projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: invert locking order in connect path
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
1da177e4
LT		 6
7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License version 2 as
11 published by the Free Software Foundation;
12
13 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
14 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
16 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 17 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
18 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
19 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 20 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21
8e87d142
YH		 22 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
23 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 24 SOFTWARE IS DISCLAIMED.
25*/
26
bb58f747 27/* Bluetooth L2CAP core. */
1da177e4 28
1da177e4
LT		 29#include <linux/module.h>
30
31#include <linux/types.h>
4fc268d2 32#include <linux/capability.h>
1da177e4
LT		 33#include <linux/errno.h>
34#include <linux/kernel.h>
1da177e4
LT		 35#include <linux/sched.h>
36#include <linux/slab.h>
37#include <linux/poll.h>
38#include <linux/fcntl.h>
39#include <linux/init.h>
40#include <linux/interrupt.h>
41#include <linux/socket.h>
42#include <linux/skbuff.h>
1da177e4 43#include <linux/list.h>
be9d1227 44#include <linux/device.h>
aef7d97c
MH		 45#include <linux/debugfs.h>
46#include <linux/seq_file.h>
af05b30b 47#include <linux/uaccess.h>
fcc203c3 48#include <linux/crc16.h>
1da177e4
LT		 49#include <net/sock.h>
50
51#include <asm/system.h>
1da177e4
LT		 52#include <asm/unaligned.h>
53
54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h>
b501d6a1 57#include <net/bluetooth/smp.h>
1da177e4 58
bb58f747 59int disable_ertm;
f0709e03 60
47ec1dcd 61static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 62static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 63
b5ad8b7f
JB		 64static LIST_HEAD(chan_list);
65static DEFINE_RWLOCK(chan_list_lock);
1da177e4 66
1da177e4
LT		 67static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
68 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 69static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
70 void *data);
710f9b0a 71static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a
GP		 72static void l2cap_send_disconn_req(struct l2cap_conn *conn,
73 struct l2cap_chan *chan, int err);
1da177e4 74
218bb9df
GP		 75static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
76
0139418c 77/* ---- L2CAP channels ---- */
71ba0e56
GP		 78
79static inline void chan_hold(struct l2cap_chan *c)
80{
81 atomic_inc(&c->refcnt);
82}
83
84static inline void chan_put(struct l2cap_chan *c)
85{
86 if (atomic_dec_and_test(&c->refcnt))
87 kfree(c);
88}
89
baa7e1fa 90static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 91{
48454079 92 struct l2cap_chan *c;
baa7e1fa
GP		 93
94 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 95 if (c->dcid == cid)
baa7e1fa 96 return c;
0139418c 97 }
baa7e1fa 98 return NULL;
0139418c
MH		 99}
100
baa7e1fa 101static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 102{
48454079 103 struct l2cap_chan *c;
baa7e1fa
GP		 104
105 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 106 if (c->scid == cid)
baa7e1fa 107 return c;
0139418c 108 }
baa7e1fa 109 return NULL;
0139418c
MH		 110}
111
112/* Find channel with given SCID.
113 * Returns locked socket */
baa7e1fa 114static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 115{
48454079 116 struct l2cap_chan *c;
baa7e1fa 117
d01b2ff4 118 mutex_lock(&conn->chan_lock);
baa7e1fa 119 c = __l2cap_get_chan_by_scid(conn, cid);
48454079 120 if (c)
aa2ac881 121 lock_sock(c->sk);
d01b2ff4 122 mutex_unlock(&conn->chan_lock);
48454079 123 return c;
0139418c
MH		 124}
125
baa7e1fa 126static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 127{
48454079 128 struct l2cap_chan *c;
baa7e1fa
GP		 129
130 list_for_each_entry(c, &conn->chan_l, list) {
fc7f8a7e 131 if (c->ident == ident)
baa7e1fa 132 return c;
0139418c 133 }
baa7e1fa 134 return NULL;
0139418c
MH		 135}
136
baa7e1fa 137static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 138{
48454079 139 struct l2cap_chan *c;
baa7e1fa 140
d01b2ff4 141 mutex_lock(&conn->chan_lock);
baa7e1fa 142 c = __l2cap_get_chan_by_ident(conn, ident);
48454079 143 if (c)
aa2ac881 144 lock_sock(c->sk);
d01b2ff4 145 mutex_unlock(&conn->chan_lock);
48454079 146 return c;
0139418c
MH		 147}
148
23691d75 149static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 150{
23691d75 151 struct l2cap_chan *c;
9e4425ff 152
23691d75
GP		 153 list_for_each_entry(c, &chan_list, global_l) {
154 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 155 return c;
9e4425ff 156 }
250938cb 157 return NULL;
9e4425ff
GP		 158}
159
160int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
161{
73b2ec18
GP		 162 int err;
163
23691d75 164 write_lock_bh(&chan_list_lock);
9e4425ff 165
23691d75 166 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 167 err = -EADDRINUSE;
168 goto done;
9e4425ff
GP		 169 }
170
73b2ec18
GP		 171 if (psm) {
172 chan->psm = psm;
173 chan->sport = psm;
174 err = 0;
175 } else {
176 u16 p;
177
178 err = -EINVAL;
179 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 180 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 181 chan->psm = cpu_to_le16(p);
182 chan->sport = cpu_to_le16(p);
183 err = 0;
184 break;
185 }
186 }
9e4425ff 187
73b2ec18 188done:
23691d75 189 write_unlock_bh(&chan_list_lock);
73b2ec18 190 return err;
9e4425ff
GP		 191}
192
193int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
194{
23691d75 195 write_lock_bh(&chan_list_lock);
9e4425ff
GP		 196
197 chan->scid = scid;
198
23691d75 199 write_unlock_bh(&chan_list_lock);
9e4425ff
GP		 200
201 return 0;
202}
203
baa7e1fa 204static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 205{
8db4dc46 206 u16 cid = L2CAP_CID_DYN_START;
0139418c 207
8db4dc46 208 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 209 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 210 return cid;
211 }
212
213 return 0;
214}
215
721c4181 216static void l2cap_set_timer(struct l2cap_chan *chan, struct delayed_work *work, long timeout)
ab07801d 217{
457f4850 218 BT_DBG("chan %p state %d timeout %ld", chan, chan->state, timeout);
89bc500e 219
721c4181
GP		 220 cancel_delayed_work_sync(work);
221
222 schedule_delayed_work(work, timeout);
ab07801d
GP		 223}
224
721c4181 225static void l2cap_clear_timer(struct delayed_work *work)
ab07801d 226{
721c4181 227 cancel_delayed_work_sync(work);
ab07801d
GP		 228}
229
badaaa00
GP		 230static char *state_to_string(int state)
231{
232 switch(state) {
233 case BT_CONNECTED:
234 return "BT_CONNECTED";
235 case BT_OPEN:
236 return "BT_OPEN";
237 case BT_BOUND:
238 return "BT_BOUND";
239 case BT_LISTEN:
240 return "BT_LISTEN";
241 case BT_CONNECT:
242 return "BT_CONNECT";
243 case BT_CONNECT2:
244 return "BT_CONNECT2";
245 case BT_CONFIG:
246 return "BT_CONFIG";
247 case BT_DISCONN:
248 return "BT_DISCONN";
249 case BT_CLOSED:
250 return "BT_CLOSED";
251 }
252
253 return "invalid state";
254}
255
89bc500e
GP		 256static void l2cap_state_change(struct l2cap_chan *chan, int state)
257{
badaaa00
GP		 258 BT_DBG("%p %s -> %s", chan, state_to_string(chan->state),
259 state_to_string(state));
260
89bc500e
GP		 261 chan->state = state;
262 chan->ops->state_change(chan->data, state);
263}
264
721c4181 265static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 266{
721c4181
GP		 267 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
268 chan_timer.work);
ab07801d
GP		 269 struct sock *sk = chan->sk;
270 int reason;
271
89bc500e 272 BT_DBG("chan %p state %d", chan, chan->state);
ab07801d 273
721c4181 274 lock_sock(sk);
ab07801d 275
89bc500e 276 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 277 reason = ECONNREFUSED;
89bc500e 278 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 279 chan->sec_level != BT_SECURITY_SDP)
280 reason = ECONNREFUSED;
281 else
282 reason = ETIMEDOUT;
283
0f852724 284 l2cap_chan_close(chan, reason);
ab07801d 285
721c4181 286 release_sock(sk);
ab07801d 287
ba3bd0ee 288 chan->ops->close(chan->data);
71ba0e56 289 chan_put(chan);
ab07801d
GP		 290}
291
23691d75 292struct l2cap_chan *l2cap_chan_create(struct sock *sk)
48454079
GP		 293{
294 struct l2cap_chan *chan;
295
296 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
297 if (!chan)
298 return NULL;
299
300 chan->sk = sk;
301
23691d75
GP		 302 write_lock_bh(&chan_list_lock);
303 list_add(&chan->global_l, &chan_list);
304 write_unlock_bh(&chan_list_lock);
305
721c4181 306 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 307
89bc500e
GP		 308 chan->state = BT_OPEN;
309
71ba0e56
GP		 310 atomic_set(&chan->refcnt, 1);
311
abc545b8
SJ		 312 BT_DBG("sk %p chan %p", sk, chan);
313
48454079
GP		 314 return chan;
315}
316
23691d75 317void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 318{
23691d75
GP		 319 write_lock_bh(&chan_list_lock);
320 list_del(&chan->global_l);
321 write_unlock_bh(&chan_list_lock);
322
71ba0e56 323 chan_put(chan);
6ff5abbf
GP		 324}
325
48454079 326static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 327{
af05b30b 328 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
fe4128e0 329 chan->psm, chan->dcid);
0139418c 330
9f5a0d7b 331 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 332
8c1d787b 333 chan->conn = conn;
0139418c 334
715ec005 335 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
b62f328b
VT		 336 if (conn->hcon->type == LE_LINK) {
337 /* LE connection */
0c1bc5c6 338 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 339 chan->scid = L2CAP_CID_LE_DATA;
340 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 341 } else {
342 /* Alloc CID for connection-oriented socket */
fe4128e0 343 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 344 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 345 }
715ec005 346 } else if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
0139418c 347 /* Connectionless socket */
fe4128e0
GP		 348 chan->scid = L2CAP_CID_CONN_LESS;
349 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 350 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 351 } else {
352 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 353 chan->scid = L2CAP_CID_SIGNALING;
354 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 355 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 356 }
357
8f7975b1
AE		 358 chan->local_id = L2CAP_BESTEFFORT_ID;
359 chan->local_stype = L2CAP_SERV_BESTEFFORT;
360 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
361 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
362 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
363 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
364
71ba0e56 365 chan_hold(chan);
baa7e1fa
GP		 366
367 list_add(&chan->list, &conn->chan_l);
0139418c
MH		 368}
369
8e87d142 370/* Delete channel.
0139418c 371 * Must be called on the locked socket. */
4519de9a 372static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 373{
48454079 374 struct sock *sk = chan->sk;
8c1d787b 375 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 376 struct sock *parent = bt_sk(sk)->parent;
377
c9b66675 378 __clear_chan_timer(chan);
0139418c 379
49208c9c 380 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 381
8e87d142 382 if (conn) {
baa7e1fa 383 /* Delete from channel list */
d01b2ff4 384 mutex_lock(&conn->chan_lock);
baa7e1fa 385 list_del(&chan->list);
d01b2ff4 386 mutex_unlock(&conn->chan_lock);
71ba0e56 387 chan_put(chan);
baa7e1fa 388
8c1d787b 389 chan->conn = NULL;
0139418c
MH		 390 hci_conn_put(conn->hcon);
391 }
392
89bc500e 393 l2cap_state_change(chan, BT_CLOSED);
0139418c
MH		 394 sock_set_flag(sk, SOCK_ZAPPED);
395
396 if (err)
397 sk->sk_err = err;
398
399 if (parent) {
400 bt_accept_unlink(sk);
401 parent->sk_data_ready(parent, 0);
402 } else
403 sk->sk_state_change(sk);
c13ffa62 404
c1360a1c
GP		 405 if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
406 test_bit(CONF_INPUT_DONE, &chan->conf_state)))
6ff5abbf 407 return;
2ead70b8 408
58d35f87 409 skb_queue_purge(&chan->tx_q);
c13ffa62 410
0c1bc5c6 411 if (chan->mode == L2CAP_MODE_ERTM) {
c13ffa62
GP		 412 struct srej_list *l, *tmp;
413
1a09bcb9
GP		 414 __clear_retrans_timer(chan);
415 __clear_monitor_timer(chan);
416 __clear_ack_timer(chan);
c13ffa62 417
f1c6775b 418 skb_queue_purge(&chan->srej_q);
c13ffa62 419
39d5a3ee 420 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
c13ffa62
GP		 421 list_del(&l->list);
422 kfree(l);
423 }
424 }
0139418c
MH		 425}
426
4519de9a
GP		 427static void l2cap_chan_cleanup_listen(struct sock *parent)
428{
429 struct sock *sk;
430
431 BT_DBG("parent %p", parent);
432
433 /* Close not yet accepted channels */
0f852724 434 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee 435 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
c9b66675 436 __clear_chan_timer(chan);
0f852724 437 lock_sock(sk);
ba3bd0ee 438 l2cap_chan_close(chan, ECONNRESET);
0f852724 439 release_sock(sk);
ba3bd0ee 440 chan->ops->close(chan->data);
0f852724 441 }
4519de9a
GP		 442}
443
0f852724 444void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 445{
446 struct l2cap_conn *conn = chan->conn;
447 struct sock *sk = chan->sk;
448
89bc500e 449 BT_DBG("chan %p state %d socket %p", chan, chan->state, sk->sk_socket);
4519de9a 450
89bc500e 451 switch (chan->state) {
4519de9a
GP		 452 case BT_LISTEN:
453 l2cap_chan_cleanup_listen(sk);
89bc500e
GP		 454
455 l2cap_state_change(chan, BT_CLOSED);
456 sock_set_flag(sk, SOCK_ZAPPED);
4519de9a
GP		 457 break;
458
459 case BT_CONNECTED:
460 case BT_CONFIG:
715ec005 461 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 462 conn->hcon->type == ACL_LINK) {
c9b66675
GP		 463 __clear_chan_timer(chan);
464 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 465 l2cap_send_disconn_req(conn, chan, reason);
466 } else
467 l2cap_chan_del(chan, reason);
468 break;
469
470 case BT_CONNECT2:
715ec005 471 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 472 conn->hcon->type == ACL_LINK) {
473 struct l2cap_conn_rsp rsp;
474 __u16 result;
475
476 if (bt_sk(sk)->defer_setup)
477 result = L2CAP_CR_SEC_BLOCK;
478 else
479 result = L2CAP_CR_BAD_PSM;
89bc500e 480 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 481
482 rsp.scid = cpu_to_le16(chan->dcid);
483 rsp.dcid = cpu_to_le16(chan->scid);
484 rsp.result = cpu_to_le16(result);
485 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
486 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
487 sizeof(rsp), &rsp);
488 }
489
490 l2cap_chan_del(chan, reason);
491 break;
492
493 case BT_CONNECT:
494 case BT_DISCONN:
495 l2cap_chan_del(chan, reason);
496 break;
497
498 default:
499 sock_set_flag(sk, SOCK_ZAPPED);
500 break;
501 }
502}
503
4343478f 504static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 505{
715ec005 506 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 507 switch (chan->sec_level) {
8556edd3
JH		 508 case BT_SECURITY_HIGH:
509 return HCI_AT_DEDICATED_BONDING_MITM;
510 case BT_SECURITY_MEDIUM:
511 return HCI_AT_DEDICATED_BONDING;
512 default:
513 return HCI_AT_NO_BONDING;
514 }
fe4128e0 515 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 516 if (chan->sec_level == BT_SECURITY_LOW)
517 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 518
4343478f 519 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 520 return HCI_AT_NO_BONDING_MITM;
00ae4af9 521 else
8556edd3 522 return HCI_AT_NO_BONDING;
00ae4af9 523 } else {
4343478f 524 switch (chan->sec_level) {
00ae4af9 525 case BT_SECURITY_HIGH:
8556edd3 526 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 527 case BT_SECURITY_MEDIUM:
8556edd3 528 return HCI_AT_GENERAL_BONDING;
00ae4af9 529 default:
8556edd3 530 return HCI_AT_NO_BONDING;
00ae4af9 531 }
0684e5f9 532 }
8556edd3
JH		 533}
534
535/* Service level security */
d45fc423 536int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 537{
8c1d787b 538 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 539 __u8 auth_type;
540
4343478f 541 auth_type = l2cap_get_auth_type(chan);
79d554a6 542
4343478f 543 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 544}
545
b5ad8b7f 546static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 547{
548 u8 id;
549
550 /* Get next available identificator.
551 * 1 - 128 are used by kernel.
552 * 129 - 199 are reserved.
553 * 200 - 254 are used by utilities like l2ping, etc.
554 */
555
556 spin_lock_bh(&conn->lock);
557
558 if (++conn->tx_ident > 128)
559 conn->tx_ident = 1;
560
561 id = conn->tx_ident;
562
563 spin_unlock_bh(&conn->lock);
564
565 return id;
566}
567
4519de9a 568static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 569{
570 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 571 u8 flags;
4e8402a3
MH		 572
573 BT_DBG("code 0x%2.2x", code);
574
575 if (!skb)
9a9c6a34 576 return;
4e8402a3 577
e702112f
AE		 578 if (lmp_no_flush_capable(conn->hcon->hdev))
579 flags = ACL_START_NO_FLUSH;
580 else
581 flags = ACL_START;
582
14b12d0b 583 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 584 skb->priority = HCI_PRIO_MAX;
14b12d0b 585
73d80deb
LAD		 586 hci_send_acl(conn->hchan, skb, flags);
587}
588
589static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
590{
591 struct hci_conn *hcon = chan->conn->hcon;
592 u16 flags;
593
594 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
595 skb->priority);
596
597 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
598 lmp_no_flush_capable(hcon->hdev))
599 flags = ACL_START_NO_FLUSH;
600 else
601 flags = ACL_START;
14b12d0b 602
73d80deb
LAD		 603 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
604 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 605}
606
88843ab0 607static inline void l2cap_send_sframe(struct l2cap_chan *chan, u32 control)
1c2acffb
GP		 608{
609 struct sk_buff *skb;
610 struct l2cap_hdr *lh;
8c1d787b 611 struct l2cap_conn *conn = chan->conn;
e4ca6d98 612 int count, hlen;
fcc203c3 613
89bc500e 614 if (chan->state != BT_CONNECTED)
c13ffa62
GP		 615 return;
616
e4ca6d98
AE		 617 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
618 hlen = L2CAP_EXT_HDR_SIZE;
619 else
620 hlen = L2CAP_ENH_HDR_SIZE;
621
47d1ec61 622 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 623 hlen += L2CAP_FCS_SIZE;
1c2acffb 624
88843ab0 625 BT_DBG("chan %p, control 0x%8.8x", chan, control);
1c2acffb 626
fcc203c3 627 count = min_t(unsigned int, conn->mtu, hlen);
793c2f1c
AE		 628
629 control |= __set_sframe(chan);
1c2acffb 630
e2ab4353 631 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 632 control |= __set_ctrl_final(chan);
9e917af1 633
e2ab4353 634 if (test_and_clear_bit(CONN_SEND_PBIT, &chan->conn_state))
e3781735 635 control |= __set_ctrl_poll(chan);
f0946ccf 636
1c2acffb
GP		 637 skb = bt_skb_alloc(count, GFP_ATOMIC);
638 if (!skb)
9a9c6a34 639 return;
1c2acffb
GP		 640
641 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 642 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
fe4128e0 643 lh->cid = cpu_to_le16(chan->dcid);
88843ab0
AE		 644
645 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
1c2acffb 646
47d1ec61 647 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 648 u16 fcs = crc16(0, (u8 *)lh, count - L2CAP_FCS_SIZE);
649 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 650 }
651
73d80deb
LAD		 652 skb->priority = HCI_PRIO_MAX;
653 l2cap_do_send(chan, skb);
1c2acffb
GP		 654}
655
88843ab0 656static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u32 control)
7e743090 657{
e2ab4353 658 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 659 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 660 set_bit(CONN_RNR_SENT, &chan->conn_state);
1890d36b 661 } else
ab784b73 662 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
7e743090 663
0b209fae 664 control |= __set_reqseq(chan, chan->buffer_seq);
2ab25cdd 665
525cd185 666 l2cap_send_sframe(chan, control);
7e743090
GP		 667}
668
b4450035 669static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 670{
c1360a1c 671 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 672}
673
fc7f8a7e 674static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 675{
8c1d787b 676 struct l2cap_conn *conn = chan->conn;
79d554a6
MH		 677
678 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 679 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
680 return;
681
d45fc423 682 if (l2cap_chan_check_security(chan) &&
4343478f 683 __l2cap_no_conn_pending(chan)) {
b1235d79 684 struct l2cap_conn_req req;
fe4128e0
GP		 685 req.scid = cpu_to_le16(chan->scid);
686 req.psm = chan->psm;
79d554a6 687
fc7f8a7e 688 chan->ident = l2cap_get_ident(conn);
c1360a1c 689 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
79d554a6 690
fc7f8a7e
GP		 691 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
692 sizeof(req), &req);
b1235d79 693 }
79d554a6
MH		 694 } else {
695 struct l2cap_info_req req;
696 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
697
698 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
699 conn->info_ident = l2cap_get_ident(conn);
700
f878fcad 701 schedule_delayed_work(&conn->info_work,
79d554a6
MH		 702 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
703
704 l2cap_send_cmd(conn, conn->info_ident,
705 L2CAP_INFO_REQ, sizeof(req), &req);
706 }
707}
708
cf6c2c0b
GP		 709static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
710{
711 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 712 if (!disable_ertm)
cf6c2c0b
GP		 713 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
714
715 switch (mode) {
716 case L2CAP_MODE_ERTM:
717 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
718 case L2CAP_MODE_STREAMING:
719 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
720 default:
721 return 0x00;
722 }
723}
724
4519de9a 725static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 726{
e92c8e70 727 struct sock *sk;
22121fc9
GP		 728 struct l2cap_disconn_req req;
729
c13ffa62
GP		 730 if (!conn)
731 return;
732
e92c8e70
GP		 733 sk = chan->sk;
734
0c1bc5c6 735 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 736 __clear_retrans_timer(chan);
737 __clear_monitor_timer(chan);
738 __clear_ack_timer(chan);
c13ffa62
GP		 739 }
740
fe4128e0
GP		 741 req.dcid = cpu_to_le16(chan->dcid);
742 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 743 l2cap_send_cmd(conn, l2cap_get_ident(conn),
744 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 745
89bc500e 746 l2cap_state_change(chan, BT_DISCONN);
9b108fc0 747 sk->sk_err = err;
22121fc9
GP		 748}
749
1da177e4 750/* ---- L2CAP connections ---- */
4e8402a3
MH		 751static void l2cap_conn_start(struct l2cap_conn *conn)
752{
820ffdb3 753 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 754
755 BT_DBG("conn %p", conn);
756
d01b2ff4 757 mutex_lock(&conn->chan_lock);
4e8402a3 758
820ffdb3 759 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 760 struct sock *sk = chan->sk;
baa7e1fa 761
4e8402a3
MH		 762 bh_lock_sock(sk);
763
715ec005 764 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
79d554a6
MH		 765 bh_unlock_sock(sk);
766 continue;
767 }
768
89bc500e 769 if (chan->state == BT_CONNECT) {
47731de7 770 struct l2cap_conn_req req;
79d554a6 771
d45fc423 772 if (!l2cap_chan_check_security(chan) ||
b4450035 773 !__l2cap_no_conn_pending(chan)) {
47731de7
GP		 774 bh_unlock_sock(sk);
775 continue;
776 }
79d554a6 777
c1360a1c
GP		 778 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
779 && test_bit(CONF_STATE2_DEVICE,
780 &chan->conf_state)) {
0f852724 781 /* l2cap_chan_close() calls list_del(chan)
820ffdb3 782 * so release the lock */
d01b2ff4 783 mutex_unlock(&conn->chan_lock);
89bc500e 784 l2cap_chan_close(chan, ECONNRESET);
d01b2ff4 785 utex_lock(&conn->chan_lock);
47731de7
GP		 786 bh_unlock_sock(sk);
787 continue;
b1235d79 788 }
47731de7 789
fe4128e0
GP		 790 req.scid = cpu_to_le16(chan->scid);
791 req.psm = chan->psm;
47731de7 792
fc7f8a7e 793 chan->ident = l2cap_get_ident(conn);
c1360a1c 794 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
47731de7 795
fc7f8a7e
GP		 796 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
797 sizeof(req), &req);
47731de7 798
89bc500e 799 } else if (chan->state == BT_CONNECT2) {
79d554a6 800 struct l2cap_conn_rsp rsp;
e9aeb2dd 801 char buf[128];
fe4128e0
GP		 802 rsp.scid = cpu_to_le16(chan->dcid);
803 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 804
d45fc423 805 if (l2cap_chan_check_security(chan)) {
f66dc81f
MH		 806 if (bt_sk(sk)->defer_setup) {
807 struct sock *parent = bt_sk(sk)->parent;
808 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
809 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 810 if (parent)
811 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 812
813 } else {
89bc500e 814 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 815 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
816 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
817 }
79d554a6
MH		 818 } else {
819 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
820 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
821 }
822
fc7f8a7e
GP		 823 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
824 sizeof(rsp), &rsp);
e9aeb2dd 825
c1360a1c 826 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd
GP		 827 rsp.result != L2CAP_CR_SUCCESS) {
828 bh_unlock_sock(sk);
829 continue;
830 }
831
c1360a1c 832 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 833 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 834 l2cap_build_conf_req(chan, buf), buf);
835 chan->num_conf_req++;
4e8402a3
MH		 836 }
837
838 bh_unlock_sock(sk);
839 }
840
d01b2ff4 841 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 842}
843
b62f328b
VT		 844/* Find socket with cid and source bdaddr.
845 * Returns closest match, locked.
846 */
23691d75 847static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
b62f328b 848{
23691d75 849 struct l2cap_chan *c, *c1 = NULL;
b62f328b 850
23691d75 851 read_lock(&chan_list_lock);
b62f328b 852
23691d75
GP		 853 list_for_each_entry(c, &chan_list, global_l) {
854 struct sock *sk = c->sk;
fe4128e0 855
89bc500e 856 if (state && c->state != state)
b62f328b
VT		 857 continue;
858
23691d75 859 if (c->scid == cid) {
b62f328b 860 /* Exact match. */
23691d75
GP		 861 if (!bacmp(&bt_sk(sk)->src, src)) {
862 read_unlock(&chan_list_lock);
863 return c;
864 }
b62f328b
VT		 865
866 /* Closest match */
867 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 868 c1 = c;
b62f328b
VT		 869 }
870 }
280f294f 871
23691d75 872 read_unlock(&chan_list_lock);
b62f328b 873
23691d75 874 return c1;
b62f328b
VT		 875}
876
877static void l2cap_le_conn_ready(struct l2cap_conn *conn)
878{
c916fbe4 879 struct sock *parent, *sk;
23691d75 880 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 881
882 BT_DBG("");
883
884 /* Check if we have socket listening on cid */
23691d75 885 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
b62f328b 886 conn->src);
23691d75 887 if (!pchan)
b62f328b
VT		 888 return;
889
23691d75
GP		 890 parent = pchan->sk;
891
aa2ac881 892 lock_sock(parent);
62f3a2cf 893
b62f328b
VT		 894 /* Check for backlog size */
895 if (sk_acceptq_is_full(parent)) {
896 BT_DBG("backlog full %d", parent->sk_ack_backlog);
897 goto clean;
898 }
899
80808e43
GP		 900 chan = pchan->ops->new_connection(pchan->data);
901 if (!chan)
b62f328b
VT		 902 goto clean;
903
80808e43 904 sk = chan->sk;
5d41ce1d 905
d01b2ff4 906 mutex_lock(&conn->chan_lock);
b62f328b
VT		 907
908 hci_conn_hold(conn->hcon);
909
b62f328b
VT		 910 bacpy(&bt_sk(sk)->src, conn->src);
911 bacpy(&bt_sk(sk)->dst, conn->dst);
912
d1010240
GP		 913 bt_accept_enqueue(parent, sk);
914
48454079
GP		 915 __l2cap_chan_add(conn, chan);
916
c9b66675 917 __set_chan_timer(chan, sk->sk_sndtimeo);
b62f328b 918
89bc500e 919 l2cap_state_change(chan, BT_CONNECTED);
b62f328b
VT		 920 parent->sk_data_ready(parent, 0);
921
d01b2ff4 922 mutex_unlock(&conn->chan_lock);
b62f328b
VT		 923
924clean:
aa2ac881 925 release_sock(parent);
b62f328b
VT		 926}
927
f1cb9af5
VCG		 928static void l2cap_chan_ready(struct sock *sk)
929{
930 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
931 struct sock *parent = bt_sk(sk)->parent;
932
933 BT_DBG("sk %p, parent %p", sk, parent);
934
935 chan->conf_state = 0;
936 __clear_chan_timer(chan);
937
43f3dc41 938 l2cap_state_change(chan, BT_CONNECTED);
f1cb9af5
VCG		 939 sk->sk_state_change(sk);
940
941 if (parent)
942 parent->sk_data_ready(parent, 0);
943}
944
4e8402a3
MH		 945static void l2cap_conn_ready(struct l2cap_conn *conn)
946{
48454079 947 struct l2cap_chan *chan;
4e8402a3 948
79d554a6 949 BT_DBG("conn %p", conn);
4e8402a3 950
b62f328b
VT		 951 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
952 l2cap_le_conn_ready(conn);
953
160dc6ac
VCG		 954 if (conn->hcon->out && conn->hcon->type == LE_LINK)
955 smp_conn_security(conn, conn->hcon->pending_sec_level);
956
d01b2ff4 957 mutex_lock(&conn->chan_lock);
4e8402a3 958
baa7e1fa 959 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 960 struct sock *sk = chan->sk;
baa7e1fa 961
79d554a6 962 bh_lock_sock(sk);
4e8402a3 963
63128451 964 if (conn->hcon->type == LE_LINK) {
b501d6a1 965 if (smp_conn_security(conn, chan->sec_level))
f1cb9af5 966 l2cap_chan_ready(sk);
acd7d370 967
63128451 968 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 969 __clear_chan_timer(chan);
89bc500e 970 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 971 sk->sk_state_change(sk);
b501d6a1 972
89bc500e 973 } else if (chan->state == BT_CONNECT)
fc7f8a7e 974 l2cap_do_start(chan);
4e8402a3 975
79d554a6 976 bh_unlock_sock(sk);
4e8402a3 977 }
79d554a6 978
d01b2ff4 979 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 980}
981
982/* Notify sockets that we cannot guaranty reliability anymore */
983static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
984{
48454079 985 struct l2cap_chan *chan;
4e8402a3
MH		 986
987 BT_DBG("conn %p", conn);
988
d01b2ff4 989 mutex_lock(&conn->chan_lock);
4e8402a3 990
baa7e1fa 991 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 992 struct sock *sk = chan->sk;
baa7e1fa 993
ecf61bdb 994 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
4e8402a3
MH		 995 sk->sk_err = err;
996 }
997
d01b2ff4 998 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 999}
1000
f878fcad 1001static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1002{
f878fcad
GP		 1003 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1004 info_work.work);
4e8402a3 1005
984947dc 1006 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1007 conn->info_ident = 0;
984947dc 1008
4e8402a3
MH		 1009 l2cap_conn_start(conn);
1010}
1011
5d3de7df
VCG		 1012static void l2cap_conn_del(struct hci_conn *hcon, int err)
1013{
1014 struct l2cap_conn *conn = hcon->l2cap_data;
1015 struct l2cap_chan *chan, *l;
1016 struct sock *sk;
1017
1018 if (!conn)
1019 return;
1020
1021 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1022
1023 kfree_skb(conn->rx_skb);
1024
1025 /* Kill channels */
1026 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1027 sk = chan->sk;
aa2ac881 1028 lock_sock(sk);
5d3de7df 1029 l2cap_chan_del(chan, err);
aa2ac881 1030 release_sock(sk);
5d3de7df
VCG		 1031 chan->ops->close(chan->data);
1032 }
1033
73d80deb
LAD		 1034 hci_chan_del(conn->hchan);
1035
5d3de7df 1036 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
f878fcad 1037 cancel_delayed_work_sync(&conn->info_work);
5d3de7df 1038
d26a2345 1039 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->pend)) {
5d3de7df 1040 del_timer(&conn->security_timer);
8aab4757 1041 smp_chan_destroy(conn);
d26a2345 1042 }
5d3de7df
VCG		 1043
1044 hcon->l2cap_data = NULL;
1045 kfree(conn);
1046}
1047
1048static void security_timeout(unsigned long arg)
1049{
1050 struct l2cap_conn *conn = (void *) arg;
1051
1052 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1053}
1054
1da177e4
LT		 1055static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1056{
0139418c 1057 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1058 struct hci_chan *hchan;
1da177e4 1059
0139418c 1060 if (conn || status)
1da177e4
LT		 1061 return conn;
1062
73d80deb
LAD		 1063 hchan = hci_chan_create(hcon);
1064 if (!hchan)
1065 return NULL;
1066
0139418c 1067 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
73d80deb
LAD		 1068 if (!conn) {
1069 hci_chan_del(hchan);
1da177e4 1070 return NULL;
73d80deb 1071 }
1da177e4
LT		 1072
1073 hcon->l2cap_data = conn;
1074 conn->hcon = hcon;
73d80deb 1075 conn->hchan = hchan;
1da177e4 1076
73d80deb 1077 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1078
acd7d370
VT		 1079 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1080 conn->mtu = hcon->hdev->le_mtu;
1081 else
1082 conn->mtu = hcon->hdev->acl_mtu;
1083
1da177e4
LT		 1084 conn->src = &hcon->hdev->bdaddr;
1085 conn->dst = &hcon->dst;
1086
4e8402a3
MH		 1087 conn->feat_mask = 0;
1088
1da177e4 1089 spin_lock_init(&conn->lock);
d01b2ff4 1090 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1091
1092 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1093
5d3de7df
VCG		 1094 if (hcon->type == LE_LINK)
1095 setup_timer(&conn->security_timer, security_timeout,
1096 (unsigned long) conn);
1097 else
f878fcad 1098 INIT_DELAYED_WORK(&conn->info_work, l2cap_info_timeout);
45054dc1 1099
9f5a0d7b 1100 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1101
1da177e4
LT		 1102 return conn;
1103}
1104
48454079 1105static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
1da177e4 1106{
d01b2ff4 1107 mutex_lock(&conn->chan_lock);
48454079 1108 __l2cap_chan_add(conn, chan);
d01b2ff4 1109 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 1110}
1111
1da177e4 1112/* ---- Socket interface ---- */
1da177e4
LT		 1113
1114/* Find socket with psm and source bdaddr.
1115 * Returns closest match.
1116 */
23691d75 1117static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4 1118{
23691d75 1119 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1120
23691d75 1121 read_lock(&chan_list_lock);
e0f0cb56 1122
23691d75
GP		 1123 list_for_each_entry(c, &chan_list, global_l) {
1124 struct sock *sk = c->sk;
fe4128e0 1125
89bc500e 1126 if (state && c->state != state)
1da177e4
LT		 1127 continue;
1128
23691d75 1129 if (c->psm == psm) {
1da177e4 1130 /* Exact match. */
23691d75 1131 if (!bacmp(&bt_sk(sk)->src, src)) {
a7567b20 1132 read_unlock(&chan_list_lock);
23691d75
GP		 1133 return c;
1134 }
1da177e4
LT		 1135
1136 /* Closest match */
1137 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 1138 c1 = c;
1da177e4
LT		 1139 }
1140 }
1da177e4 1141
23691d75 1142 read_unlock(&chan_list_lock);
e0f0cb56 1143
23691d75 1144 return c1;
1da177e4
LT		 1145}
1146
03a00194 1147inline int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid, bdaddr_t *dst)
1da177e4 1148{
5d41ce1d 1149 struct sock *sk = chan->sk;
1da177e4 1150 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1151 struct l2cap_conn *conn;
1152 struct hci_conn *hcon;
1153 struct hci_dev *hdev;
09ab6f4c 1154 __u8 auth_type;
44d0e48e 1155 int err;
1da177e4 1156
f29972de 1157 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
fe4128e0 1158 chan->psm);
1da177e4 1159
af05b30b
GP		 1160 hdev = hci_get_route(dst, src);
1161 if (!hdev)
1da177e4
LT		 1162 return -EHOSTUNREACH;
1163
09fd0de5 1164 hci_dev_lock(hdev);
1da177e4 1165
03a00194
GP		 1166 lock_sock(sk);
1167
1168 /* PSM must be odd and lsb of upper byte must be 0 */
1169 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1170 chan->chan_type != L2CAP_CHAN_RAW) {
1171 err = -EINVAL;
1172 goto done;
1173 }
1174
1175 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1176 err = -EINVAL;
1177 goto done;
1178 }
1179
1180 switch (chan->mode) {
1181 case L2CAP_MODE_BASIC:
1182 break;
1183 case L2CAP_MODE_ERTM:
1184 case L2CAP_MODE_STREAMING:
1185 if (!disable_ertm)
1186 break;
1187 /* fall through */
1188 default:
1189 err = -ENOTSUPP;
1190 goto done;
1191 }
1192
1193 switch (sk->sk_state) {
1194 case BT_CONNECT:
1195 case BT_CONNECT2:
1196 case BT_CONFIG:
1197 /* Already connecting */
1198 err = 0;
1199 goto done;
1200
1201 case BT_CONNECTED:
1202 /* Already connected */
1203 err = -EISCONN;
1204 goto done;
1205
1206 case BT_OPEN:
1207 case BT_BOUND:
1208 /* Can connect */
1209 break;
1210
1211 default:
1212 err = -EBADFD;
1213 goto done;
1214 }
1215
1216 /* Set destination address and psm */
1217 bacpy(&bt_sk(sk)->dst, src);
1218 chan->psm = psm;
1219 chan->dcid = cid;
1220
4343478f 1221 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1222
fe4128e0 1223 if (chan->dcid == L2CAP_CID_LE_DATA)
acd7d370 1224 hcon = hci_connect(hdev, LE_LINK, dst,
4343478f 1225 chan->sec_level, auth_type);
acd7d370
VT		 1226 else
1227 hcon = hci_connect(hdev, ACL_LINK, dst,
4343478f 1228 chan->sec_level, auth_type);
acd7d370 1229
30e76272
VT		 1230 if (IS_ERR(hcon)) {
1231 err = PTR_ERR(hcon);
1da177e4 1232 goto done;
30e76272 1233 }
1da177e4
LT		 1234
1235 conn = l2cap_conn_add(hcon, 0);
1236 if (!conn) {
1237 hci_conn_put(hcon);
30e76272 1238 err = -ENOMEM;
1da177e4
LT		 1239 goto done;
1240 }
1241
1da177e4
LT		 1242 /* Update source addr of the socket */
1243 bacpy(src, conn->src);
1244
48454079
GP		 1245 l2cap_chan_add(conn, chan);
1246
89bc500e 1247 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1248 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1249
1250 if (hcon->state == BT_CONNECTED) {
715ec005 1251 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1252 __clear_chan_timer(chan);
d45fc423 1253 if (l2cap_chan_check_security(chan))
89bc500e 1254 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1255 } else
fc7f8a7e 1256 l2cap_do_start(chan);
1da177e4
LT		 1257 }
1258
30e76272
VT		 1259 err = 0;
1260
1da177e4 1261done:
09fd0de5 1262 hci_dev_unlock(hdev);
1da177e4
LT		 1263 hci_dev_put(hdev);
1264 return err;
1265}
1266
dcba0dba 1267int __l2cap_wait_ack(struct sock *sk)
6161c038 1268{
8c1d787b 1269 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1270 DECLARE_WAITQUEUE(wait, current);
1271 int err = 0;
1272 int timeo = HZ/5;
1273
2b0b05dd 1274 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1275 set_current_state(TASK_INTERRUPTIBLE);
1276 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1277 if (!timeo)
1278 timeo = HZ/5;
1279
1280 if (signal_pending(current)) {
1281 err = sock_intr_errno(timeo);
1282 break;
1283 }
1284
1285 release_sock(sk);
1286 timeo = schedule_timeout(timeo);
1287 lock_sock(sk);
a71a0cf4 1288 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1289
1290 err = sock_error(sk);
1291 if (err)
1292 break;
1293 }
1294 set_current_state(TASK_RUNNING);
2b0b05dd 1295 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1296 return err;
1297}
1298
721c4181 1299static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1300{
721c4181
GP		 1301 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1302 monitor_timer.work);
525cd185 1303 struct sock *sk = chan->sk;
e90bac06 1304
525cd185 1305 BT_DBG("chan %p", chan);
0e98958d 1306
721c4181 1307 lock_sock(sk);
2c03a7a4 1308 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1309 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
721c4181 1310 release_sock(sk);
e90bac06
GP		 1311 return;
1312 }
1313
6a026610 1314 chan->retry_count++;
1a09bcb9 1315 __set_monitor_timer(chan);
e90bac06 1316
525cd185 1317 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
721c4181 1318 release_sock(sk);
e90bac06
GP		 1319}
1320
721c4181 1321static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1322{
721c4181
GP		 1323 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1324 retrans_timer.work);
525cd185 1325 struct sock *sk = chan->sk;
e90bac06 1326
49208c9c 1327 BT_DBG("chan %p", chan);
0e98958d 1328
721c4181 1329 lock_sock(sk);
6a026610 1330 chan->retry_count = 1;
1a09bcb9 1331 __set_monitor_timer(chan);
e90bac06 1332
e2ab4353 1333 set_bit(CONN_WAIT_F, &chan->conn_state);
e90bac06 1334
525cd185 1335 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
721c4181 1336 release_sock(sk);
e90bac06
GP		 1337}
1338
42e5c802 1339static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1da177e4 1340{
1c2acffb 1341 struct sk_buff *skb;
1da177e4 1342
58d35f87 1343 while ((skb = skb_peek(&chan->tx_q)) &&
6a026610 1344 chan->unacked_frames) {
42e5c802 1345 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1c2acffb 1346 break;
1da177e4 1347
58d35f87 1348 skb = skb_dequeue(&chan->tx_q);
1c2acffb 1349 kfree_skb(skb);
1da177e4 1350
6a026610 1351 chan->unacked_frames--;
1c2acffb 1352 }
1da177e4 1353
6a026610 1354 if (!chan->unacked_frames)
1a09bcb9 1355 __clear_retrans_timer(chan);
1c2acffb 1356}
1da177e4 1357
67c9e840 1358static void l2cap_streaming_send(struct l2cap_chan *chan)
6840ed07 1359{
ccbb84af 1360 struct sk_buff *skb;
88843ab0
AE		 1361 u32 control;
1362 u16 fcs;
6840ed07 1363
58d35f87 1364 while ((skb = skb_dequeue(&chan->tx_q))) {
88843ab0 1365 control = __get_control(chan, skb->data + L2CAP_HDR_SIZE);
fb45de7d 1366 control |= __set_txseq(chan, chan->next_tx_seq);
88843ab0 1367 __put_control(chan, control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1368
47d1ec61 1369 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1370 fcs = crc16(0, (u8 *)skb->data,
1371 skb->len - L2CAP_FCS_SIZE);
1372 put_unaligned_le16(fcs,
1373 skb->data + skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 1374 }
1375
4343478f 1376 l2cap_do_send(chan, skb);
6840ed07 1377
836be934 1378 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
6840ed07 1379 }
6840ed07
GP		 1380}
1381
fb45de7d 1382static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 1383{
8f17154f 1384 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1385 u16 fcs;
1386 u32 control;
8f17154f 1387
58d35f87 1388 skb = skb_peek(&chan->tx_q);
f11d676d
GP		 1389 if (!skb)
1390 return;
8f17154f 1391
d1726b6d 1392 while (bt_cb(skb)->tx_seq != tx_seq) {
58d35f87 1393 if (skb_queue_is_last(&chan->tx_q, skb))
f11d676d 1394 return;
8f17154f 1395
d1726b6d
SJ		 1396 skb = skb_queue_next(&chan->tx_q, skb);
1397 }
8f17154f 1398
2c03a7a4
GP		 1399 if (chan->remote_max_tx &&
1400 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1401 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
f11d676d
GP		 1402 return;
1403 }
1404
1405 tx_skb = skb_clone(skb, GFP_ATOMIC);
1406 bt_cb(skb)->retries++;
88843ab0
AE		 1407
1408 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1409 control &= __get_sar_mask(chan);
3cb123d1 1410
e2ab4353 1411 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1412 control |= __set_ctrl_final(chan);
95ffa978 1413
0b209fae 1414 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1415 control |= __set_txseq(chan, tx_seq);
3cb123d1 1416
88843ab0 1417 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
f11d676d 1418
47d1ec61 1419 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1420 fcs = crc16(0, (u8 *)tx_skb->data,
1421 tx_skb->len - L2CAP_FCS_SIZE);
1422 put_unaligned_le16(fcs,
1423 tx_skb->data + tx_skb->len - L2CAP_FCS_SIZE);
f11d676d
GP		 1424 }
1425
4343478f 1426 l2cap_do_send(chan, tx_skb);
8f17154f
GP		 1427}
1428
67c9e840 1429static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1430{
1431 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1432 u16 fcs;
1433 u32 control;
9a9c6a34 1434 int nsent = 0;
1c2acffb 1435
89bc500e 1436 if (chan->state != BT_CONNECTED)
c13ffa62 1437 return -ENOTCONN;
e90bac06 1438
58d35f87 1439 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1c2acffb 1440
2c03a7a4
GP		 1441 if (chan->remote_max_tx &&
1442 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1443 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
e90bac06
GP		 1444 break;
1445 }
1446
e420aba3
AE		 1447 tx_skb = skb_clone(skb, GFP_ATOMIC);
1448
e90bac06
GP		 1449 bt_cb(skb)->retries++;
1450
88843ab0 1451 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1452 control &= __get_sar_mask(chan);
95ffa978 1453
e2ab4353 1454 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1455 control |= __set_ctrl_final(chan);
e2ab4353 1456
0b209fae 1457 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1458 control |= __set_txseq(chan, chan->next_tx_seq);
1c2acffb 1459
88843ab0 1460 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
e90bac06 1461
47d1ec61 1462 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1463 fcs = crc16(0, (u8 *)skb->data,
1464 tx_skb->len - L2CAP_FCS_SIZE);
1465 put_unaligned_le16(fcs, skb->data +
1466 tx_skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 1467 }
1468
4343478f 1469 l2cap_do_send(chan, tx_skb);
9a9c6a34 1470
1a09bcb9 1471 __set_retrans_timer(chan);
1c2acffb 1472
42e5c802 1473 bt_cb(skb)->tx_seq = chan->next_tx_seq;
836be934
AE		 1474
1475 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1c2acffb 1476
23e9fde2 1477 if (bt_cb(skb)->retries == 1)
6a026610 1478 chan->unacked_frames++;
23e9fde2 1479
6a026610 1480 chan->frames_sent++;
1c2acffb 1481
58d35f87
GP		 1482 if (skb_queue_is_last(&chan->tx_q, skb))
1483 chan->tx_send_head = NULL;
1c2acffb 1484 else
58d35f87 1485 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
9e917af1
GP		 1486
1487 nsent++;
1c2acffb
GP		 1488 }
1489
9e917af1
GP		 1490 return nsent;
1491}
1492
525cd185 1493static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1494{
dfc909be
GP		 1495 int ret;
1496
58d35f87
GP		 1497 if (!skb_queue_empty(&chan->tx_q))
1498 chan->tx_send_head = chan->tx_q.next;
dfc909be 1499
42e5c802 1500 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1501 ret = l2cap_ertm_send(chan);
dfc909be
GP		 1502 return ret;
1503}
1504
525cd185 1505static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1506{
88843ab0 1507 u32 control = 0;
9e917af1 1508
0b209fae 1509 control |= __set_reqseq(chan, chan->buffer_seq);
9e917af1 1510
e2ab4353 1511 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 1512 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 1513 set_bit(CONN_RNR_SENT, &chan->conn_state);
525cd185 1514 l2cap_send_sframe(chan, control);
9a9c6a34 1515 return;
9e917af1 1516 }
dfc909be 1517
525cd185 1518 if (l2cap_ertm_send(chan) > 0)
dfc909be
GP		 1519 return;
1520
ab784b73 1521 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 1522 l2cap_send_sframe(chan, control);
1c2acffb
GP		 1523}
1524
525cd185 1525static void l2cap_send_srejtail(struct l2cap_chan *chan)
99b0d4b7
GP		 1526{
1527 struct srej_list *tail;
88843ab0 1528 u32 control;
99b0d4b7 1529
ab784b73 1530 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
03f6715d 1531 control |= __set_ctrl_final(chan);
99b0d4b7 1532
39d5a3ee 1533 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
0b209fae 1534 control |= __set_reqseq(chan, tail->tx_seq);
99b0d4b7 1535
525cd185 1536 l2cap_send_sframe(chan, control);
99b0d4b7
GP		 1537}
1538
1c2acffb
GP		 1539static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1540{
8c1d787b 1541 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1c2acffb
GP		 1542 struct sk_buff **frag;
1543 int err, sent = 0;
1da177e4 1544
59203a21 1545 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1546 return -EFAULT;
1da177e4
LT		 1547
1548 sent += count;
1549 len -= count;
1550
1551 /* Continuation fragments (no L2CAP header) */
1552 frag = &skb_shinfo(skb)->frag_list;
1553 while (len) {
1554 count = min_t(unsigned int, conn->mtu, len);
1555
1556 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1557 if (!*frag)
0175d629 1558 return err;
1c2acffb
GP		 1559 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1560 return -EFAULT;
1da177e4 1561
5e59b791
LAD		 1562 (*frag)->priority = skb->priority;
1563
1da177e4
LT		 1564 sent += count;
1565 len -= count;
1566
1567 frag = &(*frag)->next;
1568 }
1da177e4
LT		 1569
1570 return sent;
1c2acffb 1571}
1da177e4 1572
5e59b791
LAD		 1573static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
1574 struct msghdr *msg, size_t len,
1575 u32 priority)
1c2acffb 1576{
fe4128e0 1577 struct sock *sk = chan->sk;
8c1d787b 1578 struct l2cap_conn *conn = chan->conn;
1c2acffb 1579 struct sk_buff *skb;
03a51213 1580 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 1581 struct l2cap_hdr *lh;
1582
5e59b791 1583 BT_DBG("sk %p len %d priority %u", sk, (int)len, priority);
1c2acffb
GP		 1584
1585 count = min_t(unsigned int, (conn->mtu - hlen), len);
1586 skb = bt_skb_send_alloc(sk, count + hlen,
1587 msg->msg_flags & MSG_DONTWAIT, &err);
1588 if (!skb)
0175d629 1589 return ERR_PTR(err);
1c2acffb 1590
5e59b791
LAD		 1591 skb->priority = priority;
1592
1c2acffb
GP		 1593 /* Create L2CAP header */
1594 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1595 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1596 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
fe4128e0 1597 put_unaligned_le16(chan->psm, skb_put(skb, 2));
1c2acffb
GP		 1598
1599 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1600 if (unlikely(err < 0)) {
1601 kfree_skb(skb);
1602 return ERR_PTR(err);
1603 }
1604 return skb;
1605}
1606
5e59b791
LAD		 1607static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
1608 struct msghdr *msg, size_t len,
1609 u32 priority)
1c2acffb 1610{
fe4128e0 1611 struct sock *sk = chan->sk;
8c1d787b 1612 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1613 struct sk_buff *skb;
1614 int err, count, hlen = L2CAP_HDR_SIZE;
1615 struct l2cap_hdr *lh;
1616
1617 BT_DBG("sk %p len %d", sk, (int)len);
1618
1619 count = min_t(unsigned int, (conn->mtu - hlen), len);
1620 skb = bt_skb_send_alloc(sk, count + hlen,
1621 msg->msg_flags & MSG_DONTWAIT, &err);
1622 if (!skb)
0175d629 1623 return ERR_PTR(err);
1c2acffb 1624
5e59b791
LAD		 1625 skb->priority = priority;
1626
1c2acffb
GP		 1627 /* Create L2CAP header */
1628 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1629 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1630 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1631
1632 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1633 if (unlikely(err < 0)) {
1634 kfree_skb(skb);
1635 return ERR_PTR(err);
1636 }
1637 return skb;
1638}
1639
ab0ff76d
LAD		 1640static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
1641 struct msghdr *msg, size_t len,
88843ab0 1642 u32 control, u16 sdulen)
1c2acffb 1643{
47d1ec61 1644 struct sock *sk = chan->sk;
8c1d787b 1645 struct l2cap_conn *conn = chan->conn;
1c2acffb 1646 struct sk_buff *skb;
e4ca6d98 1647 int err, count, hlen;
1c2acffb
GP		 1648 struct l2cap_hdr *lh;
1649
1650 BT_DBG("sk %p len %d", sk, (int)len);
1651
0ee0d208
GP		 1652 if (!conn)
1653 return ERR_PTR(-ENOTCONN);
1654
e4ca6d98
AE		 1655 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1656 hlen = L2CAP_EXT_HDR_SIZE;
1657 else
1658 hlen = L2CAP_ENH_HDR_SIZE;
1659
c74e560c 1660 if (sdulen)
03a51213 1661 hlen += L2CAP_SDULEN_SIZE;
c74e560c 1662
47d1ec61 1663 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1664 hlen += L2CAP_FCS_SIZE;
fcc203c3 1665
1c2acffb
GP		 1666 count = min_t(unsigned int, (conn->mtu - hlen), len);
1667 skb = bt_skb_send_alloc(sk, count + hlen,
1668 msg->msg_flags & MSG_DONTWAIT, &err);
1669 if (!skb)
0175d629 1670 return ERR_PTR(err);
1c2acffb
GP		 1671
1672 /* Create L2CAP header */
1673 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1674 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1675 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0
AE		 1676
1677 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
1678
c74e560c 1679 if (sdulen)
03a51213 1680 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb
GP		 1681
1682 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1683 if (unlikely(err < 0)) {
1684 kfree_skb(skb);
1685 return ERR_PTR(err);
1686 }
e90bac06 1687
47d1ec61 1688 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1689 put_unaligned_le16(0, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3 1690
e90bac06 1691 bt_cb(skb)->retries = 0;
1c2acffb 1692 return skb;
1da177e4
LT		 1693}
1694
67c9e840 1695static int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
c74e560c 1696{
c74e560c
GP		 1697 struct sk_buff *skb;
1698 struct sk_buff_head sar_queue;
88843ab0 1699 u32 control;
c74e560c
GP		 1700 size_t size = 0;
1701
ff12fd64 1702 skb_queue_head_init(&sar_queue);
7e0ef6ee 1703 control = __set_ctrl_sar(chan, L2CAP_SAR_START);
47d1ec61 1704 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
c74e560c
GP		 1705 if (IS_ERR(skb))
1706 return PTR_ERR(skb);
1707
1708 __skb_queue_tail(&sar_queue, skb);
2c03a7a4
GP		 1709 len -= chan->remote_mps;
1710 size += chan->remote_mps;
c74e560c
GP		 1711
1712 while (len > 0) {
1713 size_t buflen;
1714
2c03a7a4 1715 if (len > chan->remote_mps) {
7e0ef6ee 1716 control = __set_ctrl_sar(chan, L2CAP_SAR_CONTINUE);
2c03a7a4 1717 buflen = chan->remote_mps;
c74e560c 1718 } else {
7e0ef6ee 1719 control = __set_ctrl_sar(chan, L2CAP_SAR_END);
c74e560c
GP		 1720 buflen = len;
1721 }
1722
47d1ec61 1723 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
c74e560c
GP		 1724 if (IS_ERR(skb)) {
1725 skb_queue_purge(&sar_queue);
1726 return PTR_ERR(skb);
1727 }
1728
1729 __skb_queue_tail(&sar_queue, skb);
1730 len -= buflen;
1731 size += buflen;
c74e560c 1732 }
58d35f87
GP		 1733 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
1734 if (chan->tx_send_head == NULL)
1735 chan->tx_send_head = sar_queue.next;
c74e560c
GP		 1736
1737 return size;
1738}
1739
5e59b791
LAD		 1740int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
1741 u32 priority)
9a91a04a 1742{
9a91a04a 1743 struct sk_buff *skb;
88843ab0 1744 u32 control;
9a91a04a
GP		 1745 int err;
1746
1747 /* Connectionless channel */
715ec005 1748 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 1749 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 1750 if (IS_ERR(skb))
1751 return PTR_ERR(skb);
1752
1753 l2cap_do_send(chan, skb);
1754 return len;
1755 }
1756
1757 switch (chan->mode) {
1758 case L2CAP_MODE_BASIC:
1759 /* Check outgoing MTU */
1760 if (len > chan->omtu)
1761 return -EMSGSIZE;
1762
1763 /* Create a basic PDU */
5e59b791 1764 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 1765 if (IS_ERR(skb))
1766 return PTR_ERR(skb);
1767
1768 l2cap_do_send(chan, skb);
1769 err = len;
1770 break;
1771
1772 case L2CAP_MODE_ERTM:
1773 case L2CAP_MODE_STREAMING:
1774 /* Entire SDU fits into one PDU */
1775 if (len <= chan->remote_mps) {
7e0ef6ee 1776 control = __set_ctrl_sar(chan, L2CAP_SAR_UNSEGMENTED);
9a91a04a
GP		 1777 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
1778 0);
1779 if (IS_ERR(skb))
1780 return PTR_ERR(skb);
1781
1782 __skb_queue_tail(&chan->tx_q, skb);
1783
1784 if (chan->tx_send_head == NULL)
1785 chan->tx_send_head = skb;
1786
1787 } else {
1788 /* Segment SDU into multiples PDUs */
1789 err = l2cap_sar_segment_sdu(chan, msg, len);
1790 if (err < 0)
1791 return err;
1792 }
1793
1794 if (chan->mode == L2CAP_MODE_STREAMING) {
1795 l2cap_streaming_send(chan);
1796 err = len;
1797 break;
1798 }
1799
e2ab4353
GP		 1800 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
1801 test_bit(CONN_WAIT_F, &chan->conn_state)) {
9a91a04a
GP		 1802 err = len;
1803 break;
1804 }
1805
1806 err = l2cap_ertm_send(chan);
1807 if (err >= 0)
1808 err = len;
1809
1810 break;
1811
1812 default:
1813 BT_DBG("bad state %1.1x", chan->mode);
1814 err = -EBADFD;
1815 }
1816
1817 return err;
1818}
1819
1da177e4
LT		 1820/* Copy frame to all raw sockets on that connection */
1821static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1822{
1da177e4 1823 struct sk_buff *nskb;
48454079 1824 struct l2cap_chan *chan;
1da177e4
LT		 1825
1826 BT_DBG("conn %p", conn);
1827
d01b2ff4 1828 mutex_lock(&conn->chan_lock);
baa7e1fa 1829 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 1830 struct sock *sk = chan->sk;
715ec005 1831 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 1832 continue;
1833
1834 /* Don't send frame to the socket it came from */
1835 if (skb->sk == sk)
1836 continue;
af05b30b
GP		 1837 nskb = skb_clone(skb, GFP_ATOMIC);
1838 if (!nskb)
1da177e4
LT		 1839 continue;
1840
23070494 1841 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT		 1842 kfree_skb(nskb);
1843 }
d01b2ff4 1844 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 1845}
1846
1847/* ---- L2CAP signalling commands ---- */
1848static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1849 u8 code, u8 ident, u16 dlen, void *data)
1850{
1851 struct sk_buff *skb, **frag;
1852 struct l2cap_cmd_hdr *cmd;
1853 struct l2cap_hdr *lh;
1854 int len, count;
1855
af05b30b
GP		 1856 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1857 conn, code, ident, dlen);
1da177e4
LT		 1858
1859 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1860 count = min_t(unsigned int, conn->mtu, len);
1861
1862 skb = bt_skb_alloc(count, GFP_ATOMIC);
1863 if (!skb)
1864 return NULL;
1865
1866 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 1867 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 1868
1869 if (conn->hcon->type == LE_LINK)
1870 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
1871 else
1872 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 1873
1874 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1875 cmd->code = code;
1876 cmd->ident = ident;
aca3192c 1877 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 1878
1879 if (dlen) {
1880 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1881 memcpy(skb_put(skb, count), data, count);
1882 data += count;
1883 }
1884
1885 len -= skb->len;
1886
1887 /* Continuation fragments (no L2CAP header) */
1888 frag = &skb_shinfo(skb)->frag_list;
1889 while (len) {
1890 count = min_t(unsigned int, conn->mtu, len);
1891
1892 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1893 if (!*frag)
1894 goto fail;
1895
1896 memcpy(skb_put(*frag, count), data, count);
1897
1898 len -= count;
1899 data += count;
1900
1901 frag = &(*frag)->next;
1902 }
1903
1904 return skb;
1905
1906fail:
1907 kfree_skb(skb);
1908 return NULL;
1909}
1910
1911static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1912{
1913 struct l2cap_conf_opt *opt = *ptr;
1914 int len;
1915
1916 len = L2CAP_CONF_OPT_SIZE + opt->len;
1917 *ptr += len;
1918
1919 *type = opt->type;
1920 *olen = opt->len;
1921
1922 switch (opt->len) {
1923 case 1:
1924 *val = *((u8 *) opt->val);
1925 break;
1926
1927 case 2:
bfaaeb3e 1928 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 1929 break;
1930
1931 case 4:
bfaaeb3e 1932 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 1933 break;
1934
1935 default:
1936 *val = (unsigned long) opt->val;
1937 break;
1938 }
1939
1940 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1941 return len;
1942}
1943
1da177e4
LT		 1944static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1945{
1946 struct l2cap_conf_opt *opt = *ptr;
1947
1948 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1949
1950 opt->type = type;
1951 opt->len = len;
1952
1953 switch (len) {
1954 case 1:
1955 *((u8 *) opt->val) = val;
1956 break;
1957
1958 case 2:
4f8b691c 1959 put_unaligned_le16(val, opt->val);
1da177e4
LT		 1960 break;
1961
1962 case 4:
4f8b691c 1963 put_unaligned_le32(val, opt->val);
1da177e4
LT		 1964 break;
1965
1966 default:
1967 memcpy(opt->val, (void *) val, len);
1968 break;
1969 }
1970
1971 *ptr += L2CAP_CONF_OPT_SIZE + len;
1972}
1973
f89cef09
AE		 1974static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
1975{
1976 struct l2cap_conf_efs efs;
1977
1ec918ce 1978 switch (chan->mode) {
f89cef09
AE		 1979 case L2CAP_MODE_ERTM:
1980 efs.id = chan->local_id;
1981 efs.stype = chan->local_stype;
1982 efs.msdu = cpu_to_le16(chan->local_msdu);
1983 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
1984 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
1985 efs.flush_to = cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
1986 break;
1987
1988 case L2CAP_MODE_STREAMING:
1989 efs.id = 1;
1990 efs.stype = L2CAP_SERV_BESTEFFORT;
1991 efs.msdu = cpu_to_le16(chan->local_msdu);
1992 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
1993 efs.acc_lat = 0;
1994 efs.flush_to = 0;
1995 break;
1996
1997 default:
1998 return;
1999 }
2000
2001 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
2002 (unsigned long) &efs);
2003}
2004
721c4181 2005static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2006{
721c4181
GP		 2007 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2008 ack_timer.work);
c1b4f43b 2009
721c4181 2010 lock_sock(chan->sk);
525cd185 2011 l2cap_send_ack(chan);
721c4181 2012 release_sock(chan->sk);
c1b4f43b
GP		 2013}
2014
525cd185 2015static inline void l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2016{
42e5c802 2017 chan->expected_ack_seq = 0;
6a026610 2018 chan->unacked_frames = 0;
42e5c802 2019 chan->buffer_seq = 0;
6a026610
GP		 2020 chan->num_acked = 0;
2021 chan->frames_sent = 0;
0565c1c2 2022
721c4181
GP		 2023 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2024 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2025 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2026
f1c6775b 2027 skb_queue_head_init(&chan->srej_q);
1890d36b 2028
39d5a3ee 2029 INIT_LIST_HEAD(&chan->srej_l);
0565c1c2
GP		 2030}
2031
f2fcfcd6
GP		 2032static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2033{
2034 switch (mode) {
2035 case L2CAP_MODE_STREAMING:
2036 case L2CAP_MODE_ERTM:
2037 if (l2cap_mode_supported(mode, remote_feat_mask))
2038 return mode;
2039 /* fall through */
2040 default:
2041 return L2CAP_MODE_BASIC;
2042 }
2043}
2044
6327eb98
AE		 2045static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2046{
2047 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2048}
2049
f89cef09
AE		 2050static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2051{
2052 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2053}
2054
6327eb98
AE		 2055static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2056{
2057 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 2058 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2059 /* use extended control field */
2060 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2061 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2062 } else {
6327eb98
AE		 2063 chan->tx_win = min_t(u16, chan->tx_win,
2064 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2065 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2066 }
6327eb98
AE		 2067}
2068
710f9b0a 2069static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2070{
1da177e4 2071 struct l2cap_conf_req *req = data;
0c1bc5c6 2072 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2073 void *ptr = req->data;
c8f79162 2074 u16 size;
1da177e4 2075
49208c9c 2076 BT_DBG("chan %p", chan);
1da177e4 2077
73ffa904 2078 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2079 goto done;
2080
0c1bc5c6 2081 switch (chan->mode) {
f2fcfcd6
GP		 2082 case L2CAP_MODE_STREAMING:
2083 case L2CAP_MODE_ERTM:
c1360a1c 2084 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2085 break;
85eb53c6 2086
f89cef09
AE		 2087 if (__l2cap_efs_supported(chan))
2088 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2089
2ba13ed6 2090 /* fall through */
f2fcfcd6 2091 default:
8c1d787b 2092 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2093 break;
2094 }
2095
2096done:
0c1bc5c6
GP		 2097 if (chan->imtu != L2CAP_DEFAULT_MTU)
2098 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2099
0c1bc5c6 2100 switch (chan->mode) {
65c7c491 2101 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2102 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2103 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2104 break;
2105
62547752
GP		 2106 rfc.mode = L2CAP_MODE_BASIC;
2107 rfc.txwin_size = 0;
2108 rfc.max_transmit = 0;
2109 rfc.retrans_timeout = 0;
2110 rfc.monitor_timeout = 0;
2111 rfc.max_pdu_size = 0;
2112
63406504
GP		 2113 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2114 (unsigned long) &rfc);
65c7c491
MH		 2115 break;
2116
2117 case L2CAP_MODE_ERTM:
2118 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2119 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2120 rfc.retrans_timeout = 0;
2121 rfc.monitor_timeout = 0;
c8f79162
AE		 2122
2123 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2124 L2CAP_EXT_HDR_SIZE -
2125 L2CAP_SDULEN_SIZE -
2126 L2CAP_FCS_SIZE);
2127 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2128
6327eb98
AE		 2129 l2cap_txwin_setup(chan);
2130
2131 rfc.txwin_size = min_t(u16, chan->tx_win,
2132 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2133
63406504
GP		 2134 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2135 (unsigned long) &rfc);
2136
f89cef09
AE		 2137 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2138 l2cap_add_opt_efs(&ptr, chan);
2139
8c1d787b 2140 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2141 break;
2142
47d1ec61 2143 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2144 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2145 chan->fcs = L2CAP_FCS_NONE;
2146 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2147 }
6327eb98
AE		 2148
2149 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2150 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2151 chan->tx_win);
f2fcfcd6
GP		 2152 break;
2153
2154 case L2CAP_MODE_STREAMING:
2155 rfc.mode = L2CAP_MODE_STREAMING;
2156 rfc.txwin_size = 0;
2157 rfc.max_transmit = 0;
2158 rfc.retrans_timeout = 0;
2159 rfc.monitor_timeout = 0;
c8f79162
AE		 2160
2161 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2162 L2CAP_EXT_HDR_SIZE -
2163 L2CAP_SDULEN_SIZE -
2164 L2CAP_FCS_SIZE);
2165 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2166
63406504
GP		 2167 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2168 (unsigned long) &rfc);
2169
f89cef09
AE		 2170 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2171 l2cap_add_opt_efs(&ptr, chan);
2172
8c1d787b 2173 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2174 break;
2175
47d1ec61 2176 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2177 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2178 chan->fcs = L2CAP_FCS_NONE;
2179 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2180 }
65c7c491
MH		 2181 break;
2182 }
1da177e4 2183
fe4128e0 2184 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 2185 req->flags = cpu_to_le16(0);
1da177e4
LT		 2186
2187 return ptr - data;
2188}
2189
73ffa904 2190static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2191{
5dee9e7c
MH		 2192 struct l2cap_conf_rsp *rsp = data;
2193 void *ptr = rsp->data;
73ffa904
GP		 2194 void *req = chan->conf_req;
2195 int len = chan->conf_len;
5dee9e7c
MH		 2196 int type, hint, olen;
2197 unsigned long val;
6464f35f 2198 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2199 struct l2cap_conf_efs efs;
2200 u8 remote_efs = 0;
861d6882 2201 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2202 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2203 u16 size;
1da177e4 2204
73ffa904 2205 BT_DBG("chan %p", chan);
820ae1b8 2206
5dee9e7c
MH		 2207 while (len >= L2CAP_CONF_OPT_SIZE) {
2208 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2209
589d2746 2210 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2211 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2212
2213 switch (type) {
2214 case L2CAP_CONF_MTU:
861d6882 2215 mtu = val;
5dee9e7c
MH		 2216 break;
2217
2218 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2219 chan->flush_to = val;
5dee9e7c
MH		 2220 break;
2221
2222 case L2CAP_CONF_QOS:
2223 break;
2224
6464f35f
MH		 2225 case L2CAP_CONF_RFC:
2226 if (olen == sizeof(rfc))
2227 memcpy(&rfc, (void *) val, olen);
2228 break;
2229
fcc203c3
GP		 2230 case L2CAP_CONF_FCS:
2231 if (val == L2CAP_FCS_NONE)
c1360a1c 2232 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 2233 break;
fcc203c3 2234
42dceae2
AE		 2235 case L2CAP_CONF_EFS:
2236 remote_efs = 1;
2237 if (olen == sizeof(efs))
2238 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 2239 break;
2240
6327eb98
AE		 2241 case L2CAP_CONF_EWS:
2242 if (!enable_hs)
2243 return -ECONNREFUSED;
fcc203c3 2244
6327eb98
AE		 2245 set_bit(FLAG_EXT_CTRL, &chan->flags);
2246 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 2247 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 2248 chan->remote_tx_win = val;
fcc203c3
GP		 2249 break;
2250
5dee9e7c
MH		 2251 default:
2252 if (hint)
2253 break;
2254
2255 result = L2CAP_CONF_UNKNOWN;
2256 *((u8 *) ptr++) = type;
2257 break;
2258 }
2259 }
2260
73ffa904 2261 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2262 goto done;
2263
0c1bc5c6 2264 switch (chan->mode) {
f2fcfcd6
GP		 2265 case L2CAP_MODE_STREAMING:
2266 case L2CAP_MODE_ERTM:
c1360a1c 2267 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2268 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2269 chan->conn->feat_mask);
85eb53c6
GP		 2270 break;
2271 }
2272
42dceae2
AE		 2273 if (remote_efs) {
2274 if (__l2cap_efs_supported(chan))
2275 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2276 else
2277 return -ECONNREFUSED;
2278 }
2279
0c1bc5c6 2280 if (chan->mode != rfc.mode)
f2fcfcd6 2281 return -ECONNREFUSED;
742e519b 2282
f2fcfcd6 2283 break;
f2fcfcd6
GP		 2284 }
2285
2286done:
0c1bc5c6 2287 if (chan->mode != rfc.mode) {
f2fcfcd6 2288 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2289 rfc.mode = chan->mode;
f2fcfcd6 2290
73ffa904 2291 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2292 return -ECONNREFUSED;
2293
2294 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2295 sizeof(rfc), (unsigned long) &rfc);
2296 }
2297
5dee9e7c
MH		 2298 if (result == L2CAP_CONF_SUCCESS) {
2299 /* Configure output options and let the other side know
2300 * which ones we don't like. */
2301
f2fcfcd6
GP		 2302 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2303 result = L2CAP_CONF_UNACCEPT;
2304 else {
0c1bc5c6 2305 chan->omtu = mtu;
c1360a1c 2306 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 2307 }
0c1bc5c6 2308 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2309
42dceae2
AE		 2310 if (remote_efs) {
2311 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2312 efs.stype != L2CAP_SERV_NOTRAFIC &&
2313 efs.stype != chan->local_stype) {
2314
2315 result = L2CAP_CONF_UNACCEPT;
2316
2317 if (chan->num_conf_req >= 1)
2318 return -ECONNREFUSED;
2319
2320 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 2321 sizeof(efs),
42dceae2 2322 (unsigned long) &efs);
0e8b207e 2323 } else {
3e6b3b95 2324 /* Send PENDING Conf Rsp */
0e8b207e
AE		 2325 result = L2CAP_CONF_PENDING;
2326 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 2327 }
2328 }
2329
f2fcfcd6
GP		 2330 switch (rfc.mode) {
2331 case L2CAP_MODE_BASIC:
47d1ec61 2332 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2333 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 2334 break;
2335
2336 case L2CAP_MODE_ERTM:
6327eb98
AE		 2337 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
2338 chan->remote_tx_win = rfc.txwin_size;
2339 else
2340 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 2341
2c03a7a4 2342 chan->remote_max_tx = rfc.max_transmit;
1c762159 2343
c8f79162
AE		 2344 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2345 chan->conn->mtu -
2346 L2CAP_EXT_HDR_SIZE -
2347 L2CAP_SDULEN_SIZE -
2348 L2CAP_FCS_SIZE);
2349 rfc.max_pdu_size = cpu_to_le16(size);
2350 chan->remote_mps = size;
f2fcfcd6 2351
10467e9e
GP		 2352 rfc.retrans_timeout =
2353 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2354 rfc.monitor_timeout =
2355 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2356
c1360a1c 2357 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2358
2359 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2360 sizeof(rfc), (unsigned long) &rfc);
2361
42dceae2
AE		 2362 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2363 chan->remote_id = efs.id;
2364 chan->remote_stype = efs.stype;
2365 chan->remote_msdu = le16_to_cpu(efs.msdu);
2366 chan->remote_flush_to =
2367 le32_to_cpu(efs.flush_to);
2368 chan->remote_acc_lat =
2369 le32_to_cpu(efs.acc_lat);
2370 chan->remote_sdu_itime =
2371 le32_to_cpu(efs.sdu_itime);
2372 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2373 sizeof(efs), (unsigned long) &efs);
2374 }
f2fcfcd6
GP		 2375 break;
2376
2377 case L2CAP_MODE_STREAMING:
c8f79162
AE		 2378 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2379 chan->conn->mtu -
2380 L2CAP_EXT_HDR_SIZE -
2381 L2CAP_SDULEN_SIZE -
2382 L2CAP_FCS_SIZE);
2383 rfc.max_pdu_size = cpu_to_le16(size);
2384 chan->remote_mps = size;
f2fcfcd6 2385
c1360a1c 2386 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2387
2388 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2389 sizeof(rfc), (unsigned long) &rfc);
2390
f2fcfcd6
GP		 2391 break;
2392
2393 default:
5dee9e7c 2394 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2395
6464f35f 2396 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2397 rfc.mode = chan->mode;
f2fcfcd6 2398 }
6464f35f 2399
f2fcfcd6 2400 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 2401 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 2402 }
fe4128e0 2403 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2404 rsp->result = cpu_to_le16(result);
2405 rsp->flags = cpu_to_le16(0x0000);
2406
2407 return ptr - data;
1da177e4
LT		 2408}
2409
b4450035 2410static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2411{
f2fcfcd6
GP		 2412 struct l2cap_conf_req *req = data;
2413 void *ptr = req->data;
2414 int type, olen;
2415 unsigned long val;
2416 struct l2cap_conf_rfc rfc;
66af7aaf 2417 struct l2cap_conf_efs efs;
f2fcfcd6 2418
fe4128e0 2419 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 2420
2421 while (len >= L2CAP_CONF_OPT_SIZE) {
2422 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2423
2424 switch (type) {
2425 case L2CAP_CONF_MTU:
2426 if (val < L2CAP_DEFAULT_MIN_MTU) {
2427 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2428 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2429 } else
0c1bc5c6
GP		 2430 chan->imtu = val;
2431 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 2432 break;
2433
2434 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2435 chan->flush_to = val;
f2fcfcd6 2436 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 2437 2, chan->flush_to);
f2fcfcd6
GP		 2438 break;
2439
2440 case L2CAP_CONF_RFC:
2441 if (olen == sizeof(rfc))
2442 memcpy(&rfc, (void *)val, olen);
2443
c1360a1c 2444 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 2445 rfc.mode != chan->mode)
f2fcfcd6
GP		 2446 return -ECONNREFUSED;
2447
47d1ec61 2448 chan->fcs = 0;
f2fcfcd6
GP		 2449
2450 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2451 sizeof(rfc), (unsigned long) &rfc);
2452 break;
6327eb98
AE		 2453
2454 case L2CAP_CONF_EWS:
2455 chan->tx_win = min_t(u16, val,
2456 L2CAP_DEFAULT_EXT_WINDOW);
3e6b3b95
GP		 2457 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2458 chan->tx_win);
6327eb98 2459 break;
66af7aaf
AE		 2460
2461 case L2CAP_CONF_EFS:
2462 if (olen == sizeof(efs))
2463 memcpy(&efs, (void *)val, olen);
2464
2465 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2466 efs.stype != L2CAP_SERV_NOTRAFIC &&
2467 efs.stype != chan->local_stype)
2468 return -ECONNREFUSED;
2469
2470 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2471 sizeof(efs), (unsigned long) &efs);
2472 break;
f2fcfcd6
GP		 2473 }
2474 }
2475
0c1bc5c6 2476 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 2477 return -ECONNREFUSED;
2478
0c1bc5c6 2479 chan->mode = rfc.mode;
6c2ea7a8 2480
0e8b207e 2481 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 2482 switch (rfc.mode) {
2483 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2484 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2485 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2486 chan->mps = le16_to_cpu(rfc.max_pdu_size);
66af7aaf
AE		 2487
2488 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2489 chan->local_msdu = le16_to_cpu(efs.msdu);
2490 chan->local_sdu_itime =
2491 le32_to_cpu(efs.sdu_itime);
2492 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
2493 chan->local_flush_to =
2494 le32_to_cpu(efs.flush_to);
2495 }
f2fcfcd6 2496 break;
66af7aaf 2497
f2fcfcd6 2498 case L2CAP_MODE_STREAMING:
47d1ec61 2499 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2500 }
2501 }
2502
fe4128e0 2503 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 2504 req->flags = cpu_to_le16(0x0000);
2505
2506 return ptr - data;
2507}
2508
fe4128e0 2509static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 2510{
2511 struct l2cap_conf_rsp *rsp = data;
2512 void *ptr = rsp->data;
1da177e4 2513
fe4128e0 2514 BT_DBG("chan %p", chan);
1da177e4 2515
fe4128e0 2516 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 2517 rsp->result = cpu_to_le16(result);
aca3192c 2518 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2519
2520 return ptr - data;
2521}
2522
8c1d787b 2523void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 2524{
2525 struct l2cap_conn_rsp rsp;
8c1d787b 2526 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 2527 u8 buf[128];
2528
fe4128e0
GP		 2529 rsp.scid = cpu_to_le16(chan->dcid);
2530 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 2531 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2532 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2533 l2cap_send_cmd(conn, chan->ident,
2534 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2535
c1360a1c 2536 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 2537 return;
2538
710f9b0a
GP		 2539 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2540 l2cap_build_conf_req(chan, buf), buf);
2541 chan->num_conf_req++;
2542}
2543
47d1ec61 2544static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 2545{
7b1c0049
GP		 2546 int type, olen;
2547 unsigned long val;
2548 struct l2cap_conf_rfc rfc;
2549
47d1ec61 2550 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 2551
0c1bc5c6 2552 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 2553 return;
2554
2555 while (len >= L2CAP_CONF_OPT_SIZE) {
2556 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2557
2558 switch (type) {
2559 case L2CAP_CONF_RFC:
2560 if (olen == sizeof(rfc))
2561 memcpy(&rfc, (void *)val, olen);
2562 goto done;
2563 }
2564 }
2565
2566done:
2567 switch (rfc.mode) {
2568 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2569 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2570 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2571 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2572 break;
2573 case L2CAP_MODE_STREAMING:
47d1ec61 2574 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2575 }
2576}
2577
4e8402a3
MH		 2578static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2579{
e2fd318e 2580 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 2581
e2fd318e 2582 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 2583 return 0;
2584
2585 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2586 cmd->ident == conn->info_ident) {
f878fcad 2587 cancel_delayed_work_sync(&conn->info_work);
984947dc
MH		 2588
2589 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2590 conn->info_ident = 0;
984947dc 2591
4e8402a3
MH		 2592 l2cap_conn_start(conn);
2593 }
2594
2595 return 0;
2596}
2597
1da177e4
LT		 2598static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2599{
1da177e4
LT		 2600 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2601 struct l2cap_conn_rsp rsp;
23691d75 2602 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 2603 struct sock *parent, *sk = NULL;
e7c29cb1 2604 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2605
2606 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2607 __le16 psm = req->psm;
1da177e4
LT		 2608
2609 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2610
2611 /* Check if we have socket listening on psm */
23691d75
GP		 2612 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
2613 if (!pchan) {
1da177e4
LT		 2614 result = L2CAP_CR_BAD_PSM;
2615 goto sendresp;
2616 }
2617
23691d75
GP		 2618 parent = pchan->sk;
2619
aa2ac881 2620 lock_sock(parent);
e0f0cb56 2621
e7c29cb1
MH		 2622 /* Check if the ACL is secure enough (if not SDP) */
2623 if (psm != cpu_to_le16(0x0001) &&
2624 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 2625 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 2626 result = L2CAP_CR_SEC_BLOCK;
2627 goto response;
2628 }
2629
1da177e4
LT		 2630 result = L2CAP_CR_NO_MEM;
2631
2632 /* Check for backlog size */
2633 if (sk_acceptq_is_full(parent)) {
8e87d142 2634 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2635 goto response;
2636 }
2637
80808e43
GP		 2638 chan = pchan->ops->new_connection(pchan->data);
2639 if (!chan)
1da177e4
LT		 2640 goto response;
2641
80808e43
GP		 2642 sk = chan->sk;
2643
d01b2ff4 2644 mutex_lock(&conn->chan_lock);
1da177e4
LT		 2645
2646 /* Check if we already have channel with that dcid */
baa7e1fa 2647 if (__l2cap_get_chan_by_dcid(conn, scid)) {
d01b2ff4 2648 mutex_unlock(&conn->chan_lock);
1da177e4 2649 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 2650 chan->ops->close(chan->data);
1da177e4
LT		 2651 goto response;
2652 }
2653
2654 hci_conn_hold(conn->hcon);
2655
1da177e4
LT		 2656 bacpy(&bt_sk(sk)->src, conn->src);
2657 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 2658 chan->psm = psm;
2659 chan->dcid = scid;
1da177e4 2660
d1010240
GP		 2661 bt_accept_enqueue(parent, sk);
2662
48454079
GP		 2663 __l2cap_chan_add(conn, chan);
2664
fe4128e0 2665 dcid = chan->scid;
1da177e4 2666
c9b66675 2667 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 2668
fc7f8a7e 2669 chan->ident = cmd->ident;
1da177e4 2670
984947dc 2671 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 2672 if (l2cap_chan_check_security(chan)) {
f66dc81f 2673 if (bt_sk(sk)->defer_setup) {
89bc500e 2674 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 2675 result = L2CAP_CR_PEND;
2676 status = L2CAP_CS_AUTHOR_PEND;
2677 parent->sk_data_ready(parent, 0);
2678 } else {
89bc500e 2679 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 2680 result = L2CAP_CR_SUCCESS;
2681 status = L2CAP_CS_NO_INFO;
2682 }
79d554a6 2683 } else {
89bc500e 2684 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2685 result = L2CAP_CR_PEND;
2686 status = L2CAP_CS_AUTHEN_PEND;
2687 }
2688 } else {
89bc500e 2689 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2690 result = L2CAP_CR_PEND;
2691 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2692 }
2693
d01b2ff4 2694 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2695
2696response:
aa2ac881 2697 release_sock(parent);
1da177e4
LT		 2698
2699sendresp:
aca3192c
YH		 2700 rsp.scid = cpu_to_le16(scid);
2701 rsp.dcid = cpu_to_le16(dcid);
2702 rsp.result = cpu_to_le16(result);
2703 rsp.status = cpu_to_le16(status);
1da177e4 2704 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2705
2706 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2707 struct l2cap_info_req info;
2708 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2709
2710 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2711 conn->info_ident = l2cap_get_ident(conn);
2712
f878fcad 2713 schedule_delayed_work(&conn->info_work,
79d554a6
MH		 2714 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2715
2716 l2cap_send_cmd(conn, conn->info_ident,
2717 L2CAP_INFO_REQ, sizeof(info), &info);
2718 }
2719
c1360a1c 2720 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 2721 result == L2CAP_CR_SUCCESS) {
2722 u8 buf[128];
c1360a1c 2723 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 2724 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2725 l2cap_build_conf_req(chan, buf), buf);
2726 chan->num_conf_req++;
e9aeb2dd
GP		 2727 }
2728
1da177e4
LT		 2729 return 0;
2730}
2731
2732static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2733{
2734 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2735 u16 scid, dcid, result, status;
48454079 2736 struct l2cap_chan *chan;
1da177e4
LT		 2737 struct sock *sk;
2738 u8 req[128];
2739
2740 scid = __le16_to_cpu(rsp->scid);
2741 dcid = __le16_to_cpu(rsp->dcid);
2742 result = __le16_to_cpu(rsp->result);
2743 status = __le16_to_cpu(rsp->status);
2744
2745 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2746
2747 if (scid) {
baa7e1fa 2748 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2749 if (!chan)
57d3b22b 2750 return -EFAULT;
1da177e4 2751 } else {
baa7e1fa 2752 chan = l2cap_get_chan_by_ident(conn, cmd->ident);
48454079 2753 if (!chan)
57d3b22b 2754 return -EFAULT;
1da177e4
LT		 2755 }
2756
48454079
GP		 2757 sk = chan->sk;
2758
1da177e4
LT		 2759 switch (result) {
2760 case L2CAP_CR_SUCCESS:
89bc500e 2761 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 2762 chan->ident = 0;
fe4128e0 2763 chan->dcid = dcid;
c1360a1c 2764 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 2765
c1360a1c 2766 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 2767 break;
2768
1da177e4 2769 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2770 l2cap_build_conf_req(chan, req), req);
2771 chan->num_conf_req++;
1da177e4
LT		 2772 break;
2773
2774 case L2CAP_CR_PEND:
c1360a1c 2775 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 2776 break;
2777
2778 default:
48454079 2779 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 2780 break;
2781 }
2782
aa2ac881 2783 release_sock(sk);
1da177e4
LT		 2784 return 0;
2785}
2786
47d1ec61 2787static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 2788{
2789 /* FCS is enabled only in ERTM or streaming mode, if one or both
2790 * sides request it.
2791 */
0c1bc5c6 2792 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 2793 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2794 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 2795 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 2796}
2797
88219a0f 2798static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2799{
2800 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2801 u16 dcid, flags;
2802 u8 rsp[64];
48454079 2803 struct l2cap_chan *chan;
1da177e4 2804 struct sock *sk;
5dee9e7c 2805 int len;
1da177e4
LT		 2806
2807 dcid = __le16_to_cpu(req->dcid);
2808 flags = __le16_to_cpu(req->flags);
2809
2810 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2811
baa7e1fa 2812 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2813 if (!chan)
1da177e4
LT		 2814 return -ENOENT;
2815
48454079
GP		 2816 sk = chan->sk;
2817
033b1142 2818 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 2819 struct l2cap_cmd_rej_cid rej;
2820
2821 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
2822 rej.scid = cpu_to_le16(chan->scid);
2823 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 2824
df6bd743
GP		 2825 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2826 sizeof(rej), &rej);
354f60a9 2827 goto unlock;
df6bd743 2828 }
354f60a9 2829
5dee9e7c 2830 /* Reject if config buffer is too small. */
88219a0f 2831 len = cmd_len - sizeof(*req);
7ac28817 2832 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 2833 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2834 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 2835 L2CAP_CONF_REJECT, flags), rsp);
2836 goto unlock;
2837 }
2838
2839 /* Store config. */
73ffa904
GP		 2840 memcpy(chan->conf_req + chan->conf_len, req->data, len);
2841 chan->conf_len += len;
1da177e4
LT		 2842
2843 if (flags & 0x0001) {
2844 /* Incomplete config. Send empty response. */
2845 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2846 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 2847 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2848 goto unlock;
2849 }
2850
2851 /* Complete config. */
73ffa904 2852 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 2853 if (len < 0) {
e92c8e70 2854 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 2855 goto unlock;
f2fcfcd6 2856 }
1da177e4 2857
5dee9e7c 2858 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 2859 chan->num_conf_rsp++;
5dee9e7c 2860
5dee9e7c 2861 /* Reset config buffer. */
73ffa904 2862 chan->conf_len = 0;
5dee9e7c 2863
c1360a1c 2864 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 2865 goto unlock;
2866
c1360a1c 2867 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 2868 set_default_fcs(chan);
fcc203c3 2869
89bc500e 2870 l2cap_state_change(chan, BT_CONNECTED);
e90bac06 2871
42e5c802
GP		 2872 chan->next_tx_seq = 0;
2873 chan->expected_tx_seq = 0;
58d35f87 2874 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2875 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2876 l2cap_ertm_init(chan);
0565c1c2 2877
1da177e4 2878 l2cap_chan_ready(sk);
876d9484
MH		 2879 goto unlock;
2880 }
2881
c1360a1c 2882 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 2883 u8 buf[64];
1da177e4 2884 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2885 l2cap_build_conf_req(chan, buf), buf);
2886 chan->num_conf_req++;
1da177e4
LT		 2887 }
2888
0e8b207e
AE		 2889 /* Got Conf Rsp PENDING from remote side and asume we sent
2890 Conf Rsp PENDING in the code above */
2891 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
2892 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
2893
2894 /* check compatibility */
2895
2896 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
2897 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
2898
2899 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 2900 l2cap_build_conf_rsp(chan, rsp,
0e8b207e
AE		 2901 L2CAP_CONF_SUCCESS, 0x0000), rsp);
2902 }
2903
1da177e4 2904unlock:
aa2ac881 2905 release_sock(sk);
1da177e4
LT		 2906 return 0;
2907}
2908
2909static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2910{
2911 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2912 u16 scid, flags, result;
48454079 2913 struct l2cap_chan *chan;
1da177e4 2914 struct sock *sk;
7b1c0049 2915 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 2916
2917 scid = __le16_to_cpu(rsp->scid);
2918 flags = __le16_to_cpu(rsp->flags);
2919 result = __le16_to_cpu(rsp->result);
2920
af05b30b
GP		 2921 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2922 scid, flags, result);
1da177e4 2923
baa7e1fa 2924 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2925 if (!chan)
1da177e4
LT		 2926 return 0;
2927
48454079
GP		 2928 sk = chan->sk;
2929
1da177e4
LT		 2930 switch (result) {
2931 case L2CAP_CONF_SUCCESS:
47d1ec61 2932 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 2933 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 2934 break;
2935
0e8b207e
AE		 2936 case L2CAP_CONF_PENDING:
2937 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
2938
2939 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
2940 char buf[64];
2941
2942 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2943 buf, &result);
2944 if (len < 0) {
2945 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2946 goto done;
2947 }
2948
2949 /* check compatibility */
2950
2951 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
2952 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
2953
2954 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 2955 l2cap_build_conf_rsp(chan, buf,
0e8b207e
AE		 2956 L2CAP_CONF_SUCCESS, 0x0000), buf);
2957 }
2958 goto done;
2959
1da177e4 2960 case L2CAP_CONF_UNACCEPT:
73ffa904 2961 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 2962 char req[64];
2963
c2c77ec8 2964 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 2965 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 2966 goto done;
2967 }
2968
f2fcfcd6
GP		 2969 /* throw out any old stored conf requests */
2970 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 2971 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2972 req, &result);
f2fcfcd6 2973 if (len < 0) {
e92c8e70 2974 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 2975 goto done;
2976 }
2977
2978 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2979 L2CAP_CONF_REQ, len, req);
73ffa904 2980 chan->num_conf_req++;
f2fcfcd6
GP		 2981 if (result != L2CAP_CONF_SUCCESS)
2982 goto done;
2983 break;
1da177e4
LT		 2984 }
2985
8e87d142 2986 default:
b1235d79 2987 sk->sk_err = ECONNRESET;
f3f668b0 2988 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 2989 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 2990 goto done;
2991 }
2992
2993 if (flags & 0x01)
2994 goto done;
2995
c1360a1c 2996 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 2997
c1360a1c 2998 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 2999 set_default_fcs(chan);
fcc203c3 3000
89bc500e 3001 l2cap_state_change(chan, BT_CONNECTED);
42e5c802
GP		 3002 chan->next_tx_seq = 0;
3003 chan->expected_tx_seq = 0;
58d35f87 3004 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 3005 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 3006 l2cap_ertm_init(chan);
0565c1c2 3007
1da177e4
LT		 3008 l2cap_chan_ready(sk);
3009 }
3010
3011done:
aa2ac881 3012 release_sock(sk);
1da177e4
LT		 3013 return 0;
3014}
3015
3016static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3017{
3018 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3019 struct l2cap_disconn_rsp rsp;
3020 u16 dcid, scid;
48454079 3021 struct l2cap_chan *chan;
1da177e4
LT		 3022 struct sock *sk;
3023
3024 scid = __le16_to_cpu(req->scid);
3025 dcid = __le16_to_cpu(req->dcid);
3026
3027 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3028
baa7e1fa 3029 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3030 if (!chan)
1da177e4
LT		 3031 return 0;
3032
48454079
GP		 3033 sk = chan->sk;
3034
fe4128e0
GP		 3035 rsp.dcid = cpu_to_le16(chan->scid);
3036 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3037 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3038
3039 sk->sk_shutdown = SHUTDOWN_MASK;
3040
48454079 3041 l2cap_chan_del(chan, ECONNRESET);
aa2ac881 3042 release_sock(sk);
1da177e4 3043
ba3bd0ee 3044 chan->ops->close(chan->data);
1da177e4
LT		 3045 return 0;
3046}
3047
3048static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3049{
3050 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3051 u16 dcid, scid;
48454079 3052 struct l2cap_chan *chan;
1da177e4
LT		 3053 struct sock *sk;
3054
3055 scid = __le16_to_cpu(rsp->scid);
3056 dcid = __le16_to_cpu(rsp->dcid);
3057
3058 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3059
baa7e1fa 3060 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3061 if (!chan)
1da177e4
LT		 3062 return 0;
3063
48454079
GP		 3064 sk = chan->sk;
3065
48454079 3066 l2cap_chan_del(chan, 0);
aa2ac881 3067 release_sock(sk);
1da177e4 3068
ba3bd0ee 3069 chan->ops->close(chan->data);
1da177e4
LT		 3070 return 0;
3071}
3072
3073static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3074{
3075 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3076 u16 type;
3077
3078 type = __le16_to_cpu(req->type);
3079
3080 BT_DBG("type 0x%4.4x", type);
3081
f0709e03
MH		 3082 if (type == L2CAP_IT_FEAT_MASK) {
3083 u8 buf[8];
44dd46de 3084 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 3085 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3086 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3087 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3088 if (!disable_ertm)
fcc203c3
GP		 3089 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3090 | L2CAP_FEAT_FCS;
a5fd6f30 3091 if (enable_hs)
6327eb98
AE		 3092 feat_mask |= L2CAP_FEAT_EXT_FLOW
3093 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3094
1b7bf4ed 3095 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3096 l2cap_send_cmd(conn, cmd->ident,
3097 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3098 } else if (type == L2CAP_IT_FIXED_CHAN) {
3099 u8 buf[12];
3100 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3101
3102 if (enable_hs)
3103 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3104 else
3105 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3106
e1027a7c
MH		 3107 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3108 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3109 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH		 3110 l2cap_send_cmd(conn, cmd->ident,
3111 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3112 } else {
3113 struct l2cap_info_rsp rsp;
3114 rsp.type = cpu_to_le16(type);
3115 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3116 l2cap_send_cmd(conn, cmd->ident,
3117 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3118 }
1da177e4
LT		 3119
3120 return 0;
3121}
3122
3123static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3124{
3125 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3126 u16 type, result;
3127
3128 type = __le16_to_cpu(rsp->type);
3129 result = __le16_to_cpu(rsp->result);
3130
3131 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3132
e90165be
AE		 3133 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3134 if (cmd->ident != conn->info_ident ||
3135 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3136 return 0;
3137
f878fcad 3138 cancel_delayed_work_sync(&conn->info_work);
4e8402a3 3139
adb08ede
VT		 3140 if (result != L2CAP_IR_SUCCESS) {
3141 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3142 conn->info_ident = 0;
3143
3144 l2cap_conn_start(conn);
3145
3146 return 0;
3147 }
3148
984947dc 3149 if (type == L2CAP_IT_FEAT_MASK) {
83985319 3150 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3151
47ec1dcd 3152 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 3153 struct l2cap_info_req req;
3154 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3155
3156 conn->info_ident = l2cap_get_ident(conn);
3157
3158 l2cap_send_cmd(conn, conn->info_ident,
3159 L2CAP_INFO_REQ, sizeof(req), &req);
3160 } else {
3161 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3162 conn->info_ident = 0;
3163
3164 l2cap_conn_start(conn);
3165 }
3166 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 3167 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3168 conn->info_ident = 0;
984947dc
MH		 3169
3170 l2cap_conn_start(conn);
3171 }
4e8402a3 3172
1da177e4
LT		 3173 return 0;
3174}
3175
f94ff6ff
MM		 3176static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3177 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3178 void *data)
3179{
3180 struct l2cap_create_chan_req *req = data;
3181 struct l2cap_create_chan_rsp rsp;
3182 u16 psm, scid;
3183
3184 if (cmd_len != sizeof(*req))
3185 return -EPROTO;
3186
3187 if (!enable_hs)
3188 return -EINVAL;
3189
3190 psm = le16_to_cpu(req->psm);
3191 scid = le16_to_cpu(req->scid);
3192
3193 BT_DBG("psm %d, scid %d, amp_id %d", psm, scid, req->amp_id);
3194
3195 /* Placeholder: Always reject */
3196 rsp.dcid = 0;
3197 rsp.scid = cpu_to_le16(scid);
3198 rsp.result = L2CAP_CR_NO_MEM;
3199 rsp.status = L2CAP_CS_NO_INFO;
3200
3201 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
3202 sizeof(rsp), &rsp);
3203
3204 return 0;
3205}
3206
3207static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
3208 struct l2cap_cmd_hdr *cmd, void *data)
3209{
3210 BT_DBG("conn %p", conn);
3211
3212 return l2cap_connect_rsp(conn, cmd, data);
3213}
3214
8d5a04a1
MM		 3215static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
3216 u16 icid, u16 result)
3217{
3218 struct l2cap_move_chan_rsp rsp;
3219
3220 BT_DBG("icid %d, result %d", icid, result);
3221
3222 rsp.icid = cpu_to_le16(icid);
3223 rsp.result = cpu_to_le16(result);
3224
3225 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
3226}
3227
3228static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
3229 struct l2cap_chan *chan, u16 icid, u16 result)
3230{
3231 struct l2cap_move_chan_cfm cfm;
3232 u8 ident;
3233
3234 BT_DBG("icid %d, result %d", icid, result);
3235
3236 ident = l2cap_get_ident(conn);
3237 if (chan)
3238 chan->ident = ident;
3239
3240 cfm.icid = cpu_to_le16(icid);
3241 cfm.result = cpu_to_le16(result);
3242
3243 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
3244}
3245
3246static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
3247 u16 icid)
3248{
3249 struct l2cap_move_chan_cfm_rsp rsp;
3250
3251 BT_DBG("icid %d", icid);
3252
3253 rsp.icid = cpu_to_le16(icid);
3254 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
3255}
3256
3257static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
3258 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3259{
3260 struct l2cap_move_chan_req *req = data;
3261 u16 icid = 0;
3262 u16 result = L2CAP_MR_NOT_ALLOWED;
3263
3264 if (cmd_len != sizeof(*req))
3265 return -EPROTO;
3266
3267 icid = le16_to_cpu(req->icid);
3268
3269 BT_DBG("icid %d, dest_amp_id %d", icid, req->dest_amp_id);
3270
3271 if (!enable_hs)
3272 return -EINVAL;
3273
3274 /* Placeholder: Always refuse */
3275 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
3276
3277 return 0;
3278}
3279
3280static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
3281 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3282{
3283 struct l2cap_move_chan_rsp *rsp = data;
3284 u16 icid, result;
3285
3286 if (cmd_len != sizeof(*rsp))
3287 return -EPROTO;
3288
3289 icid = le16_to_cpu(rsp->icid);
3290 result = le16_to_cpu(rsp->result);
3291
3292 BT_DBG("icid %d, result %d", icid, result);
3293
3294 /* Placeholder: Always unconfirmed */
3295 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
3296
3297 return 0;
3298}
3299
3300static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
3301 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3302{
3303 struct l2cap_move_chan_cfm *cfm = data;
3304 u16 icid, result;
3305
3306 if (cmd_len != sizeof(*cfm))
3307 return -EPROTO;
3308
3309 icid = le16_to_cpu(cfm->icid);
3310 result = le16_to_cpu(cfm->result);
3311
3312 BT_DBG("icid %d, result %d", icid, result);
3313
3314 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
3315
3316 return 0;
3317}
3318
3319static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
3320 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3321{
3322 struct l2cap_move_chan_cfm_rsp *rsp = data;
3323 u16 icid;
3324
3325 if (cmd_len != sizeof(*rsp))
3326 return -EPROTO;
3327
3328 icid = le16_to_cpu(rsp->icid);
3329
3330 BT_DBG("icid %d", icid);
3331
3332 return 0;
3333}
3334
e2174ca4 3335static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 3336 u16 to_multiplier)
3337{
3338 u16 max_latency;
3339
3340 if (min > max || min < 6 || max > 3200)
3341 return -EINVAL;
3342
3343 if (to_multiplier < 10 || to_multiplier > 3200)
3344 return -EINVAL;
3345
3346 if (max >= to_multiplier * 8)
3347 return -EINVAL;
3348
3349 max_latency = (to_multiplier * 8 / max) - 1;
3350 if (latency > 499 || latency > max_latency)
3351 return -EINVAL;
3352
3353 return 0;
3354}
3355
3356static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
3357 struct l2cap_cmd_hdr *cmd, u8 *data)
3358{
3359 struct hci_conn *hcon = conn->hcon;
3360 struct l2cap_conn_param_update_req *req;
3361 struct l2cap_conn_param_update_rsp rsp;
3362 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 3363 int err;
de73115a
CT		 3364
3365 if (!(hcon->link_mode & HCI_LM_MASTER))
3366 return -EINVAL;
3367
3368 cmd_len = __le16_to_cpu(cmd->len);
3369 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
3370 return -EPROTO;
3371
3372 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 3373 min = __le16_to_cpu(req->min);
3374 max = __le16_to_cpu(req->max);
de73115a
CT		 3375 latency = __le16_to_cpu(req->latency);
3376 to_multiplier = __le16_to_cpu(req->to_multiplier);
3377
3378 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
3379 min, max, latency, to_multiplier);
3380
3381 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 3382
3383 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
3384 if (err)
de73115a
CT		 3385 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
3386 else
3387 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
3388
3389 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
3390 sizeof(rsp), &rsp);
3391
2ce603eb
CT		 3392 if (!err)
3393 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
3394
de73115a
CT		 3395 return 0;
3396}
3397
3300d9a9
CT		 3398static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
3399 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3400{
3401 int err = 0;
3402
3403 switch (cmd->code) {
3404 case L2CAP_COMMAND_REJ:
3405 l2cap_command_rej(conn, cmd, data);
3406 break;
3407
3408 case L2CAP_CONN_REQ:
3409 err = l2cap_connect_req(conn, cmd, data);
3410 break;
3411
3412 case L2CAP_CONN_RSP:
3413 err = l2cap_connect_rsp(conn, cmd, data);
3414 break;
3415
3416 case L2CAP_CONF_REQ:
3417 err = l2cap_config_req(conn, cmd, cmd_len, data);
3418 break;
3419
3420 case L2CAP_CONF_RSP:
3421 err = l2cap_config_rsp(conn, cmd, data);
3422 break;
3423
3424 case L2CAP_DISCONN_REQ:
3425 err = l2cap_disconnect_req(conn, cmd, data);
3426 break;
3427
3428 case L2CAP_DISCONN_RSP:
3429 err = l2cap_disconnect_rsp(conn, cmd, data);
3430 break;
3431
3432 case L2CAP_ECHO_REQ:
3433 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
3434 break;
3435
3436 case L2CAP_ECHO_RSP:
3437 break;
3438
3439 case L2CAP_INFO_REQ:
3440 err = l2cap_information_req(conn, cmd, data);
3441 break;
3442
3443 case L2CAP_INFO_RSP:
3444 err = l2cap_information_rsp(conn, cmd, data);
3445 break;
3446
f94ff6ff
MM		 3447 case L2CAP_CREATE_CHAN_REQ:
3448 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
3449 break;
3450
3451 case L2CAP_CREATE_CHAN_RSP:
3452 err = l2cap_create_channel_rsp(conn, cmd, data);
3453 break;
3454
8d5a04a1
MM		 3455 case L2CAP_MOVE_CHAN_REQ:
3456 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
3457 break;
3458
3459 case L2CAP_MOVE_CHAN_RSP:
3460 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
3461 break;
3462
3463 case L2CAP_MOVE_CHAN_CFM:
3464 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
3465 break;
3466
3467 case L2CAP_MOVE_CHAN_CFM_RSP:
3468 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
3469 break;
3470
3300d9a9
CT		 3471 default:
3472 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
3473 err = -EINVAL;
3474 break;
3475 }
3476
3477 return err;
3478}
3479
3480static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
3481 struct l2cap_cmd_hdr *cmd, u8 *data)
3482{
3483 switch (cmd->code) {
3484 case L2CAP_COMMAND_REJ:
3485 return 0;
3486
3487 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 3488 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 3489
3490 case L2CAP_CONN_PARAM_UPDATE_RSP:
3491 return 0;
3492
3493 default:
3494 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
3495 return -EINVAL;
3496 }
3497}
3498
3499static inline void l2cap_sig_channel(struct l2cap_conn *conn,
3500 struct sk_buff *skb)
1da177e4
LT		 3501{
3502 u8 *data = skb->data;
3503 int len = skb->len;
3504 struct l2cap_cmd_hdr cmd;
3300d9a9 3505 int err;
1da177e4
LT		 3506
3507 l2cap_raw_recv(conn, skb);
3508
3509 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3510 u16 cmd_len;
1da177e4
LT		 3511 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3512 data += L2CAP_CMD_HDR_SIZE;
3513 len -= L2CAP_CMD_HDR_SIZE;
3514
88219a0f 3515 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3516
88219a0f 3517 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3518
88219a0f 3519 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3520 BT_DBG("corrupted command");
3521 break;
3522 }
3523
3300d9a9
CT		 3524 if (conn->hcon->type == LE_LINK)
3525 err = l2cap_le_sig_cmd(conn, &cmd, data);
3526 else
3527 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 3528
3529 if (err) {
e2fd318e 3530 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 3531
3532 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 3533
3534 /* FIXME: Map err to a valid reason */
e2fd318e 3535 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 3536 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3537 }
3538
88219a0f
AV		 3539 data += cmd_len;
3540 len -= cmd_len;
1da177e4
LT		 3541 }
3542
3543 kfree_skb(skb);
3544}
3545
47d1ec61 3546static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 3547{
3548 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 3549 int hdr_size;
3550
3551 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3552 hdr_size = L2CAP_EXT_HDR_SIZE;
3553 else
3554 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 3555
47d1ec61 3556 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 3557 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 3558 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3559 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3560
3561 if (our_fcs != rcv_fcs)
7a560e5c 3562 return -EBADMSG;
fcc203c3
GP		 3563 }
3564 return 0;
3565}
3566
525cd185 3567static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 3568{
88843ab0 3569 u32 control = 0;
d5392c8f 3570
6a026610 3571 chan->frames_sent = 0;
d5392c8f 3572
0b209fae 3573 control |= __set_reqseq(chan, chan->buffer_seq);
d5392c8f 3574
e2ab4353 3575 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 3576 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
525cd185 3577 l2cap_send_sframe(chan, control);
e2ab4353 3578 set_bit(CONN_RNR_SENT, &chan->conn_state);
d5392c8f
GP		 3579 }
3580
e2ab4353 3581 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
525cd185 3582 l2cap_retransmit_frames(chan);
d5392c8f 3583
525cd185 3584 l2cap_ertm_send(chan);
d5392c8f 3585
e2ab4353 3586 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
6a026610 3587 chan->frames_sent == 0) {
ab784b73 3588 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 3589 l2cap_send_sframe(chan, control);
d5392c8f
GP		 3590 }
3591}
3592
fb45de7d 3593static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u16 tx_seq, u8 sar)
8f17154f
GP		 3594{
3595 struct sk_buff *next_skb;
bfbacc11 3596 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 3597
3598 bt_cb(skb)->tx_seq = tx_seq;
3599 bt_cb(skb)->sar = sar;
3600
f1c6775b 3601 next_skb = skb_peek(&chan->srej_q);
8f17154f 3602
836be934 3603 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
bfbacc11 3604
039d9572 3605 while (next_skb) {
9b53350d
JPRV		 3606 if (bt_cb(next_skb)->tx_seq == tx_seq)
3607 return -EINVAL;
3608
836be934
AE		 3609 next_tx_seq_offset = __seq_offset(chan,
3610 bt_cb(next_skb)->tx_seq, chan->buffer_seq);
bfbacc11
JPRV		 3611
3612 if (next_tx_seq_offset > tx_seq_offset) {
f1c6775b 3613 __skb_queue_before(&chan->srej_q, next_skb, skb);
9b53350d 3614 return 0;
8f17154f
GP		 3615 }
3616
f1c6775b 3617 if (skb_queue_is_last(&chan->srej_q, next_skb))
039d9572
SJ		 3618 next_skb = NULL;
3619 else
3620 next_skb = skb_queue_next(&chan->srej_q, next_skb);
3621 }
8f17154f 3622
f1c6775b 3623 __skb_queue_tail(&chan->srej_q, skb);
9b53350d
JPRV		 3624
3625 return 0;
8f17154f
GP		 3626}
3627
84084a31
MM		 3628static void append_skb_frag(struct sk_buff *skb,
3629 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 3630{
84084a31
MM		 3631 /* skb->len reflects data in skb as well as all fragments
3632 * skb->data_len reflects only data in fragments
3633 */
3634 if (!skb_has_frag_list(skb))
3635 skb_shinfo(skb)->frag_list = new_frag;
3636
3637 new_frag->next = NULL;
3638
3639 (*last_frag)->next = new_frag;
3640 *last_frag = new_frag;
3641
3642 skb->len += new_frag->len;
3643 skb->data_len += new_frag->len;
3644 skb->truesize += new_frag->truesize;
3645}
3646
88843ab0 3647static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u32 control)
84084a31
MM		 3648{
3649 int err = -EINVAL;
18778a63 3650
7e0ef6ee
AE		 3651 switch (__get_ctrl_sar(chan, control)) {
3652 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 3653 if (chan->sdu)
3654 break;
18778a63 3655
84084a31
MM		 3656 err = chan->ops->recv(chan->data, skb);
3657 break;
18778a63 3658
7e0ef6ee 3659 case L2CAP_SAR_START:
84084a31
MM		 3660 if (chan->sdu)
3661 break;
18778a63 3662
6f61fd47 3663 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 3664 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 3665
84084a31
MM		 3666 if (chan->sdu_len > chan->imtu) {
3667 err = -EMSGSIZE;
3668 break;
3669 }
1890d36b 3670
84084a31
MM		 3671 if (skb->len >= chan->sdu_len)
3672 break;
18778a63 3673
84084a31
MM		 3674 chan->sdu = skb;
3675 chan->sdu_last_frag = skb;
18778a63 3676
84084a31
MM		 3677 skb = NULL;
3678 err = 0;
18778a63
GP		 3679 break;
3680
7e0ef6ee 3681 case L2CAP_SAR_CONTINUE:
6f61fd47 3682 if (!chan->sdu)
84084a31 3683 break;
18778a63 3684
84084a31
MM		 3685 append_skb_frag(chan->sdu, skb,
3686 &chan->sdu_last_frag);
3687 skb = NULL;
18778a63 3688
84084a31
MM		 3689 if (chan->sdu->len >= chan->sdu_len)
3690 break;
4178ba46 3691
84084a31 3692 err = 0;
18778a63
GP		 3693 break;
3694
7e0ef6ee 3695 case L2CAP_SAR_END:
6f61fd47 3696 if (!chan->sdu)
84084a31 3697 break;
18778a63 3698
84084a31
MM		 3699 append_skb_frag(chan->sdu, skb,
3700 &chan->sdu_last_frag);
3701 skb = NULL;
4178ba46 3702
84084a31
MM		 3703 if (chan->sdu->len != chan->sdu_len)
3704 break;
18778a63 3705
84084a31 3706 err = chan->ops->recv(chan->data, chan->sdu);
1890d36b 3707
84084a31
MM		 3708 if (!err) {
3709 /* Reassembly complete */
3710 chan->sdu = NULL;
3711 chan->sdu_last_frag = NULL;
3712 chan->sdu_len = 0;
1890d36b 3713 }
18778a63
GP		 3714 break;
3715 }
3716
84084a31
MM		 3717 if (err) {
3718 kfree_skb(skb);
3719 kfree_skb(chan->sdu);
3720 chan->sdu = NULL;
3721 chan->sdu_last_frag = NULL;
3722 chan->sdu_len = 0;
3723 }
18778a63 3724
84084a31 3725 return err;
18778a63
GP		 3726}
3727
26f880d2 3728static void l2cap_ertm_enter_local_busy(struct l2cap_chan *chan)
712132eb 3729{
88843ab0 3730 u32 control;
712132eb 3731
26f880d2 3732 BT_DBG("chan %p, Enter local busy", chan);
712132eb 3733
26f880d2
MM		 3734 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3735
0b209fae 3736 control = __set_reqseq(chan, chan->buffer_seq);
ab784b73 3737 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
26f880d2
MM		 3738 l2cap_send_sframe(chan, control);
3739
3740 set_bit(CONN_RNR_SENT, &chan->conn_state);
3741
3742 __clear_ack_timer(chan);
3743}
3744
3745static void l2cap_ertm_exit_local_busy(struct l2cap_chan *chan)
3746{
88843ab0 3747 u32 control;
712132eb 3748
e2ab4353 3749 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
712132eb
GP		 3750 goto done;
3751
0b209fae 3752 control = __set_reqseq(chan, chan->buffer_seq);
e3781735 3753 control |= __set_ctrl_poll(chan);
ab784b73 3754 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 3755 l2cap_send_sframe(chan, control);
6a026610 3756 chan->retry_count = 1;
712132eb 3757
1a09bcb9
GP		 3758 __clear_retrans_timer(chan);
3759 __set_monitor_timer(chan);
712132eb 3760
e2ab4353 3761 set_bit(CONN_WAIT_F, &chan->conn_state);
712132eb
GP		 3762
3763done:
e2ab4353
GP		 3764 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3765 clear_bit(CONN_RNR_SENT, &chan->conn_state);
712132eb 3766
49208c9c 3767 BT_DBG("chan %p, Exit local busy", chan);
712132eb
GP		 3768}
3769
e328140f 3770void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
1890d36b 3771{
e328140f
MM		 3772 if (chan->mode == L2CAP_MODE_ERTM) {
3773 if (busy)
3774 l2cap_ertm_enter_local_busy(chan);
3775 else
3776 l2cap_ertm_exit_local_busy(chan);
1890d36b 3777 }
1890d36b
GP		 3778}
3779
fb45de7d 3780static void l2cap_check_srej_gap(struct l2cap_chan *chan, u16 tx_seq)
8f17154f
GP		 3781{
3782 struct sk_buff *skb;
88843ab0 3783 u32 control;
8f17154f 3784
e328140f
MM		 3785 while ((skb = skb_peek(&chan->srej_q)) &&
3786 !test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3787 int err;
3788
8f17154f
GP		 3789 if (bt_cb(skb)->tx_seq != tx_seq)
3790 break;
3791
f1c6775b 3792 skb = skb_dequeue(&chan->srej_q);
7e0ef6ee 3793 control = __set_ctrl_sar(chan, bt_cb(skb)->sar);
84084a31 3794 err = l2cap_reassemble_sdu(chan, skb, control);
e328140f
MM		 3795
3796 if (err < 0) {
3797 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3798 break;
3799 }
3800
836be934
AE		 3801 chan->buffer_seq_srej = __next_seq(chan, chan->buffer_seq_srej);
3802 tx_seq = __next_seq(chan, tx_seq);
8f17154f
GP		 3803 }
3804}
3805
fb45de7d 3806static void l2cap_resend_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 3807{
8f17154f 3808 struct srej_list *l, *tmp;
88843ab0 3809 u32 control;
8f17154f 3810
39d5a3ee 3811 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
8f17154f
GP		 3812 if (l->tx_seq == tx_seq) {
3813 list_del(&l->list);
3814 kfree(l);
3815 return;
3816 }
ab784b73 3817 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 3818 control |= __set_reqseq(chan, l->tx_seq);
525cd185 3819 l2cap_send_sframe(chan, control);
8f17154f 3820 list_del(&l->list);
39d5a3ee 3821 list_add_tail(&l->list, &chan->srej_l);
8f17154f
GP		 3822 }
3823}
3824
aef89f21 3825static int l2cap_send_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 3826{
8f17154f 3827 struct srej_list *new;
88843ab0 3828 u32 control;
8f17154f 3829
42e5c802 3830 while (tx_seq != chan->expected_tx_seq) {
ab784b73 3831 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 3832 control |= __set_reqseq(chan, chan->expected_tx_seq);
525cd185 3833 l2cap_send_sframe(chan, control);
8f17154f
GP		 3834
3835 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
aef89f21
SJ		 3836 if (!new)
3837 return -ENOMEM;
3838
42e5c802 3839 new->tx_seq = chan->expected_tx_seq;
836be934
AE		 3840
3841 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
3842
39d5a3ee 3843 list_add_tail(&new->list, &chan->srej_l);
8f17154f 3844 }
836be934
AE		 3845
3846 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
aef89f21
SJ		 3847
3848 return 0;
8f17154f
GP		 3849}
3850
88843ab0 3851static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
1c2acffb 3852{
fb45de7d 3853 u16 tx_seq = __get_txseq(chan, rx_control);
0b209fae 3854 u16 req_seq = __get_reqseq(chan, rx_control);
7e0ef6ee 3855 u8 sar = __get_ctrl_sar(chan, rx_control);
f6337c77 3856 int tx_seq_offset, expected_tx_seq_offset;
47d1ec61 3857 int num_to_ack = (chan->tx_win/6) + 1;
1c2acffb
GP		 3858 int err = 0;
3859
88843ab0 3860 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%8.8x", chan, skb->len,
525cd185 3861 tx_seq, rx_control);
1c2acffb 3862
03f6715d 3863 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 3864 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 3865 __clear_monitor_timer(chan);
6a026610 3866 if (chan->unacked_frames > 0)
1a09bcb9 3867 __set_retrans_timer(chan);
e2ab4353 3868 clear_bit(CONN_WAIT_F, &chan->conn_state);
1d8f5d16
GP		 3869 }
3870
42e5c802
GP		 3871 chan->expected_ack_seq = req_seq;
3872 l2cap_drop_acked_frames(chan);
9f121a5a 3873
836be934 3874 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
9b53350d
JPRV		 3875
3876 /* invalid tx_seq */
47d1ec61 3877 if (tx_seq_offset >= chan->tx_win) {
8c1d787b 3878 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
9b53350d
JPRV		 3879 goto drop;
3880 }
3881
e2ab4353 3882 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1890d36b
GP		 3883 goto drop;
3884
02f1b641
MM		 3885 if (tx_seq == chan->expected_tx_seq)
3886 goto expected;
3887
e2ab4353 3888 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
8f17154f 3889 struct srej_list *first;
30afb5b2 3890
39d5a3ee 3891 first = list_first_entry(&chan->srej_l,
8f17154f
GP		 3892 struct srej_list, list);
3893 if (tx_seq == first->tx_seq) {
42e5c802 3894 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
525cd185 3895 l2cap_check_srej_gap(chan, tx_seq);
8f17154f
GP		 3896
3897 list_del(&first->list);
3898 kfree(first);
3899
39d5a3ee 3900 if (list_empty(&chan->srej_l)) {
42e5c802 3901 chan->buffer_seq = chan->buffer_seq_srej;
e2ab4353 3902 clear_bit(CONN_SREJ_SENT, &chan->conn_state);
525cd185 3903 l2cap_send_ack(chan);
49208c9c 3904 BT_DBG("chan %p, Exit SREJ_SENT", chan);
8f17154f
GP		 3905 }
3906 } else {
3907 struct srej_list *l;
9b53350d
JPRV		 3908
3909 /* duplicated tx_seq */
42e5c802 3910 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
9b53350d 3911 goto drop;
8f17154f 3912
39d5a3ee 3913 list_for_each_entry(l, &chan->srej_l, list) {
8f17154f 3914 if (l->tx_seq == tx_seq) {
525cd185 3915 l2cap_resend_srejframe(chan, tx_seq);
8f17154f
GP		 3916 return 0;
3917 }
3918 }
aef89f21
SJ		 3919
3920 err = l2cap_send_srejframe(chan, tx_seq);
3921 if (err < 0) {
3922 l2cap_send_disconn_req(chan->conn, chan, -err);
3923 return err;
3924 }
30afb5b2
GP		 3925 }
3926 } else {
836be934
AE		 3927 expected_tx_seq_offset = __seq_offset(chan,
3928 chan->expected_tx_seq, chan->buffer_seq);
9b53350d
JPRV		 3929
3930 /* duplicated tx_seq */
3931 if (tx_seq_offset < expected_tx_seq_offset)
3932 goto drop;
3933
e2ab4353 3934 set_bit(CONN_SREJ_SENT, &chan->conn_state);
1c2acffb 3935
49208c9c 3936 BT_DBG("chan %p, Enter SREJ", chan);
0e98958d 3937
39d5a3ee 3938 INIT_LIST_HEAD(&chan->srej_l);
42e5c802 3939 chan->buffer_seq_srej = chan->buffer_seq;
8f17154f 3940
f1c6775b 3941 __skb_queue_head_init(&chan->srej_q);
42e5c802 3942 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
8f17154f 3943
e2ab4353 3944 set_bit(CONN_SEND_PBIT, &chan->conn_state);
ef54fd93 3945
aef89f21
SJ		 3946 err = l2cap_send_srejframe(chan, tx_seq);
3947 if (err < 0) {
3948 l2cap_send_disconn_req(chan->conn, chan, -err);
3949 return err;
3950 }
7fe9b298 3951
1a09bcb9 3952 __clear_ack_timer(chan);
1c2acffb 3953 }
30afb5b2
GP		 3954 return 0;
3955
8f17154f 3956expected:
836be934 3957 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
8f17154f 3958
e2ab4353 3959 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3b1a9f3f
GP		 3960 bt_cb(skb)->tx_seq = tx_seq;
3961 bt_cb(skb)->sar = sar;
f1c6775b 3962 __skb_queue_tail(&chan->srej_q, skb);
8f17154f
GP		 3963 return 0;
3964 }
3965
84084a31 3966 err = l2cap_reassemble_sdu(chan, skb, rx_control);
836be934
AE		 3967 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
3968
e328140f
MM		 3969 if (err < 0) {
3970 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3971 return err;
3972 }
2ece3684 3973
03f6715d 3974 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3975 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3976 l2cap_retransmit_frames(chan);
4ec10d97
GP		 3977 }
3978
c1b4f43b 3979
6a026610
GP		 3980 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3981 if (chan->num_acked == num_to_ack - 1)
525cd185 3982 l2cap_send_ack(chan);
4d611e4d
GP		 3983 else
3984 __set_ack_timer(chan);
9e917af1 3985
8f17154f 3986 return 0;
9b53350d
JPRV		 3987
3988drop:
3989 kfree_skb(skb);
3990 return 0;
1c2acffb
GP		 3991}
3992
88843ab0 3993static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u32 rx_control)
1c2acffb 3994{
88843ab0 3995 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan,
0b209fae 3996 __get_reqseq(chan, rx_control), rx_control);
0e98958d 3997
0b209fae 3998 chan->expected_ack_seq = __get_reqseq(chan, rx_control);
42e5c802 3999 l2cap_drop_acked_frames(chan);
1c2acffb 4000
e3781735 4001 if (__is_ctrl_poll(chan, rx_control)) {
e2ab4353
GP		 4002 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4003 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
4004 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 4005 (chan->unacked_frames > 0))
1a09bcb9 4006 __set_retrans_timer(chan);
05fbd89d 4007
e2ab4353 4008 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
525cd185 4009 l2cap_send_srejtail(chan);
05fbd89d 4010 } else {
525cd185 4011 l2cap_send_i_or_rr_or_rnr(chan);
05fbd89d 4012 }
1d8f5d16 4013
03f6715d 4014 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4015 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4ec10d97 4016
e2ab4353 4017 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 4018 l2cap_retransmit_frames(chan);
2246b2f1 4019
e072745f 4020 } else {
e2ab4353 4021 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 4022 (chan->unacked_frames > 0))
1a09bcb9 4023 __set_retrans_timer(chan);
1c2acffb 4024
e2ab4353
GP		 4025 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4026 if (test_bit(CONN_SREJ_SENT, &chan->conn_state))
525cd185 4027 l2cap_send_ack(chan);
894718a6 4028 else
525cd185 4029 l2cap_ertm_send(chan);
e072745f
GP		 4030 }
4031}
2246b2f1 4032
88843ab0 4033static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4034{
0b209fae 4035 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 4036
88843ab0 4037 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4038
e2ab4353 4039 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
e072745f 4040
42e5c802
GP		 4041 chan->expected_ack_seq = tx_seq;
4042 l2cap_drop_acked_frames(chan);
e072745f 4043
03f6715d 4044 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4045 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 4046 l2cap_retransmit_frames(chan);
e072745f 4047 } else {
525cd185 4048 l2cap_retransmit_frames(chan);
30afb5b2 4049
e2ab4353
GP		 4050 if (test_bit(CONN_WAIT_F, &chan->conn_state))
4051 set_bit(CONN_REJ_ACT, &chan->conn_state);
e072745f
GP		 4052 }
4053}
88843ab0 4054static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4055{
0b209fae 4056 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 4057
88843ab0 4058 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4059
e2ab4353 4060 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
2246b2f1 4061
e3781735 4062 if (__is_ctrl_poll(chan, rx_control)) {
42e5c802
GP		 4063 chan->expected_ack_seq = tx_seq;
4064 l2cap_drop_acked_frames(chan);
3cb123d1 4065
e2ab4353 4066 set_bit(CONN_SEND_FBIT, &chan->conn_state);
525cd185 4067 l2cap_retransmit_one_frame(chan, tx_seq);
dfc909be 4068
525cd185 4069 l2cap_ertm_send(chan);
dfc909be 4070
e2ab4353 4071 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 4072 chan->srej_save_reqseq = tx_seq;
e2ab4353 4073 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 4074 }
03f6715d 4075 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4076 if (test_bit(CONN_SREJ_ACT, &chan->conn_state) &&
6a026610 4077 chan->srej_save_reqseq == tx_seq)
e2ab4353 4078 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
e072745f 4079 else
525cd185 4080 l2cap_retransmit_one_frame(chan, tx_seq);
e072745f 4081 } else {
525cd185 4082 l2cap_retransmit_one_frame(chan, tx_seq);
e2ab4353 4083 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 4084 chan->srej_save_reqseq = tx_seq;
e2ab4353 4085 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 4086 }
e072745f
GP		 4087 }
4088}
4089
88843ab0 4090static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4091{
0b209fae 4092 u16 tx_seq = __get_reqseq(chan, rx_control);
e072745f 4093
88843ab0 4094 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4095
e2ab4353 4096 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
42e5c802
GP		 4097 chan->expected_ack_seq = tx_seq;
4098 l2cap_drop_acked_frames(chan);
e072745f 4099
e3781735 4100 if (__is_ctrl_poll(chan, rx_control))
e2ab4353 4101 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3cb123d1 4102
e2ab4353 4103 if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
1a09bcb9 4104 __clear_retrans_timer(chan);
e3781735 4105 if (__is_ctrl_poll(chan, rx_control))
525cd185 4106 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
99b0d4b7 4107 return;
e072745f 4108 }
99b0d4b7 4109
e3781735 4110 if (__is_ctrl_poll(chan, rx_control)) {
525cd185 4111 l2cap_send_srejtail(chan);
ab784b73
AE		 4112 } else {
4113 rx_control = __set_ctrl_super(chan, L2CAP_SUPER_RR);
4114 l2cap_send_sframe(chan, rx_control);
4115 }
e072745f
GP		 4116}
4117
88843ab0 4118static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
e072745f 4119{
88843ab0 4120 BT_DBG("chan %p rx_control 0x%8.8x len %d", chan, rx_control, skb->len);
e072745f 4121
03f6715d 4122 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 4123 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 4124 __clear_monitor_timer(chan);
6a026610 4125 if (chan->unacked_frames > 0)
1a09bcb9 4126 __set_retrans_timer(chan);
e2ab4353 4127 clear_bit(CONN_WAIT_F, &chan->conn_state);
e072745f
GP		 4128 }
4129
ab784b73
AE		 4130 switch (__get_ctrl_super(chan, rx_control)) {
4131 case L2CAP_SUPER_RR:
525cd185 4132 l2cap_data_channel_rrframe(chan, rx_control);
8f17154f
GP		 4133 break;
4134
ab784b73 4135 case L2CAP_SUPER_REJ:
525cd185 4136 l2cap_data_channel_rejframe(chan, rx_control);
e072745f 4137 break;
2246b2f1 4138
ab784b73 4139 case L2CAP_SUPER_SREJ:
525cd185 4140 l2cap_data_channel_srejframe(chan, rx_control);
e072745f
GP		 4141 break;
4142
ab784b73 4143 case L2CAP_SUPER_RNR:
525cd185 4144 l2cap_data_channel_rnrframe(chan, rx_control);
1c2acffb
GP		 4145 break;
4146 }
4147
faaebd19 4148 kfree_skb(skb);
1c2acffb
GP		 4149 return 0;
4150}
4151
218bb9df
GP		 4152static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
4153{
525cd185 4154 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
88843ab0 4155 u32 control;
0b209fae 4156 u16 req_seq;
218bb9df
GP		 4157 int len, next_tx_seq_offset, req_seq_offset;
4158
88843ab0
AE		 4159 control = __get_control(chan, skb->data);
4160 skb_pull(skb, __ctrl_size(chan));
218bb9df
GP		 4161 len = skb->len;
4162
4163 /*
4164 * We can just drop the corrupted I-frame here.
4165 * Receiver will miss it and start proper recovery
4166 * procedures and ask retransmission.
4167 */
47d1ec61 4168 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 4169 goto drop;
4170
793c2f1c 4171 if (__is_sar_start(chan, control) && !__is_sframe(chan, control))
03a51213 4172 len -= L2CAP_SDULEN_SIZE;
218bb9df 4173
47d1ec61 4174 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 4175 len -= L2CAP_FCS_SIZE;
218bb9df 4176
47d1ec61 4177 if (len > chan->mps) {
8c1d787b 4178 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4179 goto drop;
4180 }
4181
0b209fae 4182 req_seq = __get_reqseq(chan, control);
218bb9df 4183
836be934
AE		 4184 req_seq_offset = __seq_offset(chan, req_seq, chan->expected_ack_seq);
4185
4186 next_tx_seq_offset = __seq_offset(chan, chan->next_tx_seq,
4187 chan->expected_ack_seq);
218bb9df
GP		 4188
4189 /* check for invalid req-seq */
4190 if (req_seq_offset > next_tx_seq_offset) {
8c1d787b 4191 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4192 goto drop;
4193 }
4194
793c2f1c 4195 if (!__is_sframe(chan, control)) {
218bb9df 4196 if (len < 0) {
8c1d787b 4197 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4198 goto drop;
4199 }
4200
525cd185 4201 l2cap_data_channel_iframe(chan, control, skb);
218bb9df
GP		 4202 } else {
4203 if (len != 0) {
4204 BT_ERR("%d", len);
8c1d787b 4205 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4206 goto drop;
4207 }
4208
525cd185 4209 l2cap_data_channel_sframe(chan, control, skb);
218bb9df
GP		 4210 }
4211
4212 return 0;
4213
4214drop:
4215 kfree_skb(skb);
4216 return 0;
4217}
4218
1da177e4
LT		 4219static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
4220{
48454079 4221 struct l2cap_chan *chan;
bf734843 4222 struct sock *sk = NULL;
88843ab0 4223 u32 control;
fb45de7d 4224 u16 tx_seq;
218bb9df 4225 int len;
1da177e4 4226
baa7e1fa 4227 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 4228 if (!chan) {
1da177e4
LT		 4229 BT_DBG("unknown cid 0x%4.4x", cid);
4230 goto drop;
4231 }
4232
48454079 4233 sk = chan->sk;
6840ed07 4234
49208c9c 4235 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 4236
89bc500e 4237 if (chan->state != BT_CONNECTED)
1da177e4
LT		 4238 goto drop;
4239
0c1bc5c6 4240 switch (chan->mode) {
1c2acffb
GP		 4241 case L2CAP_MODE_BASIC:
4242 /* If socket recv buffers overflows we drop data here
4243 * which is *bad* because L2CAP has to be reliable.
4244 * But we don't have any other choice. L2CAP doesn't
4245 * provide flow control mechanism. */
1da177e4 4246
0c1bc5c6 4247 if (chan->imtu < skb->len)
1c2acffb 4248 goto drop;
1da177e4 4249
23070494 4250 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP		 4251 goto done;
4252 break;
4253
4254 case L2CAP_MODE_ERTM:
eb403a1b 4255 l2cap_ertm_data_rcv(sk, skb);
1c2acffb 4256
fcafde2e 4257 goto done;
1c2acffb 4258
6840ed07 4259 case L2CAP_MODE_STREAMING:
88843ab0
AE		 4260 control = __get_control(chan, skb->data);
4261 skb_pull(skb, __ctrl_size(chan));
6840ed07
GP		 4262 len = skb->len;
4263
47d1ec61 4264 if (l2cap_check_fcs(chan, skb))
26000089
GP		 4265 goto drop;
4266
7e0ef6ee 4267 if (__is_sar_start(chan, control))
03a51213 4268 len -= L2CAP_SDULEN_SIZE;
6840ed07 4269
47d1ec61 4270 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 4271 len -= L2CAP_FCS_SIZE;
fcc203c3 4272
793c2f1c 4273 if (len > chan->mps || len < 0 || __is_sframe(chan, control))
6840ed07
GP		 4274 goto drop;
4275
fb45de7d 4276 tx_seq = __get_txseq(chan, control);
6840ed07 4277
84084a31
MM		 4278 if (chan->expected_tx_seq != tx_seq) {
4279 /* Frame(s) missing - must discard partial SDU */
4280 kfree_skb(chan->sdu);
4281 chan->sdu = NULL;
4282 chan->sdu_last_frag = NULL;
4283 chan->sdu_len = 0;
6840ed07 4284
84084a31
MM		 4285 /* TODO: Notify userland of missing data */
4286 }
4287
836be934 4288 chan->expected_tx_seq = __next_seq(chan, tx_seq);
84084a31
MM		 4289
4290 if (l2cap_reassemble_sdu(chan, skb, control) == -EMSGSIZE)
4291 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
6840ed07
GP		 4292
4293 goto done;
4294
1c2acffb 4295 default:
0c1bc5c6 4296 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 4297 break;
4298 }
1da177e4
LT		 4299
4300drop:
4301 kfree_skb(skb);
4302
4303done:
0139418c 4304 if (sk)
aa2ac881 4305 release_sock(sk);
0139418c 4306
1da177e4
LT		 4307 return 0;
4308}
4309
8e036fc3 4310static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 4311{
6dcae1ea 4312 struct sock *sk = NULL;
23691d75 4313 struct l2cap_chan *chan;
1da177e4 4314
23691d75
GP		 4315 chan = l2cap_global_chan_by_psm(0, psm, conn->src);
4316 if (!chan)
1da177e4
LT		 4317 goto drop;
4318
23691d75
GP		 4319 sk = chan->sk;
4320
aa2ac881 4321 lock_sock(sk);
e0f0cb56 4322
1da177e4
LT		 4323 BT_DBG("sk %p, len %d", sk, skb->len);
4324
89bc500e 4325 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 4326 goto drop;
4327
e13e21dc 4328 if (chan->imtu < skb->len)
1da177e4
LT		 4329 goto drop;
4330
23070494 4331 if (!chan->ops->recv(chan->data, skb))
1da177e4
LT		 4332 goto done;
4333
4334drop:
4335 kfree_skb(skb);
4336
4337done:
af05b30b 4338 if (sk)
aa2ac881 4339 release_sock(sk);
1da177e4
LT		 4340 return 0;
4341}
4342
9f69bda6
GP		 4343static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
4344{
6dcae1ea 4345 struct sock *sk = NULL;
23691d75 4346 struct l2cap_chan *chan;
9f69bda6 4347
23691d75
GP		 4348 chan = l2cap_global_chan_by_scid(0, cid, conn->src);
4349 if (!chan)
9f69bda6
GP		 4350 goto drop;
4351
23691d75
GP		 4352 sk = chan->sk;
4353
aa2ac881 4354 lock_sock(sk);
9f69bda6
GP		 4355
4356 BT_DBG("sk %p, len %d", sk, skb->len);
4357
89bc500e 4358 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 4359 goto drop;
4360
e13e21dc 4361 if (chan->imtu < skb->len)
9f69bda6
GP		 4362 goto drop;
4363
23070494 4364 if (!chan->ops->recv(chan->data, skb))
9f69bda6
GP		 4365 goto done;
4366
4367drop:
4368 kfree_skb(skb);
4369
4370done:
4371 if (sk)
aa2ac881 4372 release_sock(sk);
9f69bda6
GP		 4373 return 0;
4374}
4375
1da177e4
LT		 4376static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4377{
4378 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4379 u16 cid, len;
4380 __le16 psm;
1da177e4
LT		 4381
4382 skb_pull(skb, L2CAP_HDR_SIZE);
4383 cid = __le16_to_cpu(lh->cid);
4384 len = __le16_to_cpu(lh->len);
4385
1c2acffb
GP		 4386 if (len != skb->len) {
4387 kfree_skb(skb);
4388 return;
4389 }
4390
1da177e4
LT		 4391 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4392
4393 switch (cid) {
3300d9a9 4394 case L2CAP_CID_LE_SIGNALING:
8db4dc46 4395 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4396 l2cap_sig_channel(conn, skb);
4397 break;
4398
8db4dc46 4399 case L2CAP_CID_CONN_LESS:
1b7bf4ed 4400 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 4401 skb_pull(skb, 2);
4402 l2cap_conless_channel(conn, psm, skb);
4403 break;
4404
9f69bda6
GP		 4405 case L2CAP_CID_LE_DATA:
4406 l2cap_att_channel(conn, cid, skb);
4407 break;
4408
b501d6a1
AB		 4409 case L2CAP_CID_SMP:
4410 if (smp_sig_channel(conn, skb))
4411 l2cap_conn_del(conn->hcon, EACCES);
4412 break;
4413
1da177e4
LT		 4414 default:
4415 l2cap_data_channel(conn, cid, skb);
4416 break;
4417 }
4418}
4419
4420/* ---- L2CAP interface with lower layer (HCI) ---- */
4421
4422static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4423{
4424 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 4425 struct l2cap_chan *c;
1da177e4
LT		 4426
4427 if (type != ACL_LINK)
963cf687 4428 return -EINVAL;
1da177e4
LT		 4429
4430 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4431
4432 /* Find listening sockets and check their link_mode */
23691d75
GP		 4433 read_lock(&chan_list_lock);
4434 list_for_each_entry(c, &chan_list, global_l) {
4435 struct sock *sk = c->sk;
4343478f 4436
89bc500e 4437 if (c->state != BT_LISTEN)
1da177e4
LT		 4438 continue;
4439
4440 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4441 lm1 |= HCI_LM_ACCEPT;
43bd0f32 4442 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 4443 lm1 |= HCI_LM_MASTER;
1da177e4 4444 exact++;
2af6b9d5
MH		 4445 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4446 lm2 |= HCI_LM_ACCEPT;
43bd0f32 4447 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 4448 lm2 |= HCI_LM_MASTER;
4449 }
1da177e4 4450 }
23691d75 4451 read_unlock(&chan_list_lock);
1da177e4
LT		 4452
4453 return exact ? lm1 : lm2;
4454}
4455
4456static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4457{
0139418c
MH		 4458 struct l2cap_conn *conn;
4459
1da177e4
LT		 4460 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4461
acd7d370 4462 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4463 return -EINVAL;
1da177e4
LT		 4464
4465 if (!status) {
1da177e4
LT		 4466 conn = l2cap_conn_add(hcon, status);
4467 if (conn)
4468 l2cap_conn_ready(conn);
0139418c 4469 } else
e175072f 4470 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 4471
4472 return 0;
4473}
4474
2950f21a
MH		 4475static int l2cap_disconn_ind(struct hci_conn *hcon)
4476{
4477 struct l2cap_conn *conn = hcon->l2cap_data;
4478
4479 BT_DBG("hcon %p", hcon);
4480
b5694506 4481 if ((hcon->type != ACL_LINK && hcon->type != LE_LINK) || !conn)
9f5a0d7b 4482 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 4483
4484 return conn->disc_reason;
4485}
4486
4487static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4488{
4489 BT_DBG("hcon %p reason %d", hcon, reason);
4490
acd7d370 4491 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4492 return -EINVAL;
1da177e4 4493
e175072f 4494 l2cap_conn_del(hcon, bt_to_errno(reason));
0139418c 4495
1da177e4
LT		 4496 return 0;
4497}
4498
4343478f 4499static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4500{
715ec005 4501 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 4502 return;
4503
f62e4323 4504 if (encrypt == 0x00) {
4343478f 4505 if (chan->sec_level == BT_SECURITY_MEDIUM) {
c9b66675 4506 __clear_chan_timer(chan);
f3f668b0 4507 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 4508 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 4509 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4510 } else {
4343478f 4511 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 4512 __clear_chan_timer(chan);
f62e4323
MH		 4513 }
4514}
4515
8c1b2355 4516static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4517{
0139418c 4518 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4519 struct l2cap_chan *chan;
1da177e4 4520
0139418c 4521 if (!conn)
1da177e4 4522 return 0;
0139418c 4523
1da177e4
LT		 4524 BT_DBG("conn %p", conn);
4525
160dc6ac
VCG		 4526 if (hcon->type == LE_LINK) {
4527 smp_distribute_keys(conn, 0);
4528 del_timer(&conn->security_timer);
4529 }
4530
d01b2ff4 4531 mutex_lock(&conn->chan_lock);
1da177e4 4532
baa7e1fa 4533 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 4534 struct sock *sk = chan->sk;
baa7e1fa 4535
1da177e4
LT		 4536 bh_lock_sock(sk);
4537
f1cb9af5
VCG		 4538 BT_DBG("chan->scid %d", chan->scid);
4539
4540 if (chan->scid == L2CAP_CID_LE_DATA) {
4541 if (!status && encrypt) {
4542 chan->sec_level = hcon->sec_level;
4543 l2cap_chan_ready(sk);
4544 }
4545
4546 bh_unlock_sock(sk);
4547 continue;
4548 }
4549
c1360a1c 4550 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6a8d3010
MH		 4551 bh_unlock_sock(sk);
4552 continue;
4553 }
4554
89bc500e
GP		 4555 if (!status && (chan->state == BT_CONNECTED ||
4556 chan->state == BT_CONFIG)) {
4343478f 4557 l2cap_check_encryption(chan, encrypt);
9719f8af
MH		 4558 bh_unlock_sock(sk);
4559 continue;
4560 }
4561
89bc500e 4562 if (chan->state == BT_CONNECT) {
b1235d79
MH		 4563 if (!status) {
4564 struct l2cap_conn_req req;
fe4128e0
GP		 4565 req.scid = cpu_to_le16(chan->scid);
4566 req.psm = chan->psm;
1da177e4 4567
fc7f8a7e 4568 chan->ident = l2cap_get_ident(conn);
c1360a1c 4569 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4 4570
fc7f8a7e 4571 l2cap_send_cmd(conn, chan->ident,
b1235d79
MH		 4572 L2CAP_CONN_REQ, sizeof(req), &req);
4573 } else {
c9b66675 4574 __clear_chan_timer(chan);
f3f668b0 4575 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 4576 }
89bc500e 4577 } else if (chan->state == BT_CONNECT2) {
b1235d79 4578 struct l2cap_conn_rsp rsp;
df3c3931 4579 __u16 res, stat;
1da177e4 4580
b1235d79 4581 if (!status) {
df3c3931
JH		 4582 if (bt_sk(sk)->defer_setup) {
4583 struct sock *parent = bt_sk(sk)->parent;
4584 res = L2CAP_CR_PEND;
4585 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 4586 if (parent)
4587 parent->sk_data_ready(parent, 0);
df3c3931 4588 } else {
05558911 4589 l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 4590 res = L2CAP_CR_SUCCESS;
4591 stat = L2CAP_CS_NO_INFO;
4592 }
b1235d79 4593 } else {
89bc500e 4594 l2cap_state_change(chan, BT_DISCONN);
f3f668b0 4595 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 4596 res = L2CAP_CR_SEC_BLOCK;
4597 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 4598 }
4599
fe4128e0
GP		 4600 rsp.scid = cpu_to_le16(chan->dcid);
4601 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 4602 rsp.result = cpu_to_le16(res);
4603 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 4604 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4605 sizeof(rsp), &rsp);
b1235d79 4606 }
1da177e4
LT		 4607
4608 bh_unlock_sock(sk);
4609 }
4610
d01b2ff4 4611 mutex_unlock(&conn->chan_lock);
b1235d79 4612
1da177e4
LT		 4613 return 0;
4614}
4615
4616static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4617{
4618 struct l2cap_conn *conn = hcon->l2cap_data;
4619
5a08ecce
AE		 4620 if (!conn)
4621 conn = l2cap_conn_add(hcon, 0);
4622
4623 if (!conn)
1da177e4
LT		 4624 goto drop;
4625
4626 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4627
e702112f 4628 if (!(flags & ACL_CONT)) {
1da177e4 4629 struct l2cap_hdr *hdr;
48454079 4630 struct l2cap_chan *chan;
89794813 4631 u16 cid;
1da177e4
LT		 4632 int len;
4633
4634 if (conn->rx_len) {
4635 BT_ERR("Unexpected start frame (len %d)", skb->len);
4636 kfree_skb(conn->rx_skb);
4637 conn->rx_skb = NULL;
4638 conn->rx_len = 0;
4639 l2cap_conn_unreliable(conn, ECOMM);
4640 }
4641
aae7fe22
AE		 4642 /* Start fragment always begin with Basic L2CAP header */
4643 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 4644 BT_ERR("Frame is too short (len %d)", skb->len);
4645 l2cap_conn_unreliable(conn, ECOMM);
4646 goto drop;
4647 }
4648
4649 hdr = (struct l2cap_hdr *) skb->data;
4650 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
89794813 4651 cid = __le16_to_cpu(hdr->cid);
1da177e4
LT		 4652
4653 if (len == skb->len) {
4654 /* Complete frame received */
4655 l2cap_recv_frame(conn, skb);
4656 return 0;
4657 }
4658
4659 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4660
4661 if (skb->len > len) {
4662 BT_ERR("Frame is too long (len %d, expected len %d)",
4663 skb->len, len);
4664 l2cap_conn_unreliable(conn, ECOMM);
4665 goto drop;
4666 }
4667
baa7e1fa 4668 chan = l2cap_get_chan_by_scid(conn, cid);
89794813 4669
48454079
GP		 4670 if (chan && chan->sk) {
4671 struct sock *sk = chan->sk;
89794813 4672
0c1bc5c6 4673 if (chan->imtu < len - L2CAP_HDR_SIZE) {
48454079
GP		 4674 BT_ERR("Frame exceeding recv MTU (len %d, "
4675 "MTU %d)", len,
0c1bc5c6 4676 chan->imtu);
aa2ac881 4677 release_sock(sk);
48454079
GP		 4678 l2cap_conn_unreliable(conn, ECOMM);
4679 goto drop;
4680 }
aa2ac881 4681 release_sock(sk);
48454079 4682 }
89794813 4683
1da177e4 4684 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4685 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4686 if (!conn->rx_skb)
1da177e4
LT		 4687 goto drop;
4688
d626f62b 4689 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4690 skb->len);
1da177e4
LT		 4691 conn->rx_len = len - skb->len;
4692 } else {
4693 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4694
4695 if (!conn->rx_len) {
4696 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4697 l2cap_conn_unreliable(conn, ECOMM);
4698 goto drop;
4699 }
4700
4701 if (skb->len > conn->rx_len) {
4702 BT_ERR("Fragment is too long (len %d, expected %d)",
4703 skb->len, conn->rx_len);
4704 kfree_skb(conn->rx_skb);
4705 conn->rx_skb = NULL;
4706 conn->rx_len = 0;
4707 l2cap_conn_unreliable(conn, ECOMM);
4708 goto drop;
4709 }
4710
d626f62b 4711 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4712 skb->len);
1da177e4
LT		 4713 conn->rx_len -= skb->len;
4714
4715 if (!conn->rx_len) {
4716 /* Complete frame received */
4717 l2cap_recv_frame(conn, conn->rx_skb);
4718 conn->rx_skb = NULL;
4719 }
4720 }
4721
4722drop:
4723 kfree_skb(skb);
4724 return 0;
4725}
4726
aef7d97c 4727static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 4728{
23691d75 4729 struct l2cap_chan *c;
1da177e4 4730
23691d75 4731 read_lock_bh(&chan_list_lock);
1da177e4 4732
23691d75
GP		 4733 list_for_each_entry(c, &chan_list, global_l) {
4734 struct sock *sk = c->sk;
101545f6 4735
903d343e 4736 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 4737 batostr(&bt_sk(sk)->src),
4738 batostr(&bt_sk(sk)->dst),
89bc500e 4739 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 4740 c->scid, c->dcid, c->imtu, c->omtu,
4741 c->sec_level, c->mode);
05558911 4742}
1da177e4 4743
23691d75 4744 read_unlock_bh(&chan_list_lock);
1da177e4 4745
aef7d97c 4746 return 0;
1da177e4
LT		 4747}
4748
aef7d97c
MH		 4749static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4750{
4751 return single_open(file, l2cap_debugfs_show, inode->i_private);
4752}
4753
4754static const struct file_operations l2cap_debugfs_fops = {
4755 .open = l2cap_debugfs_open,
4756 .read = seq_read,
4757 .llseek = seq_lseek,
4758 .release = single_release,
4759};
4760
4761static struct dentry *l2cap_debugfs;
1da177e4 4762
1da177e4
LT		 4763static struct hci_proto l2cap_hci_proto = {
4764 .name = "L2CAP",
4765 .id = HCI_PROTO_L2CAP,
4766 .connect_ind = l2cap_connect_ind,
4767 .connect_cfm = l2cap_connect_cfm,
4768 .disconn_ind = l2cap_disconn_ind,
2950f21a 4769 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 4770 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 4771 .recv_acldata = l2cap_recv_acldata
4772};
4773
64274518 4774int __init l2cap_init(void)
1da177e4
LT		 4775{
4776 int err;
be9d1227 4777
bb58f747 4778 err = l2cap_init_sockets();
1da177e4
LT		 4779 if (err < 0)
4780 return err;
4781
1da177e4
LT		 4782 err = hci_register_proto(&l2cap_hci_proto);
4783 if (err < 0) {
4784 BT_ERR("L2CAP protocol registration failed");
4785 bt_sock_unregister(BTPROTO_L2CAP);
4786 goto error;
4787 }
4788
aef7d97c
MH		 4789 if (bt_debugfs) {
4790 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4791 bt_debugfs, NULL, &l2cap_debugfs_fops);
4792 if (!l2cap_debugfs)
4793 BT_ERR("Failed to create L2CAP debug file");
4794 }
1da177e4 4795
1da177e4
LT		 4796 return 0;
4797
4798error:
bb58f747 4799 l2cap_cleanup_sockets();
1da177e4
LT		 4800 return err;
4801}
4802
64274518 4803void l2cap_exit(void)
1da177e4 4804{
aef7d97c 4805 debugfs_remove(l2cap_debugfs);
1da177e4 4806
1da177e4
LT		 4807 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4808 BT_ERR("L2CAP protocol unregistration failed");
4809
bb58f747 4810 l2cap_cleanup_sockets();
1da177e4
LT		 4811}
4812
d1c4a17d
GP		 4813module_param(disable_ertm, bool, 0644);
4814MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)