Merge branch 'for-3.5/core' of git://git.kernel.dk/linux-block
[platform/adaptation/renesas_rcar/renesas_kernel.git] / net / bluetooth / l2cap_core.c
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2000-2001 Qualcomm Incorporated
4    Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5    Copyright (C) 2010 Google Inc.
6    Copyright (C) 2011 ProFUSION Embedded Systems
7    Copyright (c) 2012 Code Aurora Forum.  All rights reserved.
8
9    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11    This program is free software; you can redistribute it and/or modify
12    it under the terms of the GNU General Public License version 2 as
13    published by the Free Software Foundation;
14
15    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
19    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
22    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
24    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
26    SOFTWARE IS DISCLAIMED.
27 */
28
29 /* Bluetooth L2CAP core. */
30
31 #include <linux/module.h>
32
33 #include <linux/types.h>
34 #include <linux/capability.h>
35 #include <linux/errno.h>
36 #include <linux/kernel.h>
37 #include <linux/sched.h>
38 #include <linux/slab.h>
39 #include <linux/poll.h>
40 #include <linux/fcntl.h>
41 #include <linux/init.h>
42 #include <linux/interrupt.h>
43 #include <linux/socket.h>
44 #include <linux/skbuff.h>
45 #include <linux/list.h>
46 #include <linux/device.h>
47 #include <linux/debugfs.h>
48 #include <linux/seq_file.h>
49 #include <linux/uaccess.h>
50 #include <linux/crc16.h>
51 #include <net/sock.h>
52
53 #include <asm/unaligned.h>
54
55 #include <net/bluetooth/bluetooth.h>
56 #include <net/bluetooth/hci_core.h>
57 #include <net/bluetooth/l2cap.h>
58 #include <net/bluetooth/smp.h>
59
60 bool disable_ertm;
61
62 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
63 static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
64
65 static LIST_HEAD(chan_list);
66 static DEFINE_RWLOCK(chan_list_lock);
67
68 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
69                                 u8 code, u8 ident, u16 dlen, void *data);
70 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
71                                                                 void *data);
72 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
73 static void l2cap_send_disconn_req(struct l2cap_conn *conn,
74                                    struct l2cap_chan *chan, int err);
75
76 /* ---- L2CAP channels ---- */
77
78 static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
79 {
80         struct l2cap_chan *c;
81
82         list_for_each_entry(c, &conn->chan_l, list) {
83                 if (c->dcid == cid)
84                         return c;
85         }
86         return NULL;
87 }
88
89 static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
90 {
91         struct l2cap_chan *c;
92
93         list_for_each_entry(c, &conn->chan_l, list) {
94                 if (c->scid == cid)
95                         return c;
96         }
97         return NULL;
98 }
99
100 /* Find channel with given SCID.
101  * Returns locked channel. */
102 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
103 {
104         struct l2cap_chan *c;
105
106         mutex_lock(&conn->chan_lock);
107         c = __l2cap_get_chan_by_scid(conn, cid);
108         if (c)
109                 l2cap_chan_lock(c);
110         mutex_unlock(&conn->chan_lock);
111
112         return c;
113 }
114
115 static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
116 {
117         struct l2cap_chan *c;
118
119         list_for_each_entry(c, &conn->chan_l, list) {
120                 if (c->ident == ident)
121                         return c;
122         }
123         return NULL;
124 }
125
126 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
127 {
128         struct l2cap_chan *c;
129
130         list_for_each_entry(c, &chan_list, global_l) {
131                 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
132                         return c;
133         }
134         return NULL;
135 }
136
137 int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
138 {
139         int err;
140
141         write_lock(&chan_list_lock);
142
143         if (psm && __l2cap_global_chan_by_addr(psm, src)) {
144                 err = -EADDRINUSE;
145                 goto done;
146         }
147
148         if (psm) {
149                 chan->psm = psm;
150                 chan->sport = psm;
151                 err = 0;
152         } else {
153                 u16 p;
154
155                 err = -EINVAL;
156                 for (p = 0x1001; p < 0x1100; p += 2)
157                         if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
158                                 chan->psm   = cpu_to_le16(p);
159                                 chan->sport = cpu_to_le16(p);
160                                 err = 0;
161                                 break;
162                         }
163         }
164
165 done:
166         write_unlock(&chan_list_lock);
167         return err;
168 }
169
170 int l2cap_add_scid(struct l2cap_chan *chan,  __u16 scid)
171 {
172         write_lock(&chan_list_lock);
173
174         chan->scid = scid;
175
176         write_unlock(&chan_list_lock);
177
178         return 0;
179 }
180
181 static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
182 {
183         u16 cid = L2CAP_CID_DYN_START;
184
185         for (; cid < L2CAP_CID_DYN_END; cid++) {
186                 if (!__l2cap_get_chan_by_scid(conn, cid))
187                         return cid;
188         }
189
190         return 0;
191 }
192
193 static void __l2cap_state_change(struct l2cap_chan *chan, int state)
194 {
195         BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
196                                                 state_to_string(state));
197
198         chan->state = state;
199         chan->ops->state_change(chan->data, state);
200 }
201
202 static void l2cap_state_change(struct l2cap_chan *chan, int state)
203 {
204         struct sock *sk = chan->sk;
205
206         lock_sock(sk);
207         __l2cap_state_change(chan, state);
208         release_sock(sk);
209 }
210
211 static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
212 {
213         struct sock *sk = chan->sk;
214
215         sk->sk_err = err;
216 }
217
218 static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
219 {
220         struct sock *sk = chan->sk;
221
222         lock_sock(sk);
223         __l2cap_chan_set_err(chan, err);
224         release_sock(sk);
225 }
226
227 /* ---- L2CAP sequence number lists ---- */
228
229 /* For ERTM, ordered lists of sequence numbers must be tracked for
230  * SREJ requests that are received and for frames that are to be
231  * retransmitted. These seq_list functions implement a singly-linked
232  * list in an array, where membership in the list can also be checked
233  * in constant time. Items can also be added to the tail of the list
234  * and removed from the head in constant time, without further memory
235  * allocs or frees.
236  */
237
238 static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
239 {
240         size_t alloc_size, i;
241
242         /* Allocated size is a power of 2 to map sequence numbers
243          * (which may be up to 14 bits) in to a smaller array that is
244          * sized for the negotiated ERTM transmit windows.
245          */
246         alloc_size = roundup_pow_of_two(size);
247
248         seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
249         if (!seq_list->list)
250                 return -ENOMEM;
251
252         seq_list->mask = alloc_size - 1;
253         seq_list->head = L2CAP_SEQ_LIST_CLEAR;
254         seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
255         for (i = 0; i < alloc_size; i++)
256                 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
257
258         return 0;
259 }
260
261 static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
262 {
263         kfree(seq_list->list);
264 }
265
266 static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
267                                            u16 seq)
268 {
269         /* Constant-time check for list membership */
270         return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
271 }
272
273 static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
274 {
275         u16 mask = seq_list->mask;
276
277         if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
278                 /* In case someone tries to pop the head of an empty list */
279                 return L2CAP_SEQ_LIST_CLEAR;
280         } else if (seq_list->head == seq) {
281                 /* Head can be removed in constant time */
282                 seq_list->head = seq_list->list[seq & mask];
283                 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
284
285                 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
286                         seq_list->head = L2CAP_SEQ_LIST_CLEAR;
287                         seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
288                 }
289         } else {
290                 /* Walk the list to find the sequence number */
291                 u16 prev = seq_list->head;
292                 while (seq_list->list[prev & mask] != seq) {
293                         prev = seq_list->list[prev & mask];
294                         if (prev == L2CAP_SEQ_LIST_TAIL)
295                                 return L2CAP_SEQ_LIST_CLEAR;
296                 }
297
298                 /* Unlink the number from the list and clear it */
299                 seq_list->list[prev & mask] = seq_list->list[seq & mask];
300                 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
301                 if (seq_list->tail == seq)
302                         seq_list->tail = prev;
303         }
304         return seq;
305 }
306
307 static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
308 {
309         /* Remove the head in constant time */
310         return l2cap_seq_list_remove(seq_list, seq_list->head);
311 }
312
313 static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
314 {
315         u16 i;
316
317         if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
318                 return;
319
320         for (i = 0; i <= seq_list->mask; i++)
321                 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
322
323         seq_list->head = L2CAP_SEQ_LIST_CLEAR;
324         seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
325 }
326
327 static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
328 {
329         u16 mask = seq_list->mask;
330
331         /* All appends happen in constant time */
332
333         if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
334                 return;
335
336         if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
337                 seq_list->head = seq;
338         else
339                 seq_list->list[seq_list->tail & mask] = seq;
340
341         seq_list->tail = seq;
342         seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
343 }
344
345 static void l2cap_chan_timeout(struct work_struct *work)
346 {
347         struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
348                                                         chan_timer.work);
349         struct l2cap_conn *conn = chan->conn;
350         int reason;
351
352         BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
353
354         mutex_lock(&conn->chan_lock);
355         l2cap_chan_lock(chan);
356
357         if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
358                 reason = ECONNREFUSED;
359         else if (chan->state == BT_CONNECT &&
360                                         chan->sec_level != BT_SECURITY_SDP)
361                 reason = ECONNREFUSED;
362         else
363                 reason = ETIMEDOUT;
364
365         l2cap_chan_close(chan, reason);
366
367         l2cap_chan_unlock(chan);
368
369         chan->ops->close(chan->data);
370         mutex_unlock(&conn->chan_lock);
371
372         l2cap_chan_put(chan);
373 }
374
375 struct l2cap_chan *l2cap_chan_create(void)
376 {
377         struct l2cap_chan *chan;
378
379         chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
380         if (!chan)
381                 return NULL;
382
383         mutex_init(&chan->lock);
384
385         write_lock(&chan_list_lock);
386         list_add(&chan->global_l, &chan_list);
387         write_unlock(&chan_list_lock);
388
389         INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
390
391         chan->state = BT_OPEN;
392
393         atomic_set(&chan->refcnt, 1);
394
395         BT_DBG("chan %p", chan);
396
397         return chan;
398 }
399
400 void l2cap_chan_destroy(struct l2cap_chan *chan)
401 {
402         write_lock(&chan_list_lock);
403         list_del(&chan->global_l);
404         write_unlock(&chan_list_lock);
405
406         l2cap_chan_put(chan);
407 }
408
409 void l2cap_chan_set_defaults(struct l2cap_chan *chan)
410 {
411         chan->fcs  = L2CAP_FCS_CRC16;
412         chan->max_tx = L2CAP_DEFAULT_MAX_TX;
413         chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
414         chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
415         chan->sec_level = BT_SECURITY_LOW;
416
417         set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
418 }
419
420 static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
421 {
422         BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
423                __le16_to_cpu(chan->psm), chan->dcid);
424
425         conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
426
427         chan->conn = conn;
428
429         switch (chan->chan_type) {
430         case L2CAP_CHAN_CONN_ORIENTED:
431                 if (conn->hcon->type == LE_LINK) {
432                         /* LE connection */
433                         chan->omtu = L2CAP_LE_DEFAULT_MTU;
434                         chan->scid = L2CAP_CID_LE_DATA;
435                         chan->dcid = L2CAP_CID_LE_DATA;
436                 } else {
437                         /* Alloc CID for connection-oriented socket */
438                         chan->scid = l2cap_alloc_cid(conn);
439                         chan->omtu = L2CAP_DEFAULT_MTU;
440                 }
441                 break;
442
443         case L2CAP_CHAN_CONN_LESS:
444                 /* Connectionless socket */
445                 chan->scid = L2CAP_CID_CONN_LESS;
446                 chan->dcid = L2CAP_CID_CONN_LESS;
447                 chan->omtu = L2CAP_DEFAULT_MTU;
448                 break;
449
450         default:
451                 /* Raw socket can send/recv signalling messages only */
452                 chan->scid = L2CAP_CID_SIGNALING;
453                 chan->dcid = L2CAP_CID_SIGNALING;
454                 chan->omtu = L2CAP_DEFAULT_MTU;
455         }
456
457         chan->local_id          = L2CAP_BESTEFFORT_ID;
458         chan->local_stype       = L2CAP_SERV_BESTEFFORT;
459         chan->local_msdu        = L2CAP_DEFAULT_MAX_SDU_SIZE;
460         chan->local_sdu_itime   = L2CAP_DEFAULT_SDU_ITIME;
461         chan->local_acc_lat     = L2CAP_DEFAULT_ACC_LAT;
462         chan->local_flush_to    = L2CAP_DEFAULT_FLUSH_TO;
463
464         l2cap_chan_hold(chan);
465
466         list_add(&chan->list, &conn->chan_l);
467 }
468
469 static void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
470 {
471         mutex_lock(&conn->chan_lock);
472         __l2cap_chan_add(conn, chan);
473         mutex_unlock(&conn->chan_lock);
474 }
475
476 static void l2cap_chan_del(struct l2cap_chan *chan, int err)
477 {
478         struct sock *sk = chan->sk;
479         struct l2cap_conn *conn = chan->conn;
480         struct sock *parent = bt_sk(sk)->parent;
481
482         __clear_chan_timer(chan);
483
484         BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
485
486         if (conn) {
487                 /* Delete from channel list */
488                 list_del(&chan->list);
489
490                 l2cap_chan_put(chan);
491
492                 chan->conn = NULL;
493                 hci_conn_put(conn->hcon);
494         }
495
496         lock_sock(sk);
497
498         __l2cap_state_change(chan, BT_CLOSED);
499         sock_set_flag(sk, SOCK_ZAPPED);
500
501         if (err)
502                 __l2cap_chan_set_err(chan, err);
503
504         if (parent) {
505                 bt_accept_unlink(sk);
506                 parent->sk_data_ready(parent, 0);
507         } else
508                 sk->sk_state_change(sk);
509
510         release_sock(sk);
511
512         if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
513                         test_bit(CONF_INPUT_DONE, &chan->conf_state)))
514                 return;
515
516         skb_queue_purge(&chan->tx_q);
517
518         if (chan->mode == L2CAP_MODE_ERTM) {
519                 struct srej_list *l, *tmp;
520
521                 __clear_retrans_timer(chan);
522                 __clear_monitor_timer(chan);
523                 __clear_ack_timer(chan);
524
525                 skb_queue_purge(&chan->srej_q);
526
527                 l2cap_seq_list_free(&chan->srej_list);
528                 l2cap_seq_list_free(&chan->retrans_list);
529                 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
530                         list_del(&l->list);
531                         kfree(l);
532                 }
533         }
534 }
535
536 static void l2cap_chan_cleanup_listen(struct sock *parent)
537 {
538         struct sock *sk;
539
540         BT_DBG("parent %p", parent);
541
542         /* Close not yet accepted channels */
543         while ((sk = bt_accept_dequeue(parent, NULL))) {
544                 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
545
546                 l2cap_chan_lock(chan);
547                 __clear_chan_timer(chan);
548                 l2cap_chan_close(chan, ECONNRESET);
549                 l2cap_chan_unlock(chan);
550
551                 chan->ops->close(chan->data);
552         }
553 }
554
555 void l2cap_chan_close(struct l2cap_chan *chan, int reason)
556 {
557         struct l2cap_conn *conn = chan->conn;
558         struct sock *sk = chan->sk;
559
560         BT_DBG("chan %p state %s sk %p", chan,
561                                         state_to_string(chan->state), sk);
562
563         switch (chan->state) {
564         case BT_LISTEN:
565                 lock_sock(sk);
566                 l2cap_chan_cleanup_listen(sk);
567
568                 __l2cap_state_change(chan, BT_CLOSED);
569                 sock_set_flag(sk, SOCK_ZAPPED);
570                 release_sock(sk);
571                 break;
572
573         case BT_CONNECTED:
574         case BT_CONFIG:
575                 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
576                                         conn->hcon->type == ACL_LINK) {
577                         __set_chan_timer(chan, sk->sk_sndtimeo);
578                         l2cap_send_disconn_req(conn, chan, reason);
579                 } else
580                         l2cap_chan_del(chan, reason);
581                 break;
582
583         case BT_CONNECT2:
584                 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
585                                         conn->hcon->type == ACL_LINK) {
586                         struct l2cap_conn_rsp rsp;
587                         __u16 result;
588
589                         if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
590                                 result = L2CAP_CR_SEC_BLOCK;
591                         else
592                                 result = L2CAP_CR_BAD_PSM;
593                         l2cap_state_change(chan, BT_DISCONN);
594
595                         rsp.scid   = cpu_to_le16(chan->dcid);
596                         rsp.dcid   = cpu_to_le16(chan->scid);
597                         rsp.result = cpu_to_le16(result);
598                         rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
599                         l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
600                                                         sizeof(rsp), &rsp);
601                 }
602
603                 l2cap_chan_del(chan, reason);
604                 break;
605
606         case BT_CONNECT:
607         case BT_DISCONN:
608                 l2cap_chan_del(chan, reason);
609                 break;
610
611         default:
612                 lock_sock(sk);
613                 sock_set_flag(sk, SOCK_ZAPPED);
614                 release_sock(sk);
615                 break;
616         }
617 }
618
619 static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
620 {
621         if (chan->chan_type == L2CAP_CHAN_RAW) {
622                 switch (chan->sec_level) {
623                 case BT_SECURITY_HIGH:
624                         return HCI_AT_DEDICATED_BONDING_MITM;
625                 case BT_SECURITY_MEDIUM:
626                         return HCI_AT_DEDICATED_BONDING;
627                 default:
628                         return HCI_AT_NO_BONDING;
629                 }
630         } else if (chan->psm == cpu_to_le16(0x0001)) {
631                 if (chan->sec_level == BT_SECURITY_LOW)
632                         chan->sec_level = BT_SECURITY_SDP;
633
634                 if (chan->sec_level == BT_SECURITY_HIGH)
635                         return HCI_AT_NO_BONDING_MITM;
636                 else
637                         return HCI_AT_NO_BONDING;
638         } else {
639                 switch (chan->sec_level) {
640                 case BT_SECURITY_HIGH:
641                         return HCI_AT_GENERAL_BONDING_MITM;
642                 case BT_SECURITY_MEDIUM:
643                         return HCI_AT_GENERAL_BONDING;
644                 default:
645                         return HCI_AT_NO_BONDING;
646                 }
647         }
648 }
649
650 /* Service level security */
651 int l2cap_chan_check_security(struct l2cap_chan *chan)
652 {
653         struct l2cap_conn *conn = chan->conn;
654         __u8 auth_type;
655
656         auth_type = l2cap_get_auth_type(chan);
657
658         return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
659 }
660
661 static u8 l2cap_get_ident(struct l2cap_conn *conn)
662 {
663         u8 id;
664
665         /* Get next available identificator.
666          *    1 - 128 are used by kernel.
667          *  129 - 199 are reserved.
668          *  200 - 254 are used by utilities like l2ping, etc.
669          */
670
671         spin_lock(&conn->lock);
672
673         if (++conn->tx_ident > 128)
674                 conn->tx_ident = 1;
675
676         id = conn->tx_ident;
677
678         spin_unlock(&conn->lock);
679
680         return id;
681 }
682
683 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
684 {
685         struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
686         u8 flags;
687
688         BT_DBG("code 0x%2.2x", code);
689
690         if (!skb)
691                 return;
692
693         if (lmp_no_flush_capable(conn->hcon->hdev))
694                 flags = ACL_START_NO_FLUSH;
695         else
696                 flags = ACL_START;
697
698         bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
699         skb->priority = HCI_PRIO_MAX;
700
701         hci_send_acl(conn->hchan, skb, flags);
702 }
703
704 static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
705 {
706         struct hci_conn *hcon = chan->conn->hcon;
707         u16 flags;
708
709         BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
710                                                         skb->priority);
711
712         if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
713                                         lmp_no_flush_capable(hcon->hdev))
714                 flags = ACL_START_NO_FLUSH;
715         else
716                 flags = ACL_START;
717
718         bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
719         hci_send_acl(chan->conn->hchan, skb, flags);
720 }
721
722 static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
723 {
724         control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
725         control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
726
727         if (enh & L2CAP_CTRL_FRAME_TYPE) {
728                 /* S-Frame */
729                 control->sframe = 1;
730                 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
731                 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
732
733                 control->sar = 0;
734                 control->txseq = 0;
735         } else {
736                 /* I-Frame */
737                 control->sframe = 0;
738                 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
739                 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
740
741                 control->poll = 0;
742                 control->super = 0;
743         }
744 }
745
746 static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
747 {
748         control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
749         control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
750
751         if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
752                 /* S-Frame */
753                 control->sframe = 1;
754                 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
755                 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
756
757                 control->sar = 0;
758                 control->txseq = 0;
759         } else {
760                 /* I-Frame */
761                 control->sframe = 0;
762                 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
763                 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
764
765                 control->poll = 0;
766                 control->super = 0;
767         }
768 }
769
770 static inline void __unpack_control(struct l2cap_chan *chan,
771                                     struct sk_buff *skb)
772 {
773         if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
774                 __unpack_extended_control(get_unaligned_le32(skb->data),
775                                           &bt_cb(skb)->control);
776         } else {
777                 __unpack_enhanced_control(get_unaligned_le16(skb->data),
778                                           &bt_cb(skb)->control);
779         }
780 }
781
782 static u32 __pack_extended_control(struct l2cap_ctrl *control)
783 {
784         u32 packed;
785
786         packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
787         packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
788
789         if (control->sframe) {
790                 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
791                 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
792                 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
793         } else {
794                 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
795                 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
796         }
797
798         return packed;
799 }
800
801 static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
802 {
803         u16 packed;
804
805         packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
806         packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
807
808         if (control->sframe) {
809                 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
810                 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
811                 packed |= L2CAP_CTRL_FRAME_TYPE;
812         } else {
813                 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
814                 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
815         }
816
817         return packed;
818 }
819
820 static inline void __pack_control(struct l2cap_chan *chan,
821                                   struct l2cap_ctrl *control,
822                                   struct sk_buff *skb)
823 {
824         if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
825                 put_unaligned_le32(__pack_extended_control(control),
826                                    skb->data + L2CAP_HDR_SIZE);
827         } else {
828                 put_unaligned_le16(__pack_enhanced_control(control),
829                                    skb->data + L2CAP_HDR_SIZE);
830         }
831 }
832
833 static inline void l2cap_send_sframe(struct l2cap_chan *chan, u32 control)
834 {
835         struct sk_buff *skb;
836         struct l2cap_hdr *lh;
837         struct l2cap_conn *conn = chan->conn;
838         int count, hlen;
839
840         if (chan->state != BT_CONNECTED)
841                 return;
842
843         if (test_bit(FLAG_EXT_CTRL, &chan->flags))
844                 hlen = L2CAP_EXT_HDR_SIZE;
845         else
846                 hlen = L2CAP_ENH_HDR_SIZE;
847
848         if (chan->fcs == L2CAP_FCS_CRC16)
849                 hlen += L2CAP_FCS_SIZE;
850
851         BT_DBG("chan %p, control 0x%8.8x", chan, control);
852
853         count = min_t(unsigned int, conn->mtu, hlen);
854
855         control |= __set_sframe(chan);
856
857         if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
858                 control |= __set_ctrl_final(chan);
859
860         if (test_and_clear_bit(CONN_SEND_PBIT, &chan->conn_state))
861                 control |= __set_ctrl_poll(chan);
862
863         skb = bt_skb_alloc(count, GFP_ATOMIC);
864         if (!skb)
865                 return;
866
867         lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
868         lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
869         lh->cid = cpu_to_le16(chan->dcid);
870
871         __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
872
873         if (chan->fcs == L2CAP_FCS_CRC16) {
874                 u16 fcs = crc16(0, (u8 *)lh, count - L2CAP_FCS_SIZE);
875                 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
876         }
877
878         skb->priority = HCI_PRIO_MAX;
879         l2cap_do_send(chan, skb);
880 }
881
882 static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u32 control)
883 {
884         if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
885                 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
886                 set_bit(CONN_RNR_SENT, &chan->conn_state);
887         } else
888                 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
889
890         control |= __set_reqseq(chan, chan->buffer_seq);
891
892         l2cap_send_sframe(chan, control);
893 }
894
895 static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
896 {
897         return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
898 }
899
900 static void l2cap_send_conn_req(struct l2cap_chan *chan)
901 {
902         struct l2cap_conn *conn = chan->conn;
903         struct l2cap_conn_req req;
904
905         req.scid = cpu_to_le16(chan->scid);
906         req.psm  = chan->psm;
907
908         chan->ident = l2cap_get_ident(conn);
909
910         set_bit(CONF_CONNECT_PEND, &chan->conf_state);
911
912         l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
913 }
914
915 static void l2cap_chan_ready(struct l2cap_chan *chan)
916 {
917         struct sock *sk = chan->sk;
918         struct sock *parent;
919
920         lock_sock(sk);
921
922         parent = bt_sk(sk)->parent;
923
924         BT_DBG("sk %p, parent %p", sk, parent);
925
926         chan->conf_state = 0;
927         __clear_chan_timer(chan);
928
929         __l2cap_state_change(chan, BT_CONNECTED);
930         sk->sk_state_change(sk);
931
932         if (parent)
933                 parent->sk_data_ready(parent, 0);
934
935         release_sock(sk);
936 }
937
938 static void l2cap_do_start(struct l2cap_chan *chan)
939 {
940         struct l2cap_conn *conn = chan->conn;
941
942         if (conn->hcon->type == LE_LINK) {
943                 l2cap_chan_ready(chan);
944                 return;
945         }
946
947         if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
948                 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
949                         return;
950
951                 if (l2cap_chan_check_security(chan) &&
952                                 __l2cap_no_conn_pending(chan))
953                         l2cap_send_conn_req(chan);
954         } else {
955                 struct l2cap_info_req req;
956                 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
957
958                 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
959                 conn->info_ident = l2cap_get_ident(conn);
960
961                 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
962
963                 l2cap_send_cmd(conn, conn->info_ident,
964                                         L2CAP_INFO_REQ, sizeof(req), &req);
965         }
966 }
967
968 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
969 {
970         u32 local_feat_mask = l2cap_feat_mask;
971         if (!disable_ertm)
972                 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
973
974         switch (mode) {
975         case L2CAP_MODE_ERTM:
976                 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
977         case L2CAP_MODE_STREAMING:
978                 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
979         default:
980                 return 0x00;
981         }
982 }
983
984 static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
985 {
986         struct sock *sk = chan->sk;
987         struct l2cap_disconn_req req;
988
989         if (!conn)
990                 return;
991
992         if (chan->mode == L2CAP_MODE_ERTM) {
993                 __clear_retrans_timer(chan);
994                 __clear_monitor_timer(chan);
995                 __clear_ack_timer(chan);
996         }
997
998         req.dcid = cpu_to_le16(chan->dcid);
999         req.scid = cpu_to_le16(chan->scid);
1000         l2cap_send_cmd(conn, l2cap_get_ident(conn),
1001                         L2CAP_DISCONN_REQ, sizeof(req), &req);
1002
1003         lock_sock(sk);
1004         __l2cap_state_change(chan, BT_DISCONN);
1005         __l2cap_chan_set_err(chan, err);
1006         release_sock(sk);
1007 }
1008
1009 /* ---- L2CAP connections ---- */
1010 static void l2cap_conn_start(struct l2cap_conn *conn)
1011 {
1012         struct l2cap_chan *chan, *tmp;
1013
1014         BT_DBG("conn %p", conn);
1015
1016         mutex_lock(&conn->chan_lock);
1017
1018         list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
1019                 struct sock *sk = chan->sk;
1020
1021                 l2cap_chan_lock(chan);
1022
1023                 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1024                         l2cap_chan_unlock(chan);
1025                         continue;
1026                 }
1027
1028                 if (chan->state == BT_CONNECT) {
1029                         if (!l2cap_chan_check_security(chan) ||
1030                                         !__l2cap_no_conn_pending(chan)) {
1031                                 l2cap_chan_unlock(chan);
1032                                 continue;
1033                         }
1034
1035                         if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1036                                         && test_bit(CONF_STATE2_DEVICE,
1037                                         &chan->conf_state)) {
1038                                 l2cap_chan_close(chan, ECONNRESET);
1039                                 l2cap_chan_unlock(chan);
1040                                 continue;
1041                         }
1042
1043                         l2cap_send_conn_req(chan);
1044
1045                 } else if (chan->state == BT_CONNECT2) {
1046                         struct l2cap_conn_rsp rsp;
1047                         char buf[128];
1048                         rsp.scid = cpu_to_le16(chan->dcid);
1049                         rsp.dcid = cpu_to_le16(chan->scid);
1050
1051                         if (l2cap_chan_check_security(chan)) {
1052                                 lock_sock(sk);
1053                                 if (test_bit(BT_SK_DEFER_SETUP,
1054                                              &bt_sk(sk)->flags)) {
1055                                         struct sock *parent = bt_sk(sk)->parent;
1056                                         rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1057                                         rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
1058                                         if (parent)
1059                                                 parent->sk_data_ready(parent, 0);
1060
1061                                 } else {
1062                                         __l2cap_state_change(chan, BT_CONFIG);
1063                                         rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1064                                         rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1065                                 }
1066                                 release_sock(sk);
1067                         } else {
1068                                 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1069                                 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1070                         }
1071
1072                         l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1073                                                         sizeof(rsp), &rsp);
1074
1075                         if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
1076                                         rsp.result != L2CAP_CR_SUCCESS) {
1077                                 l2cap_chan_unlock(chan);
1078                                 continue;
1079                         }
1080
1081                         set_bit(CONF_REQ_SENT, &chan->conf_state);
1082                         l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1083                                                 l2cap_build_conf_req(chan, buf), buf);
1084                         chan->num_conf_req++;
1085                 }
1086
1087                 l2cap_chan_unlock(chan);
1088         }
1089
1090         mutex_unlock(&conn->chan_lock);
1091 }
1092
1093 /* Find socket with cid and source/destination bdaddr.
1094  * Returns closest match, locked.
1095  */
1096 static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
1097                                                     bdaddr_t *src,
1098                                                     bdaddr_t *dst)
1099 {
1100         struct l2cap_chan *c, *c1 = NULL;
1101
1102         read_lock(&chan_list_lock);
1103
1104         list_for_each_entry(c, &chan_list, global_l) {
1105                 struct sock *sk = c->sk;
1106
1107                 if (state && c->state != state)
1108                         continue;
1109
1110                 if (c->scid == cid) {
1111                         int src_match, dst_match;
1112                         int src_any, dst_any;
1113
1114                         /* Exact match. */
1115                         src_match = !bacmp(&bt_sk(sk)->src, src);
1116                         dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1117                         if (src_match && dst_match) {
1118                                 read_unlock(&chan_list_lock);
1119                                 return c;
1120                         }
1121
1122                         /* Closest match */
1123                         src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1124                         dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1125                         if ((src_match && dst_any) || (src_any && dst_match) ||
1126                             (src_any && dst_any))
1127                                 c1 = c;
1128                 }
1129         }
1130
1131         read_unlock(&chan_list_lock);
1132
1133         return c1;
1134 }
1135
1136 static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1137 {
1138         struct sock *parent, *sk;
1139         struct l2cap_chan *chan, *pchan;
1140
1141         BT_DBG("");
1142
1143         /* Check if we have socket listening on cid */
1144         pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
1145                                           conn->src, conn->dst);
1146         if (!pchan)
1147                 return;
1148
1149         parent = pchan->sk;
1150
1151         lock_sock(parent);
1152
1153         /* Check for backlog size */
1154         if (sk_acceptq_is_full(parent)) {
1155                 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1156                 goto clean;
1157         }
1158
1159         chan = pchan->ops->new_connection(pchan->data);
1160         if (!chan)
1161                 goto clean;
1162
1163         sk = chan->sk;
1164
1165         hci_conn_hold(conn->hcon);
1166
1167         bacpy(&bt_sk(sk)->src, conn->src);
1168         bacpy(&bt_sk(sk)->dst, conn->dst);
1169
1170         bt_accept_enqueue(parent, sk);
1171
1172         l2cap_chan_add(conn, chan);
1173
1174         __set_chan_timer(chan, sk->sk_sndtimeo);
1175
1176         __l2cap_state_change(chan, BT_CONNECTED);
1177         parent->sk_data_ready(parent, 0);
1178
1179 clean:
1180         release_sock(parent);
1181 }
1182
1183 static void l2cap_conn_ready(struct l2cap_conn *conn)
1184 {
1185         struct l2cap_chan *chan;
1186
1187         BT_DBG("conn %p", conn);
1188
1189         if (!conn->hcon->out && conn->hcon->type == LE_LINK)
1190                 l2cap_le_conn_ready(conn);
1191
1192         if (conn->hcon->out && conn->hcon->type == LE_LINK)
1193                 smp_conn_security(conn, conn->hcon->pending_sec_level);
1194
1195         mutex_lock(&conn->chan_lock);
1196
1197         list_for_each_entry(chan, &conn->chan_l, list) {
1198
1199                 l2cap_chan_lock(chan);
1200
1201                 if (conn->hcon->type == LE_LINK) {
1202                         if (smp_conn_security(conn, chan->sec_level))
1203                                 l2cap_chan_ready(chan);
1204
1205                 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1206                         struct sock *sk = chan->sk;
1207                         __clear_chan_timer(chan);
1208                         lock_sock(sk);
1209                         __l2cap_state_change(chan, BT_CONNECTED);
1210                         sk->sk_state_change(sk);
1211                         release_sock(sk);
1212
1213                 } else if (chan->state == BT_CONNECT)
1214                         l2cap_do_start(chan);
1215
1216                 l2cap_chan_unlock(chan);
1217         }
1218
1219         mutex_unlock(&conn->chan_lock);
1220 }
1221
1222 /* Notify sockets that we cannot guaranty reliability anymore */
1223 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1224 {
1225         struct l2cap_chan *chan;
1226
1227         BT_DBG("conn %p", conn);
1228
1229         mutex_lock(&conn->chan_lock);
1230
1231         list_for_each_entry(chan, &conn->chan_l, list) {
1232                 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1233                         __l2cap_chan_set_err(chan, err);
1234         }
1235
1236         mutex_unlock(&conn->chan_lock);
1237 }
1238
1239 static void l2cap_info_timeout(struct work_struct *work)
1240 {
1241         struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1242                                                         info_timer.work);
1243
1244         conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1245         conn->info_ident = 0;
1246
1247         l2cap_conn_start(conn);
1248 }
1249
1250 static void l2cap_conn_del(struct hci_conn *hcon, int err)
1251 {
1252         struct l2cap_conn *conn = hcon->l2cap_data;
1253         struct l2cap_chan *chan, *l;
1254
1255         if (!conn)
1256                 return;
1257
1258         BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1259
1260         kfree_skb(conn->rx_skb);
1261
1262         mutex_lock(&conn->chan_lock);
1263
1264         /* Kill channels */
1265         list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1266                 l2cap_chan_hold(chan);
1267                 l2cap_chan_lock(chan);
1268
1269                 l2cap_chan_del(chan, err);
1270
1271                 l2cap_chan_unlock(chan);
1272
1273                 chan->ops->close(chan->data);
1274                 l2cap_chan_put(chan);
1275         }
1276
1277         mutex_unlock(&conn->chan_lock);
1278
1279         hci_chan_del(conn->hchan);
1280
1281         if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1282                 cancel_delayed_work_sync(&conn->info_timer);
1283
1284         if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
1285                 cancel_delayed_work_sync(&conn->security_timer);
1286                 smp_chan_destroy(conn);
1287         }
1288
1289         hcon->l2cap_data = NULL;
1290         kfree(conn);
1291 }
1292
1293 static void security_timeout(struct work_struct *work)
1294 {
1295         struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1296                                                 security_timer.work);
1297
1298         l2cap_conn_del(conn->hcon, ETIMEDOUT);
1299 }
1300
1301 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1302 {
1303         struct l2cap_conn *conn = hcon->l2cap_data;
1304         struct hci_chan *hchan;
1305
1306         if (conn || status)
1307                 return conn;
1308
1309         hchan = hci_chan_create(hcon);
1310         if (!hchan)
1311                 return NULL;
1312
1313         conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
1314         if (!conn) {
1315                 hci_chan_del(hchan);
1316                 return NULL;
1317         }
1318
1319         hcon->l2cap_data = conn;
1320         conn->hcon = hcon;
1321         conn->hchan = hchan;
1322
1323         BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
1324
1325         if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1326                 conn->mtu = hcon->hdev->le_mtu;
1327         else
1328                 conn->mtu = hcon->hdev->acl_mtu;
1329
1330         conn->src = &hcon->hdev->bdaddr;
1331         conn->dst = &hcon->dst;
1332
1333         conn->feat_mask = 0;
1334
1335         spin_lock_init(&conn->lock);
1336         mutex_init(&conn->chan_lock);
1337
1338         INIT_LIST_HEAD(&conn->chan_l);
1339
1340         if (hcon->type == LE_LINK)
1341                 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
1342         else
1343                 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
1344
1345         conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
1346
1347         return conn;
1348 }
1349
1350 /* ---- Socket interface ---- */
1351
1352 /* Find socket with psm and source / destination bdaddr.
1353  * Returns closest match.
1354  */
1355 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1356                                                    bdaddr_t *src,
1357                                                    bdaddr_t *dst)
1358 {
1359         struct l2cap_chan *c, *c1 = NULL;
1360
1361         read_lock(&chan_list_lock);
1362
1363         list_for_each_entry(c, &chan_list, global_l) {
1364                 struct sock *sk = c->sk;
1365
1366                 if (state && c->state != state)
1367                         continue;
1368
1369                 if (c->psm == psm) {
1370                         int src_match, dst_match;
1371                         int src_any, dst_any;
1372
1373                         /* Exact match. */
1374                         src_match = !bacmp(&bt_sk(sk)->src, src);
1375                         dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1376                         if (src_match && dst_match) {
1377                                 read_unlock(&chan_list_lock);
1378                                 return c;
1379                         }
1380
1381                         /* Closest match */
1382                         src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1383                         dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1384                         if ((src_match && dst_any) || (src_any && dst_match) ||
1385                             (src_any && dst_any))
1386                                 c1 = c;
1387                 }
1388         }
1389
1390         read_unlock(&chan_list_lock);
1391
1392         return c1;
1393 }
1394
1395 int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1396                        bdaddr_t *dst, u8 dst_type)
1397 {
1398         struct sock *sk = chan->sk;
1399         bdaddr_t *src = &bt_sk(sk)->src;
1400         struct l2cap_conn *conn;
1401         struct hci_conn *hcon;
1402         struct hci_dev *hdev;
1403         __u8 auth_type;
1404         int err;
1405
1406         BT_DBG("%s -> %s (type %u) psm 0x%2.2x", batostr(src), batostr(dst),
1407                dst_type, __le16_to_cpu(chan->psm));
1408
1409         hdev = hci_get_route(dst, src);
1410         if (!hdev)
1411                 return -EHOSTUNREACH;
1412
1413         hci_dev_lock(hdev);
1414
1415         l2cap_chan_lock(chan);
1416
1417         /* PSM must be odd and lsb of upper byte must be 0 */
1418         if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1419                                         chan->chan_type != L2CAP_CHAN_RAW) {
1420                 err = -EINVAL;
1421                 goto done;
1422         }
1423
1424         if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1425                 err = -EINVAL;
1426                 goto done;
1427         }
1428
1429         switch (chan->mode) {
1430         case L2CAP_MODE_BASIC:
1431                 break;
1432         case L2CAP_MODE_ERTM:
1433         case L2CAP_MODE_STREAMING:
1434                 if (!disable_ertm)
1435                         break;
1436                 /* fall through */
1437         default:
1438                 err = -ENOTSUPP;
1439                 goto done;
1440         }
1441
1442         lock_sock(sk);
1443
1444         switch (sk->sk_state) {
1445         case BT_CONNECT:
1446         case BT_CONNECT2:
1447         case BT_CONFIG:
1448                 /* Already connecting */
1449                 err = 0;
1450                 release_sock(sk);
1451                 goto done;
1452
1453         case BT_CONNECTED:
1454                 /* Already connected */
1455                 err = -EISCONN;
1456                 release_sock(sk);
1457                 goto done;
1458
1459         case BT_OPEN:
1460         case BT_BOUND:
1461                 /* Can connect */
1462                 break;
1463
1464         default:
1465                 err = -EBADFD;
1466                 release_sock(sk);
1467                 goto done;
1468         }
1469
1470         /* Set destination address and psm */
1471         bacpy(&bt_sk(sk)->dst, dst);
1472
1473         release_sock(sk);
1474
1475         chan->psm = psm;
1476         chan->dcid = cid;
1477
1478         auth_type = l2cap_get_auth_type(chan);
1479
1480         if (chan->dcid == L2CAP_CID_LE_DATA)
1481                 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
1482                                    chan->sec_level, auth_type);
1483         else
1484                 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
1485                                    chan->sec_level, auth_type);
1486
1487         if (IS_ERR(hcon)) {
1488                 err = PTR_ERR(hcon);
1489                 goto done;
1490         }
1491
1492         conn = l2cap_conn_add(hcon, 0);
1493         if (!conn) {
1494                 hci_conn_put(hcon);
1495                 err = -ENOMEM;
1496                 goto done;
1497         }
1498
1499         if (hcon->type == LE_LINK) {
1500                 err = 0;
1501
1502                 if (!list_empty(&conn->chan_l)) {
1503                         err = -EBUSY;
1504                         hci_conn_put(hcon);
1505                 }
1506
1507                 if (err)
1508                         goto done;
1509         }
1510
1511         /* Update source addr of the socket */
1512         bacpy(src, conn->src);
1513
1514         l2cap_chan_unlock(chan);
1515         l2cap_chan_add(conn, chan);
1516         l2cap_chan_lock(chan);
1517
1518         l2cap_state_change(chan, BT_CONNECT);
1519         __set_chan_timer(chan, sk->sk_sndtimeo);
1520
1521         if (hcon->state == BT_CONNECTED) {
1522                 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1523                         __clear_chan_timer(chan);
1524                         if (l2cap_chan_check_security(chan))
1525                                 l2cap_state_change(chan, BT_CONNECTED);
1526                 } else
1527                         l2cap_do_start(chan);
1528         }
1529
1530         err = 0;
1531
1532 done:
1533         l2cap_chan_unlock(chan);
1534         hci_dev_unlock(hdev);
1535         hci_dev_put(hdev);
1536         return err;
1537 }
1538
1539 int __l2cap_wait_ack(struct sock *sk)
1540 {
1541         struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1542         DECLARE_WAITQUEUE(wait, current);
1543         int err = 0;
1544         int timeo = HZ/5;
1545
1546         add_wait_queue(sk_sleep(sk), &wait);
1547         set_current_state(TASK_INTERRUPTIBLE);
1548         while (chan->unacked_frames > 0 && chan->conn) {
1549                 if (!timeo)
1550                         timeo = HZ/5;
1551
1552                 if (signal_pending(current)) {
1553                         err = sock_intr_errno(timeo);
1554                         break;
1555                 }
1556
1557                 release_sock(sk);
1558                 timeo = schedule_timeout(timeo);
1559                 lock_sock(sk);
1560                 set_current_state(TASK_INTERRUPTIBLE);
1561
1562                 err = sock_error(sk);
1563                 if (err)
1564                         break;
1565         }
1566         set_current_state(TASK_RUNNING);
1567         remove_wait_queue(sk_sleep(sk), &wait);
1568         return err;
1569 }
1570
1571 static void l2cap_monitor_timeout(struct work_struct *work)
1572 {
1573         struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1574                                                         monitor_timer.work);
1575
1576         BT_DBG("chan %p", chan);
1577
1578         l2cap_chan_lock(chan);
1579
1580         if (chan->retry_count >= chan->remote_max_tx) {
1581                 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
1582                 l2cap_chan_unlock(chan);
1583                 l2cap_chan_put(chan);
1584                 return;
1585         }
1586
1587         chan->retry_count++;
1588         __set_monitor_timer(chan);
1589
1590         l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
1591         l2cap_chan_unlock(chan);
1592         l2cap_chan_put(chan);
1593 }
1594
1595 static void l2cap_retrans_timeout(struct work_struct *work)
1596 {
1597         struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1598                                                         retrans_timer.work);
1599
1600         BT_DBG("chan %p", chan);
1601
1602         l2cap_chan_lock(chan);
1603
1604         chan->retry_count = 1;
1605         __set_monitor_timer(chan);
1606
1607         set_bit(CONN_WAIT_F, &chan->conn_state);
1608
1609         l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
1610
1611         l2cap_chan_unlock(chan);
1612         l2cap_chan_put(chan);
1613 }
1614
1615 static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1616 {
1617         struct sk_buff *skb;
1618
1619         while ((skb = skb_peek(&chan->tx_q)) &&
1620                         chan->unacked_frames) {
1621                 if (bt_cb(skb)->control.txseq == chan->expected_ack_seq)
1622                         break;
1623
1624                 skb = skb_dequeue(&chan->tx_q);
1625                 kfree_skb(skb);
1626
1627                 chan->unacked_frames--;
1628         }
1629
1630         if (!chan->unacked_frames)
1631                 __clear_retrans_timer(chan);
1632 }
1633
1634 static void l2cap_streaming_send(struct l2cap_chan *chan)
1635 {
1636         struct sk_buff *skb;
1637         u32 control;
1638         u16 fcs;
1639
1640         while ((skb = skb_dequeue(&chan->tx_q))) {
1641                 control = __get_control(chan, skb->data + L2CAP_HDR_SIZE);
1642                 control |= __set_txseq(chan, chan->next_tx_seq);
1643                 control |= __set_ctrl_sar(chan, bt_cb(skb)->control.sar);
1644                 __put_control(chan, control, skb->data + L2CAP_HDR_SIZE);
1645
1646                 if (chan->fcs == L2CAP_FCS_CRC16) {
1647                         fcs = crc16(0, (u8 *)skb->data,
1648                                                 skb->len - L2CAP_FCS_SIZE);
1649                         put_unaligned_le16(fcs,
1650                                         skb->data + skb->len - L2CAP_FCS_SIZE);
1651                 }
1652
1653                 l2cap_do_send(chan, skb);
1654
1655                 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1656         }
1657 }
1658
1659 static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u16 tx_seq)
1660 {
1661         struct sk_buff *skb, *tx_skb;
1662         u16 fcs;
1663         u32 control;
1664
1665         skb = skb_peek(&chan->tx_q);
1666         if (!skb)
1667                 return;
1668
1669         while (bt_cb(skb)->control.txseq != tx_seq) {
1670                 if (skb_queue_is_last(&chan->tx_q, skb))
1671                         return;
1672
1673                 skb = skb_queue_next(&chan->tx_q, skb);
1674         }
1675
1676         if (bt_cb(skb)->control.retries == chan->remote_max_tx &&
1677             chan->remote_max_tx) {
1678                 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
1679                 return;
1680         }
1681
1682         tx_skb = skb_clone(skb, GFP_ATOMIC);
1683         bt_cb(skb)->control.retries++;
1684
1685         control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
1686         control &= __get_sar_mask(chan);
1687
1688         if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1689                 control |= __set_ctrl_final(chan);
1690
1691         control |= __set_reqseq(chan, chan->buffer_seq);
1692         control |= __set_txseq(chan, tx_seq);
1693
1694         __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
1695
1696         if (chan->fcs == L2CAP_FCS_CRC16) {
1697                 fcs = crc16(0, (u8 *)tx_skb->data,
1698                                                 tx_skb->len - L2CAP_FCS_SIZE);
1699                 put_unaligned_le16(fcs,
1700                                 tx_skb->data + tx_skb->len - L2CAP_FCS_SIZE);
1701         }
1702
1703         l2cap_do_send(chan, tx_skb);
1704 }
1705
1706 static int l2cap_ertm_send(struct l2cap_chan *chan)
1707 {
1708         struct sk_buff *skb, *tx_skb;
1709         u16 fcs;
1710         u32 control;
1711         int nsent = 0;
1712
1713         if (chan->state != BT_CONNECTED)
1714                 return -ENOTCONN;
1715
1716         if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1717                 return 0;
1718
1719         while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1720
1721                 if (bt_cb(skb)->control.retries == chan->remote_max_tx &&
1722                     chan->remote_max_tx) {
1723                         l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
1724                         break;
1725                 }
1726
1727                 tx_skb = skb_clone(skb, GFP_ATOMIC);
1728
1729                 bt_cb(skb)->control.retries++;
1730
1731                 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
1732                 control &= __get_sar_mask(chan);
1733
1734                 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1735                         control |= __set_ctrl_final(chan);
1736
1737                 control |= __set_reqseq(chan, chan->buffer_seq);
1738                 control |= __set_txseq(chan, chan->next_tx_seq);
1739                 control |= __set_ctrl_sar(chan, bt_cb(skb)->control.sar);
1740
1741                 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
1742
1743                 if (chan->fcs == L2CAP_FCS_CRC16) {
1744                         fcs = crc16(0, (u8 *)skb->data,
1745                                                 tx_skb->len - L2CAP_FCS_SIZE);
1746                         put_unaligned_le16(fcs, skb->data +
1747                                                 tx_skb->len - L2CAP_FCS_SIZE);
1748                 }
1749
1750                 l2cap_do_send(chan, tx_skb);
1751
1752                 __set_retrans_timer(chan);
1753
1754                 bt_cb(skb)->control.txseq = chan->next_tx_seq;
1755
1756                 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1757
1758                 if (bt_cb(skb)->control.retries == 1) {
1759                         chan->unacked_frames++;
1760
1761                         if (!nsent++)
1762                                 __clear_ack_timer(chan);
1763                 }
1764
1765                 chan->frames_sent++;
1766
1767                 if (skb_queue_is_last(&chan->tx_q, skb))
1768                         chan->tx_send_head = NULL;
1769                 else
1770                         chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1771         }
1772
1773         return nsent;
1774 }
1775
1776 static int l2cap_retransmit_frames(struct l2cap_chan *chan)
1777 {
1778         int ret;
1779
1780         if (!skb_queue_empty(&chan->tx_q))
1781                 chan->tx_send_head = chan->tx_q.next;
1782
1783         chan->next_tx_seq = chan->expected_ack_seq;
1784         ret = l2cap_ertm_send(chan);
1785         return ret;
1786 }
1787
1788 static void __l2cap_send_ack(struct l2cap_chan *chan)
1789 {
1790         u32 control = 0;
1791
1792         control |= __set_reqseq(chan, chan->buffer_seq);
1793
1794         if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
1795                 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
1796                 set_bit(CONN_RNR_SENT, &chan->conn_state);
1797                 l2cap_send_sframe(chan, control);
1798                 return;
1799         }
1800
1801         if (l2cap_ertm_send(chan) > 0)
1802                 return;
1803
1804         control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
1805         l2cap_send_sframe(chan, control);
1806 }
1807
1808 static void l2cap_send_ack(struct l2cap_chan *chan)
1809 {
1810         __clear_ack_timer(chan);
1811         __l2cap_send_ack(chan);
1812 }
1813
1814 static void l2cap_send_srejtail(struct l2cap_chan *chan)
1815 {
1816         struct srej_list *tail;
1817         u32 control;
1818
1819         control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
1820         control |= __set_ctrl_final(chan);
1821
1822         tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
1823         control |= __set_reqseq(chan, tail->tx_seq);
1824
1825         l2cap_send_sframe(chan, control);
1826 }
1827
1828 static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
1829                                          struct msghdr *msg, int len,
1830                                          int count, struct sk_buff *skb)
1831 {
1832         struct l2cap_conn *conn = chan->conn;
1833         struct sk_buff **frag;
1834         int sent = 0;
1835
1836         if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1837                 return -EFAULT;
1838
1839         sent += count;
1840         len  -= count;
1841
1842         /* Continuation fragments (no L2CAP header) */
1843         frag = &skb_shinfo(skb)->frag_list;
1844         while (len) {
1845                 struct sk_buff *tmp;
1846
1847                 count = min_t(unsigned int, conn->mtu, len);
1848
1849                 tmp = chan->ops->alloc_skb(chan, count,
1850                                            msg->msg_flags & MSG_DONTWAIT);
1851                 if (IS_ERR(tmp))
1852                         return PTR_ERR(tmp);
1853
1854                 *frag = tmp;
1855
1856                 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1857                         return -EFAULT;
1858
1859                 (*frag)->priority = skb->priority;
1860
1861                 sent += count;
1862                 len  -= count;
1863
1864                 skb->len += (*frag)->len;
1865                 skb->data_len += (*frag)->len;
1866
1867                 frag = &(*frag)->next;
1868         }
1869
1870         return sent;
1871 }
1872
1873 static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
1874                                                 struct msghdr *msg, size_t len,
1875                                                 u32 priority)
1876 {
1877         struct l2cap_conn *conn = chan->conn;
1878         struct sk_buff *skb;
1879         int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1880         struct l2cap_hdr *lh;
1881
1882         BT_DBG("chan %p len %d priority %u", chan, (int)len, priority);
1883
1884         count = min_t(unsigned int, (conn->mtu - hlen), len);
1885
1886         skb = chan->ops->alloc_skb(chan, count + hlen,
1887                                    msg->msg_flags & MSG_DONTWAIT);
1888         if (IS_ERR(skb))
1889                 return skb;
1890
1891         skb->priority = priority;
1892
1893         /* Create L2CAP header */
1894         lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1895         lh->cid = cpu_to_le16(chan->dcid);
1896         lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
1897         put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1898
1899         err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1900         if (unlikely(err < 0)) {
1901                 kfree_skb(skb);
1902                 return ERR_PTR(err);
1903         }
1904         return skb;
1905 }
1906
1907 static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
1908                                                 struct msghdr *msg, size_t len,
1909                                                 u32 priority)
1910 {
1911         struct l2cap_conn *conn = chan->conn;
1912         struct sk_buff *skb;
1913         int err, count;
1914         struct l2cap_hdr *lh;
1915
1916         BT_DBG("chan %p len %d", chan, (int)len);
1917
1918         count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
1919
1920         skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
1921                                    msg->msg_flags & MSG_DONTWAIT);
1922         if (IS_ERR(skb))
1923                 return skb;
1924
1925         skb->priority = priority;
1926
1927         /* Create L2CAP header */
1928         lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1929         lh->cid = cpu_to_le16(chan->dcid);
1930         lh->len = cpu_to_le16(len);
1931
1932         err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1933         if (unlikely(err < 0)) {
1934                 kfree_skb(skb);
1935                 return ERR_PTR(err);
1936         }
1937         return skb;
1938 }
1939
1940 static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
1941                                                 struct msghdr *msg, size_t len,
1942                                                 u16 sdulen)
1943 {
1944         struct l2cap_conn *conn = chan->conn;
1945         struct sk_buff *skb;
1946         int err, count, hlen;
1947         struct l2cap_hdr *lh;
1948
1949         BT_DBG("chan %p len %d", chan, (int)len);
1950
1951         if (!conn)
1952                 return ERR_PTR(-ENOTCONN);
1953
1954         if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1955                 hlen = L2CAP_EXT_HDR_SIZE;
1956         else
1957                 hlen = L2CAP_ENH_HDR_SIZE;
1958
1959         if (sdulen)
1960                 hlen += L2CAP_SDULEN_SIZE;
1961
1962         if (chan->fcs == L2CAP_FCS_CRC16)
1963                 hlen += L2CAP_FCS_SIZE;
1964
1965         count = min_t(unsigned int, (conn->mtu - hlen), len);
1966
1967         skb = chan->ops->alloc_skb(chan, count + hlen,
1968                                    msg->msg_flags & MSG_DONTWAIT);
1969         if (IS_ERR(skb))
1970                 return skb;
1971
1972         /* Create L2CAP header */
1973         lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1974         lh->cid = cpu_to_le16(chan->dcid);
1975         lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1976
1977         __put_control(chan, 0, skb_put(skb, __ctrl_size(chan)));
1978
1979         if (sdulen)
1980                 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1981
1982         err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1983         if (unlikely(err < 0)) {
1984                 kfree_skb(skb);
1985                 return ERR_PTR(err);
1986         }
1987
1988         if (chan->fcs == L2CAP_FCS_CRC16)
1989                 put_unaligned_le16(0, skb_put(skb, L2CAP_FCS_SIZE));
1990
1991         bt_cb(skb)->control.retries = 0;
1992         return skb;
1993 }
1994
1995 static int l2cap_segment_sdu(struct l2cap_chan *chan,
1996                              struct sk_buff_head *seg_queue,
1997                              struct msghdr *msg, size_t len)
1998 {
1999         struct sk_buff *skb;
2000         u16 sdu_len;
2001         size_t pdu_len;
2002         int err = 0;
2003         u8 sar;
2004
2005         BT_DBG("chan %p, msg %p, len %d", chan, msg, (int)len);
2006
2007         /* It is critical that ERTM PDUs fit in a single HCI fragment,
2008          * so fragmented skbs are not used.  The HCI layer's handling
2009          * of fragmented skbs is not compatible with ERTM's queueing.
2010          */
2011
2012         /* PDU size is derived from the HCI MTU */
2013         pdu_len = chan->conn->mtu;
2014
2015         pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2016
2017         /* Adjust for largest possible L2CAP overhead. */
2018         pdu_len -= L2CAP_EXT_HDR_SIZE + L2CAP_FCS_SIZE;
2019
2020         /* Remote device may have requested smaller PDUs */
2021         pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2022
2023         if (len <= pdu_len) {
2024                 sar = L2CAP_SAR_UNSEGMENTED;
2025                 sdu_len = 0;
2026                 pdu_len = len;
2027         } else {
2028                 sar = L2CAP_SAR_START;
2029                 sdu_len = len;
2030                 pdu_len -= L2CAP_SDULEN_SIZE;
2031         }
2032
2033         while (len > 0) {
2034                 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
2035
2036                 if (IS_ERR(skb)) {
2037                         __skb_queue_purge(seg_queue);
2038                         return PTR_ERR(skb);
2039                 }
2040
2041                 bt_cb(skb)->control.sar = sar;
2042                 __skb_queue_tail(seg_queue, skb);
2043
2044                 len -= pdu_len;
2045                 if (sdu_len) {
2046                         sdu_len = 0;
2047                         pdu_len += L2CAP_SDULEN_SIZE;
2048                 }
2049
2050                 if (len <= pdu_len) {
2051                         sar = L2CAP_SAR_END;
2052                         pdu_len = len;
2053                 } else {
2054                         sar = L2CAP_SAR_CONTINUE;
2055                 }
2056         }
2057
2058         return err;
2059 }
2060
2061 int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2062                                                                 u32 priority)
2063 {
2064         struct sk_buff *skb;
2065         int err;
2066         struct sk_buff_head seg_queue;
2067
2068         /* Connectionless channel */
2069         if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
2070                 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
2071                 if (IS_ERR(skb))
2072                         return PTR_ERR(skb);
2073
2074                 l2cap_do_send(chan, skb);
2075                 return len;
2076         }
2077
2078         switch (chan->mode) {
2079         case L2CAP_MODE_BASIC:
2080                 /* Check outgoing MTU */
2081                 if (len > chan->omtu)
2082                         return -EMSGSIZE;
2083
2084                 /* Create a basic PDU */
2085                 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
2086                 if (IS_ERR(skb))
2087                         return PTR_ERR(skb);
2088
2089                 l2cap_do_send(chan, skb);
2090                 err = len;
2091                 break;
2092
2093         case L2CAP_MODE_ERTM:
2094         case L2CAP_MODE_STREAMING:
2095                 /* Check outgoing MTU */
2096                 if (len > chan->omtu) {
2097                         err = -EMSGSIZE;
2098                         break;
2099                 }
2100
2101                 __skb_queue_head_init(&seg_queue);
2102
2103                 /* Do segmentation before calling in to the state machine,
2104                  * since it's possible to block while waiting for memory
2105                  * allocation.
2106                  */
2107                 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
2108
2109                 /* The channel could have been closed while segmenting,
2110                  * check that it is still connected.
2111                  */
2112                 if (chan->state != BT_CONNECTED) {
2113                         __skb_queue_purge(&seg_queue);
2114                         err = -ENOTCONN;
2115                 }
2116
2117                 if (err)
2118                         break;
2119
2120                 if (chan->mode == L2CAP_MODE_ERTM && chan->tx_send_head == NULL)
2121                         chan->tx_send_head = seg_queue.next;
2122                 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2123
2124                 if (chan->mode == L2CAP_MODE_ERTM)
2125                         err = l2cap_ertm_send(chan);
2126                 else
2127                         l2cap_streaming_send(chan);
2128
2129                 if (err >= 0)
2130                         err = len;
2131
2132                 /* If the skbs were not queued for sending, they'll still be in
2133                  * seg_queue and need to be purged.
2134                  */
2135                 __skb_queue_purge(&seg_queue);
2136                 break;
2137
2138         default:
2139                 BT_DBG("bad state %1.1x", chan->mode);
2140                 err = -EBADFD;
2141         }
2142
2143         return err;
2144 }
2145
2146 /* Copy frame to all raw sockets on that connection */
2147 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2148 {
2149         struct sk_buff *nskb;
2150         struct l2cap_chan *chan;
2151
2152         BT_DBG("conn %p", conn);
2153
2154         mutex_lock(&conn->chan_lock);
2155
2156         list_for_each_entry(chan, &conn->chan_l, list) {
2157                 struct sock *sk = chan->sk;
2158                 if (chan->chan_type != L2CAP_CHAN_RAW)
2159                         continue;
2160
2161                 /* Don't send frame to the socket it came from */
2162                 if (skb->sk == sk)
2163                         continue;
2164                 nskb = skb_clone(skb, GFP_ATOMIC);
2165                 if (!nskb)
2166                         continue;
2167
2168                 if (chan->ops->recv(chan->data, nskb))
2169                         kfree_skb(nskb);
2170         }
2171
2172         mutex_unlock(&conn->chan_lock);
2173 }
2174
2175 /* ---- L2CAP signalling commands ---- */
2176 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2177                                 u8 code, u8 ident, u16 dlen, void *data)
2178 {
2179         struct sk_buff *skb, **frag;
2180         struct l2cap_cmd_hdr *cmd;
2181         struct l2cap_hdr *lh;
2182         int len, count;
2183
2184         BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2185                         conn, code, ident, dlen);
2186
2187         len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2188         count = min_t(unsigned int, conn->mtu, len);
2189
2190         skb = bt_skb_alloc(count, GFP_ATOMIC);
2191         if (!skb)
2192                 return NULL;
2193
2194         lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2195         lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
2196
2197         if (conn->hcon->type == LE_LINK)
2198                 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2199         else
2200                 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
2201
2202         cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2203         cmd->code  = code;
2204         cmd->ident = ident;
2205         cmd->len   = cpu_to_le16(dlen);
2206
2207         if (dlen) {
2208                 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2209                 memcpy(skb_put(skb, count), data, count);
2210                 data += count;
2211         }
2212
2213         len -= skb->len;
2214
2215         /* Continuation fragments (no L2CAP header) */
2216         frag = &skb_shinfo(skb)->frag_list;
2217         while (len) {
2218                 count = min_t(unsigned int, conn->mtu, len);
2219
2220                 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2221                 if (!*frag)
2222                         goto fail;
2223
2224                 memcpy(skb_put(*frag, count), data, count);
2225
2226                 len  -= count;
2227                 data += count;
2228
2229                 frag = &(*frag)->next;
2230         }
2231
2232         return skb;
2233
2234 fail:
2235         kfree_skb(skb);
2236         return NULL;
2237 }
2238
2239 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2240 {
2241         struct l2cap_conf_opt *opt = *ptr;
2242         int len;
2243
2244         len = L2CAP_CONF_OPT_SIZE + opt->len;
2245         *ptr += len;
2246
2247         *type = opt->type;
2248         *olen = opt->len;
2249
2250         switch (opt->len) {
2251         case 1:
2252                 *val = *((u8 *) opt->val);
2253                 break;
2254
2255         case 2:
2256                 *val = get_unaligned_le16(opt->val);
2257                 break;
2258
2259         case 4:
2260                 *val = get_unaligned_le32(opt->val);
2261                 break;
2262
2263         default:
2264                 *val = (unsigned long) opt->val;
2265                 break;
2266         }
2267
2268         BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2269         return len;
2270 }
2271
2272 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2273 {
2274         struct l2cap_conf_opt *opt = *ptr;
2275
2276         BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2277
2278         opt->type = type;
2279         opt->len  = len;
2280
2281         switch (len) {
2282         case 1:
2283                 *((u8 *) opt->val)  = val;
2284                 break;
2285
2286         case 2:
2287                 put_unaligned_le16(val, opt->val);
2288                 break;
2289
2290         case 4:
2291                 put_unaligned_le32(val, opt->val);
2292                 break;
2293
2294         default:
2295                 memcpy(opt->val, (void *) val, len);
2296                 break;
2297         }
2298
2299         *ptr += L2CAP_CONF_OPT_SIZE + len;
2300 }
2301
2302 static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2303 {
2304         struct l2cap_conf_efs efs;
2305
2306         switch (chan->mode) {
2307         case L2CAP_MODE_ERTM:
2308                 efs.id          = chan->local_id;
2309                 efs.stype       = chan->local_stype;
2310                 efs.msdu        = cpu_to_le16(chan->local_msdu);
2311                 efs.sdu_itime   = cpu_to_le32(chan->local_sdu_itime);
2312                 efs.acc_lat     = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2313                 efs.flush_to    = cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
2314                 break;
2315
2316         case L2CAP_MODE_STREAMING:
2317                 efs.id          = 1;
2318                 efs.stype       = L2CAP_SERV_BESTEFFORT;
2319                 efs.msdu        = cpu_to_le16(chan->local_msdu);
2320                 efs.sdu_itime   = cpu_to_le32(chan->local_sdu_itime);
2321                 efs.acc_lat     = 0;
2322                 efs.flush_to    = 0;
2323                 break;
2324
2325         default:
2326                 return;
2327         }
2328
2329         l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
2330                                                         (unsigned long) &efs);
2331 }
2332
2333 static void l2cap_ack_timeout(struct work_struct *work)
2334 {
2335         struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2336                                                         ack_timer.work);
2337
2338         BT_DBG("chan %p", chan);
2339
2340         l2cap_chan_lock(chan);
2341
2342         __l2cap_send_ack(chan);
2343
2344         l2cap_chan_unlock(chan);
2345
2346         l2cap_chan_put(chan);
2347 }
2348
2349 static inline int l2cap_ertm_init(struct l2cap_chan *chan)
2350 {
2351         int err;
2352
2353         chan->next_tx_seq = 0;
2354         chan->expected_tx_seq = 0;
2355         chan->expected_ack_seq = 0;
2356         chan->unacked_frames = 0;
2357         chan->buffer_seq = 0;
2358         chan->num_acked = 0;
2359         chan->frames_sent = 0;
2360         chan->last_acked_seq = 0;
2361         chan->sdu = NULL;
2362         chan->sdu_last_frag = NULL;
2363         chan->sdu_len = 0;
2364
2365         skb_queue_head_init(&chan->tx_q);
2366
2367         if (chan->mode != L2CAP_MODE_ERTM)
2368                 return 0;
2369
2370         chan->rx_state = L2CAP_RX_STATE_RECV;
2371         chan->tx_state = L2CAP_TX_STATE_XMIT;
2372
2373         INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2374         INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2375         INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
2376
2377         skb_queue_head_init(&chan->srej_q);
2378
2379         INIT_LIST_HEAD(&chan->srej_l);
2380         err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2381         if (err < 0)
2382                 return err;
2383
2384         return l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
2385 }
2386
2387 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2388 {
2389         switch (mode) {
2390         case L2CAP_MODE_STREAMING:
2391         case L2CAP_MODE_ERTM:
2392                 if (l2cap_mode_supported(mode, remote_feat_mask))
2393                         return mode;
2394                 /* fall through */
2395         default:
2396                 return L2CAP_MODE_BASIC;
2397         }
2398 }
2399
2400 static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2401 {
2402         return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2403 }
2404
2405 static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2406 {
2407         return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2408 }
2409
2410 static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2411 {
2412         if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
2413                                                 __l2cap_ews_supported(chan)) {
2414                 /* use extended control field */
2415                 set_bit(FLAG_EXT_CTRL, &chan->flags);
2416                 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2417         } else {
2418                 chan->tx_win = min_t(u16, chan->tx_win,
2419                                                 L2CAP_DEFAULT_TX_WINDOW);
2420                 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2421         }
2422 }
2423
2424 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
2425 {
2426         struct l2cap_conf_req *req = data;
2427         struct l2cap_conf_rfc rfc = { .mode = chan->mode };
2428         void *ptr = req->data;
2429         u16 size;
2430
2431         BT_DBG("chan %p", chan);
2432
2433         if (chan->num_conf_req || chan->num_conf_rsp)
2434                 goto done;
2435
2436         switch (chan->mode) {
2437         case L2CAP_MODE_STREAMING:
2438         case L2CAP_MODE_ERTM:
2439                 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
2440                         break;
2441
2442                 if (__l2cap_efs_supported(chan))
2443                         set_bit(FLAG_EFS_ENABLE, &chan->flags);
2444
2445                 /* fall through */
2446         default:
2447                 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
2448                 break;
2449         }
2450
2451 done:
2452         if (chan->imtu != L2CAP_DEFAULT_MTU)
2453                 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
2454
2455         switch (chan->mode) {
2456         case L2CAP_MODE_BASIC:
2457                 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2458                                 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
2459                         break;
2460
2461                 rfc.mode            = L2CAP_MODE_BASIC;
2462                 rfc.txwin_size      = 0;
2463                 rfc.max_transmit    = 0;
2464                 rfc.retrans_timeout = 0;
2465                 rfc.monitor_timeout = 0;
2466                 rfc.max_pdu_size    = 0;
2467
2468                 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2469                                                         (unsigned long) &rfc);
2470                 break;
2471
2472         case L2CAP_MODE_ERTM:
2473                 rfc.mode            = L2CAP_MODE_ERTM;
2474                 rfc.max_transmit    = chan->max_tx;
2475                 rfc.retrans_timeout = 0;
2476                 rfc.monitor_timeout = 0;
2477
2478                 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2479                                                 L2CAP_EXT_HDR_SIZE -
2480                                                 L2CAP_SDULEN_SIZE -
2481                                                 L2CAP_FCS_SIZE);
2482                 rfc.max_pdu_size = cpu_to_le16(size);
2483
2484                 l2cap_txwin_setup(chan);
2485
2486                 rfc.txwin_size = min_t(u16, chan->tx_win,
2487                                                 L2CAP_DEFAULT_TX_WINDOW);
2488
2489                 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2490                                                         (unsigned long) &rfc);
2491
2492                 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2493                         l2cap_add_opt_efs(&ptr, chan);
2494
2495                 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
2496                         break;
2497
2498                 if (chan->fcs == L2CAP_FCS_NONE ||
2499                                 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
2500                         chan->fcs = L2CAP_FCS_NONE;
2501                         l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
2502                 }
2503
2504                 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2505                         l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2506                                                                 chan->tx_win);
2507                 break;
2508
2509         case L2CAP_MODE_STREAMING:
2510                 rfc.mode            = L2CAP_MODE_STREAMING;
2511                 rfc.txwin_size      = 0;
2512                 rfc.max_transmit    = 0;
2513                 rfc.retrans_timeout = 0;
2514                 rfc.monitor_timeout = 0;
2515
2516                 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2517                                                 L2CAP_EXT_HDR_SIZE -
2518                                                 L2CAP_SDULEN_SIZE -
2519                                                 L2CAP_FCS_SIZE);
2520                 rfc.max_pdu_size = cpu_to_le16(size);
2521
2522                 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2523                                                         (unsigned long) &rfc);
2524
2525                 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2526                         l2cap_add_opt_efs(&ptr, chan);
2527
2528                 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
2529                         break;
2530
2531                 if (chan->fcs == L2CAP_FCS_NONE ||
2532                                 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
2533                         chan->fcs = L2CAP_FCS_NONE;
2534                         l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
2535                 }
2536                 break;
2537         }
2538
2539         req->dcid  = cpu_to_le16(chan->dcid);
2540         req->flags = cpu_to_le16(0);
2541
2542         return ptr - data;
2543 }
2544
2545 static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
2546 {
2547         struct l2cap_conf_rsp *rsp = data;
2548         void *ptr = rsp->data;
2549         void *req = chan->conf_req;
2550         int len = chan->conf_len;
2551         int type, hint, olen;
2552         unsigned long val;
2553         struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
2554         struct l2cap_conf_efs efs;
2555         u8 remote_efs = 0;
2556         u16 mtu = L2CAP_DEFAULT_MTU;
2557         u16 result = L2CAP_CONF_SUCCESS;
2558         u16 size;
2559
2560         BT_DBG("chan %p", chan);
2561
2562         while (len >= L2CAP_CONF_OPT_SIZE) {
2563                 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
2564
2565                 hint  = type & L2CAP_CONF_HINT;
2566                 type &= L2CAP_CONF_MASK;
2567
2568                 switch (type) {
2569                 case L2CAP_CONF_MTU:
2570                         mtu = val;
2571                         break;
2572
2573                 case L2CAP_CONF_FLUSH_TO:
2574                         chan->flush_to = val;
2575                         break;
2576
2577                 case L2CAP_CONF_QOS:
2578                         break;
2579
2580                 case L2CAP_CONF_RFC:
2581                         if (olen == sizeof(rfc))
2582                                 memcpy(&rfc, (void *) val, olen);
2583                         break;
2584
2585                 case L2CAP_CONF_FCS:
2586                         if (val == L2CAP_FCS_NONE)
2587                                 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
2588                         break;
2589
2590                 case L2CAP_CONF_EFS:
2591                         remote_efs = 1;
2592                         if (olen == sizeof(efs))
2593                                 memcpy(&efs, (void *) val, olen);
2594                         break;
2595
2596                 case L2CAP_CONF_EWS:
2597                         if (!enable_hs)
2598                                 return -ECONNREFUSED;
2599
2600                         set_bit(FLAG_EXT_CTRL, &chan->flags);
2601                         set_bit(CONF_EWS_RECV, &chan->conf_state);
2602                         chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2603                         chan->remote_tx_win = val;
2604                         break;
2605
2606                 default:
2607                         if (hint)
2608                                 break;
2609
2610                         result = L2CAP_CONF_UNKNOWN;
2611                         *((u8 *) ptr++) = type;
2612                         break;
2613                 }
2614         }
2615
2616         if (chan->num_conf_rsp || chan->num_conf_req > 1)
2617                 goto done;
2618
2619         switch (chan->mode) {
2620         case L2CAP_MODE_STREAMING:
2621         case L2CAP_MODE_ERTM:
2622                 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
2623                         chan->mode = l2cap_select_mode(rfc.mode,
2624                                         chan->conn->feat_mask);
2625                         break;
2626                 }
2627
2628                 if (remote_efs) {
2629                         if (__l2cap_efs_supported(chan))
2630                                 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2631                         else
2632                                 return -ECONNREFUSED;
2633                 }
2634
2635                 if (chan->mode != rfc.mode)
2636                         return -ECONNREFUSED;
2637
2638                 break;
2639         }
2640
2641 done:
2642         if (chan->mode != rfc.mode) {
2643                 result = L2CAP_CONF_UNACCEPT;
2644                 rfc.mode = chan->mode;
2645
2646                 if (chan->num_conf_rsp == 1)
2647                         return -ECONNREFUSED;
2648
2649                 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2650                                         sizeof(rfc), (unsigned long) &rfc);
2651         }
2652
2653         if (result == L2CAP_CONF_SUCCESS) {
2654                 /* Configure output options and let the other side know
2655                  * which ones we don't like. */
2656
2657                 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2658                         result = L2CAP_CONF_UNACCEPT;
2659                 else {
2660                         chan->omtu = mtu;
2661                         set_bit(CONF_MTU_DONE, &chan->conf_state);
2662                 }
2663                 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
2664
2665                 if (remote_efs) {
2666                         if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2667                                         efs.stype != L2CAP_SERV_NOTRAFIC &&
2668                                         efs.stype != chan->local_stype) {
2669
2670                                 result = L2CAP_CONF_UNACCEPT;
2671
2672                                 if (chan->num_conf_req >= 1)
2673                                         return -ECONNREFUSED;
2674
2675                                 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2676                                                         sizeof(efs),
2677                                                         (unsigned long) &efs);
2678                         } else {
2679                                 /* Send PENDING Conf Rsp */
2680                                 result = L2CAP_CONF_PENDING;
2681                                 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
2682                         }
2683                 }
2684
2685                 switch (rfc.mode) {
2686                 case L2CAP_MODE_BASIC:
2687                         chan->fcs = L2CAP_FCS_NONE;
2688                         set_bit(CONF_MODE_DONE, &chan->conf_state);
2689                         break;
2690
2691                 case L2CAP_MODE_ERTM:
2692                         if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
2693                                 chan->remote_tx_win = rfc.txwin_size;
2694                         else
2695                                 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
2696
2697                         chan->remote_max_tx = rfc.max_transmit;
2698
2699                         size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2700                                                 chan->conn->mtu -
2701                                                 L2CAP_EXT_HDR_SIZE -
2702                                                 L2CAP_SDULEN_SIZE -
2703                                                 L2CAP_FCS_SIZE);
2704                         rfc.max_pdu_size = cpu_to_le16(size);
2705                         chan->remote_mps = size;
2706
2707                         rfc.retrans_timeout =
2708                                 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
2709                         rfc.monitor_timeout =
2710                                 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
2711
2712                         set_bit(CONF_MODE_DONE, &chan->conf_state);
2713
2714                         l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2715                                         sizeof(rfc), (unsigned long) &rfc);
2716
2717                         if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2718                                 chan->remote_id = efs.id;
2719                                 chan->remote_stype = efs.stype;
2720                                 chan->remote_msdu = le16_to_cpu(efs.msdu);
2721                                 chan->remote_flush_to =
2722                                                 le32_to_cpu(efs.flush_to);
2723                                 chan->remote_acc_lat =
2724                                                 le32_to_cpu(efs.acc_lat);
2725                                 chan->remote_sdu_itime =
2726                                         le32_to_cpu(efs.sdu_itime);
2727                                 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2728                                         sizeof(efs), (unsigned long) &efs);
2729                         }
2730                         break;
2731
2732                 case L2CAP_MODE_STREAMING:
2733                         size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2734                                                 chan->conn->mtu -
2735                                                 L2CAP_EXT_HDR_SIZE -
2736                                                 L2CAP_SDULEN_SIZE -
2737                                                 L2CAP_FCS_SIZE);
2738                         rfc.max_pdu_size = cpu_to_le16(size);
2739                         chan->remote_mps = size;
2740
2741                         set_bit(CONF_MODE_DONE, &chan->conf_state);
2742
2743                         l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2744                                         sizeof(rfc), (unsigned long) &rfc);
2745
2746                         break;
2747
2748                 default:
2749                         result = L2CAP_CONF_UNACCEPT;
2750
2751                         memset(&rfc, 0, sizeof(rfc));
2752                         rfc.mode = chan->mode;
2753                 }
2754
2755                 if (result == L2CAP_CONF_SUCCESS)
2756                         set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
2757         }
2758         rsp->scid   = cpu_to_le16(chan->dcid);
2759         rsp->result = cpu_to_le16(result);
2760         rsp->flags  = cpu_to_le16(0x0000);
2761
2762         return ptr - data;
2763 }
2764
2765 static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
2766 {
2767         struct l2cap_conf_req *req = data;
2768         void *ptr = req->data;
2769         int type, olen;
2770         unsigned long val;
2771         struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
2772         struct l2cap_conf_efs efs;
2773
2774         BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
2775
2776         while (len >= L2CAP_CONF_OPT_SIZE) {
2777                 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2778
2779                 switch (type) {
2780                 case L2CAP_CONF_MTU:
2781                         if (val < L2CAP_DEFAULT_MIN_MTU) {
2782                                 *result = L2CAP_CONF_UNACCEPT;
2783                                 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
2784                         } else
2785                                 chan->imtu = val;
2786                         l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
2787                         break;
2788
2789                 case L2CAP_CONF_FLUSH_TO:
2790                         chan->flush_to = val;
2791                         l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2792                                                         2, chan->flush_to);
2793                         break;
2794
2795                 case L2CAP_CONF_RFC:
2796                         if (olen == sizeof(rfc))
2797                                 memcpy(&rfc, (void *)val, olen);
2798
2799                         if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2800                                                         rfc.mode != chan->mode)
2801                                 return -ECONNREFUSED;
2802
2803                         chan->fcs = 0;
2804
2805                         l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2806                                         sizeof(rfc), (unsigned long) &rfc);
2807                         break;
2808
2809                 case L2CAP_CONF_EWS:
2810                         chan->tx_win = min_t(u16, val,
2811                                                 L2CAP_DEFAULT_EXT_WINDOW);
2812                         l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2813                                                         chan->tx_win);
2814                         break;
2815
2816                 case L2CAP_CONF_EFS:
2817                         if (olen == sizeof(efs))
2818                                 memcpy(&efs, (void *)val, olen);
2819
2820                         if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2821                                         efs.stype != L2CAP_SERV_NOTRAFIC &&
2822                                         efs.stype != chan->local_stype)
2823                                 return -ECONNREFUSED;
2824
2825                         l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2826                                         sizeof(efs), (unsigned long) &efs);
2827                         break;
2828                 }
2829         }
2830
2831         if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
2832                 return -ECONNREFUSED;
2833
2834         chan->mode = rfc.mode;
2835
2836         if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
2837                 switch (rfc.mode) {
2838                 case L2CAP_MODE_ERTM:
2839                         chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2840                         chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2841                         chan->mps    = le16_to_cpu(rfc.max_pdu_size);
2842
2843                         if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2844                                 chan->local_msdu = le16_to_cpu(efs.msdu);
2845                                 chan->local_sdu_itime =
2846                                                 le32_to_cpu(efs.sdu_itime);
2847                                 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
2848                                 chan->local_flush_to =
2849                                                 le32_to_cpu(efs.flush_to);
2850                         }
2851                         break;
2852
2853                 case L2CAP_MODE_STREAMING:
2854                         chan->mps    = le16_to_cpu(rfc.max_pdu_size);
2855                 }
2856         }
2857
2858         req->dcid   = cpu_to_le16(chan->dcid);
2859         req->flags  = cpu_to_le16(0x0000);
2860
2861         return ptr - data;
2862 }
2863
2864 static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
2865 {
2866         struct l2cap_conf_rsp *rsp = data;
2867         void *ptr = rsp->data;
2868
2869         BT_DBG("chan %p", chan);
2870
2871         rsp->scid   = cpu_to_le16(chan->dcid);
2872         rsp->result = cpu_to_le16(result);
2873         rsp->flags  = cpu_to_le16(flags);
2874
2875         return ptr - data;
2876 }
2877
2878 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
2879 {
2880         struct l2cap_conn_rsp rsp;
2881         struct l2cap_conn *conn = chan->conn;
2882         u8 buf[128];
2883
2884         rsp.scid   = cpu_to_le16(chan->dcid);
2885         rsp.dcid   = cpu_to_le16(chan->scid);
2886         rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2887         rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2888         l2cap_send_cmd(conn, chan->ident,
2889                                 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2890
2891         if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
2892                 return;
2893
2894         l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2895                         l2cap_build_conf_req(chan, buf), buf);
2896         chan->num_conf_req++;
2897 }
2898
2899 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
2900 {
2901         int type, olen;
2902         unsigned long val;
2903         struct l2cap_conf_rfc rfc;
2904
2905         BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
2906
2907         if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
2908                 return;
2909
2910         while (len >= L2CAP_CONF_OPT_SIZE) {
2911                 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2912
2913                 switch (type) {
2914                 case L2CAP_CONF_RFC:
2915                         if (olen == sizeof(rfc))
2916                                 memcpy(&rfc, (void *)val, olen);
2917                         goto done;
2918                 }
2919         }
2920
2921         /* Use sane default values in case a misbehaving remote device
2922          * did not send an RFC option.
2923          */
2924         rfc.mode = chan->mode;
2925         rfc.retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
2926         rfc.monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
2927         rfc.max_pdu_size = cpu_to_le16(chan->imtu);
2928
2929         BT_ERR("Expected RFC option was not found, using defaults");
2930
2931 done:
2932         switch (rfc.mode) {
2933         case L2CAP_MODE_ERTM:
2934                 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2935                 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2936                 chan->mps    = le16_to_cpu(rfc.max_pdu_size);
2937                 break;
2938         case L2CAP_MODE_STREAMING:
2939                 chan->mps    = le16_to_cpu(rfc.max_pdu_size);
2940         }
2941 }
2942
2943 static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2944 {
2945         struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
2946
2947         if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
2948                 return 0;
2949
2950         if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2951                                         cmd->ident == conn->info_ident) {
2952                 cancel_delayed_work(&conn->info_timer);
2953
2954                 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2955                 conn->info_ident = 0;
2956
2957                 l2cap_conn_start(conn);
2958         }
2959
2960         return 0;
2961 }
2962
2963 static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2964 {
2965         struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2966         struct l2cap_conn_rsp rsp;
2967         struct l2cap_chan *chan = NULL, *pchan;
2968         struct sock *parent, *sk = NULL;
2969         int result, status = L2CAP_CS_NO_INFO;
2970
2971         u16 dcid = 0, scid = __le16_to_cpu(req->scid);
2972         __le16 psm = req->psm;
2973
2974         BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
2975
2976         /* Check if we have socket listening on psm */
2977         pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
2978         if (!pchan) {
2979                 result = L2CAP_CR_BAD_PSM;
2980                 goto sendresp;
2981         }
2982
2983         parent = pchan->sk;
2984
2985         mutex_lock(&conn->chan_lock);
2986         lock_sock(parent);
2987
2988         /* Check if the ACL is secure enough (if not SDP) */
2989         if (psm != cpu_to_le16(0x0001) &&
2990                                 !hci_conn_check_link_mode(conn->hcon)) {
2991                 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
2992                 result = L2CAP_CR_SEC_BLOCK;
2993                 goto response;
2994         }
2995
2996         result = L2CAP_CR_NO_MEM;
2997
2998         /* Check for backlog size */
2999         if (sk_acceptq_is_full(parent)) {
3000                 BT_DBG("backlog full %d", parent->sk_ack_backlog);
3001                 goto response;
3002         }
3003
3004         chan = pchan->ops->new_connection(pchan->data);
3005         if (!chan)
3006                 goto response;
3007
3008         sk = chan->sk;
3009
3010         /* Check if we already have channel with that dcid */
3011         if (__l2cap_get_chan_by_dcid(conn, scid)) {
3012                 sock_set_flag(sk, SOCK_ZAPPED);
3013                 chan->ops->close(chan->data);
3014                 goto response;
3015         }
3016
3017         hci_conn_hold(conn->hcon);
3018
3019         bacpy(&bt_sk(sk)->src, conn->src);
3020         bacpy(&bt_sk(sk)->dst, conn->dst);
3021         chan->psm  = psm;
3022         chan->dcid = scid;
3023
3024         bt_accept_enqueue(parent, sk);
3025
3026         __l2cap_chan_add(conn, chan);
3027
3028         dcid = chan->scid;
3029
3030         __set_chan_timer(chan, sk->sk_sndtimeo);
3031
3032         chan->ident = cmd->ident;
3033
3034         if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
3035                 if (l2cap_chan_check_security(chan)) {
3036                         if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
3037                                 __l2cap_state_change(chan, BT_CONNECT2);
3038                                 result = L2CAP_CR_PEND;
3039                                 status = L2CAP_CS_AUTHOR_PEND;
3040                                 parent->sk_data_ready(parent, 0);
3041                         } else {
3042                                 __l2cap_state_change(chan, BT_CONFIG);
3043                                 result = L2CAP_CR_SUCCESS;
3044                                 status = L2CAP_CS_NO_INFO;
3045                         }
3046                 } else {
3047                         __l2cap_state_change(chan, BT_CONNECT2);
3048                         result = L2CAP_CR_PEND;
3049                         status = L2CAP_CS_AUTHEN_PEND;
3050                 }
3051         } else {
3052                 __l2cap_state_change(chan, BT_CONNECT2);
3053                 result = L2CAP_CR_PEND;
3054                 status = L2CAP_CS_NO_INFO;
3055         }
3056
3057 response:
3058         release_sock(parent);
3059         mutex_unlock(&conn->chan_lock);
3060
3061 sendresp:
3062         rsp.scid   = cpu_to_le16(scid);
3063         rsp.dcid   = cpu_to_le16(dcid);
3064         rsp.result = cpu_to_le16(result);
3065         rsp.status = cpu_to_le16(status);
3066         l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
3067
3068         if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3069                 struct l2cap_info_req info;
3070                 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3071
3072                 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3073                 conn->info_ident = l2cap_get_ident(conn);
3074
3075                 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
3076
3077                 l2cap_send_cmd(conn, conn->info_ident,
3078                                         L2CAP_INFO_REQ, sizeof(info), &info);
3079         }
3080
3081         if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
3082                                 result == L2CAP_CR_SUCCESS) {
3083                 u8 buf[128];
3084                 set_bit(CONF_REQ_SENT, &chan->conf_state);
3085                 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3086                                         l2cap_build_conf_req(chan, buf), buf);
3087                 chan->num_conf_req++;
3088         }
3089
3090         return 0;
3091 }
3092
3093 static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3094 {
3095         struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3096         u16 scid, dcid, result, status;
3097         struct l2cap_chan *chan;
3098         u8 req[128];
3099         int err;
3100
3101         scid   = __le16_to_cpu(rsp->scid);
3102         dcid   = __le16_to_cpu(rsp->dcid);
3103         result = __le16_to_cpu(rsp->result);
3104         status = __le16_to_cpu(rsp->status);
3105
3106         BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3107                                                 dcid, scid, result, status);
3108
3109         mutex_lock(&conn->chan_lock);
3110
3111         if (scid) {
3112                 chan = __l2cap_get_chan_by_scid(conn, scid);
3113                 if (!chan) {
3114                         err = -EFAULT;
3115                         goto unlock;
3116                 }
3117         } else {
3118                 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3119                 if (!chan) {
3120                         err = -EFAULT;
3121                         goto unlock;
3122                 }
3123         }
3124
3125         err = 0;
3126
3127         l2cap_chan_lock(chan);
3128
3129         switch (result) {
3130         case L2CAP_CR_SUCCESS:
3131                 l2cap_state_change(chan, BT_CONFIG);
3132                 chan->ident = 0;
3133                 chan->dcid = dcid;
3134                 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
3135
3136                 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3137                         break;
3138
3139                 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3140                                         l2cap_build_conf_req(chan, req), req);
3141                 chan->num_conf_req++;
3142                 break;
3143
3144         case L2CAP_CR_PEND:
3145                 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
3146                 break;
3147
3148         default:
3149                 l2cap_chan_del(chan, ECONNREFUSED);
3150                 break;
3151         }
3152
3153         l2cap_chan_unlock(chan);
3154
3155 unlock:
3156         mutex_unlock(&conn->chan_lock);
3157
3158         return err;
3159 }
3160
3161 static inline void set_default_fcs(struct l2cap_chan *chan)
3162 {
3163         /* FCS is enabled only in ERTM or streaming mode, if one or both
3164          * sides request it.
3165          */
3166         if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
3167                 chan->fcs = L2CAP_FCS_NONE;
3168         else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
3169                 chan->fcs = L2CAP_FCS_CRC16;
3170 }
3171
3172 static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3173 {
3174         struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3175         u16 dcid, flags;
3176         u8 rsp[64];
3177         struct l2cap_chan *chan;
3178         int len, err = 0;
3179
3180         dcid  = __le16_to_cpu(req->dcid);
3181         flags = __le16_to_cpu(req->flags);
3182
3183         BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3184
3185         chan = l2cap_get_chan_by_scid(conn, dcid);
3186         if (!chan)
3187                 return -ENOENT;
3188
3189         if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
3190                 struct l2cap_cmd_rej_cid rej;
3191
3192                 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
3193                 rej.scid = cpu_to_le16(chan->scid);
3194                 rej.dcid = cpu_to_le16(chan->dcid);
3195
3196                 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
3197                                 sizeof(rej), &rej);
3198                 goto unlock;
3199         }
3200
3201         /* Reject if config buffer is too small. */
3202         len = cmd_len - sizeof(*req);
3203         if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
3204                 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3205                                 l2cap_build_conf_rsp(chan, rsp,
3206                                         L2CAP_CONF_REJECT, flags), rsp);
3207                 goto unlock;
3208         }
3209
3210         /* Store config. */
3211         memcpy(chan->conf_req + chan->conf_len, req->data, len);
3212         chan->conf_len += len;
3213
3214         if (flags & 0x0001) {
3215                 /* Incomplete config. Send empty response. */
3216                 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3217                                 l2cap_build_conf_rsp(chan, rsp,
3218                                         L2CAP_CONF_SUCCESS, 0x0001), rsp);
3219                 goto unlock;
3220         }
3221
3222         /* Complete config. */
3223         len = l2cap_parse_conf_req(chan, rsp);
3224         if (len < 0) {
3225                 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3226                 goto unlock;
3227         }
3228
3229         l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
3230         chan->num_conf_rsp++;
3231
3232         /* Reset config buffer. */
3233         chan->conf_len = 0;
3234
3235         if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
3236                 goto unlock;
3237
3238         if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
3239                 set_default_fcs(chan);
3240
3241                 l2cap_state_change(chan, BT_CONNECTED);
3242
3243                 if (chan->mode == L2CAP_MODE_ERTM ||
3244                     chan->mode == L2CAP_MODE_STREAMING)
3245                         err = l2cap_ertm_init(chan);
3246
3247                 if (err < 0)
3248                         l2cap_send_disconn_req(chan->conn, chan, -err);
3249                 else
3250                         l2cap_chan_ready(chan);
3251
3252                 goto unlock;
3253         }
3254
3255         if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
3256                 u8 buf[64];
3257                 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3258                                         l2cap_build_conf_req(chan, buf), buf);
3259                 chan->num_conf_req++;
3260         }
3261
3262         /* Got Conf Rsp PENDING from remote side and asume we sent
3263            Conf Rsp PENDING in the code above */
3264         if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
3265                         test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3266
3267                 /* check compatibility */
3268
3269                 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3270                 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3271
3272                 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3273                                         l2cap_build_conf_rsp(chan, rsp,
3274                                         L2CAP_CONF_SUCCESS, 0x0000), rsp);
3275         }
3276
3277 unlock:
3278         l2cap_chan_unlock(chan);
3279         return err;
3280 }
3281
3282 static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3283 {
3284         struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3285         u16 scid, flags, result;
3286         struct l2cap_chan *chan;
3287         int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3288         int err = 0;
3289
3290         scid   = __le16_to_cpu(rsp->scid);
3291         flags  = __le16_to_cpu(rsp->flags);
3292         result = __le16_to_cpu(rsp->result);
3293
3294         BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3295                result, len);
3296
3297         chan = l2cap_get_chan_by_scid(conn, scid);
3298         if (!chan)
3299                 return 0;
3300
3301         switch (result) {
3302         case L2CAP_CONF_SUCCESS:
3303                 l2cap_conf_rfc_get(chan, rsp->data, len);
3304                 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3305                 break;
3306
3307         case L2CAP_CONF_PENDING:
3308                 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3309
3310                 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3311                         char buf[64];
3312
3313                         len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3314                                                                 buf, &result);
3315                         if (len < 0) {
3316                                 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3317                                 goto done;
3318                         }
3319
3320                         /* check compatibility */
3321
3322                         clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3323                         set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3324
3325                         l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3326                                                 l2cap_build_conf_rsp(chan, buf,
3327                                                 L2CAP_CONF_SUCCESS, 0x0000), buf);
3328                 }
3329                 goto done;
3330
3331         case L2CAP_CONF_UNACCEPT:
3332                 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
3333                         char req[64];
3334
3335                         if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
3336                                 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3337                                 goto done;
3338                         }
3339
3340                         /* throw out any old stored conf requests */
3341                         result = L2CAP_CONF_SUCCESS;
3342                         len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3343                                                                 req, &result);
3344                         if (len < 0) {
3345                                 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3346                                 goto done;
3347                         }
3348
3349                         l2cap_send_cmd(conn, l2cap_get_ident(conn),
3350                                                 L2CAP_CONF_REQ, len, req);
3351                         chan->num_conf_req++;
3352                         if (result != L2CAP_CONF_SUCCESS)
3353                                 goto done;
3354                         break;
3355                 }
3356
3357         default:
3358                 l2cap_chan_set_err(chan, ECONNRESET);
3359
3360                 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
3361                 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3362                 goto done;
3363         }
3364
3365         if (flags & 0x01)
3366                 goto done;
3367
3368         set_bit(CONF_INPUT_DONE, &chan->conf_state);
3369
3370         if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
3371                 set_default_fcs(chan);
3372
3373                 l2cap_state_change(chan, BT_CONNECTED);
3374                 if (chan->mode == L2CAP_MODE_ERTM ||
3375                     chan->mode == L2CAP_MODE_STREAMING)
3376                         err = l2cap_ertm_init(chan);
3377
3378                 if (err < 0)
3379                         l2cap_send_disconn_req(chan->conn, chan, -err);
3380                 else
3381                         l2cap_chan_ready(chan);
3382         }
3383
3384 done:
3385         l2cap_chan_unlock(chan);
3386         return err;
3387 }
3388
3389 static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3390 {
3391         struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3392         struct l2cap_disconn_rsp rsp;
3393         u16 dcid, scid;
3394         struct l2cap_chan *chan;
3395         struct sock *sk;
3396
3397         scid = __le16_to_cpu(req->scid);
3398         dcid = __le16_to_cpu(req->dcid);
3399
3400         BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3401
3402         mutex_lock(&conn->chan_lock);
3403
3404         chan = __l2cap_get_chan_by_scid(conn, dcid);
3405         if (!chan) {
3406                 mutex_unlock(&conn->chan_lock);
3407                 return 0;
3408         }
3409
3410         l2cap_chan_lock(chan);
3411
3412         sk = chan->sk;
3413
3414         rsp.dcid = cpu_to_le16(chan->scid);
3415         rsp.scid = cpu_to_le16(chan->dcid);
3416         l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3417
3418         lock_sock(sk);
3419         sk->sk_shutdown = SHUTDOWN_MASK;
3420         release_sock(sk);
3421
3422         l2cap_chan_hold(chan);
3423         l2cap_chan_del(chan, ECONNRESET);
3424
3425         l2cap_chan_unlock(chan);
3426
3427         chan->ops->close(chan->data);
3428         l2cap_chan_put(chan);
3429
3430         mutex_unlock(&conn->chan_lock);
3431
3432         return 0;
3433 }
3434
3435 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3436 {
3437         struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3438         u16 dcid, scid;
3439         struct l2cap_chan *chan;
3440
3441         scid = __le16_to_cpu(rsp->scid);
3442         dcid = __le16_to_cpu(rsp->dcid);
3443
3444         BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3445
3446         mutex_lock(&conn->chan_lock);
3447
3448         chan = __l2cap_get_chan_by_scid(conn, scid);
3449         if (!chan) {
3450                 mutex_unlock(&conn->chan_lock);
3451                 return 0;
3452         }
3453
3454         l2cap_chan_lock(chan);
3455
3456         l2cap_chan_hold(chan);
3457         l2cap_chan_del(chan, 0);
3458
3459         l2cap_chan_unlock(chan);
3460
3461         chan->ops->close(chan->data);
3462         l2cap_chan_put(chan);
3463
3464         mutex_unlock(&conn->chan_lock);
3465
3466         return 0;
3467 }
3468
3469 static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3470 {
3471         struct l2cap_info_req *req = (struct l2cap_info_req *) data;
3472         u16 type;
3473
3474         type = __le16_to_cpu(req->type);
3475
3476         BT_DBG("type 0x%4.4x", type);
3477
3478         if (type == L2CAP_IT_FEAT_MASK) {
3479                 u8 buf[8];
3480                 u32 feat_mask = l2cap_feat_mask;
3481                 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3482                 rsp->type   = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3483                 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
3484                 if (!disable_ertm)
3485                         feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3486                                                          | L2CAP_FEAT_FCS;
3487                 if (enable_hs)
3488                         feat_mask |= L2CAP_FEAT_EXT_FLOW
3489                                                 | L2CAP_FEAT_EXT_WINDOW;
3490
3491                 put_unaligned_le32(feat_mask, rsp->data);
3492                 l2cap_send_cmd(conn, cmd->ident,
3493                                         L2CAP_INFO_RSP, sizeof(buf), buf);
3494         } else if (type == L2CAP_IT_FIXED_CHAN) {
3495                 u8 buf[12];
3496                 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3497
3498                 if (enable_hs)
3499                         l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3500                 else
3501                         l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3502
3503                 rsp->type   = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3504                 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
3505                 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
3506                 l2cap_send_cmd(conn, cmd->ident,
3507                                         L2CAP_INFO_RSP, sizeof(buf), buf);
3508         } else {
3509                 struct l2cap_info_rsp rsp;
3510                 rsp.type   = cpu_to_le16(type);
3511                 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3512                 l2cap_send_cmd(conn, cmd->ident,
3513                                         L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3514         }
3515
3516         return 0;
3517 }
3518
3519 static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3520 {
3521         struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3522         u16 type, result;
3523
3524         type   = __le16_to_cpu(rsp->type);
3525         result = __le16_to_cpu(rsp->result);
3526
3527         BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3528
3529         /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3530         if (cmd->ident != conn->info_ident ||
3531                         conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3532                 return 0;
3533
3534         cancel_delayed_work(&conn->info_timer);
3535
3536         if (result != L2CAP_IR_SUCCESS) {
3537                 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3538                 conn->info_ident = 0;
3539
3540                 l2cap_conn_start(conn);
3541
3542                 return 0;
3543         }
3544
3545         switch (type) {
3546         case L2CAP_IT_FEAT_MASK:
3547                 conn->feat_mask = get_unaligned_le32(rsp->data);
3548
3549                 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
3550                         struct l2cap_info_req req;
3551                         req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3552
3553                         conn->info_ident = l2cap_get_ident(conn);
3554
3555                         l2cap_send_cmd(conn, conn->info_ident,
3556                                         L2CAP_INFO_REQ, sizeof(req), &req);
3557                 } else {
3558                         conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3559                         conn->info_ident = 0;
3560
3561                         l2cap_conn_start(conn);
3562                 }
3563                 break;
3564
3565         case L2CAP_IT_FIXED_CHAN:
3566                 conn->fixed_chan_mask = rsp->data[0];
3567                 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3568                 conn->info_ident = 0;
3569
3570                 l2cap_conn_start(conn);
3571                 break;
3572         }
3573
3574         return 0;
3575 }
3576
3577 static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3578                                         struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3579                                         void *data)
3580 {
3581         struct l2cap_create_chan_req *req = data;
3582         struct l2cap_create_chan_rsp rsp;
3583         u16 psm, scid;
3584
3585         if (cmd_len != sizeof(*req))
3586                 return -EPROTO;
3587
3588         if (!enable_hs)
3589                 return -EINVAL;
3590
3591         psm = le16_to_cpu(req->psm);
3592         scid = le16_to_cpu(req->scid);
3593
3594         BT_DBG("psm %d, scid %d, amp_id %d", psm, scid, req->amp_id);
3595
3596         /* Placeholder: Always reject */
3597         rsp.dcid = 0;
3598         rsp.scid = cpu_to_le16(scid);
3599         rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
3600         rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
3601
3602         l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
3603                        sizeof(rsp), &rsp);
3604
3605         return 0;
3606 }
3607
3608 static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
3609                                         struct l2cap_cmd_hdr *cmd, void *data)
3610 {
3611         BT_DBG("conn %p", conn);
3612
3613         return l2cap_connect_rsp(conn, cmd, data);
3614 }
3615
3616 static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
3617                                                         u16 icid, u16 result)
3618 {
3619         struct l2cap_move_chan_rsp rsp;
3620
3621         BT_DBG("icid %d, result %d", icid, result);
3622
3623         rsp.icid = cpu_to_le16(icid);
3624         rsp.result = cpu_to_le16(result);
3625
3626         l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
3627 }
3628
3629 static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
3630                                 struct l2cap_chan *chan, u16 icid, u16 result)
3631 {
3632         struct l2cap_move_chan_cfm cfm;
3633         u8 ident;
3634
3635         BT_DBG("icid %d, result %d", icid, result);
3636
3637         ident = l2cap_get_ident(conn);
3638         if (chan)
3639                 chan->ident = ident;
3640
3641         cfm.icid = cpu_to_le16(icid);
3642         cfm.result = cpu_to_le16(result);
3643
3644         l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
3645 }
3646
3647 static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
3648                                                                 u16 icid)
3649 {
3650         struct l2cap_move_chan_cfm_rsp rsp;
3651
3652         BT_DBG("icid %d", icid);
3653
3654         rsp.icid = cpu_to_le16(icid);
3655         l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
3656 }
3657
3658 static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
3659                         struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3660 {
3661         struct l2cap_move_chan_req *req = data;
3662         u16 icid = 0;
3663         u16 result = L2CAP_MR_NOT_ALLOWED;
3664
3665         if (cmd_len != sizeof(*req))
3666                 return -EPROTO;
3667
3668         icid = le16_to_cpu(req->icid);
3669
3670         BT_DBG("icid %d, dest_amp_id %d", icid, req->dest_amp_id);
3671
3672         if (!enable_hs)
3673                 return -EINVAL;
3674
3675         /* Placeholder: Always refuse */
3676         l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
3677
3678         return 0;
3679 }
3680
3681 static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
3682                         struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3683 {
3684         struct l2cap_move_chan_rsp *rsp = data;
3685         u16 icid, result;
3686
3687         if (cmd_len != sizeof(*rsp))
3688                 return -EPROTO;
3689
3690         icid = le16_to_cpu(rsp->icid);
3691         result = le16_to_cpu(rsp->result);
3692
3693         BT_DBG("icid %d, result %d", icid, result);
3694
3695         /* Placeholder: Always unconfirmed */
3696         l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
3697
3698         return 0;
3699 }
3700
3701 static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
3702                         struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3703 {
3704         struct l2cap_move_chan_cfm *cfm = data;
3705         u16 icid, result;
3706
3707         if (cmd_len != sizeof(*cfm))
3708                 return -EPROTO;
3709
3710         icid = le16_to_cpu(cfm->icid);
3711         result = le16_to_cpu(cfm->result);
3712
3713         BT_DBG("icid %d, result %d", icid, result);
3714
3715         l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
3716
3717         return 0;
3718 }
3719
3720 static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
3721                         struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3722 {
3723         struct l2cap_move_chan_cfm_rsp *rsp = data;
3724         u16 icid;
3725
3726         if (cmd_len != sizeof(*rsp))
3727                 return -EPROTO;
3728
3729         icid = le16_to_cpu(rsp->icid);
3730
3731         BT_DBG("icid %d", icid);
3732
3733         return 0;
3734 }
3735
3736 static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
3737                                                         u16 to_multiplier)
3738 {
3739         u16 max_latency;
3740
3741         if (min > max || min < 6 || max > 3200)
3742                 return -EINVAL;
3743
3744         if (to_multiplier < 10 || to_multiplier > 3200)
3745                 return -EINVAL;
3746
3747         if (max >= to_multiplier * 8)
3748                 return -EINVAL;
3749
3750         max_latency = (to_multiplier * 8 / max) - 1;
3751         if (latency > 499 || latency > max_latency)
3752                 return -EINVAL;
3753
3754         return 0;
3755 }
3756
3757 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
3758                                         struct l2cap_cmd_hdr *cmd, u8 *data)
3759 {
3760         struct hci_conn *hcon = conn->hcon;
3761         struct l2cap_conn_param_update_req *req;
3762         struct l2cap_conn_param_update_rsp rsp;
3763         u16 min, max, latency, to_multiplier, cmd_len;
3764         int err;
3765
3766         if (!(hcon->link_mode & HCI_LM_MASTER))
3767                 return -EINVAL;
3768
3769         cmd_len = __le16_to_cpu(cmd->len);
3770         if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
3771                 return -EPROTO;
3772
3773         req = (struct l2cap_conn_param_update_req *) data;
3774         min             = __le16_to_cpu(req->min);
3775         max             = __le16_to_cpu(req->max);
3776         latency         = __le16_to_cpu(req->latency);
3777         to_multiplier   = __le16_to_cpu(req->to_multiplier);
3778
3779         BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
3780                                                 min, max, latency, to_multiplier);
3781
3782         memset(&rsp, 0, sizeof(rsp));
3783
3784         err = l2cap_check_conn_param(min, max, latency, to_multiplier);
3785         if (err)
3786                 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
3787         else
3788                 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
3789
3790         l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
3791                                                         sizeof(rsp), &rsp);
3792
3793         if (!err)
3794                 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
3795
3796         return 0;
3797 }
3798
3799 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
3800                         struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3801 {
3802         int err = 0;
3803
3804         switch (cmd->code) {
3805         case L2CAP_COMMAND_REJ:
3806                 l2cap_command_rej(conn, cmd, data);
3807                 break;
3808
3809         case L2CAP_CONN_REQ:
3810                 err = l2cap_connect_req(conn, cmd, data);
3811                 break;
3812
3813         case L2CAP_CONN_RSP:
3814                 err = l2cap_connect_rsp(conn, cmd, data);
3815                 break;
3816
3817         case L2CAP_CONF_REQ:
3818                 err = l2cap_config_req(conn, cmd, cmd_len, data);
3819                 break;
3820
3821         case L2CAP_CONF_RSP:
3822                 err = l2cap_config_rsp(conn, cmd, data);
3823                 break;
3824
3825         case L2CAP_DISCONN_REQ:
3826                 err = l2cap_disconnect_req(conn, cmd, data);
3827                 break;
3828
3829         case L2CAP_DISCONN_RSP:
3830                 err = l2cap_disconnect_rsp(conn, cmd, data);
3831                 break;
3832
3833         case L2CAP_ECHO_REQ:
3834                 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
3835                 break;
3836
3837         case L2CAP_ECHO_RSP:
3838                 break;
3839
3840         case L2CAP_INFO_REQ:
3841                 err = l2cap_information_req(conn, cmd, data);
3842                 break;
3843
3844         case L2CAP_INFO_RSP:
3845                 err = l2cap_information_rsp(conn, cmd, data);
3846                 break;
3847
3848         case L2CAP_CREATE_CHAN_REQ:
3849                 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
3850                 break;
3851
3852         case L2CAP_CREATE_CHAN_RSP:
3853                 err = l2cap_create_channel_rsp(conn, cmd, data);
3854                 break;
3855
3856         case L2CAP_MOVE_CHAN_REQ:
3857                 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
3858                 break;
3859
3860         case L2CAP_MOVE_CHAN_RSP:
3861                 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
3862                 break;
3863
3864         case L2CAP_MOVE_CHAN_CFM:
3865                 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
3866                 break;
3867
3868         case L2CAP_MOVE_CHAN_CFM_RSP:
3869                 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
3870                 break;
3871
3872         default:
3873                 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
3874                 err = -EINVAL;
3875                 break;
3876         }
3877
3878         return err;
3879 }
3880
3881 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
3882                                         struct l2cap_cmd_hdr *cmd, u8 *data)
3883 {
3884         switch (cmd->code) {
3885         case L2CAP_COMMAND_REJ:
3886                 return 0;
3887
3888         case L2CAP_CONN_PARAM_UPDATE_REQ:
3889                 return l2cap_conn_param_update_req(conn, cmd, data);
3890
3891         case L2CAP_CONN_PARAM_UPDATE_RSP:
3892                 return 0;
3893
3894         default:
3895                 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
3896                 return -EINVAL;
3897         }
3898 }
3899
3900 static inline void l2cap_sig_channel(struct l2cap_conn *conn,
3901                                                         struct sk_buff *skb)
3902 {
3903         u8 *data = skb->data;
3904         int len = skb->len;
3905         struct l2cap_cmd_hdr cmd;
3906         int err;
3907
3908         l2cap_raw_recv(conn, skb);
3909
3910         while (len >= L2CAP_CMD_HDR_SIZE) {
3911                 u16 cmd_len;
3912                 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3913                 data += L2CAP_CMD_HDR_SIZE;
3914                 len  -= L2CAP_CMD_HDR_SIZE;
3915
3916                 cmd_len = le16_to_cpu(cmd.len);
3917
3918                 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
3919
3920                 if (cmd_len > len || !cmd.ident) {
3921                         BT_DBG("corrupted command");
3922                         break;
3923                 }
3924
3925                 if (conn->hcon->type == LE_LINK)
3926                         err = l2cap_le_sig_cmd(conn, &cmd, data);
3927                 else
3928                         err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
3929
3930                 if (err) {
3931                         struct l2cap_cmd_rej_unk rej;
3932
3933                         BT_ERR("Wrong link type (%d)", err);
3934
3935                         /* FIXME: Map err to a valid reason */
3936                         rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
3937                         l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3938                 }
3939
3940                 data += cmd_len;
3941                 len  -= cmd_len;
3942         }
3943
3944         kfree_skb(skb);
3945 }
3946
3947 static int l2cap_check_fcs(struct l2cap_chan *chan,  struct sk_buff *skb)
3948 {
3949         u16 our_fcs, rcv_fcs;
3950         int hdr_size;
3951
3952         if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3953                 hdr_size = L2CAP_EXT_HDR_SIZE;
3954         else
3955                 hdr_size = L2CAP_ENH_HDR_SIZE;
3956
3957         if (chan->fcs == L2CAP_FCS_CRC16) {
3958                 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
3959                 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3960                 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3961
3962                 if (our_fcs != rcv_fcs)
3963                         return -EBADMSG;
3964         }
3965         return 0;
3966 }
3967
3968 static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
3969 {
3970         u32 control = 0;
3971
3972         chan->frames_sent = 0;
3973
3974         control |= __set_reqseq(chan, chan->buffer_seq);
3975
3976         if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3977                 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
3978                 l2cap_send_sframe(chan, control);
3979                 set_bit(CONN_RNR_SENT, &chan->conn_state);
3980         }
3981
3982         if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
3983                 l2cap_retransmit_frames(chan);
3984
3985         l2cap_ertm_send(chan);
3986
3987         if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
3988                         chan->frames_sent == 0) {
3989                 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
3990                 l2cap_send_sframe(chan, control);
3991         }
3992 }
3993
3994 static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u16 tx_seq, u8 sar)
3995 {
3996         struct sk_buff *next_skb;
3997         int tx_seq_offset, next_tx_seq_offset;
3998
3999         bt_cb(skb)->control.txseq = tx_seq;
4000         bt_cb(skb)->control.sar = sar;
4001
4002         next_skb = skb_peek(&chan->srej_q);
4003
4004         tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
4005
4006         while (next_skb) {
4007                 if (bt_cb(next_skb)->control.txseq == tx_seq)
4008                         return -EINVAL;
4009
4010                 next_tx_seq_offset = __seq_offset(chan,
4011                         bt_cb(next_skb)->control.txseq, chan->buffer_seq);
4012
4013                 if (next_tx_seq_offset > tx_seq_offset) {
4014                         __skb_queue_before(&chan->srej_q, next_skb, skb);
4015                         return 0;
4016                 }
4017
4018                 if (skb_queue_is_last(&chan->srej_q, next_skb))
4019                         next_skb = NULL;
4020                 else
4021                         next_skb = skb_queue_next(&chan->srej_q, next_skb);
4022         }
4023
4024         __skb_queue_tail(&chan->srej_q, skb);
4025
4026         return 0;
4027 }
4028
4029 static void append_skb_frag(struct sk_buff *skb,
4030                         struct sk_buff *new_frag, struct sk_buff **last_frag)
4031 {
4032         /* skb->len reflects data in skb as well as all fragments
4033          * skb->data_len reflects only data in fragments
4034          */
4035         if (!skb_has_frag_list(skb))
4036                 skb_shinfo(skb)->frag_list = new_frag;
4037
4038         new_frag->next = NULL;
4039
4040         (*last_frag)->next = new_frag;
4041         *last_frag = new_frag;
4042
4043         skb->len += new_frag->len;
4044         skb->data_len += new_frag->len;
4045         skb->truesize += new_frag->truesize;
4046 }
4047
4048 static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u32 control)
4049 {
4050         int err = -EINVAL;
4051
4052         switch (__get_ctrl_sar(chan, control)) {
4053         case L2CAP_SAR_UNSEGMENTED:
4054                 if (chan->sdu)
4055                         break;
4056
4057                 err = chan->ops->recv(chan->data, skb);
4058                 break;
4059
4060         case L2CAP_SAR_START:
4061                 if (chan->sdu)
4062                         break;
4063
4064                 chan->sdu_len = get_unaligned_le16(skb->data);
4065                 skb_pull(skb, L2CAP_SDULEN_SIZE);
4066
4067                 if (chan->sdu_len > chan->imtu) {
4068                         err = -EMSGSIZE;
4069                         break;
4070                 }
4071
4072                 if (skb->len >= chan->sdu_len)
4073                         break;
4074
4075                 chan->sdu = skb;
4076                 chan->sdu_last_frag = skb;
4077
4078                 skb = NULL;
4079                 err = 0;
4080                 break;
4081
4082         case L2CAP_SAR_CONTINUE:
4083                 if (!chan->sdu)
4084                         break;
4085
4086                 append_skb_frag(chan->sdu, skb,
4087                                 &chan->sdu_last_frag);
4088                 skb = NULL;
4089
4090                 if (chan->sdu->len >= chan->sdu_len)
4091                         break;
4092
4093                 err = 0;
4094                 break;
4095
4096         case L2CAP_SAR_END:
4097                 if (!chan->sdu)
4098                         break;
4099
4100                 append_skb_frag(chan->sdu, skb,
4101                                 &chan->sdu_last_frag);
4102                 skb = NULL;
4103
4104                 if (chan->sdu->len != chan->sdu_len)
4105                         break;
4106
4107                 err = chan->ops->recv(chan->data, chan->sdu);
4108
4109                 if (!err) {
4110                         /* Reassembly complete */
4111                         chan->sdu = NULL;
4112                         chan->sdu_last_frag = NULL;
4113                         chan->sdu_len = 0;
4114                 }
4115                 break;
4116         }
4117
4118         if (err) {
4119                 kfree_skb(skb);
4120                 kfree_skb(chan->sdu);
4121                 chan->sdu = NULL;
4122                 chan->sdu_last_frag = NULL;
4123                 chan->sdu_len = 0;
4124         }
4125
4126         return err;
4127 }
4128
4129 static void l2cap_ertm_enter_local_busy(struct l2cap_chan *chan)
4130 {
4131         BT_DBG("chan %p, Enter local busy", chan);
4132
4133         set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
4134         l2cap_seq_list_clear(&chan->srej_list);
4135
4136         __set_ack_timer(chan);
4137 }
4138
4139 static void l2cap_ertm_exit_local_busy(struct l2cap_chan *chan)
4140 {
4141         u32 control;
4142
4143         if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
4144                 goto done;
4145
4146         control = __set_reqseq(chan, chan->buffer_seq);
4147         control |= __set_ctrl_poll(chan);
4148         control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
4149         l2cap_send_sframe(chan, control);
4150         chan->retry_count = 1;
4151
4152         __clear_retrans_timer(chan);
4153         __set_monitor_timer(chan);
4154
4155         set_bit(CONN_WAIT_F, &chan->conn_state);
4156
4157 done:
4158         clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
4159         clear_bit(CONN_RNR_SENT, &chan->conn_state);
4160
4161         BT_DBG("chan %p, Exit local busy", chan);
4162 }
4163
4164 void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
4165 {
4166         if (chan->mode == L2CAP_MODE_ERTM) {
4167                 if (busy)
4168                         l2cap_ertm_enter_local_busy(chan);
4169                 else
4170                         l2cap_ertm_exit_local_busy(chan);
4171         }
4172 }
4173
4174 static void l2cap_check_srej_gap(struct l2cap_chan *chan, u16 tx_seq)
4175 {
4176         struct sk_buff *skb;
4177         u32 control;
4178
4179         while ((skb = skb_peek(&chan->srej_q)) &&
4180                         !test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4181                 int err;
4182
4183                 if (bt_cb(skb)->control.txseq != tx_seq)
4184                         break;
4185
4186                 skb = skb_dequeue(&chan->srej_q);
4187                 control = __set_ctrl_sar(chan, bt_cb(skb)->control.sar);
4188                 err = l2cap_reassemble_sdu(chan, skb, control);
4189
4190                 if (err < 0) {
4191                         l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4192                         break;
4193                 }
4194
4195                 chan->buffer_seq_srej = __next_seq(chan, chan->buffer_seq_srej);
4196                 tx_seq = __next_seq(chan, tx_seq);
4197         }
4198 }
4199
4200 static void l2cap_resend_srejframe(struct l2cap_chan *chan, u16 tx_seq)
4201 {
4202         struct srej_list *l, *tmp;
4203         u32 control;
4204
4205         list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
4206                 if (l->tx_seq == tx_seq) {
4207                         list_del(&l->list);
4208                         kfree(l);
4209                         return;
4210                 }
4211                 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
4212                 control |= __set_reqseq(chan, l->tx_seq);
4213                 l2cap_send_sframe(chan, control);
4214                 list_del(&l->list);
4215                 list_add_tail(&l->list, &chan->srej_l);
4216         }
4217 }
4218
4219 static int l2cap_send_srejframe(struct l2cap_chan *chan, u16 tx_seq)
4220 {
4221         struct srej_list *new;
4222         u32 control;
4223
4224         while (tx_seq != chan->expected_tx_seq) {
4225                 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
4226                 control |= __set_reqseq(chan, chan->expected_tx_seq);
4227                 l2cap_seq_list_append(&chan->srej_list, chan->expected_tx_seq);
4228                 l2cap_send_sframe(chan, control);
4229
4230                 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
4231                 if (!new)
4232                         return -ENOMEM;
4233
4234                 new->tx_seq = chan->expected_tx_seq;
4235
4236                 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
4237
4238                 list_add_tail(&new->list, &chan->srej_l);
4239         }
4240
4241         chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
4242
4243         return 0;
4244 }
4245
4246 static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
4247 {
4248         u16 tx_seq = __get_txseq(chan, rx_control);
4249         u16 req_seq = __get_reqseq(chan, rx_control);
4250         u8 sar = __get_ctrl_sar(chan, rx_control);
4251         int tx_seq_offset, expected_tx_seq_offset;
4252         int num_to_ack = (chan->tx_win/6) + 1;
4253         int err = 0;
4254
4255         BT_DBG("chan %p len %d tx_seq %d rx_control 0x%8.8x", chan, skb->len,
4256                                                         tx_seq, rx_control);
4257
4258         if (__is_ctrl_final(chan, rx_control) &&
4259                         test_bit(CONN_WAIT_F, &chan->conn_state)) {
4260                 __clear_monitor_timer(chan);
4261                 if (chan->unacked_frames > 0)
4262                         __set_retrans_timer(chan);
4263                 clear_bit(CONN_WAIT_F, &chan->conn_state);
4264         }
4265
4266         chan->expected_ack_seq = req_seq;
4267         l2cap_drop_acked_frames(chan);
4268
4269         tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
4270
4271         /* invalid tx_seq */
4272         if (tx_seq_offset >= chan->tx_win) {
4273                 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4274                 goto drop;
4275         }
4276
4277         if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4278                 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
4279                         l2cap_send_ack(chan);
4280                 goto drop;
4281         }
4282
4283         if (tx_seq == chan->expected_tx_seq)
4284                 goto expected;
4285
4286         if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
4287                 struct srej_list *first;
4288
4289                 first = list_first_entry(&chan->srej_l,
4290                                 struct srej_list, list);
4291                 if (tx_seq == first->tx_seq) {
4292                         l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
4293                         l2cap_check_srej_gap(chan, tx_seq);
4294
4295                         list_del(&first->list);
4296                         kfree(first);
4297
4298                         if (list_empty(&chan->srej_l)) {
4299                                 chan->buffer_seq = chan->buffer_seq_srej;
4300                                 clear_bit(CONN_SREJ_SENT, &chan->conn_state);
4301                                 l2cap_send_ack(chan);
4302                                 BT_DBG("chan %p, Exit SREJ_SENT", chan);
4303                         }
4304                 } else {
4305                         struct srej_list *l;
4306
4307                         /* duplicated tx_seq */
4308                         if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
4309                                 goto drop;
4310
4311                         list_for_each_entry(l, &chan->srej_l, list) {
4312                                 if (l->tx_seq == tx_seq) {
4313                                         l2cap_resend_srejframe(chan, tx_seq);
4314                                         return 0;
4315                                 }
4316                         }
4317
4318                         err = l2cap_send_srejframe(chan, tx_seq);
4319                         if (err < 0) {
4320                                 l2cap_send_disconn_req(chan->conn, chan, -err);
4321                                 return err;
4322                         }
4323                 }
4324         } else {
4325                 expected_tx_seq_offset = __seq_offset(chan,
4326                                 chan->expected_tx_seq, chan->buffer_seq);
4327
4328                 /* duplicated tx_seq */
4329                 if (tx_seq_offset < expected_tx_seq_offset)
4330                         goto drop;
4331
4332                 set_bit(CONN_SREJ_SENT, &chan->conn_state);
4333
4334                 BT_DBG("chan %p, Enter SREJ", chan);
4335
4336                 INIT_LIST_HEAD(&chan->srej_l);
4337                 chan->buffer_seq_srej = chan->buffer_seq;
4338
4339                 __skb_queue_head_init(&chan->srej_q);
4340                 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
4341
4342                 /* Set P-bit only if there are some I-frames to ack. */
4343                 if (__clear_ack_timer(chan))
4344                         set_bit(CONN_SEND_PBIT, &chan->conn_state);
4345
4346                 err = l2cap_send_srejframe(chan, tx_seq);
4347                 if (err < 0) {
4348                         l2cap_send_disconn_req(chan->conn, chan, -err);
4349                         return err;
4350                 }
4351         }
4352         return 0;
4353
4354 expected:
4355         chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
4356
4357         if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
4358                 bt_cb(skb)->control.txseq = tx_seq;
4359                 bt_cb(skb)->control.sar = sar;
4360                 __skb_queue_tail(&chan->srej_q, skb);
4361                 return 0;
4362         }
4363
4364         err = l2cap_reassemble_sdu(chan, skb, rx_control);
4365         chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
4366
4367         if (err < 0) {
4368                 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4369                 return err;
4370         }
4371
4372         if (__is_ctrl_final(chan, rx_control)) {
4373                 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
4374                         l2cap_retransmit_frames(chan);
4375         }
4376
4377
4378         chan->num_acked = (chan->num_acked + 1) % num_to_ack;
4379         if (chan->num_acked == num_to_ack - 1)
4380                 l2cap_send_ack(chan);
4381         else
4382                 __set_ack_timer(chan);
4383
4384         return 0;
4385
4386 drop:
4387         kfree_skb(skb);
4388         return 0;
4389 }
4390
4391 static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u32 rx_control)
4392 {
4393         BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan,
4394                                 __get_reqseq(chan, rx_control), rx_control);
4395
4396         chan->expected_ack_seq = __get_reqseq(chan, rx_control);
4397         l2cap_drop_acked_frames(chan);
4398
4399         if (__is_ctrl_poll(chan, rx_control)) {
4400                 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4401                 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
4402                         if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
4403                                         (chan->unacked_frames > 0))
4404                                 __set_retrans_timer(chan);
4405
4406                         clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4407                         l2cap_send_srejtail(chan);
4408                 } else {
4409                         l2cap_send_i_or_rr_or_rnr(chan);
4410                 }
4411
4412         } else if (__is_ctrl_final(chan, rx_control)) {
4413                 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4414
4415                 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
4416                         l2cap_retransmit_frames(chan);
4417
4418         } else {
4419                 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
4420                                 (chan->unacked_frames > 0))
4421                         __set_retrans_timer(chan);
4422
4423                 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4424                 if (test_bit(CONN_SREJ_SENT, &chan->conn_state))
4425                         l2cap_send_ack(chan);
4426                 else
4427                         l2cap_ertm_send(chan);
4428         }
4429 }
4430
4431 static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u32 rx_control)
4432 {
4433         u16 tx_seq = __get_reqseq(chan, rx_control);
4434
4435         BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
4436
4437         clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4438
4439         chan->expected_ack_seq = tx_seq;
4440         l2cap_drop_acked_frames(chan);
4441
4442         if (__is_ctrl_final(chan, rx_control)) {
4443                 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
4444                         l2cap_retransmit_frames(chan);
4445         } else {
4446                 l2cap_retransmit_frames(chan);
4447
4448                 if (test_bit(CONN_WAIT_F, &chan->conn_state))
4449                         set_bit(CONN_REJ_ACT, &chan->conn_state);
4450         }
4451 }
4452 static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u32 rx_control)
4453 {
4454         u16 tx_seq = __get_reqseq(chan, rx_control);
4455
4456         BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
4457
4458         clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4459
4460         if (__is_ctrl_poll(chan, rx_control)) {
4461                 chan->expected_ack_seq = tx_seq;
4462                 l2cap_drop_acked_frames(chan);
4463
4464                 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4465                 l2cap_retransmit_one_frame(chan, tx_seq);
4466
4467                 l2cap_ertm_send(chan);
4468
4469                 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
4470                         chan->srej_save_reqseq = tx_seq;
4471                         set_bit(CONN_SREJ_ACT, &chan->conn_state);
4472                 }
4473         } else if (__is_ctrl_final(chan, rx_control)) {
4474                 if (test_bit(CONN_SREJ_ACT, &chan->conn_state) &&
4475                                 chan->srej_save_reqseq == tx_seq)
4476                         clear_bit(CONN_SREJ_ACT, &chan->conn_state);
4477                 else
4478                         l2cap_retransmit_one_frame(chan, tx_seq);
4479         } else {
4480                 l2cap_retransmit_one_frame(chan, tx_seq);
4481                 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
4482                         chan->srej_save_reqseq = tx_seq;
4483                         set_bit(CONN_SREJ_ACT, &chan->conn_state);
4484                 }
4485         }
4486 }
4487
4488 static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u32 rx_control)
4489 {
4490         u16 tx_seq = __get_reqseq(chan, rx_control);
4491
4492         BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
4493
4494         set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4495         chan->expected_ack_seq = tx_seq;
4496         l2cap_drop_acked_frames(chan);
4497
4498         if (__is_ctrl_poll(chan, rx_control))
4499                 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4500
4501         if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
4502                 __clear_retrans_timer(chan);
4503                 if (__is_ctrl_poll(chan, rx_control))
4504                         l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
4505                 return;
4506         }
4507
4508         if (__is_ctrl_poll(chan, rx_control)) {
4509                 l2cap_send_srejtail(chan);
4510         } else {
4511                 rx_control = __set_ctrl_super(chan, L2CAP_SUPER_RR);
4512                 l2cap_send_sframe(chan, rx_control);
4513         }
4514 }
4515
4516 static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
4517 {
4518         BT_DBG("chan %p rx_control 0x%8.8x len %d", chan, rx_control, skb->len);
4519
4520         if (__is_ctrl_final(chan, rx_control) &&
4521                         test_bit(CONN_WAIT_F, &chan->conn_state)) {
4522                 __clear_monitor_timer(chan);
4523                 if (chan->unacked_frames > 0)
4524                         __set_retrans_timer(chan);
4525                 clear_bit(CONN_WAIT_F, &chan->conn_state);
4526         }
4527
4528         switch (__get_ctrl_super(chan, rx_control)) {
4529         case L2CAP_SUPER_RR:
4530                 l2cap_data_channel_rrframe(chan, rx_control);
4531                 break;
4532
4533         case L2CAP_SUPER_REJ:
4534                 l2cap_data_channel_rejframe(chan, rx_control);
4535                 break;
4536
4537         case L2CAP_SUPER_SREJ:
4538                 l2cap_data_channel_srejframe(chan, rx_control);
4539                 break;
4540
4541         case L2CAP_SUPER_RNR:
4542                 l2cap_data_channel_rnrframe(chan, rx_control);
4543                 break;
4544         }
4545
4546         kfree_skb(skb);
4547         return 0;
4548 }
4549
4550 static int l2cap_ertm_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
4551 {
4552         u32 control;
4553         u16 req_seq;
4554         int len, next_tx_seq_offset, req_seq_offset;
4555
4556         __unpack_control(chan, skb);
4557
4558         control = __get_control(chan, skb->data);
4559         skb_pull(skb, __ctrl_size(chan));
4560         len = skb->len;
4561
4562         /*
4563          * We can just drop the corrupted I-frame here.
4564          * Receiver will miss it and start proper recovery
4565          * procedures and ask retransmission.
4566          */
4567         if (l2cap_check_fcs(chan, skb))
4568                 goto drop;
4569
4570         if (__is_sar_start(chan, control) && !__is_sframe(chan, control))
4571                 len -= L2CAP_SDULEN_SIZE;
4572
4573         if (chan->fcs == L2CAP_FCS_CRC16)
4574                 len -= L2CAP_FCS_SIZE;
4575
4576         if (len > chan->mps) {
4577                 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4578                 goto drop;
4579         }
4580
4581         req_seq = __get_reqseq(chan, control);
4582
4583         req_seq_offset = __seq_offset(chan, req_seq, chan->expected_ack_seq);
4584
4585         next_tx_seq_offset = __seq_offset(chan, chan->next_tx_seq,
4586                                                 chan->expected_ack_seq);
4587
4588         /* check for invalid req-seq */
4589         if (req_seq_offset > next_tx_seq_offset) {
4590                 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4591                 goto drop;
4592         }
4593
4594         if (!__is_sframe(chan, control)) {
4595                 if (len < 0) {
4596                         l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4597                         goto drop;
4598                 }
4599
4600                 l2cap_data_channel_iframe(chan, control, skb);
4601         } else {
4602                 if (len != 0) {
4603                         BT_ERR("%d", len);
4604                         l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4605                         goto drop;
4606                 }
4607
4608                 l2cap_data_channel_sframe(chan, control, skb);
4609         }
4610
4611         return 0;
4612
4613 drop:
4614         kfree_skb(skb);
4615         return 0;
4616 }
4617
4618 static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
4619 {
4620         struct l2cap_chan *chan;
4621         u32 control;
4622         u16 tx_seq;
4623         int len;
4624
4625         chan = l2cap_get_chan_by_scid(conn, cid);
4626         if (!chan) {
4627                 BT_DBG("unknown cid 0x%4.4x", cid);
4628                 /* Drop packet and return */
4629                 kfree_skb(skb);
4630                 return 0;
4631         }
4632
4633         BT_DBG("chan %p, len %d", chan, skb->len);
4634
4635         if (chan->state != BT_CONNECTED)
4636                 goto drop;
4637
4638         switch (chan->mode) {
4639         case L2CAP_MODE_BASIC:
4640                 /* If socket recv buffers overflows we drop data here
4641                  * which is *bad* because L2CAP has to be reliable.
4642                  * But we don't have any other choice. L2CAP doesn't
4643                  * provide flow control mechanism. */
4644
4645                 if (chan->imtu < skb->len)
4646                         goto drop;
4647
4648                 if (!chan->ops->recv(chan->data, skb))
4649                         goto done;
4650                 break;
4651
4652         case L2CAP_MODE_ERTM:
4653                 l2cap_ertm_data_rcv(chan, skb);
4654
4655                 goto done;
4656
4657         case L2CAP_MODE_STREAMING:
4658                 control = __get_control(chan, skb->data);
4659                 skb_pull(skb, __ctrl_size(chan));
4660                 len = skb->len;
4661
4662                 if (l2cap_check_fcs(chan, skb))
4663                         goto drop;
4664
4665                 if (__is_sar_start(chan, control))
4666                         len -= L2CAP_SDULEN_SIZE;
4667
4668                 if (chan->fcs == L2CAP_FCS_CRC16)
4669                         len -= L2CAP_FCS_SIZE;
4670
4671                 if (len > chan->mps || len < 0 || __is_sframe(chan, control))
4672                         goto drop;
4673
4674                 tx_seq = __get_txseq(chan, control);
4675
4676                 if (chan->expected_tx_seq != tx_seq) {
4677                         /* Frame(s) missing - must discard partial SDU */
4678                         kfree_skb(chan->sdu);
4679                         chan->sdu = NULL;
4680                         chan->sdu_last_frag = NULL;
4681                         chan->sdu_len = 0;
4682
4683                         /* TODO: Notify userland of missing data */
4684                 }
4685
4686                 chan->expected_tx_seq = __next_seq(chan, tx_seq);
4687
4688                 if (l2cap_reassemble_sdu(chan, skb, control) == -EMSGSIZE)
4689                         l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4690
4691                 goto done;
4692
4693         default:
4694                 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
4695                 break;
4696         }
4697
4698 drop:
4699         kfree_skb(skb);
4700
4701 done:
4702         l2cap_chan_unlock(chan);
4703
4704         return 0;
4705 }
4706
4707 static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
4708 {
4709         struct l2cap_chan *chan;
4710
4711         chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
4712         if (!chan)
4713                 goto drop;
4714
4715         BT_DBG("chan %p, len %d", chan, skb->len);
4716
4717         if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
4718                 goto drop;
4719
4720         if (chan->imtu < skb->len)
4721                 goto drop;
4722
4723         if (!chan->ops->recv(chan->data, skb))
4724                 return 0;
4725
4726 drop:
4727         kfree_skb(skb);
4728
4729         return 0;
4730 }
4731
4732 static inline int l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
4733                                     struct sk_buff *skb)
4734 {
4735         struct l2cap_chan *chan;
4736
4737         chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
4738         if (!chan)
4739                 goto drop;
4740
4741         BT_DBG("chan %p, len %d", chan, skb->len);
4742
4743         if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
4744                 goto drop;
4745
4746         if (chan->imtu < skb->len)
4747                 goto drop;
4748
4749         if (!chan->ops->recv(chan->data, skb))
4750                 return 0;
4751
4752 drop:
4753         kfree_skb(skb);
4754
4755         return 0;
4756 }
4757
4758 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4759 {
4760         struct l2cap_hdr *lh = (void *) skb->data;
4761         u16 cid, len;
4762         __le16 psm;
4763
4764         skb_pull(skb, L2CAP_HDR_SIZE);
4765         cid = __le16_to_cpu(lh->cid);
4766         len = __le16_to_cpu(lh->len);
4767
4768         if (len != skb->len) {
4769                 kfree_skb(skb);
4770                 return;
4771         }
4772
4773         BT_DBG("len %d, cid 0x%4.4x", len, cid);
4774
4775         switch (cid) {
4776         case L2CAP_CID_LE_SIGNALING:
4777         case L2CAP_CID_SIGNALING:
4778                 l2cap_sig_channel(conn, skb);
4779                 break;
4780
4781         case L2CAP_CID_CONN_LESS:
4782                 psm = get_unaligned((__le16 *) skb->data);
4783                 skb_pull(skb, 2);
4784                 l2cap_conless_channel(conn, psm, skb);
4785                 break;
4786
4787         case L2CAP_CID_LE_DATA:
4788                 l2cap_att_channel(conn, cid, skb);
4789                 break;
4790
4791         case L2CAP_CID_SMP:
4792                 if (smp_sig_channel(conn, skb))
4793                         l2cap_conn_del(conn->hcon, EACCES);
4794                 break;
4795
4796         default:
4797                 l2cap_data_channel(conn, cid, skb);
4798                 break;
4799         }
4800 }
4801
4802 /* ---- L2CAP interface with lower layer (HCI) ---- */
4803
4804 int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
4805 {
4806         int exact = 0, lm1 = 0, lm2 = 0;
4807         struct l2cap_chan *c;
4808
4809         BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4810
4811         /* Find listening sockets and check their link_mode */
4812         read_lock(&chan_list_lock);
4813         list_for_each_entry(c, &chan_list, global_l) {
4814                 struct sock *sk = c->sk;
4815
4816                 if (c->state != BT_LISTEN)
4817                         continue;
4818
4819                 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
4820                         lm1 |= HCI_LM_ACCEPT;
4821                         if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
4822                                 lm1 |= HCI_LM_MASTER;
4823                         exact++;
4824                 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4825                         lm2 |= HCI_LM_ACCEPT;
4826                         if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
4827                                 lm2 |= HCI_LM_MASTER;
4828                 }
4829         }
4830         read_unlock(&chan_list_lock);
4831
4832         return exact ? lm1 : lm2;
4833 }
4834
4835 int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4836 {
4837         struct l2cap_conn *conn;
4838
4839         BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4840
4841         if (!status) {
4842                 conn = l2cap_conn_add(hcon, status);
4843                 if (conn)
4844                         l2cap_conn_ready(conn);
4845         } else
4846                 l2cap_conn_del(hcon, bt_to_errno(status));
4847
4848         return 0;
4849 }
4850
4851 int l2cap_disconn_ind(struct hci_conn *hcon)
4852 {
4853         struct l2cap_conn *conn = hcon->l2cap_data;
4854
4855         BT_DBG("hcon %p", hcon);
4856
4857         if (!conn)
4858                 return HCI_ERROR_REMOTE_USER_TERM;
4859         return conn->disc_reason;
4860 }
4861
4862 int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
4863 {
4864         BT_DBG("hcon %p reason %d", hcon, reason);
4865
4866         l2cap_conn_del(hcon, bt_to_errno(reason));
4867         return 0;
4868 }
4869
4870 static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
4871 {
4872         if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
4873                 return;
4874
4875         if (encrypt == 0x00) {
4876                 if (chan->sec_level == BT_SECURITY_MEDIUM) {
4877                         __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4878                 } else if (chan->sec_level == BT_SECURITY_HIGH)
4879                         l2cap_chan_close(chan, ECONNREFUSED);
4880         } else {
4881                 if (chan->sec_level == BT_SECURITY_MEDIUM)
4882                         __clear_chan_timer(chan);
4883         }
4884 }
4885
4886 int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
4887 {
4888         struct l2cap_conn *conn = hcon->l2cap_data;
4889         struct l2cap_chan *chan;
4890
4891         if (!conn)
4892                 return 0;
4893
4894         BT_DBG("conn %p", conn);
4895
4896         if (hcon->type == LE_LINK) {
4897                 if (!status && encrypt)
4898                         smp_distribute_keys(conn, 0);
4899                 cancel_delayed_work(&conn->security_timer);
4900         }
4901
4902         mutex_lock(&conn->chan_lock);
4903
4904         list_for_each_entry(chan, &conn->chan_l, list) {
4905                 l2cap_chan_lock(chan);
4906
4907                 BT_DBG("chan->scid %d", chan->scid);
4908
4909                 if (chan->scid == L2CAP_CID_LE_DATA) {
4910                         if (!status && encrypt) {
4911                                 chan->sec_level = hcon->sec_level;
4912                                 l2cap_chan_ready(chan);
4913                         }
4914
4915                         l2cap_chan_unlock(chan);
4916                         continue;
4917                 }
4918
4919                 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
4920                         l2cap_chan_unlock(chan);
4921                         continue;
4922                 }
4923
4924                 if (!status && (chan->state == BT_CONNECTED ||
4925                                                 chan->state == BT_CONFIG)) {
4926                         struct sock *sk = chan->sk;
4927
4928                         clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
4929                         sk->sk_state_change(sk);
4930
4931                         l2cap_check_encryption(chan, encrypt);
4932                         l2cap_chan_unlock(chan);
4933                         continue;
4934                 }
4935
4936                 if (chan->state == BT_CONNECT) {
4937                         if (!status) {
4938                                 l2cap_send_conn_req(chan);
4939                         } else {
4940                                 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
4941                         }
4942                 } else if (chan->state == BT_CONNECT2) {
4943                         struct sock *sk = chan->sk;
4944                         struct l2cap_conn_rsp rsp;
4945                         __u16 res, stat;
4946
4947                         lock_sock(sk);
4948
4949                         if (!status) {
4950                                 if (test_bit(BT_SK_DEFER_SETUP,
4951                                              &bt_sk(sk)->flags)) {
4952                                         struct sock *parent = bt_sk(sk)->parent;
4953                                         res = L2CAP_CR_PEND;
4954                                         stat = L2CAP_CS_AUTHOR_PEND;
4955                                         if (parent)
4956                                                 parent->sk_data_ready(parent, 0);
4957                                 } else {
4958                                         __l2cap_state_change(chan, BT_CONFIG);
4959                                         res = L2CAP_CR_SUCCESS;
4960                                         stat = L2CAP_CS_NO_INFO;
4961                                 }
4962                         } else {
4963                                 __l2cap_state_change(chan, BT_DISCONN);
4964                                 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
4965                                 res = L2CAP_CR_SEC_BLOCK;
4966                                 stat = L2CAP_CS_NO_INFO;
4967                         }
4968
4969                         release_sock(sk);
4970
4971                         rsp.scid   = cpu_to_le16(chan->dcid);
4972                         rsp.dcid   = cpu_to_le16(chan->scid);
4973                         rsp.result = cpu_to_le16(res);
4974                         rsp.status = cpu_to_le16(stat);
4975                         l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4976                                                         sizeof(rsp), &rsp);
4977                 }
4978
4979                 l2cap_chan_unlock(chan);
4980         }
4981
4982         mutex_unlock(&conn->chan_lock);
4983
4984         return 0;
4985 }
4986
4987 int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4988 {
4989         struct l2cap_conn *conn = hcon->l2cap_data;
4990
4991         if (!conn)
4992                 conn = l2cap_conn_add(hcon, 0);
4993
4994         if (!conn)
4995                 goto drop;
4996
4997         BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4998
4999         if (!(flags & ACL_CONT)) {
5000                 struct l2cap_hdr *hdr;
5001                 int len;
5002
5003                 if (conn->rx_len) {
5004                         BT_ERR("Unexpected start frame (len %d)", skb->len);
5005                         kfree_skb(conn->rx_skb);
5006                         conn->rx_skb = NULL;
5007                         conn->rx_len = 0;
5008                         l2cap_conn_unreliable(conn, ECOMM);
5009                 }
5010
5011                 /* Start fragment always begin with Basic L2CAP header */
5012                 if (skb->len < L2CAP_HDR_SIZE) {
5013                         BT_ERR("Frame is too short (len %d)", skb->len);
5014                         l2cap_conn_unreliable(conn, ECOMM);
5015                         goto drop;
5016                 }
5017
5018                 hdr = (struct l2cap_hdr *) skb->data;
5019                 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
5020
5021                 if (len == skb->len) {
5022                         /* Complete frame received */
5023                         l2cap_recv_frame(conn, skb);
5024                         return 0;
5025                 }
5026
5027                 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
5028
5029                 if (skb->len > len) {
5030                         BT_ERR("Frame is too long (len %d, expected len %d)",
5031                                 skb->len, len);
5032                         l2cap_conn_unreliable(conn, ECOMM);
5033                         goto drop;
5034                 }
5035
5036                 /* Allocate skb for the complete frame (with header) */
5037                 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
5038                 if (!conn->rx_skb)
5039                         goto drop;
5040
5041                 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
5042                                                                 skb->len);
5043                 conn->rx_len = len - skb->len;
5044         } else {
5045                 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
5046
5047                 if (!conn->rx_len) {
5048                         BT_ERR("Unexpected continuation frame (len %d)", skb->len);
5049                         l2cap_conn_unreliable(conn, ECOMM);
5050                         goto drop;
5051                 }
5052
5053                 if (skb->len > conn->rx_len) {
5054                         BT_ERR("Fragment is too long (len %d, expected %d)",
5055                                         skb->len, conn->rx_len);
5056                         kfree_skb(conn->rx_skb);
5057                         conn->rx_skb = NULL;
5058                         conn->rx_len = 0;
5059                         l2cap_conn_unreliable(conn, ECOMM);
5060                         goto drop;
5061                 }
5062
5063                 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
5064                                                                 skb->len);
5065                 conn->rx_len -= skb->len;
5066
5067                 if (!conn->rx_len) {
5068                         /* Complete frame received */
5069                         l2cap_recv_frame(conn, conn->rx_skb);
5070                         conn->rx_skb = NULL;
5071                 }
5072         }
5073
5074 drop:
5075         kfree_skb(skb);
5076         return 0;
5077 }
5078
5079 static int l2cap_debugfs_show(struct seq_file *f, void *p)
5080 {
5081         struct l2cap_chan *c;
5082
5083         read_lock(&chan_list_lock);
5084
5085         list_for_each_entry(c, &chan_list, global_l) {
5086                 struct sock *sk = c->sk;
5087
5088                 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
5089                                         batostr(&bt_sk(sk)->src),
5090                                         batostr(&bt_sk(sk)->dst),
5091                                         c->state, __le16_to_cpu(c->psm),
5092                                         c->scid, c->dcid, c->imtu, c->omtu,
5093                                         c->sec_level, c->mode);
5094         }
5095
5096         read_unlock(&chan_list_lock);
5097
5098         return 0;
5099 }
5100
5101 static int l2cap_debugfs_open(struct inode *inode, struct file *file)
5102 {
5103         return single_open(file, l2cap_debugfs_show, inode->i_private);
5104 }
5105
5106 static const struct file_operations l2cap_debugfs_fops = {
5107         .open           = l2cap_debugfs_open,
5108         .read           = seq_read,
5109         .llseek         = seq_lseek,
5110         .release        = single_release,
5111 };
5112
5113 static struct dentry *l2cap_debugfs;
5114
5115 int __init l2cap_init(void)
5116 {
5117         int err;
5118
5119         err = l2cap_init_sockets();
5120         if (err < 0)
5121                 return err;
5122
5123         if (bt_debugfs) {
5124                 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
5125                                         bt_debugfs, NULL, &l2cap_debugfs_fops);
5126                 if (!l2cap_debugfs)
5127                         BT_ERR("Failed to create L2CAP debug file");
5128         }
5129
5130         return 0;
5131 }
5132
5133 void l2cap_exit(void)
5134 {
5135         debugfs_remove(l2cap_debugfs);
5136         l2cap_cleanup_sockets();
5137 }
5138
5139 module_param(disable_ertm, bool, 0644);
5140 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");