projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Remove duplicate structure members from bt_skb_cb
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
1da177e4
LT		 7
8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License version 2 as
12 published by the Free Software Foundation;
13
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22
8e87d142
YH		 23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 25 SOFTWARE IS DISCLAIMED.
26*/
27
bb58f747 28/* Bluetooth L2CAP core. */
1da177e4 29
1da177e4
LT		 30#include <linux/module.h>
31
32#include <linux/types.h>
4fc268d2 33#include <linux/capability.h>
1da177e4
LT		 34#include <linux/errno.h>
35#include <linux/kernel.h>
1da177e4
LT		 36#include <linux/sched.h>
37#include <linux/slab.h>
38#include <linux/poll.h>
39#include <linux/fcntl.h>
40#include <linux/init.h>
41#include <linux/interrupt.h>
42#include <linux/socket.h>
43#include <linux/skbuff.h>
1da177e4 44#include <linux/list.h>
be9d1227 45#include <linux/device.h>
aef7d97c
MH		 46#include <linux/debugfs.h>
47#include <linux/seq_file.h>
af05b30b 48#include <linux/uaccess.h>
fcc203c3 49#include <linux/crc16.h>
1da177e4
LT		 50#include <net/sock.h>
51
1da177e4
LT		 52#include <asm/unaligned.h>
53
54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h>
b501d6a1 57#include <net/bluetooth/smp.h>
1da177e4 58
eb939922 59bool disable_ertm;
f0709e03 60
47ec1dcd 61static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 62static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 63
b5ad8b7f
JB		 64static LIST_HEAD(chan_list);
65static DEFINE_RWLOCK(chan_list_lock);
1da177e4 66
1da177e4
LT		 67static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
68 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 69static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
70 void *data);
710f9b0a 71static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a
GP		 72static void l2cap_send_disconn_req(struct l2cap_conn *conn,
73 struct l2cap_chan *chan, int err);
1da177e4 74
0139418c 75/* ---- L2CAP channels ---- */
71ba0e56 76
baa7e1fa 77static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 78{
3df91ea2 79 struct l2cap_chan *c;
3d57dc68 80
3df91ea2
AE		 81 list_for_each_entry(c, &conn->chan_l, list) {
82 if (c->dcid == cid)
83 return c;
0139418c 84 }
3df91ea2 85 return NULL;
0139418c
MH		 86}
87
baa7e1fa 88static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 89{
3df91ea2 90 struct l2cap_chan *c;
3d57dc68 91
3df91ea2
AE		 92 list_for_each_entry(c, &conn->chan_l, list) {
93 if (c->scid == cid)
94 return c;
0139418c 95 }
3df91ea2 96 return NULL;
0139418c
MH		 97}
98
99/* Find channel with given SCID.
100 * Returns locked socket */
baa7e1fa 101static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 102{
48454079 103 struct l2cap_chan *c;
baa7e1fa 104
3df91ea2 105 mutex_lock(&conn->chan_lock);
baa7e1fa 106 c = __l2cap_get_chan_by_scid(conn, cid);
3df91ea2
AE		 107 mutex_unlock(&conn->chan_lock);
108
48454079 109 return c;
0139418c
MH		 110}
111
baa7e1fa 112static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 113{
3df91ea2 114 struct l2cap_chan *c;
3d57dc68 115
3df91ea2
AE		 116 list_for_each_entry(c, &conn->chan_l, list) {
117 if (c->ident == ident)
118 return c;
0139418c 119 }
3df91ea2 120 return NULL;
0139418c
MH		 121}
122
baa7e1fa 123static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 124{
48454079 125 struct l2cap_chan *c;
baa7e1fa 126
3df91ea2 127 mutex_lock(&conn->chan_lock);
baa7e1fa 128 c = __l2cap_get_chan_by_ident(conn, ident);
3df91ea2
AE		 129 mutex_unlock(&conn->chan_lock);
130
48454079 131 return c;
0139418c
MH		 132}
133
23691d75 134static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 135{
23691d75 136 struct l2cap_chan *c;
9e4425ff 137
23691d75
GP		 138 list_for_each_entry(c, &chan_list, global_l) {
139 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 140 return c;
9e4425ff 141 }
250938cb 142 return NULL;
9e4425ff
GP		 143}
144
145int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
146{
73b2ec18
GP		 147 int err;
148
333055f2 149 write_lock(&chan_list_lock);
9e4425ff 150
23691d75 151 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 152 err = -EADDRINUSE;
153 goto done;
9e4425ff
GP		 154 }
155
73b2ec18
GP		 156 if (psm) {
157 chan->psm = psm;
158 chan->sport = psm;
159 err = 0;
160 } else {
161 u16 p;
162
163 err = -EINVAL;
164 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 165 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 166 chan->psm = cpu_to_le16(p);
167 chan->sport = cpu_to_le16(p);
168 err = 0;
169 break;
170 }
171 }
9e4425ff 172
73b2ec18 173done:
333055f2 174 write_unlock(&chan_list_lock);
73b2ec18 175 return err;
9e4425ff
GP		 176}
177
178int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
179{
333055f2 180 write_lock(&chan_list_lock);
9e4425ff
GP		 181
182 chan->scid = scid;
183
333055f2 184 write_unlock(&chan_list_lock);
9e4425ff
GP		 185
186 return 0;
187}
188
baa7e1fa 189static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 190{
8db4dc46 191 u16 cid = L2CAP_CID_DYN_START;
0139418c 192
8db4dc46 193 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 194 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 195 return cid;
196 }
197
198 return 0;
199}
200
0e587be7 201static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 202{
42d2d87c 203 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
badaaa00
GP		 204 state_to_string(state));
205
89bc500e
GP		 206 chan->state = state;
207 chan->ops->state_change(chan->data, state);
208}
209
0e587be7
AE		 210static void l2cap_state_change(struct l2cap_chan *chan, int state)
211{
212 struct sock *sk = chan->sk;
213
214 lock_sock(sk);
215 __l2cap_state_change(chan, state);
216 release_sock(sk);
217}
218
2e0052e4
AE		 219static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
220{
221 struct sock *sk = chan->sk;
222
223 sk->sk_err = err;
224}
225
226static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
227{
228 struct sock *sk = chan->sk;
229
230 lock_sock(sk);
231 __l2cap_chan_set_err(chan, err);
232 release_sock(sk);
233}
234
3c588192
MM		 235/* ---- L2CAP sequence number lists ---- */
236
237/* For ERTM, ordered lists of sequence numbers must be tracked for
238 * SREJ requests that are received and for frames that are to be
239 * retransmitted. These seq_list functions implement a singly-linked
240 * list in an array, where membership in the list can also be checked
241 * in constant time. Items can also be added to the tail of the list
242 * and removed from the head in constant time, without further memory
243 * allocs or frees.
244 */
245
246static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
247{
248 size_t alloc_size, i;
249
250 /* Allocated size is a power of 2 to map sequence numbers
251 * (which may be up to 14 bits) in to a smaller array that is
252 * sized for the negotiated ERTM transmit windows.
253 */
254 alloc_size = roundup_pow_of_two(size);
255
256 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
257 if (!seq_list->list)
258 return -ENOMEM;
259
260 seq_list->mask = alloc_size - 1;
261 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
262 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
263 for (i = 0; i < alloc_size; i++)
264 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
265
266 return 0;
267}
268
269static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
270{
271 kfree(seq_list->list);
272}
273
274static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
275 u16 seq)
276{
277 /* Constant-time check for list membership */
278 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
279}
280
281static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
282{
283 u16 mask = seq_list->mask;
284
285 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
286 /* In case someone tries to pop the head of an empty list */
287 return L2CAP_SEQ_LIST_CLEAR;
288 } else if (seq_list->head == seq) {
289 /* Head can be removed in constant time */
290 seq_list->head = seq_list->list[seq & mask];
291 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
292
293 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
294 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
295 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
296 }
297 } else {
298 /* Walk the list to find the sequence number */
299 u16 prev = seq_list->head;
300 while (seq_list->list[prev & mask] != seq) {
301 prev = seq_list->list[prev & mask];
302 if (prev == L2CAP_SEQ_LIST_TAIL)
303 return L2CAP_SEQ_LIST_CLEAR;
304 }
305
306 /* Unlink the number from the list and clear it */
307 seq_list->list[prev & mask] = seq_list->list[seq & mask];
308 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
309 if (seq_list->tail == seq)
310 seq_list->tail = prev;
311 }
312 return seq;
313}
314
315static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
316{
317 /* Remove the head in constant time */
318 return l2cap_seq_list_remove(seq_list, seq_list->head);
319}
320
321static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
322{
323 if (seq_list->head != L2CAP_SEQ_LIST_CLEAR) {
324 u16 i;
325 for (i = 0; i <= seq_list->mask; i++)
326 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
327
328 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
329 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
330 }
331}
332
333static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
334{
335 u16 mask = seq_list->mask;
336
337 /* All appends happen in constant time */
338
339 if (seq_list->list[seq & mask] == L2CAP_SEQ_LIST_CLEAR) {
340 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
341 seq_list->head = seq;
342 else
343 seq_list->list[seq_list->tail & mask] = seq;
344
345 seq_list->tail = seq;
346 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
347 }
348}
349
721c4181 350static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 351{
721c4181
GP		 352 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
353 chan_timer.work);
3df91ea2 354 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 355 int reason;
356
e05dcc32 357 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 358
3df91ea2 359 mutex_lock(&conn->chan_lock);
6be36555 360 l2cap_chan_lock(chan);
ab07801d 361
89bc500e 362 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 363 reason = ECONNREFUSED;
89bc500e 364 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 365 chan->sec_level != BT_SECURITY_SDP)
366 reason = ECONNREFUSED;
367 else
368 reason = ETIMEDOUT;
369
0f852724 370 l2cap_chan_close(chan, reason);
ab07801d 371
6be36555 372 l2cap_chan_unlock(chan);
ab07801d 373
ba3bd0ee 374 chan->ops->close(chan->data);
3df91ea2
AE		 375 mutex_unlock(&conn->chan_lock);
376
371fd835 377 l2cap_chan_put(chan);
ab07801d
GP		 378}
379
eef1d9b6 380struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 381{
382 struct l2cap_chan *chan;
383
384 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
385 if (!chan)
386 return NULL;
387
c03b355e
AE		 388 mutex_init(&chan->lock);
389
333055f2 390 write_lock(&chan_list_lock);
23691d75 391 list_add(&chan->global_l, &chan_list);
333055f2 392 write_unlock(&chan_list_lock);
23691d75 393
721c4181 394 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 395
89bc500e
GP		 396 chan->state = BT_OPEN;
397
71ba0e56
GP		 398 atomic_set(&chan->refcnt, 1);
399
eef1d9b6 400 BT_DBG("chan %p", chan);
abc545b8 401
48454079
GP		 402 return chan;
403}
404
23691d75 405void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 406{
333055f2 407 write_lock(&chan_list_lock);
23691d75 408 list_del(&chan->global_l);
333055f2 409 write_unlock(&chan_list_lock);
23691d75 410
371fd835 411 l2cap_chan_put(chan);
6ff5abbf
GP		 412}
413
bd4b1653
AE		 414void l2cap_chan_set_defaults(struct l2cap_chan *chan)
415{
416 chan->fcs = L2CAP_FCS_CRC16;
417 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
418 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
419 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
420 chan->sec_level = BT_SECURITY_LOW;
421
422 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
423}
424
14a28491 425static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 426{
af05b30b 427 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 428 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 429
9f5a0d7b 430 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 431
8c1d787b 432 chan->conn = conn;
0139418c 433
5491120e
AE		 434 switch (chan->chan_type) {
435 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 436 if (conn->hcon->type == LE_LINK) {
437 /* LE connection */
0c1bc5c6 438 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 439 chan->scid = L2CAP_CID_LE_DATA;
440 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 441 } else {
442 /* Alloc CID for connection-oriented socket */
fe4128e0 443 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 444 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 445 }
5491120e
AE		 446 break;
447
448 case L2CAP_CHAN_CONN_LESS:
0139418c 449 /* Connectionless socket */
fe4128e0
GP		 450 chan->scid = L2CAP_CID_CONN_LESS;
451 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 452 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 453 break;
454
455 default:
0139418c 456 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 457 chan->scid = L2CAP_CID_SIGNALING;
458 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 459 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 460 }
461
8f7975b1
AE		 462 chan->local_id = L2CAP_BESTEFFORT_ID;
463 chan->local_stype = L2CAP_SERV_BESTEFFORT;
464 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
465 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
466 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
467 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
468
371fd835 469 l2cap_chan_hold(chan);
baa7e1fa 470
3df91ea2 471 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 472}
473
14a28491 474static void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 475{
476 mutex_lock(&conn->chan_lock);
477 __l2cap_chan_add(conn, chan);
3df91ea2 478 mutex_unlock(&conn->chan_lock);
0139418c
MH		 479}
480
4519de9a 481static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 482{
48454079 483 struct sock *sk = chan->sk;
8c1d787b 484 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 485 struct sock *parent = bt_sk(sk)->parent;
486
c9b66675 487 __clear_chan_timer(chan);
0139418c 488
49208c9c 489 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 490
8e87d142 491 if (conn) {
baa7e1fa 492 /* Delete from channel list */
3df91ea2 493 list_del(&chan->list);
3d57dc68 494
371fd835 495 l2cap_chan_put(chan);
baa7e1fa 496
8c1d787b 497 chan->conn = NULL;
0139418c
MH		 498 hci_conn_put(conn->hcon);
499 }
500
6be36555
AE		 501 lock_sock(sk);
502
0e587be7 503 __l2cap_state_change(chan, BT_CLOSED);
0139418c
MH		 504 sock_set_flag(sk, SOCK_ZAPPED);
505
506 if (err)
2e0052e4 507 __l2cap_chan_set_err(chan, err);
0139418c
MH		 508
509 if (parent) {
510 bt_accept_unlink(sk);
511 parent->sk_data_ready(parent, 0);
512 } else
513 sk->sk_state_change(sk);
c13ffa62 514
6be36555
AE		 515 release_sock(sk);
516
c1360a1c
GP		 517 if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
518 test_bit(CONF_INPUT_DONE, &chan->conf_state)))
6ff5abbf 519 return;
2ead70b8 520
58d35f87 521 skb_queue_purge(&chan->tx_q);
c13ffa62 522
0c1bc5c6 523 if (chan->mode == L2CAP_MODE_ERTM) {
c13ffa62
GP		 524 struct srej_list *l, *tmp;
525
1a09bcb9
GP		 526 __clear_retrans_timer(chan);
527 __clear_monitor_timer(chan);
528 __clear_ack_timer(chan);
c13ffa62 529
f1c6775b 530 skb_queue_purge(&chan->srej_q);
c13ffa62 531
3c588192
MM		 532 l2cap_seq_list_free(&chan->srej_list);
533 l2cap_seq_list_free(&chan->retrans_list);
39d5a3ee 534 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
c13ffa62
GP		 535 list_del(&l->list);
536 kfree(l);
537 }
538 }
0139418c
MH		 539}
540
4519de9a
GP		 541static void l2cap_chan_cleanup_listen(struct sock *parent)
542{
543 struct sock *sk;
544
545 BT_DBG("parent %p", parent);
546
547 /* Close not yet accepted channels */
0f852724 548 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee 549 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
3df91ea2 550
6be36555 551 l2cap_chan_lock(chan);
c9b66675 552 __clear_chan_timer(chan);
ba3bd0ee 553 l2cap_chan_close(chan, ECONNRESET);
6be36555 554 l2cap_chan_unlock(chan);
3df91ea2 555
ba3bd0ee 556 chan->ops->close(chan->data);
0f852724 557 }
4519de9a
GP		 558}
559
0f852724 560void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 561{
562 struct l2cap_conn *conn = chan->conn;
563 struct sock *sk = chan->sk;
564
e05dcc32
AE		 565 BT_DBG("chan %p state %s sk %p", chan,
566 state_to_string(chan->state), sk);
4519de9a 567
89bc500e 568 switch (chan->state) {
4519de9a 569 case BT_LISTEN:
6be36555 570 lock_sock(sk);
4519de9a 571 l2cap_chan_cleanup_listen(sk);
89bc500e 572
0e587be7 573 __l2cap_state_change(chan, BT_CLOSED);
89bc500e 574 sock_set_flag(sk, SOCK_ZAPPED);
6be36555 575 release_sock(sk);
4519de9a
GP		 576 break;
577
578 case BT_CONNECTED:
579 case BT_CONFIG:
715ec005 580 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 581 conn->hcon->type == ACL_LINK) {
c9b66675 582 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 583 l2cap_send_disconn_req(conn, chan, reason);
584 } else
585 l2cap_chan_del(chan, reason);
586 break;
587
588 case BT_CONNECT2:
715ec005 589 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 590 conn->hcon->type == ACL_LINK) {
591 struct l2cap_conn_rsp rsp;
592 __u16 result;
593
594 if (bt_sk(sk)->defer_setup)
595 result = L2CAP_CR_SEC_BLOCK;
596 else
597 result = L2CAP_CR_BAD_PSM;
89bc500e 598 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 599
600 rsp.scid = cpu_to_le16(chan->dcid);
601 rsp.dcid = cpu_to_le16(chan->scid);
602 rsp.result = cpu_to_le16(result);
603 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
604 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
605 sizeof(rsp), &rsp);
606 }
607
608 l2cap_chan_del(chan, reason);
609 break;
610
611 case BT_CONNECT:
612 case BT_DISCONN:
613 l2cap_chan_del(chan, reason);
614 break;
615
616 default:
6be36555 617 lock_sock(sk);
4519de9a 618 sock_set_flag(sk, SOCK_ZAPPED);
6be36555 619 release_sock(sk);
4519de9a
GP		 620 break;
621 }
622}
623
4343478f 624static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 625{
715ec005 626 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 627 switch (chan->sec_level) {
8556edd3
JH		 628 case BT_SECURITY_HIGH:
629 return HCI_AT_DEDICATED_BONDING_MITM;
630 case BT_SECURITY_MEDIUM:
631 return HCI_AT_DEDICATED_BONDING;
632 default:
633 return HCI_AT_NO_BONDING;
634 }
fe4128e0 635 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 636 if (chan->sec_level == BT_SECURITY_LOW)
637 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 638
4343478f 639 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 640 return HCI_AT_NO_BONDING_MITM;
00ae4af9 641 else
8556edd3 642 return HCI_AT_NO_BONDING;
00ae4af9 643 } else {
4343478f 644 switch (chan->sec_level) {
00ae4af9 645 case BT_SECURITY_HIGH:
8556edd3 646 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 647 case BT_SECURITY_MEDIUM:
8556edd3 648 return HCI_AT_GENERAL_BONDING;
00ae4af9 649 default:
8556edd3 650 return HCI_AT_NO_BONDING;
00ae4af9 651 }
0684e5f9 652 }
8556edd3
JH		 653}
654
655/* Service level security */
d45fc423 656int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 657{
8c1d787b 658 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 659 __u8 auth_type;
660
4343478f 661 auth_type = l2cap_get_auth_type(chan);
79d554a6 662
4343478f 663 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 664}
665
b5ad8b7f 666static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 667{
668 u8 id;
669
670 /* Get next available identificator.
671 * 1 - 128 are used by kernel.
672 * 129 - 199 are reserved.
673 * 200 - 254 are used by utilities like l2ping, etc.
674 */
675
333055f2 676 spin_lock(&conn->lock);
4e8402a3
MH		 677
678 if (++conn->tx_ident > 128)
679 conn->tx_ident = 1;
680
681 id = conn->tx_ident;
682
333055f2 683 spin_unlock(&conn->lock);
4e8402a3
MH		 684
685 return id;
686}
687
4519de9a 688static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 689{
690 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 691 u8 flags;
4e8402a3
MH		 692
693 BT_DBG("code 0x%2.2x", code);
694
695 if (!skb)
9a9c6a34 696 return;
4e8402a3 697
e702112f
AE		 698 if (lmp_no_flush_capable(conn->hcon->hdev))
699 flags = ACL_START_NO_FLUSH;
700 else
701 flags = ACL_START;
702
14b12d0b 703 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 704 skb->priority = HCI_PRIO_MAX;
14b12d0b 705
73d80deb
LAD		 706 hci_send_acl(conn->hchan, skb, flags);
707}
708
709static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
710{
711 struct hci_conn *hcon = chan->conn->hcon;
712 u16 flags;
713
714 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
715 skb->priority);
716
717 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
718 lmp_no_flush_capable(hcon->hdev))
719 flags = ACL_START_NO_FLUSH;
720 else
721 flags = ACL_START;
14b12d0b 722
73d80deb
LAD		 723 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
724 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 725}
726
88843ab0 727static inline void l2cap_send_sframe(struct l2cap_chan *chan, u32 control)
1c2acffb
GP		 728{
729 struct sk_buff *skb;
730 struct l2cap_hdr *lh;
8c1d787b 731 struct l2cap_conn *conn = chan->conn;
e4ca6d98 732 int count, hlen;
fcc203c3 733
89bc500e 734 if (chan->state != BT_CONNECTED)
c13ffa62
GP		 735 return;
736
e4ca6d98
AE		 737 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
738 hlen = L2CAP_EXT_HDR_SIZE;
739 else
740 hlen = L2CAP_ENH_HDR_SIZE;
741
47d1ec61 742 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 743 hlen += L2CAP_FCS_SIZE;
1c2acffb 744
88843ab0 745 BT_DBG("chan %p, control 0x%8.8x", chan, control);
1c2acffb 746
fcc203c3 747 count = min_t(unsigned int, conn->mtu, hlen);
793c2f1c
AE		 748
749 control |= __set_sframe(chan);
1c2acffb 750
e2ab4353 751 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 752 control |= __set_ctrl_final(chan);
9e917af1 753
e2ab4353 754 if (test_and_clear_bit(CONN_SEND_PBIT, &chan->conn_state))
e3781735 755 control |= __set_ctrl_poll(chan);
f0946ccf 756
1c2acffb
GP		 757 skb = bt_skb_alloc(count, GFP_ATOMIC);
758 if (!skb)
9a9c6a34 759 return;
1c2acffb
GP		 760
761 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 762 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
fe4128e0 763 lh->cid = cpu_to_le16(chan->dcid);
88843ab0
AE		 764
765 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
1c2acffb 766
47d1ec61 767 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 768 u16 fcs = crc16(0, (u8 *)lh, count - L2CAP_FCS_SIZE);
769 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 770 }
771
73d80deb
LAD		 772 skb->priority = HCI_PRIO_MAX;
773 l2cap_do_send(chan, skb);
1c2acffb
GP		 774}
775
88843ab0 776static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u32 control)
7e743090 777{
e2ab4353 778 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 779 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 780 set_bit(CONN_RNR_SENT, &chan->conn_state);
1890d36b 781 } else
ab784b73 782 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
7e743090 783
0b209fae 784 control |= __set_reqseq(chan, chan->buffer_seq);
2ab25cdd 785
525cd185 786 l2cap_send_sframe(chan, control);
7e743090
GP		 787}
788
b76bbd66
MM		 789static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
790{
791 u16 packed;
792
793 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
794 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
795
796 if (control->sframe) {
797 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
798 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
799 packed |= L2CAP_CTRL_FRAME_TYPE;
800 } else {
801 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
802 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
803 }
804
805 return packed;
806}
807
808static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
809{
810 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
811 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
812
813 if (enh & L2CAP_CTRL_FRAME_TYPE) {
814 /* S-Frame */
815 control->sframe = 1;
816 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
817 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
818
819 control->sar = 0;
820 control->txseq = 0;
821 } else {
822 /* I-Frame */
823 control->sframe = 0;
824 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
825 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
826
827 control->poll = 0;
828 control->super = 0;
829 }
830}
831
832static u32 __pack_extended_control(struct l2cap_ctrl *control)
833{
834 u32 packed;
835
836 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
837 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
838
839 if (control->sframe) {
840 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
841 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
842 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
843 } else {
844 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
845 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
846 }
847
848 return packed;
849}
850
851static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
852{
853 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
854 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
855
856 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
857 /* S-Frame */
858 control->sframe = 1;
859 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
860 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
861
862 control->sar = 0;
863 control->txseq = 0;
864 } else {
865 /* I-Frame */
866 control->sframe = 0;
867 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
868 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
869
870 control->poll = 0;
871 control->super = 0;
872 }
873}
874
875static inline void __unpack_control(struct l2cap_chan *chan,
876 struct sk_buff *skb)
877{
878 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
879 __unpack_extended_control(get_unaligned_le32(skb->data),
880 &bt_cb(skb)->control);
881 } else {
882 __unpack_enhanced_control(get_unaligned_le16(skb->data),
883 &bt_cb(skb)->control);
884 }
885}
886
887static inline void __pack_control(struct l2cap_chan *chan,
888 struct l2cap_ctrl *control,
889 struct sk_buff *skb)
890{
891 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
892 put_unaligned_le32(__pack_extended_control(control),
893 skb->data + L2CAP_HDR_SIZE);
894 } else {
895 put_unaligned_le16(__pack_enhanced_control(control),
896 skb->data + L2CAP_HDR_SIZE);
897 }
898}
899
b4450035 900static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 901{
c1360a1c 902 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 903}
904
9b27f350
AE		 905static void l2cap_send_conn_req(struct l2cap_chan *chan)
906{
907 struct l2cap_conn *conn = chan->conn;
908 struct l2cap_conn_req req;
909
910 req.scid = cpu_to_le16(chan->scid);
911 req.psm = chan->psm;
912
913 chan->ident = l2cap_get_ident(conn);
914
915 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
916
917 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
918}
919
9f0caeb1
VCG		 920static void l2cap_chan_ready(struct l2cap_chan *chan)
921{
922 struct sock *sk = chan->sk;
923 struct sock *parent;
924
925 lock_sock(sk);
926
927 parent = bt_sk(sk)->parent;
928
929 BT_DBG("sk %p, parent %p", sk, parent);
930
931 chan->conf_state = 0;
932 __clear_chan_timer(chan);
933
934 __l2cap_state_change(chan, BT_CONNECTED);
935 sk->sk_state_change(sk);
936
937 if (parent)
938 parent->sk_data_ready(parent, 0);
939
940 release_sock(sk);
941}
942
fc7f8a7e 943static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 944{
8c1d787b 945 struct l2cap_conn *conn = chan->conn;
79d554a6 946
9f0caeb1
VCG		 947 if (conn->hcon->type == LE_LINK) {
948 l2cap_chan_ready(chan);
949 return;
950 }
951
79d554a6 952 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 953 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
954 return;
955
d45fc423 956 if (l2cap_chan_check_security(chan) &&
9b27f350
AE		 957 __l2cap_no_conn_pending(chan))
958 l2cap_send_conn_req(chan);
79d554a6
MH		 959 } else {
960 struct l2cap_info_req req;
961 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
962
963 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
964 conn->info_ident = l2cap_get_ident(conn);
965
ba13ccd9 966 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 967
968 l2cap_send_cmd(conn, conn->info_ident,
969 L2CAP_INFO_REQ, sizeof(req), &req);
970 }
971}
972
cf6c2c0b
GP		 973static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
974{
975 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 976 if (!disable_ertm)
cf6c2c0b
GP		 977 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
978
979 switch (mode) {
980 case L2CAP_MODE_ERTM:
981 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
982 case L2CAP_MODE_STREAMING:
983 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
984 default:
985 return 0x00;
986 }
987}
988
4519de9a 989static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 990{
6be36555 991 struct sock *sk = chan->sk;
22121fc9
GP		 992 struct l2cap_disconn_req req;
993
c13ffa62
GP		 994 if (!conn)
995 return;
996
0c1bc5c6 997 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 998 __clear_retrans_timer(chan);
999 __clear_monitor_timer(chan);
1000 __clear_ack_timer(chan);
c13ffa62
GP		 1001 }
1002
fe4128e0
GP		 1003 req.dcid = cpu_to_le16(chan->dcid);
1004 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 1005 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1006 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 1007
6be36555 1008 lock_sock(sk);
0e587be7 1009 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1010 __l2cap_chan_set_err(chan, err);
6be36555 1011 release_sock(sk);
22121fc9
GP		 1012}
1013
1da177e4 1014/* ---- L2CAP connections ---- */
4e8402a3
MH		 1015static void l2cap_conn_start(struct l2cap_conn *conn)
1016{
3df91ea2 1017 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1018
1019 BT_DBG("conn %p", conn);
1020
3df91ea2 1021 mutex_lock(&conn->chan_lock);
4e8402a3 1022
3df91ea2 1023 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1024 struct sock *sk = chan->sk;
baa7e1fa 1025
6be36555 1026 l2cap_chan_lock(chan);
4e8402a3 1027
715ec005 1028 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1029 l2cap_chan_unlock(chan);
79d554a6
MH		 1030 continue;
1031 }
1032
89bc500e 1033 if (chan->state == BT_CONNECT) {
d45fc423 1034 if (!l2cap_chan_check_security(chan) ||
b4450035 1035 !__l2cap_no_conn_pending(chan)) {
6be36555 1036 l2cap_chan_unlock(chan);
47731de7
GP		 1037 continue;
1038 }
79d554a6 1039
c1360a1c
GP		 1040 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1041 && test_bit(CONF_STATE2_DEVICE,
1042 &chan->conf_state)) {
89bc500e 1043 l2cap_chan_close(chan, ECONNRESET);
6be36555 1044 l2cap_chan_unlock(chan);
47731de7 1045 continue;
b1235d79 1046 }
47731de7 1047
9b27f350 1048 l2cap_send_conn_req(chan);
47731de7 1049
89bc500e 1050 } else if (chan->state == BT_CONNECT2) {
79d554a6 1051 struct l2cap_conn_rsp rsp;
e9aeb2dd 1052 char buf[128];
fe4128e0
GP		 1053 rsp.scid = cpu_to_le16(chan->dcid);
1054 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1055
d45fc423 1056 if (l2cap_chan_check_security(chan)) {
6be36555 1057 lock_sock(sk);
f66dc81f
MH		 1058 if (bt_sk(sk)->defer_setup) {
1059 struct sock *parent = bt_sk(sk)->parent;
1060 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1061 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 1062 if (parent)
1063 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 1064
1065 } else {
0e587be7 1066 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 1067 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1068 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1069 }
6be36555 1070 release_sock(sk);
79d554a6
MH		 1071 } else {
1072 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1073 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1074 }
1075
fc7f8a7e
GP		 1076 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1077 sizeof(rsp), &rsp);
e9aeb2dd 1078
c1360a1c 1079 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd 1080 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1081 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1082 continue;
1083 }
1084
c1360a1c 1085 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1086 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 1087 l2cap_build_conf_req(chan, buf), buf);
1088 chan->num_conf_req++;
4e8402a3
MH		 1089 }
1090
6be36555 1091 l2cap_chan_unlock(chan);
4e8402a3
MH		 1092 }
1093
3df91ea2 1094 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1095}
1096
c2287681 1097/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1098 * Returns closest match, locked.
1099 */
d9b88702 1100static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1101 bdaddr_t *src,
1102 bdaddr_t *dst)
b62f328b 1103{
23691d75 1104 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1105
23691d75 1106 read_lock(&chan_list_lock);
b62f328b 1107
23691d75
GP		 1108 list_for_each_entry(c, &chan_list, global_l) {
1109 struct sock *sk = c->sk;
fe4128e0 1110
89bc500e 1111 if (state && c->state != state)
b62f328b
VT		 1112 continue;
1113
23691d75 1114 if (c->scid == cid) {
c2287681
IY		 1115 int src_match, dst_match;
1116 int src_any, dst_any;
1117
b62f328b 1118 /* Exact match. */
c2287681
IY		 1119 src_match = !bacmp(&bt_sk(sk)->src, src);
1120 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1121 if (src_match && dst_match) {
23691d75
GP		 1122 read_unlock(&chan_list_lock);
1123 return c;
1124 }
b62f328b
VT		 1125
1126 /* Closest match */
c2287681
IY		 1127 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1128 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1129 if ((src_match && dst_any) || (src_any && dst_match) ||
1130 (src_any && dst_any))
23691d75 1131 c1 = c;
b62f328b
VT		 1132 }
1133 }
280f294f 1134
23691d75 1135 read_unlock(&chan_list_lock);
b62f328b 1136
23691d75 1137 return c1;
b62f328b
VT		 1138}
1139
1140static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1141{
c916fbe4 1142 struct sock *parent, *sk;
23691d75 1143 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1144
1145 BT_DBG("");
1146
1147 /* Check if we have socket listening on cid */
23691d75 1148 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1149 conn->src, conn->dst);
23691d75 1150 if (!pchan)
b62f328b
VT		 1151 return;
1152
23691d75
GP		 1153 parent = pchan->sk;
1154
aa2ac881 1155 lock_sock(parent);
62f3a2cf 1156
b62f328b
VT		 1157 /* Check for backlog size */
1158 if (sk_acceptq_is_full(parent)) {
1159 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1160 goto clean;
1161 }
1162
80808e43
GP		 1163 chan = pchan->ops->new_connection(pchan->data);
1164 if (!chan)
b62f328b
VT		 1165 goto clean;
1166
80808e43 1167 sk = chan->sk;
5d41ce1d 1168
b62f328b
VT		 1169 hci_conn_hold(conn->hcon);
1170
b62f328b
VT		 1171 bacpy(&bt_sk(sk)->src, conn->src);
1172 bacpy(&bt_sk(sk)->dst, conn->dst);
1173
d1010240
GP		 1174 bt_accept_enqueue(parent, sk);
1175
3d57dc68 1176 l2cap_chan_add(conn, chan);
48454079 1177
c9b66675 1178 __set_chan_timer(chan, sk->sk_sndtimeo);
b62f328b 1179
0e587be7 1180 __l2cap_state_change(chan, BT_CONNECTED);
b62f328b
VT		 1181 parent->sk_data_ready(parent, 0);
1182
b62f328b 1183clean:
aa2ac881 1184 release_sock(parent);
b62f328b
VT		 1185}
1186
4e8402a3
MH		 1187static void l2cap_conn_ready(struct l2cap_conn *conn)
1188{
48454079 1189 struct l2cap_chan *chan;
4e8402a3 1190
79d554a6 1191 BT_DBG("conn %p", conn);
4e8402a3 1192
b62f328b
VT		 1193 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
1194 l2cap_le_conn_ready(conn);
1195
160dc6ac
VCG		 1196 if (conn->hcon->out && conn->hcon->type == LE_LINK)
1197 smp_conn_security(conn, conn->hcon->pending_sec_level);
1198
3df91ea2 1199 mutex_lock(&conn->chan_lock);
4e8402a3 1200
3df91ea2 1201 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1202
6be36555 1203 l2cap_chan_lock(chan);
4e8402a3 1204
63128451 1205 if (conn->hcon->type == LE_LINK) {
b501d6a1 1206 if (smp_conn_security(conn, chan->sec_level))
cf4cd009 1207 l2cap_chan_ready(chan);
acd7d370 1208
63128451 1209 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1210 struct sock *sk = chan->sk;
c9b66675 1211 __clear_chan_timer(chan);
6be36555 1212 lock_sock(sk);
0e587be7 1213 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1214 sk->sk_state_change(sk);
6be36555 1215 release_sock(sk);
b501d6a1 1216
89bc500e 1217 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1218 l2cap_do_start(chan);
4e8402a3 1219
6be36555 1220 l2cap_chan_unlock(chan);
4e8402a3 1221 }
79d554a6 1222
3df91ea2 1223 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1224}
1225
1226/* Notify sockets that we cannot guaranty reliability anymore */
1227static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1228{
48454079 1229 struct l2cap_chan *chan;
4e8402a3
MH		 1230
1231 BT_DBG("conn %p", conn);
1232
3df91ea2 1233 mutex_lock(&conn->chan_lock);
4e8402a3 1234
3df91ea2 1235 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1236 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
2e0052e4 1237 __l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1238 }
1239
3df91ea2 1240 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1241}
1242
f878fcad 1243static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1244{
f878fcad 1245 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
030013d8 1246 info_timer.work);
4e8402a3 1247
984947dc 1248 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1249 conn->info_ident = 0;
984947dc 1250
4e8402a3
MH		 1251 l2cap_conn_start(conn);
1252}
1253
5d3de7df
VCG		 1254static void l2cap_conn_del(struct hci_conn *hcon, int err)
1255{
1256 struct l2cap_conn *conn = hcon->l2cap_data;
1257 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1258
1259 if (!conn)
1260 return;
1261
1262 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1263
1264 kfree_skb(conn->rx_skb);
1265
3df91ea2
AE		 1266 mutex_lock(&conn->chan_lock);
1267
5d3de7df
VCG		 1268 /* Kill channels */
1269 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
6be36555
AE		 1270 l2cap_chan_lock(chan);
1271
5d3de7df 1272 l2cap_chan_del(chan, err);
6be36555
AE		 1273
1274 l2cap_chan_unlock(chan);
1275
5d3de7df
VCG		 1276 chan->ops->close(chan->data);
1277 }
1278
3df91ea2
AE		 1279 mutex_unlock(&conn->chan_lock);
1280
73d80deb
LAD		 1281 hci_chan_del(conn->hchan);
1282
5d3de7df 1283 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1284 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1285
51a8efd7 1286 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1287 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1288 smp_chan_destroy(conn);
d26a2345 1289 }
5d3de7df
VCG		 1290
1291 hcon->l2cap_data = NULL;
1292 kfree(conn);
1293}
1294
6c9d42a1 1295static void security_timeout(struct work_struct *work)
5d3de7df 1296{
6c9d42a1
GP		 1297 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1298 security_timer.work);
5d3de7df
VCG		 1299
1300 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1301}
1302
1da177e4
LT		 1303static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1304{
0139418c 1305 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1306 struct hci_chan *hchan;
1da177e4 1307
0139418c 1308 if (conn || status)
1da177e4
LT		 1309 return conn;
1310
73d80deb
LAD		 1311 hchan = hci_chan_create(hcon);
1312 if (!hchan)
1313 return NULL;
1314
0139418c 1315 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
73d80deb
LAD		 1316 if (!conn) {
1317 hci_chan_del(hchan);
1da177e4 1318 return NULL;
73d80deb 1319 }
1da177e4
LT		 1320
1321 hcon->l2cap_data = conn;
1322 conn->hcon = hcon;
73d80deb 1323 conn->hchan = hchan;
1da177e4 1324
73d80deb 1325 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1326
acd7d370
VT		 1327 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1328 conn->mtu = hcon->hdev->le_mtu;
1329 else
1330 conn->mtu = hcon->hdev->acl_mtu;
1331
1da177e4
LT		 1332 conn->src = &hcon->hdev->bdaddr;
1333 conn->dst = &hcon->dst;
1334
4e8402a3
MH		 1335 conn->feat_mask = 0;
1336
1da177e4 1337 spin_lock_init(&conn->lock);
3df91ea2 1338 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1339
1340 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1341
5d3de7df 1342 if (hcon->type == LE_LINK)
6c9d42a1 1343 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1344 else
030013d8 1345 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1346
9f5a0d7b 1347 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1348
1da177e4
LT		 1349 return conn;
1350}
1351
1da177e4 1352/* ---- Socket interface ---- */
1da177e4 1353
c2287681 1354/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1355 * Returns closest match.
1356 */
c2287681
IY		 1357static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1358 bdaddr_t *src,
1359 bdaddr_t *dst)
1da177e4 1360{
23691d75 1361 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1362
23691d75 1363 read_lock(&chan_list_lock);
e0f0cb56 1364
23691d75
GP		 1365 list_for_each_entry(c, &chan_list, global_l) {
1366 struct sock *sk = c->sk;
fe4128e0 1367
89bc500e 1368 if (state && c->state != state)
1da177e4
LT		 1369 continue;
1370
23691d75 1371 if (c->psm == psm) {
c2287681
IY		 1372 int src_match, dst_match;
1373 int src_any, dst_any;
1374
1da177e4 1375 /* Exact match. */
c2287681
IY		 1376 src_match = !bacmp(&bt_sk(sk)->src, src);
1377 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1378 if (src_match && dst_match) {
a7567b20 1379 read_unlock(&chan_list_lock);
23691d75
GP		 1380 return c;
1381 }
1da177e4
LT		 1382
1383 /* Closest match */
c2287681
IY		 1384 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1385 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1386 if ((src_match && dst_any) || (src_any && dst_match) ||
1387 (src_any && dst_any))
23691d75 1388 c1 = c;
1da177e4
LT		 1389 }
1390 }
1da177e4 1391
23691d75 1392 read_unlock(&chan_list_lock);
e0f0cb56 1393
23691d75 1394 return c1;
1da177e4
LT		 1395}
1396
8e9f9892
AG		 1397int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1398 bdaddr_t *dst, u8 dst_type)
1da177e4 1399{
5d41ce1d 1400 struct sock *sk = chan->sk;
1da177e4 1401 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1402 struct l2cap_conn *conn;
1403 struct hci_conn *hcon;
1404 struct hci_dev *hdev;
09ab6f4c 1405 __u8 auth_type;
44d0e48e 1406 int err;
1da177e4 1407
8e9f9892
AG		 1408 BT_DBG("%s -> %s (type %u) psm 0x%2.2x", batostr(src), batostr(dst),
1409 dst_type, __le16_to_cpu(chan->psm));
1da177e4 1410
af05b30b
GP		 1411 hdev = hci_get_route(dst, src);
1412 if (!hdev)
1da177e4
LT		 1413 return -EHOSTUNREACH;
1414
09fd0de5 1415 hci_dev_lock(hdev);
1da177e4 1416
6be36555 1417 l2cap_chan_lock(chan);
03a00194
GP		 1418
1419 /* PSM must be odd and lsb of upper byte must be 0 */
1420 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1421 chan->chan_type != L2CAP_CHAN_RAW) {
1422 err = -EINVAL;
1423 goto done;
1424 }
1425
1426 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1427 err = -EINVAL;
1428 goto done;
1429 }
1430
1431 switch (chan->mode) {
1432 case L2CAP_MODE_BASIC:
1433 break;
1434 case L2CAP_MODE_ERTM:
1435 case L2CAP_MODE_STREAMING:
1436 if (!disable_ertm)
1437 break;
1438 /* fall through */
1439 default:
1440 err = -ENOTSUPP;
1441 goto done;
1442 }
1443
6be36555
AE		 1444 lock_sock(sk);
1445
03a00194
GP		 1446 switch (sk->sk_state) {
1447 case BT_CONNECT:
1448 case BT_CONNECT2:
1449 case BT_CONFIG:
1450 /* Already connecting */
1451 err = 0;
6be36555 1452 release_sock(sk);
03a00194
GP		 1453 goto done;
1454
1455 case BT_CONNECTED:
1456 /* Already connected */
1457 err = -EISCONN;
6be36555 1458 release_sock(sk);
03a00194
GP		 1459 goto done;
1460
1461 case BT_OPEN:
1462 case BT_BOUND:
1463 /* Can connect */
1464 break;
1465
1466 default:
1467 err = -EBADFD;
6be36555 1468 release_sock(sk);
03a00194
GP		 1469 goto done;
1470 }
1471
1472 /* Set destination address and psm */
9219b2a0 1473 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1474
1475 release_sock(sk);
1476
03a00194
GP		 1477 chan->psm = psm;
1478 chan->dcid = cid;
1da177e4 1479
4343478f 1480 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1481
fe4128e0 1482 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1483 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1484 chan->sec_level, auth_type);
acd7d370 1485 else
8e9f9892 1486 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1487 chan->sec_level, auth_type);
acd7d370 1488
30e76272
VT		 1489 if (IS_ERR(hcon)) {
1490 err = PTR_ERR(hcon);
1da177e4 1491 goto done;
30e76272 1492 }
1da177e4
LT		 1493
1494 conn = l2cap_conn_add(hcon, 0);
1495 if (!conn) {
1496 hci_conn_put(hcon);
30e76272 1497 err = -ENOMEM;
1da177e4
LT		 1498 goto done;
1499 }
1500
9f0caeb1
VCG		 1501 if (hcon->type == LE_LINK) {
1502 err = 0;
1503
1504 if (!list_empty(&conn->chan_l)) {
1505 err = -EBUSY;
1506 hci_conn_put(hcon);
1507 }
1508
1509 if (err)
1510 goto done;
1511 }
1512
1da177e4
LT		 1513 /* Update source addr of the socket */
1514 bacpy(src, conn->src);
1515
6be36555 1516 l2cap_chan_unlock(chan);
48454079 1517 l2cap_chan_add(conn, chan);
6be36555 1518 l2cap_chan_lock(chan);
48454079 1519
6be36555 1520 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1521 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1522
1523 if (hcon->state == BT_CONNECTED) {
715ec005 1524 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1525 __clear_chan_timer(chan);
d45fc423 1526 if (l2cap_chan_check_security(chan))
6be36555 1527 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1528 } else
fc7f8a7e 1529 l2cap_do_start(chan);
1da177e4
LT		 1530 }
1531
30e76272
VT		 1532 err = 0;
1533
1da177e4 1534done:
6be36555 1535 l2cap_chan_unlock(chan);
09fd0de5 1536 hci_dev_unlock(hdev);
1da177e4
LT		 1537 hci_dev_put(hdev);
1538 return err;
1539}
1540
dcba0dba 1541int __l2cap_wait_ack(struct sock *sk)
6161c038 1542{
8c1d787b 1543 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1544 DECLARE_WAITQUEUE(wait, current);
1545 int err = 0;
1546 int timeo = HZ/5;
1547
2b0b05dd 1548 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1549 set_current_state(TASK_INTERRUPTIBLE);
1550 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1551 if (!timeo)
1552 timeo = HZ/5;
1553
1554 if (signal_pending(current)) {
1555 err = sock_intr_errno(timeo);
1556 break;
1557 }
1558
1559 release_sock(sk);
1560 timeo = schedule_timeout(timeo);
1561 lock_sock(sk);
a71a0cf4 1562 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1563
1564 err = sock_error(sk);
1565 if (err)
1566 break;
1567 }
1568 set_current_state(TASK_RUNNING);
2b0b05dd 1569 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1570 return err;
1571}
1572
721c4181 1573static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1574{
721c4181
GP		 1575 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1576 monitor_timer.work);
e90bac06 1577
525cd185 1578 BT_DBG("chan %p", chan);
0e98958d 1579
6be36555
AE		 1580 l2cap_chan_lock(chan);
1581
2c03a7a4 1582 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1583 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
6be36555 1584 l2cap_chan_unlock(chan);
8d7e1c7f 1585 l2cap_chan_put(chan);
e90bac06
GP		 1586 return;
1587 }
1588
6a026610 1589 chan->retry_count++;
1a09bcb9 1590 __set_monitor_timer(chan);
e90bac06 1591
525cd185 1592 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
6be36555 1593 l2cap_chan_unlock(chan);
8d7e1c7f 1594 l2cap_chan_put(chan);
e90bac06
GP		 1595}
1596
721c4181 1597static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1598{
721c4181
GP		 1599 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1600 retrans_timer.work);
e90bac06 1601
49208c9c 1602 BT_DBG("chan %p", chan);
0e98958d 1603
6be36555
AE		 1604 l2cap_chan_lock(chan);
1605
6a026610 1606 chan->retry_count = 1;
1a09bcb9 1607 __set_monitor_timer(chan);
e90bac06 1608
e2ab4353 1609 set_bit(CONN_WAIT_F, &chan->conn_state);
e90bac06 1610
525cd185 1611 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
6be36555
AE		 1612
1613 l2cap_chan_unlock(chan);
8d7e1c7f 1614 l2cap_chan_put(chan);
e90bac06
GP		 1615}
1616
42e5c802 1617static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1da177e4 1618{
1c2acffb 1619 struct sk_buff *skb;
1da177e4 1620
58d35f87 1621 while ((skb = skb_peek(&chan->tx_q)) &&
6a026610 1622 chan->unacked_frames) {
3ce3514f 1623 if (bt_cb(skb)->control.txseq == chan->expected_ack_seq)
1c2acffb 1624 break;
1da177e4 1625
58d35f87 1626 skb = skb_dequeue(&chan->tx_q);
1c2acffb 1627 kfree_skb(skb);
1da177e4 1628
6a026610 1629 chan->unacked_frames--;
1c2acffb 1630 }
1da177e4 1631
6a026610 1632 if (!chan->unacked_frames)
1a09bcb9 1633 __clear_retrans_timer(chan);
1c2acffb 1634}
1da177e4 1635
67c9e840 1636static void l2cap_streaming_send(struct l2cap_chan *chan)
6840ed07 1637{
ccbb84af 1638 struct sk_buff *skb;
88843ab0
AE		 1639 u32 control;
1640 u16 fcs;
6840ed07 1641
58d35f87 1642 while ((skb = skb_dequeue(&chan->tx_q))) {
88843ab0 1643 control = __get_control(chan, skb->data + L2CAP_HDR_SIZE);
fb45de7d 1644 control |= __set_txseq(chan, chan->next_tx_seq);
88843ab0 1645 __put_control(chan, control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1646
47d1ec61 1647 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1648 fcs = crc16(0, (u8 *)skb->data,
1649 skb->len - L2CAP_FCS_SIZE);
1650 put_unaligned_le16(fcs,
1651 skb->data + skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 1652 }
1653
4343478f 1654 l2cap_do_send(chan, skb);
6840ed07 1655
836be934 1656 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
6840ed07 1657 }
6840ed07
GP		 1658}
1659
fb45de7d 1660static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 1661{
8f17154f 1662 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1663 u16 fcs;
1664 u32 control;
8f17154f 1665
58d35f87 1666 skb = skb_peek(&chan->tx_q);
f11d676d
GP		 1667 if (!skb)
1668 return;
8f17154f 1669
3ce3514f 1670 while (bt_cb(skb)->control.txseq != tx_seq) {
58d35f87 1671 if (skb_queue_is_last(&chan->tx_q, skb))
f11d676d 1672 return;
8f17154f 1673
d1726b6d
SJ		 1674 skb = skb_queue_next(&chan->tx_q, skb);
1675 }
8f17154f 1676
3ce3514f
MM		 1677 if (bt_cb(skb)->control.retries == chan->remote_max_tx &&
1678 chan->remote_max_tx) {
8c1d787b 1679 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
f11d676d
GP		 1680 return;
1681 }
1682
1683 tx_skb = skb_clone(skb, GFP_ATOMIC);
3ce3514f 1684 bt_cb(skb)->control.retries++;
88843ab0
AE		 1685
1686 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1687 control &= __get_sar_mask(chan);
3cb123d1 1688
e2ab4353 1689 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1690 control |= __set_ctrl_final(chan);
95ffa978 1691
0b209fae 1692 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1693 control |= __set_txseq(chan, tx_seq);
3cb123d1 1694
88843ab0 1695 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
f11d676d 1696
47d1ec61 1697 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1698 fcs = crc16(0, (u8 *)tx_skb->data,
1699 tx_skb->len - L2CAP_FCS_SIZE);
1700 put_unaligned_le16(fcs,
1701 tx_skb->data + tx_skb->len - L2CAP_FCS_SIZE);
f11d676d
GP		 1702 }
1703
4343478f 1704 l2cap_do_send(chan, tx_skb);
8f17154f
GP		 1705}
1706
67c9e840 1707static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1708{
1709 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1710 u16 fcs;
1711 u32 control;
9a9c6a34 1712 int nsent = 0;
1c2acffb 1713
89bc500e 1714 if (chan->state != BT_CONNECTED)
c13ffa62 1715 return -ENOTCONN;
e90bac06 1716
58d35f87 1717 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1c2acffb 1718
3ce3514f
MM		 1719 if (bt_cb(skb)->control.retries == chan->remote_max_tx &&
1720 chan->remote_max_tx) {
8c1d787b 1721 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
e90bac06
GP		 1722 break;
1723 }
1724
e420aba3
AE		 1725 tx_skb = skb_clone(skb, GFP_ATOMIC);
1726
3ce3514f 1727 bt_cb(skb)->control.retries++;
e90bac06 1728
88843ab0 1729 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1730 control &= __get_sar_mask(chan);
95ffa978 1731
e2ab4353 1732 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1733 control |= __set_ctrl_final(chan);
e2ab4353 1734
0b209fae 1735 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1736 control |= __set_txseq(chan, chan->next_tx_seq);
1c2acffb 1737
88843ab0 1738 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
e90bac06 1739
47d1ec61 1740 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1741 fcs = crc16(0, (u8 *)skb->data,
1742 tx_skb->len - L2CAP_FCS_SIZE);
1743 put_unaligned_le16(fcs, skb->data +
1744 tx_skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 1745 }
1746
4343478f 1747 l2cap_do_send(chan, tx_skb);
9a9c6a34 1748
1a09bcb9 1749 __set_retrans_timer(chan);
1c2acffb 1750
3ce3514f 1751 bt_cb(skb)->control.txseq = chan->next_tx_seq;
836be934
AE		 1752
1753 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1c2acffb 1754
3ce3514f 1755 if (bt_cb(skb)->control.retries == 1) {
6a026610 1756 chan->unacked_frames++;
930fa4ae
SJ		 1757
1758 if (!nsent++)
1759 __clear_ack_timer(chan);
8ed7a0ae 1760 }
23e9fde2 1761
6a026610 1762 chan->frames_sent++;
1c2acffb 1763
58d35f87
GP		 1764 if (skb_queue_is_last(&chan->tx_q, skb))
1765 chan->tx_send_head = NULL;
1c2acffb 1766 else
58d35f87 1767 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1c2acffb
GP		 1768 }
1769
9e917af1
GP		 1770 return nsent;
1771}
1772
525cd185 1773static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1774{
dfc909be
GP		 1775 int ret;
1776
58d35f87
GP		 1777 if (!skb_queue_empty(&chan->tx_q))
1778 chan->tx_send_head = chan->tx_q.next;
dfc909be 1779
42e5c802 1780 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1781 ret = l2cap_ertm_send(chan);
dfc909be
GP		 1782 return ret;
1783}
1784
b17e73bb 1785static void __l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1786{
88843ab0 1787 u32 control = 0;
9e917af1 1788
0b209fae 1789 control |= __set_reqseq(chan, chan->buffer_seq);
9e917af1 1790
e2ab4353 1791 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 1792 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 1793 set_bit(CONN_RNR_SENT, &chan->conn_state);
525cd185 1794 l2cap_send_sframe(chan, control);
9a9c6a34 1795 return;
9e917af1 1796 }
dfc909be 1797
525cd185 1798 if (l2cap_ertm_send(chan) > 0)
dfc909be
GP		 1799 return;
1800
ab784b73 1801 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 1802 l2cap_send_sframe(chan, control);
1c2acffb
GP		 1803}
1804
b17e73bb
SJ		 1805static void l2cap_send_ack(struct l2cap_chan *chan)
1806{
1807 __clear_ack_timer(chan);
1808 __l2cap_send_ack(chan);
1809}
1810
525cd185 1811static void l2cap_send_srejtail(struct l2cap_chan *chan)
99b0d4b7
GP		 1812{
1813 struct srej_list *tail;
88843ab0 1814 u32 control;
99b0d4b7 1815
ab784b73 1816 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
03f6715d 1817 control |= __set_ctrl_final(chan);
99b0d4b7 1818
39d5a3ee 1819 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
0b209fae 1820 control |= __set_reqseq(chan, tail->tx_seq);
99b0d4b7 1821
525cd185 1822 l2cap_send_sframe(chan, control);
99b0d4b7
GP		 1823}
1824
04124681
GP		 1825static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
1826 struct msghdr *msg, int len,
1827 int count, struct sk_buff *skb)
1c2acffb 1828{
0952a57a 1829 struct l2cap_conn *conn = chan->conn;
1c2acffb 1830 struct sk_buff **frag;
90338947 1831 int sent = 0;
1da177e4 1832
59203a21 1833 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1834 return -EFAULT;
1da177e4
LT		 1835
1836 sent += count;
1837 len -= count;
1838
1839 /* Continuation fragments (no L2CAP header) */
1840 frag = &skb_shinfo(skb)->frag_list;
1841 while (len) {
1842 count = min_t(unsigned int, conn->mtu, len);
1843
2f7719ce 1844 *frag = chan->ops->alloc_skb(chan, count,
90338947 1845 msg->msg_flags & MSG_DONTWAIT);
2f7719ce 1846
90338947
GP		 1847 if (IS_ERR(*frag))
1848 return PTR_ERR(*frag);
1c2acffb
GP		 1849 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1850 return -EFAULT;
1da177e4 1851
5e59b791
LAD		 1852 (*frag)->priority = skb->priority;
1853
1da177e4
LT		 1854 sent += count;
1855 len -= count;
1856
1857 frag = &(*frag)->next;
1858 }
1da177e4
LT		 1859
1860 return sent;
1c2acffb 1861}
1da177e4 1862
5e59b791
LAD		 1863static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
1864 struct msghdr *msg, size_t len,
1865 u32 priority)
1c2acffb 1866{
8c1d787b 1867 struct l2cap_conn *conn = chan->conn;
1c2acffb 1868 struct sk_buff *skb;
03a51213 1869 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 1870 struct l2cap_hdr *lh;
1871
6d5922b0 1872 BT_DBG("chan %p len %d priority %u", chan, (int)len, priority);
1c2acffb
GP		 1873
1874 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1875
1876 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 1877 msg->msg_flags & MSG_DONTWAIT);
1878 if (IS_ERR(skb))
1879 return skb;
1c2acffb 1880
5e59b791
LAD		 1881 skb->priority = priority;
1882
1c2acffb
GP		 1883 /* Create L2CAP header */
1884 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1885 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1886 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
097db76c 1887 put_unaligned(chan->psm, skb_put(skb, 2));
1c2acffb 1888
0952a57a 1889 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1890 if (unlikely(err < 0)) {
1891 kfree_skb(skb);
1892 return ERR_PTR(err);
1893 }
1894 return skb;
1895}
1896
5e59b791
LAD		 1897static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
1898 struct msghdr *msg, size_t len,
1899 u32 priority)
1c2acffb 1900{
8c1d787b 1901 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1902 struct sk_buff *skb;
1903 int err, count, hlen = L2CAP_HDR_SIZE;
1904 struct l2cap_hdr *lh;
1905
6d5922b0 1906 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb
GP		 1907
1908 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1909
1910 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 1911 msg->msg_flags & MSG_DONTWAIT);
1912 if (IS_ERR(skb))
1913 return skb;
1c2acffb 1914
5e59b791
LAD		 1915 skb->priority = priority;
1916
1c2acffb
GP		 1917 /* Create L2CAP header */
1918 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1919 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1920 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1921
0952a57a 1922 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1923 if (unlikely(err < 0)) {
1924 kfree_skb(skb);
1925 return ERR_PTR(err);
1926 }
1927 return skb;
1928}
1929
ab0ff76d
LAD		 1930static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
1931 struct msghdr *msg, size_t len,
88843ab0 1932 u32 control, u16 sdulen)
1c2acffb 1933{
8c1d787b 1934 struct l2cap_conn *conn = chan->conn;
1c2acffb 1935 struct sk_buff *skb;
e4ca6d98 1936 int err, count, hlen;
1c2acffb
GP		 1937 struct l2cap_hdr *lh;
1938
6d5922b0 1939 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 1940
0ee0d208
GP		 1941 if (!conn)
1942 return ERR_PTR(-ENOTCONN);
1943
e4ca6d98
AE		 1944 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1945 hlen = L2CAP_EXT_HDR_SIZE;
1946 else
1947 hlen = L2CAP_ENH_HDR_SIZE;
1948
c74e560c 1949 if (sdulen)
03a51213 1950 hlen += L2CAP_SDULEN_SIZE;
c74e560c 1951
47d1ec61 1952 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1953 hlen += L2CAP_FCS_SIZE;
fcc203c3 1954
1c2acffb 1955 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1956
1957 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 1958 msg->msg_flags & MSG_DONTWAIT);
1959 if (IS_ERR(skb))
1960 return skb;
1c2acffb
GP		 1961
1962 /* Create L2CAP header */
1963 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1964 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1965 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0
AE		 1966
1967 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
1968
c74e560c 1969 if (sdulen)
03a51213 1970 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 1971
0952a57a 1972 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1973 if (unlikely(err < 0)) {
1974 kfree_skb(skb);
1975 return ERR_PTR(err);
1976 }
e90bac06 1977
47d1ec61 1978 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1979 put_unaligned_le16(0, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3 1980
3ce3514f 1981 bt_cb(skb)->control.retries = 0;
1c2acffb 1982 return skb;
1da177e4
LT		 1983}
1984
67c9e840 1985static int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
c74e560c 1986{
c74e560c
GP		 1987 struct sk_buff *skb;
1988 struct sk_buff_head sar_queue;
88843ab0 1989 u32 control;
c74e560c
GP		 1990 size_t size = 0;
1991
ff12fd64 1992 skb_queue_head_init(&sar_queue);
7e0ef6ee 1993 control = __set_ctrl_sar(chan, L2CAP_SAR_START);
47d1ec61 1994 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
c74e560c
GP		 1995 if (IS_ERR(skb))
1996 return PTR_ERR(skb);
1997
1998 __skb_queue_tail(&sar_queue, skb);
2c03a7a4
GP		 1999 len -= chan->remote_mps;
2000 size += chan->remote_mps;
c74e560c
GP		 2001
2002 while (len > 0) {
2003 size_t buflen;
2004
2c03a7a4 2005 if (len > chan->remote_mps) {
7e0ef6ee 2006 control = __set_ctrl_sar(chan, L2CAP_SAR_CONTINUE);
2c03a7a4 2007 buflen = chan->remote_mps;
c74e560c 2008 } else {
7e0ef6ee 2009 control = __set_ctrl_sar(chan, L2CAP_SAR_END);
c74e560c
GP		 2010 buflen = len;
2011 }
2012
47d1ec61 2013 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
c74e560c
GP		 2014 if (IS_ERR(skb)) {
2015 skb_queue_purge(&sar_queue);
2016 return PTR_ERR(skb);
2017 }
2018
2019 __skb_queue_tail(&sar_queue, skb);
2020 len -= buflen;
2021 size += buflen;
c74e560c 2022 }
58d35f87
GP		 2023 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
2024 if (chan->tx_send_head == NULL)
2025 chan->tx_send_head = sar_queue.next;
c74e560c
GP		 2026
2027 return size;
2028}
2029
5e59b791
LAD		 2030int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2031 u32 priority)
9a91a04a 2032{
9a91a04a 2033 struct sk_buff *skb;
88843ab0 2034 u32 control;
9a91a04a
GP		 2035 int err;
2036
2037 /* Connectionless channel */
715ec005 2038 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2039 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2040 if (IS_ERR(skb))
2041 return PTR_ERR(skb);
2042
2043 l2cap_do_send(chan, skb);
2044 return len;
2045 }
2046
2047 switch (chan->mode) {
2048 case L2CAP_MODE_BASIC:
2049 /* Check outgoing MTU */
2050 if (len > chan->omtu)
2051 return -EMSGSIZE;
2052
2053 /* Create a basic PDU */
5e59b791 2054 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2055 if (IS_ERR(skb))
2056 return PTR_ERR(skb);
2057
2058 l2cap_do_send(chan, skb);
2059 err = len;
2060 break;
2061
2062 case L2CAP_MODE_ERTM:
2063 case L2CAP_MODE_STREAMING:
2064 /* Entire SDU fits into one PDU */
2065 if (len <= chan->remote_mps) {
7e0ef6ee 2066 control = __set_ctrl_sar(chan, L2CAP_SAR_UNSEGMENTED);
9a91a04a
GP		 2067 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
2068 0);
2069 if (IS_ERR(skb))
2070 return PTR_ERR(skb);
2071
2072 __skb_queue_tail(&chan->tx_q, skb);
2073
2074 if (chan->tx_send_head == NULL)
2075 chan->tx_send_head = skb;
2076
2077 } else {
2078 /* Segment SDU into multiples PDUs */
2079 err = l2cap_sar_segment_sdu(chan, msg, len);
2080 if (err < 0)
2081 return err;
2082 }
2083
2084 if (chan->mode == L2CAP_MODE_STREAMING) {
2085 l2cap_streaming_send(chan);
2086 err = len;
2087 break;
2088 }
2089
e2ab4353
GP		 2090 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
2091 test_bit(CONN_WAIT_F, &chan->conn_state)) {
9a91a04a
GP		 2092 err = len;
2093 break;
2094 }
2095
2096 err = l2cap_ertm_send(chan);
2097 if (err >= 0)
2098 err = len;
2099
2100 break;
2101
2102 default:
2103 BT_DBG("bad state %1.1x", chan->mode);
2104 err = -EBADFD;
2105 }
2106
2107 return err;
2108}
2109
1da177e4
LT		 2110/* Copy frame to all raw sockets on that connection */
2111static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2112{
1da177e4 2113 struct sk_buff *nskb;
48454079 2114 struct l2cap_chan *chan;
1da177e4
LT		 2115
2116 BT_DBG("conn %p", conn);
2117
3df91ea2 2118 mutex_lock(&conn->chan_lock);
3d57dc68 2119
3df91ea2 2120 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2121 struct sock *sk = chan->sk;
715ec005 2122 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2123 continue;
2124
2125 /* Don't send frame to the socket it came from */
2126 if (skb->sk == sk)
2127 continue;
af05b30b
GP		 2128 nskb = skb_clone(skb, GFP_ATOMIC);
2129 if (!nskb)
1da177e4
LT		 2130 continue;
2131
23070494 2132 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT		 2133 kfree_skb(nskb);
2134 }
3d57dc68 2135
3df91ea2 2136 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2137}
2138
2139/* ---- L2CAP signalling commands ---- */
2140static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2141 u8 code, u8 ident, u16 dlen, void *data)
2142{
2143 struct sk_buff *skb, **frag;
2144 struct l2cap_cmd_hdr *cmd;
2145 struct l2cap_hdr *lh;
2146 int len, count;
2147
af05b30b
GP		 2148 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2149 conn, code, ident, dlen);
1da177e4
LT		 2150
2151 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2152 count = min_t(unsigned int, conn->mtu, len);
2153
2154 skb = bt_skb_alloc(count, GFP_ATOMIC);
2155 if (!skb)
2156 return NULL;
2157
2158 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2159 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2160
2161 if (conn->hcon->type == LE_LINK)
2162 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2163 else
2164 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2165
2166 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2167 cmd->code = code;
2168 cmd->ident = ident;
aca3192c 2169 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2170
2171 if (dlen) {
2172 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2173 memcpy(skb_put(skb, count), data, count);
2174 data += count;
2175 }
2176
2177 len -= skb->len;
2178
2179 /* Continuation fragments (no L2CAP header) */
2180 frag = &skb_shinfo(skb)->frag_list;
2181 while (len) {
2182 count = min_t(unsigned int, conn->mtu, len);
2183
2184 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2185 if (!*frag)
2186 goto fail;
2187
2188 memcpy(skb_put(*frag, count), data, count);
2189
2190 len -= count;
2191 data += count;
2192
2193 frag = &(*frag)->next;
2194 }
2195
2196 return skb;
2197
2198fail:
2199 kfree_skb(skb);
2200 return NULL;
2201}
2202
2203static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2204{
2205 struct l2cap_conf_opt *opt = *ptr;
2206 int len;
2207
2208 len = L2CAP_CONF_OPT_SIZE + opt->len;
2209 *ptr += len;
2210
2211 *type = opt->type;
2212 *olen = opt->len;
2213
2214 switch (opt->len) {
2215 case 1:
2216 *val = *((u8 *) opt->val);
2217 break;
2218
2219 case 2:
bfaaeb3e 2220 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2221 break;
2222
2223 case 4:
bfaaeb3e 2224 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2225 break;
2226
2227 default:
2228 *val = (unsigned long) opt->val;
2229 break;
2230 }
2231
2232 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2233 return len;
2234}
2235
1da177e4
LT		 2236static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2237{
2238 struct l2cap_conf_opt *opt = *ptr;
2239
2240 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2241
2242 opt->type = type;
2243 opt->len = len;
2244
2245 switch (len) {
2246 case 1:
2247 *((u8 *) opt->val) = val;
2248 break;
2249
2250 case 2:
4f8b691c 2251 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2252 break;
2253
2254 case 4:
4f8b691c 2255 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2256 break;
2257
2258 default:
2259 memcpy(opt->val, (void *) val, len);
2260 break;
2261 }
2262
2263 *ptr += L2CAP_CONF_OPT_SIZE + len;
2264}
2265
f89cef09
AE		 2266static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2267{
2268 struct l2cap_conf_efs efs;
2269
1ec918ce 2270 switch (chan->mode) {
f89cef09
AE		 2271 case L2CAP_MODE_ERTM:
2272 efs.id = chan->local_id;
2273 efs.stype = chan->local_stype;
2274 efs.msdu = cpu_to_le16(chan->local_msdu);
2275 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2276 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2277 efs.flush_to = cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
2278 break;
2279
2280 case L2CAP_MODE_STREAMING:
2281 efs.id = 1;
2282 efs.stype = L2CAP_SERV_BESTEFFORT;
2283 efs.msdu = cpu_to_le16(chan->local_msdu);
2284 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2285 efs.acc_lat = 0;
2286 efs.flush_to = 0;
2287 break;
2288
2289 default:
2290 return;
2291 }
2292
2293 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
2294 (unsigned long) &efs);
2295}
2296
721c4181 2297static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2298{
721c4181
GP		 2299 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2300 ack_timer.work);
c1b4f43b 2301
2fb9b3d4
GP		 2302 BT_DBG("chan %p", chan);
2303
6be36555
AE		 2304 l2cap_chan_lock(chan);
2305
b17e73bb 2306 __l2cap_send_ack(chan);
6be36555
AE		 2307
2308 l2cap_chan_unlock(chan);
09bfb2ee
SJ		 2309
2310 l2cap_chan_put(chan);
c1b4f43b
GP		 2311}
2312
3c588192 2313static inline int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2314{
3c588192
MM		 2315 int err;
2316
42e5c802 2317 chan->expected_ack_seq = 0;
6a026610 2318 chan->unacked_frames = 0;
42e5c802 2319 chan->buffer_seq = 0;
6a026610
GP		 2320 chan->num_acked = 0;
2321 chan->frames_sent = 0;
0565c1c2 2322
721c4181
GP		 2323 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2324 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2325 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2326
f1c6775b 2327 skb_queue_head_init(&chan->srej_q);
1890d36b 2328
39d5a3ee 2329 INIT_LIST_HEAD(&chan->srej_l);
3c588192
MM		 2330 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2331 if (err < 0)
2332 return err;
2333
2334 return l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
0565c1c2
GP		 2335}
2336
f2fcfcd6
GP		 2337static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2338{
2339 switch (mode) {
2340 case L2CAP_MODE_STREAMING:
2341 case L2CAP_MODE_ERTM:
2342 if (l2cap_mode_supported(mode, remote_feat_mask))
2343 return mode;
2344 /* fall through */
2345 default:
2346 return L2CAP_MODE_BASIC;
2347 }
2348}
2349
6327eb98
AE		 2350static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2351{
2352 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2353}
2354
f89cef09
AE		 2355static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2356{
2357 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2358}
2359
6327eb98
AE		 2360static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2361{
2362 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 2363 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2364 /* use extended control field */
2365 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2366 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2367 } else {
6327eb98
AE		 2368 chan->tx_win = min_t(u16, chan->tx_win,
2369 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2370 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2371 }
6327eb98
AE		 2372}
2373
710f9b0a 2374static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2375{
1da177e4 2376 struct l2cap_conf_req *req = data;
0c1bc5c6 2377 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2378 void *ptr = req->data;
c8f79162 2379 u16 size;
1da177e4 2380
49208c9c 2381 BT_DBG("chan %p", chan);
1da177e4 2382
73ffa904 2383 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2384 goto done;
2385
0c1bc5c6 2386 switch (chan->mode) {
f2fcfcd6
GP		 2387 case L2CAP_MODE_STREAMING:
2388 case L2CAP_MODE_ERTM:
c1360a1c 2389 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2390 break;
85eb53c6 2391
f89cef09
AE		 2392 if (__l2cap_efs_supported(chan))
2393 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2394
2ba13ed6 2395 /* fall through */
f2fcfcd6 2396 default:
8c1d787b 2397 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2398 break;
2399 }
2400
2401done:
0c1bc5c6
GP		 2402 if (chan->imtu != L2CAP_DEFAULT_MTU)
2403 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2404
0c1bc5c6 2405 switch (chan->mode) {
65c7c491 2406 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2407 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2408 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2409 break;
2410
62547752
GP		 2411 rfc.mode = L2CAP_MODE_BASIC;
2412 rfc.txwin_size = 0;
2413 rfc.max_transmit = 0;
2414 rfc.retrans_timeout = 0;
2415 rfc.monitor_timeout = 0;
2416 rfc.max_pdu_size = 0;
2417
63406504
GP		 2418 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2419 (unsigned long) &rfc);
65c7c491
MH		 2420 break;
2421
2422 case L2CAP_MODE_ERTM:
2423 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2424 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2425 rfc.retrans_timeout = 0;
2426 rfc.monitor_timeout = 0;
c8f79162
AE		 2427
2428 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2429 L2CAP_EXT_HDR_SIZE -
2430 L2CAP_SDULEN_SIZE -
2431 L2CAP_FCS_SIZE);
2432 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2433
6327eb98
AE		 2434 l2cap_txwin_setup(chan);
2435
2436 rfc.txwin_size = min_t(u16, chan->tx_win,
2437 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2438
63406504
GP		 2439 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2440 (unsigned long) &rfc);
2441
f89cef09
AE		 2442 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2443 l2cap_add_opt_efs(&ptr, chan);
2444
8c1d787b 2445 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2446 break;
2447
47d1ec61 2448 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2449 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2450 chan->fcs = L2CAP_FCS_NONE;
2451 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2452 }
6327eb98
AE		 2453
2454 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2455 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2456 chan->tx_win);
f2fcfcd6
GP		 2457 break;
2458
2459 case L2CAP_MODE_STREAMING:
2460 rfc.mode = L2CAP_MODE_STREAMING;
2461 rfc.txwin_size = 0;
2462 rfc.max_transmit = 0;
2463 rfc.retrans_timeout = 0;
2464 rfc.monitor_timeout = 0;
c8f79162
AE		 2465
2466 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2467 L2CAP_EXT_HDR_SIZE -
2468 L2CAP_SDULEN_SIZE -
2469 L2CAP_FCS_SIZE);
2470 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2471
63406504
GP		 2472 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2473 (unsigned long) &rfc);
2474
f89cef09
AE		 2475 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2476 l2cap_add_opt_efs(&ptr, chan);
2477
8c1d787b 2478 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2479 break;
2480
47d1ec61 2481 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2482 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2483 chan->fcs = L2CAP_FCS_NONE;
2484 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2485 }
65c7c491
MH		 2486 break;
2487 }
1da177e4 2488
fe4128e0 2489 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 2490 req->flags = cpu_to_le16(0);
1da177e4
LT		 2491
2492 return ptr - data;
2493}
2494
73ffa904 2495static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2496{
5dee9e7c
MH		 2497 struct l2cap_conf_rsp *rsp = data;
2498 void *ptr = rsp->data;
73ffa904
GP		 2499 void *req = chan->conf_req;
2500 int len = chan->conf_len;
5dee9e7c
MH		 2501 int type, hint, olen;
2502 unsigned long val;
6464f35f 2503 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2504 struct l2cap_conf_efs efs;
2505 u8 remote_efs = 0;
861d6882 2506 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2507 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2508 u16 size;
1da177e4 2509
73ffa904 2510 BT_DBG("chan %p", chan);
820ae1b8 2511
5dee9e7c
MH		 2512 while (len >= L2CAP_CONF_OPT_SIZE) {
2513 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2514
589d2746 2515 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2516 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2517
2518 switch (type) {
2519 case L2CAP_CONF_MTU:
861d6882 2520 mtu = val;
5dee9e7c
MH		 2521 break;
2522
2523 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2524 chan->flush_to = val;
5dee9e7c
MH		 2525 break;
2526
2527 case L2CAP_CONF_QOS:
2528 break;
2529
6464f35f
MH		 2530 case L2CAP_CONF_RFC:
2531 if (olen == sizeof(rfc))
2532 memcpy(&rfc, (void *) val, olen);
2533 break;
2534
fcc203c3
GP		 2535 case L2CAP_CONF_FCS:
2536 if (val == L2CAP_FCS_NONE)
c1360a1c 2537 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 2538 break;
fcc203c3 2539
42dceae2
AE		 2540 case L2CAP_CONF_EFS:
2541 remote_efs = 1;
2542 if (olen == sizeof(efs))
2543 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 2544 break;
2545
6327eb98
AE		 2546 case L2CAP_CONF_EWS:
2547 if (!enable_hs)
2548 return -ECONNREFUSED;
fcc203c3 2549
6327eb98
AE		 2550 set_bit(FLAG_EXT_CTRL, &chan->flags);
2551 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 2552 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 2553 chan->remote_tx_win = val;
fcc203c3
GP		 2554 break;
2555
5dee9e7c
MH		 2556 default:
2557 if (hint)
2558 break;
2559
2560 result = L2CAP_CONF_UNKNOWN;
2561 *((u8 *) ptr++) = type;
2562 break;
2563 }
2564 }
2565
73ffa904 2566 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2567 goto done;
2568
0c1bc5c6 2569 switch (chan->mode) {
f2fcfcd6
GP		 2570 case L2CAP_MODE_STREAMING:
2571 case L2CAP_MODE_ERTM:
c1360a1c 2572 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2573 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2574 chan->conn->feat_mask);
85eb53c6
GP		 2575 break;
2576 }
2577
42dceae2
AE		 2578 if (remote_efs) {
2579 if (__l2cap_efs_supported(chan))
2580 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2581 else
2582 return -ECONNREFUSED;
2583 }
2584
0c1bc5c6 2585 if (chan->mode != rfc.mode)
f2fcfcd6 2586 return -ECONNREFUSED;
742e519b 2587
f2fcfcd6 2588 break;
f2fcfcd6
GP		 2589 }
2590
2591done:
0c1bc5c6 2592 if (chan->mode != rfc.mode) {
f2fcfcd6 2593 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2594 rfc.mode = chan->mode;
f2fcfcd6 2595
73ffa904 2596 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2597 return -ECONNREFUSED;
2598
2599 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2600 sizeof(rfc), (unsigned long) &rfc);
2601 }
2602
5dee9e7c
MH		 2603 if (result == L2CAP_CONF_SUCCESS) {
2604 /* Configure output options and let the other side know
2605 * which ones we don't like. */
2606
f2fcfcd6
GP		 2607 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2608 result = L2CAP_CONF_UNACCEPT;
2609 else {
0c1bc5c6 2610 chan->omtu = mtu;
c1360a1c 2611 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 2612 }
0c1bc5c6 2613 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2614
42dceae2
AE		 2615 if (remote_efs) {
2616 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2617 efs.stype != L2CAP_SERV_NOTRAFIC &&
2618 efs.stype != chan->local_stype) {
2619
2620 result = L2CAP_CONF_UNACCEPT;
2621
2622 if (chan->num_conf_req >= 1)
2623 return -ECONNREFUSED;
2624
2625 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 2626 sizeof(efs),
42dceae2 2627 (unsigned long) &efs);
0e8b207e 2628 } else {
3e6b3b95 2629 /* Send PENDING Conf Rsp */
0e8b207e
AE		 2630 result = L2CAP_CONF_PENDING;
2631 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 2632 }
2633 }
2634
f2fcfcd6
GP		 2635 switch (rfc.mode) {
2636 case L2CAP_MODE_BASIC:
47d1ec61 2637 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2638 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 2639 break;
2640
2641 case L2CAP_MODE_ERTM:
6327eb98
AE		 2642 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
2643 chan->remote_tx_win = rfc.txwin_size;
2644 else
2645 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 2646
2c03a7a4 2647 chan->remote_max_tx = rfc.max_transmit;
1c762159 2648
c8f79162
AE		 2649 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2650 chan->conn->mtu -
2651 L2CAP_EXT_HDR_SIZE -
2652 L2CAP_SDULEN_SIZE -
2653 L2CAP_FCS_SIZE);
2654 rfc.max_pdu_size = cpu_to_le16(size);
2655 chan->remote_mps = size;
f2fcfcd6 2656
10467e9e 2657 rfc.retrans_timeout =
4fd21a88 2658 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
10467e9e 2659 rfc.monitor_timeout =
4fd21a88 2660 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2661
c1360a1c 2662 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2663
2664 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2665 sizeof(rfc), (unsigned long) &rfc);
2666
42dceae2
AE		 2667 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2668 chan->remote_id = efs.id;
2669 chan->remote_stype = efs.stype;
2670 chan->remote_msdu = le16_to_cpu(efs.msdu);
2671 chan->remote_flush_to =
2672 le32_to_cpu(efs.flush_to);
2673 chan->remote_acc_lat =
2674 le32_to_cpu(efs.acc_lat);
2675 chan->remote_sdu_itime =
2676 le32_to_cpu(efs.sdu_itime);
2677 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2678 sizeof(efs), (unsigned long) &efs);
2679 }
f2fcfcd6
GP		 2680 break;
2681
2682 case L2CAP_MODE_STREAMING:
c8f79162
AE		 2683 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2684 chan->conn->mtu -
2685 L2CAP_EXT_HDR_SIZE -
2686 L2CAP_SDULEN_SIZE -
2687 L2CAP_FCS_SIZE);
2688 rfc.max_pdu_size = cpu_to_le16(size);
2689 chan->remote_mps = size;
f2fcfcd6 2690
c1360a1c 2691 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2692
2693 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2694 sizeof(rfc), (unsigned long) &rfc);
2695
f2fcfcd6
GP		 2696 break;
2697
2698 default:
5dee9e7c 2699 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2700
6464f35f 2701 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2702 rfc.mode = chan->mode;
f2fcfcd6 2703 }
6464f35f 2704
f2fcfcd6 2705 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 2706 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 2707 }
fe4128e0 2708 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2709 rsp->result = cpu_to_le16(result);
2710 rsp->flags = cpu_to_le16(0x0000);
2711
2712 return ptr - data;
1da177e4
LT		 2713}
2714
b4450035 2715static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2716{
f2fcfcd6
GP		 2717 struct l2cap_conf_req *req = data;
2718 void *ptr = req->data;
2719 int type, olen;
2720 unsigned long val;
36e999a8 2721 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 2722 struct l2cap_conf_efs efs;
f2fcfcd6 2723
fe4128e0 2724 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 2725
2726 while (len >= L2CAP_CONF_OPT_SIZE) {
2727 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2728
2729 switch (type) {
2730 case L2CAP_CONF_MTU:
2731 if (val < L2CAP_DEFAULT_MIN_MTU) {
2732 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2733 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2734 } else
0c1bc5c6
GP		 2735 chan->imtu = val;
2736 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 2737 break;
2738
2739 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2740 chan->flush_to = val;
f2fcfcd6 2741 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 2742 2, chan->flush_to);
f2fcfcd6
GP		 2743 break;
2744
2745 case L2CAP_CONF_RFC:
2746 if (olen == sizeof(rfc))
2747 memcpy(&rfc, (void *)val, olen);
2748
c1360a1c 2749 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 2750 rfc.mode != chan->mode)
f2fcfcd6
GP		 2751 return -ECONNREFUSED;
2752
47d1ec61 2753 chan->fcs = 0;
f2fcfcd6
GP		 2754
2755 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2756 sizeof(rfc), (unsigned long) &rfc);
2757 break;
6327eb98
AE		 2758
2759 case L2CAP_CONF_EWS:
2760 chan->tx_win = min_t(u16, val,
2761 L2CAP_DEFAULT_EXT_WINDOW);
3e6b3b95
GP		 2762 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2763 chan->tx_win);
6327eb98 2764 break;
66af7aaf
AE		 2765
2766 case L2CAP_CONF_EFS:
2767 if (olen == sizeof(efs))
2768 memcpy(&efs, (void *)val, olen);
2769
2770 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2771 efs.stype != L2CAP_SERV_NOTRAFIC &&
2772 efs.stype != chan->local_stype)
2773 return -ECONNREFUSED;
2774
2775 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2776 sizeof(efs), (unsigned long) &efs);
2777 break;
f2fcfcd6
GP		 2778 }
2779 }
2780
0c1bc5c6 2781 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 2782 return -ECONNREFUSED;
2783
0c1bc5c6 2784 chan->mode = rfc.mode;
6c2ea7a8 2785
0e8b207e 2786 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 2787 switch (rfc.mode) {
2788 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2789 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2790 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2791 chan->mps = le16_to_cpu(rfc.max_pdu_size);
66af7aaf
AE		 2792
2793 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2794 chan->local_msdu = le16_to_cpu(efs.msdu);
2795 chan->local_sdu_itime =
2796 le32_to_cpu(efs.sdu_itime);
2797 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
2798 chan->local_flush_to =
2799 le32_to_cpu(efs.flush_to);
2800 }
f2fcfcd6 2801 break;
66af7aaf 2802
f2fcfcd6 2803 case L2CAP_MODE_STREAMING:
47d1ec61 2804 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2805 }
2806 }
2807
fe4128e0 2808 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 2809 req->flags = cpu_to_le16(0x0000);
2810
2811 return ptr - data;
2812}
2813
fe4128e0 2814static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 2815{
2816 struct l2cap_conf_rsp *rsp = data;
2817 void *ptr = rsp->data;
1da177e4 2818
fe4128e0 2819 BT_DBG("chan %p", chan);
1da177e4 2820
fe4128e0 2821 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 2822 rsp->result = cpu_to_le16(result);
aca3192c 2823 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2824
2825 return ptr - data;
2826}
2827
8c1d787b 2828void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 2829{
2830 struct l2cap_conn_rsp rsp;
8c1d787b 2831 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 2832 u8 buf[128];
2833
fe4128e0
GP		 2834 rsp.scid = cpu_to_le16(chan->dcid);
2835 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 2836 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2837 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2838 l2cap_send_cmd(conn, chan->ident,
2839 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2840
c1360a1c 2841 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 2842 return;
2843
710f9b0a
GP		 2844 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2845 l2cap_build_conf_req(chan, buf), buf);
2846 chan->num_conf_req++;
2847}
2848
47d1ec61 2849static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 2850{
7b1c0049
GP		 2851 int type, olen;
2852 unsigned long val;
2853 struct l2cap_conf_rfc rfc;
2854
47d1ec61 2855 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 2856
0c1bc5c6 2857 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 2858 return;
2859
2860 while (len >= L2CAP_CONF_OPT_SIZE) {
2861 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2862
2863 switch (type) {
2864 case L2CAP_CONF_RFC:
2865 if (olen == sizeof(rfc))
2866 memcpy(&rfc, (void *)val, olen);
2867 goto done;
2868 }
2869 }
2870
36e999a8
MM		 2871 /* Use sane default values in case a misbehaving remote device
2872 * did not send an RFC option.
2873 */
2874 rfc.mode = chan->mode;
2875 rfc.retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
2876 rfc.monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
2877 rfc.max_pdu_size = cpu_to_le16(chan->imtu);
2878
2879 BT_ERR("Expected RFC option was not found, using defaults");
2880
7b1c0049
GP		 2881done:
2882 switch (rfc.mode) {
2883 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2884 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2885 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2886 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2887 break;
2888 case L2CAP_MODE_STREAMING:
47d1ec61 2889 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2890 }
2891}
2892
4e8402a3
MH		 2893static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2894{
e2fd318e 2895 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 2896
e2fd318e 2897 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 2898 return 0;
2899
2900 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2901 cmd->ident == conn->info_ident) {
17cd3f37 2902 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 2903
2904 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2905 conn->info_ident = 0;
984947dc 2906
4e8402a3
MH		 2907 l2cap_conn_start(conn);
2908 }
2909
2910 return 0;
2911}
2912
1da177e4
LT		 2913static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2914{
1da177e4
LT		 2915 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2916 struct l2cap_conn_rsp rsp;
23691d75 2917 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 2918 struct sock *parent, *sk = NULL;
e7c29cb1 2919 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2920
2921 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2922 __le16 psm = req->psm;
1da177e4 2923
097db76c 2924 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 2925
2926 /* Check if we have socket listening on psm */
c2287681 2927 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 2928 if (!pchan) {
1da177e4
LT		 2929 result = L2CAP_CR_BAD_PSM;
2930 goto sendresp;
2931 }
2932
23691d75
GP		 2933 parent = pchan->sk;
2934
3df91ea2 2935 mutex_lock(&conn->chan_lock);
aa2ac881 2936 lock_sock(parent);
e0f0cb56 2937
e7c29cb1
MH		 2938 /* Check if the ACL is secure enough (if not SDP) */
2939 if (psm != cpu_to_le16(0x0001) &&
2940 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 2941 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 2942 result = L2CAP_CR_SEC_BLOCK;
2943 goto response;
2944 }
2945
1da177e4
LT		 2946 result = L2CAP_CR_NO_MEM;
2947
2948 /* Check for backlog size */
2949 if (sk_acceptq_is_full(parent)) {
8e87d142 2950 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2951 goto response;
2952 }
2953
80808e43
GP		 2954 chan = pchan->ops->new_connection(pchan->data);
2955 if (!chan)
1da177e4
LT		 2956 goto response;
2957
80808e43
GP		 2958 sk = chan->sk;
2959
1da177e4 2960 /* Check if we already have channel with that dcid */
baa7e1fa 2961 if (__l2cap_get_chan_by_dcid(conn, scid)) {
1da177e4 2962 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 2963 chan->ops->close(chan->data);
1da177e4
LT		 2964 goto response;
2965 }
2966
2967 hci_conn_hold(conn->hcon);
2968
1da177e4
LT		 2969 bacpy(&bt_sk(sk)->src, conn->src);
2970 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 2971 chan->psm = psm;
2972 chan->dcid = scid;
1da177e4 2973
d1010240
GP		 2974 bt_accept_enqueue(parent, sk);
2975
6be36555 2976 __l2cap_chan_add(conn, chan);
48454079 2977
fe4128e0 2978 dcid = chan->scid;
1da177e4 2979
c9b66675 2980 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 2981
fc7f8a7e 2982 chan->ident = cmd->ident;
1da177e4 2983
984947dc 2984 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 2985 if (l2cap_chan_check_security(chan)) {
f66dc81f 2986 if (bt_sk(sk)->defer_setup) {
0e587be7 2987 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 2988 result = L2CAP_CR_PEND;
2989 status = L2CAP_CS_AUTHOR_PEND;
2990 parent->sk_data_ready(parent, 0);
2991 } else {
0e587be7 2992 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 2993 result = L2CAP_CR_SUCCESS;
2994 status = L2CAP_CS_NO_INFO;
2995 }
79d554a6 2996 } else {
0e587be7 2997 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2998 result = L2CAP_CR_PEND;
2999 status = L2CAP_CS_AUTHEN_PEND;
3000 }
3001 } else {
0e587be7 3002 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3003 result = L2CAP_CR_PEND;
3004 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3005 }
3006
1da177e4 3007response:
aa2ac881 3008 release_sock(parent);
3df91ea2 3009 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3010
3011sendresp:
aca3192c
YH		 3012 rsp.scid = cpu_to_le16(scid);
3013 rsp.dcid = cpu_to_le16(dcid);
3014 rsp.result = cpu_to_le16(result);
3015 rsp.status = cpu_to_le16(status);
1da177e4 3016 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 3017
3018 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3019 struct l2cap_info_req info;
3020 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3021
3022 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3023 conn->info_ident = l2cap_get_ident(conn);
3024
ba13ccd9 3025 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 3026
3027 l2cap_send_cmd(conn, conn->info_ident,
3028 L2CAP_INFO_REQ, sizeof(info), &info);
3029 }
3030
c1360a1c 3031 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 3032 result == L2CAP_CR_SUCCESS) {
3033 u8 buf[128];
c1360a1c 3034 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3035 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3036 l2cap_build_conf_req(chan, buf), buf);
3037 chan->num_conf_req++;
e9aeb2dd
GP		 3038 }
3039
1da177e4
LT		 3040 return 0;
3041}
3042
3043static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3044{
3045 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3046 u16 scid, dcid, result, status;
48454079 3047 struct l2cap_chan *chan;
1da177e4 3048 u8 req[128];
3df91ea2 3049 int err;
1da177e4
LT		 3050
3051 scid = __le16_to_cpu(rsp->scid);
3052 dcid = __le16_to_cpu(rsp->dcid);
3053 result = __le16_to_cpu(rsp->result);
3054 status = __le16_to_cpu(rsp->status);
3055
1b009c98
AE		 3056 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3057 dcid, scid, result, status);
1da177e4 3058
3df91ea2
AE		 3059 mutex_lock(&conn->chan_lock);
3060
1da177e4 3061 if (scid) {
3df91ea2
AE		 3062 chan = __l2cap_get_chan_by_scid(conn, scid);
3063 if (!chan) {
3064 err = -EFAULT;
3065 goto unlock;
3066 }
1da177e4 3067 } else {
3df91ea2
AE		 3068 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3069 if (!chan) {
3070 err = -EFAULT;
3071 goto unlock;
3072 }
1da177e4
LT		 3073 }
3074
3df91ea2
AE		 3075 err = 0;
3076
6be36555 3077 l2cap_chan_lock(chan);
48454079 3078
1da177e4
LT		 3079 switch (result) {
3080 case L2CAP_CR_SUCCESS:
89bc500e 3081 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3082 chan->ident = 0;
fe4128e0 3083 chan->dcid = dcid;
c1360a1c 3084 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3085
c1360a1c 3086 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3087 break;
3088
1da177e4 3089 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3090 l2cap_build_conf_req(chan, req), req);
3091 chan->num_conf_req++;
1da177e4
LT		 3092 break;
3093
3094 case L2CAP_CR_PEND:
c1360a1c 3095 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3096 break;
3097
3098 default:
48454079 3099 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3100 break;
3101 }
3102
6be36555 3103 l2cap_chan_unlock(chan);
3df91ea2
AE		 3104
3105unlock:
3106 mutex_unlock(&conn->chan_lock);
3107
3108 return err;
1da177e4
LT		 3109}
3110
47d1ec61 3111static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3112{
3113 /* FCS is enabled only in ERTM or streaming mode, if one or both
3114 * sides request it.
3115 */
0c1bc5c6 3116 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3117 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3118 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3119 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3120}
3121
88219a0f 3122static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 3123{
3124 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3125 u16 dcid, flags;
3126 u8 rsp[64];
48454079 3127 struct l2cap_chan *chan;
3c588192 3128 int len, err = 0;
1da177e4
LT		 3129
3130 dcid = __le16_to_cpu(req->dcid);
3131 flags = __le16_to_cpu(req->flags);
3132
3133 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3134
baa7e1fa 3135 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3136 if (!chan)
1da177e4
LT		 3137 return -ENOENT;
3138
6be36555 3139 l2cap_chan_lock(chan);
48454079 3140
033b1142 3141 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3142 struct l2cap_cmd_rej_cid rej;
3143
3144 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
3145 rej.scid = cpu_to_le16(chan->scid);
3146 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3147
df6bd743
GP		 3148 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
3149 sizeof(rej), &rej);
354f60a9 3150 goto unlock;
df6bd743 3151 }
354f60a9 3152
5dee9e7c 3153 /* Reject if config buffer is too small. */
88219a0f 3154 len = cmd_len - sizeof(*req);
7ac28817 3155 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3156 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3157 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 3158 L2CAP_CONF_REJECT, flags), rsp);
3159 goto unlock;
3160 }
3161
3162 /* Store config. */
73ffa904
GP		 3163 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3164 chan->conf_len += len;
1da177e4
LT		 3165
3166 if (flags & 0x0001) {
3167 /* Incomplete config. Send empty response. */
3168 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3169 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 3170 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 3171 goto unlock;
3172 }
3173
3174 /* Complete config. */
73ffa904 3175 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3176 if (len < 0) {
e92c8e70 3177 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 3178 goto unlock;
f2fcfcd6 3179 }
1da177e4 3180
5dee9e7c 3181 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3182 chan->num_conf_rsp++;
5dee9e7c 3183
5dee9e7c 3184 /* Reset config buffer. */
73ffa904 3185 chan->conf_len = 0;
5dee9e7c 3186
c1360a1c 3187 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3188 goto unlock;
3189
c1360a1c 3190 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3191 set_default_fcs(chan);
fcc203c3 3192
89bc500e 3193 l2cap_state_change(chan, BT_CONNECTED);
e90bac06 3194
42e5c802
GP		 3195 chan->next_tx_seq = 0;
3196 chan->expected_tx_seq = 0;
58d35f87 3197 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 3198 if (chan->mode == L2CAP_MODE_ERTM)
3c588192
MM		 3199 err = l2cap_ertm_init(chan);
3200
3201 if (err < 0)
3202 l2cap_send_disconn_req(chan->conn, chan, -err);
3203 else
3204 l2cap_chan_ready(chan);
0565c1c2 3205
876d9484
MH		 3206 goto unlock;
3207 }
3208
c1360a1c 3209 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3210 u8 buf[64];
1da177e4 3211 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3212 l2cap_build_conf_req(chan, buf), buf);
3213 chan->num_conf_req++;
1da177e4
LT		 3214 }
3215
0e8b207e
AE		 3216 /* Got Conf Rsp PENDING from remote side and asume we sent
3217 Conf Rsp PENDING in the code above */
3218 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
3219 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3220
3221 /* check compatibility */
3222
3223 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3224 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3225
3226 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3227 l2cap_build_conf_rsp(chan, rsp,
0e8b207e
AE		 3228 L2CAP_CONF_SUCCESS, 0x0000), rsp);
3229 }
3230
1da177e4 3231unlock:
6be36555 3232 l2cap_chan_unlock(chan);
3c588192 3233 return err;
1da177e4
LT		 3234}
3235
3236static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3237{
3238 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3239 u16 scid, flags, result;
48454079 3240 struct l2cap_chan *chan;
61386cba 3241 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3242 int err = 0;
1da177e4
LT		 3243
3244 scid = __le16_to_cpu(rsp->scid);
3245 flags = __le16_to_cpu(rsp->flags);
3246 result = __le16_to_cpu(rsp->result);
3247
61386cba
AE		 3248 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3249 result, len);
1da177e4 3250
baa7e1fa 3251 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3252 if (!chan)
1da177e4
LT		 3253 return 0;
3254
6be36555 3255 l2cap_chan_lock(chan);
48454079 3256
1da177e4
LT		 3257 switch (result) {
3258 case L2CAP_CONF_SUCCESS:
47d1ec61 3259 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3260 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3261 break;
3262
0e8b207e
AE		 3263 case L2CAP_CONF_PENDING:
3264 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3265
3266 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3267 char buf[64];
3268
3269 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3270 buf, &result);
3271 if (len < 0) {
3272 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3273 goto done;
3274 }
3275
3276 /* check compatibility */
3277
3278 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3279 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3280
3281 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3282 l2cap_build_conf_rsp(chan, buf,
0e8b207e
AE		 3283 L2CAP_CONF_SUCCESS, 0x0000), buf);
3284 }
3285 goto done;
3286
1da177e4 3287 case L2CAP_CONF_UNACCEPT:
73ffa904 3288 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3289 char req[64];
3290
c2c77ec8 3291 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 3292 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 3293 goto done;
3294 }
3295
f2fcfcd6
GP		 3296 /* throw out any old stored conf requests */
3297 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 3298 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3299 req, &result);
f2fcfcd6 3300 if (len < 0) {
e92c8e70 3301 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 3302 goto done;
3303 }
3304
3305 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3306 L2CAP_CONF_REQ, len, req);
73ffa904 3307 chan->num_conf_req++;
f2fcfcd6
GP		 3308 if (result != L2CAP_CONF_SUCCESS)
3309 goto done;
3310 break;
1da177e4
LT		 3311 }
3312
8e87d142 3313 default:
6be36555 3314 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 3315
ba13ccd9 3316 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 3317 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 3318 goto done;
3319 }
3320
3321 if (flags & 0x01)
3322 goto done;
3323
c1360a1c 3324 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 3325
c1360a1c 3326 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 3327 set_default_fcs(chan);
fcc203c3 3328
89bc500e 3329 l2cap_state_change(chan, BT_CONNECTED);
42e5c802
GP		 3330 chan->next_tx_seq = 0;
3331 chan->expected_tx_seq = 0;
58d35f87 3332 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 3333 if (chan->mode == L2CAP_MODE_ERTM)
3c588192 3334 err = l2cap_ertm_init(chan);
0565c1c2 3335
3c588192
MM		 3336 if (err < 0)
3337 l2cap_send_disconn_req(chan->conn, chan, -err);
3338 else
3339 l2cap_chan_ready(chan);
1da177e4
LT		 3340 }
3341
3342done:
6be36555 3343 l2cap_chan_unlock(chan);
3c588192 3344 return err;
1da177e4
LT		 3345}
3346
3347static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3348{
3349 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3350 struct l2cap_disconn_rsp rsp;
3351 u16 dcid, scid;
48454079 3352 struct l2cap_chan *chan;
1da177e4
LT		 3353 struct sock *sk;
3354
3355 scid = __le16_to_cpu(req->scid);
3356 dcid = __le16_to_cpu(req->dcid);
3357
3358 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3359
3df91ea2
AE		 3360 mutex_lock(&conn->chan_lock);
3361
3362 chan = __l2cap_get_chan_by_scid(conn, dcid);
3363 if (!chan) {
3364 mutex_unlock(&conn->chan_lock);
1da177e4 3365 return 0;
3df91ea2 3366 }
1da177e4 3367
6be36555
AE		 3368 l2cap_chan_lock(chan);
3369
48454079
GP		 3370 sk = chan->sk;
3371
fe4128e0
GP		 3372 rsp.dcid = cpu_to_le16(chan->scid);
3373 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3374 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3375
6be36555 3376 lock_sock(sk);
1da177e4 3377 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 3378 release_sock(sk);
1da177e4 3379
48454079 3380 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 3381
3382 l2cap_chan_unlock(chan);
1da177e4 3383
ba3bd0ee 3384 chan->ops->close(chan->data);
3df91ea2
AE		 3385
3386 mutex_unlock(&conn->chan_lock);
3387
1da177e4
LT		 3388 return 0;
3389}
3390
3391static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3392{
3393 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3394 u16 dcid, scid;
48454079 3395 struct l2cap_chan *chan;
1da177e4
LT		 3396
3397 scid = __le16_to_cpu(rsp->scid);
3398 dcid = __le16_to_cpu(rsp->dcid);
3399
3400 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3401
3df91ea2
AE		 3402 mutex_lock(&conn->chan_lock);
3403
3404 chan = __l2cap_get_chan_by_scid(conn, scid);
3405 if (!chan) {
3406 mutex_unlock(&conn->chan_lock);
1da177e4 3407 return 0;
3df91ea2 3408 }
1da177e4 3409
6be36555 3410 l2cap_chan_lock(chan);
48454079 3411
48454079 3412 l2cap_chan_del(chan, 0);
6be36555
AE		 3413
3414 l2cap_chan_unlock(chan);
1da177e4 3415
ba3bd0ee 3416 chan->ops->close(chan->data);
3df91ea2
AE		 3417
3418 mutex_unlock(&conn->chan_lock);
3419
1da177e4
LT		 3420 return 0;
3421}
3422
3423static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3424{
3425 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3426 u16 type;
3427
3428 type = __le16_to_cpu(req->type);
3429
3430 BT_DBG("type 0x%4.4x", type);
3431
f0709e03
MH		 3432 if (type == L2CAP_IT_FEAT_MASK) {
3433 u8 buf[8];
44dd46de 3434 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 3435 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3436 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3437 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3438 if (!disable_ertm)
fcc203c3
GP		 3439 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3440 | L2CAP_FEAT_FCS;
a5fd6f30 3441 if (enable_hs)
6327eb98
AE		 3442 feat_mask |= L2CAP_FEAT_EXT_FLOW
3443 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3444
1b7bf4ed 3445 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3446 l2cap_send_cmd(conn, cmd->ident,
3447 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3448 } else if (type == L2CAP_IT_FIXED_CHAN) {
3449 u8 buf[12];
3450 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3451
3452 if (enable_hs)
3453 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3454 else
3455 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3456
e1027a7c
MH		 3457 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3458 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3459 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH		 3460 l2cap_send_cmd(conn, cmd->ident,
3461 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3462 } else {
3463 struct l2cap_info_rsp rsp;
3464 rsp.type = cpu_to_le16(type);
3465 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3466 l2cap_send_cmd(conn, cmd->ident,
3467 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3468 }
1da177e4
LT		 3469
3470 return 0;
3471}
3472
3473static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3474{
3475 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3476 u16 type, result;
3477
3478 type = __le16_to_cpu(rsp->type);
3479 result = __le16_to_cpu(rsp->result);
3480
3481 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3482
e90165be
AE		 3483 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3484 if (cmd->ident != conn->info_ident ||
3485 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3486 return 0;
3487
17cd3f37 3488 cancel_delayed_work(&conn->info_timer);
4e8402a3 3489
adb08ede
VT		 3490 if (result != L2CAP_IR_SUCCESS) {
3491 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3492 conn->info_ident = 0;
3493
3494 l2cap_conn_start(conn);
3495
3496 return 0;
3497 }
3498
978c93b9
AE		 3499 switch (type) {
3500 case L2CAP_IT_FEAT_MASK:
83985319 3501 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3502
47ec1dcd 3503 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 3504 struct l2cap_info_req req;
3505 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3506
3507 conn->info_ident = l2cap_get_ident(conn);
3508
3509 l2cap_send_cmd(conn, conn->info_ident,
3510 L2CAP_INFO_REQ, sizeof(req), &req);
3511 } else {
3512 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3513 conn->info_ident = 0;
3514
3515 l2cap_conn_start(conn);
3516 }
978c93b9
AE		 3517 break;
3518
3519 case L2CAP_IT_FIXED_CHAN:
3520 conn->fixed_chan_mask = rsp->data[0];
984947dc 3521 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3522 conn->info_ident = 0;
984947dc
MH		 3523
3524 l2cap_conn_start(conn);
978c93b9 3525 break;
984947dc 3526 }
4e8402a3 3527
1da177e4
LT		 3528 return 0;
3529}
3530
f94ff6ff
MM		 3531static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3532 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3533 void *data)
3534{
3535 struct l2cap_create_chan_req *req = data;
3536 struct l2cap_create_chan_rsp rsp;
3537 u16 psm, scid;
3538
3539 if (cmd_len != sizeof(*req))
3540 return -EPROTO;
3541
3542 if (!enable_hs)
3543 return -EINVAL;
3544
3545 psm = le16_to_cpu(req->psm);
3546 scid = le16_to_cpu(req->scid);
3547
3548 BT_DBG("psm %d, scid %d, amp_id %d", psm, scid, req->amp_id);
3549
3550 /* Placeholder: Always reject */
3551 rsp.dcid = 0;
3552 rsp.scid = cpu_to_le16(scid);
8ce0c498
AE		 3553 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
3554 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f94ff6ff
MM		 3555
3556 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
3557 sizeof(rsp), &rsp);
3558
3559 return 0;
3560}
3561
3562static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
3563 struct l2cap_cmd_hdr *cmd, void *data)
3564{
3565 BT_DBG("conn %p", conn);
3566
3567 return l2cap_connect_rsp(conn, cmd, data);
3568}
3569
8d5a04a1
MM		 3570static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
3571 u16 icid, u16 result)
3572{
3573 struct l2cap_move_chan_rsp rsp;
3574
3575 BT_DBG("icid %d, result %d", icid, result);
3576
3577 rsp.icid = cpu_to_le16(icid);
3578 rsp.result = cpu_to_le16(result);
3579
3580 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
3581}
3582
3583static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
3584 struct l2cap_chan *chan, u16 icid, u16 result)
3585{
3586 struct l2cap_move_chan_cfm cfm;
3587 u8 ident;
3588
3589 BT_DBG("icid %d, result %d", icid, result);
3590
3591 ident = l2cap_get_ident(conn);
3592 if (chan)
3593 chan->ident = ident;
3594
3595 cfm.icid = cpu_to_le16(icid);
3596 cfm.result = cpu_to_le16(result);
3597
3598 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
3599}
3600
3601static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
3602 u16 icid)
3603{
3604 struct l2cap_move_chan_cfm_rsp rsp;
3605
3606 BT_DBG("icid %d", icid);
3607
3608 rsp.icid = cpu_to_le16(icid);
3609 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
3610}
3611
3612static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
3613 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3614{
3615 struct l2cap_move_chan_req *req = data;
3616 u16 icid = 0;
3617 u16 result = L2CAP_MR_NOT_ALLOWED;
3618
3619 if (cmd_len != sizeof(*req))
3620 return -EPROTO;
3621
3622 icid = le16_to_cpu(req->icid);
3623
3624 BT_DBG("icid %d, dest_amp_id %d", icid, req->dest_amp_id);
3625
3626 if (!enable_hs)
3627 return -EINVAL;
3628
3629 /* Placeholder: Always refuse */
3630 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
3631
3632 return 0;
3633}
3634
3635static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
3636 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3637{
3638 struct l2cap_move_chan_rsp *rsp = data;
3639 u16 icid, result;
3640
3641 if (cmd_len != sizeof(*rsp))
3642 return -EPROTO;
3643
3644 icid = le16_to_cpu(rsp->icid);
3645 result = le16_to_cpu(rsp->result);
3646
3647 BT_DBG("icid %d, result %d", icid, result);
3648
3649 /* Placeholder: Always unconfirmed */
3650 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
3651
3652 return 0;
3653}
3654
3655static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
3656 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3657{
3658 struct l2cap_move_chan_cfm *cfm = data;
3659 u16 icid, result;
3660
3661 if (cmd_len != sizeof(*cfm))
3662 return -EPROTO;
3663
3664 icid = le16_to_cpu(cfm->icid);
3665 result = le16_to_cpu(cfm->result);
3666
3667 BT_DBG("icid %d, result %d", icid, result);
3668
3669 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
3670
3671 return 0;
3672}
3673
3674static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
3675 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3676{
3677 struct l2cap_move_chan_cfm_rsp *rsp = data;
3678 u16 icid;
3679
3680 if (cmd_len != sizeof(*rsp))
3681 return -EPROTO;
3682
3683 icid = le16_to_cpu(rsp->icid);
3684
3685 BT_DBG("icid %d", icid);
3686
3687 return 0;
3688}
3689
e2174ca4 3690static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 3691 u16 to_multiplier)
3692{
3693 u16 max_latency;
3694
3695 if (min > max || min < 6 || max > 3200)
3696 return -EINVAL;
3697
3698 if (to_multiplier < 10 || to_multiplier > 3200)
3699 return -EINVAL;
3700
3701 if (max >= to_multiplier * 8)
3702 return -EINVAL;
3703
3704 max_latency = (to_multiplier * 8 / max) - 1;
3705 if (latency > 499 || latency > max_latency)
3706 return -EINVAL;
3707
3708 return 0;
3709}
3710
3711static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
3712 struct l2cap_cmd_hdr *cmd, u8 *data)
3713{
3714 struct hci_conn *hcon = conn->hcon;
3715 struct l2cap_conn_param_update_req *req;
3716 struct l2cap_conn_param_update_rsp rsp;
3717 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 3718 int err;
de73115a
CT		 3719
3720 if (!(hcon->link_mode & HCI_LM_MASTER))
3721 return -EINVAL;
3722
3723 cmd_len = __le16_to_cpu(cmd->len);
3724 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
3725 return -EPROTO;
3726
3727 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 3728 min = __le16_to_cpu(req->min);
3729 max = __le16_to_cpu(req->max);
de73115a
CT		 3730 latency = __le16_to_cpu(req->latency);
3731 to_multiplier = __le16_to_cpu(req->to_multiplier);
3732
3733 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
3734 min, max, latency, to_multiplier);
3735
3736 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 3737
3738 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
3739 if (err)
de73115a
CT		 3740 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
3741 else
3742 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
3743
3744 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
3745 sizeof(rsp), &rsp);
3746
2ce603eb
CT		 3747 if (!err)
3748 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
3749
de73115a
CT		 3750 return 0;
3751}
3752
3300d9a9
CT		 3753static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
3754 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3755{
3756 int err = 0;
3757
3758 switch (cmd->code) {
3759 case L2CAP_COMMAND_REJ:
3760 l2cap_command_rej(conn, cmd, data);
3761 break;
3762
3763 case L2CAP_CONN_REQ:
3764 err = l2cap_connect_req(conn, cmd, data);
3765 break;
3766
3767 case L2CAP_CONN_RSP:
3768 err = l2cap_connect_rsp(conn, cmd, data);
3769 break;
3770
3771 case L2CAP_CONF_REQ:
3772 err = l2cap_config_req(conn, cmd, cmd_len, data);
3773 break;
3774
3775 case L2CAP_CONF_RSP:
3776 err = l2cap_config_rsp(conn, cmd, data);
3777 break;
3778
3779 case L2CAP_DISCONN_REQ:
3780 err = l2cap_disconnect_req(conn, cmd, data);
3781 break;
3782
3783 case L2CAP_DISCONN_RSP:
3784 err = l2cap_disconnect_rsp(conn, cmd, data);
3785 break;
3786
3787 case L2CAP_ECHO_REQ:
3788 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
3789 break;
3790
3791 case L2CAP_ECHO_RSP:
3792 break;
3793
3794 case L2CAP_INFO_REQ:
3795 err = l2cap_information_req(conn, cmd, data);
3796 break;
3797
3798 case L2CAP_INFO_RSP:
3799 err = l2cap_information_rsp(conn, cmd, data);
3800 break;
3801
f94ff6ff
MM		 3802 case L2CAP_CREATE_CHAN_REQ:
3803 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
3804 break;
3805
3806 case L2CAP_CREATE_CHAN_RSP:
3807 err = l2cap_create_channel_rsp(conn, cmd, data);
3808 break;
3809
8d5a04a1
MM		 3810 case L2CAP_MOVE_CHAN_REQ:
3811 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
3812 break;
3813
3814 case L2CAP_MOVE_CHAN_RSP:
3815 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
3816 break;
3817
3818 case L2CAP_MOVE_CHAN_CFM:
3819 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
3820 break;
3821
3822 case L2CAP_MOVE_CHAN_CFM_RSP:
3823 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
3824 break;
3825
3300d9a9
CT		 3826 default:
3827 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
3828 err = -EINVAL;
3829 break;
3830 }
3831
3832 return err;
3833}
3834
3835static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
3836 struct l2cap_cmd_hdr *cmd, u8 *data)
3837{
3838 switch (cmd->code) {
3839 case L2CAP_COMMAND_REJ:
3840 return 0;
3841
3842 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 3843 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 3844
3845 case L2CAP_CONN_PARAM_UPDATE_RSP:
3846 return 0;
3847
3848 default:
3849 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
3850 return -EINVAL;
3851 }
3852}
3853
3854static inline void l2cap_sig_channel(struct l2cap_conn *conn,
3855 struct sk_buff *skb)
1da177e4
LT		 3856{
3857 u8 *data = skb->data;
3858 int len = skb->len;
3859 struct l2cap_cmd_hdr cmd;
3300d9a9 3860 int err;
1da177e4
LT		 3861
3862 l2cap_raw_recv(conn, skb);
3863
3864 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3865 u16 cmd_len;
1da177e4
LT		 3866 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3867 data += L2CAP_CMD_HDR_SIZE;
3868 len -= L2CAP_CMD_HDR_SIZE;
3869
88219a0f 3870 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3871
88219a0f 3872 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3873
88219a0f 3874 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3875 BT_DBG("corrupted command");
3876 break;
3877 }
3878
3300d9a9
CT		 3879 if (conn->hcon->type == LE_LINK)
3880 err = l2cap_le_sig_cmd(conn, &cmd, data);
3881 else
3882 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 3883
3884 if (err) {
e2fd318e 3885 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 3886
3887 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 3888
3889 /* FIXME: Map err to a valid reason */
e2fd318e 3890 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 3891 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3892 }
3893
88219a0f
AV		 3894 data += cmd_len;
3895 len -= cmd_len;
1da177e4
LT		 3896 }
3897
3898 kfree_skb(skb);
3899}
3900
47d1ec61 3901static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 3902{
3903 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 3904 int hdr_size;
3905
3906 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3907 hdr_size = L2CAP_EXT_HDR_SIZE;
3908 else
3909 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 3910
47d1ec61 3911 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 3912 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 3913 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3914 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3915
3916 if (our_fcs != rcv_fcs)
7a560e5c 3917 return -EBADMSG;
fcc203c3
GP		 3918 }
3919 return 0;
3920}
3921
525cd185 3922static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 3923{
88843ab0 3924 u32 control = 0;
d5392c8f 3925
6a026610 3926 chan->frames_sent = 0;
d5392c8f 3927
0b209fae 3928 control |= __set_reqseq(chan, chan->buffer_seq);
d5392c8f 3929
e2ab4353 3930 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 3931 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
525cd185 3932 l2cap_send_sframe(chan, control);
e2ab4353 3933 set_bit(CONN_RNR_SENT, &chan->conn_state);
d5392c8f
GP		 3934 }
3935
e2ab4353 3936 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
525cd185 3937 l2cap_retransmit_frames(chan);
d5392c8f 3938
525cd185 3939 l2cap_ertm_send(chan);
d5392c8f 3940
e2ab4353 3941 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
6a026610 3942 chan->frames_sent == 0) {
ab784b73 3943 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 3944 l2cap_send_sframe(chan, control);
d5392c8f
GP		 3945 }
3946}
3947
fb45de7d 3948static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u16 tx_seq, u8 sar)
8f17154f
GP		 3949{
3950 struct sk_buff *next_skb;
bfbacc11 3951 int tx_seq_offset, next_tx_seq_offset;
8f17154f 3952
3ce3514f
MM		 3953 bt_cb(skb)->control.txseq = tx_seq;
3954 bt_cb(skb)->control.sar = sar;
8f17154f 3955
f1c6775b 3956 next_skb = skb_peek(&chan->srej_q);
8f17154f 3957
836be934 3958 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
bfbacc11 3959
039d9572 3960 while (next_skb) {
3ce3514f 3961 if (bt_cb(next_skb)->control.txseq == tx_seq)
9b53350d
JPRV		 3962 return -EINVAL;
3963
836be934 3964 next_tx_seq_offset = __seq_offset(chan,
3ce3514f 3965 bt_cb(next_skb)->control.txseq, chan->buffer_seq);
bfbacc11
JPRV		 3966
3967 if (next_tx_seq_offset > tx_seq_offset) {
f1c6775b 3968 __skb_queue_before(&chan->srej_q, next_skb, skb);
9b53350d 3969 return 0;
8f17154f
GP		 3970 }
3971
f1c6775b 3972 if (skb_queue_is_last(&chan->srej_q, next_skb))
039d9572
SJ		 3973 next_skb = NULL;
3974 else
3975 next_skb = skb_queue_next(&chan->srej_q, next_skb);
3976 }
8f17154f 3977
f1c6775b 3978 __skb_queue_tail(&chan->srej_q, skb);
9b53350d
JPRV		 3979
3980 return 0;
8f17154f
GP		 3981}
3982
84084a31
MM		 3983static void append_skb_frag(struct sk_buff *skb,
3984 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 3985{
84084a31
MM		 3986 /* skb->len reflects data in skb as well as all fragments
3987 * skb->data_len reflects only data in fragments
3988 */
3989 if (!skb_has_frag_list(skb))
3990 skb_shinfo(skb)->frag_list = new_frag;
3991
3992 new_frag->next = NULL;
3993
3994 (*last_frag)->next = new_frag;
3995 *last_frag = new_frag;
3996
3997 skb->len += new_frag->len;
3998 skb->data_len += new_frag->len;
3999 skb->truesize += new_frag->truesize;
4000}
4001
88843ab0 4002static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u32 control)
84084a31
MM		 4003{
4004 int err = -EINVAL;
18778a63 4005
7e0ef6ee
AE		 4006 switch (__get_ctrl_sar(chan, control)) {
4007 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 4008 if (chan->sdu)
4009 break;
18778a63 4010
84084a31
MM		 4011 err = chan->ops->recv(chan->data, skb);
4012 break;
18778a63 4013
7e0ef6ee 4014 case L2CAP_SAR_START:
84084a31
MM		 4015 if (chan->sdu)
4016 break;
18778a63 4017
6f61fd47 4018 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 4019 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 4020
84084a31
MM		 4021 if (chan->sdu_len > chan->imtu) {
4022 err = -EMSGSIZE;
4023 break;
4024 }
1890d36b 4025
84084a31
MM		 4026 if (skb->len >= chan->sdu_len)
4027 break;
18778a63 4028
84084a31
MM		 4029 chan->sdu = skb;
4030 chan->sdu_last_frag = skb;
18778a63 4031
84084a31
MM		 4032 skb = NULL;
4033 err = 0;
18778a63
GP		 4034 break;
4035
7e0ef6ee 4036 case L2CAP_SAR_CONTINUE:
6f61fd47 4037 if (!chan->sdu)
84084a31 4038 break;
18778a63 4039
84084a31
MM		 4040 append_skb_frag(chan->sdu, skb,
4041 &chan->sdu_last_frag);
4042 skb = NULL;
18778a63 4043
84084a31
MM		 4044 if (chan->sdu->len >= chan->sdu_len)
4045 break;
4178ba46 4046
84084a31 4047 err = 0;
18778a63
GP		 4048 break;
4049
7e0ef6ee 4050 case L2CAP_SAR_END:
6f61fd47 4051 if (!chan->sdu)
84084a31 4052 break;
18778a63 4053
84084a31
MM		 4054 append_skb_frag(chan->sdu, skb,
4055 &chan->sdu_last_frag);
4056 skb = NULL;
4178ba46 4057
84084a31
MM		 4058 if (chan->sdu->len != chan->sdu_len)
4059 break;
18778a63 4060
84084a31 4061 err = chan->ops->recv(chan->data, chan->sdu);
1890d36b 4062
84084a31
MM		 4063 if (!err) {
4064 /* Reassembly complete */
4065 chan->sdu = NULL;
4066 chan->sdu_last_frag = NULL;
4067 chan->sdu_len = 0;
1890d36b 4068 }
18778a63
GP		 4069 break;
4070 }
4071
84084a31
MM		 4072 if (err) {
4073 kfree_skb(skb);
4074 kfree_skb(chan->sdu);
4075 chan->sdu = NULL;
4076 chan->sdu_last_frag = NULL;
4077 chan->sdu_len = 0;
4078 }
18778a63 4079
84084a31 4080 return err;
18778a63
GP		 4081}
4082
26f880d2 4083static void l2cap_ertm_enter_local_busy(struct l2cap_chan *chan)
712132eb 4084{
26f880d2 4085 BT_DBG("chan %p, Enter local busy", chan);
712132eb 4086
26f880d2 4087 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3c588192 4088 l2cap_seq_list_clear(&chan->srej_list);
26f880d2 4089
77f918bc 4090 __set_ack_timer(chan);
26f880d2
MM		 4091}
4092
4093static void l2cap_ertm_exit_local_busy(struct l2cap_chan *chan)
4094{
88843ab0 4095 u32 control;
712132eb 4096
e2ab4353 4097 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
712132eb
GP		 4098 goto done;
4099
0b209fae 4100 control = __set_reqseq(chan, chan->buffer_seq);
e3781735 4101 control |= __set_ctrl_poll(chan);
ab784b73 4102 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 4103 l2cap_send_sframe(chan, control);
6a026610 4104 chan->retry_count = 1;
712132eb 4105
1a09bcb9
GP		 4106 __clear_retrans_timer(chan);
4107 __set_monitor_timer(chan);
712132eb 4108
e2ab4353 4109 set_bit(CONN_WAIT_F, &chan->conn_state);
712132eb
GP		 4110
4111done:
e2ab4353
GP		 4112 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
4113 clear_bit(CONN_RNR_SENT, &chan->conn_state);
712132eb 4114
49208c9c 4115 BT_DBG("chan %p, Exit local busy", chan);
712132eb
GP		 4116}
4117
e328140f 4118void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
1890d36b 4119{
e328140f
MM		 4120 if (chan->mode == L2CAP_MODE_ERTM) {
4121 if (busy)
4122 l2cap_ertm_enter_local_busy(chan);
4123 else
4124 l2cap_ertm_exit_local_busy(chan);
1890d36b 4125 }
1890d36b
GP		 4126}
4127
fb45de7d 4128static void l2cap_check_srej_gap(struct l2cap_chan *chan, u16 tx_seq)
8f17154f
GP		 4129{
4130 struct sk_buff *skb;
88843ab0 4131 u32 control;
8f17154f 4132
e328140f
MM		 4133 while ((skb = skb_peek(&chan->srej_q)) &&
4134 !test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4135 int err;
4136
3ce3514f 4137 if (bt_cb(skb)->control.txseq != tx_seq)
8f17154f
GP		 4138 break;
4139
f1c6775b 4140 skb = skb_dequeue(&chan->srej_q);
3ce3514f 4141 control = __set_ctrl_sar(chan, bt_cb(skb)->control.sar);
84084a31 4142 err = l2cap_reassemble_sdu(chan, skb, control);
e328140f
MM		 4143
4144 if (err < 0) {
4145 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4146 break;
4147 }
4148
836be934
AE		 4149 chan->buffer_seq_srej = __next_seq(chan, chan->buffer_seq_srej);
4150 tx_seq = __next_seq(chan, tx_seq);
8f17154f
GP		 4151 }
4152}
4153
fb45de7d 4154static void l2cap_resend_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 4155{
8f17154f 4156 struct srej_list *l, *tmp;
88843ab0 4157 u32 control;
8f17154f 4158
39d5a3ee 4159 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
8f17154f
GP		 4160 if (l->tx_seq == tx_seq) {
4161 list_del(&l->list);
4162 kfree(l);
4163 return;
4164 }
ab784b73 4165 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 4166 control |= __set_reqseq(chan, l->tx_seq);
525cd185 4167 l2cap_send_sframe(chan, control);
8f17154f 4168 list_del(&l->list);
39d5a3ee 4169 list_add_tail(&l->list, &chan->srej_l);
8f17154f
GP		 4170 }
4171}
4172
aef89f21 4173static int l2cap_send_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 4174{
8f17154f 4175 struct srej_list *new;
88843ab0 4176 u32 control;
8f17154f 4177
42e5c802 4178 while (tx_seq != chan->expected_tx_seq) {
ab784b73 4179 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 4180 control |= __set_reqseq(chan, chan->expected_tx_seq);
3c588192 4181 l2cap_seq_list_append(&chan->srej_list, chan->expected_tx_seq);
525cd185 4182 l2cap_send_sframe(chan, control);
8f17154f
GP		 4183
4184 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
aef89f21
SJ		 4185 if (!new)
4186 return -ENOMEM;
4187
42e5c802 4188 new->tx_seq = chan->expected_tx_seq;
836be934
AE		 4189
4190 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
4191
39d5a3ee 4192 list_add_tail(&new->list, &chan->srej_l);
8f17154f 4193 }
836be934
AE		 4194
4195 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
aef89f21
SJ		 4196
4197 return 0;
8f17154f
GP		 4198}
4199
88843ab0 4200static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
1c2acffb 4201{
fb45de7d 4202 u16 tx_seq = __get_txseq(chan, rx_control);
0b209fae 4203 u16 req_seq = __get_reqseq(chan, rx_control);
7e0ef6ee 4204 u8 sar = __get_ctrl_sar(chan, rx_control);
f6337c77 4205 int tx_seq_offset, expected_tx_seq_offset;
47d1ec61 4206 int num_to_ack = (chan->tx_win/6) + 1;
1c2acffb
GP		 4207 int err = 0;
4208
88843ab0 4209 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%8.8x", chan, skb->len,
525cd185 4210 tx_seq, rx_control);
1c2acffb 4211
03f6715d 4212 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 4213 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 4214 __clear_monitor_timer(chan);
6a026610 4215 if (chan->unacked_frames > 0)
1a09bcb9 4216 __set_retrans_timer(chan);
e2ab4353 4217 clear_bit(CONN_WAIT_F, &chan->conn_state);
1d8f5d16
GP		 4218 }
4219
42e5c802
GP		 4220 chan->expected_ack_seq = req_seq;
4221 l2cap_drop_acked_frames(chan);
9f121a5a 4222
836be934 4223 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
9b53350d
JPRV		 4224
4225 /* invalid tx_seq */
47d1ec61 4226 if (tx_seq_offset >= chan->tx_win) {
8c1d787b 4227 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
9b53350d
JPRV		 4228 goto drop;
4229 }
4230
77f918bc
SJ		 4231 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4232 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
4233 l2cap_send_ack(chan);
1890d36b 4234 goto drop;
77f918bc 4235 }
1890d36b 4236
02f1b641
MM		 4237 if (tx_seq == chan->expected_tx_seq)
4238 goto expected;
4239
e2ab4353 4240 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
8f17154f 4241 struct srej_list *first;
30afb5b2 4242
39d5a3ee 4243 first = list_first_entry(&chan->srej_l,
8f17154f
GP		 4244 struct srej_list, list);
4245 if (tx_seq == first->tx_seq) {
42e5c802 4246 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
525cd185 4247 l2cap_check_srej_gap(chan, tx_seq);
8f17154f
GP		 4248
4249 list_del(&first->list);
4250 kfree(first);
4251
39d5a3ee 4252 if (list_empty(&chan->srej_l)) {
42e5c802 4253 chan->buffer_seq = chan->buffer_seq_srej;
e2ab4353 4254 clear_bit(CONN_SREJ_SENT, &chan->conn_state);
525cd185 4255 l2cap_send_ack(chan);
49208c9c 4256 BT_DBG("chan %p, Exit SREJ_SENT", chan);
8f17154f
GP		 4257 }
4258 } else {
4259 struct srej_list *l;
9b53350d
JPRV		 4260
4261 /* duplicated tx_seq */
42e5c802 4262 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
9b53350d 4263 goto drop;
8f17154f 4264
39d5a3ee 4265 list_for_each_entry(l, &chan->srej_l, list) {
8f17154f 4266 if (l->tx_seq == tx_seq) {
525cd185 4267 l2cap_resend_srejframe(chan, tx_seq);
8f17154f
GP		 4268 return 0;
4269 }
4270 }
aef89f21
SJ		 4271
4272 err = l2cap_send_srejframe(chan, tx_seq);
4273 if (err < 0) {
4274 l2cap_send_disconn_req(chan->conn, chan, -err);
4275 return err;
4276 }
30afb5b2
GP		 4277 }
4278 } else {
836be934
AE		 4279 expected_tx_seq_offset = __seq_offset(chan,
4280 chan->expected_tx_seq, chan->buffer_seq);
9b53350d
JPRV		 4281
4282 /* duplicated tx_seq */
4283 if (tx_seq_offset < expected_tx_seq_offset)
4284 goto drop;
4285
e2ab4353 4286 set_bit(CONN_SREJ_SENT, &chan->conn_state);
1c2acffb 4287
49208c9c 4288 BT_DBG("chan %p, Enter SREJ", chan);
0e98958d 4289
39d5a3ee 4290 INIT_LIST_HEAD(&chan->srej_l);
42e5c802 4291 chan->buffer_seq_srej = chan->buffer_seq;
8f17154f 4292
f1c6775b 4293 __skb_queue_head_init(&chan->srej_q);
42e5c802 4294 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
8f17154f 4295
0ef3ef0f
SJ		 4296 /* Set P-bit only if there are some I-frames to ack. */
4297 if (__clear_ack_timer(chan))
4298 set_bit(CONN_SEND_PBIT, &chan->conn_state);
ef54fd93 4299
aef89f21
SJ		 4300 err = l2cap_send_srejframe(chan, tx_seq);
4301 if (err < 0) {
4302 l2cap_send_disconn_req(chan->conn, chan, -err);
4303 return err;
4304 }
1c2acffb 4305 }
30afb5b2
GP		 4306 return 0;
4307
8f17154f 4308expected:
836be934 4309 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
8f17154f 4310
e2ab4353 4311 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3ce3514f
MM		 4312 bt_cb(skb)->control.txseq = tx_seq;
4313 bt_cb(skb)->control.sar = sar;
f1c6775b 4314 __skb_queue_tail(&chan->srej_q, skb);
8f17154f
GP		 4315 return 0;
4316 }
4317
84084a31 4318 err = l2cap_reassemble_sdu(chan, skb, rx_control);
836be934
AE		 4319 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
4320
e328140f
MM		 4321 if (err < 0) {
4322 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4323 return err;
4324 }
2ece3684 4325
03f6715d 4326 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4327 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 4328 l2cap_retransmit_frames(chan);
4ec10d97
GP		 4329 }
4330
c1b4f43b 4331
6a026610
GP		 4332 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
4333 if (chan->num_acked == num_to_ack - 1)
525cd185 4334 l2cap_send_ack(chan);
4d611e4d
GP		 4335 else
4336 __set_ack_timer(chan);
9e917af1 4337
8f17154f 4338 return 0;
9b53350d
JPRV		 4339
4340drop:
4341 kfree_skb(skb);
4342 return 0;
1c2acffb
GP		 4343}
4344
88843ab0 4345static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u32 rx_control)
1c2acffb 4346{
88843ab0 4347 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan,
0b209fae 4348 __get_reqseq(chan, rx_control), rx_control);
0e98958d 4349
0b209fae 4350 chan->expected_ack_seq = __get_reqseq(chan, rx_control);
42e5c802 4351 l2cap_drop_acked_frames(chan);
1c2acffb 4352
e3781735 4353 if (__is_ctrl_poll(chan, rx_control)) {
e2ab4353
GP		 4354 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4355 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
4356 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 4357 (chan->unacked_frames > 0))
1a09bcb9 4358 __set_retrans_timer(chan);
05fbd89d 4359
e2ab4353 4360 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
525cd185 4361 l2cap_send_srejtail(chan);
05fbd89d 4362 } else {
525cd185 4363 l2cap_send_i_or_rr_or_rnr(chan);
05fbd89d 4364 }
1d8f5d16 4365
03f6715d 4366 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4367 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4ec10d97 4368
e2ab4353 4369 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 4370 l2cap_retransmit_frames(chan);
2246b2f1 4371
e072745f 4372 } else {
e2ab4353 4373 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 4374 (chan->unacked_frames > 0))
1a09bcb9 4375 __set_retrans_timer(chan);
1c2acffb 4376
e2ab4353
GP		 4377 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4378 if (test_bit(CONN_SREJ_SENT, &chan->conn_state))
525cd185 4379 l2cap_send_ack(chan);
894718a6 4380 else
525cd185 4381 l2cap_ertm_send(chan);
e072745f
GP		 4382 }
4383}
2246b2f1 4384
88843ab0 4385static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4386{
0b209fae 4387 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 4388
88843ab0 4389 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4390
e2ab4353 4391 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
e072745f 4392
42e5c802
GP		 4393 chan->expected_ack_seq = tx_seq;
4394 l2cap_drop_acked_frames(chan);
e072745f 4395
03f6715d 4396 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4397 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 4398 l2cap_retransmit_frames(chan);
e072745f 4399 } else {
525cd185 4400 l2cap_retransmit_frames(chan);
30afb5b2 4401
e2ab4353
GP		 4402 if (test_bit(CONN_WAIT_F, &chan->conn_state))
4403 set_bit(CONN_REJ_ACT, &chan->conn_state);
e072745f
GP		 4404 }
4405}
88843ab0 4406static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4407{
0b209fae 4408 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 4409
88843ab0 4410 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4411
e2ab4353 4412 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
2246b2f1 4413
e3781735 4414 if (__is_ctrl_poll(chan, rx_control)) {
42e5c802
GP		 4415 chan->expected_ack_seq = tx_seq;
4416 l2cap_drop_acked_frames(chan);
3cb123d1 4417
e2ab4353 4418 set_bit(CONN_SEND_FBIT, &chan->conn_state);
525cd185 4419 l2cap_retransmit_one_frame(chan, tx_seq);
dfc909be 4420
525cd185 4421 l2cap_ertm_send(chan);
dfc909be 4422
e2ab4353 4423 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 4424 chan->srej_save_reqseq = tx_seq;
e2ab4353 4425 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 4426 }
03f6715d 4427 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4428 if (test_bit(CONN_SREJ_ACT, &chan->conn_state) &&
6a026610 4429 chan->srej_save_reqseq == tx_seq)
e2ab4353 4430 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
e072745f 4431 else
525cd185 4432 l2cap_retransmit_one_frame(chan, tx_seq);
e072745f 4433 } else {
525cd185 4434 l2cap_retransmit_one_frame(chan, tx_seq);
e2ab4353 4435 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 4436 chan->srej_save_reqseq = tx_seq;
e2ab4353 4437 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 4438 }
e072745f
GP		 4439 }
4440}
4441
88843ab0 4442static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4443{
0b209fae 4444 u16 tx_seq = __get_reqseq(chan, rx_control);
e072745f 4445
88843ab0 4446 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4447
e2ab4353 4448 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
42e5c802
GP		 4449 chan->expected_ack_seq = tx_seq;
4450 l2cap_drop_acked_frames(chan);
e072745f 4451
e3781735 4452 if (__is_ctrl_poll(chan, rx_control))
e2ab4353 4453 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3cb123d1 4454
e2ab4353 4455 if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
1a09bcb9 4456 __clear_retrans_timer(chan);
e3781735 4457 if (__is_ctrl_poll(chan, rx_control))
525cd185 4458 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
99b0d4b7 4459 return;
e072745f 4460 }
99b0d4b7 4461
e3781735 4462 if (__is_ctrl_poll(chan, rx_control)) {
525cd185 4463 l2cap_send_srejtail(chan);
ab784b73
AE		 4464 } else {
4465 rx_control = __set_ctrl_super(chan, L2CAP_SUPER_RR);
4466 l2cap_send_sframe(chan, rx_control);
4467 }
e072745f
GP		 4468}
4469
88843ab0 4470static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
e072745f 4471{
88843ab0 4472 BT_DBG("chan %p rx_control 0x%8.8x len %d", chan, rx_control, skb->len);
e072745f 4473
03f6715d 4474 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 4475 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 4476 __clear_monitor_timer(chan);
6a026610 4477 if (chan->unacked_frames > 0)
1a09bcb9 4478 __set_retrans_timer(chan);
e2ab4353 4479 clear_bit(CONN_WAIT_F, &chan->conn_state);
e072745f
GP		 4480 }
4481
ab784b73
AE		 4482 switch (__get_ctrl_super(chan, rx_control)) {
4483 case L2CAP_SUPER_RR:
525cd185 4484 l2cap_data_channel_rrframe(chan, rx_control);
8f17154f
GP		 4485 break;
4486
ab784b73 4487 case L2CAP_SUPER_REJ:
525cd185 4488 l2cap_data_channel_rejframe(chan, rx_control);
e072745f 4489 break;
2246b2f1 4490
ab784b73 4491 case L2CAP_SUPER_SREJ:
525cd185 4492 l2cap_data_channel_srejframe(chan, rx_control);
e072745f
GP		 4493 break;
4494
ab784b73 4495 case L2CAP_SUPER_RNR:
525cd185 4496 l2cap_data_channel_rnrframe(chan, rx_control);
1c2acffb
GP		 4497 break;
4498 }
4499
faaebd19 4500 kfree_skb(skb);
1c2acffb
GP		 4501 return 0;
4502}
4503
cad8f1d0 4504static int l2cap_ertm_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
218bb9df 4505{
88843ab0 4506 u32 control;
0b209fae 4507 u16 req_seq;
218bb9df
GP		 4508 int len, next_tx_seq_offset, req_seq_offset;
4509
b76bbd66
MM		 4510 __unpack_control(chan, skb);
4511
88843ab0
AE		 4512 control = __get_control(chan, skb->data);
4513 skb_pull(skb, __ctrl_size(chan));
218bb9df
GP		 4514 len = skb->len;
4515
4516 /*
4517 * We can just drop the corrupted I-frame here.
4518 * Receiver will miss it and start proper recovery
4519 * procedures and ask retransmission.
4520 */
47d1ec61 4521 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 4522 goto drop;
4523
793c2f1c 4524 if (__is_sar_start(chan, control) && !__is_sframe(chan, control))
03a51213 4525 len -= L2CAP_SDULEN_SIZE;
218bb9df 4526
47d1ec61 4527 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 4528 len -= L2CAP_FCS_SIZE;
218bb9df 4529
47d1ec61 4530 if (len > chan->mps) {
8c1d787b 4531 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4532 goto drop;
4533 }
4534
0b209fae 4535 req_seq = __get_reqseq(chan, control);
218bb9df 4536
836be934
AE		 4537 req_seq_offset = __seq_offset(chan, req_seq, chan->expected_ack_seq);
4538
4539 next_tx_seq_offset = __seq_offset(chan, chan->next_tx_seq,
4540 chan->expected_ack_seq);
218bb9df
GP		 4541
4542 /* check for invalid req-seq */
4543 if (req_seq_offset > next_tx_seq_offset) {
8c1d787b 4544 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4545 goto drop;
4546 }
4547
793c2f1c 4548 if (!__is_sframe(chan, control)) {
218bb9df 4549 if (len < 0) {
8c1d787b 4550 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4551 goto drop;
4552 }
4553
525cd185 4554 l2cap_data_channel_iframe(chan, control, skb);
218bb9df
GP		 4555 } else {
4556 if (len != 0) {
4557 BT_ERR("%d", len);
8c1d787b 4558 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4559 goto drop;
4560 }
4561
525cd185 4562 l2cap_data_channel_sframe(chan, control, skb);
218bb9df
GP		 4563 }
4564
4565 return 0;
4566
4567drop:
4568 kfree_skb(skb);
4569 return 0;
4570}
4571
1da177e4
LT		 4572static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
4573{
48454079 4574 struct l2cap_chan *chan;
88843ab0 4575 u32 control;
fb45de7d 4576 u16 tx_seq;
218bb9df 4577 int len;
1da177e4 4578
baa7e1fa 4579 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 4580 if (!chan) {
1da177e4 4581 BT_DBG("unknown cid 0x%4.4x", cid);
6be36555 4582 /* Drop packet and return */
3379013b 4583 kfree_skb(skb);
6be36555 4584 return 0;
1da177e4
LT		 4585 }
4586
6be36555 4587 l2cap_chan_lock(chan);
6840ed07 4588
49208c9c 4589 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 4590
89bc500e 4591 if (chan->state != BT_CONNECTED)
1da177e4
LT		 4592 goto drop;
4593
0c1bc5c6 4594 switch (chan->mode) {
1c2acffb
GP		 4595 case L2CAP_MODE_BASIC:
4596 /* If socket recv buffers overflows we drop data here
4597 * which is *bad* because L2CAP has to be reliable.
4598 * But we don't have any other choice. L2CAP doesn't
4599 * provide flow control mechanism. */
1da177e4 4600
0c1bc5c6 4601 if (chan->imtu < skb->len)
1c2acffb 4602 goto drop;
1da177e4 4603
23070494 4604 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP		 4605 goto done;
4606 break;
4607
4608 case L2CAP_MODE_ERTM:
5ef8cb9e 4609 l2cap_ertm_data_rcv(chan, skb);
1c2acffb 4610
fcafde2e 4611 goto done;
1c2acffb 4612
6840ed07 4613 case L2CAP_MODE_STREAMING:
88843ab0
AE		 4614 control = __get_control(chan, skb->data);
4615 skb_pull(skb, __ctrl_size(chan));
6840ed07
GP		 4616 len = skb->len;
4617
47d1ec61 4618 if (l2cap_check_fcs(chan, skb))
26000089
GP		 4619 goto drop;
4620
7e0ef6ee 4621 if (__is_sar_start(chan, control))
03a51213 4622 len -= L2CAP_SDULEN_SIZE;
6840ed07 4623
47d1ec61 4624 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 4625 len -= L2CAP_FCS_SIZE;
fcc203c3 4626
793c2f1c 4627 if (len > chan->mps || len < 0 || __is_sframe(chan, control))
6840ed07
GP		 4628 goto drop;
4629
fb45de7d 4630 tx_seq = __get_txseq(chan, control);
6840ed07 4631
84084a31
MM		 4632 if (chan->expected_tx_seq != tx_seq) {
4633 /* Frame(s) missing - must discard partial SDU */
4634 kfree_skb(chan->sdu);
4635 chan->sdu = NULL;
4636 chan->sdu_last_frag = NULL;
4637 chan->sdu_len = 0;
6840ed07 4638
84084a31
MM		 4639 /* TODO: Notify userland of missing data */
4640 }
4641
836be934 4642 chan->expected_tx_seq = __next_seq(chan, tx_seq);
84084a31
MM		 4643
4644 if (l2cap_reassemble_sdu(chan, skb, control) == -EMSGSIZE)
4645 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
6840ed07
GP		 4646
4647 goto done;
4648
1c2acffb 4649 default:
0c1bc5c6 4650 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 4651 break;
4652 }
1da177e4
LT		 4653
4654drop:
4655 kfree_skb(skb);
4656
4657done:
6be36555 4658 l2cap_chan_unlock(chan);
0139418c 4659
1da177e4
LT		 4660 return 0;
4661}
4662
8e036fc3 4663static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 4664{
23691d75 4665 struct l2cap_chan *chan;
1da177e4 4666
c2287681 4667 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 4668 if (!chan)
1da177e4
LT		 4669 goto drop;
4670
5b4cedaa 4671 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 4672
89bc500e 4673 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 4674 goto drop;
4675
e13e21dc 4676 if (chan->imtu < skb->len)
1da177e4
LT		 4677 goto drop;
4678
23070494 4679 if (!chan->ops->recv(chan->data, skb))
5b4cedaa 4680 return 0;
1da177e4
LT		 4681
4682drop:
4683 kfree_skb(skb);
4684
1da177e4
LT		 4685 return 0;
4686}
4687
d9b88702
AE		 4688static inline int l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
4689 struct sk_buff *skb)
9f69bda6 4690{
23691d75 4691 struct l2cap_chan *chan;
9f69bda6 4692
c2287681 4693 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 4694 if (!chan)
9f69bda6
GP		 4695 goto drop;
4696
5b4cedaa 4697 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 4698
89bc500e 4699 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 4700 goto drop;
4701
e13e21dc 4702 if (chan->imtu < skb->len)
9f69bda6
GP		 4703 goto drop;
4704
23070494 4705 if (!chan->ops->recv(chan->data, skb))
5b4cedaa 4706 return 0;
9f69bda6
GP		 4707
4708drop:
4709 kfree_skb(skb);
4710
9f69bda6
GP		 4711 return 0;
4712}
4713
1da177e4
LT		 4714static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4715{
4716 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4717 u16 cid, len;
4718 __le16 psm;
1da177e4
LT		 4719
4720 skb_pull(skb, L2CAP_HDR_SIZE);
4721 cid = __le16_to_cpu(lh->cid);
4722 len = __le16_to_cpu(lh->len);
4723
1c2acffb
GP		 4724 if (len != skb->len) {
4725 kfree_skb(skb);
4726 return;
4727 }
4728
1da177e4
LT		 4729 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4730
4731 switch (cid) {
3300d9a9 4732 case L2CAP_CID_LE_SIGNALING:
8db4dc46 4733 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4734 l2cap_sig_channel(conn, skb);
4735 break;
4736
8db4dc46 4737 case L2CAP_CID_CONN_LESS:
097db76c 4738 psm = get_unaligned((__le16 *) skb->data);
1da177e4
LT		 4739 skb_pull(skb, 2);
4740 l2cap_conless_channel(conn, psm, skb);
4741 break;
4742
9f69bda6
GP		 4743 case L2CAP_CID_LE_DATA:
4744 l2cap_att_channel(conn, cid, skb);
4745 break;
4746
b501d6a1
AB		 4747 case L2CAP_CID_SMP:
4748 if (smp_sig_channel(conn, skb))
4749 l2cap_conn_del(conn->hcon, EACCES);
4750 break;
4751
1da177e4
LT		 4752 default:
4753 l2cap_data_channel(conn, cid, skb);
4754 break;
4755 }
4756}
4757
4758/* ---- L2CAP interface with lower layer (HCI) ---- */
4759
686ebf28 4760int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 4761{
4762 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 4763 struct l2cap_chan *c;
1da177e4 4764
1da177e4
LT		 4765 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4766
4767 /* Find listening sockets and check their link_mode */
23691d75
GP		 4768 read_lock(&chan_list_lock);
4769 list_for_each_entry(c, &chan_list, global_l) {
4770 struct sock *sk = c->sk;
4343478f 4771
89bc500e 4772 if (c->state != BT_LISTEN)
1da177e4
LT		 4773 continue;
4774
4775 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4776 lm1 |= HCI_LM_ACCEPT;
43bd0f32 4777 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 4778 lm1 |= HCI_LM_MASTER;
1da177e4 4779 exact++;
2af6b9d5
MH		 4780 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4781 lm2 |= HCI_LM_ACCEPT;
43bd0f32 4782 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 4783 lm2 |= HCI_LM_MASTER;
4784 }
1da177e4 4785 }
23691d75 4786 read_unlock(&chan_list_lock);
1da177e4
LT		 4787
4788 return exact ? lm1 : lm2;
4789}
4790
686ebf28 4791int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 4792{
0139418c
MH		 4793 struct l2cap_conn *conn;
4794
1da177e4
LT		 4795 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4796
1da177e4 4797 if (!status) {
1da177e4
LT		 4798 conn = l2cap_conn_add(hcon, status);
4799 if (conn)
4800 l2cap_conn_ready(conn);
0139418c 4801 } else
e175072f 4802 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 4803
4804 return 0;
4805}
4806
686ebf28 4807int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 4808{
4809 struct l2cap_conn *conn = hcon->l2cap_data;
4810
4811 BT_DBG("hcon %p", hcon);
4812
686ebf28 4813 if (!conn)
9f5a0d7b 4814 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 4815 return conn->disc_reason;
4816}
4817
686ebf28 4818int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4819{
4820 BT_DBG("hcon %p reason %d", hcon, reason);
4821
e175072f 4822 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 4823 return 0;
4824}
4825
4343478f 4826static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4827{
715ec005 4828 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 4829 return;
4830
f62e4323 4831 if (encrypt == 0x00) {
4343478f 4832 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 4833 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 4834 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 4835 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4836 } else {
4343478f 4837 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 4838 __clear_chan_timer(chan);
f62e4323
MH		 4839 }
4840}
4841
686ebf28 4842int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4843{
0139418c 4844 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4845 struct l2cap_chan *chan;
1da177e4 4846
0139418c 4847 if (!conn)
1da177e4 4848 return 0;
0139418c 4849
1da177e4
LT		 4850 BT_DBG("conn %p", conn);
4851
160dc6ac 4852 if (hcon->type == LE_LINK) {
35d4adcc
HG		 4853 if (!status && encrypt)
4854 smp_distribute_keys(conn, 0);
17cd3f37 4855 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 4856 }
4857
3df91ea2 4858 mutex_lock(&conn->chan_lock);
1da177e4 4859
3df91ea2 4860 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 4861 l2cap_chan_lock(chan);
1da177e4 4862
f1cb9af5
VCG		 4863 BT_DBG("chan->scid %d", chan->scid);
4864
4865 if (chan->scid == L2CAP_CID_LE_DATA) {
4866 if (!status && encrypt) {
4867 chan->sec_level = hcon->sec_level;
cf4cd009 4868 l2cap_chan_ready(chan);
f1cb9af5
VCG		 4869 }
4870
6be36555 4871 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 4872 continue;
4873 }
4874
c1360a1c 4875 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6be36555 4876 l2cap_chan_unlock(chan);
6a8d3010
MH		 4877 continue;
4878 }
4879
89bc500e
GP		 4880 if (!status && (chan->state == BT_CONNECTED ||
4881 chan->state == BT_CONFIG)) {
4343478f 4882 l2cap_check_encryption(chan, encrypt);
6be36555 4883 l2cap_chan_unlock(chan);
9719f8af
MH		 4884 continue;
4885 }
4886
89bc500e 4887 if (chan->state == BT_CONNECT) {
b1235d79 4888 if (!status) {
9b27f350 4889 l2cap_send_conn_req(chan);
b1235d79 4890 } else {
ba13ccd9 4891 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 4892 }
89bc500e 4893 } else if (chan->state == BT_CONNECT2) {
6be36555 4894 struct sock *sk = chan->sk;
b1235d79 4895 struct l2cap_conn_rsp rsp;
df3c3931 4896 __u16 res, stat;
1da177e4 4897
6be36555
AE		 4898 lock_sock(sk);
4899
b1235d79 4900 if (!status) {
df3c3931
JH		 4901 if (bt_sk(sk)->defer_setup) {
4902 struct sock *parent = bt_sk(sk)->parent;
4903 res = L2CAP_CR_PEND;
4904 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 4905 if (parent)
4906 parent->sk_data_ready(parent, 0);
df3c3931 4907 } else {
0e587be7 4908 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 4909 res = L2CAP_CR_SUCCESS;
4910 stat = L2CAP_CS_NO_INFO;
4911 }
b1235d79 4912 } else {
0e587be7 4913 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 4914 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 4915 res = L2CAP_CR_SEC_BLOCK;
4916 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 4917 }
4918
6be36555
AE		 4919 release_sock(sk);
4920
fe4128e0
GP		 4921 rsp.scid = cpu_to_le16(chan->dcid);
4922 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 4923 rsp.result = cpu_to_le16(res);
4924 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 4925 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4926 sizeof(rsp), &rsp);
b1235d79 4927 }
1da177e4 4928
6be36555 4929 l2cap_chan_unlock(chan);
1da177e4
LT		 4930 }
4931
3df91ea2 4932 mutex_unlock(&conn->chan_lock);
b1235d79 4933
1da177e4
LT		 4934 return 0;
4935}
4936
686ebf28 4937int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 4938{
4939 struct l2cap_conn *conn = hcon->l2cap_data;
4940
5a08ecce
AE		 4941 if (!conn)
4942 conn = l2cap_conn_add(hcon, 0);
4943
4944 if (!conn)
1da177e4
LT		 4945 goto drop;
4946
4947 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4948
e702112f 4949 if (!(flags & ACL_CONT)) {
1da177e4 4950 struct l2cap_hdr *hdr;
48454079 4951 struct l2cap_chan *chan;
89794813 4952 u16 cid;
1da177e4
LT		 4953 int len;
4954
4955 if (conn->rx_len) {
4956 BT_ERR("Unexpected start frame (len %d)", skb->len);
4957 kfree_skb(conn->rx_skb);
4958 conn->rx_skb = NULL;
4959 conn->rx_len = 0;
4960 l2cap_conn_unreliable(conn, ECOMM);
4961 }
4962
aae7fe22
AE		 4963 /* Start fragment always begin with Basic L2CAP header */
4964 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 4965 BT_ERR("Frame is too short (len %d)", skb->len);
4966 l2cap_conn_unreliable(conn, ECOMM);
4967 goto drop;
4968 }
4969
4970 hdr = (struct l2cap_hdr *) skb->data;
4971 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
89794813 4972 cid = __le16_to_cpu(hdr->cid);
1da177e4
LT		 4973
4974 if (len == skb->len) {
4975 /* Complete frame received */
4976 l2cap_recv_frame(conn, skb);
4977 return 0;
4978 }
4979
4980 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4981
4982 if (skb->len > len) {
4983 BT_ERR("Frame is too long (len %d, expected len %d)",
4984 skb->len, len);
4985 l2cap_conn_unreliable(conn, ECOMM);
4986 goto drop;
4987 }
4988
baa7e1fa 4989 chan = l2cap_get_chan_by_scid(conn, cid);
89794813 4990
48454079
GP		 4991 if (chan && chan->sk) {
4992 struct sock *sk = chan->sk;
3df91ea2 4993 lock_sock(sk);
89794813 4994
0c1bc5c6 4995 if (chan->imtu < len - L2CAP_HDR_SIZE) {
48454079
GP		 4996 BT_ERR("Frame exceeding recv MTU (len %d, "
4997 "MTU %d)", len,
0c1bc5c6 4998 chan->imtu);
aa2ac881 4999 release_sock(sk);
48454079
GP		 5000 l2cap_conn_unreliable(conn, ECOMM);
5001 goto drop;
5002 }
aa2ac881 5003 release_sock(sk);
48454079 5004 }
89794813 5005
1da177e4 5006 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 5007 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
5008 if (!conn->rx_skb)
1da177e4
LT		 5009 goto drop;
5010
d626f62b 5011 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5012 skb->len);
1da177e4
LT		 5013 conn->rx_len = len - skb->len;
5014 } else {
5015 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
5016
5017 if (!conn->rx_len) {
5018 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
5019 l2cap_conn_unreliable(conn, ECOMM);
5020 goto drop;
5021 }
5022
5023 if (skb->len > conn->rx_len) {
5024 BT_ERR("Fragment is too long (len %d, expected %d)",
5025 skb->len, conn->rx_len);
5026 kfree_skb(conn->rx_skb);
5027 conn->rx_skb = NULL;
5028 conn->rx_len = 0;
5029 l2cap_conn_unreliable(conn, ECOMM);
5030 goto drop;
5031 }
5032
d626f62b 5033 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5034 skb->len);
1da177e4
LT		 5035 conn->rx_len -= skb->len;
5036
5037 if (!conn->rx_len) {
5038 /* Complete frame received */
5039 l2cap_recv_frame(conn, conn->rx_skb);
5040 conn->rx_skb = NULL;
5041 }
5042 }
5043
5044drop:
5045 kfree_skb(skb);
5046 return 0;
5047}
5048
aef7d97c 5049static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 5050{
23691d75 5051 struct l2cap_chan *c;
1da177e4 5052
333055f2 5053 read_lock(&chan_list_lock);
1da177e4 5054
23691d75
GP		 5055 list_for_each_entry(c, &chan_list, global_l) {
5056 struct sock *sk = c->sk;
101545f6 5057
903d343e 5058 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 5059 batostr(&bt_sk(sk)->src),
5060 batostr(&bt_sk(sk)->dst),
89bc500e 5061 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 5062 c->scid, c->dcid, c->imtu, c->omtu,
5063 c->sec_level, c->mode);
61e1b4b7 5064 }
1da177e4 5065
333055f2 5066 read_unlock(&chan_list_lock);
1da177e4 5067
aef7d97c 5068 return 0;
1da177e4
LT		 5069}
5070
aef7d97c
MH		 5071static int l2cap_debugfs_open(struct inode *inode, struct file *file)
5072{
5073 return single_open(file, l2cap_debugfs_show, inode->i_private);
5074}
5075
5076static const struct file_operations l2cap_debugfs_fops = {
5077 .open = l2cap_debugfs_open,
5078 .read = seq_read,
5079 .llseek = seq_lseek,
5080 .release = single_release,
5081};
5082
5083static struct dentry *l2cap_debugfs;
1da177e4 5084
64274518 5085int __init l2cap_init(void)
1da177e4
LT		 5086{
5087 int err;
be9d1227 5088
bb58f747 5089 err = l2cap_init_sockets();
1da177e4
LT		 5090 if (err < 0)
5091 return err;
5092
aef7d97c
MH		 5093 if (bt_debugfs) {
5094 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
5095 bt_debugfs, NULL, &l2cap_debugfs_fops);
5096 if (!l2cap_debugfs)
5097 BT_ERR("Failed to create L2CAP debug file");
5098 }
1da177e4 5099
1da177e4 5100 return 0;
1da177e4
LT		 5101}
5102
64274518 5103void l2cap_exit(void)
1da177e4 5104{
aef7d97c 5105 debugfs_remove(l2cap_debugfs);
bb58f747 5106 l2cap_cleanup_sockets();
1da177e4
LT		 5107}
5108
d1c4a17d
GP		 5109module_param(disable_ertm, bool, 0644);
5110MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)