projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Fix hidp_get_connection()
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
1da177e4
LT		 6
7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License version 2 as
11 published by the Free Software Foundation;
12
13 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
14 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
16 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 17 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
18 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
19 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 20 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21
8e87d142
YH		 22 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
23 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 24 SOFTWARE IS DISCLAIMED.
25*/
26
bb58f747 27/* Bluetooth L2CAP core. */
1da177e4 28
1da177e4
LT		 29#include <linux/module.h>
30
31#include <linux/types.h>
4fc268d2 32#include <linux/capability.h>
1da177e4
LT		 33#include <linux/errno.h>
34#include <linux/kernel.h>
1da177e4
LT		 35#include <linux/sched.h>
36#include <linux/slab.h>
37#include <linux/poll.h>
38#include <linux/fcntl.h>
39#include <linux/init.h>
40#include <linux/interrupt.h>
41#include <linux/socket.h>
42#include <linux/skbuff.h>
1da177e4 43#include <linux/list.h>
be9d1227 44#include <linux/device.h>
aef7d97c
MH		 45#include <linux/debugfs.h>
46#include <linux/seq_file.h>
af05b30b 47#include <linux/uaccess.h>
fcc203c3 48#include <linux/crc16.h>
1da177e4
LT		 49#include <net/sock.h>
50
51#include <asm/system.h>
1da177e4
LT		 52#include <asm/unaligned.h>
53
54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h>
b501d6a1 57#include <net/bluetooth/smp.h>
1da177e4 58
bb58f747 59int disable_ertm;
a5fd6f30 60int enable_hs;
f0709e03 61
47ec1dcd 62static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
e1027a7c 63static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 64
b5ad8b7f
JB		 65static LIST_HEAD(chan_list);
66static DEFINE_RWLOCK(chan_list_lock);
1da177e4 67
1da177e4
LT		 68static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
69 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 70static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
71 void *data);
710f9b0a 72static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a
GP		 73static void l2cap_send_disconn_req(struct l2cap_conn *conn,
74 struct l2cap_chan *chan, int err);
1da177e4 75
218bb9df
GP		 76static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
77
0139418c 78/* ---- L2CAP channels ---- */
71ba0e56
GP		 79
80static inline void chan_hold(struct l2cap_chan *c)
81{
82 atomic_inc(&c->refcnt);
83}
84
85static inline void chan_put(struct l2cap_chan *c)
86{
87 if (atomic_dec_and_test(&c->refcnt))
88 kfree(c);
89}
90
baa7e1fa 91static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 92{
48454079 93 struct l2cap_chan *c;
baa7e1fa
GP		 94
95 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 96 if (c->dcid == cid)
baa7e1fa 97 return c;
0139418c 98 }
baa7e1fa
GP		 99 return NULL;
100
0139418c
MH		 101}
102
baa7e1fa 103static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 104{
48454079 105 struct l2cap_chan *c;
baa7e1fa
GP		 106
107 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 108 if (c->scid == cid)
baa7e1fa 109 return c;
0139418c 110 }
baa7e1fa 111 return NULL;
0139418c
MH		 112}
113
114/* Find channel with given SCID.
115 * Returns locked socket */
baa7e1fa 116static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 117{
48454079 118 struct l2cap_chan *c;
baa7e1fa
GP		 119
120 read_lock(&conn->chan_lock);
121 c = __l2cap_get_chan_by_scid(conn, cid);
48454079
GP		 122 if (c)
123 bh_lock_sock(c->sk);
baa7e1fa 124 read_unlock(&conn->chan_lock);
48454079 125 return c;
0139418c
MH		 126}
127
baa7e1fa 128static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 129{
48454079 130 struct l2cap_chan *c;
baa7e1fa
GP		 131
132 list_for_each_entry(c, &conn->chan_l, list) {
fc7f8a7e 133 if (c->ident == ident)
baa7e1fa 134 return c;
0139418c 135 }
baa7e1fa 136 return NULL;
0139418c
MH		 137}
138
baa7e1fa 139static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 140{
48454079 141 struct l2cap_chan *c;
baa7e1fa
GP		 142
143 read_lock(&conn->chan_lock);
144 c = __l2cap_get_chan_by_ident(conn, ident);
48454079
GP		 145 if (c)
146 bh_lock_sock(c->sk);
baa7e1fa 147 read_unlock(&conn->chan_lock);
48454079 148 return c;
0139418c
MH		 149}
150
23691d75 151static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 152{
23691d75 153 struct l2cap_chan *c;
9e4425ff 154
23691d75
GP		 155 list_for_each_entry(c, &chan_list, global_l) {
156 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
9e4425ff
GP		 157 goto found;
158 }
159
23691d75 160 c = NULL;
9e4425ff 161found:
23691d75 162 return c;
9e4425ff
GP		 163}
164
165int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
166{
73b2ec18
GP		 167 int err;
168
23691d75 169 write_lock_bh(&chan_list_lock);
9e4425ff 170
23691d75 171 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 172 err = -EADDRINUSE;
173 goto done;
9e4425ff
GP		 174 }
175
73b2ec18
GP		 176 if (psm) {
177 chan->psm = psm;
178 chan->sport = psm;
179 err = 0;
180 } else {
181 u16 p;
182
183 err = -EINVAL;
184 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 185 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 186 chan->psm = cpu_to_le16(p);
187 chan->sport = cpu_to_le16(p);
188 err = 0;
189 break;
190 }
191 }
9e4425ff 192
73b2ec18 193done:
23691d75 194 write_unlock_bh(&chan_list_lock);
73b2ec18 195 return err;
9e4425ff
GP		 196}
197
198int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
199{
23691d75 200 write_lock_bh(&chan_list_lock);
9e4425ff
GP		 201
202 chan->scid = scid;
203
23691d75 204 write_unlock_bh(&chan_list_lock);
9e4425ff
GP		 205
206 return 0;
207}
208
baa7e1fa 209static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 210{
8db4dc46 211 u16 cid = L2CAP_CID_DYN_START;
0139418c 212
8db4dc46 213 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 214 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 215 return cid;
216 }
217
218 return 0;
219}
220
c9b66675 221static void l2cap_set_timer(struct l2cap_chan *chan, struct timer_list *timer, long timeout)
ab07801d 222{
457f4850 223 BT_DBG("chan %p state %d timeout %ld", chan, chan->state, timeout);
89bc500e 224
942ecc9c 225 if (!mod_timer(timer, jiffies + msecs_to_jiffies(timeout)))
774e5651 226 chan_hold(chan);
ab07801d
GP		 227}
228
c9b66675 229static void l2cap_clear_timer(struct l2cap_chan *chan, struct timer_list *timer)
ab07801d 230{
774e5651 231 BT_DBG("chan %p state %d", chan, chan->state);
ab07801d 232
774e5651
MM		 233 if (timer_pending(timer) && del_timer(timer))
234 chan_put(chan);
ab07801d
GP		 235}
236
89bc500e
GP		 237static void l2cap_state_change(struct l2cap_chan *chan, int state)
238{
239 chan->state = state;
240 chan->ops->state_change(chan->data, state);
241}
242
ab07801d
GP		 243static void l2cap_chan_timeout(unsigned long arg)
244{
245 struct l2cap_chan *chan = (struct l2cap_chan *) arg;
246 struct sock *sk = chan->sk;
247 int reason;
248
89bc500e 249 BT_DBG("chan %p state %d", chan, chan->state);
ab07801d
GP		 250
251 bh_lock_sock(sk);
252
253 if (sock_owned_by_user(sk)) {
254 /* sk is owned by user. Try again later */
c9b66675 255 __set_chan_timer(chan, HZ / 5);
ab07801d 256 bh_unlock_sock(sk);
71ba0e56 257 chan_put(chan);
ab07801d
GP		 258 return;
259 }
260
89bc500e 261 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 262 reason = ECONNREFUSED;
89bc500e 263 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 264 chan->sec_level != BT_SECURITY_SDP)
265 reason = ECONNREFUSED;
266 else
267 reason = ETIMEDOUT;
268
0f852724 269 l2cap_chan_close(chan, reason);
ab07801d
GP		 270
271 bh_unlock_sock(sk);
272
ba3bd0ee 273 chan->ops->close(chan->data);
71ba0e56 274 chan_put(chan);
ab07801d
GP		 275}
276
23691d75 277struct l2cap_chan *l2cap_chan_create(struct sock *sk)
48454079
GP		 278{
279 struct l2cap_chan *chan;
280
281 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
282 if (!chan)
283 return NULL;
284
285 chan->sk = sk;
286
23691d75
GP		 287 write_lock_bh(&chan_list_lock);
288 list_add(&chan->global_l, &chan_list);
289 write_unlock_bh(&chan_list_lock);
290
ab07801d
GP		 291 setup_timer(&chan->chan_timer, l2cap_chan_timeout, (unsigned long) chan);
292
89bc500e
GP		 293 chan->state = BT_OPEN;
294
71ba0e56
GP		 295 atomic_set(&chan->refcnt, 1);
296
48454079
GP		 297 return chan;
298}
299
23691d75 300void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 301{
23691d75
GP		 302 write_lock_bh(&chan_list_lock);
303 list_del(&chan->global_l);
304 write_unlock_bh(&chan_list_lock);
305
71ba0e56 306 chan_put(chan);
6ff5abbf
GP		 307}
308
48454079 309static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 310{
af05b30b 311 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
fe4128e0 312 chan->psm, chan->dcid);
0139418c 313
2950f21a
MH		 314 conn->disc_reason = 0x13;
315
8c1d787b 316 chan->conn = conn;
0139418c 317
715ec005 318 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
b62f328b
VT		 319 if (conn->hcon->type == LE_LINK) {
320 /* LE connection */
0c1bc5c6 321 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 322 chan->scid = L2CAP_CID_LE_DATA;
323 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 324 } else {
325 /* Alloc CID for connection-oriented socket */
fe4128e0 326 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 327 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 328 }
715ec005 329 } else if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
0139418c 330 /* Connectionless socket */
fe4128e0
GP		 331 chan->scid = L2CAP_CID_CONN_LESS;
332 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 333 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 334 } else {
335 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 336 chan->scid = L2CAP_CID_SIGNALING;
337 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 338 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 339 }
340
8f7975b1
AE		 341 chan->local_id = L2CAP_BESTEFFORT_ID;
342 chan->local_stype = L2CAP_SERV_BESTEFFORT;
343 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
344 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
345 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
346 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
347
71ba0e56 348 chan_hold(chan);
baa7e1fa
GP		 349
350 list_add(&chan->list, &conn->chan_l);
0139418c
MH		 351}
352
8e87d142 353/* Delete channel.
0139418c 354 * Must be called on the locked socket. */
4519de9a 355static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 356{
48454079 357 struct sock *sk = chan->sk;
8c1d787b 358 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 359 struct sock *parent = bt_sk(sk)->parent;
360
c9b66675 361 __clear_chan_timer(chan);
0139418c 362
49208c9c 363 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 364
8e87d142 365 if (conn) {
baa7e1fa
GP		 366 /* Delete from channel list */
367 write_lock_bh(&conn->chan_lock);
368 list_del(&chan->list);
369 write_unlock_bh(&conn->chan_lock);
71ba0e56 370 chan_put(chan);
baa7e1fa 371
8c1d787b 372 chan->conn = NULL;
0139418c
MH		 373 hci_conn_put(conn->hcon);
374 }
375
89bc500e 376 l2cap_state_change(chan, BT_CLOSED);
0139418c
MH		 377 sock_set_flag(sk, SOCK_ZAPPED);
378
379 if (err)
380 sk->sk_err = err;
381
382 if (parent) {
383 bt_accept_unlink(sk);
384 parent->sk_data_ready(parent, 0);
385 } else
386 sk->sk_state_change(sk);
c13ffa62 387
c1360a1c
GP		 388 if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
389 test_bit(CONF_INPUT_DONE, &chan->conf_state)))
6ff5abbf 390 return;
2ead70b8 391
58d35f87 392 skb_queue_purge(&chan->tx_q);
c13ffa62 393
0c1bc5c6 394 if (chan->mode == L2CAP_MODE_ERTM) {
c13ffa62
GP		 395 struct srej_list *l, *tmp;
396
1a09bcb9
GP		 397 __clear_retrans_timer(chan);
398 __clear_monitor_timer(chan);
399 __clear_ack_timer(chan);
c13ffa62 400
f1c6775b 401 skb_queue_purge(&chan->srej_q);
c13ffa62 402
39d5a3ee 403 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
c13ffa62
GP		 404 list_del(&l->list);
405 kfree(l);
406 }
407 }
0139418c
MH		 408}
409
4519de9a
GP		 410static void l2cap_chan_cleanup_listen(struct sock *parent)
411{
412 struct sock *sk;
413
414 BT_DBG("parent %p", parent);
415
416 /* Close not yet accepted channels */
0f852724 417 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee 418 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
c9b66675 419 __clear_chan_timer(chan);
0f852724 420 lock_sock(sk);
ba3bd0ee 421 l2cap_chan_close(chan, ECONNRESET);
0f852724 422 release_sock(sk);
ba3bd0ee 423 chan->ops->close(chan->data);
0f852724 424 }
4519de9a
GP		 425}
426
0f852724 427void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 428{
429 struct l2cap_conn *conn = chan->conn;
430 struct sock *sk = chan->sk;
431
89bc500e 432 BT_DBG("chan %p state %d socket %p", chan, chan->state, sk->sk_socket);
4519de9a 433
89bc500e 434 switch (chan->state) {
4519de9a
GP		 435 case BT_LISTEN:
436 l2cap_chan_cleanup_listen(sk);
89bc500e
GP		 437
438 l2cap_state_change(chan, BT_CLOSED);
439 sock_set_flag(sk, SOCK_ZAPPED);
4519de9a
GP		 440 break;
441
442 case BT_CONNECTED:
443 case BT_CONFIG:
715ec005 444 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 445 conn->hcon->type == ACL_LINK) {
c9b66675
GP		 446 __clear_chan_timer(chan);
447 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 448 l2cap_send_disconn_req(conn, chan, reason);
449 } else
450 l2cap_chan_del(chan, reason);
451 break;
452
453 case BT_CONNECT2:
715ec005 454 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 455 conn->hcon->type == ACL_LINK) {
456 struct l2cap_conn_rsp rsp;
457 __u16 result;
458
459 if (bt_sk(sk)->defer_setup)
460 result = L2CAP_CR_SEC_BLOCK;
461 else
462 result = L2CAP_CR_BAD_PSM;
89bc500e 463 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 464
465 rsp.scid = cpu_to_le16(chan->dcid);
466 rsp.dcid = cpu_to_le16(chan->scid);
467 rsp.result = cpu_to_le16(result);
468 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
469 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
470 sizeof(rsp), &rsp);
471 }
472
473 l2cap_chan_del(chan, reason);
474 break;
475
476 case BT_CONNECT:
477 case BT_DISCONN:
478 l2cap_chan_del(chan, reason);
479 break;
480
481 default:
482 sock_set_flag(sk, SOCK_ZAPPED);
483 break;
484 }
485}
486
4343478f 487static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 488{
715ec005 489 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 490 switch (chan->sec_level) {
8556edd3
JH		 491 case BT_SECURITY_HIGH:
492 return HCI_AT_DEDICATED_BONDING_MITM;
493 case BT_SECURITY_MEDIUM:
494 return HCI_AT_DEDICATED_BONDING;
495 default:
496 return HCI_AT_NO_BONDING;
497 }
fe4128e0 498 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 499 if (chan->sec_level == BT_SECURITY_LOW)
500 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 501
4343478f 502 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 503 return HCI_AT_NO_BONDING_MITM;
00ae4af9 504 else
8556edd3 505 return HCI_AT_NO_BONDING;
00ae4af9 506 } else {
4343478f 507 switch (chan->sec_level) {
00ae4af9 508 case BT_SECURITY_HIGH:
8556edd3 509 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 510 case BT_SECURITY_MEDIUM:
8556edd3 511 return HCI_AT_GENERAL_BONDING;
00ae4af9 512 default:
8556edd3 513 return HCI_AT_NO_BONDING;
00ae4af9 514 }
0684e5f9 515 }
8556edd3
JH		 516}
517
518/* Service level security */
4343478f 519static inline int l2cap_check_security(struct l2cap_chan *chan)
8556edd3 520{
8c1d787b 521 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 522 __u8 auth_type;
523
4343478f 524 auth_type = l2cap_get_auth_type(chan);
79d554a6 525
4343478f 526 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 527}
528
b5ad8b7f 529static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 530{
531 u8 id;
532
533 /* Get next available identificator.
534 * 1 - 128 are used by kernel.
535 * 129 - 199 are reserved.
536 * 200 - 254 are used by utilities like l2ping, etc.
537 */
538
539 spin_lock_bh(&conn->lock);
540
541 if (++conn->tx_ident > 128)
542 conn->tx_ident = 1;
543
544 id = conn->tx_ident;
545
546 spin_unlock_bh(&conn->lock);
547
548 return id;
549}
550
4519de9a 551static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 552{
553 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 554 u8 flags;
4e8402a3
MH		 555
556 BT_DBG("code 0x%2.2x", code);
557
558 if (!skb)
9a9c6a34 559 return;
4e8402a3 560
e702112f
AE		 561 if (lmp_no_flush_capable(conn->hcon->hdev))
562 flags = ACL_START_NO_FLUSH;
563 else
564 flags = ACL_START;
565
14b12d0b 566 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 567 skb->priority = HCI_PRIO_MAX;
14b12d0b 568
e702112f 569 hci_send_acl(conn->hcon, skb, flags);
4e8402a3
MH		 570}
571
88843ab0 572static inline void l2cap_send_sframe(struct l2cap_chan *chan, u32 control)
1c2acffb
GP		 573{
574 struct sk_buff *skb;
575 struct l2cap_hdr *lh;
8c1d787b 576 struct l2cap_conn *conn = chan->conn;
e4ca6d98 577 int count, hlen;
e702112f 578 u8 flags;
fcc203c3 579
89bc500e 580 if (chan->state != BT_CONNECTED)
c13ffa62
GP		 581 return;
582
e4ca6d98
AE		 583 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
584 hlen = L2CAP_EXT_HDR_SIZE;
585 else
586 hlen = L2CAP_ENH_HDR_SIZE;
587
47d1ec61 588 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 589 hlen += L2CAP_FCS_SIZE;
1c2acffb 590
88843ab0 591 BT_DBG("chan %p, control 0x%8.8x", chan, control);
1c2acffb 592
fcc203c3 593 count = min_t(unsigned int, conn->mtu, hlen);
793c2f1c
AE		 594
595 control |= __set_sframe(chan);
1c2acffb 596
e2ab4353 597 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 598 control |= __set_ctrl_final(chan);
9e917af1 599
e2ab4353 600 if (test_and_clear_bit(CONN_SEND_PBIT, &chan->conn_state))
e3781735 601 control |= __set_ctrl_poll(chan);
f0946ccf 602
1c2acffb
GP		 603 skb = bt_skb_alloc(count, GFP_ATOMIC);
604 if (!skb)
9a9c6a34 605 return;
1c2acffb
GP		 606
607 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 608 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
fe4128e0 609 lh->cid = cpu_to_le16(chan->dcid);
88843ab0
AE		 610
611 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
1c2acffb 612
47d1ec61 613 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 614 u16 fcs = crc16(0, (u8 *)lh, count - L2CAP_FCS_SIZE);
615 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 616 }
617
e702112f
AE		 618 if (lmp_no_flush_capable(conn->hcon->hdev))
619 flags = ACL_START_NO_FLUSH;
620 else
621 flags = ACL_START;
622
15770b1a 623 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
14b12d0b 624
8c1d787b 625 hci_send_acl(chan->conn->hcon, skb, flags);
1c2acffb
GP		 626}
627
88843ab0 628static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u32 control)
7e743090 629{
e2ab4353 630 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 631 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 632 set_bit(CONN_RNR_SENT, &chan->conn_state);
1890d36b 633 } else
ab784b73 634 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
7e743090 635
0b209fae 636 control |= __set_reqseq(chan, chan->buffer_seq);
2ab25cdd 637
525cd185 638 l2cap_send_sframe(chan, control);
7e743090
GP		 639}
640
b4450035 641static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 642{
c1360a1c 643 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 644}
645
fc7f8a7e 646static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 647{
8c1d787b 648 struct l2cap_conn *conn = chan->conn;
79d554a6
MH		 649
650 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 651 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
652 return;
653
4343478f
GP		 654 if (l2cap_check_security(chan) &&
655 __l2cap_no_conn_pending(chan)) {
b1235d79 656 struct l2cap_conn_req req;
fe4128e0
GP		 657 req.scid = cpu_to_le16(chan->scid);
658 req.psm = chan->psm;
79d554a6 659
fc7f8a7e 660 chan->ident = l2cap_get_ident(conn);
c1360a1c 661 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
79d554a6 662
fc7f8a7e
GP		 663 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
664 sizeof(req), &req);
b1235d79 665 }
79d554a6
MH		 666 } else {
667 struct l2cap_info_req req;
668 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
669
670 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
671 conn->info_ident = l2cap_get_ident(conn);
672
673 mod_timer(&conn->info_timer, jiffies +
674 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
675
676 l2cap_send_cmd(conn, conn->info_ident,
677 L2CAP_INFO_REQ, sizeof(req), &req);
678 }
679}
680
cf6c2c0b
GP		 681static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
682{
683 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 684 if (!disable_ertm)
cf6c2c0b
GP		 685 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
686
687 switch (mode) {
688 case L2CAP_MODE_ERTM:
689 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
690 case L2CAP_MODE_STREAMING:
691 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
692 default:
693 return 0x00;
694 }
695}
696
4519de9a 697static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 698{
e92c8e70 699 struct sock *sk;
22121fc9
GP		 700 struct l2cap_disconn_req req;
701
c13ffa62
GP		 702 if (!conn)
703 return;
704
e92c8e70
GP		 705 sk = chan->sk;
706
0c1bc5c6 707 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 708 __clear_retrans_timer(chan);
709 __clear_monitor_timer(chan);
710 __clear_ack_timer(chan);
c13ffa62
GP		 711 }
712
fe4128e0
GP		 713 req.dcid = cpu_to_le16(chan->dcid);
714 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 715 l2cap_send_cmd(conn, l2cap_get_ident(conn),
716 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 717
89bc500e 718 l2cap_state_change(chan, BT_DISCONN);
9b108fc0 719 sk->sk_err = err;
22121fc9
GP		 720}
721
1da177e4 722/* ---- L2CAP connections ---- */
4e8402a3
MH		 723static void l2cap_conn_start(struct l2cap_conn *conn)
724{
820ffdb3 725 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 726
727 BT_DBG("conn %p", conn);
728
baa7e1fa 729 read_lock(&conn->chan_lock);
4e8402a3 730
820ffdb3 731 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 732 struct sock *sk = chan->sk;
baa7e1fa 733
4e8402a3
MH		 734 bh_lock_sock(sk);
735
715ec005 736 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
79d554a6
MH		 737 bh_unlock_sock(sk);
738 continue;
739 }
740
89bc500e 741 if (chan->state == BT_CONNECT) {
47731de7 742 struct l2cap_conn_req req;
79d554a6 743
4343478f 744 if (!l2cap_check_security(chan) ||
b4450035 745 !__l2cap_no_conn_pending(chan)) {
47731de7
GP		 746 bh_unlock_sock(sk);
747 continue;
748 }
79d554a6 749
c1360a1c
GP		 750 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
751 && test_bit(CONF_STATE2_DEVICE,
752 &chan->conf_state)) {
0f852724 753 /* l2cap_chan_close() calls list_del(chan)
820ffdb3 754 * so release the lock */
2461daac 755 read_unlock(&conn->chan_lock);
89bc500e 756 l2cap_chan_close(chan, ECONNRESET);
2461daac 757 read_lock(&conn->chan_lock);
47731de7
GP		 758 bh_unlock_sock(sk);
759 continue;
b1235d79 760 }
47731de7 761
fe4128e0
GP		 762 req.scid = cpu_to_le16(chan->scid);
763 req.psm = chan->psm;
47731de7 764
fc7f8a7e 765 chan->ident = l2cap_get_ident(conn);
c1360a1c 766 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
47731de7 767
fc7f8a7e
GP		 768 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
769 sizeof(req), &req);
47731de7 770
89bc500e 771 } else if (chan->state == BT_CONNECT2) {
79d554a6 772 struct l2cap_conn_rsp rsp;
e9aeb2dd 773 char buf[128];
fe4128e0
GP		 774 rsp.scid = cpu_to_le16(chan->dcid);
775 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 776
4343478f 777 if (l2cap_check_security(chan)) {
f66dc81f
MH		 778 if (bt_sk(sk)->defer_setup) {
779 struct sock *parent = bt_sk(sk)->parent;
780 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
781 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 782 if (parent)
783 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 784
785 } else {
89bc500e 786 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 787 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
788 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
789 }
79d554a6
MH		 790 } else {
791 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
792 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
793 }
794
fc7f8a7e
GP		 795 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
796 sizeof(rsp), &rsp);
e9aeb2dd 797
c1360a1c 798 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd
GP		 799 rsp.result != L2CAP_CR_SUCCESS) {
800 bh_unlock_sock(sk);
801 continue;
802 }
803
c1360a1c 804 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 805 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 806 l2cap_build_conf_req(chan, buf), buf);
807 chan->num_conf_req++;
4e8402a3
MH		 808 }
809
810 bh_unlock_sock(sk);
811 }
812
baa7e1fa 813 read_unlock(&conn->chan_lock);
4e8402a3
MH		 814}
815
b62f328b
VT		 816/* Find socket with cid and source bdaddr.
817 * Returns closest match, locked.
818 */
23691d75 819static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
b62f328b 820{
23691d75 821 struct l2cap_chan *c, *c1 = NULL;
b62f328b 822
23691d75 823 read_lock(&chan_list_lock);
b62f328b 824
23691d75
GP		 825 list_for_each_entry(c, &chan_list, global_l) {
826 struct sock *sk = c->sk;
fe4128e0 827
89bc500e 828 if (state && c->state != state)
b62f328b
VT		 829 continue;
830
23691d75 831 if (c->scid == cid) {
b62f328b 832 /* Exact match. */
23691d75
GP		 833 if (!bacmp(&bt_sk(sk)->src, src)) {
834 read_unlock(&chan_list_lock);
835 return c;
836 }
b62f328b
VT		 837
838 /* Closest match */
839 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 840 c1 = c;
b62f328b
VT		 841 }
842 }
280f294f 843
23691d75 844 read_unlock(&chan_list_lock);
b62f328b 845
23691d75 846 return c1;
b62f328b
VT		 847}
848
849static void l2cap_le_conn_ready(struct l2cap_conn *conn)
850{
c916fbe4 851 struct sock *parent, *sk;
23691d75 852 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 853
854 BT_DBG("");
855
856 /* Check if we have socket listening on cid */
23691d75 857 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
b62f328b 858 conn->src);
23691d75 859 if (!pchan)
b62f328b
VT		 860 return;
861
23691d75
GP		 862 parent = pchan->sk;
863
62f3a2cf
GP		 864 bh_lock_sock(parent);
865
b62f328b
VT		 866 /* Check for backlog size */
867 if (sk_acceptq_is_full(parent)) {
868 BT_DBG("backlog full %d", parent->sk_ack_backlog);
869 goto clean;
870 }
871
80808e43
GP		 872 chan = pchan->ops->new_connection(pchan->data);
873 if (!chan)
b62f328b
VT		 874 goto clean;
875
80808e43 876 sk = chan->sk;
5d41ce1d 877
baa7e1fa 878 write_lock_bh(&conn->chan_lock);
b62f328b
VT		 879
880 hci_conn_hold(conn->hcon);
881
b62f328b
VT		 882 bacpy(&bt_sk(sk)->src, conn->src);
883 bacpy(&bt_sk(sk)->dst, conn->dst);
884
d1010240
GP		 885 bt_accept_enqueue(parent, sk);
886
48454079
GP		 887 __l2cap_chan_add(conn, chan);
888
c9b66675 889 __set_chan_timer(chan, sk->sk_sndtimeo);
b62f328b 890
89bc500e 891 l2cap_state_change(chan, BT_CONNECTED);
b62f328b
VT		 892 parent->sk_data_ready(parent, 0);
893
baa7e1fa 894 write_unlock_bh(&conn->chan_lock);
b62f328b
VT		 895
896clean:
897 bh_unlock_sock(parent);
898}
899
f1cb9af5
VCG		 900static void l2cap_chan_ready(struct sock *sk)
901{
902 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
903 struct sock *parent = bt_sk(sk)->parent;
904
905 BT_DBG("sk %p, parent %p", sk, parent);
906
907 chan->conf_state = 0;
908 __clear_chan_timer(chan);
909
43f3dc41 910 l2cap_state_change(chan, BT_CONNECTED);
f1cb9af5
VCG		 911 sk->sk_state_change(sk);
912
913 if (parent)
914 parent->sk_data_ready(parent, 0);
915}
916
4e8402a3
MH		 917static void l2cap_conn_ready(struct l2cap_conn *conn)
918{
48454079 919 struct l2cap_chan *chan;
4e8402a3 920
79d554a6 921 BT_DBG("conn %p", conn);
4e8402a3 922
b62f328b
VT		 923 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
924 l2cap_le_conn_ready(conn);
925
160dc6ac
VCG		 926 if (conn->hcon->out && conn->hcon->type == LE_LINK)
927 smp_conn_security(conn, conn->hcon->pending_sec_level);
928
baa7e1fa 929 read_lock(&conn->chan_lock);
4e8402a3 930
baa7e1fa 931 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 932 struct sock *sk = chan->sk;
baa7e1fa 933
79d554a6 934 bh_lock_sock(sk);
4e8402a3 935
63128451 936 if (conn->hcon->type == LE_LINK) {
b501d6a1 937 if (smp_conn_security(conn, chan->sec_level))
f1cb9af5 938 l2cap_chan_ready(sk);
acd7d370 939
63128451 940 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 941 __clear_chan_timer(chan);
89bc500e 942 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 943 sk->sk_state_change(sk);
b501d6a1 944
89bc500e 945 } else if (chan->state == BT_CONNECT)
fc7f8a7e 946 l2cap_do_start(chan);
4e8402a3 947
79d554a6 948 bh_unlock_sock(sk);
4e8402a3 949 }
79d554a6 950
baa7e1fa 951 read_unlock(&conn->chan_lock);
4e8402a3
MH		 952}
953
954/* Notify sockets that we cannot guaranty reliability anymore */
955static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
956{
48454079 957 struct l2cap_chan *chan;
4e8402a3
MH		 958
959 BT_DBG("conn %p", conn);
960
baa7e1fa 961 read_lock(&conn->chan_lock);
4e8402a3 962
baa7e1fa 963 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 964 struct sock *sk = chan->sk;
baa7e1fa 965
ecf61bdb 966 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
4e8402a3
MH		 967 sk->sk_err = err;
968 }
969
baa7e1fa 970 read_unlock(&conn->chan_lock);
4e8402a3
MH		 971}
972
973static void l2cap_info_timeout(unsigned long arg)
974{
975 struct l2cap_conn *conn = (void *) arg;
976
984947dc 977 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 978 conn->info_ident = 0;
984947dc 979
4e8402a3
MH		 980 l2cap_conn_start(conn);
981}
982
5d3de7df
VCG		 983static void l2cap_conn_del(struct hci_conn *hcon, int err)
984{
985 struct l2cap_conn *conn = hcon->l2cap_data;
986 struct l2cap_chan *chan, *l;
987 struct sock *sk;
988
989 if (!conn)
990 return;
991
992 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
993
994 kfree_skb(conn->rx_skb);
995
996 /* Kill channels */
997 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
998 sk = chan->sk;
999 bh_lock_sock(sk);
1000 l2cap_chan_del(chan, err);
1001 bh_unlock_sock(sk);
1002 chan->ops->close(chan->data);
1003 }
1004
1005 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1006 del_timer_sync(&conn->info_timer);
1007
d26a2345 1008 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->pend)) {
5d3de7df 1009 del_timer(&conn->security_timer);
8aab4757 1010 smp_chan_destroy(conn);
d26a2345 1011 }
5d3de7df
VCG		 1012
1013 hcon->l2cap_data = NULL;
1014 kfree(conn);
1015}
1016
1017static void security_timeout(unsigned long arg)
1018{
1019 struct l2cap_conn *conn = (void *) arg;
1020
1021 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1022}
1023
1da177e4
LT		 1024static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1025{
0139418c 1026 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 1027
0139418c 1028 if (conn || status)
1da177e4
LT		 1029 return conn;
1030
0139418c
MH		 1031 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
1032 if (!conn)
1da177e4 1033 return NULL;
1da177e4
LT		 1034
1035 hcon->l2cap_data = conn;
1036 conn->hcon = hcon;
1037
0139418c
MH		 1038 BT_DBG("hcon %p conn %p", hcon, conn);
1039
acd7d370
VT		 1040 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1041 conn->mtu = hcon->hdev->le_mtu;
1042 else
1043 conn->mtu = hcon->hdev->acl_mtu;
1044
1da177e4
LT		 1045 conn->src = &hcon->hdev->bdaddr;
1046 conn->dst = &hcon->dst;
1047
4e8402a3
MH		 1048 conn->feat_mask = 0;
1049
1da177e4 1050 spin_lock_init(&conn->lock);
baa7e1fa
GP		 1051 rwlock_init(&conn->chan_lock);
1052
1053 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1054
5d3de7df
VCG		 1055 if (hcon->type == LE_LINK)
1056 setup_timer(&conn->security_timer, security_timeout,
1057 (unsigned long) conn);
1058 else
b62f328b 1059 setup_timer(&conn->info_timer, l2cap_info_timeout,
45054dc1
DY		 1060 (unsigned long) conn);
1061
2950f21a
MH		 1062 conn->disc_reason = 0x13;
1063
1da177e4
LT		 1064 return conn;
1065}
1066
48454079 1067static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
1da177e4 1068{
baa7e1fa 1069 write_lock_bh(&conn->chan_lock);
48454079 1070 __l2cap_chan_add(conn, chan);
baa7e1fa 1071 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 1072}
1073
1da177e4 1074/* ---- Socket interface ---- */
1da177e4
LT		 1075
1076/* Find socket with psm and source bdaddr.
1077 * Returns closest match.
1078 */
23691d75 1079static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4 1080{
23691d75 1081 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1082
23691d75 1083 read_lock(&chan_list_lock);
e0f0cb56 1084
23691d75
GP		 1085 list_for_each_entry(c, &chan_list, global_l) {
1086 struct sock *sk = c->sk;
fe4128e0 1087
89bc500e 1088 if (state && c->state != state)
1da177e4
LT		 1089 continue;
1090
23691d75 1091 if (c->psm == psm) {
1da177e4 1092 /* Exact match. */
23691d75 1093 if (!bacmp(&bt_sk(sk)->src, src)) {
a7567b20 1094 read_unlock(&chan_list_lock);
23691d75
GP		 1095 return c;
1096 }
1da177e4
LT		 1097
1098 /* Closest match */
1099 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 1100 c1 = c;
1da177e4
LT		 1101 }
1102 }
1da177e4 1103
23691d75 1104 read_unlock(&chan_list_lock);
e0f0cb56 1105
23691d75 1106 return c1;
1da177e4
LT		 1107}
1108
77a74c7e 1109int l2cap_chan_connect(struct l2cap_chan *chan)
1da177e4 1110{
5d41ce1d 1111 struct sock *sk = chan->sk;
1da177e4
LT		 1112 bdaddr_t *src = &bt_sk(sk)->src;
1113 bdaddr_t *dst = &bt_sk(sk)->dst;
1114 struct l2cap_conn *conn;
1115 struct hci_conn *hcon;
1116 struct hci_dev *hdev;
09ab6f4c 1117 __u8 auth_type;
44d0e48e 1118 int err;
1da177e4 1119
f29972de 1120 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
fe4128e0 1121 chan->psm);
1da177e4 1122
af05b30b
GP		 1123 hdev = hci_get_route(dst, src);
1124 if (!hdev)
1da177e4
LT		 1125 return -EHOSTUNREACH;
1126
1127 hci_dev_lock_bh(hdev);
1128
4343478f 1129 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1130
fe4128e0 1131 if (chan->dcid == L2CAP_CID_LE_DATA)
acd7d370 1132 hcon = hci_connect(hdev, LE_LINK, dst,
4343478f 1133 chan->sec_level, auth_type);
acd7d370
VT		 1134 else
1135 hcon = hci_connect(hdev, ACL_LINK, dst,
4343478f 1136 chan->sec_level, auth_type);
acd7d370 1137
30e76272
VT		 1138 if (IS_ERR(hcon)) {
1139 err = PTR_ERR(hcon);
1da177e4 1140 goto done;
30e76272 1141 }
1da177e4
LT		 1142
1143 conn = l2cap_conn_add(hcon, 0);
1144 if (!conn) {
1145 hci_conn_put(hcon);
30e76272 1146 err = -ENOMEM;
1da177e4
LT		 1147 goto done;
1148 }
1149
1da177e4
LT		 1150 /* Update source addr of the socket */
1151 bacpy(src, conn->src);
1152
48454079
GP		 1153 l2cap_chan_add(conn, chan);
1154
89bc500e 1155 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1156 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1157
1158 if (hcon->state == BT_CONNECTED) {
715ec005 1159 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1160 __clear_chan_timer(chan);
4343478f 1161 if (l2cap_check_security(chan))
89bc500e 1162 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1163 } else
fc7f8a7e 1164 l2cap_do_start(chan);
1da177e4
LT		 1165 }
1166
30e76272
VT		 1167 err = 0;
1168
1da177e4
LT		 1169done:
1170 hci_dev_unlock_bh(hdev);
1171 hci_dev_put(hdev);
1172 return err;
1173}
1174
dcba0dba 1175int __l2cap_wait_ack(struct sock *sk)
6161c038 1176{
8c1d787b 1177 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1178 DECLARE_WAITQUEUE(wait, current);
1179 int err = 0;
1180 int timeo = HZ/5;
1181
2b0b05dd 1182 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1183 set_current_state(TASK_INTERRUPTIBLE);
1184 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1185 if (!timeo)
1186 timeo = HZ/5;
1187
1188 if (signal_pending(current)) {
1189 err = sock_intr_errno(timeo);
1190 break;
1191 }
1192
1193 release_sock(sk);
1194 timeo = schedule_timeout(timeo);
1195 lock_sock(sk);
a71a0cf4 1196 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1197
1198 err = sock_error(sk);
1199 if (err)
1200 break;
1201 }
1202 set_current_state(TASK_RUNNING);
2b0b05dd 1203 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1204 return err;
1205}
1206
e90bac06
GP		 1207static void l2cap_monitor_timeout(unsigned long arg)
1208{
525cd185
GP		 1209 struct l2cap_chan *chan = (void *) arg;
1210 struct sock *sk = chan->sk;
e90bac06 1211
525cd185 1212 BT_DBG("chan %p", chan);
0e98958d 1213
e686219a 1214 bh_lock_sock(sk);
2c03a7a4 1215 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1216 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
b13f5860 1217 bh_unlock_sock(sk);
e90bac06
GP		 1218 return;
1219 }
1220
6a026610 1221 chan->retry_count++;
1a09bcb9 1222 __set_monitor_timer(chan);
e90bac06 1223
525cd185 1224 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1225 bh_unlock_sock(sk);
e90bac06
GP		 1226}
1227
1228static void l2cap_retrans_timeout(unsigned long arg)
1229{
525cd185
GP		 1230 struct l2cap_chan *chan = (void *) arg;
1231 struct sock *sk = chan->sk;
e90bac06 1232
49208c9c 1233 BT_DBG("chan %p", chan);
0e98958d 1234
e686219a 1235 bh_lock_sock(sk);
6a026610 1236 chan->retry_count = 1;
1a09bcb9 1237 __set_monitor_timer(chan);
e90bac06 1238
e2ab4353 1239 set_bit(CONN_WAIT_F, &chan->conn_state);
e90bac06 1240
525cd185 1241 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1242 bh_unlock_sock(sk);
e90bac06
GP		 1243}
1244
42e5c802 1245static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1da177e4 1246{
1c2acffb 1247 struct sk_buff *skb;
1da177e4 1248
58d35f87 1249 while ((skb = skb_peek(&chan->tx_q)) &&
6a026610 1250 chan->unacked_frames) {
42e5c802 1251 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1c2acffb 1252 break;
1da177e4 1253
58d35f87 1254 skb = skb_dequeue(&chan->tx_q);
1c2acffb 1255 kfree_skb(skb);
1da177e4 1256
6a026610 1257 chan->unacked_frames--;
1c2acffb 1258 }
1da177e4 1259
6a026610 1260 if (!chan->unacked_frames)
1a09bcb9 1261 __clear_retrans_timer(chan);
1c2acffb 1262}
1da177e4 1263
67c9e840 1264static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
1c2acffb 1265{
8c1d787b 1266 struct hci_conn *hcon = chan->conn->hcon;
e702112f 1267 u16 flags;
1c2acffb 1268
5e59b791
LAD		 1269 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
1270 skb->priority);
1da177e4 1271
d57b0e8b
AE		 1272 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
1273 lmp_no_flush_capable(hcon->hdev))
e702112f
AE		 1274 flags = ACL_START_NO_FLUSH;
1275 else
1276 flags = ACL_START;
1277
15770b1a 1278 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
e702112f 1279 hci_send_acl(hcon, skb, flags);
1c2acffb
GP		 1280}
1281
67c9e840 1282static void l2cap_streaming_send(struct l2cap_chan *chan)
6840ed07 1283{
ccbb84af 1284 struct sk_buff *skb;
88843ab0
AE		 1285 u32 control;
1286 u16 fcs;
6840ed07 1287
58d35f87 1288 while ((skb = skb_dequeue(&chan->tx_q))) {
88843ab0 1289 control = __get_control(chan, skb->data + L2CAP_HDR_SIZE);
fb45de7d 1290 control |= __set_txseq(chan, chan->next_tx_seq);
88843ab0 1291 __put_control(chan, control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1292
47d1ec61 1293 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1294 fcs = crc16(0, (u8 *)skb->data,
1295 skb->len - L2CAP_FCS_SIZE);
1296 put_unaligned_le16(fcs,
1297 skb->data + skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 1298 }
1299
4343478f 1300 l2cap_do_send(chan, skb);
6840ed07 1301
836be934 1302 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
6840ed07 1303 }
6840ed07
GP		 1304}
1305
fb45de7d 1306static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 1307{
8f17154f 1308 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1309 u16 fcs;
1310 u32 control;
8f17154f 1311
58d35f87 1312 skb = skb_peek(&chan->tx_q);
f11d676d
GP		 1313 if (!skb)
1314 return;
8f17154f 1315
f11d676d
GP		 1316 do {
1317 if (bt_cb(skb)->tx_seq == tx_seq)
8f17154f 1318 break;
8f17154f 1319
58d35f87 1320 if (skb_queue_is_last(&chan->tx_q, skb))
f11d676d 1321 return;
8f17154f 1322
58d35f87 1323 } while ((skb = skb_queue_next(&chan->tx_q, skb)));
8f17154f 1324
2c03a7a4
GP		 1325 if (chan->remote_max_tx &&
1326 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1327 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
f11d676d
GP		 1328 return;
1329 }
1330
1331 tx_skb = skb_clone(skb, GFP_ATOMIC);
1332 bt_cb(skb)->retries++;
88843ab0
AE		 1333
1334 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1335 control &= __get_sar_mask(chan);
3cb123d1 1336
e2ab4353 1337 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1338 control |= __set_ctrl_final(chan);
95ffa978 1339
0b209fae 1340 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1341 control |= __set_txseq(chan, tx_seq);
3cb123d1 1342
88843ab0 1343 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
f11d676d 1344
47d1ec61 1345 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1346 fcs = crc16(0, (u8 *)tx_skb->data,
1347 tx_skb->len - L2CAP_FCS_SIZE);
1348 put_unaligned_le16(fcs,
1349 tx_skb->data + tx_skb->len - L2CAP_FCS_SIZE);
f11d676d
GP		 1350 }
1351
4343478f 1352 l2cap_do_send(chan, tx_skb);
8f17154f
GP		 1353}
1354
67c9e840 1355static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1356{
1357 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1358 u16 fcs;
1359 u32 control;
9a9c6a34 1360 int nsent = 0;
1c2acffb 1361
89bc500e 1362 if (chan->state != BT_CONNECTED)
c13ffa62 1363 return -ENOTCONN;
e90bac06 1364
58d35f87 1365 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1c2acffb 1366
2c03a7a4
GP		 1367 if (chan->remote_max_tx &&
1368 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1369 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
e90bac06
GP		 1370 break;
1371 }
1372
e420aba3
AE		 1373 tx_skb = skb_clone(skb, GFP_ATOMIC);
1374
e90bac06
GP		 1375 bt_cb(skb)->retries++;
1376
88843ab0 1377 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1378 control &= __get_sar_mask(chan);
95ffa978 1379
e2ab4353 1380 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1381 control |= __set_ctrl_final(chan);
e2ab4353 1382
0b209fae 1383 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1384 control |= __set_txseq(chan, chan->next_tx_seq);
1c2acffb 1385
88843ab0 1386 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
e90bac06 1387
47d1ec61 1388 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1389 fcs = crc16(0, (u8 *)skb->data,
1390 tx_skb->len - L2CAP_FCS_SIZE);
1391 put_unaligned_le16(fcs, skb->data +
1392 tx_skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 1393 }
1394
4343478f 1395 l2cap_do_send(chan, tx_skb);
9a9c6a34 1396
1a09bcb9 1397 __set_retrans_timer(chan);
1c2acffb 1398
42e5c802 1399 bt_cb(skb)->tx_seq = chan->next_tx_seq;
836be934
AE		 1400
1401 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1c2acffb 1402
23e9fde2 1403 if (bt_cb(skb)->retries == 1)
6a026610 1404 chan->unacked_frames++;
23e9fde2 1405
6a026610 1406 chan->frames_sent++;
1c2acffb 1407
58d35f87
GP		 1408 if (skb_queue_is_last(&chan->tx_q, skb))
1409 chan->tx_send_head = NULL;
1c2acffb 1410 else
58d35f87 1411 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
9e917af1
GP		 1412
1413 nsent++;
1c2acffb
GP		 1414 }
1415
9e917af1
GP		 1416 return nsent;
1417}
1418
525cd185 1419static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1420{
dfc909be
GP		 1421 int ret;
1422
58d35f87
GP		 1423 if (!skb_queue_empty(&chan->tx_q))
1424 chan->tx_send_head = chan->tx_q.next;
dfc909be 1425
42e5c802 1426 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1427 ret = l2cap_ertm_send(chan);
dfc909be
GP		 1428 return ret;
1429}
1430
525cd185 1431static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1432{
88843ab0 1433 u32 control = 0;
9e917af1 1434
0b209fae 1435 control |= __set_reqseq(chan, chan->buffer_seq);
9e917af1 1436
e2ab4353 1437 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 1438 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 1439 set_bit(CONN_RNR_SENT, &chan->conn_state);
525cd185 1440 l2cap_send_sframe(chan, control);
9a9c6a34 1441 return;
9e917af1 1442 }
dfc909be 1443
525cd185 1444 if (l2cap_ertm_send(chan) > 0)
dfc909be
GP		 1445 return;
1446
ab784b73 1447 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 1448 l2cap_send_sframe(chan, control);
1c2acffb
GP		 1449}
1450
525cd185 1451static void l2cap_send_srejtail(struct l2cap_chan *chan)
99b0d4b7
GP		 1452{
1453 struct srej_list *tail;
88843ab0 1454 u32 control;
99b0d4b7 1455
ab784b73 1456 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
03f6715d 1457 control |= __set_ctrl_final(chan);
99b0d4b7 1458
39d5a3ee 1459 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
0b209fae 1460 control |= __set_reqseq(chan, tail->tx_seq);
99b0d4b7 1461
525cd185 1462 l2cap_send_sframe(chan, control);
99b0d4b7
GP		 1463}
1464
1c2acffb
GP		 1465static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1466{
8c1d787b 1467 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1c2acffb
GP		 1468 struct sk_buff **frag;
1469 int err, sent = 0;
1da177e4 1470
59203a21 1471 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1472 return -EFAULT;
1da177e4
LT		 1473
1474 sent += count;
1475 len -= count;
1476
1477 /* Continuation fragments (no L2CAP header) */
1478 frag = &skb_shinfo(skb)->frag_list;
1479 while (len) {
1480 count = min_t(unsigned int, conn->mtu, len);
1481
1482 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1483 if (!*frag)
0175d629 1484 return err;
1c2acffb
GP		 1485 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1486 return -EFAULT;
1da177e4 1487
5e59b791
LAD		 1488 (*frag)->priority = skb->priority;
1489
1da177e4
LT		 1490 sent += count;
1491 len -= count;
1492
1493 frag = &(*frag)->next;
1494 }
1da177e4
LT		 1495
1496 return sent;
1c2acffb 1497}
1da177e4 1498
5e59b791
LAD		 1499static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
1500 struct msghdr *msg, size_t len,
1501 u32 priority)
1c2acffb 1502{
fe4128e0 1503 struct sock *sk = chan->sk;
8c1d787b 1504 struct l2cap_conn *conn = chan->conn;
1c2acffb 1505 struct sk_buff *skb;
03a51213 1506 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 1507 struct l2cap_hdr *lh;
1508
5e59b791 1509 BT_DBG("sk %p len %d priority %u", sk, (int)len, priority);
1c2acffb
GP		 1510
1511 count = min_t(unsigned int, (conn->mtu - hlen), len);
1512 skb = bt_skb_send_alloc(sk, count + hlen,
1513 msg->msg_flags & MSG_DONTWAIT, &err);
1514 if (!skb)
0175d629 1515 return ERR_PTR(err);
1c2acffb 1516
5e59b791
LAD		 1517 skb->priority = priority;
1518
1c2acffb
GP		 1519 /* Create L2CAP header */
1520 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1521 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1522 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
fe4128e0 1523 put_unaligned_le16(chan->psm, skb_put(skb, 2));
1c2acffb
GP		 1524
1525 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1526 if (unlikely(err < 0)) {
1527 kfree_skb(skb);
1528 return ERR_PTR(err);
1529 }
1530 return skb;
1531}
1532
5e59b791
LAD		 1533static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
1534 struct msghdr *msg, size_t len,
1535 u32 priority)
1c2acffb 1536{
fe4128e0 1537 struct sock *sk = chan->sk;
8c1d787b 1538 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1539 struct sk_buff *skb;
1540 int err, count, hlen = L2CAP_HDR_SIZE;
1541 struct l2cap_hdr *lh;
1542
1543 BT_DBG("sk %p len %d", sk, (int)len);
1544
1545 count = min_t(unsigned int, (conn->mtu - hlen), len);
1546 skb = bt_skb_send_alloc(sk, count + hlen,
1547 msg->msg_flags & MSG_DONTWAIT, &err);
1548 if (!skb)
0175d629 1549 return ERR_PTR(err);
1c2acffb 1550
5e59b791
LAD		 1551 skb->priority = priority;
1552
1c2acffb
GP		 1553 /* Create L2CAP header */
1554 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1555 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1556 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1557
1558 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1559 if (unlikely(err < 0)) {
1560 kfree_skb(skb);
1561 return ERR_PTR(err);
1562 }
1563 return skb;
1564}
1565
ab0ff76d
LAD		 1566static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
1567 struct msghdr *msg, size_t len,
88843ab0 1568 u32 control, u16 sdulen)
1c2acffb 1569{
47d1ec61 1570 struct sock *sk = chan->sk;
8c1d787b 1571 struct l2cap_conn *conn = chan->conn;
1c2acffb 1572 struct sk_buff *skb;
e4ca6d98 1573 int err, count, hlen;
1c2acffb
GP		 1574 struct l2cap_hdr *lh;
1575
1576 BT_DBG("sk %p len %d", sk, (int)len);
1577
0ee0d208
GP		 1578 if (!conn)
1579 return ERR_PTR(-ENOTCONN);
1580
e4ca6d98
AE		 1581 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1582 hlen = L2CAP_EXT_HDR_SIZE;
1583 else
1584 hlen = L2CAP_ENH_HDR_SIZE;
1585
c74e560c 1586 if (sdulen)
03a51213 1587 hlen += L2CAP_SDULEN_SIZE;
c74e560c 1588
47d1ec61 1589 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1590 hlen += L2CAP_FCS_SIZE;
fcc203c3 1591
1c2acffb
GP		 1592 count = min_t(unsigned int, (conn->mtu - hlen), len);
1593 skb = bt_skb_send_alloc(sk, count + hlen,
1594 msg->msg_flags & MSG_DONTWAIT, &err);
1595 if (!skb)
0175d629 1596 return ERR_PTR(err);
1c2acffb
GP		 1597
1598 /* Create L2CAP header */
1599 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1600 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1601 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0
AE		 1602
1603 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
1604
c74e560c 1605 if (sdulen)
03a51213 1606 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb
GP		 1607
1608 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1609 if (unlikely(err < 0)) {
1610 kfree_skb(skb);
1611 return ERR_PTR(err);
1612 }
e90bac06 1613
47d1ec61 1614 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1615 put_unaligned_le16(0, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3 1616
e90bac06 1617 bt_cb(skb)->retries = 0;
1c2acffb 1618 return skb;
1da177e4
LT		 1619}
1620
67c9e840 1621static int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
c74e560c 1622{
c74e560c
GP		 1623 struct sk_buff *skb;
1624 struct sk_buff_head sar_queue;
88843ab0 1625 u32 control;
c74e560c
GP		 1626 size_t size = 0;
1627
ff12fd64 1628 skb_queue_head_init(&sar_queue);
7e0ef6ee 1629 control = __set_ctrl_sar(chan, L2CAP_SAR_START);
47d1ec61 1630 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
c74e560c
GP		 1631 if (IS_ERR(skb))
1632 return PTR_ERR(skb);
1633
1634 __skb_queue_tail(&sar_queue, skb);
2c03a7a4
GP		 1635 len -= chan->remote_mps;
1636 size += chan->remote_mps;
c74e560c
GP		 1637
1638 while (len > 0) {
1639 size_t buflen;
1640
2c03a7a4 1641 if (len > chan->remote_mps) {
7e0ef6ee 1642 control = __set_ctrl_sar(chan, L2CAP_SAR_CONTINUE);
2c03a7a4 1643 buflen = chan->remote_mps;
c74e560c 1644 } else {
7e0ef6ee 1645 control = __set_ctrl_sar(chan, L2CAP_SAR_END);
c74e560c
GP		 1646 buflen = len;
1647 }
1648
47d1ec61 1649 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
c74e560c
GP		 1650 if (IS_ERR(skb)) {
1651 skb_queue_purge(&sar_queue);
1652 return PTR_ERR(skb);
1653 }
1654
1655 __skb_queue_tail(&sar_queue, skb);
1656 len -= buflen;
1657 size += buflen;
c74e560c 1658 }
58d35f87
GP		 1659 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
1660 if (chan->tx_send_head == NULL)
1661 chan->tx_send_head = sar_queue.next;
c74e560c
GP		 1662
1663 return size;
1664}
1665
5e59b791
LAD		 1666int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
1667 u32 priority)
9a91a04a 1668{
9a91a04a 1669 struct sk_buff *skb;
88843ab0 1670 u32 control;
9a91a04a
GP		 1671 int err;
1672
1673 /* Connectionless channel */
715ec005 1674 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 1675 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 1676 if (IS_ERR(skb))
1677 return PTR_ERR(skb);
1678
1679 l2cap_do_send(chan, skb);
1680 return len;
1681 }
1682
1683 switch (chan->mode) {
1684 case L2CAP_MODE_BASIC:
1685 /* Check outgoing MTU */
1686 if (len > chan->omtu)
1687 return -EMSGSIZE;
1688
1689 /* Create a basic PDU */
5e59b791 1690 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 1691 if (IS_ERR(skb))
1692 return PTR_ERR(skb);
1693
1694 l2cap_do_send(chan, skb);
1695 err = len;
1696 break;
1697
1698 case L2CAP_MODE_ERTM:
1699 case L2CAP_MODE_STREAMING:
1700 /* Entire SDU fits into one PDU */
1701 if (len <= chan->remote_mps) {
7e0ef6ee 1702 control = __set_ctrl_sar(chan, L2CAP_SAR_UNSEGMENTED);
9a91a04a
GP		 1703 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
1704 0);
1705 if (IS_ERR(skb))
1706 return PTR_ERR(skb);
1707
1708 __skb_queue_tail(&chan->tx_q, skb);
1709
1710 if (chan->tx_send_head == NULL)
1711 chan->tx_send_head = skb;
1712
1713 } else {
1714 /* Segment SDU into multiples PDUs */
1715 err = l2cap_sar_segment_sdu(chan, msg, len);
1716 if (err < 0)
1717 return err;
1718 }
1719
1720 if (chan->mode == L2CAP_MODE_STREAMING) {
1721 l2cap_streaming_send(chan);
1722 err = len;
1723 break;
1724 }
1725
e2ab4353
GP		 1726 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
1727 test_bit(CONN_WAIT_F, &chan->conn_state)) {
9a91a04a
GP		 1728 err = len;
1729 break;
1730 }
1731
1732 err = l2cap_ertm_send(chan);
1733 if (err >= 0)
1734 err = len;
1735
1736 break;
1737
1738 default:
1739 BT_DBG("bad state %1.1x", chan->mode);
1740 err = -EBADFD;
1741 }
1742
1743 return err;
1744}
1745
1da177e4
LT		 1746/* Copy frame to all raw sockets on that connection */
1747static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1748{
1da177e4 1749 struct sk_buff *nskb;
48454079 1750 struct l2cap_chan *chan;
1da177e4
LT		 1751
1752 BT_DBG("conn %p", conn);
1753
baa7e1fa
GP		 1754 read_lock(&conn->chan_lock);
1755 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 1756 struct sock *sk = chan->sk;
715ec005 1757 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 1758 continue;
1759
1760 /* Don't send frame to the socket it came from */
1761 if (skb->sk == sk)
1762 continue;
af05b30b
GP		 1763 nskb = skb_clone(skb, GFP_ATOMIC);
1764 if (!nskb)
1da177e4
LT		 1765 continue;
1766
23070494 1767 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT		 1768 kfree_skb(nskb);
1769 }
baa7e1fa 1770 read_unlock(&conn->chan_lock);
1da177e4
LT		 1771}
1772
1773/* ---- L2CAP signalling commands ---- */
1774static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1775 u8 code, u8 ident, u16 dlen, void *data)
1776{
1777 struct sk_buff *skb, **frag;
1778 struct l2cap_cmd_hdr *cmd;
1779 struct l2cap_hdr *lh;
1780 int len, count;
1781
af05b30b
GP		 1782 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1783 conn, code, ident, dlen);
1da177e4
LT		 1784
1785 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1786 count = min_t(unsigned int, conn->mtu, len);
1787
1788 skb = bt_skb_alloc(count, GFP_ATOMIC);
1789 if (!skb)
1790 return NULL;
1791
1792 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 1793 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 1794
1795 if (conn->hcon->type == LE_LINK)
1796 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
1797 else
1798 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 1799
1800 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1801 cmd->code = code;
1802 cmd->ident = ident;
aca3192c 1803 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 1804
1805 if (dlen) {
1806 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1807 memcpy(skb_put(skb, count), data, count);
1808 data += count;
1809 }
1810
1811 len -= skb->len;
1812
1813 /* Continuation fragments (no L2CAP header) */
1814 frag = &skb_shinfo(skb)->frag_list;
1815 while (len) {
1816 count = min_t(unsigned int, conn->mtu, len);
1817
1818 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1819 if (!*frag)
1820 goto fail;
1821
1822 memcpy(skb_put(*frag, count), data, count);
1823
1824 len -= count;
1825 data += count;
1826
1827 frag = &(*frag)->next;
1828 }
1829
1830 return skb;
1831
1832fail:
1833 kfree_skb(skb);
1834 return NULL;
1835}
1836
1837static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1838{
1839 struct l2cap_conf_opt *opt = *ptr;
1840 int len;
1841
1842 len = L2CAP_CONF_OPT_SIZE + opt->len;
1843 *ptr += len;
1844
1845 *type = opt->type;
1846 *olen = opt->len;
1847
1848 switch (opt->len) {
1849 case 1:
1850 *val = *((u8 *) opt->val);
1851 break;
1852
1853 case 2:
bfaaeb3e 1854 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 1855 break;
1856
1857 case 4:
bfaaeb3e 1858 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 1859 break;
1860
1861 default:
1862 *val = (unsigned long) opt->val;
1863 break;
1864 }
1865
1866 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1867 return len;
1868}
1869
1da177e4
LT		 1870static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1871{
1872 struct l2cap_conf_opt *opt = *ptr;
1873
1874 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1875
1876 opt->type = type;
1877 opt->len = len;
1878
1879 switch (len) {
1880 case 1:
1881 *((u8 *) opt->val) = val;
1882 break;
1883
1884 case 2:
4f8b691c 1885 put_unaligned_le16(val, opt->val);
1da177e4
LT		 1886 break;
1887
1888 case 4:
4f8b691c 1889 put_unaligned_le32(val, opt->val);
1da177e4
LT		 1890 break;
1891
1892 default:
1893 memcpy(opt->val, (void *) val, len);
1894 break;
1895 }
1896
1897 *ptr += L2CAP_CONF_OPT_SIZE + len;
1898}
1899
f89cef09
AE		 1900static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
1901{
1902 struct l2cap_conf_efs efs;
1903
1904 switch(chan->mode) {
1905 case L2CAP_MODE_ERTM:
1906 efs.id = chan->local_id;
1907 efs.stype = chan->local_stype;
1908 efs.msdu = cpu_to_le16(chan->local_msdu);
1909 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
1910 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
1911 efs.flush_to = cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
1912 break;
1913
1914 case L2CAP_MODE_STREAMING:
1915 efs.id = 1;
1916 efs.stype = L2CAP_SERV_BESTEFFORT;
1917 efs.msdu = cpu_to_le16(chan->local_msdu);
1918 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
1919 efs.acc_lat = 0;
1920 efs.flush_to = 0;
1921 break;
1922
1923 default:
1924 return;
1925 }
1926
1927 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
1928 (unsigned long) &efs);
1929}
1930
c1b4f43b
GP		 1931static void l2cap_ack_timeout(unsigned long arg)
1932{
525cd185 1933 struct l2cap_chan *chan = (void *) arg;
c1b4f43b 1934
525cd185
GP		 1935 bh_lock_sock(chan->sk);
1936 l2cap_send_ack(chan);
1937 bh_unlock_sock(chan->sk);
c1b4f43b
GP		 1938}
1939
525cd185 1940static inline void l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 1941{
525cd185
GP		 1942 struct sock *sk = chan->sk;
1943
42e5c802 1944 chan->expected_ack_seq = 0;
6a026610 1945 chan->unacked_frames = 0;
42e5c802 1946 chan->buffer_seq = 0;
6a026610
GP		 1947 chan->num_acked = 0;
1948 chan->frames_sent = 0;
0565c1c2 1949
e92c8e70
GP		 1950 setup_timer(&chan->retrans_timer, l2cap_retrans_timeout,
1951 (unsigned long) chan);
1952 setup_timer(&chan->monitor_timer, l2cap_monitor_timeout,
1953 (unsigned long) chan);
1954 setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan);
0565c1c2 1955
f1c6775b 1956 skb_queue_head_init(&chan->srej_q);
1890d36b 1957
39d5a3ee
GP		 1958 INIT_LIST_HEAD(&chan->srej_l);
1959
218bb9df
GP		 1960
1961 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
0565c1c2
GP		 1962}
1963
f2fcfcd6
GP		 1964static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
1965{
1966 switch (mode) {
1967 case L2CAP_MODE_STREAMING:
1968 case L2CAP_MODE_ERTM:
1969 if (l2cap_mode_supported(mode, remote_feat_mask))
1970 return mode;
1971 /* fall through */
1972 default:
1973 return L2CAP_MODE_BASIC;
1974 }
1975}
1976
6327eb98
AE		 1977static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
1978{
1979 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
1980}
1981
f89cef09
AE		 1982static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
1983{
1984 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
1985}
1986
6327eb98
AE		 1987static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
1988{
1989 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 1990 __l2cap_ews_supported(chan)) {
6327eb98
AE		 1991 /* use extended control field */
1992 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 1993 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
1994 } else {
6327eb98
AE		 1995 chan->tx_win = min_t(u16, chan->tx_win,
1996 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 1997 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
1998 }
6327eb98
AE		 1999}
2000
710f9b0a 2001static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2002{
1da177e4 2003 struct l2cap_conf_req *req = data;
0c1bc5c6 2004 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2005 void *ptr = req->data;
c8f79162 2006 u16 size;
1da177e4 2007
49208c9c 2008 BT_DBG("chan %p", chan);
1da177e4 2009
73ffa904 2010 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2011 goto done;
2012
0c1bc5c6 2013 switch (chan->mode) {
f2fcfcd6
GP		 2014 case L2CAP_MODE_STREAMING:
2015 case L2CAP_MODE_ERTM:
c1360a1c 2016 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2017 break;
85eb53c6 2018
f89cef09
AE		 2019 if (__l2cap_efs_supported(chan))
2020 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2021
2ba13ed6 2022 /* fall through */
f2fcfcd6 2023 default:
8c1d787b 2024 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2025 break;
2026 }
2027
2028done:
0c1bc5c6
GP		 2029 if (chan->imtu != L2CAP_DEFAULT_MTU)
2030 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2031
0c1bc5c6 2032 switch (chan->mode) {
65c7c491 2033 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2034 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2035 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2036 break;
2037
62547752
GP		 2038 rfc.mode = L2CAP_MODE_BASIC;
2039 rfc.txwin_size = 0;
2040 rfc.max_transmit = 0;
2041 rfc.retrans_timeout = 0;
2042 rfc.monitor_timeout = 0;
2043 rfc.max_pdu_size = 0;
2044
63406504
GP		 2045 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2046 (unsigned long) &rfc);
65c7c491
MH		 2047 break;
2048
2049 case L2CAP_MODE_ERTM:
2050 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2051 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2052 rfc.retrans_timeout = 0;
2053 rfc.monitor_timeout = 0;
c8f79162
AE		 2054
2055 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2056 L2CAP_EXT_HDR_SIZE -
2057 L2CAP_SDULEN_SIZE -
2058 L2CAP_FCS_SIZE);
2059 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2060
6327eb98
AE		 2061 l2cap_txwin_setup(chan);
2062
2063 rfc.txwin_size = min_t(u16, chan->tx_win,
2064 L2CAP_DEFAULT_TX_WINDOW);
2065
63406504
GP		 2066 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2067 (unsigned long) &rfc);
2068
f89cef09
AE		 2069 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2070 l2cap_add_opt_efs(&ptr, chan);
2071
8c1d787b 2072 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2073 break;
2074
47d1ec61 2075 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2076 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2077 chan->fcs = L2CAP_FCS_NONE;
2078 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2079 }
6327eb98
AE		 2080
2081 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2082 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2083 chan->tx_win);
f2fcfcd6
GP		 2084 break;
2085
2086 case L2CAP_MODE_STREAMING:
2087 rfc.mode = L2CAP_MODE_STREAMING;
2088 rfc.txwin_size = 0;
2089 rfc.max_transmit = 0;
2090 rfc.retrans_timeout = 0;
2091 rfc.monitor_timeout = 0;
c8f79162
AE		 2092
2093 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2094 L2CAP_EXT_HDR_SIZE -
2095 L2CAP_SDULEN_SIZE -
2096 L2CAP_FCS_SIZE);
2097 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2098
63406504
GP		 2099 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2100 (unsigned long) &rfc);
2101
f89cef09
AE		 2102 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2103 l2cap_add_opt_efs(&ptr, chan);
2104
8c1d787b 2105 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2106 break;
2107
47d1ec61 2108 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2109 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2110 chan->fcs = L2CAP_FCS_NONE;
2111 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2112 }
65c7c491
MH		 2113 break;
2114 }
1da177e4 2115
fe4128e0 2116 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 2117 req->flags = cpu_to_le16(0);
1da177e4
LT		 2118
2119 return ptr - data;
2120}
2121
73ffa904 2122static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2123{
5dee9e7c
MH		 2124 struct l2cap_conf_rsp *rsp = data;
2125 void *ptr = rsp->data;
73ffa904
GP		 2126 void *req = chan->conf_req;
2127 int len = chan->conf_len;
5dee9e7c
MH		 2128 int type, hint, olen;
2129 unsigned long val;
6464f35f 2130 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2131 struct l2cap_conf_efs efs;
2132 u8 remote_efs = 0;
861d6882 2133 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2134 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2135 u16 size;
1da177e4 2136
73ffa904 2137 BT_DBG("chan %p", chan);
820ae1b8 2138
5dee9e7c
MH		 2139 while (len >= L2CAP_CONF_OPT_SIZE) {
2140 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2141
589d2746 2142 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2143 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2144
2145 switch (type) {
2146 case L2CAP_CONF_MTU:
861d6882 2147 mtu = val;
5dee9e7c
MH		 2148 break;
2149
2150 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2151 chan->flush_to = val;
5dee9e7c
MH		 2152 break;
2153
2154 case L2CAP_CONF_QOS:
2155 break;
2156
6464f35f
MH		 2157 case L2CAP_CONF_RFC:
2158 if (olen == sizeof(rfc))
2159 memcpy(&rfc, (void *) val, olen);
2160 break;
2161
fcc203c3
GP		 2162 case L2CAP_CONF_FCS:
2163 if (val == L2CAP_FCS_NONE)
c1360a1c 2164 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 2165 break;
fcc203c3 2166
42dceae2
AE		 2167 case L2CAP_CONF_EFS:
2168 remote_efs = 1;
2169 if (olen == sizeof(efs))
2170 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 2171 break;
2172
6327eb98
AE		 2173 case L2CAP_CONF_EWS:
2174 if (!enable_hs)
2175 return -ECONNREFUSED;
2176
2177 set_bit(FLAG_EXT_CTRL, &chan->flags);
2178 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 2179 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98
AE		 2180 chan->remote_tx_win = val;
2181 break;
2182
5dee9e7c
MH		 2183 default:
2184 if (hint)
2185 break;
2186
2187 result = L2CAP_CONF_UNKNOWN;
2188 *((u8 *) ptr++) = type;
2189 break;
2190 }
2191 }
2192
73ffa904 2193 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2194 goto done;
2195
0c1bc5c6 2196 switch (chan->mode) {
f2fcfcd6
GP		 2197 case L2CAP_MODE_STREAMING:
2198 case L2CAP_MODE_ERTM:
c1360a1c 2199 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2200 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2201 chan->conn->feat_mask);
85eb53c6
GP		 2202 break;
2203 }
2204
42dceae2
AE		 2205 if (remote_efs) {
2206 if (__l2cap_efs_supported(chan))
2207 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2208 else
2209 return -ECONNREFUSED;
2210 }
2211
0c1bc5c6 2212 if (chan->mode != rfc.mode)
f2fcfcd6 2213 return -ECONNREFUSED;
742e519b 2214
f2fcfcd6 2215 break;
f2fcfcd6
GP		 2216 }
2217
2218done:
0c1bc5c6 2219 if (chan->mode != rfc.mode) {
f2fcfcd6 2220 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2221 rfc.mode = chan->mode;
f2fcfcd6 2222
73ffa904 2223 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2224 return -ECONNREFUSED;
2225
2226 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2227 sizeof(rfc), (unsigned long) &rfc);
2228 }
2229
5dee9e7c
MH		 2230 if (result == L2CAP_CONF_SUCCESS) {
2231 /* Configure output options and let the other side know
2232 * which ones we don't like. */
2233
f2fcfcd6
GP		 2234 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2235 result = L2CAP_CONF_UNACCEPT;
2236 else {
0c1bc5c6 2237 chan->omtu = mtu;
c1360a1c 2238 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 2239 }
0c1bc5c6 2240 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2241
42dceae2
AE		 2242 if (remote_efs) {
2243 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2244 efs.stype != L2CAP_SERV_NOTRAFIC &&
2245 efs.stype != chan->local_stype) {
2246
2247 result = L2CAP_CONF_UNACCEPT;
2248
2249 if (chan->num_conf_req >= 1)
2250 return -ECONNREFUSED;
2251
2252 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 2253 sizeof(efs),
42dceae2 2254 (unsigned long) &efs);
0e8b207e 2255 } else {
3e6b3b95 2256 /* Send PENDING Conf Rsp */
0e8b207e
AE		 2257 result = L2CAP_CONF_PENDING;
2258 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 2259 }
2260 }
2261
f2fcfcd6
GP		 2262 switch (rfc.mode) {
2263 case L2CAP_MODE_BASIC:
47d1ec61 2264 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2265 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 2266 break;
2267
2268 case L2CAP_MODE_ERTM:
6327eb98
AE		 2269 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
2270 chan->remote_tx_win = rfc.txwin_size;
2271 else
2272 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
2273
2c03a7a4 2274 chan->remote_max_tx = rfc.max_transmit;
86b1b263 2275
c8f79162
AE		 2276 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2277 chan->conn->mtu -
2278 L2CAP_EXT_HDR_SIZE -
2279 L2CAP_SDULEN_SIZE -
2280 L2CAP_FCS_SIZE);
2281 rfc.max_pdu_size = cpu_to_le16(size);
2282 chan->remote_mps = size;
f2fcfcd6 2283
10467e9e
GP		 2284 rfc.retrans_timeout =
2285 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2286 rfc.monitor_timeout =
2287 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2288
c1360a1c 2289 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2290
2291 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2292 sizeof(rfc), (unsigned long) &rfc);
2293
42dceae2
AE		 2294 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2295 chan->remote_id = efs.id;
2296 chan->remote_stype = efs.stype;
2297 chan->remote_msdu = le16_to_cpu(efs.msdu);
2298 chan->remote_flush_to =
2299 le32_to_cpu(efs.flush_to);
2300 chan->remote_acc_lat =
2301 le32_to_cpu(efs.acc_lat);
2302 chan->remote_sdu_itime =
2303 le32_to_cpu(efs.sdu_itime);
2304 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2305 sizeof(efs), (unsigned long) &efs);
2306 }
f2fcfcd6
GP		 2307 break;
2308
2309 case L2CAP_MODE_STREAMING:
c8f79162
AE		 2310 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2311 chan->conn->mtu -
2312 L2CAP_EXT_HDR_SIZE -
2313 L2CAP_SDULEN_SIZE -
2314 L2CAP_FCS_SIZE);
2315 rfc.max_pdu_size = cpu_to_le16(size);
2316 chan->remote_mps = size;
f2fcfcd6 2317
c1360a1c 2318 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2319
2320 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2321 sizeof(rfc), (unsigned long) &rfc);
2322
f2fcfcd6
GP		 2323 break;
2324
2325 default:
5dee9e7c 2326 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2327
6464f35f 2328 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2329 rfc.mode = chan->mode;
f2fcfcd6 2330 }
6464f35f 2331
f2fcfcd6 2332 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 2333 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 2334 }
fe4128e0 2335 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2336 rsp->result = cpu_to_le16(result);
2337 rsp->flags = cpu_to_le16(0x0000);
2338
2339 return ptr - data;
1da177e4
LT		 2340}
2341
b4450035 2342static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2343{
f2fcfcd6
GP		 2344 struct l2cap_conf_req *req = data;
2345 void *ptr = req->data;
2346 int type, olen;
2347 unsigned long val;
2348 struct l2cap_conf_rfc rfc;
2349
fe4128e0 2350 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 2351
2352 while (len >= L2CAP_CONF_OPT_SIZE) {
2353 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2354
2355 switch (type) {
2356 case L2CAP_CONF_MTU:
2357 if (val < L2CAP_DEFAULT_MIN_MTU) {
2358 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2359 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2360 } else
0c1bc5c6
GP		 2361 chan->imtu = val;
2362 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 2363 break;
2364
2365 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2366 chan->flush_to = val;
f2fcfcd6 2367 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 2368 2, chan->flush_to);
f2fcfcd6
GP		 2369 break;
2370
2371 case L2CAP_CONF_RFC:
2372 if (olen == sizeof(rfc))
2373 memcpy(&rfc, (void *)val, olen);
2374
c1360a1c 2375 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 2376 rfc.mode != chan->mode)
f2fcfcd6
GP		 2377 return -ECONNREFUSED;
2378
47d1ec61 2379 chan->fcs = 0;
f2fcfcd6
GP		 2380
2381 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2382 sizeof(rfc), (unsigned long) &rfc);
2383 break;
6327eb98
AE		 2384
2385 case L2CAP_CONF_EWS:
2386 chan->tx_win = min_t(u16, val,
2387 L2CAP_DEFAULT_EXT_WINDOW);
3e6b3b95
GP		 2388 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2389 chan->tx_win);
6327eb98 2390 break;
f2fcfcd6
GP		 2391 }
2392 }
2393
0c1bc5c6 2394 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 2395 return -ECONNREFUSED;
2396
0c1bc5c6 2397 chan->mode = rfc.mode;
6c2ea7a8 2398
0e8b207e 2399 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 2400 switch (rfc.mode) {
2401 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2402 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2403 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2404 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2405 break;
2406 case L2CAP_MODE_STREAMING:
47d1ec61 2407 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2408 }
2409 }
2410
fe4128e0 2411 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 2412 req->flags = cpu_to_le16(0x0000);
2413
2414 return ptr - data;
2415}
2416
fe4128e0 2417static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 2418{
2419 struct l2cap_conf_rsp *rsp = data;
2420 void *ptr = rsp->data;
1da177e4 2421
fe4128e0 2422 BT_DBG("chan %p", chan);
1da177e4 2423
fe4128e0 2424 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 2425 rsp->result = cpu_to_le16(result);
aca3192c 2426 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2427
2428 return ptr - data;
2429}
2430
8c1d787b 2431void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 2432{
2433 struct l2cap_conn_rsp rsp;
8c1d787b 2434 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 2435 u8 buf[128];
2436
fe4128e0
GP		 2437 rsp.scid = cpu_to_le16(chan->dcid);
2438 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 2439 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2440 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2441 l2cap_send_cmd(conn, chan->ident,
2442 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2443
c1360a1c 2444 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 2445 return;
2446
710f9b0a
GP		 2447 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2448 l2cap_build_conf_req(chan, buf), buf);
2449 chan->num_conf_req++;
2450}
2451
47d1ec61 2452static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 2453{
7b1c0049
GP		 2454 int type, olen;
2455 unsigned long val;
2456 struct l2cap_conf_rfc rfc;
2457
47d1ec61 2458 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 2459
0c1bc5c6 2460 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 2461 return;
2462
2463 while (len >= L2CAP_CONF_OPT_SIZE) {
2464 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2465
2466 switch (type) {
2467 case L2CAP_CONF_RFC:
2468 if (olen == sizeof(rfc))
2469 memcpy(&rfc, (void *)val, olen);
2470 goto done;
2471 }
2472 }
2473
2474done:
2475 switch (rfc.mode) {
2476 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2477 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2478 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2479 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2480 break;
2481 case L2CAP_MODE_STREAMING:
47d1ec61 2482 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2483 }
2484}
2485
4e8402a3
MH		 2486static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2487{
e2fd318e 2488 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 2489
e2fd318e 2490 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 2491 return 0;
2492
2493 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2494 cmd->ident == conn->info_ident) {
4e8402a3 2495 del_timer(&conn->info_timer);
984947dc
MH		 2496
2497 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2498 conn->info_ident = 0;
984947dc 2499
4e8402a3
MH		 2500 l2cap_conn_start(conn);
2501 }
2502
2503 return 0;
2504}
2505
1da177e4
LT		 2506static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2507{
1da177e4
LT		 2508 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2509 struct l2cap_conn_rsp rsp;
23691d75 2510 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 2511 struct sock *parent, *sk = NULL;
e7c29cb1 2512 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2513
2514 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2515 __le16 psm = req->psm;
1da177e4
LT		 2516
2517 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2518
2519 /* Check if we have socket listening on psm */
23691d75
GP		 2520 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
2521 if (!pchan) {
1da177e4
LT		 2522 result = L2CAP_CR_BAD_PSM;
2523 goto sendresp;
2524 }
2525
23691d75
GP		 2526 parent = pchan->sk;
2527
e0f0cb56
GP		 2528 bh_lock_sock(parent);
2529
e7c29cb1
MH		 2530 /* Check if the ACL is secure enough (if not SDP) */
2531 if (psm != cpu_to_le16(0x0001) &&
2532 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 2533 conn->disc_reason = 0x05;
e7c29cb1
MH		 2534 result = L2CAP_CR_SEC_BLOCK;
2535 goto response;
2536 }
2537
1da177e4
LT		 2538 result = L2CAP_CR_NO_MEM;
2539
2540 /* Check for backlog size */
2541 if (sk_acceptq_is_full(parent)) {
8e87d142 2542 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2543 goto response;
2544 }
2545
80808e43
GP		 2546 chan = pchan->ops->new_connection(pchan->data);
2547 if (!chan)
1da177e4
LT		 2548 goto response;
2549
80808e43
GP		 2550 sk = chan->sk;
2551
baa7e1fa 2552 write_lock_bh(&conn->chan_lock);
1da177e4
LT		 2553
2554 /* Check if we already have channel with that dcid */
baa7e1fa
GP		 2555 if (__l2cap_get_chan_by_dcid(conn, scid)) {
2556 write_unlock_bh(&conn->chan_lock);
1da177e4 2557 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 2558 chan->ops->close(chan->data);
1da177e4
LT		 2559 goto response;
2560 }
2561
2562 hci_conn_hold(conn->hcon);
2563
1da177e4
LT		 2564 bacpy(&bt_sk(sk)->src, conn->src);
2565 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 2566 chan->psm = psm;
2567 chan->dcid = scid;
1da177e4 2568
d1010240
GP		 2569 bt_accept_enqueue(parent, sk);
2570
48454079
GP		 2571 __l2cap_chan_add(conn, chan);
2572
fe4128e0 2573 dcid = chan->scid;
1da177e4 2574
c9b66675 2575 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 2576
fc7f8a7e 2577 chan->ident = cmd->ident;
1da177e4 2578
984947dc 2579 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
4343478f 2580 if (l2cap_check_security(chan)) {
f66dc81f 2581 if (bt_sk(sk)->defer_setup) {
89bc500e 2582 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 2583 result = L2CAP_CR_PEND;
2584 status = L2CAP_CS_AUTHOR_PEND;
2585 parent->sk_data_ready(parent, 0);
2586 } else {
89bc500e 2587 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 2588 result = L2CAP_CR_SUCCESS;
2589 status = L2CAP_CS_NO_INFO;
2590 }
79d554a6 2591 } else {
89bc500e 2592 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2593 result = L2CAP_CR_PEND;
2594 status = L2CAP_CS_AUTHEN_PEND;
2595 }
2596 } else {
89bc500e 2597 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2598 result = L2CAP_CR_PEND;
2599 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2600 }
2601
baa7e1fa 2602 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 2603
2604response:
2605 bh_unlock_sock(parent);
2606
2607sendresp:
aca3192c
YH		 2608 rsp.scid = cpu_to_le16(scid);
2609 rsp.dcid = cpu_to_le16(dcid);
2610 rsp.result = cpu_to_le16(result);
2611 rsp.status = cpu_to_le16(status);
1da177e4 2612 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2613
2614 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2615 struct l2cap_info_req info;
2616 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2617
2618 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2619 conn->info_ident = l2cap_get_ident(conn);
2620
2621 mod_timer(&conn->info_timer, jiffies +
2622 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2623
2624 l2cap_send_cmd(conn, conn->info_ident,
2625 L2CAP_INFO_REQ, sizeof(info), &info);
2626 }
2627
c1360a1c 2628 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 2629 result == L2CAP_CR_SUCCESS) {
2630 u8 buf[128];
c1360a1c 2631 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 2632 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2633 l2cap_build_conf_req(chan, buf), buf);
2634 chan->num_conf_req++;
e9aeb2dd
GP		 2635 }
2636
1da177e4
LT		 2637 return 0;
2638}
2639
2640static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2641{
2642 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2643 u16 scid, dcid, result, status;
48454079 2644 struct l2cap_chan *chan;
1da177e4
LT		 2645 struct sock *sk;
2646 u8 req[128];
2647
2648 scid = __le16_to_cpu(rsp->scid);
2649 dcid = __le16_to_cpu(rsp->dcid);
2650 result = __le16_to_cpu(rsp->result);
2651 status = __le16_to_cpu(rsp->status);
2652
2653 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2654
2655 if (scid) {
baa7e1fa 2656 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2657 if (!chan)
57d3b22b 2658 return -EFAULT;
1da177e4 2659 } else {
baa7e1fa 2660 chan = l2cap_get_chan_by_ident(conn, cmd->ident);
48454079 2661 if (!chan)
57d3b22b 2662 return -EFAULT;
1da177e4
LT		 2663 }
2664
48454079
GP		 2665 sk = chan->sk;
2666
1da177e4
LT		 2667 switch (result) {
2668 case L2CAP_CR_SUCCESS:
89bc500e 2669 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 2670 chan->ident = 0;
fe4128e0 2671 chan->dcid = dcid;
c1360a1c 2672 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 2673
c1360a1c 2674 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 2675 break;
2676
1da177e4 2677 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2678 l2cap_build_conf_req(chan, req), req);
2679 chan->num_conf_req++;
1da177e4
LT		 2680 break;
2681
2682 case L2CAP_CR_PEND:
c1360a1c 2683 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 2684 break;
2685
2686 default:
a49184c2
AE		 2687 /* don't delete l2cap channel if sk is owned by user */
2688 if (sock_owned_by_user(sk)) {
89bc500e 2689 l2cap_state_change(chan, BT_DISCONN);
c9b66675
GP		 2690 __clear_chan_timer(chan);
2691 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2692 break;
2693 }
2694
48454079 2695 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 2696 break;
2697 }
2698
2699 bh_unlock_sock(sk);
2700 return 0;
2701}
2702
47d1ec61 2703static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 2704{
2705 /* FCS is enabled only in ERTM or streaming mode, if one or both
2706 * sides request it.
2707 */
0c1bc5c6 2708 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 2709 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2710 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 2711 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 2712}
2713
88219a0f 2714static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2715{
2716 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2717 u16 dcid, flags;
2718 u8 rsp[64];
48454079 2719 struct l2cap_chan *chan;
1da177e4 2720 struct sock *sk;
5dee9e7c 2721 int len;
1da177e4
LT		 2722
2723 dcid = __le16_to_cpu(req->dcid);
2724 flags = __le16_to_cpu(req->flags);
2725
2726 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2727
baa7e1fa 2728 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2729 if (!chan)
1da177e4
LT		 2730 return -ENOENT;
2731
48454079
GP		 2732 sk = chan->sk;
2733
033b1142 2734 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 2735 struct l2cap_cmd_rej_cid rej;
2736
2737 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
2738 rej.scid = cpu_to_le16(chan->scid);
2739 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 2740
df6bd743
GP		 2741 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2742 sizeof(rej), &rej);
354f60a9 2743 goto unlock;
df6bd743 2744 }
354f60a9 2745
5dee9e7c 2746 /* Reject if config buffer is too small. */
88219a0f 2747 len = cmd_len - sizeof(*req);
7ac28817 2748 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 2749 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2750 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 2751 L2CAP_CONF_REJECT, flags), rsp);
2752 goto unlock;
2753 }
2754
2755 /* Store config. */
73ffa904
GP		 2756 memcpy(chan->conf_req + chan->conf_len, req->data, len);
2757 chan->conf_len += len;
1da177e4
LT		 2758
2759 if (flags & 0x0001) {
2760 /* Incomplete config. Send empty response. */
2761 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2762 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 2763 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2764 goto unlock;
2765 }
2766
2767 /* Complete config. */
73ffa904 2768 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 2769 if (len < 0) {
e92c8e70 2770 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 2771 goto unlock;
f2fcfcd6 2772 }
1da177e4 2773
5dee9e7c 2774 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 2775 chan->num_conf_rsp++;
5dee9e7c 2776
5dee9e7c 2777 /* Reset config buffer. */
73ffa904 2778 chan->conf_len = 0;
5dee9e7c 2779
c1360a1c 2780 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 2781 goto unlock;
2782
c1360a1c 2783 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 2784 set_default_fcs(chan);
fcc203c3 2785
89bc500e 2786 l2cap_state_change(chan, BT_CONNECTED);
e90bac06 2787
42e5c802
GP		 2788 chan->next_tx_seq = 0;
2789 chan->expected_tx_seq = 0;
58d35f87 2790 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2791 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2792 l2cap_ertm_init(chan);
0565c1c2 2793
1da177e4 2794 l2cap_chan_ready(sk);
876d9484
MH		 2795 goto unlock;
2796 }
2797
c1360a1c 2798 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 2799 u8 buf[64];
1da177e4 2800 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2801 l2cap_build_conf_req(chan, buf), buf);
2802 chan->num_conf_req++;
1da177e4
LT		 2803 }
2804
0e8b207e
AE		 2805 /* Got Conf Rsp PENDING from remote side and asume we sent
2806 Conf Rsp PENDING in the code above */
2807 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
2808 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
2809
2810 /* check compatibility */
2811
2812 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
2813 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
2814
2815 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 2816 l2cap_build_conf_rsp(chan, rsp,
0e8b207e
AE		 2817 L2CAP_CONF_SUCCESS, 0x0000), rsp);
2818 }
2819
1da177e4
LT		 2820unlock:
2821 bh_unlock_sock(sk);
2822 return 0;
2823}
2824
2825static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2826{
2827 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2828 u16 scid, flags, result;
48454079 2829 struct l2cap_chan *chan;
1da177e4 2830 struct sock *sk;
7b1c0049 2831 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 2832
2833 scid = __le16_to_cpu(rsp->scid);
2834 flags = __le16_to_cpu(rsp->flags);
2835 result = __le16_to_cpu(rsp->result);
2836
af05b30b
GP		 2837 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2838 scid, flags, result);
1da177e4 2839
baa7e1fa 2840 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2841 if (!chan)
1da177e4
LT		 2842 return 0;
2843
48454079
GP		 2844 sk = chan->sk;
2845
1da177e4
LT		 2846 switch (result) {
2847 case L2CAP_CONF_SUCCESS:
47d1ec61 2848 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 2849 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 2850 break;
2851
0e8b207e
AE		 2852 case L2CAP_CONF_PENDING:
2853 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
2854
2855 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
2856 char buf[64];
2857
2858 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2859 buf, &result);
2860 if (len < 0) {
2861 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2862 goto done;
2863 }
2864
2865 /* check compatibility */
2866
2867 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
2868 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
2869
2870 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 2871 l2cap_build_conf_rsp(chan, buf,
0e8b207e
AE		 2872 L2CAP_CONF_SUCCESS, 0x0000), buf);
2873 }
2874 goto done;
2875
1da177e4 2876 case L2CAP_CONF_UNACCEPT:
73ffa904 2877 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 2878 char req[64];
2879
c2c77ec8 2880 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 2881 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 2882 goto done;
2883 }
2884
f2fcfcd6
GP		 2885 /* throw out any old stored conf requests */
2886 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 2887 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2888 req, &result);
f2fcfcd6 2889 if (len < 0) {
e92c8e70 2890 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 2891 goto done;
2892 }
2893
2894 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2895 L2CAP_CONF_REQ, len, req);
73ffa904 2896 chan->num_conf_req++;
f2fcfcd6
GP		 2897 if (result != L2CAP_CONF_SUCCESS)
2898 goto done;
2899 break;
1da177e4
LT		 2900 }
2901
8e87d142 2902 default:
b1235d79 2903 sk->sk_err = ECONNRESET;
c9b66675 2904 __set_chan_timer(chan, HZ * 5);
e92c8e70 2905 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 2906 goto done;
2907 }
2908
2909 if (flags & 0x01)
2910 goto done;
2911
c1360a1c 2912 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 2913
c1360a1c 2914 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 2915 set_default_fcs(chan);
fcc203c3 2916
89bc500e 2917 l2cap_state_change(chan, BT_CONNECTED);
42e5c802
GP		 2918 chan->next_tx_seq = 0;
2919 chan->expected_tx_seq = 0;
58d35f87 2920 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2921 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2922 l2cap_ertm_init(chan);
0565c1c2 2923
1da177e4
LT		 2924 l2cap_chan_ready(sk);
2925 }
2926
2927done:
2928 bh_unlock_sock(sk);
2929 return 0;
2930}
2931
2932static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2933{
2934 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2935 struct l2cap_disconn_rsp rsp;
2936 u16 dcid, scid;
48454079 2937 struct l2cap_chan *chan;
1da177e4
LT		 2938 struct sock *sk;
2939
2940 scid = __le16_to_cpu(req->scid);
2941 dcid = __le16_to_cpu(req->dcid);
2942
2943 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2944
baa7e1fa 2945 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2946 if (!chan)
1da177e4
LT		 2947 return 0;
2948
48454079
GP		 2949 sk = chan->sk;
2950
fe4128e0
GP		 2951 rsp.dcid = cpu_to_le16(chan->scid);
2952 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 2953 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2954
2955 sk->sk_shutdown = SHUTDOWN_MASK;
2956
a49184c2
AE		 2957 /* don't delete l2cap channel if sk is owned by user */
2958 if (sock_owned_by_user(sk)) {
89bc500e 2959 l2cap_state_change(chan, BT_DISCONN);
c9b66675
GP		 2960 __clear_chan_timer(chan);
2961 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2962 bh_unlock_sock(sk);
2963 return 0;
2964 }
2965
48454079 2966 l2cap_chan_del(chan, ECONNRESET);
1da177e4
LT		 2967 bh_unlock_sock(sk);
2968
ba3bd0ee 2969 chan->ops->close(chan->data);
1da177e4
LT		 2970 return 0;
2971}
2972
2973static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2974{
2975 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2976 u16 dcid, scid;
48454079 2977 struct l2cap_chan *chan;
1da177e4
LT		 2978 struct sock *sk;
2979
2980 scid = __le16_to_cpu(rsp->scid);
2981 dcid = __le16_to_cpu(rsp->dcid);
2982
2983 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2984
baa7e1fa 2985 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2986 if (!chan)
1da177e4
LT		 2987 return 0;
2988
48454079
GP		 2989 sk = chan->sk;
2990
a49184c2
AE		 2991 /* don't delete l2cap channel if sk is owned by user */
2992 if (sock_owned_by_user(sk)) {
89bc500e 2993 l2cap_state_change(chan,BT_DISCONN);
c9b66675
GP		 2994 __clear_chan_timer(chan);
2995 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2996 bh_unlock_sock(sk);
2997 return 0;
2998 }
2999
48454079 3000 l2cap_chan_del(chan, 0);
1da177e4
LT		 3001 bh_unlock_sock(sk);
3002
ba3bd0ee 3003 chan->ops->close(chan->data);
1da177e4
LT		 3004 return 0;
3005}
3006
3007static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3008{
3009 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3010 u16 type;
3011
3012 type = __le16_to_cpu(req->type);
3013
3014 BT_DBG("type 0x%4.4x", type);
3015
f0709e03
MH		 3016 if (type == L2CAP_IT_FEAT_MASK) {
3017 u8 buf[8];
44dd46de 3018 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 3019 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3020 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3021 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3022 if (!disable_ertm)
fcc203c3
GP		 3023 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3024 | L2CAP_FEAT_FCS;
a5fd6f30 3025 if (enable_hs)
6327eb98
AE		 3026 feat_mask |= L2CAP_FEAT_EXT_FLOW
3027 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3028
1b7bf4ed 3029 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3030 l2cap_send_cmd(conn, cmd->ident,
3031 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3032 } else if (type == L2CAP_IT_FIXED_CHAN) {
3033 u8 buf[12];
3034 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3035 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3036 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3037 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH		 3038 l2cap_send_cmd(conn, cmd->ident,
3039 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3040 } else {
3041 struct l2cap_info_rsp rsp;
3042 rsp.type = cpu_to_le16(type);
3043 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3044 l2cap_send_cmd(conn, cmd->ident,
3045 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3046 }
1da177e4
LT		 3047
3048 return 0;
3049}
3050
3051static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3052{
3053 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3054 u16 type, result;
3055
3056 type = __le16_to_cpu(rsp->type);
3057 result = __le16_to_cpu(rsp->result);
3058
3059 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3060
e90165be
AE		 3061 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3062 if (cmd->ident != conn->info_ident ||
3063 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3064 return 0;
3065
4e8402a3
MH		 3066 del_timer(&conn->info_timer);
3067
adb08ede
VT		 3068 if (result != L2CAP_IR_SUCCESS) {
3069 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3070 conn->info_ident = 0;
3071
3072 l2cap_conn_start(conn);
3073
3074 return 0;
3075 }
3076
984947dc 3077 if (type == L2CAP_IT_FEAT_MASK) {
83985319 3078 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3079
47ec1dcd 3080 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 3081 struct l2cap_info_req req;
3082 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3083
3084 conn->info_ident = l2cap_get_ident(conn);
3085
3086 l2cap_send_cmd(conn, conn->info_ident,
3087 L2CAP_INFO_REQ, sizeof(req), &req);
3088 } else {
3089 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3090 conn->info_ident = 0;
3091
3092 l2cap_conn_start(conn);
3093 }
3094 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 3095 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3096 conn->info_ident = 0;
984947dc
MH		 3097
3098 l2cap_conn_start(conn);
3099 }
4e8402a3 3100
1da177e4
LT		 3101 return 0;
3102}
3103
e2174ca4 3104static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 3105 u16 to_multiplier)
3106{
3107 u16 max_latency;
3108
3109 if (min > max || min < 6 || max > 3200)
3110 return -EINVAL;
3111
3112 if (to_multiplier < 10 || to_multiplier > 3200)
3113 return -EINVAL;
3114
3115 if (max >= to_multiplier * 8)
3116 return -EINVAL;
3117
3118 max_latency = (to_multiplier * 8 / max) - 1;
3119 if (latency > 499 || latency > max_latency)
3120 return -EINVAL;
3121
3122 return 0;
3123}
3124
3125static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
3126 struct l2cap_cmd_hdr *cmd, u8 *data)
3127{
3128 struct hci_conn *hcon = conn->hcon;
3129 struct l2cap_conn_param_update_req *req;
3130 struct l2cap_conn_param_update_rsp rsp;
3131 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 3132 int err;
de73115a
CT		 3133
3134 if (!(hcon->link_mode & HCI_LM_MASTER))
3135 return -EINVAL;
3136
3137 cmd_len = __le16_to_cpu(cmd->len);
3138 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
3139 return -EPROTO;
3140
3141 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 3142 min = __le16_to_cpu(req->min);
3143 max = __le16_to_cpu(req->max);
de73115a
CT		 3144 latency = __le16_to_cpu(req->latency);
3145 to_multiplier = __le16_to_cpu(req->to_multiplier);
3146
3147 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
3148 min, max, latency, to_multiplier);
3149
3150 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 3151
3152 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
3153 if (err)
de73115a
CT		 3154 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
3155 else
3156 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
3157
3158 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
3159 sizeof(rsp), &rsp);
3160
2ce603eb
CT		 3161 if (!err)
3162 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
3163
de73115a
CT		 3164 return 0;
3165}
3166
3300d9a9
CT		 3167static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
3168 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3169{
3170 int err = 0;
3171
3172 switch (cmd->code) {
3173 case L2CAP_COMMAND_REJ:
3174 l2cap_command_rej(conn, cmd, data);
3175 break;
3176
3177 case L2CAP_CONN_REQ:
3178 err = l2cap_connect_req(conn, cmd, data);
3179 break;
3180
3181 case L2CAP_CONN_RSP:
3182 err = l2cap_connect_rsp(conn, cmd, data);
3183 break;
3184
3185 case L2CAP_CONF_REQ:
3186 err = l2cap_config_req(conn, cmd, cmd_len, data);
3187 break;
3188
3189 case L2CAP_CONF_RSP:
3190 err = l2cap_config_rsp(conn, cmd, data);
3191 break;
3192
3193 case L2CAP_DISCONN_REQ:
3194 err = l2cap_disconnect_req(conn, cmd, data);
3195 break;
3196
3197 case L2CAP_DISCONN_RSP:
3198 err = l2cap_disconnect_rsp(conn, cmd, data);
3199 break;
3200
3201 case L2CAP_ECHO_REQ:
3202 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
3203 break;
3204
3205 case L2CAP_ECHO_RSP:
3206 break;
3207
3208 case L2CAP_INFO_REQ:
3209 err = l2cap_information_req(conn, cmd, data);
3210 break;
3211
3212 case L2CAP_INFO_RSP:
3213 err = l2cap_information_rsp(conn, cmd, data);
3214 break;
3215
3216 default:
3217 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
3218 err = -EINVAL;
3219 break;
3220 }
3221
3222 return err;
3223}
3224
3225static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
3226 struct l2cap_cmd_hdr *cmd, u8 *data)
3227{
3228 switch (cmd->code) {
3229 case L2CAP_COMMAND_REJ:
3230 return 0;
3231
3232 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 3233 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 3234
3235 case L2CAP_CONN_PARAM_UPDATE_RSP:
3236 return 0;
3237
3238 default:
3239 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
3240 return -EINVAL;
3241 }
3242}
3243
3244static inline void l2cap_sig_channel(struct l2cap_conn *conn,
3245 struct sk_buff *skb)
1da177e4
LT		 3246{
3247 u8 *data = skb->data;
3248 int len = skb->len;
3249 struct l2cap_cmd_hdr cmd;
3300d9a9 3250 int err;
1da177e4
LT		 3251
3252 l2cap_raw_recv(conn, skb);
3253
3254 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3255 u16 cmd_len;
1da177e4
LT		 3256 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3257 data += L2CAP_CMD_HDR_SIZE;
3258 len -= L2CAP_CMD_HDR_SIZE;
3259
88219a0f 3260 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3261
88219a0f 3262 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3263
88219a0f 3264 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3265 BT_DBG("corrupted command");
3266 break;
3267 }
3268
3300d9a9
CT		 3269 if (conn->hcon->type == LE_LINK)
3270 err = l2cap_le_sig_cmd(conn, &cmd, data);
3271 else
3272 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 3273
3274 if (err) {
e2fd318e 3275 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 3276
3277 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 3278
3279 /* FIXME: Map err to a valid reason */
e2fd318e 3280 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 3281 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3282 }
3283
88219a0f
AV		 3284 data += cmd_len;
3285 len -= cmd_len;
1da177e4
LT		 3286 }
3287
3288 kfree_skb(skb);
3289}
3290
47d1ec61 3291static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 3292{
3293 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 3294 int hdr_size;
3295
3296 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3297 hdr_size = L2CAP_EXT_HDR_SIZE;
3298 else
3299 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 3300
47d1ec61 3301 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 3302 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 3303 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3304 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3305
3306 if (our_fcs != rcv_fcs)
7a560e5c 3307 return -EBADMSG;
fcc203c3
GP		 3308 }
3309 return 0;
3310}
3311
525cd185 3312static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 3313{
88843ab0 3314 u32 control = 0;
d5392c8f 3315
6a026610 3316 chan->frames_sent = 0;
d5392c8f 3317
0b209fae 3318 control |= __set_reqseq(chan, chan->buffer_seq);
d5392c8f 3319
e2ab4353 3320 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 3321 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
525cd185 3322 l2cap_send_sframe(chan, control);
e2ab4353 3323 set_bit(CONN_RNR_SENT, &chan->conn_state);
d5392c8f
GP		 3324 }
3325
e2ab4353 3326 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
525cd185 3327 l2cap_retransmit_frames(chan);
d5392c8f 3328
525cd185 3329 l2cap_ertm_send(chan);
d5392c8f 3330
e2ab4353 3331 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
6a026610 3332 chan->frames_sent == 0) {
ab784b73 3333 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 3334 l2cap_send_sframe(chan, control);
d5392c8f
GP		 3335 }
3336}
3337
fb45de7d 3338static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u16 tx_seq, u8 sar)
8f17154f
GP		 3339{
3340 struct sk_buff *next_skb;
bfbacc11 3341 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 3342
3343 bt_cb(skb)->tx_seq = tx_seq;
3344 bt_cb(skb)->sar = sar;
3345
f1c6775b 3346 next_skb = skb_peek(&chan->srej_q);
8f17154f 3347 if (!next_skb) {
f1c6775b 3348 __skb_queue_tail(&chan->srej_q, skb);
9b53350d 3349 return 0;
8f17154f
GP		 3350 }
3351
836be934 3352 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
bfbacc11 3353
8f17154f 3354 do {
9b53350d
JPRV		 3355 if (bt_cb(next_skb)->tx_seq == tx_seq)
3356 return -EINVAL;
3357
836be934
AE		 3358 next_tx_seq_offset = __seq_offset(chan,
3359 bt_cb(next_skb)->tx_seq, chan->buffer_seq);
bfbacc11
JPRV		 3360
3361 if (next_tx_seq_offset > tx_seq_offset) {
f1c6775b 3362 __skb_queue_before(&chan->srej_q, next_skb, skb);
9b53350d 3363 return 0;
8f17154f
GP		 3364 }
3365
f1c6775b 3366 if (skb_queue_is_last(&chan->srej_q, next_skb))
8f17154f
GP		 3367 break;
3368
f1c6775b 3369 } while ((next_skb = skb_queue_next(&chan->srej_q, next_skb)));
8f17154f 3370
f1c6775b 3371 __skb_queue_tail(&chan->srej_q, skb);
9b53350d
JPRV		 3372
3373 return 0;
8f17154f
GP		 3374}
3375
84084a31
MM		 3376static void append_skb_frag(struct sk_buff *skb,
3377 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 3378{
84084a31
MM		 3379 /* skb->len reflects data in skb as well as all fragments
3380 * skb->data_len reflects only data in fragments
3381 */
3382 if (!skb_has_frag_list(skb))
3383 skb_shinfo(skb)->frag_list = new_frag;
3384
3385 new_frag->next = NULL;
3386
3387 (*last_frag)->next = new_frag;
3388 *last_frag = new_frag;
3389
3390 skb->len += new_frag->len;
3391 skb->data_len += new_frag->len;
3392 skb->truesize += new_frag->truesize;
3393}
3394
88843ab0 3395static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u32 control)
84084a31
MM		 3396{
3397 int err = -EINVAL;
18778a63 3398
7e0ef6ee
AE		 3399 switch (__get_ctrl_sar(chan, control)) {
3400 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 3401 if (chan->sdu)
3402 break;
18778a63 3403
84084a31
MM		 3404 err = chan->ops->recv(chan->data, skb);
3405 break;
18778a63 3406
7e0ef6ee 3407 case L2CAP_SAR_START:
84084a31
MM		 3408 if (chan->sdu)
3409 break;
18778a63 3410
6f61fd47 3411 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 3412 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 3413
84084a31
MM		 3414 if (chan->sdu_len > chan->imtu) {
3415 err = -EMSGSIZE;
3416 break;
3417 }
1890d36b 3418
84084a31
MM		 3419 if (skb->len >= chan->sdu_len)
3420 break;
18778a63 3421
84084a31
MM		 3422 chan->sdu = skb;
3423 chan->sdu_last_frag = skb;
18778a63 3424
84084a31
MM		 3425 skb = NULL;
3426 err = 0;
18778a63
GP		 3427 break;
3428
7e0ef6ee 3429 case L2CAP_SAR_CONTINUE:
6f61fd47 3430 if (!chan->sdu)
84084a31 3431 break;
18778a63 3432
84084a31
MM		 3433 append_skb_frag(chan->sdu, skb,
3434 &chan->sdu_last_frag);
3435 skb = NULL;
18778a63 3436
84084a31
MM		 3437 if (chan->sdu->len >= chan->sdu_len)
3438 break;
4178ba46 3439
84084a31 3440 err = 0;
18778a63
GP		 3441 break;
3442
7e0ef6ee 3443 case L2CAP_SAR_END:
6f61fd47 3444 if (!chan->sdu)
84084a31 3445 break;
18778a63 3446
84084a31
MM		 3447 append_skb_frag(chan->sdu, skb,
3448 &chan->sdu_last_frag);
3449 skb = NULL;
4178ba46 3450
84084a31
MM		 3451 if (chan->sdu->len != chan->sdu_len)
3452 break;
18778a63 3453
84084a31 3454 err = chan->ops->recv(chan->data, chan->sdu);
1890d36b 3455
84084a31
MM		 3456 if (!err) {
3457 /* Reassembly complete */
3458 chan->sdu = NULL;
3459 chan->sdu_last_frag = NULL;
3460 chan->sdu_len = 0;
1890d36b 3461 }
18778a63
GP		 3462 break;
3463 }
3464
84084a31
MM		 3465 if (err) {
3466 kfree_skb(skb);
3467 kfree_skb(chan->sdu);
3468 chan->sdu = NULL;
3469 chan->sdu_last_frag = NULL;
3470 chan->sdu_len = 0;
3471 }
18778a63 3472
84084a31 3473 return err;
18778a63
GP		 3474}
3475
26f880d2 3476static void l2cap_ertm_enter_local_busy(struct l2cap_chan *chan)
712132eb 3477{
88843ab0 3478 u32 control;
712132eb 3479
26f880d2 3480 BT_DBG("chan %p, Enter local busy", chan);
712132eb 3481
26f880d2
MM		 3482 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3483
0b209fae 3484 control = __set_reqseq(chan, chan->buffer_seq);
ab784b73 3485 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
26f880d2
MM		 3486 l2cap_send_sframe(chan, control);
3487
3488 set_bit(CONN_RNR_SENT, &chan->conn_state);
3489
3490 __clear_ack_timer(chan);
3491}
3492
3493static void l2cap_ertm_exit_local_busy(struct l2cap_chan *chan)
3494{
88843ab0 3495 u32 control;
712132eb 3496
e2ab4353 3497 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
712132eb
GP		 3498 goto done;
3499
0b209fae 3500 control = __set_reqseq(chan, chan->buffer_seq);
e3781735 3501 control |= __set_ctrl_poll(chan);
ab784b73 3502 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 3503 l2cap_send_sframe(chan, control);
6a026610 3504 chan->retry_count = 1;
712132eb 3505
1a09bcb9
GP		 3506 __clear_retrans_timer(chan);
3507 __set_monitor_timer(chan);
712132eb 3508
e2ab4353 3509 set_bit(CONN_WAIT_F, &chan->conn_state);
712132eb
GP		 3510
3511done:
e2ab4353
GP		 3512 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3513 clear_bit(CONN_RNR_SENT, &chan->conn_state);
712132eb 3514
49208c9c 3515 BT_DBG("chan %p, Exit local busy", chan);
712132eb
GP		 3516}
3517
e328140f 3518void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
1890d36b 3519{
e328140f
MM		 3520 if (chan->mode == L2CAP_MODE_ERTM) {
3521 if (busy)
3522 l2cap_ertm_enter_local_busy(chan);
3523 else
3524 l2cap_ertm_exit_local_busy(chan);
1890d36b 3525 }
1890d36b
GP		 3526}
3527
fb45de7d 3528static void l2cap_check_srej_gap(struct l2cap_chan *chan, u16 tx_seq)
8f17154f
GP		 3529{
3530 struct sk_buff *skb;
88843ab0 3531 u32 control;
8f17154f 3532
e328140f
MM		 3533 while ((skb = skb_peek(&chan->srej_q)) &&
3534 !test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3535 int err;
3536
8f17154f
GP		 3537 if (bt_cb(skb)->tx_seq != tx_seq)
3538 break;
3539
f1c6775b 3540 skb = skb_dequeue(&chan->srej_q);
7e0ef6ee 3541 control = __set_ctrl_sar(chan, bt_cb(skb)->sar);
84084a31 3542 err = l2cap_reassemble_sdu(chan, skb, control);
e328140f
MM		 3543
3544 if (err < 0) {
3545 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3546 break;
3547 }
3548
836be934
AE		 3549 chan->buffer_seq_srej = __next_seq(chan, chan->buffer_seq_srej);
3550 tx_seq = __next_seq(chan, tx_seq);
8f17154f
GP		 3551 }
3552}
3553
fb45de7d 3554static void l2cap_resend_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 3555{
8f17154f 3556 struct srej_list *l, *tmp;
88843ab0 3557 u32 control;
8f17154f 3558
39d5a3ee 3559 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
8f17154f
GP		 3560 if (l->tx_seq == tx_seq) {
3561 list_del(&l->list);
3562 kfree(l);
3563 return;
3564 }
ab784b73 3565 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 3566 control |= __set_reqseq(chan, l->tx_seq);
525cd185 3567 l2cap_send_sframe(chan, control);
8f17154f 3568 list_del(&l->list);
39d5a3ee 3569 list_add_tail(&l->list, &chan->srej_l);
8f17154f
GP		 3570 }
3571}
3572
fb45de7d 3573static void l2cap_send_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 3574{
8f17154f 3575 struct srej_list *new;
88843ab0 3576 u32 control;
8f17154f 3577
42e5c802 3578 while (tx_seq != chan->expected_tx_seq) {
ab784b73 3579 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 3580 control |= __set_reqseq(chan, chan->expected_tx_seq);
525cd185 3581 l2cap_send_sframe(chan, control);
8f17154f
GP		 3582
3583 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
42e5c802 3584 new->tx_seq = chan->expected_tx_seq;
836be934
AE		 3585
3586 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
3587
39d5a3ee 3588 list_add_tail(&new->list, &chan->srej_l);
8f17154f 3589 }
836be934
AE		 3590
3591 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
8f17154f
GP		 3592}
3593
88843ab0 3594static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
1c2acffb 3595{
fb45de7d 3596 u16 tx_seq = __get_txseq(chan, rx_control);
0b209fae 3597 u16 req_seq = __get_reqseq(chan, rx_control);
7e0ef6ee 3598 u8 sar = __get_ctrl_sar(chan, rx_control);
f6337c77 3599 int tx_seq_offset, expected_tx_seq_offset;
47d1ec61 3600 int num_to_ack = (chan->tx_win/6) + 1;
1c2acffb
GP		 3601 int err = 0;
3602
88843ab0 3603 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%8.8x", chan, skb->len,
525cd185 3604 tx_seq, rx_control);
1c2acffb 3605
03f6715d 3606 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 3607 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 3608 __clear_monitor_timer(chan);
6a026610 3609 if (chan->unacked_frames > 0)
1a09bcb9 3610 __set_retrans_timer(chan);
e2ab4353 3611 clear_bit(CONN_WAIT_F, &chan->conn_state);
1d8f5d16
GP		 3612 }
3613
42e5c802
GP		 3614 chan->expected_ack_seq = req_seq;
3615 l2cap_drop_acked_frames(chan);
9f121a5a 3616
836be934 3617 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
9b53350d
JPRV		 3618
3619 /* invalid tx_seq */
47d1ec61 3620 if (tx_seq_offset >= chan->tx_win) {
8c1d787b 3621 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
9b53350d
JPRV		 3622 goto drop;
3623 }
3624
e2ab4353 3625 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1890d36b
GP		 3626 goto drop;
3627
02f1b641
MM		 3628 if (tx_seq == chan->expected_tx_seq)
3629 goto expected;
3630
e2ab4353 3631 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
8f17154f 3632 struct srej_list *first;
30afb5b2 3633
39d5a3ee 3634 first = list_first_entry(&chan->srej_l,
8f17154f
GP		 3635 struct srej_list, list);
3636 if (tx_seq == first->tx_seq) {
42e5c802 3637 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
525cd185 3638 l2cap_check_srej_gap(chan, tx_seq);
8f17154f
GP		 3639
3640 list_del(&first->list);
3641 kfree(first);
3642
39d5a3ee 3643 if (list_empty(&chan->srej_l)) {
42e5c802 3644 chan->buffer_seq = chan->buffer_seq_srej;
e2ab4353 3645 clear_bit(CONN_SREJ_SENT, &chan->conn_state);
525cd185 3646 l2cap_send_ack(chan);
49208c9c 3647 BT_DBG("chan %p, Exit SREJ_SENT", chan);
8f17154f
GP		 3648 }
3649 } else {
3650 struct srej_list *l;
9b53350d
JPRV		 3651
3652 /* duplicated tx_seq */
42e5c802 3653 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
9b53350d 3654 goto drop;
8f17154f 3655
39d5a3ee 3656 list_for_each_entry(l, &chan->srej_l, list) {
8f17154f 3657 if (l->tx_seq == tx_seq) {
525cd185 3658 l2cap_resend_srejframe(chan, tx_seq);
8f17154f
GP		 3659 return 0;
3660 }
3661 }
525cd185 3662 l2cap_send_srejframe(chan, tx_seq);
30afb5b2
GP		 3663 }
3664 } else {
836be934
AE		 3665 expected_tx_seq_offset = __seq_offset(chan,
3666 chan->expected_tx_seq, chan->buffer_seq);
9b53350d
JPRV		 3667
3668 /* duplicated tx_seq */
3669 if (tx_seq_offset < expected_tx_seq_offset)
3670 goto drop;
3671
e2ab4353 3672 set_bit(CONN_SREJ_SENT, &chan->conn_state);
1c2acffb 3673
49208c9c 3674 BT_DBG("chan %p, Enter SREJ", chan);
0e98958d 3675
39d5a3ee 3676 INIT_LIST_HEAD(&chan->srej_l);
42e5c802 3677 chan->buffer_seq_srej = chan->buffer_seq;
8f17154f 3678
f1c6775b 3679 __skb_queue_head_init(&chan->srej_q);
42e5c802 3680 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
8f17154f 3681
e2ab4353 3682 set_bit(CONN_SEND_PBIT, &chan->conn_state);
ef54fd93 3683
525cd185 3684 l2cap_send_srejframe(chan, tx_seq);
7fe9b298 3685
1a09bcb9 3686 __clear_ack_timer(chan);
1c2acffb 3687 }
30afb5b2
GP		 3688 return 0;
3689
8f17154f 3690expected:
836be934 3691 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
8f17154f 3692
e2ab4353 3693 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3b1a9f3f
GP		 3694 bt_cb(skb)->tx_seq = tx_seq;
3695 bt_cb(skb)->sar = sar;
f1c6775b 3696 __skb_queue_tail(&chan->srej_q, skb);
8f17154f
GP		 3697 return 0;
3698 }
3699
84084a31 3700 err = l2cap_reassemble_sdu(chan, skb, rx_control);
836be934
AE		 3701 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
3702
e328140f
MM		 3703 if (err < 0) {
3704 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3705 return err;
3706 }
2ece3684 3707
03f6715d 3708 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3709 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3710 l2cap_retransmit_frames(chan);
4ec10d97
GP		 3711 }
3712
1a09bcb9 3713 __set_ack_timer(chan);
c1b4f43b 3714
6a026610
GP		 3715 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3716 if (chan->num_acked == num_to_ack - 1)
525cd185 3717 l2cap_send_ack(chan);
9e917af1 3718
8f17154f 3719 return 0;
9b53350d
JPRV		 3720
3721drop:
3722 kfree_skb(skb);
3723 return 0;
1c2acffb
GP		 3724}
3725
88843ab0 3726static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u32 rx_control)
1c2acffb 3727{
88843ab0 3728 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan,
0b209fae 3729 __get_reqseq(chan, rx_control), rx_control);
0e98958d 3730
0b209fae 3731 chan->expected_ack_seq = __get_reqseq(chan, rx_control);
42e5c802 3732 l2cap_drop_acked_frames(chan);
1c2acffb 3733
e3781735 3734 if (__is_ctrl_poll(chan, rx_control)) {
e2ab4353
GP		 3735 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3736 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3737 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 3738 (chan->unacked_frames > 0))
1a09bcb9 3739 __set_retrans_timer(chan);
05fbd89d 3740
e2ab4353 3741 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
525cd185 3742 l2cap_send_srejtail(chan);
05fbd89d 3743 } else {
525cd185 3744 l2cap_send_i_or_rr_or_rnr(chan);
05fbd89d 3745 }
1d8f5d16 3746
03f6715d 3747 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3748 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4ec10d97 3749
e2ab4353 3750 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3751 l2cap_retransmit_frames(chan);
2246b2f1 3752
e072745f 3753 } else {
e2ab4353 3754 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 3755 (chan->unacked_frames > 0))
1a09bcb9 3756 __set_retrans_timer(chan);
1c2acffb 3757
e2ab4353
GP		 3758 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3759 if (test_bit(CONN_SREJ_SENT, &chan->conn_state))
525cd185 3760 l2cap_send_ack(chan);
894718a6 3761 else
525cd185 3762 l2cap_ertm_send(chan);
e072745f
GP		 3763 }
3764}
2246b2f1 3765
88843ab0 3766static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 3767{
0b209fae 3768 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 3769
88843ab0 3770 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 3771
e2ab4353 3772 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
e072745f 3773
42e5c802
GP		 3774 chan->expected_ack_seq = tx_seq;
3775 l2cap_drop_acked_frames(chan);
e072745f 3776
03f6715d 3777 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3778 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3779 l2cap_retransmit_frames(chan);
e072745f 3780 } else {
525cd185 3781 l2cap_retransmit_frames(chan);
30afb5b2 3782
e2ab4353
GP		 3783 if (test_bit(CONN_WAIT_F, &chan->conn_state))
3784 set_bit(CONN_REJ_ACT, &chan->conn_state);
e072745f
GP		 3785 }
3786}
88843ab0 3787static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 3788{
0b209fae 3789 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 3790
88843ab0 3791 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 3792
e2ab4353 3793 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
2246b2f1 3794
e3781735 3795 if (__is_ctrl_poll(chan, rx_control)) {
42e5c802
GP		 3796 chan->expected_ack_seq = tx_seq;
3797 l2cap_drop_acked_frames(chan);
3cb123d1 3798
e2ab4353 3799 set_bit(CONN_SEND_FBIT, &chan->conn_state);
525cd185 3800 l2cap_retransmit_one_frame(chan, tx_seq);
dfc909be 3801
525cd185 3802 l2cap_ertm_send(chan);
dfc909be 3803
e2ab4353 3804 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 3805 chan->srej_save_reqseq = tx_seq;
e2ab4353 3806 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 3807 }
03f6715d 3808 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3809 if (test_bit(CONN_SREJ_ACT, &chan->conn_state) &&
6a026610 3810 chan->srej_save_reqseq == tx_seq)
e2ab4353 3811 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
e072745f 3812 else
525cd185 3813 l2cap_retransmit_one_frame(chan, tx_seq);
e072745f 3814 } else {
525cd185 3815 l2cap_retransmit_one_frame(chan, tx_seq);
e2ab4353 3816 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 3817 chan->srej_save_reqseq = tx_seq;
e2ab4353 3818 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 3819 }
e072745f
GP		 3820 }
3821}
3822
88843ab0 3823static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 3824{
0b209fae 3825 u16 tx_seq = __get_reqseq(chan, rx_control);
e072745f 3826
88843ab0 3827 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 3828
e2ab4353 3829 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
42e5c802
GP		 3830 chan->expected_ack_seq = tx_seq;
3831 l2cap_drop_acked_frames(chan);
e072745f 3832
e3781735 3833 if (__is_ctrl_poll(chan, rx_control))
e2ab4353 3834 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3cb123d1 3835
e2ab4353 3836 if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
1a09bcb9 3837 __clear_retrans_timer(chan);
e3781735 3838 if (__is_ctrl_poll(chan, rx_control))
525cd185 3839 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
99b0d4b7 3840 return;
e072745f 3841 }
99b0d4b7 3842
e3781735 3843 if (__is_ctrl_poll(chan, rx_control)) {
525cd185 3844 l2cap_send_srejtail(chan);
ab784b73
AE		 3845 } else {
3846 rx_control = __set_ctrl_super(chan, L2CAP_SUPER_RR);
3847 l2cap_send_sframe(chan, rx_control);
3848 }
e072745f
GP		 3849}
3850
88843ab0 3851static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
e072745f 3852{
88843ab0 3853 BT_DBG("chan %p rx_control 0x%8.8x len %d", chan, rx_control, skb->len);
e072745f 3854
03f6715d 3855 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 3856 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 3857 __clear_monitor_timer(chan);
6a026610 3858 if (chan->unacked_frames > 0)
1a09bcb9 3859 __set_retrans_timer(chan);
e2ab4353 3860 clear_bit(CONN_WAIT_F, &chan->conn_state);
e072745f
GP		 3861 }
3862
ab784b73
AE		 3863 switch (__get_ctrl_super(chan, rx_control)) {
3864 case L2CAP_SUPER_RR:
525cd185 3865 l2cap_data_channel_rrframe(chan, rx_control);
8f17154f
GP		 3866 break;
3867
ab784b73 3868 case L2CAP_SUPER_REJ:
525cd185 3869 l2cap_data_channel_rejframe(chan, rx_control);
e072745f 3870 break;
2246b2f1 3871
ab784b73 3872 case L2CAP_SUPER_SREJ:
525cd185 3873 l2cap_data_channel_srejframe(chan, rx_control);
e072745f
GP		 3874 break;
3875
ab784b73 3876 case L2CAP_SUPER_RNR:
525cd185 3877 l2cap_data_channel_rnrframe(chan, rx_control);
1c2acffb
GP		 3878 break;
3879 }
3880
faaebd19 3881 kfree_skb(skb);
1c2acffb
GP		 3882 return 0;
3883}
3884
218bb9df
GP		 3885static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
3886{
525cd185 3887 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
88843ab0 3888 u32 control;
0b209fae 3889 u16 req_seq;
218bb9df
GP		 3890 int len, next_tx_seq_offset, req_seq_offset;
3891
88843ab0
AE		 3892 control = __get_control(chan, skb->data);
3893 skb_pull(skb, __ctrl_size(chan));
218bb9df
GP		 3894 len = skb->len;
3895
3896 /*
3897 * We can just drop the corrupted I-frame here.
3898 * Receiver will miss it and start proper recovery
3899 * procedures and ask retransmission.
3900 */
47d1ec61 3901 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 3902 goto drop;
3903
793c2f1c 3904 if (__is_sar_start(chan, control) && !__is_sframe(chan, control))
03a51213 3905 len -= L2CAP_SDULEN_SIZE;
218bb9df 3906
47d1ec61 3907 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 3908 len -= L2CAP_FCS_SIZE;
218bb9df 3909
47d1ec61 3910 if (len > chan->mps) {
8c1d787b 3911 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3912 goto drop;
3913 }
3914
0b209fae 3915 req_seq = __get_reqseq(chan, control);
218bb9df 3916
836be934
AE		 3917 req_seq_offset = __seq_offset(chan, req_seq, chan->expected_ack_seq);
3918
3919 next_tx_seq_offset = __seq_offset(chan, chan->next_tx_seq,
3920 chan->expected_ack_seq);
218bb9df
GP		 3921
3922 /* check for invalid req-seq */
3923 if (req_seq_offset > next_tx_seq_offset) {
8c1d787b 3924 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3925 goto drop;
3926 }
3927
793c2f1c 3928 if (!__is_sframe(chan, control)) {
218bb9df 3929 if (len < 0) {
8c1d787b 3930 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3931 goto drop;
3932 }
3933
525cd185 3934 l2cap_data_channel_iframe(chan, control, skb);
218bb9df
GP		 3935 } else {
3936 if (len != 0) {
3937 BT_ERR("%d", len);
8c1d787b 3938 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3939 goto drop;
3940 }
3941
525cd185 3942 l2cap_data_channel_sframe(chan, control, skb);
218bb9df
GP		 3943 }
3944
3945 return 0;
3946
3947drop:
3948 kfree_skb(skb);
3949 return 0;
3950}
3951
1da177e4
LT		 3952static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
3953{
48454079 3954 struct l2cap_chan *chan;
bf734843 3955 struct sock *sk = NULL;
88843ab0 3956 u32 control;
fb45de7d 3957 u16 tx_seq;
218bb9df 3958 int len;
1da177e4 3959
baa7e1fa 3960 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 3961 if (!chan) {
1da177e4
LT		 3962 BT_DBG("unknown cid 0x%4.4x", cid);
3963 goto drop;
3964 }
3965
48454079 3966 sk = chan->sk;
6840ed07 3967
49208c9c 3968 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 3969
89bc500e 3970 if (chan->state != BT_CONNECTED)
1da177e4
LT		 3971 goto drop;
3972
0c1bc5c6 3973 switch (chan->mode) {
1c2acffb
GP		 3974 case L2CAP_MODE_BASIC:
3975 /* If socket recv buffers overflows we drop data here
3976 * which is *bad* because L2CAP has to be reliable.
3977 * But we don't have any other choice. L2CAP doesn't
3978 * provide flow control mechanism. */
1da177e4 3979
0c1bc5c6 3980 if (chan->imtu < skb->len)
1c2acffb 3981 goto drop;
1da177e4 3982
23070494 3983 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP		 3984 goto done;
3985 break;
3986
3987 case L2CAP_MODE_ERTM:
218bb9df
GP		 3988 if (!sock_owned_by_user(sk)) {
3989 l2cap_ertm_data_rcv(sk, skb);
277ffbe3 3990 } else {
218bb9df 3991 if (sk_add_backlog(sk, skb))
277ffbe3 3992 goto drop;
277ffbe3 3993 }
1c2acffb 3994
fcafde2e 3995 goto done;
1c2acffb 3996
6840ed07 3997 case L2CAP_MODE_STREAMING:
88843ab0
AE		 3998 control = __get_control(chan, skb->data);
3999 skb_pull(skb, __ctrl_size(chan));
6840ed07
GP		 4000 len = skb->len;
4001
47d1ec61 4002 if (l2cap_check_fcs(chan, skb))
26000089
GP		 4003 goto drop;
4004
7e0ef6ee 4005 if (__is_sar_start(chan, control))
03a51213 4006 len -= L2CAP_SDULEN_SIZE;
6840ed07 4007
47d1ec61 4008 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 4009 len -= L2CAP_FCS_SIZE;
fcc203c3 4010
793c2f1c 4011 if (len > chan->mps || len < 0 || __is_sframe(chan, control))
6840ed07
GP		 4012 goto drop;
4013
fb45de7d 4014 tx_seq = __get_txseq(chan, control);
6840ed07 4015
84084a31
MM		 4016 if (chan->expected_tx_seq != tx_seq) {
4017 /* Frame(s) missing - must discard partial SDU */
4018 kfree_skb(chan->sdu);
4019 chan->sdu = NULL;
4020 chan->sdu_last_frag = NULL;
4021 chan->sdu_len = 0;
6840ed07 4022
84084a31
MM		 4023 /* TODO: Notify userland of missing data */
4024 }
4025
836be934 4026 chan->expected_tx_seq = __next_seq(chan, tx_seq);
84084a31
MM		 4027
4028 if (l2cap_reassemble_sdu(chan, skb, control) == -EMSGSIZE)
4029 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
6840ed07
GP		 4030
4031 goto done;
4032
1c2acffb 4033 default:
0c1bc5c6 4034 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 4035 break;
4036 }
1da177e4
LT		 4037
4038drop:
4039 kfree_skb(skb);
4040
4041done:
0139418c
MH		 4042 if (sk)
4043 bh_unlock_sock(sk);
4044
1da177e4
LT		 4045 return 0;
4046}
4047
8e036fc3 4048static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 4049{
6dcae1ea 4050 struct sock *sk = NULL;
23691d75 4051 struct l2cap_chan *chan;
1da177e4 4052
23691d75
GP		 4053 chan = l2cap_global_chan_by_psm(0, psm, conn->src);
4054 if (!chan)
1da177e4
LT		 4055 goto drop;
4056
23691d75
GP		 4057 sk = chan->sk;
4058
e0f0cb56
GP		 4059 bh_lock_sock(sk);
4060
1da177e4
LT		 4061 BT_DBG("sk %p, len %d", sk, skb->len);
4062
89bc500e 4063 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 4064 goto drop;
4065
e13e21dc 4066 if (chan->imtu < skb->len)
1da177e4
LT		 4067 goto drop;
4068
23070494 4069 if (!chan->ops->recv(chan->data, skb))
1da177e4
LT		 4070 goto done;
4071
4072drop:
4073 kfree_skb(skb);
4074
4075done:
af05b30b
GP		 4076 if (sk)
4077 bh_unlock_sock(sk);
1da177e4
LT		 4078 return 0;
4079}
4080
9f69bda6
GP		 4081static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
4082{
6dcae1ea 4083 struct sock *sk = NULL;
23691d75 4084 struct l2cap_chan *chan;
9f69bda6 4085
23691d75
GP		 4086 chan = l2cap_global_chan_by_scid(0, cid, conn->src);
4087 if (!chan)
9f69bda6
GP		 4088 goto drop;
4089
23691d75
GP		 4090 sk = chan->sk;
4091
9f69bda6
GP		 4092 bh_lock_sock(sk);
4093
4094 BT_DBG("sk %p, len %d", sk, skb->len);
4095
89bc500e 4096 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 4097 goto drop;
4098
e13e21dc 4099 if (chan->imtu < skb->len)
9f69bda6
GP		 4100 goto drop;
4101
23070494 4102 if (!chan->ops->recv(chan->data, skb))
9f69bda6
GP		 4103 goto done;
4104
4105drop:
4106 kfree_skb(skb);
4107
4108done:
4109 if (sk)
4110 bh_unlock_sock(sk);
4111 return 0;
4112}
4113
1da177e4
LT		 4114static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4115{
4116 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4117 u16 cid, len;
4118 __le16 psm;
1da177e4
LT		 4119
4120 skb_pull(skb, L2CAP_HDR_SIZE);
4121 cid = __le16_to_cpu(lh->cid);
4122 len = __le16_to_cpu(lh->len);
4123
1c2acffb
GP		 4124 if (len != skb->len) {
4125 kfree_skb(skb);
4126 return;
4127 }
4128
1da177e4
LT		 4129 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4130
4131 switch (cid) {
3300d9a9 4132 case L2CAP_CID_LE_SIGNALING:
8db4dc46 4133 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4134 l2cap_sig_channel(conn, skb);
4135 break;
4136
8db4dc46 4137 case L2CAP_CID_CONN_LESS:
1b7bf4ed 4138 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 4139 skb_pull(skb, 2);
4140 l2cap_conless_channel(conn, psm, skb);
4141 break;
4142
9f69bda6
GP		 4143 case L2CAP_CID_LE_DATA:
4144 l2cap_att_channel(conn, cid, skb);
4145 break;
4146
b501d6a1
AB		 4147 case L2CAP_CID_SMP:
4148 if (smp_sig_channel(conn, skb))
4149 l2cap_conn_del(conn->hcon, EACCES);
4150 break;
4151
1da177e4
LT		 4152 default:
4153 l2cap_data_channel(conn, cid, skb);
4154 break;
4155 }
4156}
4157
4158/* ---- L2CAP interface with lower layer (HCI) ---- */
4159
4160static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4161{
4162 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 4163 struct l2cap_chan *c;
1da177e4
LT		 4164
4165 if (type != ACL_LINK)
963cf687 4166 return -EINVAL;
1da177e4
LT		 4167
4168 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4169
4170 /* Find listening sockets and check their link_mode */
23691d75
GP		 4171 read_lock(&chan_list_lock);
4172 list_for_each_entry(c, &chan_list, global_l) {
4173 struct sock *sk = c->sk;
4343478f 4174
89bc500e 4175 if (c->state != BT_LISTEN)
1da177e4
LT		 4176 continue;
4177
4178 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4179 lm1 |= HCI_LM_ACCEPT;
43bd0f32 4180 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 4181 lm1 |= HCI_LM_MASTER;
1da177e4 4182 exact++;
2af6b9d5
MH		 4183 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4184 lm2 |= HCI_LM_ACCEPT;
43bd0f32 4185 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 4186 lm2 |= HCI_LM_MASTER;
4187 }
1da177e4 4188 }
23691d75 4189 read_unlock(&chan_list_lock);
1da177e4
LT		 4190
4191 return exact ? lm1 : lm2;
4192}
4193
4194static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4195{
0139418c
MH		 4196 struct l2cap_conn *conn;
4197
1da177e4
LT		 4198 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4199
acd7d370 4200 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4201 return -EINVAL;
1da177e4
LT		 4202
4203 if (!status) {
1da177e4
LT		 4204 conn = l2cap_conn_add(hcon, status);
4205 if (conn)
4206 l2cap_conn_ready(conn);
0139418c 4207 } else
e175072f 4208 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 4209
4210 return 0;
4211}
4212
2950f21a
MH		 4213static int l2cap_disconn_ind(struct hci_conn *hcon)
4214{
4215 struct l2cap_conn *conn = hcon->l2cap_data;
4216
4217 BT_DBG("hcon %p", hcon);
4218
b5694506 4219 if ((hcon->type != ACL_LINK && hcon->type != LE_LINK) || !conn)
2950f21a
MH		 4220 return 0x13;
4221
4222 return conn->disc_reason;
4223}
4224
4225static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4226{
4227 BT_DBG("hcon %p reason %d", hcon, reason);
4228
acd7d370 4229 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4230 return -EINVAL;
1da177e4 4231
e175072f 4232 l2cap_conn_del(hcon, bt_to_errno(reason));
0139418c 4233
1da177e4
LT		 4234 return 0;
4235}
4236
4343478f 4237static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4238{
715ec005 4239 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 4240 return;
4241
f62e4323 4242 if (encrypt == 0x00) {
4343478f 4243 if (chan->sec_level == BT_SECURITY_MEDIUM) {
c9b66675
GP		 4244 __clear_chan_timer(chan);
4245 __set_chan_timer(chan, HZ * 5);
4343478f 4246 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 4247 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4248 } else {
4343478f 4249 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 4250 __clear_chan_timer(chan);
f62e4323
MH		 4251 }
4252}
4253
8c1b2355 4254static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4255{
0139418c 4256 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4257 struct l2cap_chan *chan;
1da177e4 4258
0139418c 4259 if (!conn)
1da177e4 4260 return 0;
0139418c 4261
1da177e4
LT		 4262 BT_DBG("conn %p", conn);
4263
160dc6ac
VCG		 4264 if (hcon->type == LE_LINK) {
4265 smp_distribute_keys(conn, 0);
4266 del_timer(&conn->security_timer);
4267 }
4268
baa7e1fa 4269 read_lock(&conn->chan_lock);
1da177e4 4270
baa7e1fa 4271 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 4272 struct sock *sk = chan->sk;
baa7e1fa 4273
1da177e4
LT		 4274 bh_lock_sock(sk);
4275
f1cb9af5
VCG		 4276 BT_DBG("chan->scid %d", chan->scid);
4277
4278 if (chan->scid == L2CAP_CID_LE_DATA) {
4279 if (!status && encrypt) {
4280 chan->sec_level = hcon->sec_level;
4281 l2cap_chan_ready(sk);
4282 }
4283
4284 bh_unlock_sock(sk);
4285 continue;
4286 }
4287
c1360a1c 4288 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6a8d3010
MH		 4289 bh_unlock_sock(sk);
4290 continue;
4291 }
4292
89bc500e
GP		 4293 if (!status && (chan->state == BT_CONNECTED ||
4294 chan->state == BT_CONFIG)) {
4343478f 4295 l2cap_check_encryption(chan, encrypt);
9719f8af
MH		 4296 bh_unlock_sock(sk);
4297 continue;
4298 }
4299
89bc500e 4300 if (chan->state == BT_CONNECT) {
b1235d79
MH		 4301 if (!status) {
4302 struct l2cap_conn_req req;
fe4128e0
GP		 4303 req.scid = cpu_to_le16(chan->scid);
4304 req.psm = chan->psm;
1da177e4 4305
fc7f8a7e 4306 chan->ident = l2cap_get_ident(conn);
c1360a1c 4307 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4 4308
fc7f8a7e 4309 l2cap_send_cmd(conn, chan->ident,
b1235d79
MH		 4310 L2CAP_CONN_REQ, sizeof(req), &req);
4311 } else {
c9b66675
GP		 4312 __clear_chan_timer(chan);
4313 __set_chan_timer(chan, HZ / 10);
b1235d79 4314 }
89bc500e 4315 } else if (chan->state == BT_CONNECT2) {
b1235d79 4316 struct l2cap_conn_rsp rsp;
df3c3931 4317 __u16 res, stat;
1da177e4 4318
b1235d79 4319 if (!status) {
df3c3931
JH		 4320 if (bt_sk(sk)->defer_setup) {
4321 struct sock *parent = bt_sk(sk)->parent;
4322 res = L2CAP_CR_PEND;
4323 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 4324 if (parent)
4325 parent->sk_data_ready(parent, 0);
df3c3931 4326 } else {
05558911 4327 l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 4328 res = L2CAP_CR_SUCCESS;
4329 stat = L2CAP_CS_NO_INFO;
4330 }
b1235d79 4331 } else {
89bc500e 4332 l2cap_state_change(chan, BT_DISCONN);
c9b66675 4333 __set_chan_timer(chan, HZ / 10);
df3c3931
JH		 4334 res = L2CAP_CR_SEC_BLOCK;
4335 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 4336 }
4337
fe4128e0
GP		 4338 rsp.scid = cpu_to_le16(chan->dcid);
4339 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 4340 rsp.result = cpu_to_le16(res);
4341 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 4342 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4343 sizeof(rsp), &rsp);
b1235d79 4344 }
1da177e4
LT		 4345
4346 bh_unlock_sock(sk);
4347 }
4348
baa7e1fa 4349 read_unlock(&conn->chan_lock);
b1235d79 4350
1da177e4
LT		 4351 return 0;
4352}
4353
4354static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4355{
4356 struct l2cap_conn *conn = hcon->l2cap_data;
4357
5a08ecce
AE		 4358 if (!conn)
4359 conn = l2cap_conn_add(hcon, 0);
4360
4361 if (!conn)
1da177e4
LT		 4362 goto drop;
4363
4364 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4365
e702112f 4366 if (!(flags & ACL_CONT)) {
1da177e4 4367 struct l2cap_hdr *hdr;
48454079 4368 struct l2cap_chan *chan;
89794813 4369 u16 cid;
1da177e4
LT		 4370 int len;
4371
4372 if (conn->rx_len) {
4373 BT_ERR("Unexpected start frame (len %d)", skb->len);
4374 kfree_skb(conn->rx_skb);
4375 conn->rx_skb = NULL;
4376 conn->rx_len = 0;
4377 l2cap_conn_unreliable(conn, ECOMM);
4378 }
4379
aae7fe22
AE		 4380 /* Start fragment always begin with Basic L2CAP header */
4381 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 4382 BT_ERR("Frame is too short (len %d)", skb->len);
4383 l2cap_conn_unreliable(conn, ECOMM);
4384 goto drop;
4385 }
4386
4387 hdr = (struct l2cap_hdr *) skb->data;
4388 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
89794813 4389 cid = __le16_to_cpu(hdr->cid);
1da177e4
LT		 4390
4391 if (len == skb->len) {
4392 /* Complete frame received */
4393 l2cap_recv_frame(conn, skb);
4394 return 0;
4395 }
4396
4397 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4398
4399 if (skb->len > len) {
4400 BT_ERR("Frame is too long (len %d, expected len %d)",
4401 skb->len, len);
4402 l2cap_conn_unreliable(conn, ECOMM);
4403 goto drop;
4404 }
4405
baa7e1fa 4406 chan = l2cap_get_chan_by_scid(conn, cid);
89794813 4407
48454079
GP		 4408 if (chan && chan->sk) {
4409 struct sock *sk = chan->sk;
89794813 4410
0c1bc5c6 4411 if (chan->imtu < len - L2CAP_HDR_SIZE) {
48454079
GP		 4412 BT_ERR("Frame exceeding recv MTU (len %d, "
4413 "MTU %d)", len,
0c1bc5c6 4414 chan->imtu);
48454079
GP		 4415 bh_unlock_sock(sk);
4416 l2cap_conn_unreliable(conn, ECOMM);
4417 goto drop;
4418 }
89794813 4419 bh_unlock_sock(sk);
48454079 4420 }
89794813 4421
1da177e4 4422 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4423 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4424 if (!conn->rx_skb)
1da177e4
LT		 4425 goto drop;
4426
d626f62b 4427 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4428 skb->len);
1da177e4
LT		 4429 conn->rx_len = len - skb->len;
4430 } else {
4431 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4432
4433 if (!conn->rx_len) {
4434 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4435 l2cap_conn_unreliable(conn, ECOMM);
4436 goto drop;
4437 }
4438
4439 if (skb->len > conn->rx_len) {
4440 BT_ERR("Fragment is too long (len %d, expected %d)",
4441 skb->len, conn->rx_len);
4442 kfree_skb(conn->rx_skb);
4443 conn->rx_skb = NULL;
4444 conn->rx_len = 0;
4445 l2cap_conn_unreliable(conn, ECOMM);
4446 goto drop;
4447 }
4448
d626f62b 4449 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4450 skb->len);
1da177e4
LT		 4451 conn->rx_len -= skb->len;
4452
4453 if (!conn->rx_len) {
4454 /* Complete frame received */
4455 l2cap_recv_frame(conn, conn->rx_skb);
4456 conn->rx_skb = NULL;
4457 }
4458 }
4459
4460drop:
4461 kfree_skb(skb);
4462 return 0;
4463}
4464
aef7d97c 4465static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 4466{
23691d75 4467 struct l2cap_chan *c;
1da177e4 4468
23691d75 4469 read_lock_bh(&chan_list_lock);
1da177e4 4470
23691d75
GP		 4471 list_for_each_entry(c, &chan_list, global_l) {
4472 struct sock *sk = c->sk;
101545f6 4473
903d343e 4474 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 4475 batostr(&bt_sk(sk)->src),
4476 batostr(&bt_sk(sk)->dst),
89bc500e 4477 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 4478 c->scid, c->dcid, c->imtu, c->omtu,
4479 c->sec_level, c->mode);
05558911 4480}
1da177e4 4481
23691d75 4482 read_unlock_bh(&chan_list_lock);
1da177e4 4483
aef7d97c 4484 return 0;
1da177e4
LT		 4485}
4486
aef7d97c
MH		 4487static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4488{
4489 return single_open(file, l2cap_debugfs_show, inode->i_private);
4490}
4491
4492static const struct file_operations l2cap_debugfs_fops = {
4493 .open = l2cap_debugfs_open,
4494 .read = seq_read,
4495 .llseek = seq_lseek,
4496 .release = single_release,
4497};
4498
4499static struct dentry *l2cap_debugfs;
1da177e4 4500
1da177e4
LT		 4501static struct hci_proto l2cap_hci_proto = {
4502 .name = "L2CAP",
4503 .id = HCI_PROTO_L2CAP,
4504 .connect_ind = l2cap_connect_ind,
4505 .connect_cfm = l2cap_connect_cfm,
4506 .disconn_ind = l2cap_disconn_ind,
2950f21a 4507 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 4508 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 4509 .recv_acldata = l2cap_recv_acldata
4510};
4511
64274518 4512int __init l2cap_init(void)
1da177e4
LT		 4513{
4514 int err;
be9d1227 4515
bb58f747 4516 err = l2cap_init_sockets();
1da177e4
LT		 4517 if (err < 0)
4518 return err;
4519
1da177e4
LT		 4520 err = hci_register_proto(&l2cap_hci_proto);
4521 if (err < 0) {
4522 BT_ERR("L2CAP protocol registration failed");
4523 bt_sock_unregister(BTPROTO_L2CAP);
4524 goto error;
4525 }
4526
aef7d97c
MH		 4527 if (bt_debugfs) {
4528 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4529 bt_debugfs, NULL, &l2cap_debugfs_fops);
4530 if (!l2cap_debugfs)
4531 BT_ERR("Failed to create L2CAP debug file");
4532 }
1da177e4 4533
1da177e4
LT		 4534 return 0;
4535
4536error:
bb58f747 4537 l2cap_cleanup_sockets();
1da177e4
LT		 4538 return err;
4539}
4540
64274518 4541void l2cap_exit(void)
1da177e4 4542{
aef7d97c 4543 debugfs_remove(l2cap_debugfs);
1da177e4 4544
1da177e4
LT		 4545 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4546 BT_ERR("L2CAP protocol unregistration failed");
4547
bb58f747 4548 l2cap_cleanup_sockets();
1da177e4
LT		 4549}
4550
d1c4a17d
GP		 4551module_param(disable_ertm, bool, 0644);
4552MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
a5fd6f30
AE		 4553
4554module_param(enable_hs, bool, 0644);
4555MODULE_PARM_DESC(enable_hs, "Enable High Speed");
kernel source for telekom puls (alcatel/mediatek)