. */
28
29 #include <linux/module.h>
30
31 #include <linux/types.h>
32 #include <linux/capability.h>
33 #include <linux/errno.h>
34 #include <linux/kernel.h>
35 #include <linux/sched.h>
36 #include <linux/slab.h>
37 #include <linux/poll.h>
38 #include <linux/fcntl.h>
39 #include <linux/init.h>
40 #include <linux/interrupt.h>
41 #include <linux/socket.h>
42 #include <linux/skbuff.h>
43 #include <linux/list.h>
44 #include <linux/device.h>
45 #include <linux/debugfs.h>
46 #include <linux/seq_file.h>
47 #include <linux/uaccess.h>
48 #include <linux/crc16.h>
49 #include <net/sock.h>
50
51 #include <asm/system.h>
52 #include <asm/unaligned.h>
53
54 #include <net/bluetooth/bluetooth.h>
55 #include <net/bluetooth/hci_core.h>
56 #include <net/bluetooth/l2cap.h>
57
58 int disable_ertm;
59
60 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
61 static u8 l2cap_fixed_chan[8] = { 0x02, };
62
63 static struct workqueue_struct *_busy_wq;
64
65 LIST_HEAD(chan_list);
66 DEFINE_RWLOCK(chan_list_lock);
67
68 static void l2cap_busy_work(struct work_struct *work);
69
70 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
71                                 u8 code, u8 ident, u16 dlen, void *data);
72 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
73
74 static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
75
76 /* ---- L2CAP channels ---- */
77 static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
78 {
79         struct l2cap_chan *c;
80
81         list_for_each_entry(c, &conn->chan_l, list) {
82                 if (c->dcid == cid)
83                         return c;
84         }
85         return NULL;
86
87 }
88
89 static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
90 {
91         struct l2cap_chan *c;
92
93         list_for_each_entry(c, &conn->chan_l, list) {
94                 if (c->scid == cid)
95                         return c;
96         }
97         return NULL;
98 }
99
100 /* Find channel with given SCID.
101  * Returns locked socket */
102 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
103 {
104         struct l2cap_chan *c;
105
106         read_lock(&conn->chan_lock);
107         c = __l2cap_get_chan_by_scid(conn, cid);
108         if (c)
109                 bh_lock_sock(c->sk);
110         read_unlock(&conn->chan_lock);
111         return c;
112 }
113
114 static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
115 {
116         struct l2cap_chan *c;
117
118         list_for_each_entry(c, &conn->chan_l, list) {
119                 if (c->ident == ident)
120                         return c;
121         }
122         return NULL;
123 }
124
125 static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
126 {
127         struct l2cap_chan *c;
128
129         read_lock(&conn->chan_lock);
130         c = __l2cap_get_chan_by_ident(conn, ident);
131         if (c)
132                 bh_lock_sock(c->sk);
133         read_unlock(&conn->chan_lock);
134         return c;
135 }
136
137 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
138 {
139         struct l2cap_chan *c;
140
141         list_for_each_entry(c, &chan_list, global_l) {
142                 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
143                         goto found;
144         }
145
146         c = NULL;
147 found:
148         return c;
149 }
150
151 int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
152 {
153         int err;
154
155         write_lock_bh(&chan_list_lock);
156
157         if (psm && __l2cap_global_chan_by_addr(psm, src)) {
158                 err = -EADDRINUSE;
159                 goto done;
160         }
161
162         if (psm) {
163                 chan->psm = psm;
164                 chan->sport = psm;
165                 err = 0;
166         } else {
167                 u16 p;
168
169                 err = -EINVAL;
170                 for (p = 0x1001; p < 0x1100; p += 2)
171                         if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
172                                 chan->psm   = cpu_to_le16(p);
173                                 chan->sport = cpu_to_le16(p);
174                                 err = 0;
175                                 break;
176                         }
177         }
178
179 done:
180         write_unlock_bh(&chan_list_lock);
181         return err;
182 }
183
184 int l2cap_add_scid(struct l2cap_chan *chan,  __u16 scid)
185 {
186         write_lock_bh(&chan_list_lock);
187
188         chan->scid = scid;
189
190         write_unlock_bh(&chan_list_lock);
191
192         return 0;
193 }
194
195 static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
196 {
197         u16 cid = L2CAP_CID_DYN_START;
198
199         for (; cid < L2CAP_CID_DYN_END; cid++) {
200                 if (!__l2cap_get_chan_by_scid(conn, cid))
201                         return cid;
202         }
203
204         return 0;
205 }
206
207 struct l2cap_chan *l2cap_chan_create(struct sock *sk)
208 {
209         struct l2cap_chan *chan;
210
211         chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
212         if (!chan)
213                 return NULL;
214
215         chan->sk = sk;
216
217         write_lock_bh(&chan_list_lock);
218         list_add(&chan->global_l, &chan_list);
219         write_unlock_bh(&chan_list_lock);
220
221         return chan;
222 }
223
224 void l2cap_chan_destroy(struct l2cap_chan *chan)
225 {
226         write_lock_bh(&chan_list_lock);
227         list_del(&chan->global_l);
228         write_unlock_bh(&chan_list_lock);
229
230         kfree(chan);
231 }
232
233 static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
234 {
235         struct sock *sk = chan->sk;
236
237         BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
238                         chan->psm, chan->dcid);
239
240         conn->disc_reason = 0x13;
241
242         chan->conn = conn;
243
244         if (sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM) {
245                 if (conn->hcon->type == LE_LINK) {
246                         /* LE connection */
247                         chan->omtu = L2CAP_LE_DEFAULT_MTU;
248                         chan->scid = L2CAP_CID_LE_DATA;
249                         chan->dcid = L2CAP_CID_LE_DATA;
250                 } else {
251                         /* Alloc CID for connection-oriented socket */
252                         chan->scid = l2cap_alloc_cid(conn);
253                         chan->omtu = L2CAP_DEFAULT_MTU;
254                 }
255         } else if (sk->sk_type == SOCK_DGRAM) {
256                 /* Connectionless socket */
257                 chan->scid = L2CAP_CID_CONN_LESS;
258                 chan->dcid = L2CAP_CID_CONN_LESS;
259                 chan->omtu = L2CAP_DEFAULT_MTU;
260         } else {
261                 /* Raw socket can send/recv signalling messages only */
262                 chan->scid = L2CAP_CID_SIGNALING;
263                 chan->dcid = L2CAP_CID_SIGNALING;
264                 chan->omtu = L2CAP_DEFAULT_MTU;
265         }
266
267         sock_hold(sk);
268
269         list_add(&chan->list, &conn->chan_l);
270 }
271
272 /* Delete channel.
273  * Must be called on the locked socket. */
274 void l2cap_chan_del(struct l2cap_chan *chan, int err)
275 {
276         struct sock *sk = chan->sk;
277         struct l2cap_conn *conn = chan->conn;
278         struct sock *parent = bt_sk(sk)->parent;
279
280         l2cap_sock_clear_timer(sk);
281
282         BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
283
284         if (conn) {
285                 /* Delete from channel list */
286                 write_lock_bh(&conn->chan_lock);
287                 list_del(&chan->list);
288                 write_unlock_bh(&conn->chan_lock);
289                 __sock_put(sk);
290
291                 chan->conn = NULL;
292                 hci_conn_put(conn->hcon);
293         }
294
295         sk->sk_state = BT_CLOSED;
296         sock_set_flag(sk, SOCK_ZAPPED);
297
298         if (err)
299                 sk->sk_err = err;
300
301         if (parent) {
302                 bt_accept_unlink(sk);
303                 parent->sk_data_ready(parent, 0);
304         } else
305                 sk->sk_state_change(sk);
306
307         if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE &&
308                         chan->conf_state & L2CAP_CONF_INPUT_DONE))
309                 return;
310
311         skb_queue_purge(&chan->tx_q);
312
313         if (chan->mode == L2CAP_MODE_ERTM) {
314                 struct srej_list *l, *tmp;
315
316                 del_timer(&chan->retrans_timer);
317                 del_timer(&chan->monitor_timer);
318                 del_timer(&chan->ack_timer);
319
320                 skb_queue_purge(&chan->srej_q);
321                 skb_queue_purge(&chan->busy_q);
322
323                 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
324                         list_del(&l->list);
325                         kfree(l);
326                 }
327         }
328 }
329
330 static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
331 {
332         struct sock *sk = chan->sk;
333
334         if (sk->sk_type == SOCK_RAW) {
335                 switch (chan->sec_level) {
336                 case BT_SECURITY_HIGH:
337                         return HCI_AT_DEDICATED_BONDING_MITM;
338                 case BT_SECURITY_MEDIUM:
339                         return HCI_AT_DEDICATED_BONDING;
340                 default:
341                         return HCI_AT_NO_BONDING;
342                 }
343         } else if (chan->psm == cpu_to_le16(0x0001)) {
344                 if (chan->sec_level == BT_SECURITY_LOW)
345                         chan->sec_level = BT_SECURITY_SDP;
346
347                 if (chan->sec_level == BT_SECURITY_HIGH)
348                         return HCI_AT_NO_BONDING_MITM;
349                 else
350                         return HCI_AT_NO_BONDING;
351         } else {
352                 switch (chan->sec_level) {
353                 case BT_SECURITY_HIGH:
354                         return HCI_AT_GENERAL_BONDING_MITM;
355                 case BT_SECURITY_MEDIUM:
356                         return HCI_AT_GENERAL_BONDING;
357                 default:
358                         return HCI_AT_NO_BONDING;
359                 }
360         }
361 }
362
363 /* Service level security */
364 static inline int l2cap_check_security(struct l2cap_chan *chan)
365 {
366         struct l2cap_conn *conn = chan->conn;
367         __u8 auth_type;
368
369         auth_type = l2cap_get_auth_type(chan);
370
371         return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
372 }
373
374 u8 l2cap_get_ident(struct l2cap_conn *conn)
375 {
376         u8 id;
377
378         /* Get next available identificator.
379          *    1 - 128 are used by kernel.
380          *  129 - 199 are reserved.
381          *  200 - 254 are used by utilities like l2ping, etc.
382          */
383
384         spin_lock_bh(&conn->lock);
385
386         if (++conn->tx_ident > 128)
387                 conn->tx_ident = 1;
388
389         id = conn->tx_ident;
390
391         spin_unlock_bh(&conn->lock);
392
393         return id;
394 }
395
396 void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
397 {
398         struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
399         u8 flags;
400
401         BT_DBG("code 0x%2.2x", code);
402
403         if (!skb)
404                 return;
405
406         if (lmp_no_flush_capable(conn->hcon->hdev))
407                 flags = ACL_START_NO_FLUSH;
408         else
409                 flags = ACL_START;
410
411         hci_send_acl(conn->hcon, skb, flags);
412 }
413
414 static inline void l2cap_send_sframe(struct l2cap_chan *chan, u16 control)
415 {
416         struct sk_buff *skb;
417         struct l2cap_hdr *lh;
418         struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
419         struct l2cap_conn *conn = chan->conn;
420         struct sock *sk = (struct sock *)pi;
421         int count, hlen = L2CAP_HDR_SIZE + 2;
422         u8 flags;
423
424         if (sk->sk_state != BT_CONNECTED)
425                 return;
426
427         if (chan->fcs == L2CAP_FCS_CRC16)
428                 hlen += 2;
429
430         BT_DBG("chan %p, control 0x%2.2x", chan, control);
431
432         count = min_t(unsigned int, conn->mtu, hlen);
433         control |= L2CAP_CTRL_FRAME_TYPE;
434
435         if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
436                 control |= L2CAP_CTRL_FINAL;
437                 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
438         }
439
440         if (chan->conn_state & L2CAP_CONN_SEND_PBIT) {
441                 control |= L2CAP_CTRL_POLL;
442                 chan->conn_state &= ~L2CAP_CONN_SEND_PBIT;
443         }
444
445         skb = bt_skb_alloc(count, GFP_ATOMIC);
446         if (!skb)
447                 return;
448
449         lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
450         lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
451         lh->cid = cpu_to_le16(chan->dcid);
452         put_unaligned_le16(control, skb_put(skb, 2));
453
454         if (chan->fcs == L2CAP_FCS_CRC16) {
455                 u16 fcs = crc16(0, (u8 *)lh, count - 2);
456                 put_unaligned_le16(fcs, skb_put(skb, 2));
457         }
458
459         if (lmp_no_flush_capable(conn->hcon->hdev))
460                 flags = ACL_START_NO_FLUSH;
461         else
462                 flags = ACL_START;
463
464         hci_send_acl(chan->conn->hcon, skb, flags);
465 }
466
467 static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u16 control)
468 {
469         if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
470                 control |= L2CAP_SUPER_RCV_NOT_READY;
471                 chan->conn_state |= L2CAP_CONN_RNR_SENT;
472         } else
473                 control |= L2CAP_SUPER_RCV_READY;
474
475         control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
476
477         l2cap_send_sframe(chan, control);
478 }
479
480 static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
481 {
482         return !(chan->conf_state & L2CAP_CONF_CONNECT_PEND);
483 }
484
485 static void l2cap_do_start(struct l2cap_chan *chan)
486 {
487         struct l2cap_conn *conn = chan->conn;
488
489         if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
490                 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
491                         return;
492
493                 if (l2cap_check_security(chan) &&
494                                 __l2cap_no_conn_pending(chan)) {
495                         struct l2cap_conn_req req;
496                         req.scid = cpu_to_le16(chan->scid);
497                         req.psm  = chan->psm;
498
499                         chan->ident = l2cap_get_ident(conn);
500                         chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
501
502                         l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
503                                                         sizeof(req), &req);
504                 }
505         } else {
506                 struct l2cap_info_req req;
507                 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
508
509                 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
510                 conn->info_ident = l2cap_get_ident(conn);
511
512                 mod_timer(&conn->info_timer, jiffies +
513                                         msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
514
515                 l2cap_send_cmd(conn, conn->info_ident,
516                                         L2CAP_INFO_REQ, sizeof(req), &req);
517         }
518 }
519
520 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
521 {
522         u32 local_feat_mask = l2cap_feat_mask;
523         if (!disable_ertm)
524                 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
525
526         switch (mode) {
527         case L2CAP_MODE_ERTM:
528                 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
529         case L2CAP_MODE_STREAMING:
530                 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
531         default:
532                 return 0x00;
533         }
534 }
535
536 void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
537 {
538         struct sock *sk;
539         struct l2cap_disconn_req req;
540
541         if (!conn)
542                 return;
543
544         sk = chan->sk;
545
546         if (chan->mode == L2CAP_MODE_ERTM) {
547                 del_timer(&chan->retrans_timer);
548                 del_timer(&chan->monitor_timer);
549                 del_timer(&chan->ack_timer);
550         }
551
552         req.dcid = cpu_to_le16(chan->dcid);
553         req.scid = cpu_to_le16(chan->scid);
554         l2cap_send_cmd(conn, l2cap_get_ident(conn),
555                         L2CAP_DISCONN_REQ, sizeof(req), &req);
556
557         sk->sk_state = BT_DISCONN;
558         sk->sk_err = err;
559 }
560
561 /* ---- L2CAP connections ---- */
562 static void l2cap_conn_start(struct l2cap_conn *conn)
563 {
564         struct l2cap_chan *chan, *tmp;
565
566         BT_DBG("conn %p", conn);
567
568         read_lock(&conn->chan_lock);
569
570         list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
571                 struct sock *sk = chan->sk;
572
573                 bh_lock_sock(sk);
574
575                 if (sk->sk_type != SOCK_SEQPACKET &&
576                                 sk->sk_type != SOCK_STREAM) {
577                         bh_unlock_sock(sk);
578                         continue;
579                 }
580
581                 if (sk->sk_state == BT_CONNECT) {
582                         struct l2cap_conn_req req;
583
584                         if (!l2cap_check_security(chan) ||
585                                         !__l2cap_no_conn_pending(chan)) {
586                                 bh_unlock_sock(sk);
587                                 continue;
588                         }
589
590                         if (!l2cap_mode_supported(chan->mode,
591                                         conn->feat_mask)
592                                         && chan->conf_state &
593                                         L2CAP_CONF_STATE2_DEVICE) {
594                                 /* __l2cap_sock_close() calls list_del(chan)
595                                  * so release the lock */
596                                 read_unlock_bh(&conn->chan_lock);
597                                  __l2cap_sock_close(sk, ECONNRESET);
598                                 read_lock_bh(&conn->chan_lock);
599                                 bh_unlock_sock(sk);
600                                 continue;
601                         }
602
603                         req.scid = cpu_to_le16(chan->scid);
604                         req.psm  = chan->psm;
605
606                         chan->ident = l2cap_get_ident(conn);
607                         chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
608
609                         l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
610                                                         sizeof(req), &req);
611
612                 } else if (sk->sk_state == BT_CONNECT2) {
613                         struct l2cap_conn_rsp rsp;
614                         char buf[128];
615                         rsp.scid = cpu_to_le16(chan->dcid);
616                         rsp.dcid = cpu_to_le16(chan->scid);
617
618                         if (l2cap_check_security(chan)) {
619                                 if (bt_sk(sk)->defer_setup) {
620                                         struct sock *parent = bt_sk(sk)->parent;
621                                         rsp.result = cpu_to_le16(L2CAP_CR_PEND);
622                                         rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
623                                         parent->sk_data_ready(parent, 0);
624
625                                 } else {
626                                         sk->sk_state = BT_CONFIG;
627                                         rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
628                                         rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
629                                 }
630                         } else {
631                                 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
632                                 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
633                         }
634
635                         l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
636                                                         sizeof(rsp), &rsp);
637
638                         if (chan->conf_state & L2CAP_CONF_REQ_SENT ||
639                                         rsp.result != L2CAP_CR_SUCCESS) {
640                                 bh_unlock_sock(sk);
641                                 continue;
642                         }
643
644                         chan->conf_state |= L2CAP_CONF_REQ_SENT;
645                         l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
646                                                 l2cap_build_conf_req(chan, buf), buf);
647                         chan->num_conf_req++;
648                 }
649
650                 bh_unlock_sock(sk);
651         }
652
653         read_unlock(&conn->chan_lock);
654 }
655
656 /* Find socket with cid and source bdaddr.
657  * Returns closest match, locked.
658  */
659 static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
660 {
661         struct l2cap_chan *c, *c1 = NULL;
662
663         read_lock(&chan_list_lock);
664
665         list_for_each_entry(c, &chan_list, global_l) {
666                 struct sock *sk = c->sk;
667
668                 if (state && sk->sk_state != state)
669                         continue;
670
671                 if (c->scid == cid) {
672                         /* Exact match. */
673                         if (!bacmp(&bt_sk(sk)->src, src)) {
674                                 read_unlock(&chan_list_lock);
675                                 return c;
676                         }
677
678                         /* Closest match */
679                         if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
680                                 c1 = c;
681                 }
682         }
683
684         read_unlock(&chan_list_lock);
685
686         return c1;
687 }
688
689 static void l2cap_le_conn_ready(struct l2cap_conn *conn)
690 {
691         struct sock *parent, *sk;
692         struct l2cap_chan *chan, *pchan;
693
694         BT_DBG("");
695
696         /* Check if we have socket listening on cid */
697         pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
698                                                         conn->src);
699         if (!pchan)
700                 return;
701
702         parent = pchan->sk;
703
704         bh_lock_sock(parent);
705
706         /* Check for backlog size */
707         if (sk_acceptq_is_full(parent)) {
708                 BT_DBG("backlog full %d", parent->sk_ack_backlog);
709                 goto clean;
710         }
711
712         sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
713         if (!sk)
714                 goto clean;
715
716         chan = l2cap_chan_create(sk);
717         if (!chan) {
718                 l2cap_sock_kill(sk);
719                 goto clean;
720         }
721
722         l2cap_pi(sk)->chan = chan;
723
724         write_lock_bh(&conn->chan_lock);
725
726         hci_conn_hold(conn->hcon);
727
728         l2cap_sock_init(sk, parent);
729
730         bacpy(&bt_sk(sk)->src, conn->src);
731         bacpy(&bt_sk(sk)->dst, conn->dst);
732
733         bt_accept_enqueue(parent, sk);
734
735         __l2cap_chan_add(conn, chan);
736
737         l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
738
739         sk->sk_state = BT_CONNECTED;
740         parent->sk_data_ready(parent, 0);
741
742         write_unlock_bh(&conn->chan_lock);
743
744 clean:
745         bh_unlock_sock(parent);
746 }
747
748 static void l2cap_conn_ready(struct l2cap_conn *conn)
749 {
750         struct l2cap_chan *chan;
751
752         BT_DBG("conn %p", conn);
753
754         if (!conn->hcon->out && conn->hcon->type == LE_LINK)
755                 l2cap_le_conn_ready(conn);
756
757         read_lock(&conn->chan_lock);
758
759         list_for_each_entry(chan, &conn->chan_l, list) {
760                 struct sock *sk = chan->sk;
761
762                 bh_lock_sock(sk);
763
764                 if (conn->hcon->type == LE_LINK) {
765                         l2cap_sock_clear_timer(sk);
766                         sk->sk_state = BT_CONNECTED;
767                         sk->sk_state_change(sk);
768                 }
769
770                 if (sk->sk_type != SOCK_SEQPACKET &&
771                                 sk->sk_type != SOCK_STREAM) {
772                         l2cap_sock_clear_timer(sk);
773                         sk->sk_state = BT_CONNECTED;
774                         sk->sk_state_change(sk);
775                 } else if (sk->sk_state == BT_CONNECT)
776                         l2cap_do_start(chan);
777
778                 bh_unlock_sock(sk);
779         }
780
781         read_unlock(&conn->chan_lock);
782 }
783
784 /* Notify sockets that we cannot guaranty reliability anymore */
785 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
786 {
787         struct l2cap_chan *chan;
788
789         BT_DBG("conn %p", conn);
790
791         read_lock(&conn->chan_lock);
792
793         list_for_each_entry(chan, &conn->chan_l, list) {
794                 struct sock *sk = chan->sk;
795
796                 if (chan->force_reliable)
797                         sk->sk_err = err;
798         }
799
800         read_unlock(&conn->chan_lock);
801 }
802
803 static void l2cap_info_timeout(unsigned long arg)
804 {
805         struct l2cap_conn *conn = (void *) arg;
806
807         conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
808         conn->info_ident = 0;
809
810         l2cap_conn_start(conn);
811 }
812
813 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
814 {
815         struct l2cap_conn *conn = hcon->l2cap_data;
816
817         if (conn || status)
818                 return conn;
819
820         conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
821         if (!conn)
822                 return NULL;
823
824         hcon->l2cap_data = conn;
825         conn->hcon = hcon;
826
827         BT_DBG("hcon %p conn %p", hcon, conn);
828
829         if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
830                 conn->mtu = hcon->hdev->le_mtu;
831         else
832                 conn->mtu = hcon->hdev->acl_mtu;
833
834         conn->src = &hcon->hdev->bdaddr;
835         conn->dst = &hcon->dst;
836
837         conn->feat_mask = 0;
838
839         spin_lock_init(&conn->lock);
840         rwlock_init(&conn->chan_lock);
841
842         INIT_LIST_HEAD(&conn->chan_l);
843
844         if (hcon->type != LE_LINK)
845                 setup_timer(&conn->info_timer, l2cap_info_timeout,
846                                                 (unsigned long) conn);
847
848         conn->disc_reason = 0x13;
849
850         return conn;
851 }
852
853 static void l2cap_conn_del(struct hci_conn *hcon, int err)
854 {
855         struct l2cap_conn *conn = hcon->l2cap_data;
856         struct l2cap_chan *chan, *l;
857         struct sock *sk;
858
859         if (!conn)
860                 return;
861
862         BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
863
864         kfree_skb(conn->rx_skb);
865
866         /* Kill channels */
867         list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
868                 sk = chan->sk;
869                 bh_lock_sock(sk);
870                 l2cap_chan_del(chan, err);
871                 bh_unlock_sock(sk);
872                 l2cap_sock_kill(sk);
873         }
874
875         if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
876                 del_timer_sync(&conn->info_timer);
877
878         hcon->l2cap_data = NULL;
879         kfree(conn);
880 }
881
882 static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
883 {
884         write_lock_bh(&conn->chan_lock);
885         __l2cap_chan_add(conn, chan);
886         write_unlock_bh(&conn->chan_lock);
887 }
888
889 /* ---- Socket interface ---- */
890
891 /* Find socket with psm and source bdaddr.
892  * Returns closest match.
893  */
894 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
895 {
896         struct l2cap_chan *c, *c1 = NULL;
897
898         read_lock(&chan_list_lock);
899
900         list_for_each_entry(c, &chan_list, global_l) {
901                 struct sock *sk = c->sk;
902
903                 if (state && sk->sk_state != state)
904                         continue;
905
906                 if (c->psm == psm) {
907                         /* Exact match. */
908                         if (!bacmp(&bt_sk(sk)->src, src)) {
909                                 read_unlock(&chan_list_lock);
910                                 return c;
911                         }
912
913                         /* Closest match */
914                         if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
915                                 c1 = c;
916                 }
917         }
918
919         read_unlock(&chan_list_lock);
920
921         return c1;
922 }
923
924 int l2cap_chan_connect(struct l2cap_chan *chan)
925 {
926         struct sock *sk = chan->sk;
927         bdaddr_t *src = &bt_sk(sk)->src;
928         bdaddr_t *dst = &bt_sk(sk)->dst;
929         struct l2cap_conn *conn;
930         struct hci_conn *hcon;
931         struct hci_dev *hdev;
932         __u8 auth_type;
933         int err;
934
935         BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
936                                                         chan->psm);
937
938         hdev = hci_get_route(dst, src);
939         if (!hdev)
940                 return -EHOSTUNREACH;
941
942         hci_dev_lock_bh(hdev);
943
944         auth_type = l2cap_get_auth_type(chan);
945
946         if (chan->dcid == L2CAP_CID_LE_DATA)
947                 hcon = hci_connect(hdev, LE_LINK, dst,
948                                         chan->sec_level, auth_type);
949         else
950                 hcon = hci_connect(hdev, ACL_LINK, dst,
951                                         chan->sec_level, auth_type);
952
953         if (IS_ERR(hcon)) {
954                 err = PTR_ERR(hcon);
955                 goto done;
956         }
957
958         conn = l2cap_conn_add(hcon, 0);
959         if (!conn) {
960                 hci_conn_put(hcon);
961                 err = -ENOMEM;
962                 goto done;
963         }
964
965         /* Update source addr of the socket */
966         bacpy(src, conn->src);
967
968         l2cap_chan_add(conn, chan);
969
970         sk->sk_state = BT_CONNECT;
971         l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
972
973         if (hcon->state == BT_CONNECTED) {
974                 if (sk->sk_type != SOCK_SEQPACKET &&
975                                 sk->sk_type != SOCK_STREAM) {
976                         l2cap_sock_clear_timer(sk);
977                         if (l2cap_check_security(chan))
978                                 sk->sk_state = BT_CONNECTED;
979                 } else
980                         l2cap_do_start(chan);
981         }
982
983         err = 0;
984
985 done:
986         hci_dev_unlock_bh(hdev);
987         hci_dev_put(hdev);
988         return err;
989 }
990
991 int __l2cap_wait_ack(struct sock *sk)
992 {
993         struct l2cap_chan *chan = l2cap_pi(sk)->chan;
994         DECLARE_WAITQUEUE(wait, current);
995         int err = 0;
996         int timeo = HZ/5;
997
998         add_wait_queue(sk_sleep(sk), &wait);
999         while ((chan->unacked_frames > 0 && chan->conn)) {
1000                 set_current_state(TASK_INTERRUPTIBLE);
1001
1002                 if (!timeo)
1003                         timeo = HZ/5;
1004
1005                 if (signal_pending(current)) {
1006                         err = sock_intr_errno(timeo);
1007                         break;
1008                 }
1009
1010                 release_sock(sk);
1011                 timeo = schedule_timeout(timeo);
1012                 lock_sock(sk);
1013
1014                 err = sock_error(sk);
1015                 if (err)
1016                         break;
1017         }
1018         set_current_state(TASK_RUNNING);
1019         remove_wait_queue(sk_sleep(sk), &wait);
1020         return err;
1021 }
1022
1023 static void l2cap_monitor_timeout(unsigned long arg)
1024 {
1025         struct l2cap_chan *chan = (void *) arg;
1026         struct sock *sk = chan->sk;
1027
1028         BT_DBG("chan %p", chan);
1029
1030         bh_lock_sock(sk);
1031         if (chan->retry_count >= chan->remote_max_tx) {
1032                 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
1033                 bh_unlock_sock(sk);
1034                 return;
1035         }
1036
1037         chan->retry_count++;
1038         __mod_monitor_timer();
1039
1040         l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
1041         bh_unlock_sock(sk);
1042 }
1043
1044 static void l2cap_retrans_timeout(unsigned long arg)
1045 {
1046         struct l2cap_chan *chan = (void *) arg;
1047         struct sock *sk = chan->sk;
1048
1049         BT_DBG("chan %p", chan);
1050
1051         bh_lock_sock(sk);
1052         chan->retry_count = 1;
1053         __mod_monitor_timer();
1054
1055         chan->conn_state |= L2CAP_CONN_WAIT_F;
1056
1057         l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
1058         bh_unlock_sock(sk);
1059 }
1060
1061 static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1062 {
1063         struct sk_buff *skb;
1064
1065         while ((skb = skb_peek(&chan->tx_q)) &&
1066                         chan->unacked_frames) {
1067                 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1068                         break;
1069
1070                 skb = skb_dequeue(&chan->tx_q);
1071                 kfree_skb(skb);
1072
1073                 chan->unacked_frames--;
1074         }
1075
1076         if (!chan->unacked_frames)
1077                 del_timer(&chan->retrans_timer);
1078 }
1079
1080 void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
1081 {
1082         struct hci_conn *hcon = chan->conn->hcon;
1083         u16 flags;
1084
1085         BT_DBG("chan %p, skb %p len %d", chan, skb, skb->len);
1086
1087         if (!chan->flushable && lmp_no_flush_capable(hcon->hdev))
1088                 flags = ACL_START_NO_FLUSH;
1089         else
1090                 flags = ACL_START;
1091
1092         hci_send_acl(hcon, skb, flags);
1093 }
1094
1095 void l2cap_streaming_send(struct l2cap_chan *chan)
1096 {
1097         struct sk_buff *skb;
1098         u16 control, fcs;
1099
1100         while ((skb = skb_dequeue(&chan->tx_q))) {
1101                 control = get_unaligned_le16(skb->data + L2CAP_HDR_SIZE);
1102                 control |= chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
1103                 put_unaligned_le16(control, skb->data + L2CAP_HDR_SIZE);
1104
1105                 if (chan->fcs == L2CAP_FCS_CRC16) {
1106                         fcs = crc16(0, (u8 *)skb->data, skb->len - 2);
1107                         put_unaligned_le16(fcs, skb->data + skb->len - 2);
1108                 }
1109
1110                 l2cap_do_send(chan, skb);
1111
1112                 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
1113         }
1114 }
1115
1116 static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u8 tx_seq)
1117 {
1118         struct sk_buff *skb, *tx_skb;
1119         u16 control, fcs;
1120
1121         skb = skb_peek(&chan->tx_q);
1122         if (!skb)
1123                 return;
1124
1125         do {
1126                 if (bt_cb(skb)->tx_seq == tx_seq)
1127                         break;
1128
1129                 if (skb_queue_is_last(&chan->tx_q, skb))
1130                         return;
1131
1132         } while ((skb = skb_queue_next(&chan->tx_q, skb)));
1133
1134         if (chan->remote_max_tx &&
1135                         bt_cb(skb)->retries == chan->remote_max_tx) {
1136                 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
1137                 return;
1138         }
1139
1140         tx_skb = skb_clone(skb, GFP_ATOMIC);
1141         bt_cb(skb)->retries++;
1142         control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1143         control &= L2CAP_CTRL_SAR;
1144
1145         if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
1146                 control |= L2CAP_CTRL_FINAL;
1147                 chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
1148         }
1149
1150         control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1151                         | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1152
1153         put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1154
1155         if (chan->fcs == L2CAP_FCS_CRC16) {
1156                 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1157                 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1158         }
1159
1160         l2cap_do_send(chan, tx_skb);
1161 }
1162
1163 int l2cap_ertm_send(struct l2cap_chan *chan)
1164 {
1165         struct sk_buff *skb, *tx_skb;
1166         struct sock *sk = chan->sk;
1167         u16 control, fcs;
1168         int nsent = 0;
1169
1170         if (sk->sk_state != BT_CONNECTED)
1171                 return -ENOTCONN;
1172
1173         while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1174
1175                 if (chan->remote_max_tx &&
1176                                 bt_cb(skb)->retries == chan->remote_max_tx) {
1177                         l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
1178                         break;
1179                 }
1180
1181                 tx_skb = skb_clone(skb, GFP_ATOMIC);
1182
1183                 bt_cb(skb)->retries++;
1184
1185                 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1186                 control &= L2CAP_CTRL_SAR;
1187
1188                 if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
1189                         control |= L2CAP_CTRL_FINAL;
1190                         chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
1191                 }
1192                 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1193                                 | (chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1194                 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1195
1196
1197                 if (chan->fcs == L2CAP_FCS_CRC16) {
1198                         fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1199                         put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1200                 }
1201
1202                 l2cap_do_send(chan, tx_skb);
1203
1204                 __mod_retrans_timer();
1205
1206                 bt_cb(skb)->tx_seq = chan->next_tx_seq;
1207                 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
1208
1209                 if (bt_cb(skb)->retries == 1)
1210                         chan->unacked_frames++;
1211
1212                 chan->frames_sent++;
1213
1214                 if (skb_queue_is_last(&chan->tx_q, skb))
1215                         chan->tx_send_head = NULL;
1216                 else
1217                         chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1218
1219                 nsent++;
1220         }
1221
1222         return nsent;
1223 }
1224
1225 static int l2cap_retransmit_frames(struct l2cap_chan *chan)
1226 {
1227         int ret;
1228
1229         if (!skb_queue_empty(&chan->tx_q))
1230                 chan->tx_send_head = chan->tx_q.next;
1231
1232         chan->next_tx_seq = chan->expected_ack_seq;
1233         ret = l2cap_ertm_send(chan);
1234         return ret;
1235 }
1236
1237 static void l2cap_send_ack(struct l2cap_chan *chan)
1238 {
1239         u16 control = 0;
1240
1241         control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1242
1243         if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
1244                 control |= L2CAP_SUPER_RCV_NOT_READY;
1245                 chan->conn_state |= L2CAP_CONN_RNR_SENT;
1246                 l2cap_send_sframe(chan, control);
1247                 return;
1248         }
1249
1250         if (l2cap_ertm_send(chan) > 0)
1251                 return;
1252
1253         control |= L2CAP_SUPER_RCV_READY;
1254         l2cap_send_sframe(chan, control);
1255 }
1256
1257 static void l2cap_send_srejtail(struct l2cap_chan *chan)
1258 {
1259         struct srej_list *tail;
1260         u16 control;
1261
1262         control = L2CAP_SUPER_SELECT_REJECT;
1263         control |= L2CAP_CTRL_FINAL;
1264
1265         tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
1266         control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1267
1268         l2cap_send_sframe(chan, control);
1269 }
1270
1271 static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1272 {
1273         struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1274         struct sk_buff **frag;
1275         int err, sent = 0;
1276
1277         if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1278                 return -EFAULT;
1279
1280         sent += count;
1281         len  -= count;
1282
1283         /* Continuation fragments (no L2CAP header) */
1284         frag = &skb_shinfo(skb)->frag_list;
1285         while (len) {
1286                 count = min_t(unsigned int, conn->mtu, len);
1287
1288                 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1289                 if (!*frag)
1290                         return err;
1291                 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1292                         return -EFAULT;
1293
1294                 sent += count;
1295                 len  -= count;
1296
1297                 frag = &(*frag)->next;
1298         }
1299
1300         return sent;
1301 }
1302
1303 struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1304 {
1305         struct sock *sk = chan->sk;
1306         struct l2cap_conn *conn = chan->conn;
1307         struct sk_buff *skb;
1308         int err, count, hlen = L2CAP_HDR_SIZE + 2;
1309         struct l2cap_hdr *lh;
1310
1311         BT_DBG("sk %p len %d", sk, (int)len);
1312
1313         count = min_t(unsigned int, (conn->mtu - hlen), len);
1314         skb = bt_skb_send_alloc(sk, count + hlen,
1315                         msg->msg_flags & MSG_DONTWAIT, &err);
1316         if (!skb)
1317                 return ERR_PTR(err);
1318
1319         /* Create L2CAP header */
1320         lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1321         lh->cid = cpu_to_le16(chan->dcid);
1322         lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1323         put_unaligned_le16(chan->psm, skb_put(skb, 2));
1324
1325         err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1326         if (unlikely(err < 0)) {
1327                 kfree_skb(skb);
1328                 return ERR_PTR(err);
1329         }
1330         return skb;
1331 }
1332
1333 struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1334 {
1335         struct sock *sk = chan->sk;
1336         struct l2cap_conn *conn = chan->conn;
1337         struct sk_buff *skb;
1338         int err, count, hlen = L2CAP_HDR_SIZE;
1339         struct l2cap_hdr *lh;
1340
1341         BT_DBG("sk %p len %d", sk, (int)len);
1342
1343         count = min_t(unsigned int, (conn->mtu - hlen), len);
1344         skb = bt_skb_send_alloc(sk, count + hlen,
1345                         msg->msg_flags & MSG_DONTWAIT, &err);
1346         if (!skb)
1347                 return ERR_PTR(err);
1348
1349         /* Create L2CAP header */
1350         lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1351         lh->cid = cpu_to_le16(chan->dcid);
1352         lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1353
1354         err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1355         if (unlikely(err < 0)) {
1356                 kfree_skb(skb);
1357                 return ERR_PTR(err);
1358         }
1359         return skb;
1360 }
1361
1362 struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
1363 {
1364         struct sock *sk = chan->sk;
1365         struct l2cap_conn *conn = chan->conn;
1366         struct sk_buff *skb;
1367         int err, count, hlen = L2CAP_HDR_SIZE + 2;
1368         struct l2cap_hdr *lh;
1369
1370         BT_DBG("sk %p len %d", sk, (int)len);
1371
1372         if (!conn)
1373                 return ERR_PTR(-ENOTCONN);
1374
1375         if (sdulen)
1376                 hlen += 2;
1377
1378         if (chan->fcs == L2CAP_FCS_CRC16)
1379                 hlen += 2;
1380
1381         count = min_t(unsigned int, (conn->mtu - hlen), len);
1382         skb = bt_skb_send_alloc(sk, count + hlen,
1383                         msg->msg_flags & MSG_DONTWAIT, &err);
1384         if (!skb)
1385                 return ERR_PTR(err);
1386
1387         /* Create L2CAP header */
1388         lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1389         lh->cid = cpu_to_le16(chan->dcid);
1390         lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1391         put_unaligned_le16(control, skb_put(skb, 2));
1392         if (sdulen)
1393                 put_unaligned_le16(sdulen, skb_put(skb, 2));
1394
1395         err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1396         if (unlikely(err < 0)) {
1397                 kfree_skb(skb);
1398                 return ERR_PTR(err);
1399         }
1400
1401         if (chan->fcs == L2CAP_FCS_CRC16)
1402                 put_unaligned_le16(0, skb_put(skb, 2));
1403
1404         bt_cb(skb)->retries = 0;
1405         return skb;
1406 }
1407
1408 int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1409 {
1410         struct sk_buff *skb;
1411         struct sk_buff_head sar_queue;
1412         u16 control;
1413         size_t size = 0;
1414
1415         skb_queue_head_init(&sar_queue);
1416         control = L2CAP_SDU_START;
1417         skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
1418         if (IS_ERR(skb))
1419                 return PTR_ERR(skb);
1420
1421         __skb_queue_tail(&sar_queue, skb);
1422         len -= chan->remote_mps;
1423         size += chan->remote_mps;
1424
1425         while (len > 0) {
1426                 size_t buflen;
1427
1428                 if (len > chan->remote_mps) {
1429                         control = L2CAP_SDU_CONTINUE;
1430                         buflen = chan->remote_mps;
1431                 } else {
1432                         control = L2CAP_SDU_END;
1433                         buflen = len;
1434                 }
1435
1436                 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
1437                 if (IS_ERR(skb)) {
1438                         skb_queue_purge(&sar_queue);
1439                         return PTR_ERR(skb);
1440                 }
1441
1442                 __skb_queue_tail(&sar_queue, skb);
1443                 len -= buflen;
1444                 size += buflen;
1445         }
1446         skb_queue_splice_tail(&sar_queue, &chan->tx_q);
1447         if (chan->tx_send_head == NULL)
1448                 chan->tx_send_head = sar_queue.next;
1449
1450         return size;
1451 }
1452
1453 static void l2cap_chan_ready(struct sock *sk)
1454 {
1455         struct sock *parent = bt_sk(sk)->parent;
1456         struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1457
1458         BT_DBG("sk %p, parent %p", sk, parent);
1459
1460         chan->conf_state = 0;
1461         l2cap_sock_clear_timer(sk);
1462
1463         if (!parent) {
1464                 /* Outgoing channel.
1465                  * Wake up socket sleeping on connect.
1466                  */
1467                 sk->sk_state = BT_CONNECTED;
1468                 sk->sk_state_change(sk);
1469         } else {
1470                 /* Incoming channel.
1471                  * Wake up socket sleeping on accept.
1472                  */
1473                 parent->sk_data_ready(parent, 0);
1474         }
1475 }
1476
1477 /* Copy frame to all raw sockets on that connection */
1478 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1479 {
1480         struct sk_buff *nskb;
1481         struct l2cap_chan *chan;
1482
1483         BT_DBG("conn %p", conn);
1484
1485         read_lock(&conn->chan_lock);
1486         list_for_each_entry(chan, &conn->chan_l, list) {
1487                 struct sock *sk = chan->sk;
1488                 if (sk->sk_type != SOCK_RAW)
1489                         continue;
1490
1491                 /* Don't send frame to the socket it came from */
1492                 if (skb->sk == sk)
1493                         continue;
1494                 nskb = skb_clone(skb, GFP_ATOMIC);
1495                 if (!nskb)
1496                         continue;
1497
1498                 if (sock_queue_rcv_skb(sk, nskb))
1499                         kfree_skb(nskb);
1500         }
1501         read_unlock(&conn->chan_lock);
1502 }
1503
1504 /* ---- L2CAP signalling commands ---- */
1505 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1506                                 u8 code, u8 ident, u16 dlen, void *data)
1507 {
1508         struct sk_buff *skb, **frag;
1509         struct l2cap_cmd_hdr *cmd;
1510         struct l2cap_hdr *lh;
1511         int len, count;
1512
1513         BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1514                         conn, code, ident, dlen);
1515
1516         len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1517         count = min_t(unsigned int, conn->mtu, len);
1518
1519         skb = bt_skb_alloc(count, GFP_ATOMIC);
1520         if (!skb)
1521                 return NULL;
1522
1523         lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1524         lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
1525
1526         if (conn->hcon->type == LE_LINK)
1527                 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
1528         else
1529                 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1530
1531         cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1532         cmd->code  = code;
1533         cmd->ident = ident;
1534         cmd->len   = cpu_to_le16(dlen);
1535
1536         if (dlen) {
1537                 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1538                 memcpy(skb_put(skb, count), data, count);
1539                 data += count;
1540         }
1541
1542         len -= skb->len;
1543
1544         /* Continuation fragments (no L2CAP header) */
1545         frag = &skb_shinfo(skb)->frag_list;
1546         while (len) {
1547                 count = min_t(unsigned int, conn->mtu, len);
1548
1549                 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1550                 if (!*frag)
1551                         goto fail;
1552
1553                 memcpy(skb_put(*frag, count), data, count);
1554
1555                 len  -= count;
1556                 data += count;
1557
1558                 frag = &(*frag)->next;
1559         }
1560
1561         return skb;
1562
1563 fail:
1564         kfree_skb(skb);
1565         return NULL;
1566 }
1567
1568 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1569 {
1570         struct l2cap_conf_opt *opt = *ptr;
1571         int len;
1572
1573         len = L2CAP_CONF_OPT_SIZE + opt->len;
1574         *ptr += len;
1575
1576         *type = opt->type;
1577         *olen = opt->len;
1578
1579         switch (opt->len) {
1580         case 1:
1581                 *val = *((u8 *) opt->val);
1582                 break;
1583
1584         case 2:
1585                 *val = get_unaligned_le16(opt->val);
1586                 break;
1587
1588         case 4:
1589                 *val = get_unaligned_le32(opt->val);
1590                 break;
1591
1592         default:
1593                 *val = (unsigned long) opt->val;
1594                 break;
1595         }
1596
1597         BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1598         return len;
1599 }
1600
1601 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1602 {
1603         struct l2cap_conf_opt *opt = *ptr;
1604
1605         BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1606
1607         opt->type = type;
1608         opt->len  = len;
1609
1610         switch (len) {
1611         case 1:
1612                 *((u8 *) opt->val)  = val;
1613                 break;
1614
1615         case 2:
1616                 put_unaligned_le16(val, opt->val);
1617                 break;
1618
1619         case 4:
1620                 put_unaligned_le32(val, opt->val);
1621                 break;
1622
1623         default:
1624                 memcpy(opt->val, (void *) val, len);
1625                 break;
1626         }
1627
1628         *ptr += L2CAP_CONF_OPT_SIZE + len;
1629 }
1630
1631 static void l2cap_ack_timeout(unsigned long arg)
1632 {
1633         struct l2cap_chan *chan = (void *) arg;
1634
1635         bh_lock_sock(chan->sk);
1636         l2cap_send_ack(chan);
1637         bh_unlock_sock(chan->sk);
1638 }
1639
1640 static inline void l2cap_ertm_init(struct l2cap_chan *chan)
1641 {
1642         struct sock *sk = chan->sk;
1643
1644         chan->expected_ack_seq = 0;
1645         chan->unacked_frames = 0;
1646         chan->buffer_seq = 0;
1647         chan->num_acked = 0;
1648         chan->frames_sent = 0;
1649
1650         setup_timer(&chan->retrans_timer, l2cap_retrans_timeout,
1651                                                         (unsigned long) chan);
1652         setup_timer(&chan->monitor_timer, l2cap_monitor_timeout,
1653                                                         (unsigned long) chan);
1654         setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan);
1655
1656         skb_queue_head_init(&chan->srej_q);
1657         skb_queue_head_init(&chan->busy_q);
1658
1659         INIT_LIST_HEAD(&chan->srej_l);
1660
1661         INIT_WORK(&chan->busy_work, l2cap_busy_work);
1662
1663         sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
1664 }
1665
1666 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
1667 {
1668         switch (mode) {
1669         case L2CAP_MODE_STREAMING:
1670         case L2CAP_MODE_ERTM:
1671                 if (l2cap_mode_supported(mode, remote_feat_mask))
1672                         return mode;
1673                 /* fall through */
1674         default:
1675                 return L2CAP_MODE_BASIC;
1676         }
1677 }
1678
1679 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1680 {
1681         struct l2cap_conf_req *req = data;
1682         struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1683         void *ptr = req->data;
1684
1685         BT_DBG("chan %p", chan);
1686
1687         if (chan->num_conf_req || chan->num_conf_rsp)
1688                 goto done;
1689
1690         switch (chan->mode) {
1691         case L2CAP_MODE_STREAMING:
1692         case L2CAP_MODE_ERTM:
1693                 if (chan->conf_state & L2CAP_CONF_STATE2_DEVICE)
1694                         break;
1695
1696                 /* fall through */
1697         default:
1698                 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
1699                 break;
1700         }
1701
1702 done:
1703         if (chan->imtu != L2CAP_DEFAULT_MTU)
1704                 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
1705
1706         switch (chan->mode) {
1707         case L2CAP_MODE_BASIC:
1708                 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
1709                                 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
1710                         break;
1711
1712                 rfc.mode            = L2CAP_MODE_BASIC;
1713                 rfc.txwin_size      = 0;
1714                 rfc.max_transmit    = 0;
1715                 rfc.retrans_timeout = 0;
1716                 rfc.monitor_timeout = 0;
1717                 rfc.max_pdu_size    = 0;
1718
1719                 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1720                                                         (unsigned long) &rfc);
1721                 break;
1722
1723         case L2CAP_MODE_ERTM:
1724                 rfc.mode            = L2CAP_MODE_ERTM;
1725                 rfc.txwin_size      = chan->tx_win;
1726                 rfc.max_transmit    = chan->max_tx;
1727                 rfc.retrans_timeout = 0;
1728                 rfc.monitor_timeout = 0;
1729                 rfc.max_pdu_size    = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
1730                 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
1731                         rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1732
1733                 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1734                                                         (unsigned long) &rfc);
1735
1736                 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
1737                         break;
1738
1739                 if (chan->fcs == L2CAP_FCS_NONE ||
1740                                 chan->conf_state & L2CAP_CONF_NO_FCS_RECV) {
1741                         chan->fcs = L2CAP_FCS_NONE;
1742                         l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
1743                 }
1744                 break;
1745
1746         case L2CAP_MODE_STREAMING:
1747                 rfc.mode            = L2CAP_MODE_STREAMING;
1748                 rfc.txwin_size      = 0;
1749                 rfc.max_transmit    = 0;
1750                 rfc.retrans_timeout = 0;
1751                 rfc.monitor_timeout = 0;
1752                 rfc.max_pdu_size    = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
1753                 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
1754                         rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1755
1756                 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1757                                                         (unsigned long) &rfc);
1758
1759                 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
1760                         break;
1761
1762                 if (chan->fcs == L2CAP_FCS_NONE ||
1763                                 chan->conf_state & L2CAP_CONF_NO_FCS_RECV) {
1764                         chan->fcs = L2CAP_FCS_NONE;
1765                         l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
1766                 }
1767                 break;
1768         }
1769
1770         req->dcid  = cpu_to_le16(chan->dcid);
1771         req->flags = cpu_to_le16(0);
1772
1773         return ptr - data;
1774 }
1775
1776 static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1777 {
1778         struct l2cap_conf_rsp *rsp = data;
1779         void *ptr = rsp->data;
1780         void *req = chan->conf_req;
1781         int len = chan->conf_len;
1782         int type, hint, olen;
1783         unsigned long val;
1784         struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
1785         u16 mtu = L2CAP_DEFAULT_MTU;
1786         u16 result = L2CAP_CONF_SUCCESS;
1787
1788         BT_DBG("chan %p", chan);
1789
1790         while (len >= L2CAP_CONF_OPT_SIZE) {
1791                 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1792
1793                 hint  = type & L2CAP_CONF_HINT;
1794                 type &= L2CAP_CONF_MASK;
1795
1796                 switch (type) {
1797                 case L2CAP_CONF_MTU:
1798                         mtu = val;
1799                         break;
1800
1801                 case L2CAP_CONF_FLUSH_TO:
1802                         chan->flush_to = val;
1803                         break;
1804
1805                 case L2CAP_CONF_QOS:
1806                         break;
1807
1808                 case L2CAP_CONF_RFC:
1809                         if (olen == sizeof(rfc))
1810                                 memcpy(&rfc, (void *) val, olen);
1811                         break;
1812
1813                 case L2CAP_CONF_FCS:
1814                         if (val == L2CAP_FCS_NONE)
1815                                 chan->conf_state |= L2CAP_CONF_NO_FCS_RECV;
1816
1817                         break;
1818
1819                 default:
1820                         if (hint)
1821                                 break;
1822
1823                         result = L2CAP_CONF_UNKNOWN;
1824                         *((u8 *) ptr++) = type;
1825                         break;
1826                 }
1827         }
1828
1829         if (chan->num_conf_rsp || chan->num_conf_req > 1)
1830                 goto done;
1831
1832         switch (chan->mode) {
1833         case L2CAP_MODE_STREAMING:
1834         case L2CAP_MODE_ERTM:
1835                 if (!(chan->conf_state & L2CAP_CONF_STATE2_DEVICE)) {
1836                         chan->mode = l2cap_select_mode(rfc.mode,
1837                                         chan->conn->feat_mask);
1838                         break;
1839                 }
1840
1841                 if (chan->mode != rfc.mode)
1842                         return -ECONNREFUSED;
1843
1844                 break;
1845         }
1846
1847 done:
1848         if (chan->mode != rfc.mode) {
1849                 result = L2CAP_CONF_UNACCEPT;
1850                 rfc.mode = chan->mode;
1851
1852                 if (chan->num_conf_rsp == 1)
1853                         return -ECONNREFUSED;
1854
1855                 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
1856                                         sizeof(rfc), (unsigned long) &rfc);
1857         }
1858
1859
1860         if (result == L2CAP_CONF_SUCCESS) {
1861                 /* Configure output options and let the other side know
1862                  * which ones we don't like. */
1863
1864                 if (mtu < L2CAP_DEFAULT_MIN_MTU)
1865                         result = L2CAP_CONF_UNACCEPT;
1866                 else {
1867                         chan->omtu = mtu;
1868                         chan->conf_state |= L2CAP_CONF_MTU_DONE;
1869                 }
1870                 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
1871
1872                 switch (rfc.mode) {
1873                 case L2CAP_MODE_BASIC:
1874                         chan->fcs = L2CAP_FCS_NONE;
1875                         chan->conf_state |= L2CAP_CONF_MODE_DONE;
1876                         break;
1877
1878                 case L2CAP_MODE_ERTM:
1879                         chan->remote_tx_win = rfc.txwin_size;
1880                         chan->remote_max_tx = rfc.max_transmit;
1881
1882                         if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
1883                                 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1884
1885                         chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
1886
1887                         rfc.retrans_timeout =
1888                                 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
1889                         rfc.monitor_timeout =
1890                                 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
1891
1892                         chan->conf_state |= L2CAP_CONF_MODE_DONE;
1893
1894                         l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
1895                                         sizeof(rfc), (unsigned long) &rfc);
1896
1897                         break;
1898
1899                 case L2CAP_MODE_STREAMING:
1900                         if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
1901                                 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1902
1903                         chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
1904
1905                         chan->conf_state |= L2CAP_CONF_MODE_DONE;
1906
1907                         l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
1908                                         sizeof(rfc), (unsigned long) &rfc);
1909
1910                         break;
1911
1912                 default:
1913                         result = L2CAP_CONF_UNACCEPT;
1914
1915                         memset(&rfc, 0, sizeof(rfc));
1916                         rfc.mode = chan->mode;
1917                 }
1918
1919                 if (result == L2CAP_CONF_SUCCESS)
1920                         chan->conf_state |= L2CAP_CONF_OUTPUT_DONE;
1921         }
1922         rsp->scid   = cpu_to_le16(chan->dcid);
1923         rsp->result = cpu_to_le16(result);
1924         rsp->flags  = cpu_to_le16(0x0000);
1925
1926         return ptr - data;
1927 }
1928
1929 static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
1930 {
1931         struct l2cap_conf_req *req = data;
1932         void *ptr = req->data;
1933         int type, olen;
1934         unsigned long val;
1935         struct l2cap_conf_rfc rfc;
1936
1937         BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
1938
1939         while (len >= L2CAP_CONF_OPT_SIZE) {
1940                 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
1941
1942                 switch (type) {
1943                 case L2CAP_CONF_MTU:
1944                         if (val < L2CAP_DEFAULT_MIN_MTU) {
1945                                 *result = L2CAP_CONF_UNACCEPT;
1946                                 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
1947                         } else
1948                                 chan->imtu = val;
1949                         l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
1950                         break;
1951
1952                 case L2CAP_CONF_FLUSH_TO:
1953                         chan->flush_to = val;
1954                         l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
1955                                                         2, chan->flush_to);
1956                         break;
1957
1958                 case L2CAP_CONF_RFC:
1959                         if (olen == sizeof(rfc))
1960                                 memcpy(&rfc, (void *)val, olen);
1961
1962                         if ((chan->conf_state & L2CAP_CONF_STATE2_DEVICE) &&
1963                                                         rfc.mode != chan->mode)
1964                                 return -ECONNREFUSED;
1965
1966                         chan->fcs = 0;
1967
1968                         l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
1969                                         sizeof(rfc), (unsigned long) &rfc);
1970                         break;
1971                 }
1972         }
1973
1974         if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
1975                 return -ECONNREFUSED;
1976
1977         chan->mode = rfc.mode;
1978
1979         if (*result == L2CAP_CONF_SUCCESS) {
1980                 switch (rfc.mode) {
1981                 case L2CAP_MODE_ERTM:
1982                         chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
1983                         chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
1984                         chan->mps    = le16_to_cpu(rfc.max_pdu_size);
1985                         break;
1986                 case L2CAP_MODE_STREAMING:
1987                         chan->mps    = le16_to_cpu(rfc.max_pdu_size);
1988                 }
1989         }
1990
1991         req->dcid   = cpu_to_le16(chan->dcid);
1992         req->flags  = cpu_to_le16(0x0000);
1993
1994         return ptr - data;
1995 }
1996
1997 static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1998 {
1999         struct l2cap_conf_rsp *rsp = data;
2000         void *ptr = rsp->data;
2001
2002         BT_DBG("chan %p", chan);
2003
2004         rsp->scid   = cpu_to_le16(chan->dcid);
2005         rsp->result = cpu_to_le16(result);
2006         rsp->flags  = cpu_to_le16(flags);
2007
2008         return ptr - data;
2009 }
2010
2011 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
2012 {
2013         struct l2cap_conn_rsp rsp;
2014         struct l2cap_conn *conn = chan->conn;
2015         u8 buf[128];
2016
2017         rsp.scid   = cpu_to_le16(chan->dcid);
2018         rsp.dcid   = cpu_to_le16(chan->scid);
2019         rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2020         rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2021         l2cap_send_cmd(conn, chan->ident,
2022                                 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2023
2024         if (chan->conf_state & L2CAP_CONF_REQ_SENT)
2025                 return;
2026
2027         chan->conf_state |= L2CAP_CONF_REQ_SENT;
2028         l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2029                         l2cap_build_conf_req(chan, buf), buf);
2030         chan->num_conf_req++;
2031 }
2032
2033 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
2034 {
2035         int type, olen;
2036         unsigned long val;
2037         struct l2cap_conf_rfc rfc;
2038
2039         BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
2040
2041         if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
2042                 return;
2043
2044         while (len >= L2CAP_CONF_OPT_SIZE) {
2045                 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2046
2047                 switch (type) {
2048                 case L2CAP_CONF_RFC:
2049                         if (olen == sizeof(rfc))
2050                                 memcpy(&rfc, (void *)val, olen);
2051                         goto done;
2052                 }
2053         }
2054
2055 done:
2056         switch (rfc.mode) {
2057         case L2CAP_MODE_ERTM:
2058                 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2059                 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2060                 chan->mps    = le16_to_cpu(rfc.max_pdu_size);
2061                 break;
2062         case L2CAP_MODE_STREAMING:
2063                 chan->mps    = le16_to_cpu(rfc.max_pdu_size);
2064         }
2065 }
2066
2067 static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2068 {
2069         struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
2070
2071         if (rej->reason != 0x0000)
2072                 return 0;
2073
2074         if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2075                                         cmd->ident == conn->info_ident) {
2076                 del_timer(&conn->info_timer);
2077
2078                 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2079                 conn->info_ident = 0;
2080
2081                 l2cap_conn_start(conn);
2082         }
2083
2084         return 0;
2085 }
2086
2087 static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2088 {
2089         struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2090         struct l2cap_conn_rsp rsp;
2091         struct l2cap_chan *chan = NULL, *pchan;
2092         struct sock *parent, *sk = NULL;
2093         int result, status = L2CAP_CS_NO_INFO;
2094
2095         u16 dcid = 0, scid = __le16_to_cpu(req->scid);
2096         __le16 psm = req->psm;
2097
2098         BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2099
2100         /* Check if we have socket listening on psm */
2101         pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
2102         if (!pchan) {
2103                 result = L2CAP_CR_BAD_PSM;
2104                 goto sendresp;
2105         }
2106
2107         parent = pchan->sk;
2108
2109         bh_lock_sock(parent);
2110
2111         /* Check if the ACL is secure enough (if not SDP) */
2112         if (psm != cpu_to_le16(0x0001) &&
2113                                 !hci_conn_check_link_mode(conn->hcon)) {
2114                 conn->disc_reason = 0x05;
2115                 result = L2CAP_CR_SEC_BLOCK;
2116                 goto response;
2117         }
2118
2119         result = L2CAP_CR_NO_MEM;
2120
2121         /* Check for backlog size */
2122         if (sk_acceptq_is_full(parent)) {
2123                 BT_DBG("backlog full %d", parent->sk_ack_backlog);
2124                 goto response;
2125         }
2126
2127         sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
2128         if (!sk)
2129                 goto response;
2130
2131         chan = l2cap_chan_create(sk);
2132         if (!chan) {
2133                 l2cap_sock_kill(sk);
2134                 goto response;
2135         }
2136
2137         l2cap_pi(sk)->chan = chan;
2138
2139         write_lock_bh(&conn->chan_lock);
2140
2141         /* Check if we already have channel with that dcid */
2142         if (__l2cap_get_chan_by_dcid(conn, scid)) {
2143                 write_unlock_bh(&conn->chan_lock);
2144                 sock_set_flag(sk, SOCK_ZAPPED);
2145                 l2cap_sock_kill(sk);
2146                 goto response;
2147         }
2148
2149         hci_conn_hold(conn->hcon);
2150
2151         l2cap_sock_init(sk, parent);
2152         bacpy(&bt_sk(sk)->src, conn->src);
2153         bacpy(&bt_sk(sk)->dst, conn->dst);
2154         chan->psm  = psm;
2155         chan->dcid = scid;
2156
2157         bt_accept_enqueue(parent, sk);
2158
2159         __l2cap_chan_add(conn, chan);
2160
2161         dcid = chan->scid;
2162
2163         l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
2164
2165         chan->ident = cmd->ident;
2166
2167         if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2168                 if (l2cap_check_security(chan)) {
2169                         if (bt_sk(sk)->defer_setup) {
2170                                 sk->sk_state = BT_CONNECT2;
2171                                 result = L2CAP_CR_PEND;
2172                                 status = L2CAP_CS_AUTHOR_PEND;
2173                                 parent->sk_data_ready(parent, 0);
2174                         } else {
2175                                 sk->sk_state = BT_CONFIG;
2176                                 result = L2CAP_CR_SUCCESS;
2177                                 status = L2CAP_CS_NO_INFO;
2178                         }
2179                 } else {
2180                         sk->sk_state = BT_CONNECT2;
2181                         result = L2CAP_CR_PEND;
2182                         status = L2CAP_CS_AUTHEN_PEND;
2183                 }
2184         } else {
2185                 sk->sk_state = BT_CONNECT2;
2186                 result = L2CAP_CR_PEND;
2187                 status = L2CAP_CS_NO_INFO;
2188         }
2189
2190         write_unlock_bh(&conn->chan_lock);
2191
2192 response:
2193         bh_unlock_sock(parent);
2194
2195 sendresp:
2196         rsp.scid   = cpu_to_le16(scid);
2197         rsp.dcid   = cpu_to_le16(dcid);
2198         rsp.result = cpu_to_le16(result);
2199         rsp.status = cpu_to_le16(status);
2200         l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2201
2202         if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2203                 struct l2cap_info_req info;
2204                 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2205
2206                 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2207                 conn->info_ident = l2cap_get_ident(conn);
2208
2209                 mod_timer(&conn->info_timer, jiffies +
2210                                         msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2211
2212                 l2cap_send_cmd(conn, conn->info_ident,
2213                                         L2CAP_INFO_REQ, sizeof(info), &info);
2214         }
2215
2216         if (chan && !(chan->conf_state & L2CAP_CONF_REQ_SENT) &&
2217                                 result == L2CAP_CR_SUCCESS) {
2218                 u8 buf[128];
2219                 chan->conf_state |= L2CAP_CONF_REQ_SENT;
2220                 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2221                                         l2cap_build_conf_req(chan, buf), buf);
2222                 chan->num_conf_req++;
2223         }
2224
2225         return 0;
2226 }
2227
2228 static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2229 {
2230         struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2231         u16 scid, dcid, result, status;
2232         struct l2cap_chan *chan;
2233         struct sock *sk;
2234         u8 req[128];
2235
2236         scid   = __le16_to_cpu(rsp->scid);
2237         dcid   = __le16_to_cpu(rsp->dcid);
2238         result = __le16_to_cpu(rsp->result);
2239         status = __le16_to_cpu(rsp->status);
2240
2241         BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2242
2243         if (scid) {
2244                 chan = l2cap_get_chan_by_scid(conn, scid);
2245                 if (!chan)
2246                         return -EFAULT;
2247         } else {
2248                 chan = l2cap_get_chan_by_ident(conn, cmd->ident);
2249                 if (!chan)
2250                         return -EFAULT;
2251         }
2252
2253         sk = chan->sk;
2254
2255         switch (result) {
2256         case L2CAP_CR_SUCCESS:
2257                 sk->sk_state = BT_CONFIG;
2258                 chan->ident = 0;
2259                 chan->dcid = dcid;
2260                 chan->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
2261
2262                 if (chan->conf_state & L2CAP_CONF_REQ_SENT)
2263                         break;
2264
2265                 chan->conf_state |= L2CAP_CONF_REQ_SENT;
2266
2267                 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2268                                         l2cap_build_conf_req(chan, req), req);
2269                 chan->num_conf_req++;
2270                 break;
2271
2272         case L2CAP_CR_PEND:
2273                 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
2274                 break;
2275
2276         default:
2277                 /* don't delete l2cap channel if sk is owned by user */
2278                 if (sock_owned_by_user(sk)) {
2279                         sk->sk_state = BT_DISCONN;
2280                         l2cap_sock_clear_timer(sk);
2281                         l2cap_sock_set_timer(sk, HZ / 5);
2282                         break;
2283                 }
2284
2285                 l2cap_chan_del(chan, ECONNREFUSED);
2286                 break;
2287         }
2288
2289         bh_unlock_sock(sk);
2290         return 0;
2291 }
2292
2293 static inline void set_default_fcs(struct l2cap_chan *chan)
2294 {
2295         struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
2296
2297         /* FCS is enabled only in ERTM or streaming mode, if one or both
2298          * sides request it.
2299          */
2300         if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
2301                 chan->fcs = L2CAP_FCS_NONE;
2302         else if (!(pi->chan->conf_state & L2CAP_CONF_NO_FCS_RECV))
2303                 chan->fcs = L2CAP_FCS_CRC16;
2304 }
2305
2306 static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
2307 {
2308         struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2309         u16 dcid, flags;
2310         u8 rsp[64];
2311         struct l2cap_chan *chan;
2312         struct sock *sk;
2313         int len;
2314
2315         dcid  = __le16_to_cpu(req->dcid);
2316         flags = __le16_to_cpu(req->flags);
2317
2318         BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2319
2320         chan = l2cap_get_chan_by_scid(conn, dcid);
2321         if (!chan)
2322                 return -ENOENT;
2323
2324         sk = chan->sk;
2325
2326         if ((bt_sk(sk)->defer_setup && sk->sk_state != BT_CONNECT2) ||
2327                  (!bt_sk(sk)->defer_setup && sk->sk_state != BT_CONFIG)) {
2328                 struct l2cap_cmd_rej rej;
2329
2330                 rej.reason = cpu_to_le16(0x0002);
2331                 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2332                                 sizeof(rej), &rej);
2333                 goto unlock;
2334         }
2335
2336         /* Reject if config buffer is too small. */
2337         len = cmd_len - sizeof(*req);
2338         if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
2339                 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2340                                 l2cap_build_conf_rsp(chan, rsp,
2341                                         L2CAP_CONF_REJECT, flags), rsp);
2342                 goto unlock;
2343         }
2344
2345         /* Store config. */
2346         memcpy(chan->conf_req + chan->conf_len, req->data, len);
2347         chan->conf_len += len;
2348
2349         if (flags & 0x0001) {
2350                 /* Incomplete config. Send empty response. */
2351                 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2352                                 l2cap_build_conf_rsp(chan, rsp,
2353                                         L2CAP_CONF_SUCCESS, 0x0001), rsp);
2354                 goto unlock;
2355         }
2356
2357         /* Complete config. */
2358         len = l2cap_parse_conf_req(chan, rsp);
2359         if (len < 0) {
2360                 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2361                 goto unlock;
2362         }
2363
2364         l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
2365         chan->num_conf_rsp++;
2366
2367         /* Reset config buffer. */
2368         chan->conf_len = 0;
2369
2370         if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE))
2371                 goto unlock;
2372
2373         if (chan->conf_state & L2CAP_CONF_INPUT_DONE) {
2374                 set_default_fcs(chan);
2375
2376                 sk->sk_state = BT_CONNECTED;
2377
2378                 chan->next_tx_seq = 0;
2379                 chan->expected_tx_seq = 0;
2380                 skb_queue_head_init(&chan->tx_q);
2381                 if (chan->mode == L2CAP_MODE_ERTM)
2382                         l2cap_ertm_init(chan);
2383
2384                 l2cap_chan_ready(sk);
2385                 goto unlock;
2386         }
2387
2388         if (!(chan->conf_state & L2CAP_CONF_REQ_SENT)) {
2389                 u8 buf[64];
2390                 chan->conf_state |= L2CAP_CONF_REQ_SENT;
2391                 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2392                                         l2cap_build_conf_req(chan, buf), buf);
2393                 chan->num_conf_req++;
2394         }
2395
2396 unlock:
2397         bh_unlock_sock(sk);
2398         return 0;
2399 }
2400
2401 static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2402 {
2403         struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2404         u16 scid, flags, result;
2405         struct l2cap_chan *chan;
2406         struct sock *sk;
2407         int len = cmd->len - sizeof(*rsp);
2408
2409         scid   = __le16_to_cpu(rsp->scid);
2410         flags  = __le16_to_cpu(rsp->flags);
2411         result = __le16_to_cpu(rsp->result);
2412
2413         BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2414                         scid, flags, result);
2415
2416         chan = l2cap_get_chan_by_scid(conn, scid);
2417         if (!chan)
2418                 return 0;
2419
2420         sk = chan->sk;
2421
2422         switch (result) {
2423         case L2CAP_CONF_SUCCESS:
2424                 l2cap_conf_rfc_get(chan, rsp->data, len);
2425                 break;
2426
2427         case L2CAP_CONF_UNACCEPT:
2428                 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
2429                         char req[64];
2430
2431                         if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
2432                                 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2433                                 goto done;
2434                         }
2435
2436                         /* throw out any old stored conf requests */
2437                         result = L2CAP_CONF_SUCCESS;
2438                         len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2439                                                                 req, &result);
2440                         if (len < 0) {
2441                                 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2442                                 goto done;
2443                         }
2444
2445                         l2cap_send_cmd(conn, l2cap_get_ident(conn),
2446                                                 L2CAP_CONF_REQ, len, req);
2447                         chan->num_conf_req++;
2448                         if (result != L2CAP_CONF_SUCCESS)
2449                                 goto done;
2450                         break;
2451                 }
2452
2453         default:
2454                 sk->sk_err = ECONNRESET;
2455                 l2cap_sock_set_timer(sk, HZ * 5);
2456                 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2457                 goto done;
2458         }
2459
2460         if (flags & 0x01)
2461                 goto done;
2462
2463         chan->conf_state |= L2CAP_CONF_INPUT_DONE;
2464
2465         if (chan->conf_state & L2CAP_CONF_OUTPUT_DONE) {
2466                 set_default_fcs(chan);
2467
2468                 sk->sk_state = BT_CONNECTED;
2469                 chan->next_tx_seq = 0;
2470                 chan->expected_tx_seq = 0;
2471                 skb_queue_head_init(&chan->tx_q);
2472                 if (chan->mode ==  L2CAP_MODE_ERTM)
2473                         l2cap_ertm_init(chan);
2474
2475                 l2cap_chan_ready(sk);
2476         }
2477
2478 done:
2479         bh_unlock_sock(sk);
2480         return 0;
2481 }
2482
2483 static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2484 {
2485         struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2486         struct l2cap_disconn_rsp rsp;
2487         u16 dcid, scid;
2488         struct l2cap_chan *chan;
2489         struct sock *sk;
2490
2491         scid = __le16_to_cpu(req->scid);
2492         dcid = __le16_to_cpu(req->dcid);
2493
2494         BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2495
2496         chan = l2cap_get_chan_by_scid(conn, dcid);
2497         if (!chan)
2498                 return 0;
2499
2500         sk = chan->sk;
2501
2502         rsp.dcid = cpu_to_le16(chan->scid);
2503         rsp.scid = cpu_to_le16(chan->dcid);
2504         l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2505
2506         sk->sk_shutdown = SHUTDOWN_MASK;
2507
2508         /* don't delete l2cap channel if sk is owned by user */
2509         if (sock_owned_by_user(sk)) {
2510                 sk->sk_state = BT_DISCONN;
2511                 l2cap_sock_clear_timer(sk);
2512                 l2cap_sock_set_timer(sk, HZ / 5);
2513                 bh_unlock_sock(sk);
2514                 return 0;
2515         }
2516
2517         l2cap_chan_del(chan, ECONNRESET);
2518         bh_unlock_sock(sk);
2519
2520         l2cap_sock_kill(sk);
2521         return 0;
2522 }
2523
2524 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2525 {
2526         struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2527         u16 dcid, scid;
2528         struct l2cap_chan *chan;
2529         struct sock *sk;
2530
2531         scid = __le16_to_cpu(rsp->scid);
2532         dcid = __le16_to_cpu(rsp->dcid);
2533
2534         BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2535
2536         chan = l2cap_get_chan_by_scid(conn, scid);
2537         if (!chan)
2538                 return 0;
2539
2540         sk = chan->sk;
2541
2542         /* don't delete l2cap channel if sk is owned by user */
2543         if (sock_owned_by_user(sk)) {
2544                 sk->sk_state = BT_DISCONN;
2545                 l2cap_sock_clear_timer(sk);
2546                 l2cap_sock_set_timer(sk, HZ / 5);
2547                 bh_unlock_sock(sk);
2548                 return 0;
2549         }
2550
2551         l2cap_chan_del(chan, 0);
2552         bh_unlock_sock(sk);
2553
2554         l2cap_sock_kill(sk);
2555         return 0;
2556 }
2557
2558 static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2559 {
2560         struct l2cap_info_req *req = (struct l2cap_info_req *) data;
2561         u16 type;
2562
2563         type = __le16_to_cpu(req->type);
2564
2565         BT_DBG("type 0x%4.4x", type);
2566
2567         if (type == L2CAP_IT_FEAT_MASK) {
2568                 u8 buf[8];
2569                 u32 feat_mask = l2cap_feat_mask;
2570                 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2571                 rsp->type   = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2572                 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2573                 if (!disable_ertm)
2574                         feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2575                                                          | L2CAP_FEAT_FCS;
2576                 put_unaligned_le32(feat_mask, rsp->data);
2577                 l2cap_send_cmd(conn, cmd->ident,
2578                                         L2CAP_INFO_RSP, sizeof(buf), buf);
2579         } else if (type == L2CAP_IT_FIXED_CHAN) {
2580                 u8 buf[12];
2581                 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2582                 rsp->type   = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2583                 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2584                 memcpy(buf + 4, l2cap_fixed_chan, 8);
2585                 l2cap_send_cmd(conn, cmd->ident,
2586                                         L2CAP_INFO_RSP, sizeof(buf), buf);
2587         } else {
2588                 struct l2cap_info_rsp rsp;
2589                 rsp.type   = cpu_to_le16(type);
2590                 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2591                 l2cap_send_cmd(conn, cmd->ident,
2592                                         L2CAP_INFO_RSP, sizeof(rsp), &rsp);
2593         }
2594
2595         return 0;
2596 }
2597
2598 static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2599 {
2600         struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
2601         u16 type, result;
2602
2603         type   = __le16_to_cpu(rsp->type);
2604         result = __le16_to_cpu(rsp->result);
2605
2606         BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2607
2608         /* L2CAP Info req/rsp are unbound to channels, add extra checks */
2609         if (cmd->ident != conn->info_ident ||
2610                         conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
2611                 return 0;
2612
2613         del_timer(&conn->info_timer);
2614
2615         if (result != L2CAP_IR_SUCCESS) {
2616                 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2617                 conn->info_ident = 0;
2618
2619                 l2cap_conn_start(conn);
2620
2621                 return 0;
2622         }
2623
2624         if (type == L2CAP_IT_FEAT_MASK) {
2625                 conn->feat_mask = get_unaligned_le32(rsp->data);
2626
2627                 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
2628                         struct l2cap_info_req req;
2629                         req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2630
2631                         conn->info_ident = l2cap_get_ident(conn);
2632
2633                         l2cap_send_cmd(conn, conn->info_ident,
2634                                         L2CAP_INFO_REQ, sizeof(req), &req);
2635                 } else {
2636                         conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2637                         conn->info_ident = 0;
2638
2639                         l2cap_conn_start(conn);
2640                 }
2641         } else if (type == L2CAP_IT_FIXED_CHAN) {
2642                 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2643                 conn->info_ident = 0;
2644
2645                 l2cap_conn_start(conn);
2646         }
2647
2648         return 0;
2649 }
2650
2651 static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
2652                                                         u16 to_multiplier)
2653 {
2654         u16 max_latency;
2655
2656         if (min > max || min < 6 || max > 3200)
2657                 return -EINVAL;
2658
2659         if (to_multiplier < 10 || to_multiplier > 3200)
2660                 return -EINVAL;
2661
2662         if (max >= to_multiplier * 8)
2663                 return -EINVAL;
2664
2665         max_latency = (to_multiplier * 8 / max) - 1;
2666         if (latency > 499 || latency > max_latency)
2667                 return -EINVAL;
2668
2669         return 0;
2670 }
2671
2672 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2673                                         struct l2cap_cmd_hdr *cmd, u8 *data)
2674 {
2675         struct hci_conn *hcon = conn->hcon;
2676         struct l2cap_conn_param_update_req *req;
2677         struct l2cap_conn_param_update_rsp rsp;
2678         u16 min, max, latency, to_multiplier, cmd_len;
2679         int err;
2680
2681         if (!(hcon->link_mode & HCI_LM_MASTER))
2682                 return -EINVAL;
2683
2684         cmd_len = __le16_to_cpu(cmd->len);
2685         if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
2686                 return -EPROTO;
2687
2688         req = (struct l2cap_conn_param_update_req *) data;
2689         min             = __le16_to_cpu(req->min);
2690         max             = __le16_to_cpu(req->max);
2691         latency         = __le16_to_cpu(req->latency);
2692         to_multiplier   = __le16_to_cpu(req->to_multiplier);
2693
2694         BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2695                                                 min, max, latency, to_multiplier);
2696
2697         memset(&rsp, 0, sizeof(rsp));
2698
2699         err = l2cap_check_conn_param(min, max, latency, to_multiplier);
2700         if (err)
2701                 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
2702         else
2703                 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
2704
2705         l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2706                                                         sizeof(rsp), &rsp);
2707
2708         if (!err)
2709                 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
2710
2711         return 0;
2712 }
2713
2714 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2715                         struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
2716 {
2717         int err = 0;
2718
2719         switch (cmd->code) {
2720         case L2CAP_COMMAND_REJ:
2721                 l2cap_command_rej(conn, cmd, data);
2722                 break;
2723
2724         case L2CAP_CONN_REQ:
2725                 err = l2cap_connect_req(conn, cmd, data);
2726                 break;
2727
2728         case L2CAP_CONN_RSP:
2729                 err = l2cap_connect_rsp(conn, cmd, data);
2730                 break;
2731
2732         case L2CAP_CONF_REQ:
2733                 err = l2cap_config_req(conn, cmd, cmd_len, data);
2734                 break;
2735
2736         case L2CAP_CONF_RSP:
2737                 err = l2cap_config_rsp(conn, cmd, data);
2738                 break;
2739
2740         case L2CAP_DISCONN_REQ:
2741                 err = l2cap_disconnect_req(conn, cmd, data);
2742                 break;
2743
2744         case L2CAP_DISCONN_RSP:
2745                 err = l2cap_disconnect_rsp(conn, cmd, data);
2746                 break;
2747
2748         case L2CAP_ECHO_REQ:
2749                 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
2750                 break;
2751
2752         case L2CAP_ECHO_RSP:
2753                 break;
2754
2755         case L2CAP_INFO_REQ:
2756                 err = l2cap_information_req(conn, cmd, data);
2757                 break;
2758
2759         case L2CAP_INFO_RSP:
2760                 err = l2cap_information_rsp(conn, cmd, data);
2761                 break;
2762
2763         default:
2764                 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
2765                 err = -EINVAL;
2766                 break;
2767         }
2768
2769         return err;
2770 }
2771
2772 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2773                                         struct l2cap_cmd_hdr *cmd, u8 *data)
2774 {
2775         switch (cmd->code) {
2776         case L2CAP_COMMAND_REJ:
2777                 return 0;
2778
2779         case L2CAP_CONN_PARAM_UPDATE_REQ:
2780                 return l2cap_conn_param_update_req(conn, cmd, data);
2781
2782         case L2CAP_CONN_PARAM_UPDATE_RSP:
2783                 return 0;
2784
2785         default:
2786                 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
2787                 return -EINVAL;
2788         }
2789 }
2790
2791 static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2792                                                         struct sk_buff *skb)
2793 {
2794         u8 *data = skb->data;
2795         int len = skb->len;
2796         struct l2cap_cmd_hdr cmd;
2797         int err;
2798
2799         l2cap_raw_recv(conn, skb);
2800
2801         while (len >= L2CAP_CMD_HDR_SIZE) {
2802                 u16 cmd_len;
2803                 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
2804                 data += L2CAP_CMD_HDR_SIZE;
2805                 len  -= L2CAP_CMD_HDR_SIZE;
2806
2807                 cmd_len = le16_to_cpu(cmd.len);
2808
2809                 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
2810
2811                 if (cmd_len > len || !cmd.ident) {
2812                         BT_DBG("corrupted command");
2813                         break;
2814                 }
2815
2816                 if (conn->hcon->type == LE_LINK)
2817                         err = l2cap_le_sig_cmd(conn, &cmd, data);
2818                 else
2819                         err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
2820
2821                 if (err) {
2822                         struct l2cap_cmd_rej rej;
2823
2824                         BT_ERR("Wrong link type (%d)", err);
2825
2826                         /* FIXME: Map err to a valid reason */
2827                         rej.reason = cpu_to_le16(0);
2828                         l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
2829                 }
2830
2831                 data += cmd_len;
2832                 len  -= cmd_len;
2833         }
2834
2835         kfree_skb(skb);
2836 }
2837
2838 static int l2cap_check_fcs(struct l2cap_chan *chan,  struct sk_buff *skb)
2839 {
2840         u16 our_fcs, rcv_fcs;
2841         int hdr_size = L2CAP_HDR_SIZE + 2;
2842
2843         if (chan->fcs == L2CAP_FCS_CRC16) {
2844                 skb_trim(skb, skb->len - 2);
2845                 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
2846                 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
2847
2848                 if (our_fcs != rcv_fcs)
2849                         return -EBADMSG;
2850         }
2851         return 0;
2852 }
2853
2854 static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
2855 {
2856         u16 control = 0;
2857
2858         chan->frames_sent = 0;
2859
2860         control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
2861
2862         if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
2863                 control |= L2CAP_SUPER_RCV_NOT_READY;
2864                 l2cap_send_sframe(chan, control);
2865                 chan->conn_state |= L2CAP_CONN_RNR_SENT;
2866         }
2867
2868         if (chan->conn_state & L2CAP_CONN_REMOTE_BUSY)
2869                 l2cap_retransmit_frames(chan);
2870
2871         l2cap_ertm_send(chan);
2872
2873         if (!(chan->conn_state & L2CAP_CONN_LOCAL_BUSY) &&
2874                         chan->frames_sent == 0) {
2875                 control |= L2CAP_SUPER_RCV_READY;
2876                 l2cap_send_sframe(chan, control);
2877         }
2878 }
2879
2880 static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u8 tx_seq, u8 sar)
2881 {
2882         struct sk_buff *next_skb;
2883         int tx_seq_offset, next_tx_seq_offset;
2884
2885         bt_cb(skb)->tx_seq = tx_seq;
2886         bt_cb(skb)->sar = sar;
2887
2888         next_skb = skb_peek(&chan->srej_q);
2889         if (!next_skb) {
2890                 __skb_queue_tail(&chan->srej_q, skb);
2891                 return 0;
2892         }
2893
2894         tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
2895         if (tx_seq_offset < 0)
2896                 tx_seq_offset += 64;
2897
2898         do {
2899                 if (bt_cb(next_skb)->tx_seq == tx_seq)
2900                         return -EINVAL;
2901
2902                 next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
2903                                                 chan->buffer_seq) % 64;
2904                 if (next_tx_seq_offset < 0)
2905                         next_tx_seq_offset += 64;
2906
2907                 if (next_tx_seq_offset > tx_seq_offset) {
2908                         __skb_queue_before(&chan->srej_q, next_skb, skb);
2909                         return 0;
2910                 }
2911
2912                 if (skb_queue_is_last(&chan->srej_q, next_skb))
2913                         break;
2914
2915         } while ((next_skb = skb_queue_next(&chan->srej_q, next_skb)));
2916
2917         __skb_queue_tail(&chan->srej_q, skb);
2918
2919         return 0;
2920 }
2921
2922 static int l2cap_ertm_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
2923 {
2924         struct sk_buff *_skb;
2925         int err;
2926
2927         switch (control & L2CAP_CTRL_SAR) {
2928         case L2CAP_SDU_UNSEGMENTED:
2929                 if (chan->conn_state & L2CAP_CONN_SAR_SDU)
2930                         goto drop;
2931
2932                 err = sock_queue_rcv_skb(chan->sk, skb);
2933                 if (!err)
2934                         return err;
2935
2936                 break;
2937
2938         case L2CAP_SDU_START:
2939                 if (chan->conn_state & L2CAP_CONN_SAR_SDU)
2940                         goto drop;
2941
2942                 chan->sdu_len = get_unaligned_le16(skb->data);
2943
2944                 if (chan->sdu_len > chan->imtu)
2945                         goto disconnect;
2946
2947                 chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
2948                 if (!chan->sdu)
2949                         return -ENOMEM;
2950
2951                 /* pull sdu_len bytes only after alloc, because of Local Busy
2952                  * condition we have to be sure that this will be executed
2953                  * only once, i.e., when alloc does not fail */
2954                 skb_pull(skb, 2);
2955
2956                 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
2957
2958                 chan->conn_state |= L2CAP_CONN_SAR_SDU;
2959                 chan->partial_sdu_len = skb->len;
2960                 break;
2961
2962         case L2CAP_SDU_CONTINUE:
2963                 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
2964                         goto disconnect;
2965
2966                 if (!chan->sdu)
2967                         goto disconnect;
2968
2969                 chan->partial_sdu_len += skb->len;
2970                 if (chan->partial_sdu_len > chan->sdu_len)
2971                         goto drop;
2972
2973                 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
2974
2975                 break;
2976
2977         case L2CAP_SDU_END:
2978                 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
2979                         goto disconnect;
2980
2981                 if (!chan->sdu)
2982                         goto disconnect;
2983
2984                 if (!(chan->conn_state & L2CAP_CONN_SAR_RETRY)) {
2985                         chan->partial_sdu_len += skb->len;
2986
2987                         if (chan->partial_sdu_len > chan->imtu)
2988                                 goto drop;
2989
2990                         if (chan->partial_sdu_len != chan->sdu_len)
2991                                 goto drop;
2992
2993                         memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
2994                 }
2995
2996                 _skb = skb_clone(chan->sdu, GFP_ATOMIC);
2997                 if (!_skb) {
2998                         chan->conn_state |= L2CAP_CONN_SAR_RETRY;
2999                         return -ENOMEM;
3000                 }
3001
3002                 err = sock_queue_rcv_skb(chan->sk, _skb);
3003                 if (err < 0) {
3004                         kfree_skb(_skb);
3005                         chan->conn_state |= L2CAP_CONN_SAR_RETRY;
3006                         return err;
3007                 }
3008
3009                 chan->conn_state &= ~L2CAP_CONN_SAR_RETRY;
3010                 chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
3011
3012                 kfree_skb(chan->sdu);
3013                 break;
3014         }
3015
3016         kfree_skb(skb);
3017         return 0;
3018
3019 drop:
3020         kfree_skb(chan->sdu);
3021         chan->sdu = NULL;
3022
3023 disconnect:
3024         l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3025         kfree_skb(skb);
3026         return 0;
3027 }
3028
3029 static int l2cap_try_push_rx_skb(struct l2cap_chan *chan)
3030 {
3031         struct sk_buff *skb;
3032         u16 control;
3033         int err;
3034
3035         while ((skb = skb_dequeue(&chan->busy_q))) {
3036                 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
3037                 err = l2cap_ertm_reassembly_sdu(chan, skb, control);
3038                 if (err < 0) {
3039                         skb_queue_head(&chan->busy_q, skb);
3040                         return -EBUSY;
3041                 }
3042
3043                 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
3044         }
3045
3046         if (!(chan->conn_state & L2CAP_CONN_RNR_SENT))
3047                 goto done;
3048
3049         control = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3050         control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
3051         l2cap_send_sframe(chan, control);
3052         chan->retry_count = 1;
3053
3054         del_timer(&chan->retrans_timer);
3055         __mod_monitor_timer();
3056
3057         chan->conn_state |= L2CAP_CONN_WAIT_F;
3058
3059 done:
3060         chan->conn_state &= ~L2CAP_CONN_LOCAL_BUSY;
3061         chan->conn_state &= ~L2CAP_CONN_RNR_SENT;
3062
3063         BT_DBG("chan %p, Exit local busy", chan);
3064
3065         return 0;
3066 }
3067
3068 static void l2cap_busy_work(struct work_struct *work)
3069 {
3070         DECLARE_WAITQUEUE(wait, current);
3071         struct l2cap_chan *chan =
3072                 container_of(work, struct l2cap_chan, busy_work);
3073         struct sock *sk = chan->sk;
3074         int n_tries = 0, timeo = HZ/5, err;
3075         struct sk_buff *skb;
3076
3077         lock_sock(sk);
3078
3079         add_wait_queue(sk_sleep(sk), &wait);
3080         while ((skb = skb_peek(&chan->busy_q))) {
3081                 set_current_state(TASK_INTERRUPTIBLE);
3082
3083                 if (n_tries++ > L2CAP_LOCAL_BUSY_TRIES) {
3084                         err = -EBUSY;
3085                         l2cap_send_disconn_req(chan->conn, chan, EBUSY);
3086                         break;
3087                 }
3088
3089                 if (!timeo)
3090                         timeo = HZ/5;
3091
3092                 if (signal_pending(current)) {
3093                         err = sock_intr_errno(timeo);
3094                         break;
3095                 }
3096
3097                 release_sock(sk);
3098                 timeo = schedule_timeout(timeo);
3099                 lock_sock(sk);
3100
3101                 err = sock_error(sk);
3102                 if (err)
3103                         break;
3104
3105                 if (l2cap_try_push_rx_skb(chan) == 0)
3106                         break;
3107         }
3108
3109         set_current_state(TASK_RUNNING);
3110         remove_wait_queue(sk_sleep(sk), &wait);
3111
3112         release_sock(sk);
3113 }
3114
3115 static int l2cap_push_rx_skb(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
3116 {
3117         int sctrl, err;
3118
3119         if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
3120                 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
3121                 __skb_queue_tail(&chan->busy_q, skb);
3122                 return l2cap_try_push_rx_skb(chan);
3123
3124
3125         }
3126
3127         err = l2cap_ertm_reassembly_sdu(chan, skb, control);
3128         if (err >= 0) {
3129                 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
3130                 return err;
3131         }
3132
3133         /* Busy Condition */
3134         BT_DBG("chan %p, Enter local busy", chan);
3135
3136         chan->conn_state |= L2CAP_CONN_LOCAL_BUSY;
3137         bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
3138         __skb_queue_tail(&chan->busy_q, skb);
3139
3140         sctrl = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3141         sctrl |= L2CAP_SUPER_RCV_NOT_READY;
3142         l2cap_send_sframe(chan, sctrl);
3143
3144         chan->conn_state |= L2CAP_CONN_RNR_SENT;
3145
3146         del_timer(&chan->ack_timer);
3147
3148         queue_work(_busy_wq, &chan->busy_work);
3149
3150         return err;
3151 }
3152
3153 static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
3154 {
3155         struct sk_buff *_skb;
3156         int err = -EINVAL;
3157
3158         /*
3159          * TODO: We have to notify the userland if some data is lost with the
3160          * Streaming Mode.
3161          */
3162
3163         switch (control & L2CAP_CTRL_SAR) {
3164         case L2CAP_SDU_UNSEGMENTED:
3165                 if (chan->conn_state & L2CAP_CONN_SAR_SDU) {
3166                         kfree_skb(chan->sdu);
3167                         break;
3168                 }
3169
3170                 err = sock_queue_rcv_skb(chan->sk, skb);
3171                 if (!err)
3172                         return 0;
3173
3174                 break;
3175
3176         case L2CAP_SDU_START:
3177                 if (chan->conn_state & L2CAP_CONN_SAR_SDU) {
3178                         kfree_skb(chan->sdu);
3179                         break;
3180                 }
3181
3182                 chan->sdu_len = get_unaligned_le16(skb->data);
3183                 skb_pull(skb, 2);
3184
3185                 if (chan->sdu_len > chan->imtu) {
3186                         err = -EMSGSIZE;
3187                         break;
3188                 }
3189
3190                 chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
3191                 if (!chan->sdu) {
3192                         err = -ENOMEM;
3193                         break;
3194                 }
3195
3196                 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
3197
3198                 chan->conn_state |= L2CAP_CONN_SAR_SDU;
3199                 chan->partial_sdu_len = skb->len;
3200                 err = 0;
3201                 break;
3202
3203         case L2CAP_SDU_CONTINUE:
3204                 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
3205                         break;
3206
3207                 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
3208
3209                 chan->partial_sdu_len += skb->len;
3210                 if (chan->partial_sdu_len > chan->sdu_len)
3211                         kfree_skb(chan->sdu);
3212                 else
3213                         err = 0;
3214
3215                 break;
3216
3217         case L2CAP_SDU_END:
3218                 if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
3219                         break;
3220
3221                 memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
3222
3223                 chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
3224                 chan->partial_sdu_len += skb->len;
3225
3226                 if (chan->partial_sdu_len > chan->imtu)
3227                         goto drop;
3228
3229                 if (chan->partial_sdu_len == chan->sdu_len) {
3230                         _skb = skb_clone(chan->sdu, GFP_ATOMIC);
3231                         err = sock_queue_rcv_skb(chan->sk, _skb);
3232                         if (err < 0)
3233                                 kfree_skb(_skb);
3234                 }
3235                 err = 0;
3236
3237 drop:
3238                 kfree_skb(chan->sdu);
3239                 break;
3240         }
3241
3242         kfree_skb(skb);
3243         return err;
3244 }
3245
3246 static void l2cap_check_srej_gap(struct l2cap_chan *chan, u8 tx_seq)
3247 {
3248         struct sk_buff *skb;
3249         u16 control;
3250
3251         while ((skb = skb_peek(&chan->srej_q))) {
3252                 if (bt_cb(skb)->tx_seq != tx_seq)
3253                         break;
3254
3255                 skb = skb_dequeue(&chan->srej_q);
3256                 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
3257                 l2cap_ertm_reassembly_sdu(chan, skb, control);
3258                 chan->buffer_seq_srej =
3259                         (chan->buffer_seq_srej + 1) % 64;
3260                 tx_seq = (tx_seq + 1) % 64;
3261         }
3262 }
3263
3264 static void l2cap_resend_srejframe(struct l2cap_chan *chan, u8 tx_seq)
3265 {
3266         struct srej_list *l, *tmp;
3267         u16 control;
3268
3269         list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
3270                 if (l->tx_seq == tx_seq) {
3271                         list_del(&l->list);
3272                         kfree(l);
3273                         return;
3274                 }
3275                 control = L2CAP_SUPER_SELECT_REJECT;
3276                 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3277                 l2cap_send_sframe(chan, control);
3278                 list_del(&l->list);
3279                 list_add_tail(&l->list, &chan->srej_l);
3280         }
3281 }
3282
3283 static void l2cap_send_srejframe(struct l2cap_chan *chan, u8 tx_seq)
3284 {
3285         struct srej_list *new;
3286         u16 control;
3287
3288         while (tx_seq != chan->expected_tx_seq) {
3289                 control = L2CAP_SUPER_SELECT_REJECT;
3290                 control |= chan->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3291                 l2cap_send_sframe(chan, control);
3292
3293                 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
3294                 new->tx_seq = chan->expected_tx_seq;
3295                 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
3296                 list_add_tail(&new->list, &chan->srej_l);
3297         }
3298         chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
3299 }
3300
3301 static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
3302 {
3303         u8 tx_seq = __get_txseq(rx_control);
3304         u8 req_seq = __get_reqseq(rx_control);
3305         u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
3306         int tx_seq_offset, expected_tx_seq_offset;
3307         int num_to_ack = (chan->tx_win/6) + 1;
3308         int err = 0;
3309
3310         BT_DBG("chan %p len %d tx_seq %d rx_control 0x%4.4x", chan, skb->len,
3311                                                         tx_seq, rx_control);
3312
3313         if (L2CAP_CTRL_FINAL & rx_control &&
3314                         chan->conn_state & L2CAP_CONN_WAIT_F) {
3315                 del_timer(&chan->monitor_timer);
3316                 if (chan->unacked_frames > 0)
3317                         __mod_retrans_timer();
3318                 chan->conn_state &= ~L2CAP_CONN_WAIT_F;
3319         }
3320
3321         chan->expected_ack_seq = req_seq;
3322         l2cap_drop_acked_frames(chan);
3323
3324         if (tx_seq == chan->expected_tx_seq)
3325                 goto expected;
3326
3327         tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
3328         if (tx_seq_offset < 0)
3329                 tx_seq_offset += 64;
3330
3331         /* invalid tx_seq */
3332         if (tx_seq_offset >= chan->tx_win) {
3333                 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3334                 goto drop;
3335         }
3336
3337         if (chan->conn_state == L2CAP_CONN_LOCAL_BUSY)
3338                 goto drop;
3339
3340         if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
3341                 struct srej_list *first;
3342
3343                 first = list_first_entry(&chan->srej_l,
3344                                 struct srej_list, list);
3345                 if (tx_seq == first->tx_seq) {
3346                         l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
3347                         l2cap_check_srej_gap(chan, tx_seq);
3348
3349                         list_del(&first->list);
3350                         kfree(first);
3351
3352                         if (list_empty(&chan->srej_l)) {
3353                                 chan->buffer_seq = chan->buffer_seq_srej;
3354                                 chan->conn_state &= ~L2CAP_CONN_SREJ_SENT;
3355                                 l2cap_send_ack(chan);
3356                                 BT_DBG("chan %p, Exit SREJ_SENT", chan);
3357                         }
3358                 } else {
3359                         struct srej_list *l;
3360
3361                         /* duplicated tx_seq */
3362                         if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
3363                                 goto drop;
3364
3365                         list_for_each_entry(l, &chan->srej_l, list) {
3366                                 if (l->tx_seq == tx_seq) {
3367                                         l2cap_resend_srejframe(chan, tx_seq);
3368                                         return 0;
3369                                 }
3370                         }
3371                         l2cap_send_srejframe(chan, tx_seq);
3372                 }
3373         } else {
3374                 expected_tx_seq_offset =
3375                         (chan->expected_tx_seq - chan->buffer_seq) % 64;
3376                 if (expected_tx_seq_offset < 0)
3377                         expected_tx_seq_offset += 64;
3378
3379                 /* duplicated tx_seq */
3380                 if (tx_seq_offset < expected_tx_seq_offset)
3381                         goto drop;
3382
3383                 chan->conn_state |= L2CAP_CONN_SREJ_SENT;
3384
3385                 BT_DBG("chan %p, Enter SREJ", chan);
3386
3387                 INIT_LIST_HEAD(&chan->srej_l);
3388                 chan->buffer_seq_srej = chan->buffer_seq;
3389
3390                 __skb_queue_head_init(&chan->srej_q);
3391                 __skb_queue_head_init(&chan->busy_q);
3392                 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
3393
3394                 chan->conn_state |= L2CAP_CONN_SEND_PBIT;
3395
3396                 l2cap_send_srejframe(chan, tx_seq);
3397
3398                 del_timer(&chan->ack_timer);
3399         }
3400         return 0;
3401
3402 expected:
3403         chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
3404
3405         if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
3406                 bt_cb(skb)->tx_seq = tx_seq;
3407                 bt_cb(skb)->sar = sar;
3408                 __skb_queue_tail(&chan->srej_q, skb);
3409                 return 0;
3410         }
3411
3412         err = l2cap_push_rx_skb(chan, skb, rx_control);
3413         if (err < 0)
3414                 return 0;
3415
3416         if (rx_control & L2CAP_CTRL_FINAL) {
3417                 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3418                         chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
3419                 else
3420                         l2cap_retransmit_frames(chan);
3421         }
3422
3423         __mod_ack_timer();
3424
3425         chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3426         if (chan->num_acked == num_to_ack - 1)
3427                 l2cap_send_ack(chan);
3428
3429         return 0;
3430
3431 drop:
3432         kfree_skb(skb);
3433         return 0;
3434 }
3435
3436 static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u16 rx_control)
3437 {
3438         BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, __get_reqseq(rx_control),
3439                                                 rx_control);
3440
3441         chan->expected_ack_seq = __get_reqseq(rx_control);
3442         l2cap_drop_acked_frames(chan);
3443
3444         if (rx_control & L2CAP_CTRL_POLL) {
3445                 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3446                 if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
3447                         if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
3448                                         (chan->unacked_frames > 0))
3449                                 __mod_retrans_timer();
3450
3451                         chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3452                         l2cap_send_srejtail(chan);
3453                 } else {
3454                         l2cap_send_i_or_rr_or_rnr(chan);
3455                 }
3456
3457         } else if (rx_control & L2CAP_CTRL_FINAL) {
3458                 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3459
3460                 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3461                         chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
3462                 else
3463                         l2cap_retransmit_frames(chan);
3464
3465         } else {
3466                 if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
3467                                 (chan->unacked_frames > 0))
3468                         __mod_retrans_timer();
3469
3470                 chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3471                 if (chan->conn_state & L2CAP_CONN_SREJ_SENT)
3472                         l2cap_send_ack(chan);
3473                 else
3474                         l2cap_ertm_send(chan);
3475         }
3476 }
3477
3478 static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u16 rx_control)
3479 {
3480         u8 tx_seq = __get_reqseq(rx_control);
3481
3482         BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
3483
3484         chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3485
3486         chan->expected_ack_seq = tx_seq;
3487         l2cap_drop_acked_frames(chan);
3488
3489         if (rx_control & L2CAP_CTRL_FINAL) {
3490                 if (chan->conn_state & L2CAP_CONN_REJ_ACT)
3491                         chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
3492                 else
3493                         l2cap_retransmit_frames(chan);
3494         } else {
3495                 l2cap_retransmit_frames(chan);
3496
3497                 if (chan->conn_state & L2CAP_CONN_WAIT_F)
3498                         chan->conn_state |= L2CAP_CONN_REJ_ACT;
3499         }
3500 }
3501 static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u16 rx_control)
3502 {
3503         u8 tx_seq = __get_reqseq(rx_control);
3504
3505         BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
3506
3507         chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3508
3509         if (rx_control & L2CAP_CTRL_POLL) {
3510                 chan->expected_ack_seq = tx_seq;
3511                 l2cap_drop_acked_frames(chan);
3512
3513                 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3514                 l2cap_retransmit_one_frame(chan, tx_seq);
3515
3516                 l2cap_ertm_send(chan);
3517
3518                 if (chan->conn_state & L2CAP_CONN_WAIT_F) {
3519                         chan->srej_save_reqseq = tx_seq;
3520                         chan->conn_state |= L2CAP_CONN_SREJ_ACT;
3521                 }
3522         } else if (rx_control & L2CAP_CTRL_FINAL) {
3523                 if ((chan->conn_state & L2CAP_CONN_SREJ_ACT) &&
3524                                 chan->srej_save_reqseq == tx_seq)
3525                         chan->conn_state &= ~L2CAP_CONN_SREJ_ACT;
3526                 else
3527                         l2cap_retransmit_one_frame(chan, tx_seq);
3528         } else {
3529                 l2cap_retransmit_one_frame(chan, tx_seq);
3530                 if (chan->conn_state & L2CAP_CONN_WAIT_F) {
3531                         chan->srej_save_reqseq = tx_seq;
3532                         chan->conn_state |= L2CAP_CONN_SREJ_ACT;
3533                 }
3534         }
3535 }
3536
3537 static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u16 rx_control)
3538 {
3539         u8 tx_seq = __get_reqseq(rx_control);
3540
3541         BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
3542
3543         chan->conn_state |= L2CAP_CONN_REMOTE_BUSY;
3544         chan->expected_ack_seq = tx_seq;
3545         l2cap_drop_acked_frames(chan);
3546
3547         if (rx_control & L2CAP_CTRL_POLL)
3548                 chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3549
3550         if (!(chan->conn_state & L2CAP_CONN_SREJ_SENT)) {
3551                 del_timer(&chan->retrans_timer);
3552                 if (rx_control & L2CAP_CTRL_POLL)
3553                         l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
3554                 return;
3555         }
3556
3557         if (rx_control & L2CAP_CTRL_POLL)
3558                 l2cap_send_srejtail(chan);
3559         else
3560                 l2cap_send_sframe(chan, L2CAP_SUPER_RCV_READY);
3561 }
3562
3563 static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
3564 {
3565         BT_DBG("chan %p rx_control 0x%4.4x len %d", chan, rx_control, skb->len);
3566
3567         if (L2CAP_CTRL_FINAL & rx_control &&
3568                         chan->conn_state & L2CAP_CONN_WAIT_F) {
3569                 del_timer(&chan->monitor_timer);
3570                 if (chan->unacked_frames > 0)
3571                         __mod_retrans_timer();
3572                 chan->conn_state &= ~L2CAP_CONN_WAIT_F;
3573         }
3574
3575         switch (rx_control & L2CAP_CTRL_SUPERVISE) {
3576         case L2CAP_SUPER_RCV_READY:
3577                 l2cap_data_channel_rrframe(chan, rx_control);
3578                 break;
3579
3580         case L2CAP_SUPER_REJECT:
3581                 l2cap_data_channel_rejframe(chan, rx_control);
3582                 break;
3583
3584         case L2CAP_SUPER_SELECT_REJECT:
3585                 l2cap_data_channel_srejframe(chan, rx_control);
3586                 break;
3587
3588         case L2CAP_SUPER_RCV_NOT_READY:
3589                 l2cap_data_channel_rnrframe(chan, rx_control);
3590                 break;
3591         }
3592
3593         kfree_skb(skb);
3594         return 0;
3595 }
3596
3597 static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
3598 {
3599         struct l2cap_chan *chan = l2cap_pi(sk)->chan;
3600         u16 control;
3601         u8 req_seq;
3602         int len, next_tx_seq_offset, req_seq_offset;
3603
3604         control = get_unaligned_le16(skb->data);
3605         skb_pull(skb, 2);
3606         len = skb->len;
3607
3608         /*
3609          * We can just drop the corrupted I-frame here.
3610          * Receiver will miss it and start proper recovery
3611          * procedures and ask retransmission.
3612          */
3613         if (l2cap_check_fcs(chan, skb))
3614                 goto drop;
3615
3616         if (__is_sar_start(control) && __is_iframe(control))
3617                 len -= 2;
3618
3619         if (chan->fcs == L2CAP_FCS_CRC16)
3620                 len -= 2;
3621
3622         if (len > chan->mps) {
3623                 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3624                 goto drop;
3625         }
3626
3627         req_seq = __get_reqseq(control);
3628         req_seq_offset = (req_seq - chan->expected_ack_seq) % 64;
3629         if (req_seq_offset < 0)
3630                 req_seq_offset += 64;
3631
3632         next_tx_seq_offset =
3633                 (chan->next_tx_seq - chan->expected_ack_seq) % 64;
3634         if (next_tx_seq_offset < 0)
3635                 next_tx_seq_offset += 64;
3636
3637         /* check for invalid req-seq */
3638         if (req_seq_offset > next_tx_seq_offset) {
3639                 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3640                 goto drop;
3641         }
3642
3643         if (__is_iframe(control)) {
3644                 if (len < 0) {
3645                         l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3646                         goto drop;
3647                 }
3648
3649                 l2cap_data_channel_iframe(chan, control, skb);
3650         } else {
3651                 if (len != 0) {
3652                         BT_ERR("%d", len);
3653                         l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3654                         goto drop;
3655                 }
3656
3657                 l2cap_data_channel_sframe(chan, control, skb);
3658         }
3659
3660         return 0;
3661
3662 drop:
3663         kfree_skb(skb);
3664         return 0;
3665 }
3666
3667 static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
3668 {
3669         struct l2cap_chan *chan;
3670         struct sock *sk = NULL;
3671         struct l2cap_pinfo *pi;
3672         u16 control;
3673         u8 tx_seq;
3674         int len;
3675
3676         chan = l2cap_get_chan_by_scid(conn, cid);
3677         if (!chan) {
3678                 BT_DBG("unknown cid 0x%4.4x", cid);
3679                 goto drop;
3680         }
3681
3682         sk = chan->sk;
3683         pi = l2cap_pi(sk);
3684
3685         BT_DBG("chan %p, len %d", chan, skb->len);
3686
3687         if (sk->sk_state != BT_CONNECTED)
3688                 goto drop;
3689
3690         switch (chan->mode) {
3691         case L2CAP_MODE_BASIC:
3692                 /* If socket recv buffers overflows we drop data here
3693                  * which is *bad* because L2CAP has to be reliable.
3694                  * But we don't have any other choice. L2CAP doesn't
3695                  * provide flow control mechanism. */
3696
3697                 if (chan->imtu < skb->len)
3698                         goto drop;
3699
3700                 if (!sock_queue_rcv_skb(sk, skb))
3701                         goto done;
3702                 break;
3703
3704         case L2CAP_MODE_ERTM:
3705                 if (!sock_owned_by_user(sk)) {
3706                         l2cap_ertm_data_rcv(sk, skb);
3707                 } else {
3708                         if (sk_add_backlog(sk, skb))
3709                                 goto drop;
3710                 }
3711
3712                 goto done;
3713
3714         case L2CAP_MODE_STREAMING:
3715                 control = get_unaligned_le16(skb->data);
3716                 skb_pull(skb, 2);
3717                 len = skb->len;
3718
3719                 if (l2cap_check_fcs(chan, skb))
3720                         goto drop;
3721
3722                 if (__is_sar_start(control))
3723                         len -= 2;
3724
3725                 if (chan->fcs == L2CAP_FCS_CRC16)
3726                         len -= 2;
3727
3728                 if (len > chan->mps || len < 0 || __is_sframe(control))
3729                         goto drop;
3730
3731                 tx_seq = __get_txseq(control);
3732
3733                 if (chan->expected_tx_seq == tx_seq)
3734                         chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
3735                 else
3736                         chan->expected_tx_seq = (tx_seq + 1) % 64;
3737
3738                 l2cap_streaming_reassembly_sdu(chan, skb, control);
3739
3740                 goto done;
3741
3742         default:
3743                 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
3744                 break;
3745         }
3746
3747 drop:
3748         kfree_skb(skb);
3749
3750 done:
3751         if (sk)
3752                 bh_unlock_sock(sk);
3753
3754         return 0;
3755 }
3756
3757 static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
3758 {
3759         struct sock *sk = NULL;
3760         struct l2cap_chan *chan;
3761
3762         chan = l2cap_global_chan_by_psm(0, psm, conn->src);
3763         if (!chan)
3764                 goto drop;
3765
3766         sk = chan->sk;
3767
3768         bh_lock_sock(sk);
3769
3770         BT_DBG("sk %p, len %d", sk, skb->len);
3771
3772         if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
3773                 goto drop;
3774
3775         if (l2cap_pi(sk)->chan->imtu < skb->len)
3776                 goto drop;
3777
3778         if (!sock_queue_rcv_skb(sk, skb))
3779                 goto done;
3780
3781 drop:
3782         kfree_skb(skb);
3783
3784 done:
3785         if (sk)
3786                 bh_unlock_sock(sk);
3787         return 0;
3788 }
3789
3790 static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
3791 {
3792         struct sock *sk = NULL;
3793         struct l2cap_chan *chan;
3794
3795         chan = l2cap_global_chan_by_scid(0, cid, conn->src);
3796         if (!chan)
3797                 goto drop;
3798
3799         sk = chan->sk;
3800
3801         bh_lock_sock(sk);
3802
3803         BT_DBG("sk %p, len %d", sk, skb->len);
3804
3805         if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
3806                 goto drop;
3807
3808         if (l2cap_pi(sk)->chan->imtu < skb->len)
3809                 goto drop;
3810
3811         if (!sock_queue_rcv_skb(sk, skb))
3812                 goto done;
3813
3814 drop:
3815         kfree_skb(skb);
3816
3817 done:
3818         if (sk)
3819                 bh_unlock_sock(sk);
3820         return 0;
3821 }
3822
3823 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
3824 {
3825         struct l2cap_hdr *lh = (void *) skb->data;
3826         u16 cid, len;
3827         __le16 psm;
3828
3829         skb_pull(skb, L2CAP_HDR_SIZE);
3830         cid = __le16_to_cpu(lh->cid);
3831         len = __le16_to_cpu(lh->len);
3832
3833         if (len != skb->len) {
3834                 kfree_skb(skb);
3835                 return;
3836         }
3837
3838         BT_DBG("len %d, cid 0x%4.4x", len, cid);
3839
3840         switch (cid) {
3841         case L2CAP_CID_LE_SIGNALING:
3842         case L2CAP_CID_SIGNALING:
3843                 l2cap_sig_channel(conn, skb);
3844                 break;
3845
3846         case L2CAP_CID_CONN_LESS:
3847                 psm = get_unaligned_le16(skb->data);
3848                 skb_pull(skb, 2);
3849                 l2cap_conless_channel(conn, psm, skb);
3850                 break;
3851
3852         case L2CAP_CID_LE_DATA:
3853                 l2cap_att_channel(conn, cid, skb);
3854                 break;
3855
3856         default:
3857                 l2cap_data_channel(conn, cid, skb);
3858                 break;
3859         }
3860 }
3861
3862 /* ---- L2CAP interface with lower layer (HCI) ---- */
3863
3864 static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
3865 {
3866         int exact = 0, lm1 = 0, lm2 = 0;
3867         struct l2cap_chan *c;
3868
3869         if (type != ACL_LINK)
3870                 return -EINVAL;
3871
3872         BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
3873
3874         /* Find listening sockets and check their link_mode */
3875         read_lock(&chan_list_lock);
3876         list_for_each_entry(c, &chan_list, global_l) {
3877                 struct sock *sk = c->sk;
3878
3879                 if (sk->sk_state != BT_LISTEN)
3880                         continue;
3881
3882                 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
3883                         lm1 |= HCI_LM_ACCEPT;
3884                         if (c->role_switch)
3885                                 lm1 |= HCI_LM_MASTER;
3886                         exact++;
3887                 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
3888                         lm2 |= HCI_LM_ACCEPT;
3889                         if (c->role_switch)
3890                                 lm2 |= HCI_LM_MASTER;
3891                 }
3892         }
3893         read_unlock(&chan_list_lock);
3894
3895         return exact ? lm1 : lm2;
3896 }
3897
3898 static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
3899 {
3900         struct l2cap_conn *conn;
3901
3902         BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
3903
3904         if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
3905                 return -EINVAL;
3906
3907         if (!status) {
3908                 conn = l2cap_conn_add(hcon, status);
3909                 if (conn)
3910                         l2cap_conn_ready(conn);
3911         } else
3912                 l2cap_conn_del(hcon, bt_err(status));
3913
3914         return 0;
3915 }
3916
3917 static int l2cap_disconn_ind(struct hci_conn *hcon)
3918 {
3919         struct l2cap_conn *conn = hcon->l2cap_data;
3920
3921         BT_DBG("hcon %p", hcon);
3922
3923         if (hcon->type != ACL_LINK || !conn)
3924                 return 0x13;
3925
3926         return conn->disc_reason;
3927 }
3928
3929 static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
3930 {
3931         BT_DBG("hcon %p reason %d", hcon, reason);
3932
3933         if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
3934                 return -EINVAL;
3935
3936         l2cap_conn_del(hcon, bt_err(reason));
3937
3938         return 0;
3939 }
3940
3941 static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
3942 {
3943         struct sock *sk = chan->sk;
3944
3945         if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM)
3946                 return;
3947
3948         if (encrypt == 0x00) {
3949                 if (chan->sec_level == BT_SECURITY_MEDIUM) {
3950                         l2cap_sock_clear_timer(sk);
3951                         l2cap_sock_set_timer(sk, HZ * 5);
3952                 } else if (chan->sec_level == BT_SECURITY_HIGH)
3953                         __l2cap_sock_close(sk, ECONNREFUSED);
3954         } else {
3955                 if (chan->sec_level == BT_SECURITY_MEDIUM)
3956                         l2cap_sock_clear_timer(sk);
3957         }
3958 }
3959
3960 static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
3961 {
3962         struct l2cap_conn *conn = hcon->l2cap_data;
3963         struct l2cap_chan *chan;
3964
3965         if (!conn)
3966                 return 0;
3967
3968         BT_DBG("conn %p", conn);
3969
3970         read_lock(&conn->chan_lock);
3971
3972         list_for_each_entry(chan, &conn->chan_l, list) {
3973                 struct sock *sk = chan->sk;
3974
3975                 bh_lock_sock(sk);
3976
3977                 if (chan->conf_state & L2CAP_CONF_CONNECT_PEND) {
3978                         bh_unlock_sock(sk);
3979                         continue;
3980                 }
3981
3982                 if (!status && (sk->sk_state == BT_CONNECTED ||
3983                                                 sk->sk_state == BT_CONFIG)) {
3984                         l2cap_check_encryption(chan, encrypt);
3985                         bh_unlock_sock(sk);
3986                         continue;
3987                 }
3988
3989                 if (sk->sk_state == BT_CONNECT) {
3990                         if (!status) {
3991                                 struct l2cap_conn_req req;
3992                                 req.scid = cpu_to_le16(chan->scid);
3993                                 req.psm  = chan->psm;
3994
3995                                 chan->ident = l2cap_get_ident(conn);
3996                                 chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
3997
3998                                 l2cap_send_cmd(conn, chan->ident,
3999                                         L2CAP_CONN_REQ, sizeof(req), &req);
4000                         } else {
4001                                 l2cap_sock_clear_timer(sk);
4002                                 l2cap_sock_set_timer(sk, HZ / 10);
4003                         }
4004                 } else if (sk->sk_state == BT_CONNECT2) {
4005                         struct l2cap_conn_rsp rsp;
4006                         __u16 res, stat;
4007
4008                         if (!status) {
4009                                 if (bt_sk(sk)->defer_setup) {
4010                                         struct sock *parent = bt_sk(sk)->parent;
4011                                         res = L2CAP_CR_PEND;
4012                                         stat = L2CAP_CS_AUTHOR_PEND;
4013                                         parent->sk_data_ready(parent, 0);
4014                                 } else {
4015                                         sk->sk_state = BT_CONFIG;
4016                                         res = L2CAP_CR_SUCCESS;
4017                                         stat = L2CAP_CS_NO_INFO;
4018                                 }
4019                         } else {
4020                                 sk->sk_state = BT_DISCONN;
4021                                 l2cap_sock_set_timer(sk, HZ / 10);
4022                                 res = L2CAP_CR_SEC_BLOCK;
4023                                 stat = L2CAP_CS_NO_INFO;
4024                         }
4025
4026                         rsp.scid   = cpu_to_le16(chan->dcid);
4027                         rsp.dcid   = cpu_to_le16(chan->scid);
4028                         rsp.result = cpu_to_le16(res);
4029                         rsp.status = cpu_to_le16(stat);
4030                         l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4031                                                         sizeof(rsp), &rsp);
4032                 }
4033
4034                 bh_unlock_sock(sk);
4035         }
4036
4037         read_unlock(&conn->chan_lock);
4038
4039         return 0;
4040 }
4041
4042 static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4043 {
4044         struct l2cap_conn *conn = hcon->l2cap_data;
4045
4046         if (!conn)
4047                 conn = l2cap_conn_add(hcon, 0);
4048
4049         if (!conn)
4050                 goto drop;
4051
4052         BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4053
4054         if (!(flags & ACL_CONT)) {
4055                 struct l2cap_hdr *hdr;
4056                 struct l2cap_chan *chan;
4057                 u16 cid;
4058                 int len;
4059
4060                 if (conn->rx_len) {
4061                         BT_ERR("Unexpected start frame (len %d)", skb->len);
4062                         kfree_skb(conn->rx_skb);
4063                         conn->rx_skb = NULL;
4064                         conn->rx_len = 0;
4065                         l2cap_conn_unreliable(conn, ECOMM);
4066                 }
4067
4068                 /* Start fragment always begin with Basic L2CAP header */
4069                 if (skb->len < L2CAP_HDR_SIZE) {
4070                         BT_ERR("Frame is too short (len %d)", skb->len);
4071                         l2cap_conn_unreliable(conn, ECOMM);
4072                         goto drop;
4073                 }
4074
4075                 hdr = (struct l2cap_hdr *) skb->data;
4076                 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
4077                 cid = __le16_to_cpu(hdr->cid);
4078
4079                 if (len == skb->len) {
4080                         /* Complete frame received */
4081                         l2cap_recv_frame(conn, skb);
4082                         return 0;
4083                 }
4084
4085                 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4086
4087                 if (skb->len > len) {
4088                         BT_ERR("Frame is too long (len %d, expected len %d)",
4089                                 skb->len, len);
4090                         l2cap_conn_unreliable(conn, ECOMM);
4091                         goto drop;
4092                 }
4093
4094                 chan = l2cap_get_chan_by_scid(conn, cid);
4095
4096                 if (chan && chan->sk) {
4097                         struct sock *sk = chan->sk;
4098
4099                         if (chan->imtu < len - L2CAP_HDR_SIZE) {
4100                                 BT_ERR("Frame exceeding recv MTU (len %d, "
4101                                                         "MTU %d)", len,
4102                                                         chan->imtu);
4103                                 bh_unlock_sock(sk);
4104                                 l2cap_conn_unreliable(conn, ECOMM);
4105                                 goto drop;
4106                         }
4107                         bh_unlock_sock(sk);
4108                 }
4109
4110                 /* Allocate skb for the complete frame (with header) */
4111                 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4112                 if (!conn->rx_skb)
4113                         goto drop;
4114
4115                 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
4116                                                                 skb->len);
4117                 conn->rx_len = len - skb->len;
4118         } else {
4119                 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4120
4121                 if (!conn->rx_len) {
4122                         BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4123                         l2cap_conn_unreliable(conn, ECOMM);
4124                         goto drop;
4125                 }
4126
4127                 if (skb->len > conn->rx_len) {
4128                         BT_ERR("Fragment is too long (len %d, expected %d)",
4129                                         skb->len, conn->rx_len);
4130                         kfree_skb(conn->rx_skb);
4131                         conn->rx_skb = NULL;
4132                         conn->rx_len = 0;
4133                         l2cap_conn_unreliable(conn, ECOMM);
4134                         goto drop;
4135                 }
4136
4137                 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
4138                                                                 skb->len);
4139                 conn->rx_len -= skb->len;
4140
4141                 if (!conn->rx_len) {
4142                         /* Complete frame received */
4143                         l2cap_recv_frame(conn, conn->rx_skb);
4144                         conn->rx_skb = NULL;
4145                 }
4146         }
4147
4148 drop:
4149         kfree_skb(skb);
4150         return 0;
4151 }
4152
4153 static int l2cap_debugfs_show(struct seq_file *f, void *p)
4154 {
4155         struct l2cap_chan *c;
4156
4157         read_lock_bh(&chan_list_lock);
4158
4159         list_for_each_entry(c, &chan_list, global_l) {
4160                 struct sock *sk = c->sk;
4161
4162                 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
4163                                         batostr(&bt_sk(sk)->src),
4164                                         batostr(&bt_sk(sk)->dst),
4165                                         sk->sk_state, __le16_to_cpu(c->psm),
4166                                         c->scid, c->dcid, c->imtu, c->omtu,
4167                                         c->sec_level, c->mode);
4168         }
4169
4170         read_unlock_bh(&chan_list_lock);
4171
4172         return 0;
4173 }
4174
4175 static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4176 {
4177         return single_open(file, l2cap_debugfs_show, inode->i_private);
4178 }
4179
4180 static const struct file_operations l2cap_debugfs_fops = {
4181         .open           = l2cap_debugfs_open,
4182         .read           = seq_read,
4183         .llseek         = seq_lseek,
4184         .release        = single_release,
4185 };
4186
4187 static struct dentry *l2cap_debugfs;
4188
4189 static struct hci_proto l2cap_hci_proto = {
4190         .name           = "L2CAP",
4191         .id             = HCI_PROTO_L2CAP,
4192         .connect_ind    = l2cap_connect_ind,
4193         .connect_cfm    = l2cap_connect_cfm,
4194         .disconn_ind    = l2cap_disconn_ind,
4195         .disconn_cfm    = l2cap_disconn_cfm,
4196         .security_cfm   = l2cap_security_cfm,
4197         .recv_acldata   = l2cap_recv_acldata
4198 };
4199
4200 int __init l2cap_init(void)
4201 {
4202         int err;
4203
4204         err = l2cap_init_sockets();
4205         if (err < 0)
4206                 return err;
4207
4208         _busy_wq = create_singlethread_workqueue("l2cap");
4209         if (!_busy_wq) {
4210                 err = -ENOMEM;
4211                 goto error;
4212         }
4213
4214         err = hci_register_proto(&l2cap_hci_proto);
4215         if (err < 0) {
4216                 BT_ERR("L2CAP protocol registration failed");
4217                 bt_sock_unregister(BTPROTO_L2CAP);
4218                 goto error;
4219         }
4220
4221         if (bt_debugfs) {
4222                 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4223                                         bt_debugfs, NULL, &l2cap_debugfs_fops);
4224                 if (!l2cap_debugfs)
4225                         BT_ERR("Failed to create L2CAP debug file");
4226         }
4227
4228         return 0;
4229
4230 error:
4231         destroy_workqueue(_busy_wq);
4232         l2cap_cleanup_sockets();
4233         return err;
4234 }
4235
4236 void l2cap_exit(void)
4237 {
4238         debugfs_remove(l2cap_debugfs);
4239
4240         flush_workqueue(_busy_wq);
4241         destroy_workqueue(_busy_wq);
4242
4243         if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4244                 BT_ERR("L2CAP protocol unregistration failed");
4245
4246         l2cap_cleanup_sockets();
4247 }
4248
4249 module_param(disable_ertm, bool, 0644);
4250 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");