projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Add status parameter to mgmt_disconnect response
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
1da177e4
LT		 6
7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License version 2 as
11 published by the Free Software Foundation;
12
13 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
14 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
16 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 17 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
18 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
19 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 20 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21
8e87d142
YH		 22 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
23 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 24 SOFTWARE IS DISCLAIMED.
25*/
26
bb58f747 27/* Bluetooth L2CAP core. */
1da177e4 28
1da177e4
LT		 29#include <linux/module.h>
30
31#include <linux/types.h>
4fc268d2 32#include <linux/capability.h>
1da177e4
LT		 33#include <linux/errno.h>
34#include <linux/kernel.h>
1da177e4
LT		 35#include <linux/sched.h>
36#include <linux/slab.h>
37#include <linux/poll.h>
38#include <linux/fcntl.h>
39#include <linux/init.h>
40#include <linux/interrupt.h>
41#include <linux/socket.h>
42#include <linux/skbuff.h>
1da177e4 43#include <linux/list.h>
be9d1227 44#include <linux/device.h>
aef7d97c
MH		 45#include <linux/debugfs.h>
46#include <linux/seq_file.h>
af05b30b 47#include <linux/uaccess.h>
fcc203c3 48#include <linux/crc16.h>
1da177e4
LT		 49#include <net/sock.h>
50
51#include <asm/system.h>
1da177e4
LT		 52#include <asm/unaligned.h>
53
54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h>
b501d6a1 57#include <net/bluetooth/smp.h>
1da177e4 58
bb58f747 59int disable_ertm;
a5fd6f30 60int enable_hs;
f0709e03 61
47ec1dcd 62static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 63static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 64
b5ad8b7f
JB		 65static LIST_HEAD(chan_list);
66static DEFINE_RWLOCK(chan_list_lock);
1da177e4 67
1da177e4
LT		 68static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
69 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 70static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
71 void *data);
710f9b0a 72static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a
GP		 73static void l2cap_send_disconn_req(struct l2cap_conn *conn,
74 struct l2cap_chan *chan, int err);
1da177e4 75
218bb9df
GP		 76static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
77
0139418c 78/* ---- L2CAP channels ---- */
71ba0e56
GP		 79
80static inline void chan_hold(struct l2cap_chan *c)
81{
82 atomic_inc(&c->refcnt);
83}
84
85static inline void chan_put(struct l2cap_chan *c)
86{
87 if (atomic_dec_and_test(&c->refcnt))
88 kfree(c);
89}
90
baa7e1fa 91static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 92{
48454079 93 struct l2cap_chan *c;
baa7e1fa
GP		 94
95 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 96 if (c->dcid == cid)
baa7e1fa 97 return c;
0139418c 98 }
baa7e1fa
GP		 99 return NULL;
100
0139418c
MH		 101}
102
baa7e1fa 103static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 104{
48454079 105 struct l2cap_chan *c;
baa7e1fa
GP		 106
107 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 108 if (c->scid == cid)
baa7e1fa 109 return c;
0139418c 110 }
baa7e1fa 111 return NULL;
0139418c
MH		 112}
113
114/* Find channel with given SCID.
115 * Returns locked socket */
baa7e1fa 116static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 117{
48454079 118 struct l2cap_chan *c;
baa7e1fa
GP		 119
120 read_lock(&conn->chan_lock);
121 c = __l2cap_get_chan_by_scid(conn, cid);
48454079
GP		 122 if (c)
123 bh_lock_sock(c->sk);
baa7e1fa 124 read_unlock(&conn->chan_lock);
48454079 125 return c;
0139418c
MH		 126}
127
baa7e1fa 128static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 129{
48454079 130 struct l2cap_chan *c;
baa7e1fa
GP		 131
132 list_for_each_entry(c, &conn->chan_l, list) {
fc7f8a7e 133 if (c->ident == ident)
baa7e1fa 134 return c;
0139418c 135 }
baa7e1fa 136 return NULL;
0139418c
MH		 137}
138
baa7e1fa 139static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 140{
48454079 141 struct l2cap_chan *c;
baa7e1fa
GP		 142
143 read_lock(&conn->chan_lock);
144 c = __l2cap_get_chan_by_ident(conn, ident);
48454079
GP		 145 if (c)
146 bh_lock_sock(c->sk);
baa7e1fa 147 read_unlock(&conn->chan_lock);
48454079 148 return c;
0139418c
MH		 149}
150
23691d75 151static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 152{
23691d75 153 struct l2cap_chan *c;
9e4425ff 154
23691d75
GP		 155 list_for_each_entry(c, &chan_list, global_l) {
156 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
9e4425ff
GP		 157 goto found;
158 }
159
23691d75 160 c = NULL;
9e4425ff 161found:
23691d75 162 return c;
9e4425ff
GP		 163}
164
165int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
166{
73b2ec18
GP		 167 int err;
168
23691d75 169 write_lock_bh(&chan_list_lock);
9e4425ff 170
23691d75 171 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 172 err = -EADDRINUSE;
173 goto done;
9e4425ff
GP		 174 }
175
73b2ec18
GP		 176 if (psm) {
177 chan->psm = psm;
178 chan->sport = psm;
179 err = 0;
180 } else {
181 u16 p;
182
183 err = -EINVAL;
184 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 185 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 186 chan->psm = cpu_to_le16(p);
187 chan->sport = cpu_to_le16(p);
188 err = 0;
189 break;
190 }
191 }
9e4425ff 192
73b2ec18 193done:
23691d75 194 write_unlock_bh(&chan_list_lock);
73b2ec18 195 return err;
9e4425ff
GP		 196}
197
198int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
199{
23691d75 200 write_lock_bh(&chan_list_lock);
9e4425ff
GP		 201
202 chan->scid = scid;
203
23691d75 204 write_unlock_bh(&chan_list_lock);
9e4425ff
GP		 205
206 return 0;
207}
208
baa7e1fa 209static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 210{
8db4dc46 211 u16 cid = L2CAP_CID_DYN_START;
0139418c 212
8db4dc46 213 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 214 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 215 return cid;
216 }
217
218 return 0;
219}
220
c9b66675 221static void l2cap_set_timer(struct l2cap_chan *chan, struct timer_list *timer, long timeout)
ab07801d 222{
457f4850 223 BT_DBG("chan %p state %d timeout %ld", chan, chan->state, timeout);
89bc500e 224
942ecc9c 225 if (!mod_timer(timer, jiffies + msecs_to_jiffies(timeout)))
774e5651 226 chan_hold(chan);
ab07801d
GP		 227}
228
c9b66675 229static void l2cap_clear_timer(struct l2cap_chan *chan, struct timer_list *timer)
ab07801d 230{
774e5651 231 BT_DBG("chan %p state %d", chan, chan->state);
ab07801d 232
774e5651
MM		 233 if (timer_pending(timer) && del_timer(timer))
234 chan_put(chan);
ab07801d
GP		 235}
236
89bc500e
GP		 237static void l2cap_state_change(struct l2cap_chan *chan, int state)
238{
239 chan->state = state;
240 chan->ops->state_change(chan->data, state);
241}
242
ab07801d
GP		 243static void l2cap_chan_timeout(unsigned long arg)
244{
245 struct l2cap_chan *chan = (struct l2cap_chan *) arg;
246 struct sock *sk = chan->sk;
247 int reason;
248
89bc500e 249 BT_DBG("chan %p state %d", chan, chan->state);
ab07801d
GP		 250
251 bh_lock_sock(sk);
252
253 if (sock_owned_by_user(sk)) {
254 /* sk is owned by user. Try again later */
f3f668b0 255 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
ab07801d 256 bh_unlock_sock(sk);
71ba0e56 257 chan_put(chan);
ab07801d
GP		 258 return;
259 }
260
89bc500e 261 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 262 reason = ECONNREFUSED;
89bc500e 263 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 264 chan->sec_level != BT_SECURITY_SDP)
265 reason = ECONNREFUSED;
266 else
267 reason = ETIMEDOUT;
268
0f852724 269 l2cap_chan_close(chan, reason);
ab07801d
GP		 270
271 bh_unlock_sock(sk);
272
ba3bd0ee 273 chan->ops->close(chan->data);
71ba0e56 274 chan_put(chan);
ab07801d
GP		 275}
276
23691d75 277struct l2cap_chan *l2cap_chan_create(struct sock *sk)
48454079
GP		 278{
279 struct l2cap_chan *chan;
280
281 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
282 if (!chan)
283 return NULL;
284
285 chan->sk = sk;
286
23691d75
GP		 287 write_lock_bh(&chan_list_lock);
288 list_add(&chan->global_l, &chan_list);
289 write_unlock_bh(&chan_list_lock);
290
ab07801d
GP		 291 setup_timer(&chan->chan_timer, l2cap_chan_timeout, (unsigned long) chan);
292
89bc500e
GP		 293 chan->state = BT_OPEN;
294
71ba0e56
GP		 295 atomic_set(&chan->refcnt, 1);
296
abc545b8
SJ		 297 BT_DBG("sk %p chan %p", sk, chan);
298
48454079
GP		 299 return chan;
300}
301
23691d75 302void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 303{
23691d75
GP		 304 write_lock_bh(&chan_list_lock);
305 list_del(&chan->global_l);
306 write_unlock_bh(&chan_list_lock);
307
71ba0e56 308 chan_put(chan);
6ff5abbf
GP		 309}
310
48454079 311static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 312{
af05b30b 313 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
fe4128e0 314 chan->psm, chan->dcid);
0139418c 315
9f5a0d7b 316 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 317
8c1d787b 318 chan->conn = conn;
0139418c 319
715ec005 320 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
b62f328b
VT		 321 if (conn->hcon->type == LE_LINK) {
322 /* LE connection */
0c1bc5c6 323 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 324 chan->scid = L2CAP_CID_LE_DATA;
325 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 326 } else {
327 /* Alloc CID for connection-oriented socket */
fe4128e0 328 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 329 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 330 }
715ec005 331 } else if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
0139418c 332 /* Connectionless socket */
fe4128e0
GP		 333 chan->scid = L2CAP_CID_CONN_LESS;
334 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 335 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 336 } else {
337 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 338 chan->scid = L2CAP_CID_SIGNALING;
339 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 340 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 341 }
342
8f7975b1
AE		 343 chan->local_id = L2CAP_BESTEFFORT_ID;
344 chan->local_stype = L2CAP_SERV_BESTEFFORT;
345 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
346 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
347 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
348 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
349
71ba0e56 350 chan_hold(chan);
baa7e1fa
GP		 351
352 list_add(&chan->list, &conn->chan_l);
0139418c
MH		 353}
354
8e87d142 355/* Delete channel.
0139418c 356 * Must be called on the locked socket. */
4519de9a 357static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 358{
48454079 359 struct sock *sk = chan->sk;
8c1d787b 360 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 361 struct sock *parent = bt_sk(sk)->parent;
362
c9b66675 363 __clear_chan_timer(chan);
0139418c 364
49208c9c 365 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 366
8e87d142 367 if (conn) {
baa7e1fa
GP		 368 /* Delete from channel list */
369 write_lock_bh(&conn->chan_lock);
370 list_del(&chan->list);
371 write_unlock_bh(&conn->chan_lock);
71ba0e56 372 chan_put(chan);
baa7e1fa 373
8c1d787b 374 chan->conn = NULL;
0139418c
MH		 375 hci_conn_put(conn->hcon);
376 }
377
89bc500e 378 l2cap_state_change(chan, BT_CLOSED);
0139418c
MH		 379 sock_set_flag(sk, SOCK_ZAPPED);
380
381 if (err)
382 sk->sk_err = err;
383
384 if (parent) {
385 bt_accept_unlink(sk);
386 parent->sk_data_ready(parent, 0);
387 } else
388 sk->sk_state_change(sk);
c13ffa62 389
c1360a1c
GP		 390 if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
391 test_bit(CONF_INPUT_DONE, &chan->conf_state)))
6ff5abbf 392 return;
2ead70b8 393
58d35f87 394 skb_queue_purge(&chan->tx_q);
c13ffa62 395
0c1bc5c6 396 if (chan->mode == L2CAP_MODE_ERTM) {
c13ffa62
GP		 397 struct srej_list *l, *tmp;
398
1a09bcb9
GP		 399 __clear_retrans_timer(chan);
400 __clear_monitor_timer(chan);
401 __clear_ack_timer(chan);
c13ffa62 402
f1c6775b 403 skb_queue_purge(&chan->srej_q);
c13ffa62 404
39d5a3ee 405 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
c13ffa62
GP		 406 list_del(&l->list);
407 kfree(l);
408 }
409 }
0139418c
MH		 410}
411
4519de9a
GP		 412static void l2cap_chan_cleanup_listen(struct sock *parent)
413{
414 struct sock *sk;
415
416 BT_DBG("parent %p", parent);
417
418 /* Close not yet accepted channels */
0f852724 419 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee 420 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
c9b66675 421 __clear_chan_timer(chan);
0f852724 422 lock_sock(sk);
ba3bd0ee 423 l2cap_chan_close(chan, ECONNRESET);
0f852724 424 release_sock(sk);
ba3bd0ee 425 chan->ops->close(chan->data);
0f852724 426 }
4519de9a
GP		 427}
428
0f852724 429void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 430{
431 struct l2cap_conn *conn = chan->conn;
432 struct sock *sk = chan->sk;
433
89bc500e 434 BT_DBG("chan %p state %d socket %p", chan, chan->state, sk->sk_socket);
4519de9a 435
89bc500e 436 switch (chan->state) {
4519de9a
GP		 437 case BT_LISTEN:
438 l2cap_chan_cleanup_listen(sk);
89bc500e
GP		 439
440 l2cap_state_change(chan, BT_CLOSED);
441 sock_set_flag(sk, SOCK_ZAPPED);
4519de9a
GP		 442 break;
443
444 case BT_CONNECTED:
445 case BT_CONFIG:
715ec005 446 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 447 conn->hcon->type == ACL_LINK) {
c9b66675
GP		 448 __clear_chan_timer(chan);
449 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 450 l2cap_send_disconn_req(conn, chan, reason);
451 } else
452 l2cap_chan_del(chan, reason);
453 break;
454
455 case BT_CONNECT2:
715ec005 456 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 457 conn->hcon->type == ACL_LINK) {
458 struct l2cap_conn_rsp rsp;
459 __u16 result;
460
461 if (bt_sk(sk)->defer_setup)
462 result = L2CAP_CR_SEC_BLOCK;
463 else
464 result = L2CAP_CR_BAD_PSM;
89bc500e 465 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 466
467 rsp.scid = cpu_to_le16(chan->dcid);
468 rsp.dcid = cpu_to_le16(chan->scid);
469 rsp.result = cpu_to_le16(result);
470 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
471 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
472 sizeof(rsp), &rsp);
473 }
474
475 l2cap_chan_del(chan, reason);
476 break;
477
478 case BT_CONNECT:
479 case BT_DISCONN:
480 l2cap_chan_del(chan, reason);
481 break;
482
483 default:
484 sock_set_flag(sk, SOCK_ZAPPED);
485 break;
486 }
487}
488
4343478f 489static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 490{
715ec005 491 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 492 switch (chan->sec_level) {
8556edd3
JH		 493 case BT_SECURITY_HIGH:
494 return HCI_AT_DEDICATED_BONDING_MITM;
495 case BT_SECURITY_MEDIUM:
496 return HCI_AT_DEDICATED_BONDING;
497 default:
498 return HCI_AT_NO_BONDING;
499 }
fe4128e0 500 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 501 if (chan->sec_level == BT_SECURITY_LOW)
502 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 503
4343478f 504 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 505 return HCI_AT_NO_BONDING_MITM;
00ae4af9 506 else
8556edd3 507 return HCI_AT_NO_BONDING;
00ae4af9 508 } else {
4343478f 509 switch (chan->sec_level) {
00ae4af9 510 case BT_SECURITY_HIGH:
8556edd3 511 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 512 case BT_SECURITY_MEDIUM:
8556edd3 513 return HCI_AT_GENERAL_BONDING;
00ae4af9 514 default:
8556edd3 515 return HCI_AT_NO_BONDING;
00ae4af9 516 }
0684e5f9 517 }
8556edd3
JH		 518}
519
520/* Service level security */
4343478f 521static inline int l2cap_check_security(struct l2cap_chan *chan)
8556edd3 522{
8c1d787b 523 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 524 __u8 auth_type;
525
4343478f 526 auth_type = l2cap_get_auth_type(chan);
79d554a6 527
4343478f 528 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 529}
530
b5ad8b7f 531static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 532{
533 u8 id;
534
535 /* Get next available identificator.
536 * 1 - 128 are used by kernel.
537 * 129 - 199 are reserved.
538 * 200 - 254 are used by utilities like l2ping, etc.
539 */
540
541 spin_lock_bh(&conn->lock);
542
543 if (++conn->tx_ident > 128)
544 conn->tx_ident = 1;
545
546 id = conn->tx_ident;
547
548 spin_unlock_bh(&conn->lock);
549
550 return id;
551}
552
4519de9a 553static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 554{
555 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 556 u8 flags;
4e8402a3
MH		 557
558 BT_DBG("code 0x%2.2x", code);
559
560 if (!skb)
9a9c6a34 561 return;
4e8402a3 562
e702112f
AE		 563 if (lmp_no_flush_capable(conn->hcon->hdev))
564 flags = ACL_START_NO_FLUSH;
565 else
566 flags = ACL_START;
567
14b12d0b 568 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 569 skb->priority = HCI_PRIO_MAX;
14b12d0b 570
73d80deb
LAD		 571 hci_send_acl(conn->hchan, skb, flags);
572}
573
574static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
575{
576 struct hci_conn *hcon = chan->conn->hcon;
577 u16 flags;
578
579 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
580 skb->priority);
581
582 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
583 lmp_no_flush_capable(hcon->hdev))
584 flags = ACL_START_NO_FLUSH;
585 else
586 flags = ACL_START;
14b12d0b 587
73d80deb
LAD		 588 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
589 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 590}
591
88843ab0 592static inline void l2cap_send_sframe(struct l2cap_chan *chan, u32 control)
1c2acffb
GP		 593{
594 struct sk_buff *skb;
595 struct l2cap_hdr *lh;
8c1d787b 596 struct l2cap_conn *conn = chan->conn;
e4ca6d98 597 int count, hlen;
fcc203c3 598
89bc500e 599 if (chan->state != BT_CONNECTED)
c13ffa62
GP		 600 return;
601
e4ca6d98
AE		 602 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
603 hlen = L2CAP_EXT_HDR_SIZE;
604 else
605 hlen = L2CAP_ENH_HDR_SIZE;
606
47d1ec61 607 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 608 hlen += L2CAP_FCS_SIZE;
1c2acffb 609
88843ab0 610 BT_DBG("chan %p, control 0x%8.8x", chan, control);
1c2acffb 611
fcc203c3 612 count = min_t(unsigned int, conn->mtu, hlen);
793c2f1c
AE		 613
614 control |= __set_sframe(chan);
1c2acffb 615
e2ab4353 616 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 617 control |= __set_ctrl_final(chan);
9e917af1 618
e2ab4353 619 if (test_and_clear_bit(CONN_SEND_PBIT, &chan->conn_state))
e3781735 620 control |= __set_ctrl_poll(chan);
f0946ccf 621
1c2acffb
GP		 622 skb = bt_skb_alloc(count, GFP_ATOMIC);
623 if (!skb)
9a9c6a34 624 return;
1c2acffb
GP		 625
626 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 627 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
fe4128e0 628 lh->cid = cpu_to_le16(chan->dcid);
88843ab0
AE		 629
630 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
1c2acffb 631
47d1ec61 632 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 633 u16 fcs = crc16(0, (u8 *)lh, count - L2CAP_FCS_SIZE);
634 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 635 }
636
73d80deb
LAD		 637 skb->priority = HCI_PRIO_MAX;
638 l2cap_do_send(chan, skb);
1c2acffb
GP		 639}
640
88843ab0 641static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u32 control)
7e743090 642{
e2ab4353 643 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 644 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 645 set_bit(CONN_RNR_SENT, &chan->conn_state);
1890d36b 646 } else
ab784b73 647 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
7e743090 648
0b209fae 649 control |= __set_reqseq(chan, chan->buffer_seq);
2ab25cdd 650
525cd185 651 l2cap_send_sframe(chan, control);
7e743090
GP		 652}
653
b4450035 654static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 655{
c1360a1c 656 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 657}
658
fc7f8a7e 659static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 660{
8c1d787b 661 struct l2cap_conn *conn = chan->conn;
79d554a6
MH		 662
663 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 664 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
665 return;
666
4343478f
GP		 667 if (l2cap_check_security(chan) &&
668 __l2cap_no_conn_pending(chan)) {
b1235d79 669 struct l2cap_conn_req req;
fe4128e0
GP		 670 req.scid = cpu_to_le16(chan->scid);
671 req.psm = chan->psm;
79d554a6 672
fc7f8a7e 673 chan->ident = l2cap_get_ident(conn);
c1360a1c 674 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
79d554a6 675
fc7f8a7e
GP		 676 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
677 sizeof(req), &req);
b1235d79 678 }
79d554a6
MH		 679 } else {
680 struct l2cap_info_req req;
681 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
682
683 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
684 conn->info_ident = l2cap_get_ident(conn);
685
686 mod_timer(&conn->info_timer, jiffies +
687 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
688
689 l2cap_send_cmd(conn, conn->info_ident,
690 L2CAP_INFO_REQ, sizeof(req), &req);
691 }
692}
693
cf6c2c0b
GP		 694static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
695{
696 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 697 if (!disable_ertm)
cf6c2c0b
GP		 698 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
699
700 switch (mode) {
701 case L2CAP_MODE_ERTM:
702 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
703 case L2CAP_MODE_STREAMING:
704 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
705 default:
706 return 0x00;
707 }
708}
709
4519de9a 710static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 711{
e92c8e70 712 struct sock *sk;
22121fc9
GP		 713 struct l2cap_disconn_req req;
714
c13ffa62
GP		 715 if (!conn)
716 return;
717
e92c8e70
GP		 718 sk = chan->sk;
719
0c1bc5c6 720 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 721 __clear_retrans_timer(chan);
722 __clear_monitor_timer(chan);
723 __clear_ack_timer(chan);
c13ffa62
GP		 724 }
725
fe4128e0
GP		 726 req.dcid = cpu_to_le16(chan->dcid);
727 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 728 l2cap_send_cmd(conn, l2cap_get_ident(conn),
729 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 730
89bc500e 731 l2cap_state_change(chan, BT_DISCONN);
9b108fc0 732 sk->sk_err = err;
22121fc9
GP		 733}
734
1da177e4 735/* ---- L2CAP connections ---- */
4e8402a3
MH		 736static void l2cap_conn_start(struct l2cap_conn *conn)
737{
820ffdb3 738 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 739
740 BT_DBG("conn %p", conn);
741
baa7e1fa 742 read_lock(&conn->chan_lock);
4e8402a3 743
820ffdb3 744 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 745 struct sock *sk = chan->sk;
baa7e1fa 746
4e8402a3
MH		 747 bh_lock_sock(sk);
748
715ec005 749 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
79d554a6
MH		 750 bh_unlock_sock(sk);
751 continue;
752 }
753
89bc500e 754 if (chan->state == BT_CONNECT) {
47731de7 755 struct l2cap_conn_req req;
79d554a6 756
4343478f 757 if (!l2cap_check_security(chan) ||
b4450035 758 !__l2cap_no_conn_pending(chan)) {
47731de7
GP		 759 bh_unlock_sock(sk);
760 continue;
761 }
79d554a6 762
c1360a1c
GP		 763 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
764 && test_bit(CONF_STATE2_DEVICE,
765 &chan->conf_state)) {
0f852724 766 /* l2cap_chan_close() calls list_del(chan)
820ffdb3 767 * so release the lock */
2461daac 768 read_unlock(&conn->chan_lock);
89bc500e 769 l2cap_chan_close(chan, ECONNRESET);
2461daac 770 read_lock(&conn->chan_lock);
47731de7
GP		 771 bh_unlock_sock(sk);
772 continue;
b1235d79 773 }
47731de7 774
fe4128e0
GP		 775 req.scid = cpu_to_le16(chan->scid);
776 req.psm = chan->psm;
47731de7 777
fc7f8a7e 778 chan->ident = l2cap_get_ident(conn);
c1360a1c 779 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
47731de7 780
fc7f8a7e
GP		 781 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
782 sizeof(req), &req);
47731de7 783
89bc500e 784 } else if (chan->state == BT_CONNECT2) {
79d554a6 785 struct l2cap_conn_rsp rsp;
e9aeb2dd 786 char buf[128];
fe4128e0
GP		 787 rsp.scid = cpu_to_le16(chan->dcid);
788 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 789
4343478f 790 if (l2cap_check_security(chan)) {
f66dc81f
MH		 791 if (bt_sk(sk)->defer_setup) {
792 struct sock *parent = bt_sk(sk)->parent;
793 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
794 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 795 if (parent)
796 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 797
798 } else {
89bc500e 799 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 800 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
801 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
802 }
79d554a6
MH		 803 } else {
804 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
805 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
806 }
807
fc7f8a7e
GP		 808 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
809 sizeof(rsp), &rsp);
e9aeb2dd 810
c1360a1c 811 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd
GP		 812 rsp.result != L2CAP_CR_SUCCESS) {
813 bh_unlock_sock(sk);
814 continue;
815 }
816
c1360a1c 817 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 818 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 819 l2cap_build_conf_req(chan, buf), buf);
820 chan->num_conf_req++;
4e8402a3
MH		 821 }
822
823 bh_unlock_sock(sk);
824 }
825
baa7e1fa 826 read_unlock(&conn->chan_lock);
4e8402a3
MH		 827}
828
b62f328b
VT		 829/* Find socket with cid and source bdaddr.
830 * Returns closest match, locked.
831 */
23691d75 832static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
b62f328b 833{
23691d75 834 struct l2cap_chan *c, *c1 = NULL;
b62f328b 835
23691d75 836 read_lock(&chan_list_lock);
b62f328b 837
23691d75
GP		 838 list_for_each_entry(c, &chan_list, global_l) {
839 struct sock *sk = c->sk;
fe4128e0 840
89bc500e 841 if (state && c->state != state)
b62f328b
VT		 842 continue;
843
23691d75 844 if (c->scid == cid) {
b62f328b 845 /* Exact match. */
23691d75
GP		 846 if (!bacmp(&bt_sk(sk)->src, src)) {
847 read_unlock(&chan_list_lock);
848 return c;
849 }
b62f328b
VT		 850
851 /* Closest match */
852 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 853 c1 = c;
b62f328b
VT		 854 }
855 }
280f294f 856
23691d75 857 read_unlock(&chan_list_lock);
b62f328b 858
23691d75 859 return c1;
b62f328b
VT		 860}
861
862static void l2cap_le_conn_ready(struct l2cap_conn *conn)
863{
c916fbe4 864 struct sock *parent, *sk;
23691d75 865 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 866
867 BT_DBG("");
868
869 /* Check if we have socket listening on cid */
23691d75 870 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
b62f328b 871 conn->src);
23691d75 872 if (!pchan)
b62f328b
VT		 873 return;
874
23691d75
GP		 875 parent = pchan->sk;
876
62f3a2cf
GP		 877 bh_lock_sock(parent);
878
b62f328b
VT		 879 /* Check for backlog size */
880 if (sk_acceptq_is_full(parent)) {
881 BT_DBG("backlog full %d", parent->sk_ack_backlog);
882 goto clean;
883 }
884
80808e43
GP		 885 chan = pchan->ops->new_connection(pchan->data);
886 if (!chan)
b62f328b
VT		 887 goto clean;
888
80808e43 889 sk = chan->sk;
5d41ce1d 890
baa7e1fa 891 write_lock_bh(&conn->chan_lock);
b62f328b
VT		 892
893 hci_conn_hold(conn->hcon);
894
b62f328b
VT		 895 bacpy(&bt_sk(sk)->src, conn->src);
896 bacpy(&bt_sk(sk)->dst, conn->dst);
897
d1010240
GP		 898 bt_accept_enqueue(parent, sk);
899
48454079
GP		 900 __l2cap_chan_add(conn, chan);
901
c9b66675 902 __set_chan_timer(chan, sk->sk_sndtimeo);
b62f328b 903
89bc500e 904 l2cap_state_change(chan, BT_CONNECTED);
b62f328b
VT		 905 parent->sk_data_ready(parent, 0);
906
baa7e1fa 907 write_unlock_bh(&conn->chan_lock);
b62f328b
VT		 908
909clean:
910 bh_unlock_sock(parent);
911}
912
f1cb9af5
VCG		 913static void l2cap_chan_ready(struct sock *sk)
914{
915 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
916 struct sock *parent = bt_sk(sk)->parent;
917
918 BT_DBG("sk %p, parent %p", sk, parent);
919
920 chan->conf_state = 0;
921 __clear_chan_timer(chan);
922
43f3dc41 923 l2cap_state_change(chan, BT_CONNECTED);
f1cb9af5
VCG		 924 sk->sk_state_change(sk);
925
926 if (parent)
927 parent->sk_data_ready(parent, 0);
928}
929
4e8402a3
MH		 930static void l2cap_conn_ready(struct l2cap_conn *conn)
931{
48454079 932 struct l2cap_chan *chan;
4e8402a3 933
79d554a6 934 BT_DBG("conn %p", conn);
4e8402a3 935
b62f328b
VT		 936 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
937 l2cap_le_conn_ready(conn);
938
160dc6ac
VCG		 939 if (conn->hcon->out && conn->hcon->type == LE_LINK)
940 smp_conn_security(conn, conn->hcon->pending_sec_level);
941
baa7e1fa 942 read_lock(&conn->chan_lock);
4e8402a3 943
baa7e1fa 944 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 945 struct sock *sk = chan->sk;
baa7e1fa 946
79d554a6 947 bh_lock_sock(sk);
4e8402a3 948
63128451 949 if (conn->hcon->type == LE_LINK) {
b501d6a1 950 if (smp_conn_security(conn, chan->sec_level))
f1cb9af5 951 l2cap_chan_ready(sk);
acd7d370 952
63128451 953 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 954 __clear_chan_timer(chan);
89bc500e 955 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 956 sk->sk_state_change(sk);
b501d6a1 957
89bc500e 958 } else if (chan->state == BT_CONNECT)
fc7f8a7e 959 l2cap_do_start(chan);
4e8402a3 960
79d554a6 961 bh_unlock_sock(sk);
4e8402a3 962 }
79d554a6 963
baa7e1fa 964 read_unlock(&conn->chan_lock);
4e8402a3
MH		 965}
966
967/* Notify sockets that we cannot guaranty reliability anymore */
968static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
969{
48454079 970 struct l2cap_chan *chan;
4e8402a3
MH		 971
972 BT_DBG("conn %p", conn);
973
baa7e1fa 974 read_lock(&conn->chan_lock);
4e8402a3 975
baa7e1fa 976 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 977 struct sock *sk = chan->sk;
baa7e1fa 978
ecf61bdb 979 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
4e8402a3
MH		 980 sk->sk_err = err;
981 }
982
baa7e1fa 983 read_unlock(&conn->chan_lock);
4e8402a3
MH		 984}
985
986static void l2cap_info_timeout(unsigned long arg)
987{
988 struct l2cap_conn *conn = (void *) arg;
989
984947dc 990 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 991 conn->info_ident = 0;
984947dc 992
4e8402a3
MH		 993 l2cap_conn_start(conn);
994}
995
5d3de7df
VCG		 996static void l2cap_conn_del(struct hci_conn *hcon, int err)
997{
998 struct l2cap_conn *conn = hcon->l2cap_data;
999 struct l2cap_chan *chan, *l;
1000 struct sock *sk;
1001
1002 if (!conn)
1003 return;
1004
1005 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1006
1007 kfree_skb(conn->rx_skb);
1008
1009 /* Kill channels */
1010 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1011 sk = chan->sk;
1012 bh_lock_sock(sk);
1013 l2cap_chan_del(chan, err);
1014 bh_unlock_sock(sk);
1015 chan->ops->close(chan->data);
1016 }
1017
73d80deb
LAD		 1018 hci_chan_del(conn->hchan);
1019
5d3de7df
VCG		 1020 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1021 del_timer_sync(&conn->info_timer);
1022
d26a2345 1023 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->pend)) {
5d3de7df 1024 del_timer(&conn->security_timer);
8aab4757 1025 smp_chan_destroy(conn);
d26a2345 1026 }
5d3de7df
VCG		 1027
1028 hcon->l2cap_data = NULL;
1029 kfree(conn);
1030}
1031
1032static void security_timeout(unsigned long arg)
1033{
1034 struct l2cap_conn *conn = (void *) arg;
1035
1036 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1037}
1038
1da177e4
LT		 1039static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1040{
0139418c 1041 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1042 struct hci_chan *hchan;
1da177e4 1043
0139418c 1044 if (conn || status)
1da177e4
LT		 1045 return conn;
1046
73d80deb
LAD		 1047 hchan = hci_chan_create(hcon);
1048 if (!hchan)
1049 return NULL;
1050
0139418c 1051 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
73d80deb
LAD		 1052 if (!conn) {
1053 hci_chan_del(hchan);
1da177e4 1054 return NULL;
73d80deb 1055 }
1da177e4
LT		 1056
1057 hcon->l2cap_data = conn;
1058 conn->hcon = hcon;
73d80deb 1059 conn->hchan = hchan;
1da177e4 1060
73d80deb 1061 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1062
acd7d370
VT		 1063 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1064 conn->mtu = hcon->hdev->le_mtu;
1065 else
1066 conn->mtu = hcon->hdev->acl_mtu;
1067
1da177e4
LT		 1068 conn->src = &hcon->hdev->bdaddr;
1069 conn->dst = &hcon->dst;
1070
4e8402a3
MH		 1071 conn->feat_mask = 0;
1072
1da177e4 1073 spin_lock_init(&conn->lock);
baa7e1fa
GP		 1074 rwlock_init(&conn->chan_lock);
1075
1076 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1077
5d3de7df
VCG		 1078 if (hcon->type == LE_LINK)
1079 setup_timer(&conn->security_timer, security_timeout,
1080 (unsigned long) conn);
1081 else
b62f328b 1082 setup_timer(&conn->info_timer, l2cap_info_timeout,
45054dc1
DY		 1083 (unsigned long) conn);
1084
9f5a0d7b 1085 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1086
1da177e4
LT		 1087 return conn;
1088}
1089
48454079 1090static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
1da177e4 1091{
baa7e1fa 1092 write_lock_bh(&conn->chan_lock);
48454079 1093 __l2cap_chan_add(conn, chan);
baa7e1fa 1094 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 1095}
1096
1da177e4 1097/* ---- Socket interface ---- */
1da177e4
LT		 1098
1099/* Find socket with psm and source bdaddr.
1100 * Returns closest match.
1101 */
23691d75 1102static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4 1103{
23691d75 1104 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1105
23691d75 1106 read_lock(&chan_list_lock);
e0f0cb56 1107
23691d75
GP		 1108 list_for_each_entry(c, &chan_list, global_l) {
1109 struct sock *sk = c->sk;
fe4128e0 1110
89bc500e 1111 if (state && c->state != state)
1da177e4
LT		 1112 continue;
1113
23691d75 1114 if (c->psm == psm) {
1da177e4 1115 /* Exact match. */
23691d75 1116 if (!bacmp(&bt_sk(sk)->src, src)) {
a7567b20 1117 read_unlock(&chan_list_lock);
23691d75
GP		 1118 return c;
1119 }
1da177e4
LT		 1120
1121 /* Closest match */
1122 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 1123 c1 = c;
1da177e4
LT		 1124 }
1125 }
1da177e4 1126
23691d75 1127 read_unlock(&chan_list_lock);
e0f0cb56 1128
23691d75 1129 return c1;
1da177e4
LT		 1130}
1131
77a74c7e 1132int l2cap_chan_connect(struct l2cap_chan *chan)
1da177e4 1133{
5d41ce1d 1134 struct sock *sk = chan->sk;
1da177e4
LT		 1135 bdaddr_t *src = &bt_sk(sk)->src;
1136 bdaddr_t *dst = &bt_sk(sk)->dst;
1137 struct l2cap_conn *conn;
1138 struct hci_conn *hcon;
1139 struct hci_dev *hdev;
09ab6f4c 1140 __u8 auth_type;
44d0e48e 1141 int err;
1da177e4 1142
f29972de 1143 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
fe4128e0 1144 chan->psm);
1da177e4 1145
af05b30b
GP		 1146 hdev = hci_get_route(dst, src);
1147 if (!hdev)
1da177e4
LT		 1148 return -EHOSTUNREACH;
1149
1150 hci_dev_lock_bh(hdev);
1151
4343478f 1152 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1153
fe4128e0 1154 if (chan->dcid == L2CAP_CID_LE_DATA)
acd7d370 1155 hcon = hci_connect(hdev, LE_LINK, dst,
4343478f 1156 chan->sec_level, auth_type);
acd7d370
VT		 1157 else
1158 hcon = hci_connect(hdev, ACL_LINK, dst,
4343478f 1159 chan->sec_level, auth_type);
acd7d370 1160
30e76272
VT		 1161 if (IS_ERR(hcon)) {
1162 err = PTR_ERR(hcon);
1da177e4 1163 goto done;
30e76272 1164 }
1da177e4
LT		 1165
1166 conn = l2cap_conn_add(hcon, 0);
1167 if (!conn) {
1168 hci_conn_put(hcon);
30e76272 1169 err = -ENOMEM;
1da177e4
LT		 1170 goto done;
1171 }
1172
1da177e4
LT		 1173 /* Update source addr of the socket */
1174 bacpy(src, conn->src);
1175
48454079
GP		 1176 l2cap_chan_add(conn, chan);
1177
89bc500e 1178 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1179 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1180
1181 if (hcon->state == BT_CONNECTED) {
715ec005 1182 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1183 __clear_chan_timer(chan);
4343478f 1184 if (l2cap_check_security(chan))
89bc500e 1185 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1186 } else
fc7f8a7e 1187 l2cap_do_start(chan);
1da177e4
LT		 1188 }
1189
30e76272
VT		 1190 err = 0;
1191
1da177e4
LT		 1192done:
1193 hci_dev_unlock_bh(hdev);
1194 hci_dev_put(hdev);
1195 return err;
1196}
1197
dcba0dba 1198int __l2cap_wait_ack(struct sock *sk)
6161c038 1199{
8c1d787b 1200 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1201 DECLARE_WAITQUEUE(wait, current);
1202 int err = 0;
1203 int timeo = HZ/5;
1204
2b0b05dd 1205 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1206 set_current_state(TASK_INTERRUPTIBLE);
1207 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1208 if (!timeo)
1209 timeo = HZ/5;
1210
1211 if (signal_pending(current)) {
1212 err = sock_intr_errno(timeo);
1213 break;
1214 }
1215
1216 release_sock(sk);
1217 timeo = schedule_timeout(timeo);
1218 lock_sock(sk);
a71a0cf4 1219 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1220
1221 err = sock_error(sk);
1222 if (err)
1223 break;
1224 }
1225 set_current_state(TASK_RUNNING);
2b0b05dd 1226 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1227 return err;
1228}
1229
e90bac06
GP		 1230static void l2cap_monitor_timeout(unsigned long arg)
1231{
525cd185
GP		 1232 struct l2cap_chan *chan = (void *) arg;
1233 struct sock *sk = chan->sk;
e90bac06 1234
525cd185 1235 BT_DBG("chan %p", chan);
0e98958d 1236
e686219a 1237 bh_lock_sock(sk);
2c03a7a4 1238 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1239 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
b13f5860 1240 bh_unlock_sock(sk);
e90bac06
GP		 1241 return;
1242 }
1243
6a026610 1244 chan->retry_count++;
1a09bcb9 1245 __set_monitor_timer(chan);
e90bac06 1246
525cd185 1247 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1248 bh_unlock_sock(sk);
e90bac06
GP		 1249}
1250
1251static void l2cap_retrans_timeout(unsigned long arg)
1252{
525cd185
GP		 1253 struct l2cap_chan *chan = (void *) arg;
1254 struct sock *sk = chan->sk;
e90bac06 1255
49208c9c 1256 BT_DBG("chan %p", chan);
0e98958d 1257
e686219a 1258 bh_lock_sock(sk);
6a026610 1259 chan->retry_count = 1;
1a09bcb9 1260 __set_monitor_timer(chan);
e90bac06 1261
e2ab4353 1262 set_bit(CONN_WAIT_F, &chan->conn_state);
e90bac06 1263
525cd185 1264 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1265 bh_unlock_sock(sk);
e90bac06
GP		 1266}
1267
42e5c802 1268static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1da177e4 1269{
1c2acffb 1270 struct sk_buff *skb;
1da177e4 1271
58d35f87 1272 while ((skb = skb_peek(&chan->tx_q)) &&
6a026610 1273 chan->unacked_frames) {
42e5c802 1274 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1c2acffb 1275 break;
1da177e4 1276
58d35f87 1277 skb = skb_dequeue(&chan->tx_q);
1c2acffb 1278 kfree_skb(skb);
1da177e4 1279
6a026610 1280 chan->unacked_frames--;
1c2acffb 1281 }
1da177e4 1282
6a026610 1283 if (!chan->unacked_frames)
1a09bcb9 1284 __clear_retrans_timer(chan);
1c2acffb 1285}
1da177e4 1286
67c9e840 1287static void l2cap_streaming_send(struct l2cap_chan *chan)
6840ed07 1288{
ccbb84af 1289 struct sk_buff *skb;
88843ab0
AE		 1290 u32 control;
1291 u16 fcs;
6840ed07 1292
58d35f87 1293 while ((skb = skb_dequeue(&chan->tx_q))) {
88843ab0 1294 control = __get_control(chan, skb->data + L2CAP_HDR_SIZE);
fb45de7d 1295 control |= __set_txseq(chan, chan->next_tx_seq);
88843ab0 1296 __put_control(chan, control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1297
47d1ec61 1298 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1299 fcs = crc16(0, (u8 *)skb->data,
1300 skb->len - L2CAP_FCS_SIZE);
1301 put_unaligned_le16(fcs,
1302 skb->data + skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 1303 }
1304
4343478f 1305 l2cap_do_send(chan, skb);
6840ed07 1306
836be934 1307 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
6840ed07 1308 }
6840ed07
GP		 1309}
1310
fb45de7d 1311static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 1312{
8f17154f 1313 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1314 u16 fcs;
1315 u32 control;
8f17154f 1316
58d35f87 1317 skb = skb_peek(&chan->tx_q);
f11d676d
GP		 1318 if (!skb)
1319 return;
8f17154f 1320
f11d676d
GP		 1321 do {
1322 if (bt_cb(skb)->tx_seq == tx_seq)
8f17154f 1323 break;
8f17154f 1324
58d35f87 1325 if (skb_queue_is_last(&chan->tx_q, skb))
f11d676d 1326 return;
8f17154f 1327
58d35f87 1328 } while ((skb = skb_queue_next(&chan->tx_q, skb)));
8f17154f 1329
2c03a7a4
GP		 1330 if (chan->remote_max_tx &&
1331 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1332 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
f11d676d
GP		 1333 return;
1334 }
1335
1336 tx_skb = skb_clone(skb, GFP_ATOMIC);
1337 bt_cb(skb)->retries++;
88843ab0
AE		 1338
1339 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1340 control &= __get_sar_mask(chan);
3cb123d1 1341
e2ab4353 1342 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1343 control |= __set_ctrl_final(chan);
95ffa978 1344
0b209fae 1345 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1346 control |= __set_txseq(chan, tx_seq);
3cb123d1 1347
88843ab0 1348 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
f11d676d 1349
47d1ec61 1350 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1351 fcs = crc16(0, (u8 *)tx_skb->data,
1352 tx_skb->len - L2CAP_FCS_SIZE);
1353 put_unaligned_le16(fcs,
1354 tx_skb->data + tx_skb->len - L2CAP_FCS_SIZE);
f11d676d
GP		 1355 }
1356
4343478f 1357 l2cap_do_send(chan, tx_skb);
8f17154f
GP		 1358}
1359
67c9e840 1360static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1361{
1362 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1363 u16 fcs;
1364 u32 control;
9a9c6a34 1365 int nsent = 0;
1c2acffb 1366
89bc500e 1367 if (chan->state != BT_CONNECTED)
c13ffa62 1368 return -ENOTCONN;
e90bac06 1369
58d35f87 1370 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1c2acffb 1371
2c03a7a4
GP		 1372 if (chan->remote_max_tx &&
1373 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1374 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
e90bac06
GP		 1375 break;
1376 }
1377
e420aba3
AE		 1378 tx_skb = skb_clone(skb, GFP_ATOMIC);
1379
e90bac06
GP		 1380 bt_cb(skb)->retries++;
1381
88843ab0 1382 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1383 control &= __get_sar_mask(chan);
95ffa978 1384
e2ab4353 1385 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1386 control |= __set_ctrl_final(chan);
e2ab4353 1387
0b209fae 1388 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1389 control |= __set_txseq(chan, chan->next_tx_seq);
1c2acffb 1390
88843ab0 1391 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
e90bac06 1392
47d1ec61 1393 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1394 fcs = crc16(0, (u8 *)skb->data,
1395 tx_skb->len - L2CAP_FCS_SIZE);
1396 put_unaligned_le16(fcs, skb->data +
1397 tx_skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 1398 }
1399
4343478f 1400 l2cap_do_send(chan, tx_skb);
9a9c6a34 1401
1a09bcb9 1402 __set_retrans_timer(chan);
1c2acffb 1403
42e5c802 1404 bt_cb(skb)->tx_seq = chan->next_tx_seq;
836be934
AE		 1405
1406 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1c2acffb 1407
23e9fde2 1408 if (bt_cb(skb)->retries == 1)
6a026610 1409 chan->unacked_frames++;
23e9fde2 1410
6a026610 1411 chan->frames_sent++;
1c2acffb 1412
58d35f87
GP		 1413 if (skb_queue_is_last(&chan->tx_q, skb))
1414 chan->tx_send_head = NULL;
1c2acffb 1415 else
58d35f87 1416 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
9e917af1
GP		 1417
1418 nsent++;
1c2acffb
GP		 1419 }
1420
9e917af1
GP		 1421 return nsent;
1422}
1423
525cd185 1424static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1425{
dfc909be
GP		 1426 int ret;
1427
58d35f87
GP		 1428 if (!skb_queue_empty(&chan->tx_q))
1429 chan->tx_send_head = chan->tx_q.next;
dfc909be 1430
42e5c802 1431 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1432 ret = l2cap_ertm_send(chan);
dfc909be
GP		 1433 return ret;
1434}
1435
525cd185 1436static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1437{
88843ab0 1438 u32 control = 0;
9e917af1 1439
0b209fae 1440 control |= __set_reqseq(chan, chan->buffer_seq);
9e917af1 1441
e2ab4353 1442 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 1443 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 1444 set_bit(CONN_RNR_SENT, &chan->conn_state);
525cd185 1445 l2cap_send_sframe(chan, control);
9a9c6a34 1446 return;
9e917af1 1447 }
dfc909be 1448
525cd185 1449 if (l2cap_ertm_send(chan) > 0)
dfc909be
GP		 1450 return;
1451
ab784b73 1452 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 1453 l2cap_send_sframe(chan, control);
1c2acffb
GP		 1454}
1455
525cd185 1456static void l2cap_send_srejtail(struct l2cap_chan *chan)
99b0d4b7
GP		 1457{
1458 struct srej_list *tail;
88843ab0 1459 u32 control;
99b0d4b7 1460
ab784b73 1461 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
03f6715d 1462 control |= __set_ctrl_final(chan);
99b0d4b7 1463
39d5a3ee 1464 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
0b209fae 1465 control |= __set_reqseq(chan, tail->tx_seq);
99b0d4b7 1466
525cd185 1467 l2cap_send_sframe(chan, control);
99b0d4b7
GP		 1468}
1469
1c2acffb
GP		 1470static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1471{
8c1d787b 1472 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1c2acffb
GP		 1473 struct sk_buff **frag;
1474 int err, sent = 0;
1da177e4 1475
59203a21 1476 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1477 return -EFAULT;
1da177e4
LT		 1478
1479 sent += count;
1480 len -= count;
1481
1482 /* Continuation fragments (no L2CAP header) */
1483 frag = &skb_shinfo(skb)->frag_list;
1484 while (len) {
1485 count = min_t(unsigned int, conn->mtu, len);
1486
1487 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1488 if (!*frag)
0175d629 1489 return err;
1c2acffb
GP		 1490 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1491 return -EFAULT;
1da177e4 1492
5e59b791
LAD		 1493 (*frag)->priority = skb->priority;
1494
1da177e4
LT		 1495 sent += count;
1496 len -= count;
1497
1498 frag = &(*frag)->next;
1499 }
1da177e4
LT		 1500
1501 return sent;
1c2acffb 1502}
1da177e4 1503
5e59b791
LAD		 1504static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
1505 struct msghdr *msg, size_t len,
1506 u32 priority)
1c2acffb 1507{
fe4128e0 1508 struct sock *sk = chan->sk;
8c1d787b 1509 struct l2cap_conn *conn = chan->conn;
1c2acffb 1510 struct sk_buff *skb;
03a51213 1511 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 1512 struct l2cap_hdr *lh;
1513
5e59b791 1514 BT_DBG("sk %p len %d priority %u", sk, (int)len, priority);
1c2acffb
GP		 1515
1516 count = min_t(unsigned int, (conn->mtu - hlen), len);
1517 skb = bt_skb_send_alloc(sk, count + hlen,
1518 msg->msg_flags & MSG_DONTWAIT, &err);
1519 if (!skb)
0175d629 1520 return ERR_PTR(err);
1c2acffb 1521
5e59b791
LAD		 1522 skb->priority = priority;
1523
1c2acffb
GP		 1524 /* Create L2CAP header */
1525 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1526 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1527 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
fe4128e0 1528 put_unaligned_le16(chan->psm, skb_put(skb, 2));
1c2acffb
GP		 1529
1530 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1531 if (unlikely(err < 0)) {
1532 kfree_skb(skb);
1533 return ERR_PTR(err);
1534 }
1535 return skb;
1536}
1537
5e59b791
LAD		 1538static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
1539 struct msghdr *msg, size_t len,
1540 u32 priority)
1c2acffb 1541{
fe4128e0 1542 struct sock *sk = chan->sk;
8c1d787b 1543 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1544 struct sk_buff *skb;
1545 int err, count, hlen = L2CAP_HDR_SIZE;
1546 struct l2cap_hdr *lh;
1547
1548 BT_DBG("sk %p len %d", sk, (int)len);
1549
1550 count = min_t(unsigned int, (conn->mtu - hlen), len);
1551 skb = bt_skb_send_alloc(sk, count + hlen,
1552 msg->msg_flags & MSG_DONTWAIT, &err);
1553 if (!skb)
0175d629 1554 return ERR_PTR(err);
1c2acffb 1555
5e59b791
LAD		 1556 skb->priority = priority;
1557
1c2acffb
GP		 1558 /* Create L2CAP header */
1559 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1560 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1561 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1562
1563 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1564 if (unlikely(err < 0)) {
1565 kfree_skb(skb);
1566 return ERR_PTR(err);
1567 }
1568 return skb;
1569}
1570
ab0ff76d
LAD		 1571static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
1572 struct msghdr *msg, size_t len,
88843ab0 1573 u32 control, u16 sdulen)
1c2acffb 1574{
47d1ec61 1575 struct sock *sk = chan->sk;
8c1d787b 1576 struct l2cap_conn *conn = chan->conn;
1c2acffb 1577 struct sk_buff *skb;
e4ca6d98 1578 int err, count, hlen;
1c2acffb
GP		 1579 struct l2cap_hdr *lh;
1580
1581 BT_DBG("sk %p len %d", sk, (int)len);
1582
0ee0d208
GP		 1583 if (!conn)
1584 return ERR_PTR(-ENOTCONN);
1585
e4ca6d98
AE		 1586 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1587 hlen = L2CAP_EXT_HDR_SIZE;
1588 else
1589 hlen = L2CAP_ENH_HDR_SIZE;
1590
c74e560c 1591 if (sdulen)
03a51213 1592 hlen += L2CAP_SDULEN_SIZE;
c74e560c 1593
47d1ec61 1594 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1595 hlen += L2CAP_FCS_SIZE;
fcc203c3 1596
1c2acffb
GP		 1597 count = min_t(unsigned int, (conn->mtu - hlen), len);
1598 skb = bt_skb_send_alloc(sk, count + hlen,
1599 msg->msg_flags & MSG_DONTWAIT, &err);
1600 if (!skb)
0175d629 1601 return ERR_PTR(err);
1c2acffb
GP		 1602
1603 /* Create L2CAP header */
1604 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1605 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1606 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0
AE		 1607
1608 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
1609
c74e560c 1610 if (sdulen)
03a51213 1611 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb
GP		 1612
1613 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1614 if (unlikely(err < 0)) {
1615 kfree_skb(skb);
1616 return ERR_PTR(err);
1617 }
e90bac06 1618
47d1ec61 1619 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1620 put_unaligned_le16(0, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3 1621
e90bac06 1622 bt_cb(skb)->retries = 0;
1c2acffb 1623 return skb;
1da177e4
LT		 1624}
1625
67c9e840 1626static int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
c74e560c 1627{
c74e560c
GP		 1628 struct sk_buff *skb;
1629 struct sk_buff_head sar_queue;
88843ab0 1630 u32 control;
c74e560c
GP		 1631 size_t size = 0;
1632
ff12fd64 1633 skb_queue_head_init(&sar_queue);
7e0ef6ee 1634 control = __set_ctrl_sar(chan, L2CAP_SAR_START);
47d1ec61 1635 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
c74e560c
GP		 1636 if (IS_ERR(skb))
1637 return PTR_ERR(skb);
1638
1639 __skb_queue_tail(&sar_queue, skb);
2c03a7a4
GP		 1640 len -= chan->remote_mps;
1641 size += chan->remote_mps;
c74e560c
GP		 1642
1643 while (len > 0) {
1644 size_t buflen;
1645
2c03a7a4 1646 if (len > chan->remote_mps) {
7e0ef6ee 1647 control = __set_ctrl_sar(chan, L2CAP_SAR_CONTINUE);
2c03a7a4 1648 buflen = chan->remote_mps;
c74e560c 1649 } else {
7e0ef6ee 1650 control = __set_ctrl_sar(chan, L2CAP_SAR_END);
c74e560c
GP		 1651 buflen = len;
1652 }
1653
47d1ec61 1654 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
c74e560c
GP		 1655 if (IS_ERR(skb)) {
1656 skb_queue_purge(&sar_queue);
1657 return PTR_ERR(skb);
1658 }
1659
1660 __skb_queue_tail(&sar_queue, skb);
1661 len -= buflen;
1662 size += buflen;
c74e560c 1663 }
58d35f87
GP		 1664 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
1665 if (chan->tx_send_head == NULL)
1666 chan->tx_send_head = sar_queue.next;
c74e560c
GP		 1667
1668 return size;
1669}
1670
5e59b791
LAD		 1671int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
1672 u32 priority)
9a91a04a 1673{
9a91a04a 1674 struct sk_buff *skb;
88843ab0 1675 u32 control;
9a91a04a
GP		 1676 int err;
1677
1678 /* Connectionless channel */
715ec005 1679 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 1680 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 1681 if (IS_ERR(skb))
1682 return PTR_ERR(skb);
1683
1684 l2cap_do_send(chan, skb);
1685 return len;
1686 }
1687
1688 switch (chan->mode) {
1689 case L2CAP_MODE_BASIC:
1690 /* Check outgoing MTU */
1691 if (len > chan->omtu)
1692 return -EMSGSIZE;
1693
1694 /* Create a basic PDU */
5e59b791 1695 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 1696 if (IS_ERR(skb))
1697 return PTR_ERR(skb);
1698
1699 l2cap_do_send(chan, skb);
1700 err = len;
1701 break;
1702
1703 case L2CAP_MODE_ERTM:
1704 case L2CAP_MODE_STREAMING:
1705 /* Entire SDU fits into one PDU */
1706 if (len <= chan->remote_mps) {
7e0ef6ee 1707 control = __set_ctrl_sar(chan, L2CAP_SAR_UNSEGMENTED);
9a91a04a
GP		 1708 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
1709 0);
1710 if (IS_ERR(skb))
1711 return PTR_ERR(skb);
1712
1713 __skb_queue_tail(&chan->tx_q, skb);
1714
1715 if (chan->tx_send_head == NULL)
1716 chan->tx_send_head = skb;
1717
1718 } else {
1719 /* Segment SDU into multiples PDUs */
1720 err = l2cap_sar_segment_sdu(chan, msg, len);
1721 if (err < 0)
1722 return err;
1723 }
1724
1725 if (chan->mode == L2CAP_MODE_STREAMING) {
1726 l2cap_streaming_send(chan);
1727 err = len;
1728 break;
1729 }
1730
e2ab4353
GP		 1731 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
1732 test_bit(CONN_WAIT_F, &chan->conn_state)) {
9a91a04a
GP		 1733 err = len;
1734 break;
1735 }
1736
1737 err = l2cap_ertm_send(chan);
1738 if (err >= 0)
1739 err = len;
1740
1741 break;
1742
1743 default:
1744 BT_DBG("bad state %1.1x", chan->mode);
1745 err = -EBADFD;
1746 }
1747
1748 return err;
1749}
1750
1da177e4
LT		 1751/* Copy frame to all raw sockets on that connection */
1752static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1753{
1da177e4 1754 struct sk_buff *nskb;
48454079 1755 struct l2cap_chan *chan;
1da177e4
LT		 1756
1757 BT_DBG("conn %p", conn);
1758
baa7e1fa
GP		 1759 read_lock(&conn->chan_lock);
1760 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 1761 struct sock *sk = chan->sk;
715ec005 1762 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 1763 continue;
1764
1765 /* Don't send frame to the socket it came from */
1766 if (skb->sk == sk)
1767 continue;
af05b30b
GP		 1768 nskb = skb_clone(skb, GFP_ATOMIC);
1769 if (!nskb)
1da177e4
LT		 1770 continue;
1771
23070494 1772 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT		 1773 kfree_skb(nskb);
1774 }
baa7e1fa 1775 read_unlock(&conn->chan_lock);
1da177e4
LT		 1776}
1777
1778/* ---- L2CAP signalling commands ---- */
1779static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1780 u8 code, u8 ident, u16 dlen, void *data)
1781{
1782 struct sk_buff *skb, **frag;
1783 struct l2cap_cmd_hdr *cmd;
1784 struct l2cap_hdr *lh;
1785 int len, count;
1786
af05b30b
GP		 1787 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1788 conn, code, ident, dlen);
1da177e4
LT		 1789
1790 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1791 count = min_t(unsigned int, conn->mtu, len);
1792
1793 skb = bt_skb_alloc(count, GFP_ATOMIC);
1794 if (!skb)
1795 return NULL;
1796
1797 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 1798 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 1799
1800 if (conn->hcon->type == LE_LINK)
1801 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
1802 else
1803 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 1804
1805 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1806 cmd->code = code;
1807 cmd->ident = ident;
aca3192c 1808 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 1809
1810 if (dlen) {
1811 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1812 memcpy(skb_put(skb, count), data, count);
1813 data += count;
1814 }
1815
1816 len -= skb->len;
1817
1818 /* Continuation fragments (no L2CAP header) */
1819 frag = &skb_shinfo(skb)->frag_list;
1820 while (len) {
1821 count = min_t(unsigned int, conn->mtu, len);
1822
1823 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1824 if (!*frag)
1825 goto fail;
1826
1827 memcpy(skb_put(*frag, count), data, count);
1828
1829 len -= count;
1830 data += count;
1831
1832 frag = &(*frag)->next;
1833 }
1834
1835 return skb;
1836
1837fail:
1838 kfree_skb(skb);
1839 return NULL;
1840}
1841
1842static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1843{
1844 struct l2cap_conf_opt *opt = *ptr;
1845 int len;
1846
1847 len = L2CAP_CONF_OPT_SIZE + opt->len;
1848 *ptr += len;
1849
1850 *type = opt->type;
1851 *olen = opt->len;
1852
1853 switch (opt->len) {
1854 case 1:
1855 *val = *((u8 *) opt->val);
1856 break;
1857
1858 case 2:
bfaaeb3e 1859 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 1860 break;
1861
1862 case 4:
bfaaeb3e 1863 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 1864 break;
1865
1866 default:
1867 *val = (unsigned long) opt->val;
1868 break;
1869 }
1870
1871 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1872 return len;
1873}
1874
1da177e4
LT		 1875static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1876{
1877 struct l2cap_conf_opt *opt = *ptr;
1878
1879 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1880
1881 opt->type = type;
1882 opt->len = len;
1883
1884 switch (len) {
1885 case 1:
1886 *((u8 *) opt->val) = val;
1887 break;
1888
1889 case 2:
4f8b691c 1890 put_unaligned_le16(val, opt->val);
1da177e4
LT		 1891 break;
1892
1893 case 4:
4f8b691c 1894 put_unaligned_le32(val, opt->val);
1da177e4
LT		 1895 break;
1896
1897 default:
1898 memcpy(opt->val, (void *) val, len);
1899 break;
1900 }
1901
1902 *ptr += L2CAP_CONF_OPT_SIZE + len;
1903}
1904
f89cef09
AE		 1905static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
1906{
1907 struct l2cap_conf_efs efs;
1908
1909 switch(chan->mode) {
1910 case L2CAP_MODE_ERTM:
1911 efs.id = chan->local_id;
1912 efs.stype = chan->local_stype;
1913 efs.msdu = cpu_to_le16(chan->local_msdu);
1914 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
1915 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
1916 efs.flush_to = cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
1917 break;
1918
1919 case L2CAP_MODE_STREAMING:
1920 efs.id = 1;
1921 efs.stype = L2CAP_SERV_BESTEFFORT;
1922 efs.msdu = cpu_to_le16(chan->local_msdu);
1923 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
1924 efs.acc_lat = 0;
1925 efs.flush_to = 0;
1926 break;
1927
1928 default:
1929 return;
1930 }
1931
1932 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
1933 (unsigned long) &efs);
1934}
1935
c1b4f43b
GP		 1936static void l2cap_ack_timeout(unsigned long arg)
1937{
525cd185 1938 struct l2cap_chan *chan = (void *) arg;
c1b4f43b 1939
525cd185
GP		 1940 bh_lock_sock(chan->sk);
1941 l2cap_send_ack(chan);
1942 bh_unlock_sock(chan->sk);
c1b4f43b
GP		 1943}
1944
525cd185 1945static inline void l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 1946{
525cd185
GP		 1947 struct sock *sk = chan->sk;
1948
42e5c802 1949 chan->expected_ack_seq = 0;
6a026610 1950 chan->unacked_frames = 0;
42e5c802 1951 chan->buffer_seq = 0;
6a026610
GP		 1952 chan->num_acked = 0;
1953 chan->frames_sent = 0;
0565c1c2 1954
e92c8e70
GP		 1955 setup_timer(&chan->retrans_timer, l2cap_retrans_timeout,
1956 (unsigned long) chan);
1957 setup_timer(&chan->monitor_timer, l2cap_monitor_timeout,
1958 (unsigned long) chan);
1959 setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan);
0565c1c2 1960
f1c6775b 1961 skb_queue_head_init(&chan->srej_q);
1890d36b 1962
39d5a3ee
GP		 1963 INIT_LIST_HEAD(&chan->srej_l);
1964
218bb9df
GP		 1965
1966 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
0565c1c2
GP		 1967}
1968
f2fcfcd6
GP		 1969static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
1970{
1971 switch (mode) {
1972 case L2CAP_MODE_STREAMING:
1973 case L2CAP_MODE_ERTM:
1974 if (l2cap_mode_supported(mode, remote_feat_mask))
1975 return mode;
1976 /* fall through */
1977 default:
1978 return L2CAP_MODE_BASIC;
1979 }
1980}
1981
6327eb98
AE		 1982static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
1983{
1984 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
1985}
1986
f89cef09
AE		 1987static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
1988{
1989 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
1990}
1991
6327eb98
AE		 1992static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
1993{
1994 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 1995 __l2cap_ews_supported(chan)) {
6327eb98
AE		 1996 /* use extended control field */
1997 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 1998 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
1999 } else {
6327eb98
AE		 2000 chan->tx_win = min_t(u16, chan->tx_win,
2001 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2002 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2003 }
6327eb98
AE		 2004}
2005
710f9b0a 2006static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2007{
1da177e4 2008 struct l2cap_conf_req *req = data;
0c1bc5c6 2009 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2010 void *ptr = req->data;
c8f79162 2011 u16 size;
1da177e4 2012
49208c9c 2013 BT_DBG("chan %p", chan);
1da177e4 2014
73ffa904 2015 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2016 goto done;
2017
0c1bc5c6 2018 switch (chan->mode) {
f2fcfcd6
GP		 2019 case L2CAP_MODE_STREAMING:
2020 case L2CAP_MODE_ERTM:
c1360a1c 2021 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2022 break;
85eb53c6 2023
f89cef09
AE		 2024 if (__l2cap_efs_supported(chan))
2025 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2026
2ba13ed6 2027 /* fall through */
f2fcfcd6 2028 default:
8c1d787b 2029 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2030 break;
2031 }
2032
2033done:
0c1bc5c6
GP		 2034 if (chan->imtu != L2CAP_DEFAULT_MTU)
2035 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2036
0c1bc5c6 2037 switch (chan->mode) {
65c7c491 2038 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2039 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2040 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2041 break;
2042
62547752
GP		 2043 rfc.mode = L2CAP_MODE_BASIC;
2044 rfc.txwin_size = 0;
2045 rfc.max_transmit = 0;
2046 rfc.retrans_timeout = 0;
2047 rfc.monitor_timeout = 0;
2048 rfc.max_pdu_size = 0;
2049
63406504
GP		 2050 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2051 (unsigned long) &rfc);
65c7c491
MH		 2052 break;
2053
2054 case L2CAP_MODE_ERTM:
2055 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2056 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2057 rfc.retrans_timeout = 0;
2058 rfc.monitor_timeout = 0;
c8f79162
AE		 2059
2060 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2061 L2CAP_EXT_HDR_SIZE -
2062 L2CAP_SDULEN_SIZE -
2063 L2CAP_FCS_SIZE);
2064 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2065
6327eb98
AE		 2066 l2cap_txwin_setup(chan);
2067
2068 rfc.txwin_size = min_t(u16, chan->tx_win,
2069 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2070
63406504
GP		 2071 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2072 (unsigned long) &rfc);
2073
f89cef09
AE		 2074 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2075 l2cap_add_opt_efs(&ptr, chan);
2076
8c1d787b 2077 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2078 break;
2079
47d1ec61 2080 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2081 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2082 chan->fcs = L2CAP_FCS_NONE;
2083 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2084 }
6327eb98
AE		 2085
2086 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2087 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2088 chan->tx_win);
f2fcfcd6
GP		 2089 break;
2090
2091 case L2CAP_MODE_STREAMING:
2092 rfc.mode = L2CAP_MODE_STREAMING;
2093 rfc.txwin_size = 0;
2094 rfc.max_transmit = 0;
2095 rfc.retrans_timeout = 0;
2096 rfc.monitor_timeout = 0;
c8f79162
AE		 2097
2098 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2099 L2CAP_EXT_HDR_SIZE -
2100 L2CAP_SDULEN_SIZE -
2101 L2CAP_FCS_SIZE);
2102 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2103
63406504
GP		 2104 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2105 (unsigned long) &rfc);
2106
f89cef09
AE		 2107 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2108 l2cap_add_opt_efs(&ptr, chan);
2109
8c1d787b 2110 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2111 break;
2112
47d1ec61 2113 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2114 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2115 chan->fcs = L2CAP_FCS_NONE;
2116 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2117 }
65c7c491
MH		 2118 break;
2119 }
1da177e4 2120
fe4128e0 2121 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 2122 req->flags = cpu_to_le16(0);
1da177e4
LT		 2123
2124 return ptr - data;
2125}
2126
73ffa904 2127static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2128{
5dee9e7c
MH		 2129 struct l2cap_conf_rsp *rsp = data;
2130 void *ptr = rsp->data;
73ffa904
GP		 2131 void *req = chan->conf_req;
2132 int len = chan->conf_len;
5dee9e7c
MH		 2133 int type, hint, olen;
2134 unsigned long val;
6464f35f 2135 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2136 struct l2cap_conf_efs efs;
2137 u8 remote_efs = 0;
861d6882 2138 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2139 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2140 u16 size;
1da177e4 2141
73ffa904 2142 BT_DBG("chan %p", chan);
820ae1b8 2143
5dee9e7c
MH		 2144 while (len >= L2CAP_CONF_OPT_SIZE) {
2145 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2146
589d2746 2147 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2148 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2149
2150 switch (type) {
2151 case L2CAP_CONF_MTU:
861d6882 2152 mtu = val;
5dee9e7c
MH		 2153 break;
2154
2155 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2156 chan->flush_to = val;
5dee9e7c
MH		 2157 break;
2158
2159 case L2CAP_CONF_QOS:
2160 break;
2161
6464f35f
MH		 2162 case L2CAP_CONF_RFC:
2163 if (olen == sizeof(rfc))
2164 memcpy(&rfc, (void *) val, olen);
2165 break;
2166
fcc203c3
GP		 2167 case L2CAP_CONF_FCS:
2168 if (val == L2CAP_FCS_NONE)
c1360a1c 2169 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 2170 break;
fcc203c3 2171
42dceae2
AE		 2172 case L2CAP_CONF_EFS:
2173 remote_efs = 1;
2174 if (olen == sizeof(efs))
2175 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 2176 break;
2177
6327eb98
AE		 2178 case L2CAP_CONF_EWS:
2179 if (!enable_hs)
2180 return -ECONNREFUSED;
fcc203c3 2181
6327eb98
AE		 2182 set_bit(FLAG_EXT_CTRL, &chan->flags);
2183 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 2184 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 2185 chan->remote_tx_win = val;
fcc203c3
GP		 2186 break;
2187
5dee9e7c
MH		 2188 default:
2189 if (hint)
2190 break;
2191
2192 result = L2CAP_CONF_UNKNOWN;
2193 *((u8 *) ptr++) = type;
2194 break;
2195 }
2196 }
2197
73ffa904 2198 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2199 goto done;
2200
0c1bc5c6 2201 switch (chan->mode) {
f2fcfcd6
GP		 2202 case L2CAP_MODE_STREAMING:
2203 case L2CAP_MODE_ERTM:
c1360a1c 2204 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2205 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2206 chan->conn->feat_mask);
85eb53c6
GP		 2207 break;
2208 }
2209
42dceae2
AE		 2210 if (remote_efs) {
2211 if (__l2cap_efs_supported(chan))
2212 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2213 else
2214 return -ECONNREFUSED;
2215 }
2216
0c1bc5c6 2217 if (chan->mode != rfc.mode)
f2fcfcd6 2218 return -ECONNREFUSED;
742e519b 2219
f2fcfcd6 2220 break;
f2fcfcd6
GP		 2221 }
2222
2223done:
0c1bc5c6 2224 if (chan->mode != rfc.mode) {
f2fcfcd6 2225 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2226 rfc.mode = chan->mode;
f2fcfcd6 2227
73ffa904 2228 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2229 return -ECONNREFUSED;
2230
2231 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2232 sizeof(rfc), (unsigned long) &rfc);
2233 }
2234
5dee9e7c
MH		 2235 if (result == L2CAP_CONF_SUCCESS) {
2236 /* Configure output options and let the other side know
2237 * which ones we don't like. */
2238
f2fcfcd6
GP		 2239 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2240 result = L2CAP_CONF_UNACCEPT;
2241 else {
0c1bc5c6 2242 chan->omtu = mtu;
c1360a1c 2243 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 2244 }
0c1bc5c6 2245 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2246
42dceae2
AE		 2247 if (remote_efs) {
2248 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2249 efs.stype != L2CAP_SERV_NOTRAFIC &&
2250 efs.stype != chan->local_stype) {
2251
2252 result = L2CAP_CONF_UNACCEPT;
2253
2254 if (chan->num_conf_req >= 1)
2255 return -ECONNREFUSED;
2256
2257 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 2258 sizeof(efs),
42dceae2 2259 (unsigned long) &efs);
0e8b207e 2260 } else {
3e6b3b95 2261 /* Send PENDING Conf Rsp */
0e8b207e
AE		 2262 result = L2CAP_CONF_PENDING;
2263 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 2264 }
2265 }
2266
f2fcfcd6
GP		 2267 switch (rfc.mode) {
2268 case L2CAP_MODE_BASIC:
47d1ec61 2269 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2270 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 2271 break;
2272
2273 case L2CAP_MODE_ERTM:
6327eb98
AE		 2274 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
2275 chan->remote_tx_win = rfc.txwin_size;
2276 else
2277 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 2278
2c03a7a4 2279 chan->remote_max_tx = rfc.max_transmit;
1c762159 2280
c8f79162
AE		 2281 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2282 chan->conn->mtu -
2283 L2CAP_EXT_HDR_SIZE -
2284 L2CAP_SDULEN_SIZE -
2285 L2CAP_FCS_SIZE);
2286 rfc.max_pdu_size = cpu_to_le16(size);
2287 chan->remote_mps = size;
f2fcfcd6 2288
10467e9e
GP		 2289 rfc.retrans_timeout =
2290 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2291 rfc.monitor_timeout =
2292 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2293
c1360a1c 2294 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2295
2296 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2297 sizeof(rfc), (unsigned long) &rfc);
2298
42dceae2
AE		 2299 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2300 chan->remote_id = efs.id;
2301 chan->remote_stype = efs.stype;
2302 chan->remote_msdu = le16_to_cpu(efs.msdu);
2303 chan->remote_flush_to =
2304 le32_to_cpu(efs.flush_to);
2305 chan->remote_acc_lat =
2306 le32_to_cpu(efs.acc_lat);
2307 chan->remote_sdu_itime =
2308 le32_to_cpu(efs.sdu_itime);
2309 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2310 sizeof(efs), (unsigned long) &efs);
2311 }
f2fcfcd6
GP		 2312 break;
2313
2314 case L2CAP_MODE_STREAMING:
c8f79162
AE		 2315 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2316 chan->conn->mtu -
2317 L2CAP_EXT_HDR_SIZE -
2318 L2CAP_SDULEN_SIZE -
2319 L2CAP_FCS_SIZE);
2320 rfc.max_pdu_size = cpu_to_le16(size);
2321 chan->remote_mps = size;
f2fcfcd6 2322
c1360a1c 2323 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2324
2325 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2326 sizeof(rfc), (unsigned long) &rfc);
2327
f2fcfcd6
GP		 2328 break;
2329
2330 default:
5dee9e7c 2331 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2332
6464f35f 2333 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2334 rfc.mode = chan->mode;
f2fcfcd6 2335 }
6464f35f 2336
f2fcfcd6 2337 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 2338 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 2339 }
fe4128e0 2340 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2341 rsp->result = cpu_to_le16(result);
2342 rsp->flags = cpu_to_le16(0x0000);
2343
2344 return ptr - data;
1da177e4
LT		 2345}
2346
b4450035 2347static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2348{
f2fcfcd6
GP		 2349 struct l2cap_conf_req *req = data;
2350 void *ptr = req->data;
2351 int type, olen;
2352 unsigned long val;
2353 struct l2cap_conf_rfc rfc;
66af7aaf 2354 struct l2cap_conf_efs efs;
f2fcfcd6 2355
fe4128e0 2356 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 2357
2358 while (len >= L2CAP_CONF_OPT_SIZE) {
2359 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2360
2361 switch (type) {
2362 case L2CAP_CONF_MTU:
2363 if (val < L2CAP_DEFAULT_MIN_MTU) {
2364 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2365 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2366 } else
0c1bc5c6
GP		 2367 chan->imtu = val;
2368 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 2369 break;
2370
2371 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2372 chan->flush_to = val;
f2fcfcd6 2373 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 2374 2, chan->flush_to);
f2fcfcd6
GP		 2375 break;
2376
2377 case L2CAP_CONF_RFC:
2378 if (olen == sizeof(rfc))
2379 memcpy(&rfc, (void *)val, olen);
2380
c1360a1c 2381 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 2382 rfc.mode != chan->mode)
f2fcfcd6
GP		 2383 return -ECONNREFUSED;
2384
47d1ec61 2385 chan->fcs = 0;
f2fcfcd6
GP		 2386
2387 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2388 sizeof(rfc), (unsigned long) &rfc);
2389 break;
6327eb98
AE		 2390
2391 case L2CAP_CONF_EWS:
2392 chan->tx_win = min_t(u16, val,
2393 L2CAP_DEFAULT_EXT_WINDOW);
3e6b3b95
GP		 2394 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2395 chan->tx_win);
6327eb98 2396 break;
66af7aaf
AE		 2397
2398 case L2CAP_CONF_EFS:
2399 if (olen == sizeof(efs))
2400 memcpy(&efs, (void *)val, olen);
2401
2402 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2403 efs.stype != L2CAP_SERV_NOTRAFIC &&
2404 efs.stype != chan->local_stype)
2405 return -ECONNREFUSED;
2406
2407 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2408 sizeof(efs), (unsigned long) &efs);
2409 break;
f2fcfcd6
GP		 2410 }
2411 }
2412
0c1bc5c6 2413 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 2414 return -ECONNREFUSED;
2415
0c1bc5c6 2416 chan->mode = rfc.mode;
6c2ea7a8 2417
0e8b207e 2418 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 2419 switch (rfc.mode) {
2420 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2421 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2422 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2423 chan->mps = le16_to_cpu(rfc.max_pdu_size);
66af7aaf
AE		 2424
2425 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2426 chan->local_msdu = le16_to_cpu(efs.msdu);
2427 chan->local_sdu_itime =
2428 le32_to_cpu(efs.sdu_itime);
2429 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
2430 chan->local_flush_to =
2431 le32_to_cpu(efs.flush_to);
2432 }
f2fcfcd6 2433 break;
66af7aaf 2434
f2fcfcd6 2435 case L2CAP_MODE_STREAMING:
47d1ec61 2436 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2437 }
2438 }
2439
fe4128e0 2440 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 2441 req->flags = cpu_to_le16(0x0000);
2442
2443 return ptr - data;
2444}
2445
fe4128e0 2446static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 2447{
2448 struct l2cap_conf_rsp *rsp = data;
2449 void *ptr = rsp->data;
1da177e4 2450
fe4128e0 2451 BT_DBG("chan %p", chan);
1da177e4 2452
fe4128e0 2453 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 2454 rsp->result = cpu_to_le16(result);
aca3192c 2455 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2456
2457 return ptr - data;
2458}
2459
8c1d787b 2460void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 2461{
2462 struct l2cap_conn_rsp rsp;
8c1d787b 2463 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 2464 u8 buf[128];
2465
fe4128e0
GP		 2466 rsp.scid = cpu_to_le16(chan->dcid);
2467 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 2468 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2469 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2470 l2cap_send_cmd(conn, chan->ident,
2471 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2472
c1360a1c 2473 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 2474 return;
2475
710f9b0a
GP		 2476 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2477 l2cap_build_conf_req(chan, buf), buf);
2478 chan->num_conf_req++;
2479}
2480
47d1ec61 2481static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 2482{
7b1c0049
GP		 2483 int type, olen;
2484 unsigned long val;
2485 struct l2cap_conf_rfc rfc;
2486
47d1ec61 2487 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 2488
0c1bc5c6 2489 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 2490 return;
2491
2492 while (len >= L2CAP_CONF_OPT_SIZE) {
2493 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2494
2495 switch (type) {
2496 case L2CAP_CONF_RFC:
2497 if (olen == sizeof(rfc))
2498 memcpy(&rfc, (void *)val, olen);
2499 goto done;
2500 }
2501 }
2502
2503done:
2504 switch (rfc.mode) {
2505 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2506 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2507 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2508 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2509 break;
2510 case L2CAP_MODE_STREAMING:
47d1ec61 2511 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2512 }
2513}
2514
4e8402a3
MH		 2515static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2516{
e2fd318e 2517 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 2518
e2fd318e 2519 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 2520 return 0;
2521
2522 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2523 cmd->ident == conn->info_ident) {
4e8402a3 2524 del_timer(&conn->info_timer);
984947dc
MH		 2525
2526 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2527 conn->info_ident = 0;
984947dc 2528
4e8402a3
MH		 2529 l2cap_conn_start(conn);
2530 }
2531
2532 return 0;
2533}
2534
1da177e4
LT		 2535static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2536{
1da177e4
LT		 2537 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2538 struct l2cap_conn_rsp rsp;
23691d75 2539 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 2540 struct sock *parent, *sk = NULL;
e7c29cb1 2541 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2542
2543 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2544 __le16 psm = req->psm;
1da177e4
LT		 2545
2546 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2547
2548 /* Check if we have socket listening on psm */
23691d75
GP		 2549 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
2550 if (!pchan) {
1da177e4
LT		 2551 result = L2CAP_CR_BAD_PSM;
2552 goto sendresp;
2553 }
2554
23691d75
GP		 2555 parent = pchan->sk;
2556
e0f0cb56
GP		 2557 bh_lock_sock(parent);
2558
e7c29cb1
MH		 2559 /* Check if the ACL is secure enough (if not SDP) */
2560 if (psm != cpu_to_le16(0x0001) &&
2561 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 2562 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 2563 result = L2CAP_CR_SEC_BLOCK;
2564 goto response;
2565 }
2566
1da177e4
LT		 2567 result = L2CAP_CR_NO_MEM;
2568
2569 /* Check for backlog size */
2570 if (sk_acceptq_is_full(parent)) {
8e87d142 2571 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2572 goto response;
2573 }
2574
80808e43
GP		 2575 chan = pchan->ops->new_connection(pchan->data);
2576 if (!chan)
1da177e4
LT		 2577 goto response;
2578
80808e43
GP		 2579 sk = chan->sk;
2580
baa7e1fa 2581 write_lock_bh(&conn->chan_lock);
1da177e4
LT		 2582
2583 /* Check if we already have channel with that dcid */
baa7e1fa
GP		 2584 if (__l2cap_get_chan_by_dcid(conn, scid)) {
2585 write_unlock_bh(&conn->chan_lock);
1da177e4 2586 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 2587 chan->ops->close(chan->data);
1da177e4
LT		 2588 goto response;
2589 }
2590
2591 hci_conn_hold(conn->hcon);
2592
1da177e4
LT		 2593 bacpy(&bt_sk(sk)->src, conn->src);
2594 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 2595 chan->psm = psm;
2596 chan->dcid = scid;
1da177e4 2597
d1010240
GP		 2598 bt_accept_enqueue(parent, sk);
2599
48454079
GP		 2600 __l2cap_chan_add(conn, chan);
2601
fe4128e0 2602 dcid = chan->scid;
1da177e4 2603
c9b66675 2604 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 2605
fc7f8a7e 2606 chan->ident = cmd->ident;
1da177e4 2607
984947dc 2608 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
4343478f 2609 if (l2cap_check_security(chan)) {
f66dc81f 2610 if (bt_sk(sk)->defer_setup) {
89bc500e 2611 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 2612 result = L2CAP_CR_PEND;
2613 status = L2CAP_CS_AUTHOR_PEND;
2614 parent->sk_data_ready(parent, 0);
2615 } else {
89bc500e 2616 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 2617 result = L2CAP_CR_SUCCESS;
2618 status = L2CAP_CS_NO_INFO;
2619 }
79d554a6 2620 } else {
89bc500e 2621 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2622 result = L2CAP_CR_PEND;
2623 status = L2CAP_CS_AUTHEN_PEND;
2624 }
2625 } else {
89bc500e 2626 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2627 result = L2CAP_CR_PEND;
2628 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2629 }
2630
baa7e1fa 2631 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 2632
2633response:
2634 bh_unlock_sock(parent);
2635
2636sendresp:
aca3192c
YH		 2637 rsp.scid = cpu_to_le16(scid);
2638 rsp.dcid = cpu_to_le16(dcid);
2639 rsp.result = cpu_to_le16(result);
2640 rsp.status = cpu_to_le16(status);
1da177e4 2641 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2642
2643 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2644 struct l2cap_info_req info;
2645 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2646
2647 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2648 conn->info_ident = l2cap_get_ident(conn);
2649
2650 mod_timer(&conn->info_timer, jiffies +
2651 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2652
2653 l2cap_send_cmd(conn, conn->info_ident,
2654 L2CAP_INFO_REQ, sizeof(info), &info);
2655 }
2656
c1360a1c 2657 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 2658 result == L2CAP_CR_SUCCESS) {
2659 u8 buf[128];
c1360a1c 2660 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 2661 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2662 l2cap_build_conf_req(chan, buf), buf);
2663 chan->num_conf_req++;
e9aeb2dd
GP		 2664 }
2665
1da177e4
LT		 2666 return 0;
2667}
2668
2669static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2670{
2671 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2672 u16 scid, dcid, result, status;
48454079 2673 struct l2cap_chan *chan;
1da177e4
LT		 2674 struct sock *sk;
2675 u8 req[128];
2676
2677 scid = __le16_to_cpu(rsp->scid);
2678 dcid = __le16_to_cpu(rsp->dcid);
2679 result = __le16_to_cpu(rsp->result);
2680 status = __le16_to_cpu(rsp->status);
2681
2682 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2683
2684 if (scid) {
baa7e1fa 2685 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2686 if (!chan)
57d3b22b 2687 return -EFAULT;
1da177e4 2688 } else {
baa7e1fa 2689 chan = l2cap_get_chan_by_ident(conn, cmd->ident);
48454079 2690 if (!chan)
57d3b22b 2691 return -EFAULT;
1da177e4
LT		 2692 }
2693
48454079
GP		 2694 sk = chan->sk;
2695
1da177e4
LT		 2696 switch (result) {
2697 case L2CAP_CR_SUCCESS:
89bc500e 2698 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 2699 chan->ident = 0;
fe4128e0 2700 chan->dcid = dcid;
c1360a1c 2701 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 2702
c1360a1c 2703 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 2704 break;
2705
1da177e4 2706 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2707 l2cap_build_conf_req(chan, req), req);
2708 chan->num_conf_req++;
1da177e4
LT		 2709 break;
2710
2711 case L2CAP_CR_PEND:
c1360a1c 2712 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 2713 break;
2714
2715 default:
a49184c2
AE		 2716 /* don't delete l2cap channel if sk is owned by user */
2717 if (sock_owned_by_user(sk)) {
89bc500e 2718 l2cap_state_change(chan, BT_DISCONN);
c9b66675 2719 __clear_chan_timer(chan);
f3f668b0 2720 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
a49184c2
AE		 2721 break;
2722 }
2723
48454079 2724 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 2725 break;
2726 }
2727
2728 bh_unlock_sock(sk);
2729 return 0;
2730}
2731
47d1ec61 2732static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 2733{
2734 /* FCS is enabled only in ERTM or streaming mode, if one or both
2735 * sides request it.
2736 */
0c1bc5c6 2737 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 2738 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2739 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 2740 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 2741}
2742
88219a0f 2743static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2744{
2745 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2746 u16 dcid, flags;
2747 u8 rsp[64];
48454079 2748 struct l2cap_chan *chan;
1da177e4 2749 struct sock *sk;
5dee9e7c 2750 int len;
1da177e4
LT		 2751
2752 dcid = __le16_to_cpu(req->dcid);
2753 flags = __le16_to_cpu(req->flags);
2754
2755 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2756
baa7e1fa 2757 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2758 if (!chan)
1da177e4
LT		 2759 return -ENOENT;
2760
48454079
GP		 2761 sk = chan->sk;
2762
033b1142 2763 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 2764 struct l2cap_cmd_rej_cid rej;
2765
2766 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
2767 rej.scid = cpu_to_le16(chan->scid);
2768 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 2769
df6bd743
GP		 2770 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2771 sizeof(rej), &rej);
354f60a9 2772 goto unlock;
df6bd743 2773 }
354f60a9 2774
5dee9e7c 2775 /* Reject if config buffer is too small. */
88219a0f 2776 len = cmd_len - sizeof(*req);
7ac28817 2777 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 2778 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2779 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 2780 L2CAP_CONF_REJECT, flags), rsp);
2781 goto unlock;
2782 }
2783
2784 /* Store config. */
73ffa904
GP		 2785 memcpy(chan->conf_req + chan->conf_len, req->data, len);
2786 chan->conf_len += len;
1da177e4
LT		 2787
2788 if (flags & 0x0001) {
2789 /* Incomplete config. Send empty response. */
2790 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2791 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 2792 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2793 goto unlock;
2794 }
2795
2796 /* Complete config. */
73ffa904 2797 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 2798 if (len < 0) {
e92c8e70 2799 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 2800 goto unlock;
f2fcfcd6 2801 }
1da177e4 2802
5dee9e7c 2803 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 2804 chan->num_conf_rsp++;
5dee9e7c 2805
5dee9e7c 2806 /* Reset config buffer. */
73ffa904 2807 chan->conf_len = 0;
5dee9e7c 2808
c1360a1c 2809 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 2810 goto unlock;
2811
c1360a1c 2812 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 2813 set_default_fcs(chan);
fcc203c3 2814
89bc500e 2815 l2cap_state_change(chan, BT_CONNECTED);
e90bac06 2816
42e5c802
GP		 2817 chan->next_tx_seq = 0;
2818 chan->expected_tx_seq = 0;
58d35f87 2819 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2820 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2821 l2cap_ertm_init(chan);
0565c1c2 2822
1da177e4 2823 l2cap_chan_ready(sk);
876d9484
MH		 2824 goto unlock;
2825 }
2826
c1360a1c 2827 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 2828 u8 buf[64];
1da177e4 2829 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2830 l2cap_build_conf_req(chan, buf), buf);
2831 chan->num_conf_req++;
1da177e4
LT		 2832 }
2833
0e8b207e
AE		 2834 /* Got Conf Rsp PENDING from remote side and asume we sent
2835 Conf Rsp PENDING in the code above */
2836 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
2837 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
2838
2839 /* check compatibility */
2840
2841 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
2842 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
2843
2844 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 2845 l2cap_build_conf_rsp(chan, rsp,
0e8b207e
AE		 2846 L2CAP_CONF_SUCCESS, 0x0000), rsp);
2847 }
2848
1da177e4
LT		 2849unlock:
2850 bh_unlock_sock(sk);
2851 return 0;
2852}
2853
2854static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2855{
2856 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2857 u16 scid, flags, result;
48454079 2858 struct l2cap_chan *chan;
1da177e4 2859 struct sock *sk;
7b1c0049 2860 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 2861
2862 scid = __le16_to_cpu(rsp->scid);
2863 flags = __le16_to_cpu(rsp->flags);
2864 result = __le16_to_cpu(rsp->result);
2865
af05b30b
GP		 2866 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2867 scid, flags, result);
1da177e4 2868
baa7e1fa 2869 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2870 if (!chan)
1da177e4
LT		 2871 return 0;
2872
48454079
GP		 2873 sk = chan->sk;
2874
1da177e4
LT		 2875 switch (result) {
2876 case L2CAP_CONF_SUCCESS:
47d1ec61 2877 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 2878 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 2879 break;
2880
0e8b207e
AE		 2881 case L2CAP_CONF_PENDING:
2882 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
2883
2884 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
2885 char buf[64];
2886
2887 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2888 buf, &result);
2889 if (len < 0) {
2890 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2891 goto done;
2892 }
2893
2894 /* check compatibility */
2895
2896 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
2897 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
2898
2899 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 2900 l2cap_build_conf_rsp(chan, buf,
0e8b207e
AE		 2901 L2CAP_CONF_SUCCESS, 0x0000), buf);
2902 }
2903 goto done;
2904
1da177e4 2905 case L2CAP_CONF_UNACCEPT:
73ffa904 2906 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 2907 char req[64];
2908
c2c77ec8 2909 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 2910 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 2911 goto done;
2912 }
2913
f2fcfcd6
GP		 2914 /* throw out any old stored conf requests */
2915 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 2916 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2917 req, &result);
f2fcfcd6 2918 if (len < 0) {
e92c8e70 2919 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 2920 goto done;
2921 }
2922
2923 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2924 L2CAP_CONF_REQ, len, req);
73ffa904 2925 chan->num_conf_req++;
f2fcfcd6
GP		 2926 if (result != L2CAP_CONF_SUCCESS)
2927 goto done;
2928 break;
1da177e4
LT		 2929 }
2930
8e87d142 2931 default:
b1235d79 2932 sk->sk_err = ECONNRESET;
f3f668b0 2933 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 2934 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 2935 goto done;
2936 }
2937
2938 if (flags & 0x01)
2939 goto done;
2940
c1360a1c 2941 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 2942
c1360a1c 2943 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 2944 set_default_fcs(chan);
fcc203c3 2945
89bc500e 2946 l2cap_state_change(chan, BT_CONNECTED);
42e5c802
GP		 2947 chan->next_tx_seq = 0;
2948 chan->expected_tx_seq = 0;
58d35f87 2949 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2950 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2951 l2cap_ertm_init(chan);
0565c1c2 2952
1da177e4
LT		 2953 l2cap_chan_ready(sk);
2954 }
2955
2956done:
2957 bh_unlock_sock(sk);
2958 return 0;
2959}
2960
2961static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2962{
2963 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2964 struct l2cap_disconn_rsp rsp;
2965 u16 dcid, scid;
48454079 2966 struct l2cap_chan *chan;
1da177e4
LT		 2967 struct sock *sk;
2968
2969 scid = __le16_to_cpu(req->scid);
2970 dcid = __le16_to_cpu(req->dcid);
2971
2972 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2973
baa7e1fa 2974 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2975 if (!chan)
1da177e4
LT		 2976 return 0;
2977
48454079
GP		 2978 sk = chan->sk;
2979
fe4128e0
GP		 2980 rsp.dcid = cpu_to_le16(chan->scid);
2981 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 2982 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2983
2984 sk->sk_shutdown = SHUTDOWN_MASK;
2985
a49184c2
AE		 2986 /* don't delete l2cap channel if sk is owned by user */
2987 if (sock_owned_by_user(sk)) {
89bc500e 2988 l2cap_state_change(chan, BT_DISCONN);
c9b66675 2989 __clear_chan_timer(chan);
f3f668b0 2990 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
a49184c2
AE		 2991 bh_unlock_sock(sk);
2992 return 0;
2993 }
2994
48454079 2995 l2cap_chan_del(chan, ECONNRESET);
1da177e4
LT		 2996 bh_unlock_sock(sk);
2997
ba3bd0ee 2998 chan->ops->close(chan->data);
1da177e4
LT		 2999 return 0;
3000}
3001
3002static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3003{
3004 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3005 u16 dcid, scid;
48454079 3006 struct l2cap_chan *chan;
1da177e4
LT		 3007 struct sock *sk;
3008
3009 scid = __le16_to_cpu(rsp->scid);
3010 dcid = __le16_to_cpu(rsp->dcid);
3011
3012 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3013
baa7e1fa 3014 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3015 if (!chan)
1da177e4
LT		 3016 return 0;
3017
48454079
GP		 3018 sk = chan->sk;
3019
a49184c2
AE		 3020 /* don't delete l2cap channel if sk is owned by user */
3021 if (sock_owned_by_user(sk)) {
89bc500e 3022 l2cap_state_change(chan,BT_DISCONN);
c9b66675 3023 __clear_chan_timer(chan);
f3f668b0 3024 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
a49184c2
AE		 3025 bh_unlock_sock(sk);
3026 return 0;
3027 }
3028
48454079 3029 l2cap_chan_del(chan, 0);
1da177e4
LT		 3030 bh_unlock_sock(sk);
3031
ba3bd0ee 3032 chan->ops->close(chan->data);
1da177e4
LT		 3033 return 0;
3034}
3035
3036static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3037{
3038 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3039 u16 type;
3040
3041 type = __le16_to_cpu(req->type);
3042
3043 BT_DBG("type 0x%4.4x", type);
3044
f0709e03
MH		 3045 if (type == L2CAP_IT_FEAT_MASK) {
3046 u8 buf[8];
44dd46de 3047 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 3048 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3049 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3050 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3051 if (!disable_ertm)
fcc203c3
GP		 3052 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3053 | L2CAP_FEAT_FCS;
a5fd6f30 3054 if (enable_hs)
6327eb98
AE		 3055 feat_mask |= L2CAP_FEAT_EXT_FLOW
3056 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3057
1b7bf4ed 3058 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3059 l2cap_send_cmd(conn, cmd->ident,
3060 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3061 } else if (type == L2CAP_IT_FIXED_CHAN) {
3062 u8 buf[12];
3063 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3064
3065 if (enable_hs)
3066 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3067 else
3068 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3069
e1027a7c
MH		 3070 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3071 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3072 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH		 3073 l2cap_send_cmd(conn, cmd->ident,
3074 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3075 } else {
3076 struct l2cap_info_rsp rsp;
3077 rsp.type = cpu_to_le16(type);
3078 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3079 l2cap_send_cmd(conn, cmd->ident,
3080 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3081 }
1da177e4
LT		 3082
3083 return 0;
3084}
3085
3086static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3087{
3088 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3089 u16 type, result;
3090
3091 type = __le16_to_cpu(rsp->type);
3092 result = __le16_to_cpu(rsp->result);
3093
3094 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3095
e90165be
AE		 3096 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3097 if (cmd->ident != conn->info_ident ||
3098 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3099 return 0;
3100
4e8402a3
MH		 3101 del_timer(&conn->info_timer);
3102
adb08ede
VT		 3103 if (result != L2CAP_IR_SUCCESS) {
3104 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3105 conn->info_ident = 0;
3106
3107 l2cap_conn_start(conn);
3108
3109 return 0;
3110 }
3111
984947dc 3112 if (type == L2CAP_IT_FEAT_MASK) {
83985319 3113 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3114
47ec1dcd 3115 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 3116 struct l2cap_info_req req;
3117 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3118
3119 conn->info_ident = l2cap_get_ident(conn);
3120
3121 l2cap_send_cmd(conn, conn->info_ident,
3122 L2CAP_INFO_REQ, sizeof(req), &req);
3123 } else {
3124 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3125 conn->info_ident = 0;
3126
3127 l2cap_conn_start(conn);
3128 }
3129 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 3130 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3131 conn->info_ident = 0;
984947dc
MH		 3132
3133 l2cap_conn_start(conn);
3134 }
4e8402a3 3135
1da177e4
LT		 3136 return 0;
3137}
3138
f94ff6ff
MM		 3139static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3140 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3141 void *data)
3142{
3143 struct l2cap_create_chan_req *req = data;
3144 struct l2cap_create_chan_rsp rsp;
3145 u16 psm, scid;
3146
3147 if (cmd_len != sizeof(*req))
3148 return -EPROTO;
3149
3150 if (!enable_hs)
3151 return -EINVAL;
3152
3153 psm = le16_to_cpu(req->psm);
3154 scid = le16_to_cpu(req->scid);
3155
3156 BT_DBG("psm %d, scid %d, amp_id %d", psm, scid, req->amp_id);
3157
3158 /* Placeholder: Always reject */
3159 rsp.dcid = 0;
3160 rsp.scid = cpu_to_le16(scid);
3161 rsp.result = L2CAP_CR_NO_MEM;
3162 rsp.status = L2CAP_CS_NO_INFO;
3163
3164 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
3165 sizeof(rsp), &rsp);
3166
3167 return 0;
3168}
3169
3170static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
3171 struct l2cap_cmd_hdr *cmd, void *data)
3172{
3173 BT_DBG("conn %p", conn);
3174
3175 return l2cap_connect_rsp(conn, cmd, data);
3176}
3177
8d5a04a1
MM		 3178static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
3179 u16 icid, u16 result)
3180{
3181 struct l2cap_move_chan_rsp rsp;
3182
3183 BT_DBG("icid %d, result %d", icid, result);
3184
3185 rsp.icid = cpu_to_le16(icid);
3186 rsp.result = cpu_to_le16(result);
3187
3188 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
3189}
3190
3191static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
3192 struct l2cap_chan *chan, u16 icid, u16 result)
3193{
3194 struct l2cap_move_chan_cfm cfm;
3195 u8 ident;
3196
3197 BT_DBG("icid %d, result %d", icid, result);
3198
3199 ident = l2cap_get_ident(conn);
3200 if (chan)
3201 chan->ident = ident;
3202
3203 cfm.icid = cpu_to_le16(icid);
3204 cfm.result = cpu_to_le16(result);
3205
3206 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
3207}
3208
3209static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
3210 u16 icid)
3211{
3212 struct l2cap_move_chan_cfm_rsp rsp;
3213
3214 BT_DBG("icid %d", icid);
3215
3216 rsp.icid = cpu_to_le16(icid);
3217 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
3218}
3219
3220static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
3221 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3222{
3223 struct l2cap_move_chan_req *req = data;
3224 u16 icid = 0;
3225 u16 result = L2CAP_MR_NOT_ALLOWED;
3226
3227 if (cmd_len != sizeof(*req))
3228 return -EPROTO;
3229
3230 icid = le16_to_cpu(req->icid);
3231
3232 BT_DBG("icid %d, dest_amp_id %d", icid, req->dest_amp_id);
3233
3234 if (!enable_hs)
3235 return -EINVAL;
3236
3237 /* Placeholder: Always refuse */
3238 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
3239
3240 return 0;
3241}
3242
3243static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
3244 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3245{
3246 struct l2cap_move_chan_rsp *rsp = data;
3247 u16 icid, result;
3248
3249 if (cmd_len != sizeof(*rsp))
3250 return -EPROTO;
3251
3252 icid = le16_to_cpu(rsp->icid);
3253 result = le16_to_cpu(rsp->result);
3254
3255 BT_DBG("icid %d, result %d", icid, result);
3256
3257 /* Placeholder: Always unconfirmed */
3258 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
3259
3260 return 0;
3261}
3262
3263static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
3264 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3265{
3266 struct l2cap_move_chan_cfm *cfm = data;
3267 u16 icid, result;
3268
3269 if (cmd_len != sizeof(*cfm))
3270 return -EPROTO;
3271
3272 icid = le16_to_cpu(cfm->icid);
3273 result = le16_to_cpu(cfm->result);
3274
3275 BT_DBG("icid %d, result %d", icid, result);
3276
3277 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
3278
3279 return 0;
3280}
3281
3282static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
3283 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3284{
3285 struct l2cap_move_chan_cfm_rsp *rsp = data;
3286 u16 icid;
3287
3288 if (cmd_len != sizeof(*rsp))
3289 return -EPROTO;
3290
3291 icid = le16_to_cpu(rsp->icid);
3292
3293 BT_DBG("icid %d", icid);
3294
3295 return 0;
3296}
3297
e2174ca4 3298static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 3299 u16 to_multiplier)
3300{
3301 u16 max_latency;
3302
3303 if (min > max || min < 6 || max > 3200)
3304 return -EINVAL;
3305
3306 if (to_multiplier < 10 || to_multiplier > 3200)
3307 return -EINVAL;
3308
3309 if (max >= to_multiplier * 8)
3310 return -EINVAL;
3311
3312 max_latency = (to_multiplier * 8 / max) - 1;
3313 if (latency > 499 || latency > max_latency)
3314 return -EINVAL;
3315
3316 return 0;
3317}
3318
3319static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
3320 struct l2cap_cmd_hdr *cmd, u8 *data)
3321{
3322 struct hci_conn *hcon = conn->hcon;
3323 struct l2cap_conn_param_update_req *req;
3324 struct l2cap_conn_param_update_rsp rsp;
3325 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 3326 int err;
de73115a
CT		 3327
3328 if (!(hcon->link_mode & HCI_LM_MASTER))
3329 return -EINVAL;
3330
3331 cmd_len = __le16_to_cpu(cmd->len);
3332 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
3333 return -EPROTO;
3334
3335 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 3336 min = __le16_to_cpu(req->min);
3337 max = __le16_to_cpu(req->max);
de73115a
CT		 3338 latency = __le16_to_cpu(req->latency);
3339 to_multiplier = __le16_to_cpu(req->to_multiplier);
3340
3341 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
3342 min, max, latency, to_multiplier);
3343
3344 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 3345
3346 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
3347 if (err)
de73115a
CT		 3348 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
3349 else
3350 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
3351
3352 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
3353 sizeof(rsp), &rsp);
3354
2ce603eb
CT		 3355 if (!err)
3356 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
3357
de73115a
CT		 3358 return 0;
3359}
3360
3300d9a9
CT		 3361static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
3362 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3363{
3364 int err = 0;
3365
3366 switch (cmd->code) {
3367 case L2CAP_COMMAND_REJ:
3368 l2cap_command_rej(conn, cmd, data);
3369 break;
3370
3371 case L2CAP_CONN_REQ:
3372 err = l2cap_connect_req(conn, cmd, data);
3373 break;
3374
3375 case L2CAP_CONN_RSP:
3376 err = l2cap_connect_rsp(conn, cmd, data);
3377 break;
3378
3379 case L2CAP_CONF_REQ:
3380 err = l2cap_config_req(conn, cmd, cmd_len, data);
3381 break;
3382
3383 case L2CAP_CONF_RSP:
3384 err = l2cap_config_rsp(conn, cmd, data);
3385 break;
3386
3387 case L2CAP_DISCONN_REQ:
3388 err = l2cap_disconnect_req(conn, cmd, data);
3389 break;
3390
3391 case L2CAP_DISCONN_RSP:
3392 err = l2cap_disconnect_rsp(conn, cmd, data);
3393 break;
3394
3395 case L2CAP_ECHO_REQ:
3396 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
3397 break;
3398
3399 case L2CAP_ECHO_RSP:
3400 break;
3401
3402 case L2CAP_INFO_REQ:
3403 err = l2cap_information_req(conn, cmd, data);
3404 break;
3405
3406 case L2CAP_INFO_RSP:
3407 err = l2cap_information_rsp(conn, cmd, data);
3408 break;
3409
f94ff6ff
MM		 3410 case L2CAP_CREATE_CHAN_REQ:
3411 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
3412 break;
3413
3414 case L2CAP_CREATE_CHAN_RSP:
3415 err = l2cap_create_channel_rsp(conn, cmd, data);
3416 break;
3417
8d5a04a1
MM		 3418 case L2CAP_MOVE_CHAN_REQ:
3419 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
3420 break;
3421
3422 case L2CAP_MOVE_CHAN_RSP:
3423 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
3424 break;
3425
3426 case L2CAP_MOVE_CHAN_CFM:
3427 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
3428 break;
3429
3430 case L2CAP_MOVE_CHAN_CFM_RSP:
3431 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
3432 break;
3433
3300d9a9
CT		 3434 default:
3435 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
3436 err = -EINVAL;
3437 break;
3438 }
3439
3440 return err;
3441}
3442
3443static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
3444 struct l2cap_cmd_hdr *cmd, u8 *data)
3445{
3446 switch (cmd->code) {
3447 case L2CAP_COMMAND_REJ:
3448 return 0;
3449
3450 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 3451 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 3452
3453 case L2CAP_CONN_PARAM_UPDATE_RSP:
3454 return 0;
3455
3456 default:
3457 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
3458 return -EINVAL;
3459 }
3460}
3461
3462static inline void l2cap_sig_channel(struct l2cap_conn *conn,
3463 struct sk_buff *skb)
1da177e4
LT		 3464{
3465 u8 *data = skb->data;
3466 int len = skb->len;
3467 struct l2cap_cmd_hdr cmd;
3300d9a9 3468 int err;
1da177e4
LT		 3469
3470 l2cap_raw_recv(conn, skb);
3471
3472 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3473 u16 cmd_len;
1da177e4
LT		 3474 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3475 data += L2CAP_CMD_HDR_SIZE;
3476 len -= L2CAP_CMD_HDR_SIZE;
3477
88219a0f 3478 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3479
88219a0f 3480 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3481
88219a0f 3482 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3483 BT_DBG("corrupted command");
3484 break;
3485 }
3486
3300d9a9
CT		 3487 if (conn->hcon->type == LE_LINK)
3488 err = l2cap_le_sig_cmd(conn, &cmd, data);
3489 else
3490 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 3491
3492 if (err) {
e2fd318e 3493 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 3494
3495 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 3496
3497 /* FIXME: Map err to a valid reason */
e2fd318e 3498 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 3499 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3500 }
3501
88219a0f
AV		 3502 data += cmd_len;
3503 len -= cmd_len;
1da177e4
LT		 3504 }
3505
3506 kfree_skb(skb);
3507}
3508
47d1ec61 3509static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 3510{
3511 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 3512 int hdr_size;
3513
3514 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3515 hdr_size = L2CAP_EXT_HDR_SIZE;
3516 else
3517 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 3518
47d1ec61 3519 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 3520 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 3521 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3522 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3523
3524 if (our_fcs != rcv_fcs)
7a560e5c 3525 return -EBADMSG;
fcc203c3
GP		 3526 }
3527 return 0;
3528}
3529
525cd185 3530static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 3531{
88843ab0 3532 u32 control = 0;
d5392c8f 3533
6a026610 3534 chan->frames_sent = 0;
d5392c8f 3535
0b209fae 3536 control |= __set_reqseq(chan, chan->buffer_seq);
d5392c8f 3537
e2ab4353 3538 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 3539 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
525cd185 3540 l2cap_send_sframe(chan, control);
e2ab4353 3541 set_bit(CONN_RNR_SENT, &chan->conn_state);
d5392c8f
GP		 3542 }
3543
e2ab4353 3544 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
525cd185 3545 l2cap_retransmit_frames(chan);
d5392c8f 3546
525cd185 3547 l2cap_ertm_send(chan);
d5392c8f 3548
e2ab4353 3549 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
6a026610 3550 chan->frames_sent == 0) {
ab784b73 3551 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 3552 l2cap_send_sframe(chan, control);
d5392c8f
GP		 3553 }
3554}
3555
fb45de7d 3556static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u16 tx_seq, u8 sar)
8f17154f
GP		 3557{
3558 struct sk_buff *next_skb;
bfbacc11 3559 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 3560
3561 bt_cb(skb)->tx_seq = tx_seq;
3562 bt_cb(skb)->sar = sar;
3563
f1c6775b 3564 next_skb = skb_peek(&chan->srej_q);
8f17154f 3565 if (!next_skb) {
f1c6775b 3566 __skb_queue_tail(&chan->srej_q, skb);
9b53350d 3567 return 0;
8f17154f
GP		 3568 }
3569
836be934 3570 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
bfbacc11 3571
8f17154f 3572 do {
9b53350d
JPRV		 3573 if (bt_cb(next_skb)->tx_seq == tx_seq)
3574 return -EINVAL;
3575
836be934
AE		 3576 next_tx_seq_offset = __seq_offset(chan,
3577 bt_cb(next_skb)->tx_seq, chan->buffer_seq);
bfbacc11
JPRV		 3578
3579 if (next_tx_seq_offset > tx_seq_offset) {
f1c6775b 3580 __skb_queue_before(&chan->srej_q, next_skb, skb);
9b53350d 3581 return 0;
8f17154f
GP		 3582 }
3583
f1c6775b 3584 if (skb_queue_is_last(&chan->srej_q, next_skb))
8f17154f
GP		 3585 break;
3586
f1c6775b 3587 } while ((next_skb = skb_queue_next(&chan->srej_q, next_skb)));
8f17154f 3588
f1c6775b 3589 __skb_queue_tail(&chan->srej_q, skb);
9b53350d
JPRV		 3590
3591 return 0;
8f17154f
GP		 3592}
3593
84084a31
MM		 3594static void append_skb_frag(struct sk_buff *skb,
3595 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 3596{
84084a31
MM		 3597 /* skb->len reflects data in skb as well as all fragments
3598 * skb->data_len reflects only data in fragments
3599 */
3600 if (!skb_has_frag_list(skb))
3601 skb_shinfo(skb)->frag_list = new_frag;
3602
3603 new_frag->next = NULL;
3604
3605 (*last_frag)->next = new_frag;
3606 *last_frag = new_frag;
3607
3608 skb->len += new_frag->len;
3609 skb->data_len += new_frag->len;
3610 skb->truesize += new_frag->truesize;
3611}
3612
88843ab0 3613static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u32 control)
84084a31
MM		 3614{
3615 int err = -EINVAL;
18778a63 3616
7e0ef6ee
AE		 3617 switch (__get_ctrl_sar(chan, control)) {
3618 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 3619 if (chan->sdu)
3620 break;
18778a63 3621
84084a31
MM		 3622 err = chan->ops->recv(chan->data, skb);
3623 break;
18778a63 3624
7e0ef6ee 3625 case L2CAP_SAR_START:
84084a31
MM		 3626 if (chan->sdu)
3627 break;
18778a63 3628
6f61fd47 3629 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 3630 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 3631
84084a31
MM		 3632 if (chan->sdu_len > chan->imtu) {
3633 err = -EMSGSIZE;
3634 break;
3635 }
1890d36b 3636
84084a31
MM		 3637 if (skb->len >= chan->sdu_len)
3638 break;
18778a63 3639
84084a31
MM		 3640 chan->sdu = skb;
3641 chan->sdu_last_frag = skb;
18778a63 3642
84084a31
MM		 3643 skb = NULL;
3644 err = 0;
18778a63
GP		 3645 break;
3646
7e0ef6ee 3647 case L2CAP_SAR_CONTINUE:
6f61fd47 3648 if (!chan->sdu)
84084a31 3649 break;
18778a63 3650
84084a31
MM		 3651 append_skb_frag(chan->sdu, skb,
3652 &chan->sdu_last_frag);
3653 skb = NULL;
18778a63 3654
84084a31
MM		 3655 if (chan->sdu->len >= chan->sdu_len)
3656 break;
4178ba46 3657
84084a31 3658 err = 0;
18778a63
GP		 3659 break;
3660
7e0ef6ee 3661 case L2CAP_SAR_END:
6f61fd47 3662 if (!chan->sdu)
84084a31 3663 break;
18778a63 3664
84084a31
MM		 3665 append_skb_frag(chan->sdu, skb,
3666 &chan->sdu_last_frag);
3667 skb = NULL;
4178ba46 3668
84084a31
MM		 3669 if (chan->sdu->len != chan->sdu_len)
3670 break;
18778a63 3671
84084a31 3672 err = chan->ops->recv(chan->data, chan->sdu);
1890d36b 3673
84084a31
MM		 3674 if (!err) {
3675 /* Reassembly complete */
3676 chan->sdu = NULL;
3677 chan->sdu_last_frag = NULL;
3678 chan->sdu_len = 0;
1890d36b 3679 }
18778a63
GP		 3680 break;
3681 }
3682
84084a31
MM		 3683 if (err) {
3684 kfree_skb(skb);
3685 kfree_skb(chan->sdu);
3686 chan->sdu = NULL;
3687 chan->sdu_last_frag = NULL;
3688 chan->sdu_len = 0;
3689 }
18778a63 3690
84084a31 3691 return err;
18778a63
GP		 3692}
3693
26f880d2 3694static void l2cap_ertm_enter_local_busy(struct l2cap_chan *chan)
712132eb 3695{
88843ab0 3696 u32 control;
712132eb 3697
26f880d2 3698 BT_DBG("chan %p, Enter local busy", chan);
712132eb 3699
26f880d2
MM		 3700 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3701
0b209fae 3702 control = __set_reqseq(chan, chan->buffer_seq);
ab784b73 3703 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
26f880d2
MM		 3704 l2cap_send_sframe(chan, control);
3705
3706 set_bit(CONN_RNR_SENT, &chan->conn_state);
3707
3708 __clear_ack_timer(chan);
3709}
3710
3711static void l2cap_ertm_exit_local_busy(struct l2cap_chan *chan)
3712{
88843ab0 3713 u32 control;
712132eb 3714
e2ab4353 3715 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
712132eb
GP		 3716 goto done;
3717
0b209fae 3718 control = __set_reqseq(chan, chan->buffer_seq);
e3781735 3719 control |= __set_ctrl_poll(chan);
ab784b73 3720 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 3721 l2cap_send_sframe(chan, control);
6a026610 3722 chan->retry_count = 1;
712132eb 3723
1a09bcb9
GP		 3724 __clear_retrans_timer(chan);
3725 __set_monitor_timer(chan);
712132eb 3726
e2ab4353 3727 set_bit(CONN_WAIT_F, &chan->conn_state);
712132eb
GP		 3728
3729done:
e2ab4353
GP		 3730 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3731 clear_bit(CONN_RNR_SENT, &chan->conn_state);
712132eb 3732
49208c9c 3733 BT_DBG("chan %p, Exit local busy", chan);
712132eb
GP		 3734}
3735
e328140f 3736void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
1890d36b 3737{
e328140f
MM		 3738 if (chan->mode == L2CAP_MODE_ERTM) {
3739 if (busy)
3740 l2cap_ertm_enter_local_busy(chan);
3741 else
3742 l2cap_ertm_exit_local_busy(chan);
1890d36b 3743 }
1890d36b
GP		 3744}
3745
fb45de7d 3746static void l2cap_check_srej_gap(struct l2cap_chan *chan, u16 tx_seq)
8f17154f
GP		 3747{
3748 struct sk_buff *skb;
88843ab0 3749 u32 control;
8f17154f 3750
e328140f
MM		 3751 while ((skb = skb_peek(&chan->srej_q)) &&
3752 !test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3753 int err;
3754
8f17154f
GP		 3755 if (bt_cb(skb)->tx_seq != tx_seq)
3756 break;
3757
f1c6775b 3758 skb = skb_dequeue(&chan->srej_q);
7e0ef6ee 3759 control = __set_ctrl_sar(chan, bt_cb(skb)->sar);
84084a31 3760 err = l2cap_reassemble_sdu(chan, skb, control);
e328140f
MM		 3761
3762 if (err < 0) {
3763 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3764 break;
3765 }
3766
836be934
AE		 3767 chan->buffer_seq_srej = __next_seq(chan, chan->buffer_seq_srej);
3768 tx_seq = __next_seq(chan, tx_seq);
8f17154f
GP		 3769 }
3770}
3771
fb45de7d 3772static void l2cap_resend_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 3773{
8f17154f 3774 struct srej_list *l, *tmp;
88843ab0 3775 u32 control;
8f17154f 3776
39d5a3ee 3777 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
8f17154f
GP		 3778 if (l->tx_seq == tx_seq) {
3779 list_del(&l->list);
3780 kfree(l);
3781 return;
3782 }
ab784b73 3783 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 3784 control |= __set_reqseq(chan, l->tx_seq);
525cd185 3785 l2cap_send_sframe(chan, control);
8f17154f 3786 list_del(&l->list);
39d5a3ee 3787 list_add_tail(&l->list, &chan->srej_l);
8f17154f
GP		 3788 }
3789}
3790
fb45de7d 3791static void l2cap_send_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 3792{
8f17154f 3793 struct srej_list *new;
88843ab0 3794 u32 control;
8f17154f 3795
42e5c802 3796 while (tx_seq != chan->expected_tx_seq) {
ab784b73 3797 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 3798 control |= __set_reqseq(chan, chan->expected_tx_seq);
525cd185 3799 l2cap_send_sframe(chan, control);
8f17154f
GP		 3800
3801 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
42e5c802 3802 new->tx_seq = chan->expected_tx_seq;
836be934
AE		 3803
3804 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
3805
39d5a3ee 3806 list_add_tail(&new->list, &chan->srej_l);
8f17154f 3807 }
836be934
AE		 3808
3809 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
8f17154f
GP		 3810}
3811
88843ab0 3812static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
1c2acffb 3813{
fb45de7d 3814 u16 tx_seq = __get_txseq(chan, rx_control);
0b209fae 3815 u16 req_seq = __get_reqseq(chan, rx_control);
7e0ef6ee 3816 u8 sar = __get_ctrl_sar(chan, rx_control);
f6337c77 3817 int tx_seq_offset, expected_tx_seq_offset;
47d1ec61 3818 int num_to_ack = (chan->tx_win/6) + 1;
1c2acffb
GP		 3819 int err = 0;
3820
88843ab0 3821 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%8.8x", chan, skb->len,
525cd185 3822 tx_seq, rx_control);
1c2acffb 3823
03f6715d 3824 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 3825 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 3826 __clear_monitor_timer(chan);
6a026610 3827 if (chan->unacked_frames > 0)
1a09bcb9 3828 __set_retrans_timer(chan);
e2ab4353 3829 clear_bit(CONN_WAIT_F, &chan->conn_state);
1d8f5d16
GP		 3830 }
3831
42e5c802
GP		 3832 chan->expected_ack_seq = req_seq;
3833 l2cap_drop_acked_frames(chan);
9f121a5a 3834
836be934 3835 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
9b53350d
JPRV		 3836
3837 /* invalid tx_seq */
47d1ec61 3838 if (tx_seq_offset >= chan->tx_win) {
8c1d787b 3839 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
9b53350d
JPRV		 3840 goto drop;
3841 }
3842
e2ab4353 3843 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1890d36b
GP		 3844 goto drop;
3845
02f1b641
MM		 3846 if (tx_seq == chan->expected_tx_seq)
3847 goto expected;
3848
e2ab4353 3849 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
8f17154f 3850 struct srej_list *first;
30afb5b2 3851
39d5a3ee 3852 first = list_first_entry(&chan->srej_l,
8f17154f
GP		 3853 struct srej_list, list);
3854 if (tx_seq == first->tx_seq) {
42e5c802 3855 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
525cd185 3856 l2cap_check_srej_gap(chan, tx_seq);
8f17154f
GP		 3857
3858 list_del(&first->list);
3859 kfree(first);
3860
39d5a3ee 3861 if (list_empty(&chan->srej_l)) {
42e5c802 3862 chan->buffer_seq = chan->buffer_seq_srej;
e2ab4353 3863 clear_bit(CONN_SREJ_SENT, &chan->conn_state);
525cd185 3864 l2cap_send_ack(chan);
49208c9c 3865 BT_DBG("chan %p, Exit SREJ_SENT", chan);
8f17154f
GP		 3866 }
3867 } else {
3868 struct srej_list *l;
9b53350d
JPRV		 3869
3870 /* duplicated tx_seq */
42e5c802 3871 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
9b53350d 3872 goto drop;
8f17154f 3873
39d5a3ee 3874 list_for_each_entry(l, &chan->srej_l, list) {
8f17154f 3875 if (l->tx_seq == tx_seq) {
525cd185 3876 l2cap_resend_srejframe(chan, tx_seq);
8f17154f
GP		 3877 return 0;
3878 }
3879 }
525cd185 3880 l2cap_send_srejframe(chan, tx_seq);
30afb5b2
GP		 3881 }
3882 } else {
836be934
AE		 3883 expected_tx_seq_offset = __seq_offset(chan,
3884 chan->expected_tx_seq, chan->buffer_seq);
9b53350d
JPRV		 3885
3886 /* duplicated tx_seq */
3887 if (tx_seq_offset < expected_tx_seq_offset)
3888 goto drop;
3889
e2ab4353 3890 set_bit(CONN_SREJ_SENT, &chan->conn_state);
1c2acffb 3891
49208c9c 3892 BT_DBG("chan %p, Enter SREJ", chan);
0e98958d 3893
39d5a3ee 3894 INIT_LIST_HEAD(&chan->srej_l);
42e5c802 3895 chan->buffer_seq_srej = chan->buffer_seq;
8f17154f 3896
f1c6775b 3897 __skb_queue_head_init(&chan->srej_q);
42e5c802 3898 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
8f17154f 3899
e2ab4353 3900 set_bit(CONN_SEND_PBIT, &chan->conn_state);
ef54fd93 3901
525cd185 3902 l2cap_send_srejframe(chan, tx_seq);
7fe9b298 3903
1a09bcb9 3904 __clear_ack_timer(chan);
1c2acffb 3905 }
30afb5b2
GP		 3906 return 0;
3907
8f17154f 3908expected:
836be934 3909 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
8f17154f 3910
e2ab4353 3911 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3b1a9f3f
GP		 3912 bt_cb(skb)->tx_seq = tx_seq;
3913 bt_cb(skb)->sar = sar;
f1c6775b 3914 __skb_queue_tail(&chan->srej_q, skb);
8f17154f
GP		 3915 return 0;
3916 }
3917
84084a31 3918 err = l2cap_reassemble_sdu(chan, skb, rx_control);
836be934
AE		 3919 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
3920
e328140f
MM		 3921 if (err < 0) {
3922 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3923 return err;
3924 }
2ece3684 3925
03f6715d 3926 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3927 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3928 l2cap_retransmit_frames(chan);
4ec10d97
GP		 3929 }
3930
1a09bcb9 3931 __set_ack_timer(chan);
c1b4f43b 3932
6a026610
GP		 3933 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3934 if (chan->num_acked == num_to_ack - 1)
525cd185 3935 l2cap_send_ack(chan);
9e917af1 3936
8f17154f 3937 return 0;
9b53350d
JPRV		 3938
3939drop:
3940 kfree_skb(skb);
3941 return 0;
1c2acffb
GP		 3942}
3943
88843ab0 3944static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u32 rx_control)
1c2acffb 3945{
88843ab0 3946 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan,
0b209fae 3947 __get_reqseq(chan, rx_control), rx_control);
0e98958d 3948
0b209fae 3949 chan->expected_ack_seq = __get_reqseq(chan, rx_control);
42e5c802 3950 l2cap_drop_acked_frames(chan);
1c2acffb 3951
e3781735 3952 if (__is_ctrl_poll(chan, rx_control)) {
e2ab4353
GP		 3953 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3954 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3955 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 3956 (chan->unacked_frames > 0))
1a09bcb9 3957 __set_retrans_timer(chan);
05fbd89d 3958
e2ab4353 3959 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
525cd185 3960 l2cap_send_srejtail(chan);
05fbd89d 3961 } else {
525cd185 3962 l2cap_send_i_or_rr_or_rnr(chan);
05fbd89d 3963 }
1d8f5d16 3964
03f6715d 3965 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3966 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4ec10d97 3967
e2ab4353 3968 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3969 l2cap_retransmit_frames(chan);
2246b2f1 3970
e072745f 3971 } else {
e2ab4353 3972 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 3973 (chan->unacked_frames > 0))
1a09bcb9 3974 __set_retrans_timer(chan);
1c2acffb 3975
e2ab4353
GP		 3976 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3977 if (test_bit(CONN_SREJ_SENT, &chan->conn_state))
525cd185 3978 l2cap_send_ack(chan);
894718a6 3979 else
525cd185 3980 l2cap_ertm_send(chan);
e072745f
GP		 3981 }
3982}
2246b2f1 3983
88843ab0 3984static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 3985{
0b209fae 3986 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 3987
88843ab0 3988 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 3989
e2ab4353 3990 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
e072745f 3991
42e5c802
GP		 3992 chan->expected_ack_seq = tx_seq;
3993 l2cap_drop_acked_frames(chan);
e072745f 3994
03f6715d 3995 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3996 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3997 l2cap_retransmit_frames(chan);
e072745f 3998 } else {
525cd185 3999 l2cap_retransmit_frames(chan);
30afb5b2 4000
e2ab4353
GP		 4001 if (test_bit(CONN_WAIT_F, &chan->conn_state))
4002 set_bit(CONN_REJ_ACT, &chan->conn_state);
e072745f
GP		 4003 }
4004}
88843ab0 4005static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4006{
0b209fae 4007 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 4008
88843ab0 4009 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4010
e2ab4353 4011 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
2246b2f1 4012
e3781735 4013 if (__is_ctrl_poll(chan, rx_control)) {
42e5c802
GP		 4014 chan->expected_ack_seq = tx_seq;
4015 l2cap_drop_acked_frames(chan);
3cb123d1 4016
e2ab4353 4017 set_bit(CONN_SEND_FBIT, &chan->conn_state);
525cd185 4018 l2cap_retransmit_one_frame(chan, tx_seq);
dfc909be 4019
525cd185 4020 l2cap_ertm_send(chan);
dfc909be 4021
e2ab4353 4022 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 4023 chan->srej_save_reqseq = tx_seq;
e2ab4353 4024 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 4025 }
03f6715d 4026 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4027 if (test_bit(CONN_SREJ_ACT, &chan->conn_state) &&
6a026610 4028 chan->srej_save_reqseq == tx_seq)
e2ab4353 4029 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
e072745f 4030 else
525cd185 4031 l2cap_retransmit_one_frame(chan, tx_seq);
e072745f 4032 } else {
525cd185 4033 l2cap_retransmit_one_frame(chan, tx_seq);
e2ab4353 4034 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 4035 chan->srej_save_reqseq = tx_seq;
e2ab4353 4036 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 4037 }
e072745f
GP		 4038 }
4039}
4040
88843ab0 4041static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4042{
0b209fae 4043 u16 tx_seq = __get_reqseq(chan, rx_control);
e072745f 4044
88843ab0 4045 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4046
e2ab4353 4047 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
42e5c802
GP		 4048 chan->expected_ack_seq = tx_seq;
4049 l2cap_drop_acked_frames(chan);
e072745f 4050
e3781735 4051 if (__is_ctrl_poll(chan, rx_control))
e2ab4353 4052 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3cb123d1 4053
e2ab4353 4054 if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
1a09bcb9 4055 __clear_retrans_timer(chan);
e3781735 4056 if (__is_ctrl_poll(chan, rx_control))
525cd185 4057 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
99b0d4b7 4058 return;
e072745f 4059 }
99b0d4b7 4060
e3781735 4061 if (__is_ctrl_poll(chan, rx_control)) {
525cd185 4062 l2cap_send_srejtail(chan);
ab784b73
AE		 4063 } else {
4064 rx_control = __set_ctrl_super(chan, L2CAP_SUPER_RR);
4065 l2cap_send_sframe(chan, rx_control);
4066 }
e072745f
GP		 4067}
4068
88843ab0 4069static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
e072745f 4070{
88843ab0 4071 BT_DBG("chan %p rx_control 0x%8.8x len %d", chan, rx_control, skb->len);
e072745f 4072
03f6715d 4073 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 4074 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 4075 __clear_monitor_timer(chan);
6a026610 4076 if (chan->unacked_frames > 0)
1a09bcb9 4077 __set_retrans_timer(chan);
e2ab4353 4078 clear_bit(CONN_WAIT_F, &chan->conn_state);
e072745f
GP		 4079 }
4080
ab784b73
AE		 4081 switch (__get_ctrl_super(chan, rx_control)) {
4082 case L2CAP_SUPER_RR:
525cd185 4083 l2cap_data_channel_rrframe(chan, rx_control);
8f17154f
GP		 4084 break;
4085
ab784b73 4086 case L2CAP_SUPER_REJ:
525cd185 4087 l2cap_data_channel_rejframe(chan, rx_control);
e072745f 4088 break;
2246b2f1 4089
ab784b73 4090 case L2CAP_SUPER_SREJ:
525cd185 4091 l2cap_data_channel_srejframe(chan, rx_control);
e072745f
GP		 4092 break;
4093
ab784b73 4094 case L2CAP_SUPER_RNR:
525cd185 4095 l2cap_data_channel_rnrframe(chan, rx_control);
1c2acffb
GP		 4096 break;
4097 }
4098
faaebd19 4099 kfree_skb(skb);
1c2acffb
GP		 4100 return 0;
4101}
4102
218bb9df
GP		 4103static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
4104{
525cd185 4105 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
88843ab0 4106 u32 control;
0b209fae 4107 u16 req_seq;
218bb9df
GP		 4108 int len, next_tx_seq_offset, req_seq_offset;
4109
88843ab0
AE		 4110 control = __get_control(chan, skb->data);
4111 skb_pull(skb, __ctrl_size(chan));
218bb9df
GP		 4112 len = skb->len;
4113
4114 /*
4115 * We can just drop the corrupted I-frame here.
4116 * Receiver will miss it and start proper recovery
4117 * procedures and ask retransmission.
4118 */
47d1ec61 4119 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 4120 goto drop;
4121
793c2f1c 4122 if (__is_sar_start(chan, control) && !__is_sframe(chan, control))
03a51213 4123 len -= L2CAP_SDULEN_SIZE;
218bb9df 4124
47d1ec61 4125 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 4126 len -= L2CAP_FCS_SIZE;
218bb9df 4127
47d1ec61 4128 if (len > chan->mps) {
8c1d787b 4129 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4130 goto drop;
4131 }
4132
0b209fae 4133 req_seq = __get_reqseq(chan, control);
218bb9df 4134
836be934
AE		 4135 req_seq_offset = __seq_offset(chan, req_seq, chan->expected_ack_seq);
4136
4137 next_tx_seq_offset = __seq_offset(chan, chan->next_tx_seq,
4138 chan->expected_ack_seq);
218bb9df
GP		 4139
4140 /* check for invalid req-seq */
4141 if (req_seq_offset > next_tx_seq_offset) {
8c1d787b 4142 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4143 goto drop;
4144 }
4145
793c2f1c 4146 if (!__is_sframe(chan, control)) {
218bb9df 4147 if (len < 0) {
8c1d787b 4148 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4149 goto drop;
4150 }
4151
525cd185 4152 l2cap_data_channel_iframe(chan, control, skb);
218bb9df
GP		 4153 } else {
4154 if (len != 0) {
4155 BT_ERR("%d", len);
8c1d787b 4156 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4157 goto drop;
4158 }
4159
525cd185 4160 l2cap_data_channel_sframe(chan, control, skb);
218bb9df
GP		 4161 }
4162
4163 return 0;
4164
4165drop:
4166 kfree_skb(skb);
4167 return 0;
4168}
4169
1da177e4
LT		 4170static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
4171{
48454079 4172 struct l2cap_chan *chan;
bf734843 4173 struct sock *sk = NULL;
88843ab0 4174 u32 control;
fb45de7d 4175 u16 tx_seq;
218bb9df 4176 int len;
1da177e4 4177
baa7e1fa 4178 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 4179 if (!chan) {
1da177e4
LT		 4180 BT_DBG("unknown cid 0x%4.4x", cid);
4181 goto drop;
4182 }
4183
48454079 4184 sk = chan->sk;
6840ed07 4185
49208c9c 4186 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 4187
89bc500e 4188 if (chan->state != BT_CONNECTED)
1da177e4
LT		 4189 goto drop;
4190
0c1bc5c6 4191 switch (chan->mode) {
1c2acffb
GP		 4192 case L2CAP_MODE_BASIC:
4193 /* If socket recv buffers overflows we drop data here
4194 * which is *bad* because L2CAP has to be reliable.
4195 * But we don't have any other choice. L2CAP doesn't
4196 * provide flow control mechanism. */
1da177e4 4197
0c1bc5c6 4198 if (chan->imtu < skb->len)
1c2acffb 4199 goto drop;
1da177e4 4200
23070494 4201 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP		 4202 goto done;
4203 break;
4204
4205 case L2CAP_MODE_ERTM:
218bb9df
GP		 4206 if (!sock_owned_by_user(sk)) {
4207 l2cap_ertm_data_rcv(sk, skb);
277ffbe3 4208 } else {
218bb9df 4209 if (sk_add_backlog(sk, skb))
277ffbe3 4210 goto drop;
277ffbe3 4211 }
1c2acffb 4212
fcafde2e 4213 goto done;
1c2acffb 4214
6840ed07 4215 case L2CAP_MODE_STREAMING:
88843ab0
AE		 4216 control = __get_control(chan, skb->data);
4217 skb_pull(skb, __ctrl_size(chan));
6840ed07
GP		 4218 len = skb->len;
4219
47d1ec61 4220 if (l2cap_check_fcs(chan, skb))
26000089
GP		 4221 goto drop;
4222
7e0ef6ee 4223 if (__is_sar_start(chan, control))
03a51213 4224 len -= L2CAP_SDULEN_SIZE;
6840ed07 4225
47d1ec61 4226 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 4227 len -= L2CAP_FCS_SIZE;
fcc203c3 4228
793c2f1c 4229 if (len > chan->mps || len < 0 || __is_sframe(chan, control))
6840ed07
GP		 4230 goto drop;
4231
fb45de7d 4232 tx_seq = __get_txseq(chan, control);
6840ed07 4233
84084a31
MM		 4234 if (chan->expected_tx_seq != tx_seq) {
4235 /* Frame(s) missing - must discard partial SDU */
4236 kfree_skb(chan->sdu);
4237 chan->sdu = NULL;
4238 chan->sdu_last_frag = NULL;
4239 chan->sdu_len = 0;
6840ed07 4240
84084a31
MM		 4241 /* TODO: Notify userland of missing data */
4242 }
4243
836be934 4244 chan->expected_tx_seq = __next_seq(chan, tx_seq);
84084a31
MM		 4245
4246 if (l2cap_reassemble_sdu(chan, skb, control) == -EMSGSIZE)
4247 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
6840ed07
GP		 4248
4249 goto done;
4250
1c2acffb 4251 default:
0c1bc5c6 4252 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 4253 break;
4254 }
1da177e4
LT		 4255
4256drop:
4257 kfree_skb(skb);
4258
4259done:
0139418c
MH		 4260 if (sk)
4261 bh_unlock_sock(sk);
4262
1da177e4
LT		 4263 return 0;
4264}
4265
8e036fc3 4266static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 4267{
6dcae1ea 4268 struct sock *sk = NULL;
23691d75 4269 struct l2cap_chan *chan;
1da177e4 4270
23691d75
GP		 4271 chan = l2cap_global_chan_by_psm(0, psm, conn->src);
4272 if (!chan)
1da177e4
LT		 4273 goto drop;
4274
23691d75
GP		 4275 sk = chan->sk;
4276
e0f0cb56
GP		 4277 bh_lock_sock(sk);
4278
1da177e4
LT		 4279 BT_DBG("sk %p, len %d", sk, skb->len);
4280
89bc500e 4281 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 4282 goto drop;
4283
e13e21dc 4284 if (chan->imtu < skb->len)
1da177e4
LT		 4285 goto drop;
4286
23070494 4287 if (!chan->ops->recv(chan->data, skb))
1da177e4
LT		 4288 goto done;
4289
4290drop:
4291 kfree_skb(skb);
4292
4293done:
af05b30b
GP		 4294 if (sk)
4295 bh_unlock_sock(sk);
1da177e4
LT		 4296 return 0;
4297}
4298
9f69bda6
GP		 4299static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
4300{
6dcae1ea 4301 struct sock *sk = NULL;
23691d75 4302 struct l2cap_chan *chan;
9f69bda6 4303
23691d75
GP		 4304 chan = l2cap_global_chan_by_scid(0, cid, conn->src);
4305 if (!chan)
9f69bda6
GP		 4306 goto drop;
4307
23691d75
GP		 4308 sk = chan->sk;
4309
9f69bda6
GP		 4310 bh_lock_sock(sk);
4311
4312 BT_DBG("sk %p, len %d", sk, skb->len);
4313
89bc500e 4314 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 4315 goto drop;
4316
e13e21dc 4317 if (chan->imtu < skb->len)
9f69bda6
GP		 4318 goto drop;
4319
23070494 4320 if (!chan->ops->recv(chan->data, skb))
9f69bda6
GP		 4321 goto done;
4322
4323drop:
4324 kfree_skb(skb);
4325
4326done:
4327 if (sk)
4328 bh_unlock_sock(sk);
4329 return 0;
4330}
4331
1da177e4
LT		 4332static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4333{
4334 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4335 u16 cid, len;
4336 __le16 psm;
1da177e4
LT		 4337
4338 skb_pull(skb, L2CAP_HDR_SIZE);
4339 cid = __le16_to_cpu(lh->cid);
4340 len = __le16_to_cpu(lh->len);
4341
1c2acffb
GP		 4342 if (len != skb->len) {
4343 kfree_skb(skb);
4344 return;
4345 }
4346
1da177e4
LT		 4347 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4348
4349 switch (cid) {
3300d9a9 4350 case L2CAP_CID_LE_SIGNALING:
8db4dc46 4351 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4352 l2cap_sig_channel(conn, skb);
4353 break;
4354
8db4dc46 4355 case L2CAP_CID_CONN_LESS:
1b7bf4ed 4356 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 4357 skb_pull(skb, 2);
4358 l2cap_conless_channel(conn, psm, skb);
4359 break;
4360
9f69bda6
GP		 4361 case L2CAP_CID_LE_DATA:
4362 l2cap_att_channel(conn, cid, skb);
4363 break;
4364
b501d6a1
AB		 4365 case L2CAP_CID_SMP:
4366 if (smp_sig_channel(conn, skb))
4367 l2cap_conn_del(conn->hcon, EACCES);
4368 break;
4369
1da177e4
LT		 4370 default:
4371 l2cap_data_channel(conn, cid, skb);
4372 break;
4373 }
4374}
4375
4376/* ---- L2CAP interface with lower layer (HCI) ---- */
4377
4378static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4379{
4380 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 4381 struct l2cap_chan *c;
1da177e4
LT		 4382
4383 if (type != ACL_LINK)
963cf687 4384 return -EINVAL;
1da177e4
LT		 4385
4386 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4387
4388 /* Find listening sockets and check their link_mode */
23691d75
GP		 4389 read_lock(&chan_list_lock);
4390 list_for_each_entry(c, &chan_list, global_l) {
4391 struct sock *sk = c->sk;
4343478f 4392
89bc500e 4393 if (c->state != BT_LISTEN)
1da177e4
LT		 4394 continue;
4395
4396 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4397 lm1 |= HCI_LM_ACCEPT;
43bd0f32 4398 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 4399 lm1 |= HCI_LM_MASTER;
1da177e4 4400 exact++;
2af6b9d5
MH		 4401 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4402 lm2 |= HCI_LM_ACCEPT;
43bd0f32 4403 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 4404 lm2 |= HCI_LM_MASTER;
4405 }
1da177e4 4406 }
23691d75 4407 read_unlock(&chan_list_lock);
1da177e4
LT		 4408
4409 return exact ? lm1 : lm2;
4410}
4411
4412static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4413{
0139418c
MH		 4414 struct l2cap_conn *conn;
4415
1da177e4
LT		 4416 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4417
acd7d370 4418 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4419 return -EINVAL;
1da177e4
LT		 4420
4421 if (!status) {
1da177e4
LT		 4422 conn = l2cap_conn_add(hcon, status);
4423 if (conn)
4424 l2cap_conn_ready(conn);
0139418c 4425 } else
e175072f 4426 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 4427
4428 return 0;
4429}
4430
2950f21a
MH		 4431static int l2cap_disconn_ind(struct hci_conn *hcon)
4432{
4433 struct l2cap_conn *conn = hcon->l2cap_data;
4434
4435 BT_DBG("hcon %p", hcon);
4436
b5694506 4437 if ((hcon->type != ACL_LINK && hcon->type != LE_LINK) || !conn)
9f5a0d7b 4438 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 4439
4440 return conn->disc_reason;
4441}
4442
4443static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4444{
4445 BT_DBG("hcon %p reason %d", hcon, reason);
4446
acd7d370 4447 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4448 return -EINVAL;
1da177e4 4449
e175072f 4450 l2cap_conn_del(hcon, bt_to_errno(reason));
0139418c 4451
1da177e4
LT		 4452 return 0;
4453}
4454
4343478f 4455static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4456{
715ec005 4457 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 4458 return;
4459
f62e4323 4460 if (encrypt == 0x00) {
4343478f 4461 if (chan->sec_level == BT_SECURITY_MEDIUM) {
c9b66675 4462 __clear_chan_timer(chan);
f3f668b0 4463 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 4464 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 4465 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4466 } else {
4343478f 4467 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 4468 __clear_chan_timer(chan);
f62e4323
MH		 4469 }
4470}
4471
8c1b2355 4472static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4473{
0139418c 4474 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4475 struct l2cap_chan *chan;
1da177e4 4476
0139418c 4477 if (!conn)
1da177e4 4478 return 0;
0139418c 4479
1da177e4
LT		 4480 BT_DBG("conn %p", conn);
4481
160dc6ac
VCG		 4482 if (hcon->type == LE_LINK) {
4483 smp_distribute_keys(conn, 0);
4484 del_timer(&conn->security_timer);
4485 }
4486
baa7e1fa 4487 read_lock(&conn->chan_lock);
1da177e4 4488
baa7e1fa 4489 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 4490 struct sock *sk = chan->sk;
baa7e1fa 4491
1da177e4
LT		 4492 bh_lock_sock(sk);
4493
f1cb9af5
VCG		 4494 BT_DBG("chan->scid %d", chan->scid);
4495
4496 if (chan->scid == L2CAP_CID_LE_DATA) {
4497 if (!status && encrypt) {
4498 chan->sec_level = hcon->sec_level;
4499 l2cap_chan_ready(sk);
4500 }
4501
4502 bh_unlock_sock(sk);
4503 continue;
4504 }
4505
c1360a1c 4506 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6a8d3010
MH		 4507 bh_unlock_sock(sk);
4508 continue;
4509 }
4510
89bc500e
GP		 4511 if (!status && (chan->state == BT_CONNECTED ||
4512 chan->state == BT_CONFIG)) {
4343478f 4513 l2cap_check_encryption(chan, encrypt);
9719f8af
MH		 4514 bh_unlock_sock(sk);
4515 continue;
4516 }
4517
89bc500e 4518 if (chan->state == BT_CONNECT) {
b1235d79
MH		 4519 if (!status) {
4520 struct l2cap_conn_req req;
fe4128e0
GP		 4521 req.scid = cpu_to_le16(chan->scid);
4522 req.psm = chan->psm;
1da177e4 4523
fc7f8a7e 4524 chan->ident = l2cap_get_ident(conn);
c1360a1c 4525 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4 4526
fc7f8a7e 4527 l2cap_send_cmd(conn, chan->ident,
b1235d79
MH		 4528 L2CAP_CONN_REQ, sizeof(req), &req);
4529 } else {
c9b66675 4530 __clear_chan_timer(chan);
f3f668b0 4531 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 4532 }
89bc500e 4533 } else if (chan->state == BT_CONNECT2) {
b1235d79 4534 struct l2cap_conn_rsp rsp;
df3c3931 4535 __u16 res, stat;
1da177e4 4536
b1235d79 4537 if (!status) {
df3c3931
JH		 4538 if (bt_sk(sk)->defer_setup) {
4539 struct sock *parent = bt_sk(sk)->parent;
4540 res = L2CAP_CR_PEND;
4541 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 4542 if (parent)
4543 parent->sk_data_ready(parent, 0);
df3c3931 4544 } else {
05558911 4545 l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 4546 res = L2CAP_CR_SUCCESS;
4547 stat = L2CAP_CS_NO_INFO;
4548 }
b1235d79 4549 } else {
89bc500e 4550 l2cap_state_change(chan, BT_DISCONN);
f3f668b0 4551 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 4552 res = L2CAP_CR_SEC_BLOCK;
4553 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 4554 }
4555
fe4128e0
GP		 4556 rsp.scid = cpu_to_le16(chan->dcid);
4557 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 4558 rsp.result = cpu_to_le16(res);
4559 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 4560 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4561 sizeof(rsp), &rsp);
b1235d79 4562 }
1da177e4
LT		 4563
4564 bh_unlock_sock(sk);
4565 }
4566
baa7e1fa 4567 read_unlock(&conn->chan_lock);
b1235d79 4568
1da177e4
LT		 4569 return 0;
4570}
4571
4572static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4573{
4574 struct l2cap_conn *conn = hcon->l2cap_data;
4575
5a08ecce
AE		 4576 if (!conn)
4577 conn = l2cap_conn_add(hcon, 0);
4578
4579 if (!conn)
1da177e4
LT		 4580 goto drop;
4581
4582 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4583
e702112f 4584 if (!(flags & ACL_CONT)) {
1da177e4 4585 struct l2cap_hdr *hdr;
48454079 4586 struct l2cap_chan *chan;
89794813 4587 u16 cid;
1da177e4
LT		 4588 int len;
4589
4590 if (conn->rx_len) {
4591 BT_ERR("Unexpected start frame (len %d)", skb->len);
4592 kfree_skb(conn->rx_skb);
4593 conn->rx_skb = NULL;
4594 conn->rx_len = 0;
4595 l2cap_conn_unreliable(conn, ECOMM);
4596 }
4597
aae7fe22
AE		 4598 /* Start fragment always begin with Basic L2CAP header */
4599 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 4600 BT_ERR("Frame is too short (len %d)", skb->len);
4601 l2cap_conn_unreliable(conn, ECOMM);
4602 goto drop;
4603 }
4604
4605 hdr = (struct l2cap_hdr *) skb->data;
4606 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
89794813 4607 cid = __le16_to_cpu(hdr->cid);
1da177e4
LT		 4608
4609 if (len == skb->len) {
4610 /* Complete frame received */
4611 l2cap_recv_frame(conn, skb);
4612 return 0;
4613 }
4614
4615 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4616
4617 if (skb->len > len) {
4618 BT_ERR("Frame is too long (len %d, expected len %d)",
4619 skb->len, len);
4620 l2cap_conn_unreliable(conn, ECOMM);
4621 goto drop;
4622 }
4623
baa7e1fa 4624 chan = l2cap_get_chan_by_scid(conn, cid);
89794813 4625
48454079
GP		 4626 if (chan && chan->sk) {
4627 struct sock *sk = chan->sk;
89794813 4628
0c1bc5c6 4629 if (chan->imtu < len - L2CAP_HDR_SIZE) {
48454079
GP		 4630 BT_ERR("Frame exceeding recv MTU (len %d, "
4631 "MTU %d)", len,
0c1bc5c6 4632 chan->imtu);
48454079
GP		 4633 bh_unlock_sock(sk);
4634 l2cap_conn_unreliable(conn, ECOMM);
4635 goto drop;
4636 }
89794813 4637 bh_unlock_sock(sk);
48454079 4638 }
89794813 4639
1da177e4 4640 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4641 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4642 if (!conn->rx_skb)
1da177e4
LT		 4643 goto drop;
4644
d626f62b 4645 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4646 skb->len);
1da177e4
LT		 4647 conn->rx_len = len - skb->len;
4648 } else {
4649 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4650
4651 if (!conn->rx_len) {
4652 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4653 l2cap_conn_unreliable(conn, ECOMM);
4654 goto drop;
4655 }
4656
4657 if (skb->len > conn->rx_len) {
4658 BT_ERR("Fragment is too long (len %d, expected %d)",
4659 skb->len, conn->rx_len);
4660 kfree_skb(conn->rx_skb);
4661 conn->rx_skb = NULL;
4662 conn->rx_len = 0;
4663 l2cap_conn_unreliable(conn, ECOMM);
4664 goto drop;
4665 }
4666
d626f62b 4667 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4668 skb->len);
1da177e4
LT		 4669 conn->rx_len -= skb->len;
4670
4671 if (!conn->rx_len) {
4672 /* Complete frame received */
4673 l2cap_recv_frame(conn, conn->rx_skb);
4674 conn->rx_skb = NULL;
4675 }
4676 }
4677
4678drop:
4679 kfree_skb(skb);
4680 return 0;
4681}
4682
aef7d97c 4683static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 4684{
23691d75 4685 struct l2cap_chan *c;
1da177e4 4686
23691d75 4687 read_lock_bh(&chan_list_lock);
1da177e4 4688
23691d75
GP		 4689 list_for_each_entry(c, &chan_list, global_l) {
4690 struct sock *sk = c->sk;
101545f6 4691
903d343e 4692 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 4693 batostr(&bt_sk(sk)->src),
4694 batostr(&bt_sk(sk)->dst),
89bc500e 4695 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 4696 c->scid, c->dcid, c->imtu, c->omtu,
4697 c->sec_level, c->mode);
05558911 4698}
1da177e4 4699
23691d75 4700 read_unlock_bh(&chan_list_lock);
1da177e4 4701
aef7d97c 4702 return 0;
1da177e4
LT		 4703}
4704
aef7d97c
MH		 4705static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4706{
4707 return single_open(file, l2cap_debugfs_show, inode->i_private);
4708}
4709
4710static const struct file_operations l2cap_debugfs_fops = {
4711 .open = l2cap_debugfs_open,
4712 .read = seq_read,
4713 .llseek = seq_lseek,
4714 .release = single_release,
4715};
4716
4717static struct dentry *l2cap_debugfs;
1da177e4 4718
1da177e4
LT		 4719static struct hci_proto l2cap_hci_proto = {
4720 .name = "L2CAP",
4721 .id = HCI_PROTO_L2CAP,
4722 .connect_ind = l2cap_connect_ind,
4723 .connect_cfm = l2cap_connect_cfm,
4724 .disconn_ind = l2cap_disconn_ind,
2950f21a 4725 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 4726 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 4727 .recv_acldata = l2cap_recv_acldata
4728};
4729
64274518 4730int __init l2cap_init(void)
1da177e4
LT		 4731{
4732 int err;
be9d1227 4733
bb58f747 4734 err = l2cap_init_sockets();
1da177e4
LT		 4735 if (err < 0)
4736 return err;
4737
1da177e4
LT		 4738 err = hci_register_proto(&l2cap_hci_proto);
4739 if (err < 0) {
4740 BT_ERR("L2CAP protocol registration failed");
4741 bt_sock_unregister(BTPROTO_L2CAP);
4742 goto error;
4743 }
4744
aef7d97c
MH		 4745 if (bt_debugfs) {
4746 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4747 bt_debugfs, NULL, &l2cap_debugfs_fops);
4748 if (!l2cap_debugfs)
4749 BT_ERR("Failed to create L2CAP debug file");
4750 }
1da177e4 4751
1da177e4
LT		 4752 return 0;
4753
4754error:
bb58f747 4755 l2cap_cleanup_sockets();
1da177e4
LT		 4756 return err;
4757}
4758
64274518 4759void l2cap_exit(void)
1da177e4 4760{
aef7d97c 4761 debugfs_remove(l2cap_debugfs);
1da177e4 4762
1da177e4
LT		 4763 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4764 BT_ERR("L2CAP protocol unregistration failed");
4765
bb58f747 4766 l2cap_cleanup_sockets();
1da177e4
LT		 4767}
4768
d1c4a17d
GP		 4769module_param(disable_ertm, bool, 0644);
4770MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
a5fd6f30
AE		 4771
4772module_param(enable_hs, bool, 0644);
4773MODULE_PARM_DESC(enable_hs, "Enable High Speed");
kernel source for telekom puls (alcatel/mediatek)