projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Fix a redundant and problematic incoming MTU check
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
33#include <linux/types.h>
4fc268d2 34#include <linux/capability.h>
1da177e4
LT		 35#include <linux/errno.h>
36#include <linux/kernel.h>
1da177e4
LT		 37#include <linux/sched.h>
38#include <linux/slab.h>
39#include <linux/poll.h>
40#include <linux/fcntl.h>
41#include <linux/init.h>
42#include <linux/interrupt.h>
43#include <linux/socket.h>
44#include <linux/skbuff.h>
1da177e4 45#include <linux/list.h>
be9d1227 46#include <linux/device.h>
aef7d97c
MH		 47#include <linux/debugfs.h>
48#include <linux/seq_file.h>
af05b30b 49#include <linux/uaccess.h>
fcc203c3 50#include <linux/crc16.h>
1da177e4
LT		 51#include <net/sock.h>
52
1da177e4
LT		 53#include <asm/unaligned.h>
54
55#include <net/bluetooth/bluetooth.h>
56#include <net/bluetooth/hci_core.h>
57#include <net/bluetooth/l2cap.h>
b501d6a1 58#include <net/bluetooth/smp.h>
1da177e4 59
eb939922 60bool disable_ertm;
f0709e03 61
47ec1dcd 62static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 63static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 64
b5ad8b7f
JB		 65static LIST_HEAD(chan_list);
66static DEFINE_RWLOCK(chan_list_lock);
1da177e4 67
1da177e4
LT		 68static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
69 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 70static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
71 void *data);
710f9b0a 72static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a
GP		 73static void l2cap_send_disconn_req(struct l2cap_conn *conn,
74 struct l2cap_chan *chan, int err);
1da177e4 75
0139418c 76/* ---- L2CAP channels ---- */
71ba0e56 77
baa7e1fa 78static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 79{
3df91ea2 80 struct l2cap_chan *c;
3d57dc68 81
3df91ea2
AE		 82 list_for_each_entry(c, &conn->chan_l, list) {
83 if (c->dcid == cid)
84 return c;
0139418c 85 }
3df91ea2 86 return NULL;
0139418c
MH		 87}
88
baa7e1fa 89static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 90{
3df91ea2 91 struct l2cap_chan *c;
3d57dc68 92
3df91ea2
AE		 93 list_for_each_entry(c, &conn->chan_l, list) {
94 if (c->scid == cid)
95 return c;
0139418c 96 }
3df91ea2 97 return NULL;
0139418c
MH		 98}
99
100/* Find channel with given SCID.
101 * Returns locked socket */
baa7e1fa 102static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 103{
48454079 104 struct l2cap_chan *c;
baa7e1fa 105
3df91ea2 106 mutex_lock(&conn->chan_lock);
baa7e1fa 107 c = __l2cap_get_chan_by_scid(conn, cid);
3df91ea2
AE		 108 mutex_unlock(&conn->chan_lock);
109
48454079 110 return c;
0139418c
MH		 111}
112
baa7e1fa 113static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 114{
3df91ea2 115 struct l2cap_chan *c;
3d57dc68 116
3df91ea2
AE		 117 list_for_each_entry(c, &conn->chan_l, list) {
118 if (c->ident == ident)
119 return c;
0139418c 120 }
3df91ea2 121 return NULL;
0139418c
MH		 122}
123
23691d75 124static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 125{
23691d75 126 struct l2cap_chan *c;
9e4425ff 127
23691d75
GP		 128 list_for_each_entry(c, &chan_list, global_l) {
129 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 130 return c;
9e4425ff 131 }
250938cb 132 return NULL;
9e4425ff
GP		 133}
134
135int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
136{
73b2ec18
GP		 137 int err;
138
333055f2 139 write_lock(&chan_list_lock);
9e4425ff 140
23691d75 141 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 142 err = -EADDRINUSE;
143 goto done;
9e4425ff
GP		 144 }
145
73b2ec18
GP		 146 if (psm) {
147 chan->psm = psm;
148 chan->sport = psm;
149 err = 0;
150 } else {
151 u16 p;
152
153 err = -EINVAL;
154 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 155 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 156 chan->psm = cpu_to_le16(p);
157 chan->sport = cpu_to_le16(p);
158 err = 0;
159 break;
160 }
161 }
9e4425ff 162
73b2ec18 163done:
333055f2 164 write_unlock(&chan_list_lock);
73b2ec18 165 return err;
9e4425ff
GP		 166}
167
168int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
169{
333055f2 170 write_lock(&chan_list_lock);
9e4425ff
GP		 171
172 chan->scid = scid;
173
333055f2 174 write_unlock(&chan_list_lock);
9e4425ff
GP		 175
176 return 0;
177}
178
baa7e1fa 179static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 180{
8db4dc46 181 u16 cid = L2CAP_CID_DYN_START;
0139418c 182
8db4dc46 183 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 184 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 185 return cid;
186 }
187
188 return 0;
189}
190
0e587be7 191static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 192{
42d2d87c 193 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
badaaa00
GP		 194 state_to_string(state));
195
89bc500e
GP		 196 chan->state = state;
197 chan->ops->state_change(chan->data, state);
198}
199
0e587be7
AE		 200static void l2cap_state_change(struct l2cap_chan *chan, int state)
201{
202 struct sock *sk = chan->sk;
203
204 lock_sock(sk);
205 __l2cap_state_change(chan, state);
206 release_sock(sk);
207}
208
2e0052e4
AE		 209static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
210{
211 struct sock *sk = chan->sk;
212
213 sk->sk_err = err;
214}
215
216static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
217{
218 struct sock *sk = chan->sk;
219
220 lock_sock(sk);
221 __l2cap_chan_set_err(chan, err);
222 release_sock(sk);
223}
224
3c588192
MM		 225/* ---- L2CAP sequence number lists ---- */
226
227/* For ERTM, ordered lists of sequence numbers must be tracked for
228 * SREJ requests that are received and for frames that are to be
229 * retransmitted. These seq_list functions implement a singly-linked
230 * list in an array, where membership in the list can also be checked
231 * in constant time. Items can also be added to the tail of the list
232 * and removed from the head in constant time, without further memory
233 * allocs or frees.
234 */
235
236static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
237{
238 size_t alloc_size, i;
239
240 /* Allocated size is a power of 2 to map sequence numbers
241 * (which may be up to 14 bits) in to a smaller array that is
242 * sized for the negotiated ERTM transmit windows.
243 */
244 alloc_size = roundup_pow_of_two(size);
245
246 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
247 if (!seq_list->list)
248 return -ENOMEM;
249
250 seq_list->mask = alloc_size - 1;
251 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
252 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
253 for (i = 0; i < alloc_size; i++)
254 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
255
256 return 0;
257}
258
259static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
260{
261 kfree(seq_list->list);
262}
263
264static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
265 u16 seq)
266{
267 /* Constant-time check for list membership */
268 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
269}
270
271static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
272{
273 u16 mask = seq_list->mask;
274
275 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
276 /* In case someone tries to pop the head of an empty list */
277 return L2CAP_SEQ_LIST_CLEAR;
278 } else if (seq_list->head == seq) {
279 /* Head can be removed in constant time */
280 seq_list->head = seq_list->list[seq & mask];
281 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
282
283 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
284 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
285 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
286 }
287 } else {
288 /* Walk the list to find the sequence number */
289 u16 prev = seq_list->head;
290 while (seq_list->list[prev & mask] != seq) {
291 prev = seq_list->list[prev & mask];
292 if (prev == L2CAP_SEQ_LIST_TAIL)
293 return L2CAP_SEQ_LIST_CLEAR;
294 }
295
296 /* Unlink the number from the list and clear it */
297 seq_list->list[prev & mask] = seq_list->list[seq & mask];
298 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
299 if (seq_list->tail == seq)
300 seq_list->tail = prev;
301 }
302 return seq;
303}
304
305static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
306{
307 /* Remove the head in constant time */
308 return l2cap_seq_list_remove(seq_list, seq_list->head);
309}
310
311static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
312{
f522ae36 313 u16 i;
3c588192 314
f522ae36
GP		 315 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
316 return;
317
318 for (i = 0; i <= seq_list->mask; i++)
319 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
320
321 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
322 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 323}
324
325static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
326{
327 u16 mask = seq_list->mask;
328
329 /* All appends happen in constant time */
330
f522ae36
GP		 331 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
332 return;
3c588192 333
f522ae36
GP		 334 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
335 seq_list->head = seq;
336 else
337 seq_list->list[seq_list->tail & mask] = seq;
338
339 seq_list->tail = seq;
340 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 341}
342
721c4181 343static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 344{
721c4181
GP		 345 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
346 chan_timer.work);
3df91ea2 347 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 348 int reason;
349
e05dcc32 350 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 351
3df91ea2 352 mutex_lock(&conn->chan_lock);
6be36555 353 l2cap_chan_lock(chan);
ab07801d 354
89bc500e 355 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 356 reason = ECONNREFUSED;
89bc500e 357 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 358 chan->sec_level != BT_SECURITY_SDP)
359 reason = ECONNREFUSED;
360 else
361 reason = ETIMEDOUT;
362
0f852724 363 l2cap_chan_close(chan, reason);
ab07801d 364
6be36555 365 l2cap_chan_unlock(chan);
ab07801d 366
ba3bd0ee 367 chan->ops->close(chan->data);
3df91ea2
AE		 368 mutex_unlock(&conn->chan_lock);
369
371fd835 370 l2cap_chan_put(chan);
ab07801d
GP		 371}
372
eef1d9b6 373struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 374{
375 struct l2cap_chan *chan;
376
377 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
378 if (!chan)
379 return NULL;
380
c03b355e
AE		 381 mutex_init(&chan->lock);
382
333055f2 383 write_lock(&chan_list_lock);
23691d75 384 list_add(&chan->global_l, &chan_list);
333055f2 385 write_unlock(&chan_list_lock);
23691d75 386
721c4181 387 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 388
89bc500e
GP		 389 chan->state = BT_OPEN;
390
71ba0e56
GP		 391 atomic_set(&chan->refcnt, 1);
392
eef1d9b6 393 BT_DBG("chan %p", chan);
abc545b8 394
48454079
GP		 395 return chan;
396}
397
23691d75 398void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 399{
333055f2 400 write_lock(&chan_list_lock);
23691d75 401 list_del(&chan->global_l);
333055f2 402 write_unlock(&chan_list_lock);
23691d75 403
371fd835 404 l2cap_chan_put(chan);
6ff5abbf
GP		 405}
406
bd4b1653
AE		 407void l2cap_chan_set_defaults(struct l2cap_chan *chan)
408{
409 chan->fcs = L2CAP_FCS_CRC16;
410 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
411 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
412 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
413 chan->sec_level = BT_SECURITY_LOW;
414
415 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
416}
417
14a28491 418static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 419{
af05b30b 420 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 421 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 422
9f5a0d7b 423 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 424
8c1d787b 425 chan->conn = conn;
0139418c 426
5491120e
AE		 427 switch (chan->chan_type) {
428 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 429 if (conn->hcon->type == LE_LINK) {
430 /* LE connection */
0c1bc5c6 431 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 432 chan->scid = L2CAP_CID_LE_DATA;
433 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 434 } else {
435 /* Alloc CID for connection-oriented socket */
fe4128e0 436 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 437 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 438 }
5491120e
AE		 439 break;
440
441 case L2CAP_CHAN_CONN_LESS:
0139418c 442 /* Connectionless socket */
fe4128e0
GP		 443 chan->scid = L2CAP_CID_CONN_LESS;
444 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 445 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 446 break;
447
448 default:
0139418c 449 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 450 chan->scid = L2CAP_CID_SIGNALING;
451 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 452 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 453 }
454
8f7975b1
AE		 455 chan->local_id = L2CAP_BESTEFFORT_ID;
456 chan->local_stype = L2CAP_SERV_BESTEFFORT;
457 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
458 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
459 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
460 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
461
371fd835 462 l2cap_chan_hold(chan);
baa7e1fa 463
3df91ea2 464 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 465}
466
14a28491 467static void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 468{
469 mutex_lock(&conn->chan_lock);
470 __l2cap_chan_add(conn, chan);
3df91ea2 471 mutex_unlock(&conn->chan_lock);
0139418c
MH		 472}
473
4519de9a 474static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 475{
48454079 476 struct sock *sk = chan->sk;
8c1d787b 477 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 478 struct sock *parent = bt_sk(sk)->parent;
479
c9b66675 480 __clear_chan_timer(chan);
0139418c 481
49208c9c 482 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 483
8e87d142 484 if (conn) {
baa7e1fa 485 /* Delete from channel list */
3df91ea2 486 list_del(&chan->list);
3d57dc68 487
371fd835 488 l2cap_chan_put(chan);
baa7e1fa 489
8c1d787b 490 chan->conn = NULL;
0139418c
MH		 491 hci_conn_put(conn->hcon);
492 }
493
6be36555
AE		 494 lock_sock(sk);
495
0e587be7 496 __l2cap_state_change(chan, BT_CLOSED);
0139418c
MH		 497 sock_set_flag(sk, SOCK_ZAPPED);
498
499 if (err)
2e0052e4 500 __l2cap_chan_set_err(chan, err);
0139418c
MH		 501
502 if (parent) {
503 bt_accept_unlink(sk);
504 parent->sk_data_ready(parent, 0);
505 } else
506 sk->sk_state_change(sk);
c13ffa62 507
6be36555
AE		 508 release_sock(sk);
509
c1360a1c
GP		 510 if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
511 test_bit(CONF_INPUT_DONE, &chan->conf_state)))
6ff5abbf 512 return;
2ead70b8 513
58d35f87 514 skb_queue_purge(&chan->tx_q);
c13ffa62 515
0c1bc5c6 516 if (chan->mode == L2CAP_MODE_ERTM) {
c13ffa62
GP		 517 struct srej_list *l, *tmp;
518
1a09bcb9
GP		 519 __clear_retrans_timer(chan);
520 __clear_monitor_timer(chan);
521 __clear_ack_timer(chan);
c13ffa62 522
f1c6775b 523 skb_queue_purge(&chan->srej_q);
c13ffa62 524
3c588192
MM		 525 l2cap_seq_list_free(&chan->srej_list);
526 l2cap_seq_list_free(&chan->retrans_list);
39d5a3ee 527 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
c13ffa62
GP		 528 list_del(&l->list);
529 kfree(l);
530 }
531 }
0139418c
MH		 532}
533
4519de9a
GP		 534static void l2cap_chan_cleanup_listen(struct sock *parent)
535{
536 struct sock *sk;
537
538 BT_DBG("parent %p", parent);
539
540 /* Close not yet accepted channels */
0f852724 541 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee 542 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
3df91ea2 543
6be36555 544 l2cap_chan_lock(chan);
c9b66675 545 __clear_chan_timer(chan);
ba3bd0ee 546 l2cap_chan_close(chan, ECONNRESET);
6be36555 547 l2cap_chan_unlock(chan);
3df91ea2 548
ba3bd0ee 549 chan->ops->close(chan->data);
0f852724 550 }
4519de9a
GP		 551}
552
0f852724 553void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 554{
555 struct l2cap_conn *conn = chan->conn;
556 struct sock *sk = chan->sk;
557
e05dcc32
AE		 558 BT_DBG("chan %p state %s sk %p", chan,
559 state_to_string(chan->state), sk);
4519de9a 560
89bc500e 561 switch (chan->state) {
4519de9a 562 case BT_LISTEN:
6be36555 563 lock_sock(sk);
4519de9a 564 l2cap_chan_cleanup_listen(sk);
89bc500e 565
0e587be7 566 __l2cap_state_change(chan, BT_CLOSED);
89bc500e 567 sock_set_flag(sk, SOCK_ZAPPED);
6be36555 568 release_sock(sk);
4519de9a
GP		 569 break;
570
571 case BT_CONNECTED:
572 case BT_CONFIG:
715ec005 573 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 574 conn->hcon->type == ACL_LINK) {
c9b66675 575 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 576 l2cap_send_disconn_req(conn, chan, reason);
577 } else
578 l2cap_chan_del(chan, reason);
579 break;
580
581 case BT_CONNECT2:
715ec005 582 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 583 conn->hcon->type == ACL_LINK) {
584 struct l2cap_conn_rsp rsp;
585 __u16 result;
586
587 if (bt_sk(sk)->defer_setup)
588 result = L2CAP_CR_SEC_BLOCK;
589 else
590 result = L2CAP_CR_BAD_PSM;
89bc500e 591 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 592
593 rsp.scid = cpu_to_le16(chan->dcid);
594 rsp.dcid = cpu_to_le16(chan->scid);
595 rsp.result = cpu_to_le16(result);
596 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
597 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
598 sizeof(rsp), &rsp);
599 }
600
601 l2cap_chan_del(chan, reason);
602 break;
603
604 case BT_CONNECT:
605 case BT_DISCONN:
606 l2cap_chan_del(chan, reason);
607 break;
608
609 default:
6be36555 610 lock_sock(sk);
4519de9a 611 sock_set_flag(sk, SOCK_ZAPPED);
6be36555 612 release_sock(sk);
4519de9a
GP		 613 break;
614 }
615}
616
4343478f 617static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 618{
715ec005 619 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 620 switch (chan->sec_level) {
8556edd3
JH		 621 case BT_SECURITY_HIGH:
622 return HCI_AT_DEDICATED_BONDING_MITM;
623 case BT_SECURITY_MEDIUM:
624 return HCI_AT_DEDICATED_BONDING;
625 default:
626 return HCI_AT_NO_BONDING;
627 }
fe4128e0 628 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 629 if (chan->sec_level == BT_SECURITY_LOW)
630 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 631
4343478f 632 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 633 return HCI_AT_NO_BONDING_MITM;
00ae4af9 634 else
8556edd3 635 return HCI_AT_NO_BONDING;
00ae4af9 636 } else {
4343478f 637 switch (chan->sec_level) {
00ae4af9 638 case BT_SECURITY_HIGH:
8556edd3 639 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 640 case BT_SECURITY_MEDIUM:
8556edd3 641 return HCI_AT_GENERAL_BONDING;
00ae4af9 642 default:
8556edd3 643 return HCI_AT_NO_BONDING;
00ae4af9 644 }
0684e5f9 645 }
8556edd3
JH		 646}
647
648/* Service level security */
d45fc423 649int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 650{
8c1d787b 651 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 652 __u8 auth_type;
653
4343478f 654 auth_type = l2cap_get_auth_type(chan);
79d554a6 655
4343478f 656 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 657}
658
b5ad8b7f 659static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 660{
661 u8 id;
662
663 /* Get next available identificator.
664 * 1 - 128 are used by kernel.
665 * 129 - 199 are reserved.
666 * 200 - 254 are used by utilities like l2ping, etc.
667 */
668
333055f2 669 spin_lock(&conn->lock);
4e8402a3
MH		 670
671 if (++conn->tx_ident > 128)
672 conn->tx_ident = 1;
673
674 id = conn->tx_ident;
675
333055f2 676 spin_unlock(&conn->lock);
4e8402a3
MH		 677
678 return id;
679}
680
4519de9a 681static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 682{
683 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 684 u8 flags;
4e8402a3
MH		 685
686 BT_DBG("code 0x%2.2x", code);
687
688 if (!skb)
9a9c6a34 689 return;
4e8402a3 690
e702112f
AE		 691 if (lmp_no_flush_capable(conn->hcon->hdev))
692 flags = ACL_START_NO_FLUSH;
693 else
694 flags = ACL_START;
695
14b12d0b 696 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 697 skb->priority = HCI_PRIO_MAX;
14b12d0b 698
73d80deb
LAD		 699 hci_send_acl(conn->hchan, skb, flags);
700}
701
702static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
703{
704 struct hci_conn *hcon = chan->conn->hcon;
705 u16 flags;
706
707 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
708 skb->priority);
709
710 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
711 lmp_no_flush_capable(hcon->hdev))
712 flags = ACL_START_NO_FLUSH;
713 else
714 flags = ACL_START;
14b12d0b 715
73d80deb
LAD		 716 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
717 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 718}
719
b76bbd66
MM		 720static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
721{
722 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
723 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
724
725 if (enh & L2CAP_CTRL_FRAME_TYPE) {
726 /* S-Frame */
727 control->sframe = 1;
728 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
729 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
730
731 control->sar = 0;
732 control->txseq = 0;
733 } else {
734 /* I-Frame */
735 control->sframe = 0;
736 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
737 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
738
739 control->poll = 0;
740 control->super = 0;
741 }
742}
743
b76bbd66
MM		 744static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
745{
746 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
747 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
748
749 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
750 /* S-Frame */
751 control->sframe = 1;
752 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
753 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
754
755 control->sar = 0;
756 control->txseq = 0;
757 } else {
758 /* I-Frame */
759 control->sframe = 0;
760 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
761 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
762
763 control->poll = 0;
764 control->super = 0;
765 }
766}
767
768static inline void __unpack_control(struct l2cap_chan *chan,
769 struct sk_buff *skb)
770{
771 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
772 __unpack_extended_control(get_unaligned_le32(skb->data),
773 &bt_cb(skb)->control);
774 } else {
775 __unpack_enhanced_control(get_unaligned_le16(skb->data),
776 &bt_cb(skb)->control);
777 }
778}
779
b5c6aaed
MM		 780static u32 __pack_extended_control(struct l2cap_ctrl *control)
781{
782 u32 packed;
783
784 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
785 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
786
787 if (control->sframe) {
788 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
789 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
790 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
791 } else {
792 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
793 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
794 }
795
796 return packed;
797}
798
799static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
800{
801 u16 packed;
802
803 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
804 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
805
806 if (control->sframe) {
807 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
808 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
809 packed |= L2CAP_CTRL_FRAME_TYPE;
810 } else {
811 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
812 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
813 }
814
815 return packed;
816}
817
b76bbd66
MM		 818static inline void __pack_control(struct l2cap_chan *chan,
819 struct l2cap_ctrl *control,
820 struct sk_buff *skb)
821{
822 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
823 put_unaligned_le32(__pack_extended_control(control),
824 skb->data + L2CAP_HDR_SIZE);
825 } else {
826 put_unaligned_le16(__pack_enhanced_control(control),
827 skb->data + L2CAP_HDR_SIZE);
828 }
829}
830
b5c6aaed
MM		 831static inline void l2cap_send_sframe(struct l2cap_chan *chan, u32 control)
832{
833 struct sk_buff *skb;
834 struct l2cap_hdr *lh;
835 struct l2cap_conn *conn = chan->conn;
836 int count, hlen;
837
838 if (chan->state != BT_CONNECTED)
839 return;
840
841 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
842 hlen = L2CAP_EXT_HDR_SIZE;
843 else
844 hlen = L2CAP_ENH_HDR_SIZE;
845
846 if (chan->fcs == L2CAP_FCS_CRC16)
847 hlen += L2CAP_FCS_SIZE;
848
849 BT_DBG("chan %p, control 0x%8.8x", chan, control);
850
851 count = min_t(unsigned int, conn->mtu, hlen);
852
853 control |= __set_sframe(chan);
854
855 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
856 control |= __set_ctrl_final(chan);
857
858 if (test_and_clear_bit(CONN_SEND_PBIT, &chan->conn_state))
859 control |= __set_ctrl_poll(chan);
860
861 skb = bt_skb_alloc(count, GFP_ATOMIC);
862 if (!skb)
863 return;
864
865 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
866 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
867 lh->cid = cpu_to_le16(chan->dcid);
868
869 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
870
871 if (chan->fcs == L2CAP_FCS_CRC16) {
872 u16 fcs = crc16(0, (u8 *)lh, count - L2CAP_FCS_SIZE);
873 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
874 }
875
876 skb->priority = HCI_PRIO_MAX;
877 l2cap_do_send(chan, skb);
878}
879
880static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u32 control)
881{
882 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
883 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
884 set_bit(CONN_RNR_SENT, &chan->conn_state);
885 } else
886 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
887
888 control |= __set_reqseq(chan, chan->buffer_seq);
889
890 l2cap_send_sframe(chan, control);
891}
892
b4450035 893static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 894{
c1360a1c 895 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 896}
897
9b27f350
AE		 898static void l2cap_send_conn_req(struct l2cap_chan *chan)
899{
900 struct l2cap_conn *conn = chan->conn;
901 struct l2cap_conn_req req;
902
903 req.scid = cpu_to_le16(chan->scid);
904 req.psm = chan->psm;
905
906 chan->ident = l2cap_get_ident(conn);
907
908 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
909
910 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
911}
912
9f0caeb1
VCG		 913static void l2cap_chan_ready(struct l2cap_chan *chan)
914{
915 struct sock *sk = chan->sk;
916 struct sock *parent;
917
918 lock_sock(sk);
919
920 parent = bt_sk(sk)->parent;
921
922 BT_DBG("sk %p, parent %p", sk, parent);
923
924 chan->conf_state = 0;
925 __clear_chan_timer(chan);
926
927 __l2cap_state_change(chan, BT_CONNECTED);
928 sk->sk_state_change(sk);
929
930 if (parent)
931 parent->sk_data_ready(parent, 0);
932
933 release_sock(sk);
934}
935
fc7f8a7e 936static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 937{
8c1d787b 938 struct l2cap_conn *conn = chan->conn;
79d554a6 939
9f0caeb1
VCG		 940 if (conn->hcon->type == LE_LINK) {
941 l2cap_chan_ready(chan);
942 return;
943 }
944
79d554a6 945 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 946 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
947 return;
948
d45fc423 949 if (l2cap_chan_check_security(chan) &&
9b27f350
AE		 950 __l2cap_no_conn_pending(chan))
951 l2cap_send_conn_req(chan);
79d554a6
MH		 952 } else {
953 struct l2cap_info_req req;
954 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
955
956 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
957 conn->info_ident = l2cap_get_ident(conn);
958
ba13ccd9 959 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 960
961 l2cap_send_cmd(conn, conn->info_ident,
962 L2CAP_INFO_REQ, sizeof(req), &req);
963 }
964}
965
cf6c2c0b
GP		 966static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
967{
968 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 969 if (!disable_ertm)
cf6c2c0b
GP		 970 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
971
972 switch (mode) {
973 case L2CAP_MODE_ERTM:
974 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
975 case L2CAP_MODE_STREAMING:
976 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
977 default:
978 return 0x00;
979 }
980}
981
4519de9a 982static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 983{
6be36555 984 struct sock *sk = chan->sk;
22121fc9
GP		 985 struct l2cap_disconn_req req;
986
c13ffa62
GP		 987 if (!conn)
988 return;
989
0c1bc5c6 990 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 991 __clear_retrans_timer(chan);
992 __clear_monitor_timer(chan);
993 __clear_ack_timer(chan);
c13ffa62
GP		 994 }
995
fe4128e0
GP		 996 req.dcid = cpu_to_le16(chan->dcid);
997 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 998 l2cap_send_cmd(conn, l2cap_get_ident(conn),
999 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 1000
6be36555 1001 lock_sock(sk);
0e587be7 1002 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1003 __l2cap_chan_set_err(chan, err);
6be36555 1004 release_sock(sk);
22121fc9
GP		 1005}
1006
1da177e4 1007/* ---- L2CAP connections ---- */
4e8402a3
MH		 1008static void l2cap_conn_start(struct l2cap_conn *conn)
1009{
3df91ea2 1010 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1011
1012 BT_DBG("conn %p", conn);
1013
3df91ea2 1014 mutex_lock(&conn->chan_lock);
4e8402a3 1015
3df91ea2 1016 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1017 struct sock *sk = chan->sk;
baa7e1fa 1018
6be36555 1019 l2cap_chan_lock(chan);
4e8402a3 1020
715ec005 1021 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1022 l2cap_chan_unlock(chan);
79d554a6
MH		 1023 continue;
1024 }
1025
89bc500e 1026 if (chan->state == BT_CONNECT) {
d45fc423 1027 if (!l2cap_chan_check_security(chan) ||
b4450035 1028 !__l2cap_no_conn_pending(chan)) {
6be36555 1029 l2cap_chan_unlock(chan);
47731de7
GP		 1030 continue;
1031 }
79d554a6 1032
c1360a1c
GP		 1033 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1034 && test_bit(CONF_STATE2_DEVICE,
1035 &chan->conf_state)) {
89bc500e 1036 l2cap_chan_close(chan, ECONNRESET);
6be36555 1037 l2cap_chan_unlock(chan);
47731de7 1038 continue;
b1235d79 1039 }
47731de7 1040
9b27f350 1041 l2cap_send_conn_req(chan);
47731de7 1042
89bc500e 1043 } else if (chan->state == BT_CONNECT2) {
79d554a6 1044 struct l2cap_conn_rsp rsp;
e9aeb2dd 1045 char buf[128];
fe4128e0
GP		 1046 rsp.scid = cpu_to_le16(chan->dcid);
1047 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1048
d45fc423 1049 if (l2cap_chan_check_security(chan)) {
6be36555 1050 lock_sock(sk);
f66dc81f
MH		 1051 if (bt_sk(sk)->defer_setup) {
1052 struct sock *parent = bt_sk(sk)->parent;
1053 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1054 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 1055 if (parent)
1056 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 1057
1058 } else {
0e587be7 1059 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 1060 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1061 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1062 }
6be36555 1063 release_sock(sk);
79d554a6
MH		 1064 } else {
1065 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1066 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1067 }
1068
fc7f8a7e
GP		 1069 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1070 sizeof(rsp), &rsp);
e9aeb2dd 1071
c1360a1c 1072 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd 1073 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1074 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1075 continue;
1076 }
1077
c1360a1c 1078 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1079 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 1080 l2cap_build_conf_req(chan, buf), buf);
1081 chan->num_conf_req++;
4e8402a3
MH		 1082 }
1083
6be36555 1084 l2cap_chan_unlock(chan);
4e8402a3
MH		 1085 }
1086
3df91ea2 1087 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1088}
1089
c2287681 1090/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1091 * Returns closest match, locked.
1092 */
d9b88702 1093static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1094 bdaddr_t *src,
1095 bdaddr_t *dst)
b62f328b 1096{
23691d75 1097 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1098
23691d75 1099 read_lock(&chan_list_lock);
b62f328b 1100
23691d75
GP		 1101 list_for_each_entry(c, &chan_list, global_l) {
1102 struct sock *sk = c->sk;
fe4128e0 1103
89bc500e 1104 if (state && c->state != state)
b62f328b
VT		 1105 continue;
1106
23691d75 1107 if (c->scid == cid) {
c2287681
IY		 1108 int src_match, dst_match;
1109 int src_any, dst_any;
1110
b62f328b 1111 /* Exact match. */
c2287681
IY		 1112 src_match = !bacmp(&bt_sk(sk)->src, src);
1113 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1114 if (src_match && dst_match) {
23691d75
GP		 1115 read_unlock(&chan_list_lock);
1116 return c;
1117 }
b62f328b
VT		 1118
1119 /* Closest match */
c2287681
IY		 1120 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1121 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1122 if ((src_match && dst_any) || (src_any && dst_match) ||
1123 (src_any && dst_any))
23691d75 1124 c1 = c;
b62f328b
VT		 1125 }
1126 }
280f294f 1127
23691d75 1128 read_unlock(&chan_list_lock);
b62f328b 1129
23691d75 1130 return c1;
b62f328b
VT		 1131}
1132
1133static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1134{
c916fbe4 1135 struct sock *parent, *sk;
23691d75 1136 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1137
1138 BT_DBG("");
1139
1140 /* Check if we have socket listening on cid */
23691d75 1141 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1142 conn->src, conn->dst);
23691d75 1143 if (!pchan)
b62f328b
VT		 1144 return;
1145
23691d75
GP		 1146 parent = pchan->sk;
1147
aa2ac881 1148 lock_sock(parent);
62f3a2cf 1149
b62f328b
VT		 1150 /* Check for backlog size */
1151 if (sk_acceptq_is_full(parent)) {
1152 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1153 goto clean;
1154 }
1155
80808e43
GP		 1156 chan = pchan->ops->new_connection(pchan->data);
1157 if (!chan)
b62f328b
VT		 1158 goto clean;
1159
80808e43 1160 sk = chan->sk;
5d41ce1d 1161
b62f328b
VT		 1162 hci_conn_hold(conn->hcon);
1163
b62f328b
VT		 1164 bacpy(&bt_sk(sk)->src, conn->src);
1165 bacpy(&bt_sk(sk)->dst, conn->dst);
1166
d1010240
GP		 1167 bt_accept_enqueue(parent, sk);
1168
3d57dc68 1169 l2cap_chan_add(conn, chan);
48454079 1170
c9b66675 1171 __set_chan_timer(chan, sk->sk_sndtimeo);
b62f328b 1172
0e587be7 1173 __l2cap_state_change(chan, BT_CONNECTED);
b62f328b
VT		 1174 parent->sk_data_ready(parent, 0);
1175
b62f328b 1176clean:
aa2ac881 1177 release_sock(parent);
b62f328b
VT		 1178}
1179
4e8402a3
MH		 1180static void l2cap_conn_ready(struct l2cap_conn *conn)
1181{
48454079 1182 struct l2cap_chan *chan;
4e8402a3 1183
79d554a6 1184 BT_DBG("conn %p", conn);
4e8402a3 1185
b62f328b
VT		 1186 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
1187 l2cap_le_conn_ready(conn);
1188
160dc6ac
VCG		 1189 if (conn->hcon->out && conn->hcon->type == LE_LINK)
1190 smp_conn_security(conn, conn->hcon->pending_sec_level);
1191
3df91ea2 1192 mutex_lock(&conn->chan_lock);
4e8402a3 1193
3df91ea2 1194 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1195
6be36555 1196 l2cap_chan_lock(chan);
4e8402a3 1197
63128451 1198 if (conn->hcon->type == LE_LINK) {
b501d6a1 1199 if (smp_conn_security(conn, chan->sec_level))
cf4cd009 1200 l2cap_chan_ready(chan);
acd7d370 1201
63128451 1202 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1203 struct sock *sk = chan->sk;
c9b66675 1204 __clear_chan_timer(chan);
6be36555 1205 lock_sock(sk);
0e587be7 1206 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1207 sk->sk_state_change(sk);
6be36555 1208 release_sock(sk);
b501d6a1 1209
89bc500e 1210 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1211 l2cap_do_start(chan);
4e8402a3 1212
6be36555 1213 l2cap_chan_unlock(chan);
4e8402a3 1214 }
79d554a6 1215
3df91ea2 1216 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1217}
1218
1219/* Notify sockets that we cannot guaranty reliability anymore */
1220static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1221{
48454079 1222 struct l2cap_chan *chan;
4e8402a3
MH		 1223
1224 BT_DBG("conn %p", conn);
1225
3df91ea2 1226 mutex_lock(&conn->chan_lock);
4e8402a3 1227
3df91ea2 1228 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1229 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
2e0052e4 1230 __l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1231 }
1232
3df91ea2 1233 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1234}
1235
f878fcad 1236static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1237{
f878fcad 1238 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
030013d8 1239 info_timer.work);
4e8402a3 1240
984947dc 1241 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1242 conn->info_ident = 0;
984947dc 1243
4e8402a3
MH		 1244 l2cap_conn_start(conn);
1245}
1246
5d3de7df
VCG		 1247static void l2cap_conn_del(struct hci_conn *hcon, int err)
1248{
1249 struct l2cap_conn *conn = hcon->l2cap_data;
1250 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1251
1252 if (!conn)
1253 return;
1254
1255 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1256
1257 kfree_skb(conn->rx_skb);
1258
3df91ea2
AE		 1259 mutex_lock(&conn->chan_lock);
1260
5d3de7df
VCG		 1261 /* Kill channels */
1262 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1263 l2cap_chan_hold(chan);
6be36555
AE		 1264 l2cap_chan_lock(chan);
1265
5d3de7df 1266 l2cap_chan_del(chan, err);
6be36555
AE		 1267
1268 l2cap_chan_unlock(chan);
1269
5d3de7df 1270 chan->ops->close(chan->data);
61d6ef3e 1271 l2cap_chan_put(chan);
5d3de7df
VCG		 1272 }
1273
3df91ea2
AE		 1274 mutex_unlock(&conn->chan_lock);
1275
73d80deb
LAD		 1276 hci_chan_del(conn->hchan);
1277
5d3de7df 1278 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1279 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1280
51a8efd7 1281 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1282 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1283 smp_chan_destroy(conn);
d26a2345 1284 }
5d3de7df
VCG		 1285
1286 hcon->l2cap_data = NULL;
1287 kfree(conn);
1288}
1289
6c9d42a1 1290static void security_timeout(struct work_struct *work)
5d3de7df 1291{
6c9d42a1
GP		 1292 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1293 security_timer.work);
5d3de7df
VCG		 1294
1295 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1296}
1297
1da177e4
LT		 1298static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1299{
0139418c 1300 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1301 struct hci_chan *hchan;
1da177e4 1302
0139418c 1303 if (conn || status)
1da177e4
LT		 1304 return conn;
1305
73d80deb
LAD		 1306 hchan = hci_chan_create(hcon);
1307 if (!hchan)
1308 return NULL;
1309
0139418c 1310 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
73d80deb
LAD		 1311 if (!conn) {
1312 hci_chan_del(hchan);
1da177e4 1313 return NULL;
73d80deb 1314 }
1da177e4
LT		 1315
1316 hcon->l2cap_data = conn;
1317 conn->hcon = hcon;
73d80deb 1318 conn->hchan = hchan;
1da177e4 1319
73d80deb 1320 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1321
acd7d370
VT		 1322 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1323 conn->mtu = hcon->hdev->le_mtu;
1324 else
1325 conn->mtu = hcon->hdev->acl_mtu;
1326
1da177e4
LT		 1327 conn->src = &hcon->hdev->bdaddr;
1328 conn->dst = &hcon->dst;
1329
4e8402a3
MH		 1330 conn->feat_mask = 0;
1331
1da177e4 1332 spin_lock_init(&conn->lock);
3df91ea2 1333 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1334
1335 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1336
5d3de7df 1337 if (hcon->type == LE_LINK)
6c9d42a1 1338 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1339 else
030013d8 1340 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1341
9f5a0d7b 1342 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1343
1da177e4
LT		 1344 return conn;
1345}
1346
1da177e4 1347/* ---- Socket interface ---- */
1da177e4 1348
c2287681 1349/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1350 * Returns closest match.
1351 */
c2287681
IY		 1352static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1353 bdaddr_t *src,
1354 bdaddr_t *dst)
1da177e4 1355{
23691d75 1356 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1357
23691d75 1358 read_lock(&chan_list_lock);
e0f0cb56 1359
23691d75
GP		 1360 list_for_each_entry(c, &chan_list, global_l) {
1361 struct sock *sk = c->sk;
fe4128e0 1362
89bc500e 1363 if (state && c->state != state)
1da177e4
LT		 1364 continue;
1365
23691d75 1366 if (c->psm == psm) {
c2287681
IY		 1367 int src_match, dst_match;
1368 int src_any, dst_any;
1369
1da177e4 1370 /* Exact match. */
c2287681
IY		 1371 src_match = !bacmp(&bt_sk(sk)->src, src);
1372 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1373 if (src_match && dst_match) {
a7567b20 1374 read_unlock(&chan_list_lock);
23691d75
GP		 1375 return c;
1376 }
1da177e4
LT		 1377
1378 /* Closest match */
c2287681
IY		 1379 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1380 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1381 if ((src_match && dst_any) || (src_any && dst_match) ||
1382 (src_any && dst_any))
23691d75 1383 c1 = c;
1da177e4
LT		 1384 }
1385 }
1da177e4 1386
23691d75 1387 read_unlock(&chan_list_lock);
e0f0cb56 1388
23691d75 1389 return c1;
1da177e4
LT		 1390}
1391
8e9f9892
AG		 1392int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1393 bdaddr_t *dst, u8 dst_type)
1da177e4 1394{
5d41ce1d 1395 struct sock *sk = chan->sk;
1da177e4 1396 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1397 struct l2cap_conn *conn;
1398 struct hci_conn *hcon;
1399 struct hci_dev *hdev;
09ab6f4c 1400 __u8 auth_type;
44d0e48e 1401 int err;
1da177e4 1402
8e9f9892
AG		 1403 BT_DBG("%s -> %s (type %u) psm 0x%2.2x", batostr(src), batostr(dst),
1404 dst_type, __le16_to_cpu(chan->psm));
1da177e4 1405
af05b30b
GP		 1406 hdev = hci_get_route(dst, src);
1407 if (!hdev)
1da177e4
LT		 1408 return -EHOSTUNREACH;
1409
09fd0de5 1410 hci_dev_lock(hdev);
1da177e4 1411
6be36555 1412 l2cap_chan_lock(chan);
03a00194
GP		 1413
1414 /* PSM must be odd and lsb of upper byte must be 0 */
1415 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1416 chan->chan_type != L2CAP_CHAN_RAW) {
1417 err = -EINVAL;
1418 goto done;
1419 }
1420
1421 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1422 err = -EINVAL;
1423 goto done;
1424 }
1425
1426 switch (chan->mode) {
1427 case L2CAP_MODE_BASIC:
1428 break;
1429 case L2CAP_MODE_ERTM:
1430 case L2CAP_MODE_STREAMING:
1431 if (!disable_ertm)
1432 break;
1433 /* fall through */
1434 default:
1435 err = -ENOTSUPP;
1436 goto done;
1437 }
1438
6be36555
AE		 1439 lock_sock(sk);
1440
03a00194
GP		 1441 switch (sk->sk_state) {
1442 case BT_CONNECT:
1443 case BT_CONNECT2:
1444 case BT_CONFIG:
1445 /* Already connecting */
1446 err = 0;
6be36555 1447 release_sock(sk);
03a00194
GP		 1448 goto done;
1449
1450 case BT_CONNECTED:
1451 /* Already connected */
1452 err = -EISCONN;
6be36555 1453 release_sock(sk);
03a00194
GP		 1454 goto done;
1455
1456 case BT_OPEN:
1457 case BT_BOUND:
1458 /* Can connect */
1459 break;
1460
1461 default:
1462 err = -EBADFD;
6be36555 1463 release_sock(sk);
03a00194
GP		 1464 goto done;
1465 }
1466
1467 /* Set destination address and psm */
9219b2a0 1468 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1469
1470 release_sock(sk);
1471
03a00194
GP		 1472 chan->psm = psm;
1473 chan->dcid = cid;
1da177e4 1474
4343478f 1475 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1476
fe4128e0 1477 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1478 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1479 chan->sec_level, auth_type);
acd7d370 1480 else
8e9f9892 1481 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1482 chan->sec_level, auth_type);
acd7d370 1483
30e76272
VT		 1484 if (IS_ERR(hcon)) {
1485 err = PTR_ERR(hcon);
1da177e4 1486 goto done;
30e76272 1487 }
1da177e4
LT		 1488
1489 conn = l2cap_conn_add(hcon, 0);
1490 if (!conn) {
1491 hci_conn_put(hcon);
30e76272 1492 err = -ENOMEM;
1da177e4
LT		 1493 goto done;
1494 }
1495
9f0caeb1
VCG		 1496 if (hcon->type == LE_LINK) {
1497 err = 0;
1498
1499 if (!list_empty(&conn->chan_l)) {
1500 err = -EBUSY;
1501 hci_conn_put(hcon);
1502 }
1503
1504 if (err)
1505 goto done;
1506 }
1507
1da177e4
LT		 1508 /* Update source addr of the socket */
1509 bacpy(src, conn->src);
1510
6be36555 1511 l2cap_chan_unlock(chan);
48454079 1512 l2cap_chan_add(conn, chan);
6be36555 1513 l2cap_chan_lock(chan);
48454079 1514
6be36555 1515 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1516 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1517
1518 if (hcon->state == BT_CONNECTED) {
715ec005 1519 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1520 __clear_chan_timer(chan);
d45fc423 1521 if (l2cap_chan_check_security(chan))
6be36555 1522 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1523 } else
fc7f8a7e 1524 l2cap_do_start(chan);
1da177e4
LT		 1525 }
1526
30e76272
VT		 1527 err = 0;
1528
1da177e4 1529done:
6be36555 1530 l2cap_chan_unlock(chan);
09fd0de5 1531 hci_dev_unlock(hdev);
1da177e4
LT		 1532 hci_dev_put(hdev);
1533 return err;
1534}
1535
dcba0dba 1536int __l2cap_wait_ack(struct sock *sk)
6161c038 1537{
8c1d787b 1538 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1539 DECLARE_WAITQUEUE(wait, current);
1540 int err = 0;
1541 int timeo = HZ/5;
1542
2b0b05dd 1543 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1544 set_current_state(TASK_INTERRUPTIBLE);
1545 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1546 if (!timeo)
1547 timeo = HZ/5;
1548
1549 if (signal_pending(current)) {
1550 err = sock_intr_errno(timeo);
1551 break;
1552 }
1553
1554 release_sock(sk);
1555 timeo = schedule_timeout(timeo);
1556 lock_sock(sk);
a71a0cf4 1557 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1558
1559 err = sock_error(sk);
1560 if (err)
1561 break;
1562 }
1563 set_current_state(TASK_RUNNING);
2b0b05dd 1564 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1565 return err;
1566}
1567
721c4181 1568static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1569{
721c4181
GP		 1570 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1571 monitor_timer.work);
e90bac06 1572
525cd185 1573 BT_DBG("chan %p", chan);
0e98958d 1574
6be36555
AE		 1575 l2cap_chan_lock(chan);
1576
2c03a7a4 1577 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1578 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
6be36555 1579 l2cap_chan_unlock(chan);
8d7e1c7f 1580 l2cap_chan_put(chan);
e90bac06
GP		 1581 return;
1582 }
1583
6a026610 1584 chan->retry_count++;
1a09bcb9 1585 __set_monitor_timer(chan);
e90bac06 1586
525cd185 1587 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
6be36555 1588 l2cap_chan_unlock(chan);
8d7e1c7f 1589 l2cap_chan_put(chan);
e90bac06
GP		 1590}
1591
721c4181 1592static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1593{
721c4181
GP		 1594 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1595 retrans_timer.work);
e90bac06 1596
49208c9c 1597 BT_DBG("chan %p", chan);
0e98958d 1598
6be36555
AE		 1599 l2cap_chan_lock(chan);
1600
6a026610 1601 chan->retry_count = 1;
1a09bcb9 1602 __set_monitor_timer(chan);
e90bac06 1603
e2ab4353 1604 set_bit(CONN_WAIT_F, &chan->conn_state);
e90bac06 1605
525cd185 1606 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
6be36555
AE		 1607
1608 l2cap_chan_unlock(chan);
8d7e1c7f 1609 l2cap_chan_put(chan);
e90bac06
GP		 1610}
1611
42e5c802 1612static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1da177e4 1613{
1c2acffb 1614 struct sk_buff *skb;
1da177e4 1615
58d35f87 1616 while ((skb = skb_peek(&chan->tx_q)) &&
6a026610 1617 chan->unacked_frames) {
3ce3514f 1618 if (bt_cb(skb)->control.txseq == chan->expected_ack_seq)
1c2acffb 1619 break;
1da177e4 1620
58d35f87 1621 skb = skb_dequeue(&chan->tx_q);
1c2acffb 1622 kfree_skb(skb);
1da177e4 1623
6a026610 1624 chan->unacked_frames--;
1c2acffb 1625 }
1da177e4 1626
6a026610 1627 if (!chan->unacked_frames)
1a09bcb9 1628 __clear_retrans_timer(chan);
1c2acffb 1629}
1da177e4 1630
67c9e840 1631static void l2cap_streaming_send(struct l2cap_chan *chan)
6840ed07 1632{
ccbb84af 1633 struct sk_buff *skb;
88843ab0
AE		 1634 u32 control;
1635 u16 fcs;
6840ed07 1636
58d35f87 1637 while ((skb = skb_dequeue(&chan->tx_q))) {
88843ab0 1638 control = __get_control(chan, skb->data + L2CAP_HDR_SIZE);
fb45de7d 1639 control |= __set_txseq(chan, chan->next_tx_seq);
94122bbe 1640 control |= __set_ctrl_sar(chan, bt_cb(skb)->control.sar);
88843ab0 1641 __put_control(chan, control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1642
47d1ec61 1643 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1644 fcs = crc16(0, (u8 *)skb->data,
1645 skb->len - L2CAP_FCS_SIZE);
1646 put_unaligned_le16(fcs,
1647 skb->data + skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 1648 }
1649
4343478f 1650 l2cap_do_send(chan, skb);
6840ed07 1651
836be934 1652 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
6840ed07 1653 }
6840ed07
GP		 1654}
1655
fb45de7d 1656static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 1657{
8f17154f 1658 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1659 u16 fcs;
1660 u32 control;
8f17154f 1661
58d35f87 1662 skb = skb_peek(&chan->tx_q);
f11d676d
GP		 1663 if (!skb)
1664 return;
8f17154f 1665
3ce3514f 1666 while (bt_cb(skb)->control.txseq != tx_seq) {
58d35f87 1667 if (skb_queue_is_last(&chan->tx_q, skb))
f11d676d 1668 return;
8f17154f 1669
d1726b6d
SJ		 1670 skb = skb_queue_next(&chan->tx_q, skb);
1671 }
8f17154f 1672
3ce3514f
MM		 1673 if (bt_cb(skb)->control.retries == chan->remote_max_tx &&
1674 chan->remote_max_tx) {
8c1d787b 1675 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
f11d676d
GP		 1676 return;
1677 }
1678
1679 tx_skb = skb_clone(skb, GFP_ATOMIC);
3ce3514f 1680 bt_cb(skb)->control.retries++;
88843ab0
AE		 1681
1682 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1683 control &= __get_sar_mask(chan);
3cb123d1 1684
e2ab4353 1685 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1686 control |= __set_ctrl_final(chan);
95ffa978 1687
0b209fae 1688 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1689 control |= __set_txseq(chan, tx_seq);
3cb123d1 1690
88843ab0 1691 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
f11d676d 1692
47d1ec61 1693 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1694 fcs = crc16(0, (u8 *)tx_skb->data,
1695 tx_skb->len - L2CAP_FCS_SIZE);
1696 put_unaligned_le16(fcs,
1697 tx_skb->data + tx_skb->len - L2CAP_FCS_SIZE);
f11d676d
GP		 1698 }
1699
4343478f 1700 l2cap_do_send(chan, tx_skb);
8f17154f
GP		 1701}
1702
67c9e840 1703static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1704{
1705 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1706 u16 fcs;
1707 u32 control;
9a9c6a34 1708 int nsent = 0;
1c2acffb 1709
89bc500e 1710 if (chan->state != BT_CONNECTED)
c13ffa62 1711 return -ENOTCONN;
e90bac06 1712
94122bbe
MM		 1713 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1714 return 0;
1715
58d35f87 1716 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1c2acffb 1717
3ce3514f
MM		 1718 if (bt_cb(skb)->control.retries == chan->remote_max_tx &&
1719 chan->remote_max_tx) {
8c1d787b 1720 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
e90bac06
GP		 1721 break;
1722 }
1723
e420aba3
AE		 1724 tx_skb = skb_clone(skb, GFP_ATOMIC);
1725
3ce3514f 1726 bt_cb(skb)->control.retries++;
e90bac06 1727
88843ab0 1728 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1729 control &= __get_sar_mask(chan);
95ffa978 1730
e2ab4353 1731 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1732 control |= __set_ctrl_final(chan);
e2ab4353 1733
0b209fae 1734 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1735 control |= __set_txseq(chan, chan->next_tx_seq);
94122bbe 1736 control |= __set_ctrl_sar(chan, bt_cb(skb)->control.sar);
1c2acffb 1737
88843ab0 1738 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
e90bac06 1739
47d1ec61 1740 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1741 fcs = crc16(0, (u8 *)skb->data,
1742 tx_skb->len - L2CAP_FCS_SIZE);
1743 put_unaligned_le16(fcs, skb->data +
1744 tx_skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 1745 }
1746
4343478f 1747 l2cap_do_send(chan, tx_skb);
9a9c6a34 1748
1a09bcb9 1749 __set_retrans_timer(chan);
1c2acffb 1750
3ce3514f 1751 bt_cb(skb)->control.txseq = chan->next_tx_seq;
836be934
AE		 1752
1753 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1c2acffb 1754
3ce3514f 1755 if (bt_cb(skb)->control.retries == 1) {
6a026610 1756 chan->unacked_frames++;
930fa4ae
SJ		 1757
1758 if (!nsent++)
1759 __clear_ack_timer(chan);
8ed7a0ae 1760 }
23e9fde2 1761
6a026610 1762 chan->frames_sent++;
1c2acffb 1763
58d35f87
GP		 1764 if (skb_queue_is_last(&chan->tx_q, skb))
1765 chan->tx_send_head = NULL;
1c2acffb 1766 else
58d35f87 1767 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1c2acffb
GP		 1768 }
1769
9e917af1
GP		 1770 return nsent;
1771}
1772
525cd185 1773static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1774{
dfc909be
GP		 1775 int ret;
1776
58d35f87
GP		 1777 if (!skb_queue_empty(&chan->tx_q))
1778 chan->tx_send_head = chan->tx_q.next;
dfc909be 1779
42e5c802 1780 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1781 ret = l2cap_ertm_send(chan);
dfc909be
GP		 1782 return ret;
1783}
1784
b17e73bb 1785static void __l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1786{
88843ab0 1787 u32 control = 0;
9e917af1 1788
0b209fae 1789 control |= __set_reqseq(chan, chan->buffer_seq);
9e917af1 1790
e2ab4353 1791 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 1792 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 1793 set_bit(CONN_RNR_SENT, &chan->conn_state);
525cd185 1794 l2cap_send_sframe(chan, control);
9a9c6a34 1795 return;
9e917af1 1796 }
dfc909be 1797
525cd185 1798 if (l2cap_ertm_send(chan) > 0)
dfc909be
GP		 1799 return;
1800
ab784b73 1801 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 1802 l2cap_send_sframe(chan, control);
1c2acffb
GP		 1803}
1804
b17e73bb
SJ		 1805static void l2cap_send_ack(struct l2cap_chan *chan)
1806{
1807 __clear_ack_timer(chan);
1808 __l2cap_send_ack(chan);
1809}
1810
525cd185 1811static void l2cap_send_srejtail(struct l2cap_chan *chan)
99b0d4b7
GP		 1812{
1813 struct srej_list *tail;
88843ab0 1814 u32 control;
99b0d4b7 1815
ab784b73 1816 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
03f6715d 1817 control |= __set_ctrl_final(chan);
99b0d4b7 1818
39d5a3ee 1819 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
0b209fae 1820 control |= __set_reqseq(chan, tail->tx_seq);
99b0d4b7 1821
525cd185 1822 l2cap_send_sframe(chan, control);
99b0d4b7
GP		 1823}
1824
04124681
GP		 1825static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
1826 struct msghdr *msg, int len,
1827 int count, struct sk_buff *skb)
1c2acffb 1828{
0952a57a 1829 struct l2cap_conn *conn = chan->conn;
1c2acffb 1830 struct sk_buff **frag;
90338947 1831 int sent = 0;
1da177e4 1832
59203a21 1833 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1834 return -EFAULT;
1da177e4
LT		 1835
1836 sent += count;
1837 len -= count;
1838
1839 /* Continuation fragments (no L2CAP header) */
1840 frag = &skb_shinfo(skb)->frag_list;
1841 while (len) {
fbe00700
GP		 1842 struct sk_buff *tmp;
1843
1da177e4
LT		 1844 count = min_t(unsigned int, conn->mtu, len);
1845
fbe00700
GP		 1846 tmp = chan->ops->alloc_skb(chan, count,
1847 msg->msg_flags & MSG_DONTWAIT);
1848 if (IS_ERR(tmp))
1849 return PTR_ERR(tmp);
1850
1851 *frag = tmp;
2f7719ce 1852
1c2acffb
GP		 1853 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1854 return -EFAULT;
1da177e4 1855
5e59b791
LAD		 1856 (*frag)->priority = skb->priority;
1857
1da177e4
LT		 1858 sent += count;
1859 len -= count;
1860
2d0ed3d5
GP		 1861 skb->len += (*frag)->len;
1862 skb->data_len += (*frag)->len;
1863
1da177e4
LT		 1864 frag = &(*frag)->next;
1865 }
1da177e4
LT		 1866
1867 return sent;
1c2acffb 1868}
1da177e4 1869
5e59b791
LAD		 1870static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
1871 struct msghdr *msg, size_t len,
1872 u32 priority)
1c2acffb 1873{
8c1d787b 1874 struct l2cap_conn *conn = chan->conn;
1c2acffb 1875 struct sk_buff *skb;
03a51213 1876 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 1877 struct l2cap_hdr *lh;
1878
6d5922b0 1879 BT_DBG("chan %p len %d priority %u", chan, (int)len, priority);
1c2acffb
GP		 1880
1881 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1882
1883 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 1884 msg->msg_flags & MSG_DONTWAIT);
1885 if (IS_ERR(skb))
1886 return skb;
1c2acffb 1887
5e59b791
LAD		 1888 skb->priority = priority;
1889
1c2acffb
GP		 1890 /* Create L2CAP header */
1891 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1892 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 1893 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
1894 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 1895
0952a57a 1896 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1897 if (unlikely(err < 0)) {
1898 kfree_skb(skb);
1899 return ERR_PTR(err);
1900 }
1901 return skb;
1902}
1903
5e59b791
LAD		 1904static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
1905 struct msghdr *msg, size_t len,
1906 u32 priority)
1c2acffb 1907{
8c1d787b 1908 struct l2cap_conn *conn = chan->conn;
1c2acffb 1909 struct sk_buff *skb;
f2ba7fae 1910 int err, count;
1c2acffb
GP		 1911 struct l2cap_hdr *lh;
1912
6d5922b0 1913 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 1914
f2ba7fae 1915 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 1916
f2ba7fae 1917 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 1918 msg->msg_flags & MSG_DONTWAIT);
1919 if (IS_ERR(skb))
1920 return skb;
1c2acffb 1921
5e59b791
LAD		 1922 skb->priority = priority;
1923
1c2acffb
GP		 1924 /* Create L2CAP header */
1925 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1926 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 1927 lh->len = cpu_to_le16(len);
1c2acffb 1928
0952a57a 1929 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1930 if (unlikely(err < 0)) {
1931 kfree_skb(skb);
1932 return ERR_PTR(err);
1933 }
1934 return skb;
1935}
1936
ab0ff76d
LAD		 1937static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
1938 struct msghdr *msg, size_t len,
94122bbe 1939 u16 sdulen)
1c2acffb 1940{
8c1d787b 1941 struct l2cap_conn *conn = chan->conn;
1c2acffb 1942 struct sk_buff *skb;
e4ca6d98 1943 int err, count, hlen;
1c2acffb
GP		 1944 struct l2cap_hdr *lh;
1945
6d5922b0 1946 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 1947
0ee0d208
GP		 1948 if (!conn)
1949 return ERR_PTR(-ENOTCONN);
1950
e4ca6d98
AE		 1951 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1952 hlen = L2CAP_EXT_HDR_SIZE;
1953 else
1954 hlen = L2CAP_ENH_HDR_SIZE;
1955
c74e560c 1956 if (sdulen)
03a51213 1957 hlen += L2CAP_SDULEN_SIZE;
c74e560c 1958
47d1ec61 1959 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1960 hlen += L2CAP_FCS_SIZE;
fcc203c3 1961
1c2acffb 1962 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1963
1964 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 1965 msg->msg_flags & MSG_DONTWAIT);
1966 if (IS_ERR(skb))
1967 return skb;
1c2acffb
GP		 1968
1969 /* Create L2CAP header */
1970 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1971 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1972 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 1973
94122bbe 1974 __put_control(chan, 0, skb_put(skb, __ctrl_size(chan)));
88843ab0 1975
c74e560c 1976 if (sdulen)
03a51213 1977 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 1978
0952a57a 1979 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1980 if (unlikely(err < 0)) {
1981 kfree_skb(skb);
1982 return ERR_PTR(err);
1983 }
e90bac06 1984
47d1ec61 1985 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1986 put_unaligned_le16(0, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3 1987
3ce3514f 1988 bt_cb(skb)->control.retries = 0;
1c2acffb 1989 return skb;
1da177e4
LT		 1990}
1991
94122bbe
MM		 1992static int l2cap_segment_sdu(struct l2cap_chan *chan,
1993 struct sk_buff_head *seg_queue,
1994 struct msghdr *msg, size_t len)
c74e560c 1995{
c74e560c 1996 struct sk_buff *skb;
94122bbe
MM		 1997 u16 sdu_len;
1998 size_t pdu_len;
1999 int err = 0;
2000 u8 sar;
c74e560c 2001
94122bbe 2002 BT_DBG("chan %p, msg %p, len %d", chan, msg, (int)len);
c74e560c 2003
94122bbe
MM		 2004 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2005 * so fragmented skbs are not used. The HCI layer's handling
2006 * of fragmented skbs is not compatible with ERTM's queueing.
2007 */
c74e560c 2008
94122bbe
MM		 2009 /* PDU size is derived from the HCI MTU */
2010 pdu_len = chan->conn->mtu;
c74e560c 2011
94122bbe
MM		 2012 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2013
2014 /* Adjust for largest possible L2CAP overhead. */
2015 pdu_len -= L2CAP_EXT_HDR_SIZE + L2CAP_FCS_SIZE;
2016
2017 /* Remote device may have requested smaller PDUs */
2018 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2019
2020 if (len <= pdu_len) {
2021 sar = L2CAP_SAR_UNSEGMENTED;
2022 sdu_len = 0;
2023 pdu_len = len;
2024 } else {
2025 sar = L2CAP_SAR_START;
2026 sdu_len = len;
2027 pdu_len -= L2CAP_SDULEN_SIZE;
2028 }
2029
2030 while (len > 0) {
2031 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2032
c74e560c 2033 if (IS_ERR(skb)) {
94122bbe 2034 __skb_queue_purge(seg_queue);
c74e560c
GP		 2035 return PTR_ERR(skb);
2036 }
2037
94122bbe
MM		 2038 bt_cb(skb)->control.sar = sar;
2039 __skb_queue_tail(seg_queue, skb);
2040
2041 len -= pdu_len;
2042 if (sdu_len) {
2043 sdu_len = 0;
2044 pdu_len += L2CAP_SDULEN_SIZE;
2045 }
2046
2047 if (len <= pdu_len) {
2048 sar = L2CAP_SAR_END;
2049 pdu_len = len;
2050 } else {
2051 sar = L2CAP_SAR_CONTINUE;
2052 }
c74e560c 2053 }
c74e560c 2054
94122bbe 2055 return err;
c74e560c
GP		 2056}
2057
5e59b791
LAD		 2058int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2059 u32 priority)
9a91a04a 2060{
9a91a04a 2061 struct sk_buff *skb;
9a91a04a 2062 int err;
94122bbe 2063 struct sk_buff_head seg_queue;
9a91a04a
GP		 2064
2065 /* Connectionless channel */
715ec005 2066 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2067 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2068 if (IS_ERR(skb))
2069 return PTR_ERR(skb);
2070
2071 l2cap_do_send(chan, skb);
2072 return len;
2073 }
2074
2075 switch (chan->mode) {
2076 case L2CAP_MODE_BASIC:
2077 /* Check outgoing MTU */
2078 if (len > chan->omtu)
2079 return -EMSGSIZE;
2080
2081 /* Create a basic PDU */
5e59b791 2082 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2083 if (IS_ERR(skb))
2084 return PTR_ERR(skb);
2085
2086 l2cap_do_send(chan, skb);
2087 err = len;
2088 break;
2089
2090 case L2CAP_MODE_ERTM:
2091 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2092 /* Check outgoing MTU */
2093 if (len > chan->omtu) {
2094 err = -EMSGSIZE;
2095 break;
2096 }
9a91a04a 2097
94122bbe 2098 __skb_queue_head_init(&seg_queue);
9a91a04a 2099
94122bbe
MM		 2100 /* Do segmentation before calling in to the state machine,
2101 * since it's possible to block while waiting for memory
2102 * allocation.
2103 */
2104 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2105
94122bbe
MM		 2106 /* The channel could have been closed while segmenting,
2107 * check that it is still connected.
2108 */
2109 if (chan->state != BT_CONNECTED) {
2110 __skb_queue_purge(&seg_queue);
2111 err = -ENOTCONN;
9a91a04a
GP		 2112 }
2113
94122bbe 2114 if (err)
9a91a04a 2115 break;
9a91a04a 2116
577cfaeb
MM		 2117 if (chan->mode == L2CAP_MODE_ERTM && chan->tx_send_head == NULL)
2118 chan->tx_send_head = seg_queue.next;
94122bbe 2119 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
577cfaeb 2120
94122bbe
MM		 2121 if (chan->mode == L2CAP_MODE_ERTM)
2122 err = l2cap_ertm_send(chan);
2123 else
2124 l2cap_streaming_send(chan);
9a91a04a 2125
9a91a04a
GP		 2126 if (err >= 0)
2127 err = len;
2128
94122bbe
MM		 2129 /* If the skbs were not queued for sending, they'll still be in
2130 * seg_queue and need to be purged.
2131 */
2132 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2133 break;
2134
2135 default:
2136 BT_DBG("bad state %1.1x", chan->mode);
2137 err = -EBADFD;
2138 }
2139
2140 return err;
2141}
2142
1da177e4
LT		 2143/* Copy frame to all raw sockets on that connection */
2144static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2145{
1da177e4 2146 struct sk_buff *nskb;
48454079 2147 struct l2cap_chan *chan;
1da177e4
LT		 2148
2149 BT_DBG("conn %p", conn);
2150
3df91ea2 2151 mutex_lock(&conn->chan_lock);
3d57dc68 2152
3df91ea2 2153 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2154 struct sock *sk = chan->sk;
715ec005 2155 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2156 continue;
2157
2158 /* Don't send frame to the socket it came from */
2159 if (skb->sk == sk)
2160 continue;
af05b30b
GP		 2161 nskb = skb_clone(skb, GFP_ATOMIC);
2162 if (!nskb)
1da177e4
LT		 2163 continue;
2164
23070494 2165 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT		 2166 kfree_skb(nskb);
2167 }
3d57dc68 2168
3df91ea2 2169 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2170}
2171
2172/* ---- L2CAP signalling commands ---- */
2173static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2174 u8 code, u8 ident, u16 dlen, void *data)
2175{
2176 struct sk_buff *skb, **frag;
2177 struct l2cap_cmd_hdr *cmd;
2178 struct l2cap_hdr *lh;
2179 int len, count;
2180
af05b30b
GP		 2181 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2182 conn, code, ident, dlen);
1da177e4
LT		 2183
2184 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2185 count = min_t(unsigned int, conn->mtu, len);
2186
2187 skb = bt_skb_alloc(count, GFP_ATOMIC);
2188 if (!skb)
2189 return NULL;
2190
2191 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2192 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2193
2194 if (conn->hcon->type == LE_LINK)
2195 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2196 else
2197 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2198
2199 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2200 cmd->code = code;
2201 cmd->ident = ident;
aca3192c 2202 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2203
2204 if (dlen) {
2205 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2206 memcpy(skb_put(skb, count), data, count);
2207 data += count;
2208 }
2209
2210 len -= skb->len;
2211
2212 /* Continuation fragments (no L2CAP header) */
2213 frag = &skb_shinfo(skb)->frag_list;
2214 while (len) {
2215 count = min_t(unsigned int, conn->mtu, len);
2216
2217 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2218 if (!*frag)
2219 goto fail;
2220
2221 memcpy(skb_put(*frag, count), data, count);
2222
2223 len -= count;
2224 data += count;
2225
2226 frag = &(*frag)->next;
2227 }
2228
2229 return skb;
2230
2231fail:
2232 kfree_skb(skb);
2233 return NULL;
2234}
2235
2236static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2237{
2238 struct l2cap_conf_opt *opt = *ptr;
2239 int len;
2240
2241 len = L2CAP_CONF_OPT_SIZE + opt->len;
2242 *ptr += len;
2243
2244 *type = opt->type;
2245 *olen = opt->len;
2246
2247 switch (opt->len) {
2248 case 1:
2249 *val = *((u8 *) opt->val);
2250 break;
2251
2252 case 2:
bfaaeb3e 2253 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2254 break;
2255
2256 case 4:
bfaaeb3e 2257 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2258 break;
2259
2260 default:
2261 *val = (unsigned long) opt->val;
2262 break;
2263 }
2264
2265 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2266 return len;
2267}
2268
1da177e4
LT		 2269static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2270{
2271 struct l2cap_conf_opt *opt = *ptr;
2272
2273 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2274
2275 opt->type = type;
2276 opt->len = len;
2277
2278 switch (len) {
2279 case 1:
2280 *((u8 *) opt->val) = val;
2281 break;
2282
2283 case 2:
4f8b691c 2284 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2285 break;
2286
2287 case 4:
4f8b691c 2288 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2289 break;
2290
2291 default:
2292 memcpy(opt->val, (void *) val, len);
2293 break;
2294 }
2295
2296 *ptr += L2CAP_CONF_OPT_SIZE + len;
2297}
2298
f89cef09
AE		 2299static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2300{
2301 struct l2cap_conf_efs efs;
2302
1ec918ce 2303 switch (chan->mode) {
f89cef09
AE		 2304 case L2CAP_MODE_ERTM:
2305 efs.id = chan->local_id;
2306 efs.stype = chan->local_stype;
2307 efs.msdu = cpu_to_le16(chan->local_msdu);
2308 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2309 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2310 efs.flush_to = cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
2311 break;
2312
2313 case L2CAP_MODE_STREAMING:
2314 efs.id = 1;
2315 efs.stype = L2CAP_SERV_BESTEFFORT;
2316 efs.msdu = cpu_to_le16(chan->local_msdu);
2317 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2318 efs.acc_lat = 0;
2319 efs.flush_to = 0;
2320 break;
2321
2322 default:
2323 return;
2324 }
2325
2326 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
2327 (unsigned long) &efs);
2328}
2329
721c4181 2330static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2331{
721c4181
GP		 2332 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2333 ack_timer.work);
c1b4f43b 2334
2fb9b3d4
GP		 2335 BT_DBG("chan %p", chan);
2336
6be36555
AE		 2337 l2cap_chan_lock(chan);
2338
b17e73bb 2339 __l2cap_send_ack(chan);
6be36555
AE		 2340
2341 l2cap_chan_unlock(chan);
09bfb2ee
SJ		 2342
2343 l2cap_chan_put(chan);
c1b4f43b
GP		 2344}
2345
3c588192 2346static inline int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2347{
3c588192
MM		 2348 int err;
2349
105bdf9e
MM		 2350 chan->next_tx_seq = 0;
2351 chan->expected_tx_seq = 0;
42e5c802 2352 chan->expected_ack_seq = 0;
6a026610 2353 chan->unacked_frames = 0;
42e5c802 2354 chan->buffer_seq = 0;
6a026610
GP		 2355 chan->num_acked = 0;
2356 chan->frames_sent = 0;
105bdf9e
MM		 2357 chan->last_acked_seq = 0;
2358 chan->sdu = NULL;
2359 chan->sdu_last_frag = NULL;
2360 chan->sdu_len = 0;
2361
d34c34fb
MM		 2362 skb_queue_head_init(&chan->tx_q);
2363
105bdf9e
MM		 2364 if (chan->mode != L2CAP_MODE_ERTM)
2365 return 0;
2366
2367 chan->rx_state = L2CAP_RX_STATE_RECV;
2368 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2369
721c4181
GP		 2370 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2371 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2372 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2373
f1c6775b 2374 skb_queue_head_init(&chan->srej_q);
1890d36b 2375
39d5a3ee 2376 INIT_LIST_HEAD(&chan->srej_l);
3c588192
MM		 2377 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2378 if (err < 0)
2379 return err;
2380
2381 return l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
0565c1c2
GP		 2382}
2383
f2fcfcd6
GP		 2384static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2385{
2386 switch (mode) {
2387 case L2CAP_MODE_STREAMING:
2388 case L2CAP_MODE_ERTM:
2389 if (l2cap_mode_supported(mode, remote_feat_mask))
2390 return mode;
2391 /* fall through */
2392 default:
2393 return L2CAP_MODE_BASIC;
2394 }
2395}
2396
6327eb98
AE		 2397static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2398{
2399 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2400}
2401
f89cef09
AE		 2402static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2403{
2404 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2405}
2406
6327eb98
AE		 2407static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2408{
2409 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 2410 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2411 /* use extended control field */
2412 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2413 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2414 } else {
6327eb98
AE		 2415 chan->tx_win = min_t(u16, chan->tx_win,
2416 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2417 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2418 }
6327eb98
AE		 2419}
2420
710f9b0a 2421static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2422{
1da177e4 2423 struct l2cap_conf_req *req = data;
0c1bc5c6 2424 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2425 void *ptr = req->data;
c8f79162 2426 u16 size;
1da177e4 2427
49208c9c 2428 BT_DBG("chan %p", chan);
1da177e4 2429
73ffa904 2430 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2431 goto done;
2432
0c1bc5c6 2433 switch (chan->mode) {
f2fcfcd6
GP		 2434 case L2CAP_MODE_STREAMING:
2435 case L2CAP_MODE_ERTM:
c1360a1c 2436 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2437 break;
85eb53c6 2438
f89cef09
AE		 2439 if (__l2cap_efs_supported(chan))
2440 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2441
2ba13ed6 2442 /* fall through */
f2fcfcd6 2443 default:
8c1d787b 2444 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2445 break;
2446 }
2447
2448done:
0c1bc5c6
GP		 2449 if (chan->imtu != L2CAP_DEFAULT_MTU)
2450 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2451
0c1bc5c6 2452 switch (chan->mode) {
65c7c491 2453 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2454 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2455 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2456 break;
2457
62547752
GP		 2458 rfc.mode = L2CAP_MODE_BASIC;
2459 rfc.txwin_size = 0;
2460 rfc.max_transmit = 0;
2461 rfc.retrans_timeout = 0;
2462 rfc.monitor_timeout = 0;
2463 rfc.max_pdu_size = 0;
2464
63406504
GP		 2465 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2466 (unsigned long) &rfc);
65c7c491
MH		 2467 break;
2468
2469 case L2CAP_MODE_ERTM:
2470 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2471 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2472 rfc.retrans_timeout = 0;
2473 rfc.monitor_timeout = 0;
c8f79162
AE		 2474
2475 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2476 L2CAP_EXT_HDR_SIZE -
2477 L2CAP_SDULEN_SIZE -
2478 L2CAP_FCS_SIZE);
2479 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2480
6327eb98
AE		 2481 l2cap_txwin_setup(chan);
2482
2483 rfc.txwin_size = min_t(u16, chan->tx_win,
2484 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2485
63406504
GP		 2486 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2487 (unsigned long) &rfc);
2488
f89cef09
AE		 2489 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2490 l2cap_add_opt_efs(&ptr, chan);
2491
8c1d787b 2492 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2493 break;
2494
47d1ec61 2495 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2496 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2497 chan->fcs = L2CAP_FCS_NONE;
2498 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2499 }
6327eb98
AE		 2500
2501 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2502 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2503 chan->tx_win);
f2fcfcd6
GP		 2504 break;
2505
2506 case L2CAP_MODE_STREAMING:
2507 rfc.mode = L2CAP_MODE_STREAMING;
2508 rfc.txwin_size = 0;
2509 rfc.max_transmit = 0;
2510 rfc.retrans_timeout = 0;
2511 rfc.monitor_timeout = 0;
c8f79162
AE		 2512
2513 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2514 L2CAP_EXT_HDR_SIZE -
2515 L2CAP_SDULEN_SIZE -
2516 L2CAP_FCS_SIZE);
2517 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2518
63406504
GP		 2519 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2520 (unsigned long) &rfc);
2521
f89cef09
AE		 2522 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2523 l2cap_add_opt_efs(&ptr, chan);
2524
8c1d787b 2525 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2526 break;
2527
47d1ec61 2528 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2529 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2530 chan->fcs = L2CAP_FCS_NONE;
2531 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2532 }
65c7c491
MH		 2533 break;
2534 }
1da177e4 2535
fe4128e0 2536 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 2537 req->flags = cpu_to_le16(0);
1da177e4
LT		 2538
2539 return ptr - data;
2540}
2541
73ffa904 2542static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2543{
5dee9e7c
MH		 2544 struct l2cap_conf_rsp *rsp = data;
2545 void *ptr = rsp->data;
73ffa904
GP		 2546 void *req = chan->conf_req;
2547 int len = chan->conf_len;
5dee9e7c
MH		 2548 int type, hint, olen;
2549 unsigned long val;
6464f35f 2550 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2551 struct l2cap_conf_efs efs;
2552 u8 remote_efs = 0;
861d6882 2553 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2554 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2555 u16 size;
1da177e4 2556
73ffa904 2557 BT_DBG("chan %p", chan);
820ae1b8 2558
5dee9e7c
MH		 2559 while (len >= L2CAP_CONF_OPT_SIZE) {
2560 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2561
589d2746 2562 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2563 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2564
2565 switch (type) {
2566 case L2CAP_CONF_MTU:
861d6882 2567 mtu = val;
5dee9e7c
MH		 2568 break;
2569
2570 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2571 chan->flush_to = val;
5dee9e7c
MH		 2572 break;
2573
2574 case L2CAP_CONF_QOS:
2575 break;
2576
6464f35f
MH		 2577 case L2CAP_CONF_RFC:
2578 if (olen == sizeof(rfc))
2579 memcpy(&rfc, (void *) val, olen);
2580 break;
2581
fcc203c3
GP		 2582 case L2CAP_CONF_FCS:
2583 if (val == L2CAP_FCS_NONE)
c1360a1c 2584 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 2585 break;
fcc203c3 2586
42dceae2
AE		 2587 case L2CAP_CONF_EFS:
2588 remote_efs = 1;
2589 if (olen == sizeof(efs))
2590 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 2591 break;
2592
6327eb98
AE		 2593 case L2CAP_CONF_EWS:
2594 if (!enable_hs)
2595 return -ECONNREFUSED;
fcc203c3 2596
6327eb98
AE		 2597 set_bit(FLAG_EXT_CTRL, &chan->flags);
2598 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 2599 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 2600 chan->remote_tx_win = val;
fcc203c3
GP		 2601 break;
2602
5dee9e7c
MH		 2603 default:
2604 if (hint)
2605 break;
2606
2607 result = L2CAP_CONF_UNKNOWN;
2608 *((u8 *) ptr++) = type;
2609 break;
2610 }
2611 }
2612
73ffa904 2613 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2614 goto done;
2615
0c1bc5c6 2616 switch (chan->mode) {
f2fcfcd6
GP		 2617 case L2CAP_MODE_STREAMING:
2618 case L2CAP_MODE_ERTM:
c1360a1c 2619 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2620 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2621 chan->conn->feat_mask);
85eb53c6
GP		 2622 break;
2623 }
2624
42dceae2
AE		 2625 if (remote_efs) {
2626 if (__l2cap_efs_supported(chan))
2627 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2628 else
2629 return -ECONNREFUSED;
2630 }
2631
0c1bc5c6 2632 if (chan->mode != rfc.mode)
f2fcfcd6 2633 return -ECONNREFUSED;
742e519b 2634
f2fcfcd6 2635 break;
f2fcfcd6
GP		 2636 }
2637
2638done:
0c1bc5c6 2639 if (chan->mode != rfc.mode) {
f2fcfcd6 2640 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2641 rfc.mode = chan->mode;
f2fcfcd6 2642
73ffa904 2643 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2644 return -ECONNREFUSED;
2645
2646 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2647 sizeof(rfc), (unsigned long) &rfc);
2648 }
2649
5dee9e7c
MH		 2650 if (result == L2CAP_CONF_SUCCESS) {
2651 /* Configure output options and let the other side know
2652 * which ones we don't like. */
2653
f2fcfcd6
GP		 2654 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2655 result = L2CAP_CONF_UNACCEPT;
2656 else {
0c1bc5c6 2657 chan->omtu = mtu;
c1360a1c 2658 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 2659 }
0c1bc5c6 2660 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2661
42dceae2
AE		 2662 if (remote_efs) {
2663 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2664 efs.stype != L2CAP_SERV_NOTRAFIC &&
2665 efs.stype != chan->local_stype) {
2666
2667 result = L2CAP_CONF_UNACCEPT;
2668
2669 if (chan->num_conf_req >= 1)
2670 return -ECONNREFUSED;
2671
2672 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 2673 sizeof(efs),
42dceae2 2674 (unsigned long) &efs);
0e8b207e 2675 } else {
3e6b3b95 2676 /* Send PENDING Conf Rsp */
0e8b207e
AE		 2677 result = L2CAP_CONF_PENDING;
2678 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 2679 }
2680 }
2681
f2fcfcd6
GP		 2682 switch (rfc.mode) {
2683 case L2CAP_MODE_BASIC:
47d1ec61 2684 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2685 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 2686 break;
2687
2688 case L2CAP_MODE_ERTM:
6327eb98
AE		 2689 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
2690 chan->remote_tx_win = rfc.txwin_size;
2691 else
2692 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 2693
2c03a7a4 2694 chan->remote_max_tx = rfc.max_transmit;
1c762159 2695
c8f79162
AE		 2696 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2697 chan->conn->mtu -
2698 L2CAP_EXT_HDR_SIZE -
2699 L2CAP_SDULEN_SIZE -
2700 L2CAP_FCS_SIZE);
2701 rfc.max_pdu_size = cpu_to_le16(size);
2702 chan->remote_mps = size;
f2fcfcd6 2703
10467e9e 2704 rfc.retrans_timeout =
4fd21a88 2705 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
10467e9e 2706 rfc.monitor_timeout =
4fd21a88 2707 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2708
c1360a1c 2709 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2710
2711 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2712 sizeof(rfc), (unsigned long) &rfc);
2713
42dceae2
AE		 2714 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2715 chan->remote_id = efs.id;
2716 chan->remote_stype = efs.stype;
2717 chan->remote_msdu = le16_to_cpu(efs.msdu);
2718 chan->remote_flush_to =
2719 le32_to_cpu(efs.flush_to);
2720 chan->remote_acc_lat =
2721 le32_to_cpu(efs.acc_lat);
2722 chan->remote_sdu_itime =
2723 le32_to_cpu(efs.sdu_itime);
2724 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2725 sizeof(efs), (unsigned long) &efs);
2726 }
f2fcfcd6
GP		 2727 break;
2728
2729 case L2CAP_MODE_STREAMING:
c8f79162
AE		 2730 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2731 chan->conn->mtu -
2732 L2CAP_EXT_HDR_SIZE -
2733 L2CAP_SDULEN_SIZE -
2734 L2CAP_FCS_SIZE);
2735 rfc.max_pdu_size = cpu_to_le16(size);
2736 chan->remote_mps = size;
f2fcfcd6 2737
c1360a1c 2738 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2739
2740 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2741 sizeof(rfc), (unsigned long) &rfc);
2742
f2fcfcd6
GP		 2743 break;
2744
2745 default:
5dee9e7c 2746 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2747
6464f35f 2748 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2749 rfc.mode = chan->mode;
f2fcfcd6 2750 }
6464f35f 2751
f2fcfcd6 2752 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 2753 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 2754 }
fe4128e0 2755 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2756 rsp->result = cpu_to_le16(result);
2757 rsp->flags = cpu_to_le16(0x0000);
2758
2759 return ptr - data;
1da177e4
LT		 2760}
2761
b4450035 2762static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2763{
f2fcfcd6
GP		 2764 struct l2cap_conf_req *req = data;
2765 void *ptr = req->data;
2766 int type, olen;
2767 unsigned long val;
36e999a8 2768 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 2769 struct l2cap_conf_efs efs;
f2fcfcd6 2770
fe4128e0 2771 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 2772
2773 while (len >= L2CAP_CONF_OPT_SIZE) {
2774 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2775
2776 switch (type) {
2777 case L2CAP_CONF_MTU:
2778 if (val < L2CAP_DEFAULT_MIN_MTU) {
2779 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2780 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2781 } else
0c1bc5c6
GP		 2782 chan->imtu = val;
2783 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 2784 break;
2785
2786 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2787 chan->flush_to = val;
f2fcfcd6 2788 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 2789 2, chan->flush_to);
f2fcfcd6
GP		 2790 break;
2791
2792 case L2CAP_CONF_RFC:
2793 if (olen == sizeof(rfc))
2794 memcpy(&rfc, (void *)val, olen);
2795
c1360a1c 2796 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 2797 rfc.mode != chan->mode)
f2fcfcd6
GP		 2798 return -ECONNREFUSED;
2799
47d1ec61 2800 chan->fcs = 0;
f2fcfcd6
GP		 2801
2802 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2803 sizeof(rfc), (unsigned long) &rfc);
2804 break;
6327eb98
AE		 2805
2806 case L2CAP_CONF_EWS:
2807 chan->tx_win = min_t(u16, val,
2808 L2CAP_DEFAULT_EXT_WINDOW);
3e6b3b95
GP		 2809 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2810 chan->tx_win);
6327eb98 2811 break;
66af7aaf
AE		 2812
2813 case L2CAP_CONF_EFS:
2814 if (olen == sizeof(efs))
2815 memcpy(&efs, (void *)val, olen);
2816
2817 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2818 efs.stype != L2CAP_SERV_NOTRAFIC &&
2819 efs.stype != chan->local_stype)
2820 return -ECONNREFUSED;
2821
2822 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2823 sizeof(efs), (unsigned long) &efs);
2824 break;
f2fcfcd6
GP		 2825 }
2826 }
2827
0c1bc5c6 2828 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 2829 return -ECONNREFUSED;
2830
0c1bc5c6 2831 chan->mode = rfc.mode;
6c2ea7a8 2832
0e8b207e 2833 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 2834 switch (rfc.mode) {
2835 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2836 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2837 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2838 chan->mps = le16_to_cpu(rfc.max_pdu_size);
66af7aaf
AE		 2839
2840 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2841 chan->local_msdu = le16_to_cpu(efs.msdu);
2842 chan->local_sdu_itime =
2843 le32_to_cpu(efs.sdu_itime);
2844 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
2845 chan->local_flush_to =
2846 le32_to_cpu(efs.flush_to);
2847 }
f2fcfcd6 2848 break;
66af7aaf 2849
f2fcfcd6 2850 case L2CAP_MODE_STREAMING:
47d1ec61 2851 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2852 }
2853 }
2854
fe4128e0 2855 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 2856 req->flags = cpu_to_le16(0x0000);
2857
2858 return ptr - data;
2859}
2860
fe4128e0 2861static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 2862{
2863 struct l2cap_conf_rsp *rsp = data;
2864 void *ptr = rsp->data;
1da177e4 2865
fe4128e0 2866 BT_DBG("chan %p", chan);
1da177e4 2867
fe4128e0 2868 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 2869 rsp->result = cpu_to_le16(result);
aca3192c 2870 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2871
2872 return ptr - data;
2873}
2874
8c1d787b 2875void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 2876{
2877 struct l2cap_conn_rsp rsp;
8c1d787b 2878 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 2879 u8 buf[128];
2880
fe4128e0
GP		 2881 rsp.scid = cpu_to_le16(chan->dcid);
2882 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 2883 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2884 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2885 l2cap_send_cmd(conn, chan->ident,
2886 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2887
c1360a1c 2888 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 2889 return;
2890
710f9b0a
GP		 2891 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2892 l2cap_build_conf_req(chan, buf), buf);
2893 chan->num_conf_req++;
2894}
2895
47d1ec61 2896static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 2897{
7b1c0049
GP		 2898 int type, olen;
2899 unsigned long val;
2900 struct l2cap_conf_rfc rfc;
2901
47d1ec61 2902 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 2903
0c1bc5c6 2904 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 2905 return;
2906
2907 while (len >= L2CAP_CONF_OPT_SIZE) {
2908 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2909
2910 switch (type) {
2911 case L2CAP_CONF_RFC:
2912 if (olen == sizeof(rfc))
2913 memcpy(&rfc, (void *)val, olen);
2914 goto done;
2915 }
2916 }
2917
36e999a8
MM		 2918 /* Use sane default values in case a misbehaving remote device
2919 * did not send an RFC option.
2920 */
2921 rfc.mode = chan->mode;
2922 rfc.retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
2923 rfc.monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
2924 rfc.max_pdu_size = cpu_to_le16(chan->imtu);
2925
2926 BT_ERR("Expected RFC option was not found, using defaults");
2927
7b1c0049
GP		 2928done:
2929 switch (rfc.mode) {
2930 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2931 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2932 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2933 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2934 break;
2935 case L2CAP_MODE_STREAMING:
47d1ec61 2936 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2937 }
2938}
2939
4e8402a3
MH		 2940static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2941{
e2fd318e 2942 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 2943
e2fd318e 2944 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 2945 return 0;
2946
2947 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2948 cmd->ident == conn->info_ident) {
17cd3f37 2949 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 2950
2951 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2952 conn->info_ident = 0;
984947dc 2953
4e8402a3
MH		 2954 l2cap_conn_start(conn);
2955 }
2956
2957 return 0;
2958}
2959
1da177e4
LT		 2960static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2961{
1da177e4
LT		 2962 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2963 struct l2cap_conn_rsp rsp;
23691d75 2964 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 2965 struct sock *parent, *sk = NULL;
e7c29cb1 2966 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2967
2968 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2969 __le16 psm = req->psm;
1da177e4 2970
097db76c 2971 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 2972
2973 /* Check if we have socket listening on psm */
c2287681 2974 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 2975 if (!pchan) {
1da177e4
LT		 2976 result = L2CAP_CR_BAD_PSM;
2977 goto sendresp;
2978 }
2979
23691d75
GP		 2980 parent = pchan->sk;
2981
3df91ea2 2982 mutex_lock(&conn->chan_lock);
aa2ac881 2983 lock_sock(parent);
e0f0cb56 2984
e7c29cb1
MH		 2985 /* Check if the ACL is secure enough (if not SDP) */
2986 if (psm != cpu_to_le16(0x0001) &&
2987 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 2988 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 2989 result = L2CAP_CR_SEC_BLOCK;
2990 goto response;
2991 }
2992
1da177e4
LT		 2993 result = L2CAP_CR_NO_MEM;
2994
2995 /* Check for backlog size */
2996 if (sk_acceptq_is_full(parent)) {
8e87d142 2997 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2998 goto response;
2999 }
3000
80808e43
GP		 3001 chan = pchan->ops->new_connection(pchan->data);
3002 if (!chan)
1da177e4
LT		 3003 goto response;
3004
80808e43
GP		 3005 sk = chan->sk;
3006
1da177e4 3007 /* Check if we already have channel with that dcid */
baa7e1fa 3008 if (__l2cap_get_chan_by_dcid(conn, scid)) {
1da177e4 3009 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 3010 chan->ops->close(chan->data);
1da177e4
LT		 3011 goto response;
3012 }
3013
3014 hci_conn_hold(conn->hcon);
3015
1da177e4
LT		 3016 bacpy(&bt_sk(sk)->src, conn->src);
3017 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3018 chan->psm = psm;
3019 chan->dcid = scid;
1da177e4 3020
d1010240
GP		 3021 bt_accept_enqueue(parent, sk);
3022
6be36555 3023 __l2cap_chan_add(conn, chan);
48454079 3024
fe4128e0 3025 dcid = chan->scid;
1da177e4 3026
c9b66675 3027 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3028
fc7f8a7e 3029 chan->ident = cmd->ident;
1da177e4 3030
984947dc 3031 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3032 if (l2cap_chan_check_security(chan)) {
f66dc81f 3033 if (bt_sk(sk)->defer_setup) {
0e587be7 3034 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3035 result = L2CAP_CR_PEND;
3036 status = L2CAP_CS_AUTHOR_PEND;
3037 parent->sk_data_ready(parent, 0);
3038 } else {
0e587be7 3039 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 3040 result = L2CAP_CR_SUCCESS;
3041 status = L2CAP_CS_NO_INFO;
3042 }
79d554a6 3043 } else {
0e587be7 3044 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3045 result = L2CAP_CR_PEND;
3046 status = L2CAP_CS_AUTHEN_PEND;
3047 }
3048 } else {
0e587be7 3049 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3050 result = L2CAP_CR_PEND;
3051 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3052 }
3053
1da177e4 3054response:
aa2ac881 3055 release_sock(parent);
3df91ea2 3056 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3057
3058sendresp:
aca3192c
YH		 3059 rsp.scid = cpu_to_le16(scid);
3060 rsp.dcid = cpu_to_le16(dcid);
3061 rsp.result = cpu_to_le16(result);
3062 rsp.status = cpu_to_le16(status);
1da177e4 3063 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 3064
3065 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3066 struct l2cap_info_req info;
3067 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3068
3069 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3070 conn->info_ident = l2cap_get_ident(conn);
3071
ba13ccd9 3072 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 3073
3074 l2cap_send_cmd(conn, conn->info_ident,
3075 L2CAP_INFO_REQ, sizeof(info), &info);
3076 }
3077
c1360a1c 3078 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 3079 result == L2CAP_CR_SUCCESS) {
3080 u8 buf[128];
c1360a1c 3081 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3082 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3083 l2cap_build_conf_req(chan, buf), buf);
3084 chan->num_conf_req++;
e9aeb2dd
GP		 3085 }
3086
1da177e4
LT		 3087 return 0;
3088}
3089
3090static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3091{
3092 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3093 u16 scid, dcid, result, status;
48454079 3094 struct l2cap_chan *chan;
1da177e4 3095 u8 req[128];
3df91ea2 3096 int err;
1da177e4
LT		 3097
3098 scid = __le16_to_cpu(rsp->scid);
3099 dcid = __le16_to_cpu(rsp->dcid);
3100 result = __le16_to_cpu(rsp->result);
3101 status = __le16_to_cpu(rsp->status);
3102
1b009c98
AE		 3103 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3104 dcid, scid, result, status);
1da177e4 3105
3df91ea2
AE		 3106 mutex_lock(&conn->chan_lock);
3107
1da177e4 3108 if (scid) {
3df91ea2
AE		 3109 chan = __l2cap_get_chan_by_scid(conn, scid);
3110 if (!chan) {
3111 err = -EFAULT;
3112 goto unlock;
3113 }
1da177e4 3114 } else {
3df91ea2
AE		 3115 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3116 if (!chan) {
3117 err = -EFAULT;
3118 goto unlock;
3119 }
1da177e4
LT		 3120 }
3121
3df91ea2
AE		 3122 err = 0;
3123
6be36555 3124 l2cap_chan_lock(chan);
48454079 3125
1da177e4
LT		 3126 switch (result) {
3127 case L2CAP_CR_SUCCESS:
89bc500e 3128 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3129 chan->ident = 0;
fe4128e0 3130 chan->dcid = dcid;
c1360a1c 3131 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3132
c1360a1c 3133 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3134 break;
3135
1da177e4 3136 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3137 l2cap_build_conf_req(chan, req), req);
3138 chan->num_conf_req++;
1da177e4
LT		 3139 break;
3140
3141 case L2CAP_CR_PEND:
c1360a1c 3142 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3143 break;
3144
3145 default:
48454079 3146 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3147 break;
3148 }
3149
6be36555 3150 l2cap_chan_unlock(chan);
3df91ea2
AE		 3151
3152unlock:
3153 mutex_unlock(&conn->chan_lock);
3154
3155 return err;
1da177e4
LT		 3156}
3157
47d1ec61 3158static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3159{
3160 /* FCS is enabled only in ERTM or streaming mode, if one or both
3161 * sides request it.
3162 */
0c1bc5c6 3163 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3164 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3165 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3166 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3167}
3168
88219a0f 3169static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 3170{
3171 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3172 u16 dcid, flags;
3173 u8 rsp[64];
48454079 3174 struct l2cap_chan *chan;
3c588192 3175 int len, err = 0;
1da177e4
LT		 3176
3177 dcid = __le16_to_cpu(req->dcid);
3178 flags = __le16_to_cpu(req->flags);
3179
3180 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3181
baa7e1fa 3182 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3183 if (!chan)
1da177e4
LT		 3184 return -ENOENT;
3185
6be36555 3186 l2cap_chan_lock(chan);
48454079 3187
033b1142 3188 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3189 struct l2cap_cmd_rej_cid rej;
3190
3191 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
3192 rej.scid = cpu_to_le16(chan->scid);
3193 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3194
df6bd743
GP		 3195 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
3196 sizeof(rej), &rej);
354f60a9 3197 goto unlock;
df6bd743 3198 }
354f60a9 3199
5dee9e7c 3200 /* Reject if config buffer is too small. */
88219a0f 3201 len = cmd_len - sizeof(*req);
7ac28817 3202 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3203 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3204 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 3205 L2CAP_CONF_REJECT, flags), rsp);
3206 goto unlock;
3207 }
3208
3209 /* Store config. */
73ffa904
GP		 3210 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3211 chan->conf_len += len;
1da177e4
LT		 3212
3213 if (flags & 0x0001) {
3214 /* Incomplete config. Send empty response. */
3215 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3216 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 3217 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 3218 goto unlock;
3219 }
3220
3221 /* Complete config. */
73ffa904 3222 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3223 if (len < 0) {
e92c8e70 3224 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 3225 goto unlock;
f2fcfcd6 3226 }
1da177e4 3227
5dee9e7c 3228 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3229 chan->num_conf_rsp++;
5dee9e7c 3230
5dee9e7c 3231 /* Reset config buffer. */
73ffa904 3232 chan->conf_len = 0;
5dee9e7c 3233
c1360a1c 3234 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3235 goto unlock;
3236
c1360a1c 3237 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3238 set_default_fcs(chan);
fcc203c3 3239
89bc500e 3240 l2cap_state_change(chan, BT_CONNECTED);
e90bac06 3241
105bdf9e
MM		 3242 if (chan->mode == L2CAP_MODE_ERTM ||
3243 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3244 err = l2cap_ertm_init(chan);
3245
3246 if (err < 0)
3247 l2cap_send_disconn_req(chan->conn, chan, -err);
3248 else
3249 l2cap_chan_ready(chan);
0565c1c2 3250
876d9484
MH		 3251 goto unlock;
3252 }
3253
c1360a1c 3254 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3255 u8 buf[64];
1da177e4 3256 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3257 l2cap_build_conf_req(chan, buf), buf);
3258 chan->num_conf_req++;
1da177e4
LT		 3259 }
3260
0e8b207e
AE		 3261 /* Got Conf Rsp PENDING from remote side and asume we sent
3262 Conf Rsp PENDING in the code above */
3263 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
3264 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3265
3266 /* check compatibility */
3267
3268 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3269 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3270
3271 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3272 l2cap_build_conf_rsp(chan, rsp,
0e8b207e
AE		 3273 L2CAP_CONF_SUCCESS, 0x0000), rsp);
3274 }
3275
1da177e4 3276unlock:
6be36555 3277 l2cap_chan_unlock(chan);
3c588192 3278 return err;
1da177e4
LT		 3279}
3280
3281static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3282{
3283 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3284 u16 scid, flags, result;
48454079 3285 struct l2cap_chan *chan;
61386cba 3286 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3287 int err = 0;
1da177e4
LT		 3288
3289 scid = __le16_to_cpu(rsp->scid);
3290 flags = __le16_to_cpu(rsp->flags);
3291 result = __le16_to_cpu(rsp->result);
3292
61386cba
AE		 3293 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3294 result, len);
1da177e4 3295
baa7e1fa 3296 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3297 if (!chan)
1da177e4
LT		 3298 return 0;
3299
6be36555 3300 l2cap_chan_lock(chan);
48454079 3301
1da177e4
LT		 3302 switch (result) {
3303 case L2CAP_CONF_SUCCESS:
47d1ec61 3304 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3305 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3306 break;
3307
0e8b207e
AE		 3308 case L2CAP_CONF_PENDING:
3309 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3310
3311 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3312 char buf[64];
3313
3314 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3315 buf, &result);
3316 if (len < 0) {
3317 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3318 goto done;
3319 }
3320
3321 /* check compatibility */
3322
3323 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3324 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3325
3326 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3327 l2cap_build_conf_rsp(chan, buf,
0e8b207e
AE		 3328 L2CAP_CONF_SUCCESS, 0x0000), buf);
3329 }
3330 goto done;
3331
1da177e4 3332 case L2CAP_CONF_UNACCEPT:
73ffa904 3333 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3334 char req[64];
3335
c2c77ec8 3336 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 3337 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 3338 goto done;
3339 }
3340
f2fcfcd6
GP		 3341 /* throw out any old stored conf requests */
3342 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 3343 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3344 req, &result);
f2fcfcd6 3345 if (len < 0) {
e92c8e70 3346 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 3347 goto done;
3348 }
3349
3350 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3351 L2CAP_CONF_REQ, len, req);
73ffa904 3352 chan->num_conf_req++;
f2fcfcd6
GP		 3353 if (result != L2CAP_CONF_SUCCESS)
3354 goto done;
3355 break;
1da177e4
LT		 3356 }
3357
8e87d142 3358 default:
6be36555 3359 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 3360
ba13ccd9 3361 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 3362 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 3363 goto done;
3364 }
3365
3366 if (flags & 0x01)
3367 goto done;
3368
c1360a1c 3369 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 3370
c1360a1c 3371 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 3372 set_default_fcs(chan);
fcc203c3 3373
89bc500e 3374 l2cap_state_change(chan, BT_CONNECTED);
105bdf9e
MM		 3375 if (chan->mode == L2CAP_MODE_ERTM ||
3376 chan->mode == L2CAP_MODE_STREAMING)
3c588192 3377 err = l2cap_ertm_init(chan);
0565c1c2 3378
3c588192
MM		 3379 if (err < 0)
3380 l2cap_send_disconn_req(chan->conn, chan, -err);
3381 else
3382 l2cap_chan_ready(chan);
1da177e4
LT		 3383 }
3384
3385done:
6be36555 3386 l2cap_chan_unlock(chan);
3c588192 3387 return err;
1da177e4
LT		 3388}
3389
3390static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3391{
3392 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3393 struct l2cap_disconn_rsp rsp;
3394 u16 dcid, scid;
48454079 3395 struct l2cap_chan *chan;
1da177e4
LT		 3396 struct sock *sk;
3397
3398 scid = __le16_to_cpu(req->scid);
3399 dcid = __le16_to_cpu(req->dcid);
3400
3401 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3402
3df91ea2
AE		 3403 mutex_lock(&conn->chan_lock);
3404
3405 chan = __l2cap_get_chan_by_scid(conn, dcid);
3406 if (!chan) {
3407 mutex_unlock(&conn->chan_lock);
1da177e4 3408 return 0;
3df91ea2 3409 }
1da177e4 3410
6be36555
AE		 3411 l2cap_chan_lock(chan);
3412
48454079
GP		 3413 sk = chan->sk;
3414
fe4128e0
GP		 3415 rsp.dcid = cpu_to_le16(chan->scid);
3416 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3417 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3418
6be36555 3419 lock_sock(sk);
1da177e4 3420 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 3421 release_sock(sk);
1da177e4 3422
61d6ef3e 3423 l2cap_chan_hold(chan);
48454079 3424 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 3425
3426 l2cap_chan_unlock(chan);
1da177e4 3427
ba3bd0ee 3428 chan->ops->close(chan->data);
61d6ef3e 3429 l2cap_chan_put(chan);
3df91ea2
AE		 3430
3431 mutex_unlock(&conn->chan_lock);
3432
1da177e4
LT		 3433 return 0;
3434}
3435
3436static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3437{
3438 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3439 u16 dcid, scid;
48454079 3440 struct l2cap_chan *chan;
1da177e4
LT		 3441
3442 scid = __le16_to_cpu(rsp->scid);
3443 dcid = __le16_to_cpu(rsp->dcid);
3444
3445 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3446
3df91ea2
AE		 3447 mutex_lock(&conn->chan_lock);
3448
3449 chan = __l2cap_get_chan_by_scid(conn, scid);
3450 if (!chan) {
3451 mutex_unlock(&conn->chan_lock);
1da177e4 3452 return 0;
3df91ea2 3453 }
1da177e4 3454
6be36555 3455 l2cap_chan_lock(chan);
48454079 3456
61d6ef3e 3457 l2cap_chan_hold(chan);
48454079 3458 l2cap_chan_del(chan, 0);
6be36555
AE		 3459
3460 l2cap_chan_unlock(chan);
1da177e4 3461
ba3bd0ee 3462 chan->ops->close(chan->data);
61d6ef3e 3463 l2cap_chan_put(chan);
3df91ea2
AE		 3464
3465 mutex_unlock(&conn->chan_lock);
3466
1da177e4
LT		 3467 return 0;
3468}
3469
3470static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3471{
3472 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3473 u16 type;
3474
3475 type = __le16_to_cpu(req->type);
3476
3477 BT_DBG("type 0x%4.4x", type);
3478
f0709e03
MH		 3479 if (type == L2CAP_IT_FEAT_MASK) {
3480 u8 buf[8];
44dd46de 3481 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 3482 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3483 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3484 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3485 if (!disable_ertm)
fcc203c3
GP		 3486 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3487 | L2CAP_FEAT_FCS;
a5fd6f30 3488 if (enable_hs)
6327eb98
AE		 3489 feat_mask |= L2CAP_FEAT_EXT_FLOW
3490 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3491
1b7bf4ed 3492 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3493 l2cap_send_cmd(conn, cmd->ident,
3494 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3495 } else if (type == L2CAP_IT_FIXED_CHAN) {
3496 u8 buf[12];
3497 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3498
3499 if (enable_hs)
3500 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3501 else
3502 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3503
e1027a7c
MH		 3504 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3505 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3506 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH		 3507 l2cap_send_cmd(conn, cmd->ident,
3508 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3509 } else {
3510 struct l2cap_info_rsp rsp;
3511 rsp.type = cpu_to_le16(type);
3512 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3513 l2cap_send_cmd(conn, cmd->ident,
3514 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3515 }
1da177e4
LT		 3516
3517 return 0;
3518}
3519
3520static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3521{
3522 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3523 u16 type, result;
3524
3525 type = __le16_to_cpu(rsp->type);
3526 result = __le16_to_cpu(rsp->result);
3527
3528 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3529
e90165be
AE		 3530 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3531 if (cmd->ident != conn->info_ident ||
3532 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3533 return 0;
3534
17cd3f37 3535 cancel_delayed_work(&conn->info_timer);
4e8402a3 3536
adb08ede
VT		 3537 if (result != L2CAP_IR_SUCCESS) {
3538 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3539 conn->info_ident = 0;
3540
3541 l2cap_conn_start(conn);
3542
3543 return 0;
3544 }
3545
978c93b9
AE		 3546 switch (type) {
3547 case L2CAP_IT_FEAT_MASK:
83985319 3548 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3549
47ec1dcd 3550 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 3551 struct l2cap_info_req req;
3552 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3553
3554 conn->info_ident = l2cap_get_ident(conn);
3555
3556 l2cap_send_cmd(conn, conn->info_ident,
3557 L2CAP_INFO_REQ, sizeof(req), &req);
3558 } else {
3559 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3560 conn->info_ident = 0;
3561
3562 l2cap_conn_start(conn);
3563 }
978c93b9
AE		 3564 break;
3565
3566 case L2CAP_IT_FIXED_CHAN:
3567 conn->fixed_chan_mask = rsp->data[0];
984947dc 3568 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3569 conn->info_ident = 0;
984947dc
MH		 3570
3571 l2cap_conn_start(conn);
978c93b9 3572 break;
984947dc 3573 }
4e8402a3 3574
1da177e4
LT		 3575 return 0;
3576}
3577
f94ff6ff
MM		 3578static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3579 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3580 void *data)
3581{
3582 struct l2cap_create_chan_req *req = data;
3583 struct l2cap_create_chan_rsp rsp;
3584 u16 psm, scid;
3585
3586 if (cmd_len != sizeof(*req))
3587 return -EPROTO;
3588
3589 if (!enable_hs)
3590 return -EINVAL;
3591
3592 psm = le16_to_cpu(req->psm);
3593 scid = le16_to_cpu(req->scid);
3594
3595 BT_DBG("psm %d, scid %d, amp_id %d", psm, scid, req->amp_id);
3596
3597 /* Placeholder: Always reject */
3598 rsp.dcid = 0;
3599 rsp.scid = cpu_to_le16(scid);
8ce0c498
AE		 3600 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
3601 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f94ff6ff
MM		 3602
3603 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
3604 sizeof(rsp), &rsp);
3605
3606 return 0;
3607}
3608
3609static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
3610 struct l2cap_cmd_hdr *cmd, void *data)
3611{
3612 BT_DBG("conn %p", conn);
3613
3614 return l2cap_connect_rsp(conn, cmd, data);
3615}
3616
8d5a04a1
MM		 3617static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
3618 u16 icid, u16 result)
3619{
3620 struct l2cap_move_chan_rsp rsp;
3621
3622 BT_DBG("icid %d, result %d", icid, result);
3623
3624 rsp.icid = cpu_to_le16(icid);
3625 rsp.result = cpu_to_le16(result);
3626
3627 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
3628}
3629
3630static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
3631 struct l2cap_chan *chan, u16 icid, u16 result)
3632{
3633 struct l2cap_move_chan_cfm cfm;
3634 u8 ident;
3635
3636 BT_DBG("icid %d, result %d", icid, result);
3637
3638 ident = l2cap_get_ident(conn);
3639 if (chan)
3640 chan->ident = ident;
3641
3642 cfm.icid = cpu_to_le16(icid);
3643 cfm.result = cpu_to_le16(result);
3644
3645 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
3646}
3647
3648static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
3649 u16 icid)
3650{
3651 struct l2cap_move_chan_cfm_rsp rsp;
3652
3653 BT_DBG("icid %d", icid);
3654
3655 rsp.icid = cpu_to_le16(icid);
3656 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
3657}
3658
3659static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
3660 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3661{
3662 struct l2cap_move_chan_req *req = data;
3663 u16 icid = 0;
3664 u16 result = L2CAP_MR_NOT_ALLOWED;
3665
3666 if (cmd_len != sizeof(*req))
3667 return -EPROTO;
3668
3669 icid = le16_to_cpu(req->icid);
3670
3671 BT_DBG("icid %d, dest_amp_id %d", icid, req->dest_amp_id);
3672
3673 if (!enable_hs)
3674 return -EINVAL;
3675
3676 /* Placeholder: Always refuse */
3677 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
3678
3679 return 0;
3680}
3681
3682static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
3683 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3684{
3685 struct l2cap_move_chan_rsp *rsp = data;
3686 u16 icid, result;
3687
3688 if (cmd_len != sizeof(*rsp))
3689 return -EPROTO;
3690
3691 icid = le16_to_cpu(rsp->icid);
3692 result = le16_to_cpu(rsp->result);
3693
3694 BT_DBG("icid %d, result %d", icid, result);
3695
3696 /* Placeholder: Always unconfirmed */
3697 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
3698
3699 return 0;
3700}
3701
3702static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
3703 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3704{
3705 struct l2cap_move_chan_cfm *cfm = data;
3706 u16 icid, result;
3707
3708 if (cmd_len != sizeof(*cfm))
3709 return -EPROTO;
3710
3711 icid = le16_to_cpu(cfm->icid);
3712 result = le16_to_cpu(cfm->result);
3713
3714 BT_DBG("icid %d, result %d", icid, result);
3715
3716 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
3717
3718 return 0;
3719}
3720
3721static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
3722 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3723{
3724 struct l2cap_move_chan_cfm_rsp *rsp = data;
3725 u16 icid;
3726
3727 if (cmd_len != sizeof(*rsp))
3728 return -EPROTO;
3729
3730 icid = le16_to_cpu(rsp->icid);
3731
3732 BT_DBG("icid %d", icid);
3733
3734 return 0;
3735}
3736
e2174ca4 3737static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 3738 u16 to_multiplier)
3739{
3740 u16 max_latency;
3741
3742 if (min > max || min < 6 || max > 3200)
3743 return -EINVAL;
3744
3745 if (to_multiplier < 10 || to_multiplier > 3200)
3746 return -EINVAL;
3747
3748 if (max >= to_multiplier * 8)
3749 return -EINVAL;
3750
3751 max_latency = (to_multiplier * 8 / max) - 1;
3752 if (latency > 499 || latency > max_latency)
3753 return -EINVAL;
3754
3755 return 0;
3756}
3757
3758static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
3759 struct l2cap_cmd_hdr *cmd, u8 *data)
3760{
3761 struct hci_conn *hcon = conn->hcon;
3762 struct l2cap_conn_param_update_req *req;
3763 struct l2cap_conn_param_update_rsp rsp;
3764 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 3765 int err;
de73115a
CT		 3766
3767 if (!(hcon->link_mode & HCI_LM_MASTER))
3768 return -EINVAL;
3769
3770 cmd_len = __le16_to_cpu(cmd->len);
3771 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
3772 return -EPROTO;
3773
3774 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 3775 min = __le16_to_cpu(req->min);
3776 max = __le16_to_cpu(req->max);
de73115a
CT		 3777 latency = __le16_to_cpu(req->latency);
3778 to_multiplier = __le16_to_cpu(req->to_multiplier);
3779
3780 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
3781 min, max, latency, to_multiplier);
3782
3783 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 3784
3785 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
3786 if (err)
de73115a
CT		 3787 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
3788 else
3789 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
3790
3791 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
3792 sizeof(rsp), &rsp);
3793
2ce603eb
CT		 3794 if (!err)
3795 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
3796
de73115a
CT		 3797 return 0;
3798}
3799
3300d9a9
CT		 3800static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
3801 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3802{
3803 int err = 0;
3804
3805 switch (cmd->code) {
3806 case L2CAP_COMMAND_REJ:
3807 l2cap_command_rej(conn, cmd, data);
3808 break;
3809
3810 case L2CAP_CONN_REQ:
3811 err = l2cap_connect_req(conn, cmd, data);
3812 break;
3813
3814 case L2CAP_CONN_RSP:
3815 err = l2cap_connect_rsp(conn, cmd, data);
3816 break;
3817
3818 case L2CAP_CONF_REQ:
3819 err = l2cap_config_req(conn, cmd, cmd_len, data);
3820 break;
3821
3822 case L2CAP_CONF_RSP:
3823 err = l2cap_config_rsp(conn, cmd, data);
3824 break;
3825
3826 case L2CAP_DISCONN_REQ:
3827 err = l2cap_disconnect_req(conn, cmd, data);
3828 break;
3829
3830 case L2CAP_DISCONN_RSP:
3831 err = l2cap_disconnect_rsp(conn, cmd, data);
3832 break;
3833
3834 case L2CAP_ECHO_REQ:
3835 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
3836 break;
3837
3838 case L2CAP_ECHO_RSP:
3839 break;
3840
3841 case L2CAP_INFO_REQ:
3842 err = l2cap_information_req(conn, cmd, data);
3843 break;
3844
3845 case L2CAP_INFO_RSP:
3846 err = l2cap_information_rsp(conn, cmd, data);
3847 break;
3848
f94ff6ff
MM		 3849 case L2CAP_CREATE_CHAN_REQ:
3850 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
3851 break;
3852
3853 case L2CAP_CREATE_CHAN_RSP:
3854 err = l2cap_create_channel_rsp(conn, cmd, data);
3855 break;
3856
8d5a04a1
MM		 3857 case L2CAP_MOVE_CHAN_REQ:
3858 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
3859 break;
3860
3861 case L2CAP_MOVE_CHAN_RSP:
3862 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
3863 break;
3864
3865 case L2CAP_MOVE_CHAN_CFM:
3866 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
3867 break;
3868
3869 case L2CAP_MOVE_CHAN_CFM_RSP:
3870 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
3871 break;
3872
3300d9a9
CT		 3873 default:
3874 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
3875 err = -EINVAL;
3876 break;
3877 }
3878
3879 return err;
3880}
3881
3882static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
3883 struct l2cap_cmd_hdr *cmd, u8 *data)
3884{
3885 switch (cmd->code) {
3886 case L2CAP_COMMAND_REJ:
3887 return 0;
3888
3889 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 3890 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 3891
3892 case L2CAP_CONN_PARAM_UPDATE_RSP:
3893 return 0;
3894
3895 default:
3896 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
3897 return -EINVAL;
3898 }
3899}
3900
3901static inline void l2cap_sig_channel(struct l2cap_conn *conn,
3902 struct sk_buff *skb)
1da177e4
LT		 3903{
3904 u8 *data = skb->data;
3905 int len = skb->len;
3906 struct l2cap_cmd_hdr cmd;
3300d9a9 3907 int err;
1da177e4
LT		 3908
3909 l2cap_raw_recv(conn, skb);
3910
3911 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3912 u16 cmd_len;
1da177e4
LT		 3913 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3914 data += L2CAP_CMD_HDR_SIZE;
3915 len -= L2CAP_CMD_HDR_SIZE;
3916
88219a0f 3917 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3918
88219a0f 3919 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3920
88219a0f 3921 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3922 BT_DBG("corrupted command");
3923 break;
3924 }
3925
3300d9a9
CT		 3926 if (conn->hcon->type == LE_LINK)
3927 err = l2cap_le_sig_cmd(conn, &cmd, data);
3928 else
3929 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 3930
3931 if (err) {
e2fd318e 3932 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 3933
3934 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 3935
3936 /* FIXME: Map err to a valid reason */
e2fd318e 3937 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 3938 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3939 }
3940
88219a0f
AV		 3941 data += cmd_len;
3942 len -= cmd_len;
1da177e4
LT		 3943 }
3944
3945 kfree_skb(skb);
3946}
3947
47d1ec61 3948static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 3949{
3950 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 3951 int hdr_size;
3952
3953 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3954 hdr_size = L2CAP_EXT_HDR_SIZE;
3955 else
3956 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 3957
47d1ec61 3958 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 3959 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 3960 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3961 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3962
3963 if (our_fcs != rcv_fcs)
7a560e5c 3964 return -EBADMSG;
fcc203c3
GP		 3965 }
3966 return 0;
3967}
3968
525cd185 3969static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 3970{
88843ab0 3971 u32 control = 0;
d5392c8f 3972
6a026610 3973 chan->frames_sent = 0;
d5392c8f 3974
0b209fae 3975 control |= __set_reqseq(chan, chan->buffer_seq);
d5392c8f 3976
e2ab4353 3977 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 3978 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
525cd185 3979 l2cap_send_sframe(chan, control);
e2ab4353 3980 set_bit(CONN_RNR_SENT, &chan->conn_state);
d5392c8f
GP		 3981 }
3982
e2ab4353 3983 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
525cd185 3984 l2cap_retransmit_frames(chan);
d5392c8f 3985
525cd185 3986 l2cap_ertm_send(chan);
d5392c8f 3987
e2ab4353 3988 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
6a026610 3989 chan->frames_sent == 0) {
ab784b73 3990 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 3991 l2cap_send_sframe(chan, control);
d5392c8f
GP		 3992 }
3993}
3994
fb45de7d 3995static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u16 tx_seq, u8 sar)
8f17154f
GP		 3996{
3997 struct sk_buff *next_skb;
bfbacc11 3998 int tx_seq_offset, next_tx_seq_offset;
8f17154f 3999
3ce3514f
MM		 4000 bt_cb(skb)->control.txseq = tx_seq;
4001 bt_cb(skb)->control.sar = sar;
8f17154f 4002
f1c6775b 4003 next_skb = skb_peek(&chan->srej_q);
8f17154f 4004
836be934 4005 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
bfbacc11 4006
039d9572 4007 while (next_skb) {
3ce3514f 4008 if (bt_cb(next_skb)->control.txseq == tx_seq)
9b53350d
JPRV		 4009 return -EINVAL;
4010
836be934 4011 next_tx_seq_offset = __seq_offset(chan,
3ce3514f 4012 bt_cb(next_skb)->control.txseq, chan->buffer_seq);
bfbacc11
JPRV		 4013
4014 if (next_tx_seq_offset > tx_seq_offset) {
f1c6775b 4015 __skb_queue_before(&chan->srej_q, next_skb, skb);
9b53350d 4016 return 0;
8f17154f
GP		 4017 }
4018
f1c6775b 4019 if (skb_queue_is_last(&chan->srej_q, next_skb))
039d9572
SJ		 4020 next_skb = NULL;
4021 else
4022 next_skb = skb_queue_next(&chan->srej_q, next_skb);
4023 }
8f17154f 4024
f1c6775b 4025 __skb_queue_tail(&chan->srej_q, skb);
9b53350d
JPRV		 4026
4027 return 0;
8f17154f
GP		 4028}
4029
84084a31
MM		 4030static void append_skb_frag(struct sk_buff *skb,
4031 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 4032{
84084a31
MM		 4033 /* skb->len reflects data in skb as well as all fragments
4034 * skb->data_len reflects only data in fragments
4035 */
4036 if (!skb_has_frag_list(skb))
4037 skb_shinfo(skb)->frag_list = new_frag;
4038
4039 new_frag->next = NULL;
4040
4041 (*last_frag)->next = new_frag;
4042 *last_frag = new_frag;
4043
4044 skb->len += new_frag->len;
4045 skb->data_len += new_frag->len;
4046 skb->truesize += new_frag->truesize;
4047}
4048
88843ab0 4049static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u32 control)
84084a31
MM		 4050{
4051 int err = -EINVAL;
18778a63 4052
7e0ef6ee
AE		 4053 switch (__get_ctrl_sar(chan, control)) {
4054 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 4055 if (chan->sdu)
4056 break;
18778a63 4057
84084a31
MM		 4058 err = chan->ops->recv(chan->data, skb);
4059 break;
18778a63 4060
7e0ef6ee 4061 case L2CAP_SAR_START:
84084a31
MM		 4062 if (chan->sdu)
4063 break;
18778a63 4064
6f61fd47 4065 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 4066 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 4067
84084a31
MM		 4068 if (chan->sdu_len > chan->imtu) {
4069 err = -EMSGSIZE;
4070 break;
4071 }
1890d36b 4072
84084a31
MM		 4073 if (skb->len >= chan->sdu_len)
4074 break;
18778a63 4075
84084a31
MM		 4076 chan->sdu = skb;
4077 chan->sdu_last_frag = skb;
18778a63 4078
84084a31
MM		 4079 skb = NULL;
4080 err = 0;
18778a63
GP		 4081 break;
4082
7e0ef6ee 4083 case L2CAP_SAR_CONTINUE:
6f61fd47 4084 if (!chan->sdu)
84084a31 4085 break;
18778a63 4086
84084a31
MM		 4087 append_skb_frag(chan->sdu, skb,
4088 &chan->sdu_last_frag);
4089 skb = NULL;
18778a63 4090
84084a31
MM		 4091 if (chan->sdu->len >= chan->sdu_len)
4092 break;
4178ba46 4093
84084a31 4094 err = 0;
18778a63
GP		 4095 break;
4096
7e0ef6ee 4097 case L2CAP_SAR_END:
6f61fd47 4098 if (!chan->sdu)
84084a31 4099 break;
18778a63 4100
84084a31
MM		 4101 append_skb_frag(chan->sdu, skb,
4102 &chan->sdu_last_frag);
4103 skb = NULL;
4178ba46 4104
84084a31
MM		 4105 if (chan->sdu->len != chan->sdu_len)
4106 break;
18778a63 4107
84084a31 4108 err = chan->ops->recv(chan->data, chan->sdu);
1890d36b 4109
84084a31
MM		 4110 if (!err) {
4111 /* Reassembly complete */
4112 chan->sdu = NULL;
4113 chan->sdu_last_frag = NULL;
4114 chan->sdu_len = 0;
1890d36b 4115 }
18778a63
GP		 4116 break;
4117 }
4118
84084a31
MM		 4119 if (err) {
4120 kfree_skb(skb);
4121 kfree_skb(chan->sdu);
4122 chan->sdu = NULL;
4123 chan->sdu_last_frag = NULL;
4124 chan->sdu_len = 0;
4125 }
18778a63 4126
84084a31 4127 return err;
18778a63
GP		 4128}
4129
26f880d2 4130static void l2cap_ertm_enter_local_busy(struct l2cap_chan *chan)
712132eb 4131{
26f880d2 4132 BT_DBG("chan %p, Enter local busy", chan);
712132eb 4133
26f880d2 4134 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3c588192 4135 l2cap_seq_list_clear(&chan->srej_list);
26f880d2 4136
77f918bc 4137 __set_ack_timer(chan);
26f880d2
MM		 4138}
4139
4140static void l2cap_ertm_exit_local_busy(struct l2cap_chan *chan)
4141{
88843ab0 4142 u32 control;
712132eb 4143
e2ab4353 4144 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
712132eb
GP		 4145 goto done;
4146
0b209fae 4147 control = __set_reqseq(chan, chan->buffer_seq);
e3781735 4148 control |= __set_ctrl_poll(chan);
ab784b73 4149 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 4150 l2cap_send_sframe(chan, control);
6a026610 4151 chan->retry_count = 1;
712132eb 4152
1a09bcb9
GP		 4153 __clear_retrans_timer(chan);
4154 __set_monitor_timer(chan);
712132eb 4155
e2ab4353 4156 set_bit(CONN_WAIT_F, &chan->conn_state);
712132eb
GP		 4157
4158done:
e2ab4353
GP		 4159 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
4160 clear_bit(CONN_RNR_SENT, &chan->conn_state);
712132eb 4161
49208c9c 4162 BT_DBG("chan %p, Exit local busy", chan);
712132eb
GP		 4163}
4164
e328140f 4165void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
1890d36b 4166{
e328140f
MM		 4167 if (chan->mode == L2CAP_MODE_ERTM) {
4168 if (busy)
4169 l2cap_ertm_enter_local_busy(chan);
4170 else
4171 l2cap_ertm_exit_local_busy(chan);
1890d36b 4172 }
1890d36b
GP		 4173}
4174
fb45de7d 4175static void l2cap_check_srej_gap(struct l2cap_chan *chan, u16 tx_seq)
8f17154f
GP		 4176{
4177 struct sk_buff *skb;
88843ab0 4178 u32 control;
8f17154f 4179
e328140f
MM		 4180 while ((skb = skb_peek(&chan->srej_q)) &&
4181 !test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4182 int err;
4183
3ce3514f 4184 if (bt_cb(skb)->control.txseq != tx_seq)
8f17154f
GP		 4185 break;
4186
f1c6775b 4187 skb = skb_dequeue(&chan->srej_q);
3ce3514f 4188 control = __set_ctrl_sar(chan, bt_cb(skb)->control.sar);
84084a31 4189 err = l2cap_reassemble_sdu(chan, skb, control);
e328140f
MM		 4190
4191 if (err < 0) {
4192 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4193 break;
4194 }
4195
836be934
AE		 4196 chan->buffer_seq_srej = __next_seq(chan, chan->buffer_seq_srej);
4197 tx_seq = __next_seq(chan, tx_seq);
8f17154f
GP		 4198 }
4199}
4200
fb45de7d 4201static void l2cap_resend_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 4202{
8f17154f 4203 struct srej_list *l, *tmp;
88843ab0 4204 u32 control;
8f17154f 4205
39d5a3ee 4206 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
8f17154f
GP		 4207 if (l->tx_seq == tx_seq) {
4208 list_del(&l->list);
4209 kfree(l);
4210 return;
4211 }
ab784b73 4212 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 4213 control |= __set_reqseq(chan, l->tx_seq);
525cd185 4214 l2cap_send_sframe(chan, control);
8f17154f 4215 list_del(&l->list);
39d5a3ee 4216 list_add_tail(&l->list, &chan->srej_l);
8f17154f
GP		 4217 }
4218}
4219
aef89f21 4220static int l2cap_send_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 4221{
8f17154f 4222 struct srej_list *new;
88843ab0 4223 u32 control;
8f17154f 4224
42e5c802 4225 while (tx_seq != chan->expected_tx_seq) {
ab784b73 4226 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 4227 control |= __set_reqseq(chan, chan->expected_tx_seq);
3c588192 4228 l2cap_seq_list_append(&chan->srej_list, chan->expected_tx_seq);
525cd185 4229 l2cap_send_sframe(chan, control);
8f17154f
GP		 4230
4231 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
aef89f21
SJ		 4232 if (!new)
4233 return -ENOMEM;
4234
42e5c802 4235 new->tx_seq = chan->expected_tx_seq;
836be934
AE		 4236
4237 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
4238
39d5a3ee 4239 list_add_tail(&new->list, &chan->srej_l);
8f17154f 4240 }
836be934
AE		 4241
4242 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
aef89f21
SJ		 4243
4244 return 0;
8f17154f
GP		 4245}
4246
88843ab0 4247static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
1c2acffb 4248{
fb45de7d 4249 u16 tx_seq = __get_txseq(chan, rx_control);
0b209fae 4250 u16 req_seq = __get_reqseq(chan, rx_control);
7e0ef6ee 4251 u8 sar = __get_ctrl_sar(chan, rx_control);
f6337c77 4252 int tx_seq_offset, expected_tx_seq_offset;
47d1ec61 4253 int num_to_ack = (chan->tx_win/6) + 1;
1c2acffb
GP		 4254 int err = 0;
4255
88843ab0 4256 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%8.8x", chan, skb->len,
525cd185 4257 tx_seq, rx_control);
1c2acffb 4258
03f6715d 4259 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 4260 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 4261 __clear_monitor_timer(chan);
6a026610 4262 if (chan->unacked_frames > 0)
1a09bcb9 4263 __set_retrans_timer(chan);
e2ab4353 4264 clear_bit(CONN_WAIT_F, &chan->conn_state);
1d8f5d16
GP		 4265 }
4266
42e5c802
GP		 4267 chan->expected_ack_seq = req_seq;
4268 l2cap_drop_acked_frames(chan);
9f121a5a 4269
836be934 4270 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
9b53350d
JPRV		 4271
4272 /* invalid tx_seq */
47d1ec61 4273 if (tx_seq_offset >= chan->tx_win) {
8c1d787b 4274 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
9b53350d
JPRV		 4275 goto drop;
4276 }
4277
77f918bc
SJ		 4278 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4279 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
4280 l2cap_send_ack(chan);
1890d36b 4281 goto drop;
77f918bc 4282 }
1890d36b 4283
02f1b641
MM		 4284 if (tx_seq == chan->expected_tx_seq)
4285 goto expected;
4286
e2ab4353 4287 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
8f17154f 4288 struct srej_list *first;
30afb5b2 4289
39d5a3ee 4290 first = list_first_entry(&chan->srej_l,
8f17154f
GP		 4291 struct srej_list, list);
4292 if (tx_seq == first->tx_seq) {
42e5c802 4293 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
525cd185 4294 l2cap_check_srej_gap(chan, tx_seq);
8f17154f
GP		 4295
4296 list_del(&first->list);
4297 kfree(first);
4298
39d5a3ee 4299 if (list_empty(&chan->srej_l)) {
42e5c802 4300 chan->buffer_seq = chan->buffer_seq_srej;
e2ab4353 4301 clear_bit(CONN_SREJ_SENT, &chan->conn_state);
525cd185 4302 l2cap_send_ack(chan);
49208c9c 4303 BT_DBG("chan %p, Exit SREJ_SENT", chan);
8f17154f
GP		 4304 }
4305 } else {
4306 struct srej_list *l;
9b53350d
JPRV		 4307
4308 /* duplicated tx_seq */
42e5c802 4309 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
9b53350d 4310 goto drop;
8f17154f 4311
39d5a3ee 4312 list_for_each_entry(l, &chan->srej_l, list) {
8f17154f 4313 if (l->tx_seq == tx_seq) {
525cd185 4314 l2cap_resend_srejframe(chan, tx_seq);
8f17154f
GP		 4315 return 0;
4316 }
4317 }
aef89f21
SJ		 4318
4319 err = l2cap_send_srejframe(chan, tx_seq);
4320 if (err < 0) {
4321 l2cap_send_disconn_req(chan->conn, chan, -err);
4322 return err;
4323 }
30afb5b2
GP		 4324 }
4325 } else {
836be934
AE		 4326 expected_tx_seq_offset = __seq_offset(chan,
4327 chan->expected_tx_seq, chan->buffer_seq);
9b53350d
JPRV		 4328
4329 /* duplicated tx_seq */
4330 if (tx_seq_offset < expected_tx_seq_offset)
4331 goto drop;
4332
e2ab4353 4333 set_bit(CONN_SREJ_SENT, &chan->conn_state);
1c2acffb 4334
49208c9c 4335 BT_DBG("chan %p, Enter SREJ", chan);
0e98958d 4336
39d5a3ee 4337 INIT_LIST_HEAD(&chan->srej_l);
42e5c802 4338 chan->buffer_seq_srej = chan->buffer_seq;
8f17154f 4339
f1c6775b 4340 __skb_queue_head_init(&chan->srej_q);
42e5c802 4341 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
8f17154f 4342
0ef3ef0f
SJ		 4343 /* Set P-bit only if there are some I-frames to ack. */
4344 if (__clear_ack_timer(chan))
4345 set_bit(CONN_SEND_PBIT, &chan->conn_state);
ef54fd93 4346
aef89f21
SJ		 4347 err = l2cap_send_srejframe(chan, tx_seq);
4348 if (err < 0) {
4349 l2cap_send_disconn_req(chan->conn, chan, -err);
4350 return err;
4351 }
1c2acffb 4352 }
30afb5b2
GP		 4353 return 0;
4354
8f17154f 4355expected:
836be934 4356 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
8f17154f 4357
e2ab4353 4358 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3ce3514f
MM		 4359 bt_cb(skb)->control.txseq = tx_seq;
4360 bt_cb(skb)->control.sar = sar;
f1c6775b 4361 __skb_queue_tail(&chan->srej_q, skb);
8f17154f
GP		 4362 return 0;
4363 }
4364
84084a31 4365 err = l2cap_reassemble_sdu(chan, skb, rx_control);
836be934
AE		 4366 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
4367
e328140f
MM		 4368 if (err < 0) {
4369 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4370 return err;
4371 }
2ece3684 4372
03f6715d 4373 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4374 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 4375 l2cap_retransmit_frames(chan);
4ec10d97
GP		 4376 }
4377
c1b4f43b 4378
6a026610
GP		 4379 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
4380 if (chan->num_acked == num_to_ack - 1)
525cd185 4381 l2cap_send_ack(chan);
4d611e4d
GP		 4382 else
4383 __set_ack_timer(chan);
9e917af1 4384
8f17154f 4385 return 0;
9b53350d
JPRV		 4386
4387drop:
4388 kfree_skb(skb);
4389 return 0;
1c2acffb
GP		 4390}
4391
88843ab0 4392static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u32 rx_control)
1c2acffb 4393{
88843ab0 4394 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan,
0b209fae 4395 __get_reqseq(chan, rx_control), rx_control);
0e98958d 4396
0b209fae 4397 chan->expected_ack_seq = __get_reqseq(chan, rx_control);
42e5c802 4398 l2cap_drop_acked_frames(chan);
1c2acffb 4399
e3781735 4400 if (__is_ctrl_poll(chan, rx_control)) {
e2ab4353
GP		 4401 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4402 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
4403 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 4404 (chan->unacked_frames > 0))
1a09bcb9 4405 __set_retrans_timer(chan);
05fbd89d 4406
e2ab4353 4407 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
525cd185 4408 l2cap_send_srejtail(chan);
05fbd89d 4409 } else {
525cd185 4410 l2cap_send_i_or_rr_or_rnr(chan);
05fbd89d 4411 }
1d8f5d16 4412
03f6715d 4413 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4414 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4ec10d97 4415
e2ab4353 4416 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 4417 l2cap_retransmit_frames(chan);
2246b2f1 4418
e072745f 4419 } else {
e2ab4353 4420 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 4421 (chan->unacked_frames > 0))
1a09bcb9 4422 __set_retrans_timer(chan);
1c2acffb 4423
e2ab4353
GP		 4424 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4425 if (test_bit(CONN_SREJ_SENT, &chan->conn_state))
525cd185 4426 l2cap_send_ack(chan);
894718a6 4427 else
525cd185 4428 l2cap_ertm_send(chan);
e072745f
GP		 4429 }
4430}
2246b2f1 4431
88843ab0 4432static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4433{
0b209fae 4434 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 4435
88843ab0 4436 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4437
e2ab4353 4438 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
e072745f 4439
42e5c802
GP		 4440 chan->expected_ack_seq = tx_seq;
4441 l2cap_drop_acked_frames(chan);
e072745f 4442
03f6715d 4443 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4444 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 4445 l2cap_retransmit_frames(chan);
e072745f 4446 } else {
525cd185 4447 l2cap_retransmit_frames(chan);
30afb5b2 4448
e2ab4353
GP		 4449 if (test_bit(CONN_WAIT_F, &chan->conn_state))
4450 set_bit(CONN_REJ_ACT, &chan->conn_state);
e072745f
GP		 4451 }
4452}
88843ab0 4453static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4454{
0b209fae 4455 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 4456
88843ab0 4457 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4458
e2ab4353 4459 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
2246b2f1 4460
e3781735 4461 if (__is_ctrl_poll(chan, rx_control)) {
42e5c802
GP		 4462 chan->expected_ack_seq = tx_seq;
4463 l2cap_drop_acked_frames(chan);
3cb123d1 4464
e2ab4353 4465 set_bit(CONN_SEND_FBIT, &chan->conn_state);
525cd185 4466 l2cap_retransmit_one_frame(chan, tx_seq);
dfc909be 4467
525cd185 4468 l2cap_ertm_send(chan);
dfc909be 4469
e2ab4353 4470 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 4471 chan->srej_save_reqseq = tx_seq;
e2ab4353 4472 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 4473 }
03f6715d 4474 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4475 if (test_bit(CONN_SREJ_ACT, &chan->conn_state) &&
6a026610 4476 chan->srej_save_reqseq == tx_seq)
e2ab4353 4477 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
e072745f 4478 else
525cd185 4479 l2cap_retransmit_one_frame(chan, tx_seq);
e072745f 4480 } else {
525cd185 4481 l2cap_retransmit_one_frame(chan, tx_seq);
e2ab4353 4482 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 4483 chan->srej_save_reqseq = tx_seq;
e2ab4353 4484 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 4485 }
e072745f
GP		 4486 }
4487}
4488
88843ab0 4489static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4490{
0b209fae 4491 u16 tx_seq = __get_reqseq(chan, rx_control);
e072745f 4492
88843ab0 4493 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4494
e2ab4353 4495 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
42e5c802
GP		 4496 chan->expected_ack_seq = tx_seq;
4497 l2cap_drop_acked_frames(chan);
e072745f 4498
e3781735 4499 if (__is_ctrl_poll(chan, rx_control))
e2ab4353 4500 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3cb123d1 4501
e2ab4353 4502 if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
1a09bcb9 4503 __clear_retrans_timer(chan);
e3781735 4504 if (__is_ctrl_poll(chan, rx_control))
525cd185 4505 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
99b0d4b7 4506 return;
e072745f 4507 }
99b0d4b7 4508
e3781735 4509 if (__is_ctrl_poll(chan, rx_control)) {
525cd185 4510 l2cap_send_srejtail(chan);
ab784b73
AE		 4511 } else {
4512 rx_control = __set_ctrl_super(chan, L2CAP_SUPER_RR);
4513 l2cap_send_sframe(chan, rx_control);
4514 }
e072745f
GP		 4515}
4516
88843ab0 4517static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
e072745f 4518{
88843ab0 4519 BT_DBG("chan %p rx_control 0x%8.8x len %d", chan, rx_control, skb->len);
e072745f 4520
03f6715d 4521 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 4522 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 4523 __clear_monitor_timer(chan);
6a026610 4524 if (chan->unacked_frames > 0)
1a09bcb9 4525 __set_retrans_timer(chan);
e2ab4353 4526 clear_bit(CONN_WAIT_F, &chan->conn_state);
e072745f
GP		 4527 }
4528
ab784b73
AE		 4529 switch (__get_ctrl_super(chan, rx_control)) {
4530 case L2CAP_SUPER_RR:
525cd185 4531 l2cap_data_channel_rrframe(chan, rx_control);
8f17154f
GP		 4532 break;
4533
ab784b73 4534 case L2CAP_SUPER_REJ:
525cd185 4535 l2cap_data_channel_rejframe(chan, rx_control);
e072745f 4536 break;
2246b2f1 4537
ab784b73 4538 case L2CAP_SUPER_SREJ:
525cd185 4539 l2cap_data_channel_srejframe(chan, rx_control);
e072745f
GP		 4540 break;
4541
ab784b73 4542 case L2CAP_SUPER_RNR:
525cd185 4543 l2cap_data_channel_rnrframe(chan, rx_control);
1c2acffb
GP		 4544 break;
4545 }
4546
faaebd19 4547 kfree_skb(skb);
1c2acffb
GP		 4548 return 0;
4549}
4550
cad8f1d0 4551static int l2cap_ertm_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
218bb9df 4552{
88843ab0 4553 u32 control;
0b209fae 4554 u16 req_seq;
218bb9df
GP		 4555 int len, next_tx_seq_offset, req_seq_offset;
4556
b76bbd66
MM		 4557 __unpack_control(chan, skb);
4558
88843ab0
AE		 4559 control = __get_control(chan, skb->data);
4560 skb_pull(skb, __ctrl_size(chan));
218bb9df
GP		 4561 len = skb->len;
4562
4563 /*
4564 * We can just drop the corrupted I-frame here.
4565 * Receiver will miss it and start proper recovery
4566 * procedures and ask retransmission.
4567 */
47d1ec61 4568 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 4569 goto drop;
4570
793c2f1c 4571 if (__is_sar_start(chan, control) && !__is_sframe(chan, control))
03a51213 4572 len -= L2CAP_SDULEN_SIZE;
218bb9df 4573
47d1ec61 4574 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 4575 len -= L2CAP_FCS_SIZE;
218bb9df 4576
47d1ec61 4577 if (len > chan->mps) {
8c1d787b 4578 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4579 goto drop;
4580 }
4581
0b209fae 4582 req_seq = __get_reqseq(chan, control);
218bb9df 4583
836be934
AE		 4584 req_seq_offset = __seq_offset(chan, req_seq, chan->expected_ack_seq);
4585
4586 next_tx_seq_offset = __seq_offset(chan, chan->next_tx_seq,
4587 chan->expected_ack_seq);
218bb9df
GP		 4588
4589 /* check for invalid req-seq */
4590 if (req_seq_offset > next_tx_seq_offset) {
8c1d787b 4591 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4592 goto drop;
4593 }
4594
793c2f1c 4595 if (!__is_sframe(chan, control)) {
218bb9df 4596 if (len < 0) {
8c1d787b 4597 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4598 goto drop;
4599 }
4600
525cd185 4601 l2cap_data_channel_iframe(chan, control, skb);
218bb9df
GP		 4602 } else {
4603 if (len != 0) {
4604 BT_ERR("%d", len);
8c1d787b 4605 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4606 goto drop;
4607 }
4608
525cd185 4609 l2cap_data_channel_sframe(chan, control, skb);
218bb9df
GP		 4610 }
4611
4612 return 0;
4613
4614drop:
4615 kfree_skb(skb);
4616 return 0;
4617}
4618
1da177e4
LT		 4619static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
4620{
48454079 4621 struct l2cap_chan *chan;
88843ab0 4622 u32 control;
fb45de7d 4623 u16 tx_seq;
218bb9df 4624 int len;
1da177e4 4625
baa7e1fa 4626 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 4627 if (!chan) {
1da177e4 4628 BT_DBG("unknown cid 0x%4.4x", cid);
6be36555 4629 /* Drop packet and return */
3379013b 4630 kfree_skb(skb);
6be36555 4631 return 0;
1da177e4
LT		 4632 }
4633
6be36555 4634 l2cap_chan_lock(chan);
6840ed07 4635
49208c9c 4636 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 4637
89bc500e 4638 if (chan->state != BT_CONNECTED)
1da177e4
LT		 4639 goto drop;
4640
0c1bc5c6 4641 switch (chan->mode) {
1c2acffb
GP		 4642 case L2CAP_MODE_BASIC:
4643 /* If socket recv buffers overflows we drop data here
4644 * which is *bad* because L2CAP has to be reliable.
4645 * But we don't have any other choice. L2CAP doesn't
4646 * provide flow control mechanism. */
1da177e4 4647
0c1bc5c6 4648 if (chan->imtu < skb->len)
1c2acffb 4649 goto drop;
1da177e4 4650
23070494 4651 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP		 4652 goto done;
4653 break;
4654
4655 case L2CAP_MODE_ERTM:
5ef8cb9e 4656 l2cap_ertm_data_rcv(chan, skb);
1c2acffb 4657
fcafde2e 4658 goto done;
1c2acffb 4659
6840ed07 4660 case L2CAP_MODE_STREAMING:
88843ab0
AE		 4661 control = __get_control(chan, skb->data);
4662 skb_pull(skb, __ctrl_size(chan));
6840ed07
GP		 4663 len = skb->len;
4664
47d1ec61 4665 if (l2cap_check_fcs(chan, skb))
26000089
GP		 4666 goto drop;
4667
7e0ef6ee 4668 if (__is_sar_start(chan, control))
03a51213 4669 len -= L2CAP_SDULEN_SIZE;
6840ed07 4670
47d1ec61 4671 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 4672 len -= L2CAP_FCS_SIZE;
fcc203c3 4673
793c2f1c 4674 if (len > chan->mps || len < 0 || __is_sframe(chan, control))
6840ed07
GP		 4675 goto drop;
4676
fb45de7d 4677 tx_seq = __get_txseq(chan, control);
6840ed07 4678
84084a31
MM		 4679 if (chan->expected_tx_seq != tx_seq) {
4680 /* Frame(s) missing - must discard partial SDU */
4681 kfree_skb(chan->sdu);
4682 chan->sdu = NULL;
4683 chan->sdu_last_frag = NULL;
4684 chan->sdu_len = 0;
6840ed07 4685
84084a31
MM		 4686 /* TODO: Notify userland of missing data */
4687 }
4688
836be934 4689 chan->expected_tx_seq = __next_seq(chan, tx_seq);
84084a31
MM		 4690
4691 if (l2cap_reassemble_sdu(chan, skb, control) == -EMSGSIZE)
4692 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
6840ed07
GP		 4693
4694 goto done;
4695
1c2acffb 4696 default:
0c1bc5c6 4697 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 4698 break;
4699 }
1da177e4
LT		 4700
4701drop:
4702 kfree_skb(skb);
4703
4704done:
6be36555 4705 l2cap_chan_unlock(chan);
0139418c 4706
1da177e4
LT		 4707 return 0;
4708}
4709
8e036fc3 4710static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 4711{
23691d75 4712 struct l2cap_chan *chan;
1da177e4 4713
c2287681 4714 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 4715 if (!chan)
1da177e4
LT		 4716 goto drop;
4717
5b4cedaa 4718 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 4719
89bc500e 4720 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 4721 goto drop;
4722
e13e21dc 4723 if (chan->imtu < skb->len)
1da177e4
LT		 4724 goto drop;
4725
23070494 4726 if (!chan->ops->recv(chan->data, skb))
5b4cedaa 4727 return 0;
1da177e4
LT		 4728
4729drop:
4730 kfree_skb(skb);
4731
1da177e4
LT		 4732 return 0;
4733}
4734
d9b88702
AE		 4735static inline int l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
4736 struct sk_buff *skb)
9f69bda6 4737{
23691d75 4738 struct l2cap_chan *chan;
9f69bda6 4739
c2287681 4740 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 4741 if (!chan)
9f69bda6
GP		 4742 goto drop;
4743
5b4cedaa 4744 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 4745
89bc500e 4746 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 4747 goto drop;
4748
e13e21dc 4749 if (chan->imtu < skb->len)
9f69bda6
GP		 4750 goto drop;
4751
23070494 4752 if (!chan->ops->recv(chan->data, skb))
5b4cedaa 4753 return 0;
9f69bda6
GP		 4754
4755drop:
4756 kfree_skb(skb);
4757
9f69bda6
GP		 4758 return 0;
4759}
4760
1da177e4
LT		 4761static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4762{
4763 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4764 u16 cid, len;
4765 __le16 psm;
1da177e4
LT		 4766
4767 skb_pull(skb, L2CAP_HDR_SIZE);
4768 cid = __le16_to_cpu(lh->cid);
4769 len = __le16_to_cpu(lh->len);
4770
1c2acffb
GP		 4771 if (len != skb->len) {
4772 kfree_skb(skb);
4773 return;
4774 }
4775
1da177e4
LT		 4776 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4777
4778 switch (cid) {
3300d9a9 4779 case L2CAP_CID_LE_SIGNALING:
8db4dc46 4780 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4781 l2cap_sig_channel(conn, skb);
4782 break;
4783
8db4dc46 4784 case L2CAP_CID_CONN_LESS:
097db76c 4785 psm = get_unaligned((__le16 *) skb->data);
1da177e4
LT		 4786 skb_pull(skb, 2);
4787 l2cap_conless_channel(conn, psm, skb);
4788 break;
4789
9f69bda6
GP		 4790 case L2CAP_CID_LE_DATA:
4791 l2cap_att_channel(conn, cid, skb);
4792 break;
4793
b501d6a1
AB		 4794 case L2CAP_CID_SMP:
4795 if (smp_sig_channel(conn, skb))
4796 l2cap_conn_del(conn->hcon, EACCES);
4797 break;
4798
1da177e4
LT		 4799 default:
4800 l2cap_data_channel(conn, cid, skb);
4801 break;
4802 }
4803}
4804
4805/* ---- L2CAP interface with lower layer (HCI) ---- */
4806
686ebf28 4807int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 4808{
4809 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 4810 struct l2cap_chan *c;
1da177e4 4811
1da177e4
LT		 4812 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4813
4814 /* Find listening sockets and check their link_mode */
23691d75
GP		 4815 read_lock(&chan_list_lock);
4816 list_for_each_entry(c, &chan_list, global_l) {
4817 struct sock *sk = c->sk;
4343478f 4818
89bc500e 4819 if (c->state != BT_LISTEN)
1da177e4
LT		 4820 continue;
4821
4822 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4823 lm1 |= HCI_LM_ACCEPT;
43bd0f32 4824 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 4825 lm1 |= HCI_LM_MASTER;
1da177e4 4826 exact++;
2af6b9d5
MH		 4827 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4828 lm2 |= HCI_LM_ACCEPT;
43bd0f32 4829 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 4830 lm2 |= HCI_LM_MASTER;
4831 }
1da177e4 4832 }
23691d75 4833 read_unlock(&chan_list_lock);
1da177e4
LT		 4834
4835 return exact ? lm1 : lm2;
4836}
4837
686ebf28 4838int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 4839{
0139418c
MH		 4840 struct l2cap_conn *conn;
4841
1da177e4
LT		 4842 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4843
1da177e4 4844 if (!status) {
1da177e4
LT		 4845 conn = l2cap_conn_add(hcon, status);
4846 if (conn)
4847 l2cap_conn_ready(conn);
0139418c 4848 } else
e175072f 4849 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 4850
4851 return 0;
4852}
4853
686ebf28 4854int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 4855{
4856 struct l2cap_conn *conn = hcon->l2cap_data;
4857
4858 BT_DBG("hcon %p", hcon);
4859
686ebf28 4860 if (!conn)
9f5a0d7b 4861 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 4862 return conn->disc_reason;
4863}
4864
686ebf28 4865int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4866{
4867 BT_DBG("hcon %p reason %d", hcon, reason);
4868
e175072f 4869 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 4870 return 0;
4871}
4872
4343478f 4873static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4874{
715ec005 4875 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 4876 return;
4877
f62e4323 4878 if (encrypt == 0x00) {
4343478f 4879 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 4880 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 4881 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 4882 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4883 } else {
4343478f 4884 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 4885 __clear_chan_timer(chan);
f62e4323
MH		 4886 }
4887}
4888
686ebf28 4889int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4890{
0139418c 4891 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4892 struct l2cap_chan *chan;
1da177e4 4893
0139418c 4894 if (!conn)
1da177e4 4895 return 0;
0139418c 4896
1da177e4
LT		 4897 BT_DBG("conn %p", conn);
4898
160dc6ac 4899 if (hcon->type == LE_LINK) {
35d4adcc
HG		 4900 if (!status && encrypt)
4901 smp_distribute_keys(conn, 0);
17cd3f37 4902 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 4903 }
4904
3df91ea2 4905 mutex_lock(&conn->chan_lock);
1da177e4 4906
3df91ea2 4907 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 4908 l2cap_chan_lock(chan);
1da177e4 4909
f1cb9af5
VCG		 4910 BT_DBG("chan->scid %d", chan->scid);
4911
4912 if (chan->scid == L2CAP_CID_LE_DATA) {
4913 if (!status && encrypt) {
4914 chan->sec_level = hcon->sec_level;
cf4cd009 4915 l2cap_chan_ready(chan);
f1cb9af5
VCG		 4916 }
4917
6be36555 4918 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 4919 continue;
4920 }
4921
c1360a1c 4922 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6be36555 4923 l2cap_chan_unlock(chan);
6a8d3010
MH		 4924 continue;
4925 }
4926
89bc500e
GP		 4927 if (!status && (chan->state == BT_CONNECTED ||
4928 chan->state == BT_CONFIG)) {
a7d7723a
GP		 4929 struct sock *sk = chan->sk;
4930
4931 bt_sk(sk)->suspended = false;
4932 sk->sk_state_change(sk);
4933
4343478f 4934 l2cap_check_encryption(chan, encrypt);
6be36555 4935 l2cap_chan_unlock(chan);
9719f8af
MH		 4936 continue;
4937 }
4938
89bc500e 4939 if (chan->state == BT_CONNECT) {
b1235d79 4940 if (!status) {
9b27f350 4941 l2cap_send_conn_req(chan);
b1235d79 4942 } else {
ba13ccd9 4943 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 4944 }
89bc500e 4945 } else if (chan->state == BT_CONNECT2) {
6be36555 4946 struct sock *sk = chan->sk;
b1235d79 4947 struct l2cap_conn_rsp rsp;
df3c3931 4948 __u16 res, stat;
1da177e4 4949
6be36555
AE		 4950 lock_sock(sk);
4951
b1235d79 4952 if (!status) {
df3c3931
JH		 4953 if (bt_sk(sk)->defer_setup) {
4954 struct sock *parent = bt_sk(sk)->parent;
4955 res = L2CAP_CR_PEND;
4956 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 4957 if (parent)
4958 parent->sk_data_ready(parent, 0);
df3c3931 4959 } else {
0e587be7 4960 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 4961 res = L2CAP_CR_SUCCESS;
4962 stat = L2CAP_CS_NO_INFO;
4963 }
b1235d79 4964 } else {
0e587be7 4965 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 4966 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 4967 res = L2CAP_CR_SEC_BLOCK;
4968 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 4969 }
4970
6be36555
AE		 4971 release_sock(sk);
4972
fe4128e0
GP		 4973 rsp.scid = cpu_to_le16(chan->dcid);
4974 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 4975 rsp.result = cpu_to_le16(res);
4976 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 4977 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4978 sizeof(rsp), &rsp);
b1235d79 4979 }
1da177e4 4980
6be36555 4981 l2cap_chan_unlock(chan);
1da177e4
LT		 4982 }
4983
3df91ea2 4984 mutex_unlock(&conn->chan_lock);
b1235d79 4985
1da177e4
LT		 4986 return 0;
4987}
4988
686ebf28 4989int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 4990{
4991 struct l2cap_conn *conn = hcon->l2cap_data;
4992
5a08ecce
AE		 4993 if (!conn)
4994 conn = l2cap_conn_add(hcon, 0);
4995
4996 if (!conn)
1da177e4
LT		 4997 goto drop;
4998
4999 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
5000
e702112f 5001 if (!(flags & ACL_CONT)) {
1da177e4
LT		 5002 struct l2cap_hdr *hdr;
5003 int len;
5004
5005 if (conn->rx_len) {
5006 BT_ERR("Unexpected start frame (len %d)", skb->len);
5007 kfree_skb(conn->rx_skb);
5008 conn->rx_skb = NULL;
5009 conn->rx_len = 0;
5010 l2cap_conn_unreliable(conn, ECOMM);
5011 }
5012
aae7fe22
AE		 5013 /* Start fragment always begin with Basic L2CAP header */
5014 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 5015 BT_ERR("Frame is too short (len %d)", skb->len);
5016 l2cap_conn_unreliable(conn, ECOMM);
5017 goto drop;
5018 }
5019
5020 hdr = (struct l2cap_hdr *) skb->data;
5021 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
5022
5023 if (len == skb->len) {
5024 /* Complete frame received */
5025 l2cap_recv_frame(conn, skb);
5026 return 0;
5027 }
5028
5029 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
5030
5031 if (skb->len > len) {
5032 BT_ERR("Frame is too long (len %d, expected len %d)",
5033 skb->len, len);
5034 l2cap_conn_unreliable(conn, ECOMM);
5035 goto drop;
5036 }
5037
5038 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 5039 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
5040 if (!conn->rx_skb)
1da177e4
LT		 5041 goto drop;
5042
d626f62b 5043 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5044 skb->len);
1da177e4
LT		 5045 conn->rx_len = len - skb->len;
5046 } else {
5047 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
5048
5049 if (!conn->rx_len) {
5050 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
5051 l2cap_conn_unreliable(conn, ECOMM);
5052 goto drop;
5053 }
5054
5055 if (skb->len > conn->rx_len) {
5056 BT_ERR("Fragment is too long (len %d, expected %d)",
5057 skb->len, conn->rx_len);
5058 kfree_skb(conn->rx_skb);
5059 conn->rx_skb = NULL;
5060 conn->rx_len = 0;
5061 l2cap_conn_unreliable(conn, ECOMM);
5062 goto drop;
5063 }
5064
d626f62b 5065 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5066 skb->len);
1da177e4
LT		 5067 conn->rx_len -= skb->len;
5068
5069 if (!conn->rx_len) {
5070 /* Complete frame received */
5071 l2cap_recv_frame(conn, conn->rx_skb);
5072 conn->rx_skb = NULL;
5073 }
5074 }
5075
5076drop:
5077 kfree_skb(skb);
5078 return 0;
5079}
5080
aef7d97c 5081static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 5082{
23691d75 5083 struct l2cap_chan *c;
1da177e4 5084
333055f2 5085 read_lock(&chan_list_lock);
1da177e4 5086
23691d75
GP		 5087 list_for_each_entry(c, &chan_list, global_l) {
5088 struct sock *sk = c->sk;
101545f6 5089
903d343e 5090 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 5091 batostr(&bt_sk(sk)->src),
5092 batostr(&bt_sk(sk)->dst),
89bc500e 5093 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 5094 c->scid, c->dcid, c->imtu, c->omtu,
5095 c->sec_level, c->mode);
61e1b4b7 5096 }
1da177e4 5097
333055f2 5098 read_unlock(&chan_list_lock);
1da177e4 5099
aef7d97c 5100 return 0;
1da177e4
LT		 5101}
5102
aef7d97c
MH		 5103static int l2cap_debugfs_open(struct inode *inode, struct file *file)
5104{
5105 return single_open(file, l2cap_debugfs_show, inode->i_private);
5106}
5107
5108static const struct file_operations l2cap_debugfs_fops = {
5109 .open = l2cap_debugfs_open,
5110 .read = seq_read,
5111 .llseek = seq_lseek,
5112 .release = single_release,
5113};
5114
5115static struct dentry *l2cap_debugfs;
1da177e4 5116
64274518 5117int __init l2cap_init(void)
1da177e4
LT		 5118{
5119 int err;
be9d1227 5120
bb58f747 5121 err = l2cap_init_sockets();
1da177e4
LT		 5122 if (err < 0)
5123 return err;
5124
aef7d97c
MH		 5125 if (bt_debugfs) {
5126 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
5127 bt_debugfs, NULL, &l2cap_debugfs_fops);
5128 if (!l2cap_debugfs)
5129 BT_ERR("Failed to create L2CAP debug file");
5130 }
1da177e4 5131
1da177e4 5132 return 0;
1da177e4
LT		 5133}
5134
64274518 5135void l2cap_exit(void)
1da177e4 5136{
aef7d97c 5137 debugfs_remove(l2cap_debugfs);
bb58f747 5138 l2cap_cleanup_sockets();
1da177e4
LT		 5139}
5140
d1c4a17d
GP		 5141module_param(disable_ertm, bool, 0644);
5142MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)