projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Revert to mutexes from RCU list
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
1da177e4
LT		 7
8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License version 2 as
12 published by the Free Software Foundation;
13
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22
8e87d142
YH		 23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 25 SOFTWARE IS DISCLAIMED.
26*/
27
bb58f747 28/* Bluetooth L2CAP core. */
1da177e4 29
1da177e4
LT		 30#include <linux/module.h>
31
32#include <linux/types.h>
4fc268d2 33#include <linux/capability.h>
1da177e4
LT		 34#include <linux/errno.h>
35#include <linux/kernel.h>
1da177e4
LT		 36#include <linux/sched.h>
37#include <linux/slab.h>
38#include <linux/poll.h>
39#include <linux/fcntl.h>
40#include <linux/init.h>
41#include <linux/interrupt.h>
42#include <linux/socket.h>
43#include <linux/skbuff.h>
1da177e4 44#include <linux/list.h>
be9d1227 45#include <linux/device.h>
aef7d97c
MH		 46#include <linux/debugfs.h>
47#include <linux/seq_file.h>
af05b30b 48#include <linux/uaccess.h>
fcc203c3 49#include <linux/crc16.h>
1da177e4
LT		 50#include <net/sock.h>
51
52#include <asm/system.h>
1da177e4
LT		 53#include <asm/unaligned.h>
54
55#include <net/bluetooth/bluetooth.h>
56#include <net/bluetooth/hci_core.h>
57#include <net/bluetooth/l2cap.h>
b501d6a1 58#include <net/bluetooth/smp.h>
1da177e4 59
eb939922 60bool disable_ertm;
f0709e03 61
47ec1dcd 62static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 63static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 64
b5ad8b7f
JB		 65static LIST_HEAD(chan_list);
66static DEFINE_RWLOCK(chan_list_lock);
1da177e4 67
1da177e4
LT		 68static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
69 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 70static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
71 void *data);
710f9b0a 72static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a
GP		 73static void l2cap_send_disconn_req(struct l2cap_conn *conn,
74 struct l2cap_chan *chan, int err);
1da177e4 75
0139418c 76/* ---- L2CAP channels ---- */
71ba0e56 77
baa7e1fa 78static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 79{
3df91ea2 80 struct l2cap_chan *c;
3d57dc68 81
3df91ea2
AE		 82 list_for_each_entry(c, &conn->chan_l, list) {
83 if (c->dcid == cid)
84 return c;
0139418c 85 }
3df91ea2 86 return NULL;
0139418c
MH		 87}
88
baa7e1fa 89static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 90{
3df91ea2 91 struct l2cap_chan *c;
3d57dc68 92
3df91ea2
AE		 93 list_for_each_entry(c, &conn->chan_l, list) {
94 if (c->scid == cid)
95 return c;
0139418c 96 }
3df91ea2 97 return NULL;
0139418c
MH		 98}
99
100/* Find channel with given SCID.
101 * Returns locked socket */
baa7e1fa 102static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 103{
48454079 104 struct l2cap_chan *c;
baa7e1fa 105
3df91ea2 106 mutex_lock(&conn->chan_lock);
baa7e1fa 107 c = __l2cap_get_chan_by_scid(conn, cid);
3df91ea2
AE		 108 mutex_unlock(&conn->chan_lock);
109
48454079 110 return c;
0139418c
MH		 111}
112
baa7e1fa 113static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 114{
3df91ea2 115 struct l2cap_chan *c;
3d57dc68 116
3df91ea2
AE		 117 list_for_each_entry(c, &conn->chan_l, list) {
118 if (c->ident == ident)
119 return c;
0139418c 120 }
3df91ea2 121 return NULL;
0139418c
MH		 122}
123
baa7e1fa 124static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 125{
48454079 126 struct l2cap_chan *c;
baa7e1fa 127
3df91ea2 128 mutex_lock(&conn->chan_lock);
baa7e1fa 129 c = __l2cap_get_chan_by_ident(conn, ident);
3df91ea2
AE		 130 mutex_unlock(&conn->chan_lock);
131
48454079 132 return c;
0139418c
MH		 133}
134
23691d75 135static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 136{
23691d75 137 struct l2cap_chan *c;
9e4425ff 138
23691d75
GP		 139 list_for_each_entry(c, &chan_list, global_l) {
140 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 141 return c;
9e4425ff 142 }
250938cb 143 return NULL;
9e4425ff
GP		 144}
145
146int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
147{
73b2ec18
GP		 148 int err;
149
333055f2 150 write_lock(&chan_list_lock);
9e4425ff 151
23691d75 152 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 153 err = -EADDRINUSE;
154 goto done;
9e4425ff
GP		 155 }
156
73b2ec18
GP		 157 if (psm) {
158 chan->psm = psm;
159 chan->sport = psm;
160 err = 0;
161 } else {
162 u16 p;
163
164 err = -EINVAL;
165 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 166 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 167 chan->psm = cpu_to_le16(p);
168 chan->sport = cpu_to_le16(p);
169 err = 0;
170 break;
171 }
172 }
9e4425ff 173
73b2ec18 174done:
333055f2 175 write_unlock(&chan_list_lock);
73b2ec18 176 return err;
9e4425ff
GP		 177}
178
179int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
180{
333055f2 181 write_lock(&chan_list_lock);
9e4425ff
GP		 182
183 chan->scid = scid;
184
333055f2 185 write_unlock(&chan_list_lock);
9e4425ff
GP		 186
187 return 0;
188}
189
baa7e1fa 190static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 191{
8db4dc46 192 u16 cid = L2CAP_CID_DYN_START;
0139418c 193
8db4dc46 194 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 195 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 196 return cid;
197 }
198
199 return 0;
200}
201
89bc500e
GP		 202static void l2cap_state_change(struct l2cap_chan *chan, int state)
203{
42d2d87c 204 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
badaaa00
GP		 205 state_to_string(state));
206
89bc500e
GP		 207 chan->state = state;
208 chan->ops->state_change(chan->data, state);
209}
210
721c4181 211static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 212{
721c4181
GP		 213 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
214 chan_timer.work);
3df91ea2 215 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 216 struct sock *sk = chan->sk;
217 int reason;
218
e05dcc32 219 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 220
3df91ea2 221 mutex_lock(&conn->chan_lock);
721c4181 222 lock_sock(sk);
ab07801d 223
89bc500e 224 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 225 reason = ECONNREFUSED;
89bc500e 226 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 227 chan->sec_level != BT_SECURITY_SDP)
228 reason = ECONNREFUSED;
229 else
230 reason = ETIMEDOUT;
231
0f852724 232 l2cap_chan_close(chan, reason);
ab07801d 233
721c4181 234 release_sock(sk);
ab07801d 235
ba3bd0ee 236 chan->ops->close(chan->data);
3df91ea2
AE		 237 mutex_unlock(&conn->chan_lock);
238
371fd835 239 l2cap_chan_put(chan);
ab07801d
GP		 240}
241
23691d75 242struct l2cap_chan *l2cap_chan_create(struct sock *sk)
48454079
GP		 243{
244 struct l2cap_chan *chan;
245
246 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
247 if (!chan)
248 return NULL;
249
250 chan->sk = sk;
251
333055f2 252 write_lock(&chan_list_lock);
23691d75 253 list_add(&chan->global_l, &chan_list);
333055f2 254 write_unlock(&chan_list_lock);
23691d75 255
721c4181 256 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 257
89bc500e
GP		 258 chan->state = BT_OPEN;
259
71ba0e56
GP		 260 atomic_set(&chan->refcnt, 1);
261
abc545b8
SJ		 262 BT_DBG("sk %p chan %p", sk, chan);
263
48454079
GP		 264 return chan;
265}
266
23691d75 267void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 268{
333055f2 269 write_lock(&chan_list_lock);
23691d75 270 list_del(&chan->global_l);
333055f2 271 write_unlock(&chan_list_lock);
23691d75 272
371fd835 273 l2cap_chan_put(chan);
6ff5abbf
GP		 274}
275
3d57dc68 276static void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 277{
af05b30b 278 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
fe4128e0 279 chan->psm, chan->dcid);
0139418c 280
9f5a0d7b 281 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 282
8c1d787b 283 chan->conn = conn;
0139418c 284
5491120e
AE		 285 switch (chan->chan_type) {
286 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 287 if (conn->hcon->type == LE_LINK) {
288 /* LE connection */
0c1bc5c6 289 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 290 chan->scid = L2CAP_CID_LE_DATA;
291 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 292 } else {
293 /* Alloc CID for connection-oriented socket */
fe4128e0 294 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 295 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 296 }
5491120e
AE		 297 break;
298
299 case L2CAP_CHAN_CONN_LESS:
0139418c 300 /* Connectionless socket */
fe4128e0
GP		 301 chan->scid = L2CAP_CID_CONN_LESS;
302 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 303 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 304 break;
305
306 default:
0139418c 307 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 308 chan->scid = L2CAP_CID_SIGNALING;
309 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 310 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 311 }
312
8f7975b1
AE		 313 chan->local_id = L2CAP_BESTEFFORT_ID;
314 chan->local_stype = L2CAP_SERV_BESTEFFORT;
315 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
316 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
317 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
318 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
319
371fd835 320 l2cap_chan_hold(chan);
baa7e1fa 321
3df91ea2
AE		 322 mutex_lock(&conn->chan_lock);
323 list_add(&chan->list, &conn->chan_l);
324 mutex_unlock(&conn->chan_lock);
0139418c
MH		 325}
326
8e87d142 327/* Delete channel.
0139418c 328 * Must be called on the locked socket. */
4519de9a 329static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 330{
48454079 331 struct sock *sk = chan->sk;
8c1d787b 332 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 333 struct sock *parent = bt_sk(sk)->parent;
334
c9b66675 335 __clear_chan_timer(chan);
0139418c 336
49208c9c 337 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 338
8e87d142 339 if (conn) {
baa7e1fa 340 /* Delete from channel list */
3df91ea2 341 list_del(&chan->list);
3d57dc68 342
371fd835 343 l2cap_chan_put(chan);
baa7e1fa 344
8c1d787b 345 chan->conn = NULL;
0139418c
MH		 346 hci_conn_put(conn->hcon);
347 }
348
89bc500e 349 l2cap_state_change(chan, BT_CLOSED);
0139418c
MH		 350 sock_set_flag(sk, SOCK_ZAPPED);
351
352 if (err)
353 sk->sk_err = err;
354
355 if (parent) {
356 bt_accept_unlink(sk);
357 parent->sk_data_ready(parent, 0);
358 } else
359 sk->sk_state_change(sk);
c13ffa62 360
c1360a1c
GP		 361 if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
362 test_bit(CONF_INPUT_DONE, &chan->conf_state)))
6ff5abbf 363 return;
2ead70b8 364
58d35f87 365 skb_queue_purge(&chan->tx_q);
c13ffa62 366
0c1bc5c6 367 if (chan->mode == L2CAP_MODE_ERTM) {
c13ffa62
GP		 368 struct srej_list *l, *tmp;
369
1a09bcb9
GP		 370 __clear_retrans_timer(chan);
371 __clear_monitor_timer(chan);
372 __clear_ack_timer(chan);
c13ffa62 373
f1c6775b 374 skb_queue_purge(&chan->srej_q);
c13ffa62 375
39d5a3ee 376 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
c13ffa62
GP		 377 list_del(&l->list);
378 kfree(l);
379 }
380 }
0139418c
MH		 381}
382
4519de9a
GP		 383static void l2cap_chan_cleanup_listen(struct sock *parent)
384{
385 struct sock *sk;
386
387 BT_DBG("parent %p", parent);
388
389 /* Close not yet accepted channels */
0f852724 390 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee 391 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
3df91ea2 392
c9b66675 393 __clear_chan_timer(chan);
0f852724 394 lock_sock(sk);
ba3bd0ee 395 l2cap_chan_close(chan, ECONNRESET);
0f852724 396 release_sock(sk);
3df91ea2 397
ba3bd0ee 398 chan->ops->close(chan->data);
0f852724 399 }
4519de9a
GP		 400}
401
0f852724 402void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 403{
404 struct l2cap_conn *conn = chan->conn;
405 struct sock *sk = chan->sk;
406
e05dcc32
AE		 407 BT_DBG("chan %p state %s sk %p", chan,
408 state_to_string(chan->state), sk);
4519de9a 409
89bc500e 410 switch (chan->state) {
4519de9a
GP		 411 case BT_LISTEN:
412 l2cap_chan_cleanup_listen(sk);
89bc500e
GP		 413
414 l2cap_state_change(chan, BT_CLOSED);
415 sock_set_flag(sk, SOCK_ZAPPED);
4519de9a
GP		 416 break;
417
418 case BT_CONNECTED:
419 case BT_CONFIG:
715ec005 420 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 421 conn->hcon->type == ACL_LINK) {
c9b66675
GP		 422 __clear_chan_timer(chan);
423 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 424 l2cap_send_disconn_req(conn, chan, reason);
425 } else
426 l2cap_chan_del(chan, reason);
427 break;
428
429 case BT_CONNECT2:
715ec005 430 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 431 conn->hcon->type == ACL_LINK) {
432 struct l2cap_conn_rsp rsp;
433 __u16 result;
434
435 if (bt_sk(sk)->defer_setup)
436 result = L2CAP_CR_SEC_BLOCK;
437 else
438 result = L2CAP_CR_BAD_PSM;
89bc500e 439 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 440
441 rsp.scid = cpu_to_le16(chan->dcid);
442 rsp.dcid = cpu_to_le16(chan->scid);
443 rsp.result = cpu_to_le16(result);
444 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
445 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
446 sizeof(rsp), &rsp);
447 }
448
449 l2cap_chan_del(chan, reason);
450 break;
451
452 case BT_CONNECT:
453 case BT_DISCONN:
454 l2cap_chan_del(chan, reason);
455 break;
456
457 default:
458 sock_set_flag(sk, SOCK_ZAPPED);
459 break;
460 }
461}
462
4343478f 463static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 464{
715ec005 465 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 466 switch (chan->sec_level) {
8556edd3
JH		 467 case BT_SECURITY_HIGH:
468 return HCI_AT_DEDICATED_BONDING_MITM;
469 case BT_SECURITY_MEDIUM:
470 return HCI_AT_DEDICATED_BONDING;
471 default:
472 return HCI_AT_NO_BONDING;
473 }
fe4128e0 474 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 475 if (chan->sec_level == BT_SECURITY_LOW)
476 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 477
4343478f 478 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 479 return HCI_AT_NO_BONDING_MITM;
00ae4af9 480 else
8556edd3 481 return HCI_AT_NO_BONDING;
00ae4af9 482 } else {
4343478f 483 switch (chan->sec_level) {
00ae4af9 484 case BT_SECURITY_HIGH:
8556edd3 485 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 486 case BT_SECURITY_MEDIUM:
8556edd3 487 return HCI_AT_GENERAL_BONDING;
00ae4af9 488 default:
8556edd3 489 return HCI_AT_NO_BONDING;
00ae4af9 490 }
0684e5f9 491 }
8556edd3
JH		 492}
493
494/* Service level security */
d45fc423 495int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 496{
8c1d787b 497 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 498 __u8 auth_type;
499
4343478f 500 auth_type = l2cap_get_auth_type(chan);
79d554a6 501
4343478f 502 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 503}
504
b5ad8b7f 505static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 506{
507 u8 id;
508
509 /* Get next available identificator.
510 * 1 - 128 are used by kernel.
511 * 129 - 199 are reserved.
512 * 200 - 254 are used by utilities like l2ping, etc.
513 */
514
333055f2 515 spin_lock(&conn->lock);
4e8402a3
MH		 516
517 if (++conn->tx_ident > 128)
518 conn->tx_ident = 1;
519
520 id = conn->tx_ident;
521
333055f2 522 spin_unlock(&conn->lock);
4e8402a3
MH		 523
524 return id;
525}
526
4519de9a 527static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 528{
529 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 530 u8 flags;
4e8402a3
MH		 531
532 BT_DBG("code 0x%2.2x", code);
533
534 if (!skb)
9a9c6a34 535 return;
4e8402a3 536
e702112f
AE		 537 if (lmp_no_flush_capable(conn->hcon->hdev))
538 flags = ACL_START_NO_FLUSH;
539 else
540 flags = ACL_START;
541
14b12d0b 542 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 543 skb->priority = HCI_PRIO_MAX;
14b12d0b 544
73d80deb
LAD		 545 hci_send_acl(conn->hchan, skb, flags);
546}
547
548static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
549{
550 struct hci_conn *hcon = chan->conn->hcon;
551 u16 flags;
552
553 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
554 skb->priority);
555
556 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
557 lmp_no_flush_capable(hcon->hdev))
558 flags = ACL_START_NO_FLUSH;
559 else
560 flags = ACL_START;
14b12d0b 561
73d80deb
LAD		 562 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
563 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 564}
565
88843ab0 566static inline void l2cap_send_sframe(struct l2cap_chan *chan, u32 control)
1c2acffb
GP		 567{
568 struct sk_buff *skb;
569 struct l2cap_hdr *lh;
8c1d787b 570 struct l2cap_conn *conn = chan->conn;
e4ca6d98 571 int count, hlen;
fcc203c3 572
89bc500e 573 if (chan->state != BT_CONNECTED)
c13ffa62
GP		 574 return;
575
e4ca6d98
AE		 576 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
577 hlen = L2CAP_EXT_HDR_SIZE;
578 else
579 hlen = L2CAP_ENH_HDR_SIZE;
580
47d1ec61 581 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 582 hlen += L2CAP_FCS_SIZE;
1c2acffb 583
88843ab0 584 BT_DBG("chan %p, control 0x%8.8x", chan, control);
1c2acffb 585
fcc203c3 586 count = min_t(unsigned int, conn->mtu, hlen);
793c2f1c
AE		 587
588 control |= __set_sframe(chan);
1c2acffb 589
e2ab4353 590 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 591 control |= __set_ctrl_final(chan);
9e917af1 592
e2ab4353 593 if (test_and_clear_bit(CONN_SEND_PBIT, &chan->conn_state))
e3781735 594 control |= __set_ctrl_poll(chan);
f0946ccf 595
1c2acffb
GP		 596 skb = bt_skb_alloc(count, GFP_ATOMIC);
597 if (!skb)
9a9c6a34 598 return;
1c2acffb
GP		 599
600 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 601 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
fe4128e0 602 lh->cid = cpu_to_le16(chan->dcid);
88843ab0
AE		 603
604 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
1c2acffb 605
47d1ec61 606 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 607 u16 fcs = crc16(0, (u8 *)lh, count - L2CAP_FCS_SIZE);
608 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 609 }
610
73d80deb
LAD		 611 skb->priority = HCI_PRIO_MAX;
612 l2cap_do_send(chan, skb);
1c2acffb
GP		 613}
614
88843ab0 615static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u32 control)
7e743090 616{
e2ab4353 617 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 618 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 619 set_bit(CONN_RNR_SENT, &chan->conn_state);
1890d36b 620 } else
ab784b73 621 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
7e743090 622
0b209fae 623 control |= __set_reqseq(chan, chan->buffer_seq);
2ab25cdd 624
525cd185 625 l2cap_send_sframe(chan, control);
7e743090
GP		 626}
627
b4450035 628static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 629{
c1360a1c 630 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 631}
632
fc7f8a7e 633static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 634{
8c1d787b 635 struct l2cap_conn *conn = chan->conn;
79d554a6
MH		 636
637 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 638 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
639 return;
640
d45fc423 641 if (l2cap_chan_check_security(chan) &&
4343478f 642 __l2cap_no_conn_pending(chan)) {
b1235d79 643 struct l2cap_conn_req req;
fe4128e0
GP		 644 req.scid = cpu_to_le16(chan->scid);
645 req.psm = chan->psm;
79d554a6 646
fc7f8a7e 647 chan->ident = l2cap_get_ident(conn);
c1360a1c 648 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
79d554a6 649
fc7f8a7e
GP		 650 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
651 sizeof(req), &req);
b1235d79 652 }
79d554a6
MH		 653 } else {
654 struct l2cap_info_req req;
655 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
656
657 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
658 conn->info_ident = l2cap_get_ident(conn);
659
030013d8 660 schedule_delayed_work(&conn->info_timer,
79d554a6
MH		 661 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
662
663 l2cap_send_cmd(conn, conn->info_ident,
664 L2CAP_INFO_REQ, sizeof(req), &req);
665 }
666}
667
cf6c2c0b
GP		 668static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
669{
670 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 671 if (!disable_ertm)
cf6c2c0b
GP		 672 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
673
674 switch (mode) {
675 case L2CAP_MODE_ERTM:
676 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
677 case L2CAP_MODE_STREAMING:
678 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
679 default:
680 return 0x00;
681 }
682}
683
4519de9a 684static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 685{
e92c8e70 686 struct sock *sk;
22121fc9
GP		 687 struct l2cap_disconn_req req;
688
c13ffa62
GP		 689 if (!conn)
690 return;
691
e92c8e70
GP		 692 sk = chan->sk;
693
0c1bc5c6 694 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 695 __clear_retrans_timer(chan);
696 __clear_monitor_timer(chan);
697 __clear_ack_timer(chan);
c13ffa62
GP		 698 }
699
fe4128e0
GP		 700 req.dcid = cpu_to_le16(chan->dcid);
701 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 702 l2cap_send_cmd(conn, l2cap_get_ident(conn),
703 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 704
89bc500e 705 l2cap_state_change(chan, BT_DISCONN);
9b108fc0 706 sk->sk_err = err;
22121fc9
GP		 707}
708
1da177e4 709/* ---- L2CAP connections ---- */
4e8402a3
MH		 710static void l2cap_conn_start(struct l2cap_conn *conn)
711{
3df91ea2 712 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 713
714 BT_DBG("conn %p", conn);
715
3df91ea2 716 mutex_lock(&conn->chan_lock);
4e8402a3 717
3df91ea2 718 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 719 struct sock *sk = chan->sk;
baa7e1fa 720
4e8402a3
MH		 721 bh_lock_sock(sk);
722
715ec005 723 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
79d554a6
MH		 724 bh_unlock_sock(sk);
725 continue;
726 }
727
89bc500e 728 if (chan->state == BT_CONNECT) {
47731de7 729 struct l2cap_conn_req req;
79d554a6 730
d45fc423 731 if (!l2cap_chan_check_security(chan) ||
b4450035 732 !__l2cap_no_conn_pending(chan)) {
47731de7
GP		 733 bh_unlock_sock(sk);
734 continue;
735 }
79d554a6 736
c1360a1c
GP		 737 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
738 && test_bit(CONF_STATE2_DEVICE,
739 &chan->conf_state)) {
0f852724 740 /* l2cap_chan_close() calls list_del(chan)
820ffdb3 741 * so release the lock */
89bc500e 742 l2cap_chan_close(chan, ECONNRESET);
47731de7
GP		 743 bh_unlock_sock(sk);
744 continue;
b1235d79 745 }
47731de7 746
fe4128e0
GP		 747 req.scid = cpu_to_le16(chan->scid);
748 req.psm = chan->psm;
47731de7 749
fc7f8a7e 750 chan->ident = l2cap_get_ident(conn);
c1360a1c 751 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
47731de7 752
fc7f8a7e
GP		 753 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
754 sizeof(req), &req);
47731de7 755
89bc500e 756 } else if (chan->state == BT_CONNECT2) {
79d554a6 757 struct l2cap_conn_rsp rsp;
e9aeb2dd 758 char buf[128];
fe4128e0
GP		 759 rsp.scid = cpu_to_le16(chan->dcid);
760 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 761
d45fc423 762 if (l2cap_chan_check_security(chan)) {
f66dc81f
MH		 763 if (bt_sk(sk)->defer_setup) {
764 struct sock *parent = bt_sk(sk)->parent;
765 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
766 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 767 if (parent)
768 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 769
770 } else {
89bc500e 771 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 772 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
773 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
774 }
79d554a6
MH		 775 } else {
776 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
777 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
778 }
779
fc7f8a7e
GP		 780 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
781 sizeof(rsp), &rsp);
e9aeb2dd 782
c1360a1c 783 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd
GP		 784 rsp.result != L2CAP_CR_SUCCESS) {
785 bh_unlock_sock(sk);
786 continue;
787 }
788
c1360a1c 789 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 790 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 791 l2cap_build_conf_req(chan, buf), buf);
792 chan->num_conf_req++;
4e8402a3
MH		 793 }
794
795 bh_unlock_sock(sk);
796 }
797
3df91ea2 798 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 799}
800
b62f328b
VT		 801/* Find socket with cid and source bdaddr.
802 * Returns closest match, locked.
803 */
23691d75 804static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
b62f328b 805{
23691d75 806 struct l2cap_chan *c, *c1 = NULL;
b62f328b 807
23691d75 808 read_lock(&chan_list_lock);
b62f328b 809
23691d75
GP		 810 list_for_each_entry(c, &chan_list, global_l) {
811 struct sock *sk = c->sk;
fe4128e0 812
89bc500e 813 if (state && c->state != state)
b62f328b
VT		 814 continue;
815
23691d75 816 if (c->scid == cid) {
b62f328b 817 /* Exact match. */
23691d75
GP		 818 if (!bacmp(&bt_sk(sk)->src, src)) {
819 read_unlock(&chan_list_lock);
820 return c;
821 }
b62f328b
VT		 822
823 /* Closest match */
824 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 825 c1 = c;
b62f328b
VT		 826 }
827 }
280f294f 828
23691d75 829 read_unlock(&chan_list_lock);
b62f328b 830
23691d75 831 return c1;
b62f328b
VT		 832}
833
834static void l2cap_le_conn_ready(struct l2cap_conn *conn)
835{
c916fbe4 836 struct sock *parent, *sk;
23691d75 837 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 838
839 BT_DBG("");
840
841 /* Check if we have socket listening on cid */
23691d75 842 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
b62f328b 843 conn->src);
23691d75 844 if (!pchan)
b62f328b
VT		 845 return;
846
23691d75
GP		 847 parent = pchan->sk;
848
aa2ac881 849 lock_sock(parent);
62f3a2cf 850
b62f328b
VT		 851 /* Check for backlog size */
852 if (sk_acceptq_is_full(parent)) {
853 BT_DBG("backlog full %d", parent->sk_ack_backlog);
854 goto clean;
855 }
856
80808e43
GP		 857 chan = pchan->ops->new_connection(pchan->data);
858 if (!chan)
b62f328b
VT		 859 goto clean;
860
80808e43 861 sk = chan->sk;
5d41ce1d 862
b62f328b
VT		 863 hci_conn_hold(conn->hcon);
864
b62f328b
VT		 865 bacpy(&bt_sk(sk)->src, conn->src);
866 bacpy(&bt_sk(sk)->dst, conn->dst);
867
d1010240
GP		 868 bt_accept_enqueue(parent, sk);
869
3d57dc68 870 l2cap_chan_add(conn, chan);
48454079 871
c9b66675 872 __set_chan_timer(chan, sk->sk_sndtimeo);
b62f328b 873
89bc500e 874 l2cap_state_change(chan, BT_CONNECTED);
b62f328b
VT		 875 parent->sk_data_ready(parent, 0);
876
b62f328b 877clean:
aa2ac881 878 release_sock(parent);
b62f328b
VT		 879}
880
cf4cd009 881static void l2cap_chan_ready(struct l2cap_chan *chan)
f1cb9af5 882{
cf4cd009 883 struct sock *sk = chan->sk;
f1cb9af5
VCG		 884 struct sock *parent = bt_sk(sk)->parent;
885
886 BT_DBG("sk %p, parent %p", sk, parent);
887
888 chan->conf_state = 0;
889 __clear_chan_timer(chan);
890
43f3dc41 891 l2cap_state_change(chan, BT_CONNECTED);
f1cb9af5
VCG		 892 sk->sk_state_change(sk);
893
894 if (parent)
895 parent->sk_data_ready(parent, 0);
896}
897
4e8402a3
MH		 898static void l2cap_conn_ready(struct l2cap_conn *conn)
899{
48454079 900 struct l2cap_chan *chan;
4e8402a3 901
79d554a6 902 BT_DBG("conn %p", conn);
4e8402a3 903
b62f328b
VT		 904 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
905 l2cap_le_conn_ready(conn);
906
160dc6ac
VCG		 907 if (conn->hcon->out && conn->hcon->type == LE_LINK)
908 smp_conn_security(conn, conn->hcon->pending_sec_level);
909
3df91ea2 910 mutex_lock(&conn->chan_lock);
4e8402a3 911
3df91ea2 912 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 913 struct sock *sk = chan->sk;
baa7e1fa 914
79d554a6 915 bh_lock_sock(sk);
4e8402a3 916
63128451 917 if (conn->hcon->type == LE_LINK) {
b501d6a1 918 if (smp_conn_security(conn, chan->sec_level))
cf4cd009 919 l2cap_chan_ready(chan);
acd7d370 920
63128451 921 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 922 __clear_chan_timer(chan);
89bc500e 923 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 924 sk->sk_state_change(sk);
b501d6a1 925
89bc500e 926 } else if (chan->state == BT_CONNECT)
fc7f8a7e 927 l2cap_do_start(chan);
4e8402a3 928
79d554a6 929 bh_unlock_sock(sk);
4e8402a3 930 }
79d554a6 931
3df91ea2 932 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 933}
934
935/* Notify sockets that we cannot guaranty reliability anymore */
936static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
937{
48454079 938 struct l2cap_chan *chan;
4e8402a3
MH		 939
940 BT_DBG("conn %p", conn);
941
3df91ea2 942 mutex_lock(&conn->chan_lock);
4e8402a3 943
3df91ea2 944 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 945 struct sock *sk = chan->sk;
baa7e1fa 946
ecf61bdb 947 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
4e8402a3
MH		 948 sk->sk_err = err;
949 }
950
3df91ea2 951 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 952}
953
f878fcad 954static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 955{
f878fcad 956 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
030013d8 957 info_timer.work);
4e8402a3 958
984947dc 959 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 960 conn->info_ident = 0;
984947dc 961
4e8402a3
MH		 962 l2cap_conn_start(conn);
963}
964
5d3de7df
VCG		 965static void l2cap_conn_del(struct hci_conn *hcon, int err)
966{
967 struct l2cap_conn *conn = hcon->l2cap_data;
968 struct l2cap_chan *chan, *l;
969 struct sock *sk;
970
971 if (!conn)
972 return;
973
974 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
975
976 kfree_skb(conn->rx_skb);
977
3df91ea2
AE		 978 mutex_lock(&conn->chan_lock);
979
5d3de7df
VCG		 980 /* Kill channels */
981 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
982 sk = chan->sk;
aa2ac881 983 lock_sock(sk);
5d3de7df 984 l2cap_chan_del(chan, err);
aa2ac881 985 release_sock(sk);
5d3de7df
VCG		 986 chan->ops->close(chan->data);
987 }
988
3df91ea2
AE		 989 mutex_unlock(&conn->chan_lock);
990
73d80deb
LAD		 991 hci_chan_del(conn->hchan);
992
5d3de7df 993 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 994 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 995
51a8efd7 996 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 997 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 998 smp_chan_destroy(conn);
d26a2345 999 }
5d3de7df
VCG		 1000
1001 hcon->l2cap_data = NULL;
1002 kfree(conn);
1003}
1004
6c9d42a1 1005static void security_timeout(struct work_struct *work)
5d3de7df 1006{
6c9d42a1
GP		 1007 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1008 security_timer.work);
5d3de7df
VCG		 1009
1010 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1011}
1012
1da177e4
LT		 1013static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1014{
0139418c 1015 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1016 struct hci_chan *hchan;
1da177e4 1017
0139418c 1018 if (conn || status)
1da177e4
LT		 1019 return conn;
1020
73d80deb
LAD		 1021 hchan = hci_chan_create(hcon);
1022 if (!hchan)
1023 return NULL;
1024
0139418c 1025 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
73d80deb
LAD		 1026 if (!conn) {
1027 hci_chan_del(hchan);
1da177e4 1028 return NULL;
73d80deb 1029 }
1da177e4
LT		 1030
1031 hcon->l2cap_data = conn;
1032 conn->hcon = hcon;
73d80deb 1033 conn->hchan = hchan;
1da177e4 1034
73d80deb 1035 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1036
acd7d370
VT		 1037 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1038 conn->mtu = hcon->hdev->le_mtu;
1039 else
1040 conn->mtu = hcon->hdev->acl_mtu;
1041
1da177e4
LT		 1042 conn->src = &hcon->hdev->bdaddr;
1043 conn->dst = &hcon->dst;
1044
4e8402a3
MH		 1045 conn->feat_mask = 0;
1046
1da177e4 1047 spin_lock_init(&conn->lock);
3df91ea2 1048 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1049
1050 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1051
5d3de7df 1052 if (hcon->type == LE_LINK)
6c9d42a1 1053 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1054 else
030013d8 1055 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1056
9f5a0d7b 1057 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1058
1da177e4
LT		 1059 return conn;
1060}
1061
1da177e4 1062/* ---- Socket interface ---- */
1da177e4
LT		 1063
1064/* Find socket with psm and source bdaddr.
1065 * Returns closest match.
1066 */
23691d75 1067static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4 1068{
23691d75 1069 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1070
23691d75 1071 read_lock(&chan_list_lock);
e0f0cb56 1072
23691d75
GP		 1073 list_for_each_entry(c, &chan_list, global_l) {
1074 struct sock *sk = c->sk;
fe4128e0 1075
89bc500e 1076 if (state && c->state != state)
1da177e4
LT		 1077 continue;
1078
23691d75 1079 if (c->psm == psm) {
1da177e4 1080 /* Exact match. */
23691d75 1081 if (!bacmp(&bt_sk(sk)->src, src)) {
a7567b20 1082 read_unlock(&chan_list_lock);
23691d75
GP		 1083 return c;
1084 }
1da177e4
LT		 1085
1086 /* Closest match */
1087 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 1088 c1 = c;
1da177e4
LT		 1089 }
1090 }
1da177e4 1091
23691d75 1092 read_unlock(&chan_list_lock);
e0f0cb56 1093
23691d75 1094 return c1;
1da177e4
LT		 1095}
1096
cbe8fed4 1097int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid, bdaddr_t *dst)
1da177e4 1098{
5d41ce1d 1099 struct sock *sk = chan->sk;
1da177e4 1100 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1101 struct l2cap_conn *conn;
1102 struct hci_conn *hcon;
1103 struct hci_dev *hdev;
09ab6f4c 1104 __u8 auth_type;
44d0e48e 1105 int err;
1da177e4 1106
f29972de 1107 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
fe4128e0 1108 chan->psm);
1da177e4 1109
af05b30b
GP		 1110 hdev = hci_get_route(dst, src);
1111 if (!hdev)
1da177e4
LT		 1112 return -EHOSTUNREACH;
1113
09fd0de5 1114 hci_dev_lock(hdev);
1da177e4 1115
03a00194
GP		 1116 lock_sock(sk);
1117
1118 /* PSM must be odd and lsb of upper byte must be 0 */
1119 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1120 chan->chan_type != L2CAP_CHAN_RAW) {
1121 err = -EINVAL;
1122 goto done;
1123 }
1124
1125 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1126 err = -EINVAL;
1127 goto done;
1128 }
1129
1130 switch (chan->mode) {
1131 case L2CAP_MODE_BASIC:
1132 break;
1133 case L2CAP_MODE_ERTM:
1134 case L2CAP_MODE_STREAMING:
1135 if (!disable_ertm)
1136 break;
1137 /* fall through */
1138 default:
1139 err = -ENOTSUPP;
1140 goto done;
1141 }
1142
1143 switch (sk->sk_state) {
1144 case BT_CONNECT:
1145 case BT_CONNECT2:
1146 case BT_CONFIG:
1147 /* Already connecting */
1148 err = 0;
1149 goto done;
1150
1151 case BT_CONNECTED:
1152 /* Already connected */
1153 err = -EISCONN;
1154 goto done;
1155
1156 case BT_OPEN:
1157 case BT_BOUND:
1158 /* Can connect */
1159 break;
1160
1161 default:
1162 err = -EBADFD;
1163 goto done;
1164 }
1165
1166 /* Set destination address and psm */
9219b2a0 1167 bacpy(&bt_sk(sk)->dst, dst);
03a00194
GP		 1168 chan->psm = psm;
1169 chan->dcid = cid;
1da177e4 1170
4343478f 1171 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1172
fe4128e0 1173 if (chan->dcid == L2CAP_CID_LE_DATA)
acd7d370 1174 hcon = hci_connect(hdev, LE_LINK, dst,
4343478f 1175 chan->sec_level, auth_type);
acd7d370
VT		 1176 else
1177 hcon = hci_connect(hdev, ACL_LINK, dst,
4343478f 1178 chan->sec_level, auth_type);
acd7d370 1179
30e76272
VT		 1180 if (IS_ERR(hcon)) {
1181 err = PTR_ERR(hcon);
1da177e4 1182 goto done;
30e76272 1183 }
1da177e4
LT		 1184
1185 conn = l2cap_conn_add(hcon, 0);
1186 if (!conn) {
1187 hci_conn_put(hcon);
30e76272 1188 err = -ENOMEM;
1da177e4
LT		 1189 goto done;
1190 }
1191
1da177e4
LT		 1192 /* Update source addr of the socket */
1193 bacpy(src, conn->src);
1194
48454079
GP		 1195 l2cap_chan_add(conn, chan);
1196
89bc500e 1197 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1198 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1199
1200 if (hcon->state == BT_CONNECTED) {
715ec005 1201 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1202 __clear_chan_timer(chan);
d45fc423 1203 if (l2cap_chan_check_security(chan))
89bc500e 1204 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1205 } else
fc7f8a7e 1206 l2cap_do_start(chan);
1da177e4
LT		 1207 }
1208
30e76272
VT		 1209 err = 0;
1210
1da177e4 1211done:
09fd0de5 1212 hci_dev_unlock(hdev);
1da177e4
LT		 1213 hci_dev_put(hdev);
1214 return err;
1215}
1216
dcba0dba 1217int __l2cap_wait_ack(struct sock *sk)
6161c038 1218{
8c1d787b 1219 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1220 DECLARE_WAITQUEUE(wait, current);
1221 int err = 0;
1222 int timeo = HZ/5;
1223
2b0b05dd 1224 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1225 set_current_state(TASK_INTERRUPTIBLE);
1226 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1227 if (!timeo)
1228 timeo = HZ/5;
1229
1230 if (signal_pending(current)) {
1231 err = sock_intr_errno(timeo);
1232 break;
1233 }
1234
1235 release_sock(sk);
1236 timeo = schedule_timeout(timeo);
1237 lock_sock(sk);
a71a0cf4 1238 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1239
1240 err = sock_error(sk);
1241 if (err)
1242 break;
1243 }
1244 set_current_state(TASK_RUNNING);
2b0b05dd 1245 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1246 return err;
1247}
1248
721c4181 1249static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1250{
721c4181
GP		 1251 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1252 monitor_timer.work);
525cd185 1253 struct sock *sk = chan->sk;
e90bac06 1254
525cd185 1255 BT_DBG("chan %p", chan);
0e98958d 1256
721c4181 1257 lock_sock(sk);
2c03a7a4 1258 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1259 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
721c4181 1260 release_sock(sk);
e90bac06
GP		 1261 return;
1262 }
1263
6a026610 1264 chan->retry_count++;
1a09bcb9 1265 __set_monitor_timer(chan);
e90bac06 1266
525cd185 1267 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
721c4181 1268 release_sock(sk);
e90bac06
GP		 1269}
1270
721c4181 1271static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1272{
721c4181
GP		 1273 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1274 retrans_timer.work);
525cd185 1275 struct sock *sk = chan->sk;
e90bac06 1276
49208c9c 1277 BT_DBG("chan %p", chan);
0e98958d 1278
721c4181 1279 lock_sock(sk);
6a026610 1280 chan->retry_count = 1;
1a09bcb9 1281 __set_monitor_timer(chan);
e90bac06 1282
e2ab4353 1283 set_bit(CONN_WAIT_F, &chan->conn_state);
e90bac06 1284
525cd185 1285 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
721c4181 1286 release_sock(sk);
e90bac06
GP		 1287}
1288
42e5c802 1289static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1da177e4 1290{
1c2acffb 1291 struct sk_buff *skb;
1da177e4 1292
58d35f87 1293 while ((skb = skb_peek(&chan->tx_q)) &&
6a026610 1294 chan->unacked_frames) {
42e5c802 1295 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1c2acffb 1296 break;
1da177e4 1297
58d35f87 1298 skb = skb_dequeue(&chan->tx_q);
1c2acffb 1299 kfree_skb(skb);
1da177e4 1300
6a026610 1301 chan->unacked_frames--;
1c2acffb 1302 }
1da177e4 1303
6a026610 1304 if (!chan->unacked_frames)
1a09bcb9 1305 __clear_retrans_timer(chan);
1c2acffb 1306}
1da177e4 1307
67c9e840 1308static void l2cap_streaming_send(struct l2cap_chan *chan)
6840ed07 1309{
ccbb84af 1310 struct sk_buff *skb;
88843ab0
AE		 1311 u32 control;
1312 u16 fcs;
6840ed07 1313
58d35f87 1314 while ((skb = skb_dequeue(&chan->tx_q))) {
88843ab0 1315 control = __get_control(chan, skb->data + L2CAP_HDR_SIZE);
fb45de7d 1316 control |= __set_txseq(chan, chan->next_tx_seq);
88843ab0 1317 __put_control(chan, control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1318
47d1ec61 1319 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1320 fcs = crc16(0, (u8 *)skb->data,
1321 skb->len - L2CAP_FCS_SIZE);
1322 put_unaligned_le16(fcs,
1323 skb->data + skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 1324 }
1325
4343478f 1326 l2cap_do_send(chan, skb);
6840ed07 1327
836be934 1328 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
6840ed07 1329 }
6840ed07
GP		 1330}
1331
fb45de7d 1332static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 1333{
8f17154f 1334 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1335 u16 fcs;
1336 u32 control;
8f17154f 1337
58d35f87 1338 skb = skb_peek(&chan->tx_q);
f11d676d
GP		 1339 if (!skb)
1340 return;
8f17154f 1341
d1726b6d 1342 while (bt_cb(skb)->tx_seq != tx_seq) {
58d35f87 1343 if (skb_queue_is_last(&chan->tx_q, skb))
f11d676d 1344 return;
8f17154f 1345
d1726b6d
SJ		 1346 skb = skb_queue_next(&chan->tx_q, skb);
1347 }
8f17154f 1348
2c03a7a4
GP		 1349 if (chan->remote_max_tx &&
1350 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1351 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
f11d676d
GP		 1352 return;
1353 }
1354
1355 tx_skb = skb_clone(skb, GFP_ATOMIC);
1356 bt_cb(skb)->retries++;
88843ab0
AE		 1357
1358 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1359 control &= __get_sar_mask(chan);
3cb123d1 1360
e2ab4353 1361 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1362 control |= __set_ctrl_final(chan);
95ffa978 1363
0b209fae 1364 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1365 control |= __set_txseq(chan, tx_seq);
3cb123d1 1366
88843ab0 1367 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
f11d676d 1368
47d1ec61 1369 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1370 fcs = crc16(0, (u8 *)tx_skb->data,
1371 tx_skb->len - L2CAP_FCS_SIZE);
1372 put_unaligned_le16(fcs,
1373 tx_skb->data + tx_skb->len - L2CAP_FCS_SIZE);
f11d676d
GP		 1374 }
1375
4343478f 1376 l2cap_do_send(chan, tx_skb);
8f17154f
GP		 1377}
1378
67c9e840 1379static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1380{
1381 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1382 u16 fcs;
1383 u32 control;
9a9c6a34 1384 int nsent = 0;
1c2acffb 1385
89bc500e 1386 if (chan->state != BT_CONNECTED)
c13ffa62 1387 return -ENOTCONN;
e90bac06 1388
58d35f87 1389 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1c2acffb 1390
2c03a7a4
GP		 1391 if (chan->remote_max_tx &&
1392 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1393 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
e90bac06
GP		 1394 break;
1395 }
1396
e420aba3
AE		 1397 tx_skb = skb_clone(skb, GFP_ATOMIC);
1398
e90bac06
GP		 1399 bt_cb(skb)->retries++;
1400
88843ab0 1401 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1402 control &= __get_sar_mask(chan);
95ffa978 1403
e2ab4353 1404 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1405 control |= __set_ctrl_final(chan);
e2ab4353 1406
0b209fae 1407 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1408 control |= __set_txseq(chan, chan->next_tx_seq);
1c2acffb 1409
88843ab0 1410 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
e90bac06 1411
47d1ec61 1412 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1413 fcs = crc16(0, (u8 *)skb->data,
1414 tx_skb->len - L2CAP_FCS_SIZE);
1415 put_unaligned_le16(fcs, skb->data +
1416 tx_skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 1417 }
1418
4343478f 1419 l2cap_do_send(chan, tx_skb);
9a9c6a34 1420
1a09bcb9 1421 __set_retrans_timer(chan);
1c2acffb 1422
42e5c802 1423 bt_cb(skb)->tx_seq = chan->next_tx_seq;
836be934
AE		 1424
1425 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1c2acffb 1426
8ed7a0ae 1427 if (bt_cb(skb)->retries == 1) {
6a026610 1428 chan->unacked_frames++;
930fa4ae
SJ		 1429
1430 if (!nsent++)
1431 __clear_ack_timer(chan);
8ed7a0ae 1432 }
23e9fde2 1433
6a026610 1434 chan->frames_sent++;
1c2acffb 1435
58d35f87
GP		 1436 if (skb_queue_is_last(&chan->tx_q, skb))
1437 chan->tx_send_head = NULL;
1c2acffb 1438 else
58d35f87 1439 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1c2acffb
GP		 1440 }
1441
9e917af1
GP		 1442 return nsent;
1443}
1444
525cd185 1445static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1446{
dfc909be
GP		 1447 int ret;
1448
58d35f87
GP		 1449 if (!skb_queue_empty(&chan->tx_q))
1450 chan->tx_send_head = chan->tx_q.next;
dfc909be 1451
42e5c802 1452 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1453 ret = l2cap_ertm_send(chan);
dfc909be
GP		 1454 return ret;
1455}
1456
b17e73bb 1457static void __l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1458{
88843ab0 1459 u32 control = 0;
9e917af1 1460
0b209fae 1461 control |= __set_reqseq(chan, chan->buffer_seq);
9e917af1 1462
e2ab4353 1463 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 1464 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 1465 set_bit(CONN_RNR_SENT, &chan->conn_state);
525cd185 1466 l2cap_send_sframe(chan, control);
9a9c6a34 1467 return;
9e917af1 1468 }
dfc909be 1469
525cd185 1470 if (l2cap_ertm_send(chan) > 0)
dfc909be
GP		 1471 return;
1472
ab784b73 1473 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 1474 l2cap_send_sframe(chan, control);
1c2acffb
GP		 1475}
1476
b17e73bb
SJ		 1477static void l2cap_send_ack(struct l2cap_chan *chan)
1478{
1479 __clear_ack_timer(chan);
1480 __l2cap_send_ack(chan);
1481}
1482
525cd185 1483static void l2cap_send_srejtail(struct l2cap_chan *chan)
99b0d4b7
GP		 1484{
1485 struct srej_list *tail;
88843ab0 1486 u32 control;
99b0d4b7 1487
ab784b73 1488 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
03f6715d 1489 control |= __set_ctrl_final(chan);
99b0d4b7 1490
39d5a3ee 1491 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
0b209fae 1492 control |= __set_reqseq(chan, tail->tx_seq);
99b0d4b7 1493
525cd185 1494 l2cap_send_sframe(chan, control);
99b0d4b7
GP		 1495}
1496
0952a57a 1497static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1c2acffb 1498{
0952a57a 1499 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1500 struct sk_buff **frag;
1501 int err, sent = 0;
1da177e4 1502
59203a21 1503 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1504 return -EFAULT;
1da177e4
LT		 1505
1506 sent += count;
1507 len -= count;
1508
1509 /* Continuation fragments (no L2CAP header) */
1510 frag = &skb_shinfo(skb)->frag_list;
1511 while (len) {
1512 count = min_t(unsigned int, conn->mtu, len);
1513
2f7719ce
AE		 1514 *frag = chan->ops->alloc_skb(chan, count,
1515 msg->msg_flags & MSG_DONTWAIT, &err);
1516
1da177e4 1517 if (!*frag)
0175d629 1518 return err;
1c2acffb
GP		 1519 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1520 return -EFAULT;
1da177e4 1521
5e59b791
LAD		 1522 (*frag)->priority = skb->priority;
1523
1da177e4
LT		 1524 sent += count;
1525 len -= count;
1526
1527 frag = &(*frag)->next;
1528 }
1da177e4
LT		 1529
1530 return sent;
1c2acffb 1531}
1da177e4 1532
5e59b791
LAD		 1533static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
1534 struct msghdr *msg, size_t len,
1535 u32 priority)
1c2acffb 1536{
8c1d787b 1537 struct l2cap_conn *conn = chan->conn;
1c2acffb 1538 struct sk_buff *skb;
03a51213 1539 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 1540 struct l2cap_hdr *lh;
1541
6d5922b0 1542 BT_DBG("chan %p len %d priority %u", chan, (int)len, priority);
1c2acffb
GP		 1543
1544 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1545
1546 skb = chan->ops->alloc_skb(chan, count + hlen,
1547 msg->msg_flags & MSG_DONTWAIT, &err);
1548
1c2acffb 1549 if (!skb)
0175d629 1550 return ERR_PTR(err);
1c2acffb 1551
5e59b791
LAD		 1552 skb->priority = priority;
1553
1c2acffb
GP		 1554 /* Create L2CAP header */
1555 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1556 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1557 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
fe4128e0 1558 put_unaligned_le16(chan->psm, skb_put(skb, 2));
1c2acffb 1559
0952a57a 1560 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1561 if (unlikely(err < 0)) {
1562 kfree_skb(skb);
1563 return ERR_PTR(err);
1564 }
1565 return skb;
1566}
1567
5e59b791
LAD		 1568static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
1569 struct msghdr *msg, size_t len,
1570 u32 priority)
1c2acffb 1571{
8c1d787b 1572 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1573 struct sk_buff *skb;
1574 int err, count, hlen = L2CAP_HDR_SIZE;
1575 struct l2cap_hdr *lh;
1576
6d5922b0 1577 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb
GP		 1578
1579 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1580
1581 skb = chan->ops->alloc_skb(chan, count + hlen,
1582 msg->msg_flags & MSG_DONTWAIT, &err);
1583
1c2acffb 1584 if (!skb)
0175d629 1585 return ERR_PTR(err);
1c2acffb 1586
5e59b791
LAD		 1587 skb->priority = priority;
1588
1c2acffb
GP		 1589 /* Create L2CAP header */
1590 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1591 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1592 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1593
0952a57a 1594 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1595 if (unlikely(err < 0)) {
1596 kfree_skb(skb);
1597 return ERR_PTR(err);
1598 }
1599 return skb;
1600}
1601
ab0ff76d
LAD		 1602static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
1603 struct msghdr *msg, size_t len,
88843ab0 1604 u32 control, u16 sdulen)
1c2acffb 1605{
8c1d787b 1606 struct l2cap_conn *conn = chan->conn;
1c2acffb 1607 struct sk_buff *skb;
e4ca6d98 1608 int err, count, hlen;
1c2acffb
GP		 1609 struct l2cap_hdr *lh;
1610
6d5922b0 1611 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 1612
0ee0d208
GP		 1613 if (!conn)
1614 return ERR_PTR(-ENOTCONN);
1615
e4ca6d98
AE		 1616 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1617 hlen = L2CAP_EXT_HDR_SIZE;
1618 else
1619 hlen = L2CAP_ENH_HDR_SIZE;
1620
c74e560c 1621 if (sdulen)
03a51213 1622 hlen += L2CAP_SDULEN_SIZE;
c74e560c 1623
47d1ec61 1624 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1625 hlen += L2CAP_FCS_SIZE;
fcc203c3 1626
1c2acffb 1627 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1628
1629 skb = chan->ops->alloc_skb(chan, count + hlen,
1630 msg->msg_flags & MSG_DONTWAIT, &err);
1631
1c2acffb 1632 if (!skb)
0175d629 1633 return ERR_PTR(err);
1c2acffb
GP		 1634
1635 /* Create L2CAP header */
1636 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1637 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1638 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0
AE		 1639
1640 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
1641
c74e560c 1642 if (sdulen)
03a51213 1643 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 1644
0952a57a 1645 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1646 if (unlikely(err < 0)) {
1647 kfree_skb(skb);
1648 return ERR_PTR(err);
1649 }
e90bac06 1650
47d1ec61 1651 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1652 put_unaligned_le16(0, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3 1653
e90bac06 1654 bt_cb(skb)->retries = 0;
1c2acffb 1655 return skb;
1da177e4
LT		 1656}
1657
67c9e840 1658static int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
c74e560c 1659{
c74e560c
GP		 1660 struct sk_buff *skb;
1661 struct sk_buff_head sar_queue;
88843ab0 1662 u32 control;
c74e560c
GP		 1663 size_t size = 0;
1664
ff12fd64 1665 skb_queue_head_init(&sar_queue);
7e0ef6ee 1666 control = __set_ctrl_sar(chan, L2CAP_SAR_START);
47d1ec61 1667 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
c74e560c
GP		 1668 if (IS_ERR(skb))
1669 return PTR_ERR(skb);
1670
1671 __skb_queue_tail(&sar_queue, skb);
2c03a7a4
GP		 1672 len -= chan->remote_mps;
1673 size += chan->remote_mps;
c74e560c
GP		 1674
1675 while (len > 0) {
1676 size_t buflen;
1677
2c03a7a4 1678 if (len > chan->remote_mps) {
7e0ef6ee 1679 control = __set_ctrl_sar(chan, L2CAP_SAR_CONTINUE);
2c03a7a4 1680 buflen = chan->remote_mps;
c74e560c 1681 } else {
7e0ef6ee 1682 control = __set_ctrl_sar(chan, L2CAP_SAR_END);
c74e560c
GP		 1683 buflen = len;
1684 }
1685
47d1ec61 1686 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
c74e560c
GP		 1687 if (IS_ERR(skb)) {
1688 skb_queue_purge(&sar_queue);
1689 return PTR_ERR(skb);
1690 }
1691
1692 __skb_queue_tail(&sar_queue, skb);
1693 len -= buflen;
1694 size += buflen;
c74e560c 1695 }
58d35f87
GP		 1696 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
1697 if (chan->tx_send_head == NULL)
1698 chan->tx_send_head = sar_queue.next;
c74e560c
GP		 1699
1700 return size;
1701}
1702
5e59b791
LAD		 1703int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
1704 u32 priority)
9a91a04a 1705{
9a91a04a 1706 struct sk_buff *skb;
88843ab0 1707 u32 control;
9a91a04a
GP		 1708 int err;
1709
1710 /* Connectionless channel */
715ec005 1711 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 1712 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 1713 if (IS_ERR(skb))
1714 return PTR_ERR(skb);
1715
1716 l2cap_do_send(chan, skb);
1717 return len;
1718 }
1719
1720 switch (chan->mode) {
1721 case L2CAP_MODE_BASIC:
1722 /* Check outgoing MTU */
1723 if (len > chan->omtu)
1724 return -EMSGSIZE;
1725
1726 /* Create a basic PDU */
5e59b791 1727 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 1728 if (IS_ERR(skb))
1729 return PTR_ERR(skb);
1730
1731 l2cap_do_send(chan, skb);
1732 err = len;
1733 break;
1734
1735 case L2CAP_MODE_ERTM:
1736 case L2CAP_MODE_STREAMING:
1737 /* Entire SDU fits into one PDU */
1738 if (len <= chan->remote_mps) {
7e0ef6ee 1739 control = __set_ctrl_sar(chan, L2CAP_SAR_UNSEGMENTED);
9a91a04a
GP		 1740 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
1741 0);
1742 if (IS_ERR(skb))
1743 return PTR_ERR(skb);
1744
1745 __skb_queue_tail(&chan->tx_q, skb);
1746
1747 if (chan->tx_send_head == NULL)
1748 chan->tx_send_head = skb;
1749
1750 } else {
1751 /* Segment SDU into multiples PDUs */
1752 err = l2cap_sar_segment_sdu(chan, msg, len);
1753 if (err < 0)
1754 return err;
1755 }
1756
1757 if (chan->mode == L2CAP_MODE_STREAMING) {
1758 l2cap_streaming_send(chan);
1759 err = len;
1760 break;
1761 }
1762
e2ab4353
GP		 1763 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
1764 test_bit(CONN_WAIT_F, &chan->conn_state)) {
9a91a04a
GP		 1765 err = len;
1766 break;
1767 }
1768
1769 err = l2cap_ertm_send(chan);
1770 if (err >= 0)
1771 err = len;
1772
1773 break;
1774
1775 default:
1776 BT_DBG("bad state %1.1x", chan->mode);
1777 err = -EBADFD;
1778 }
1779
1780 return err;
1781}
1782
1da177e4
LT		 1783/* Copy frame to all raw sockets on that connection */
1784static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1785{
1da177e4 1786 struct sk_buff *nskb;
48454079 1787 struct l2cap_chan *chan;
1da177e4
LT		 1788
1789 BT_DBG("conn %p", conn);
1790
3df91ea2 1791 mutex_lock(&conn->chan_lock);
3d57dc68 1792
3df91ea2 1793 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 1794 struct sock *sk = chan->sk;
715ec005 1795 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 1796 continue;
1797
1798 /* Don't send frame to the socket it came from */
1799 if (skb->sk == sk)
1800 continue;
af05b30b
GP		 1801 nskb = skb_clone(skb, GFP_ATOMIC);
1802 if (!nskb)
1da177e4
LT		 1803 continue;
1804
23070494 1805 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT		 1806 kfree_skb(nskb);
1807 }
3d57dc68 1808
3df91ea2 1809 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 1810}
1811
1812/* ---- L2CAP signalling commands ---- */
1813static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1814 u8 code, u8 ident, u16 dlen, void *data)
1815{
1816 struct sk_buff *skb, **frag;
1817 struct l2cap_cmd_hdr *cmd;
1818 struct l2cap_hdr *lh;
1819 int len, count;
1820
af05b30b
GP		 1821 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1822 conn, code, ident, dlen);
1da177e4
LT		 1823
1824 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1825 count = min_t(unsigned int, conn->mtu, len);
1826
1827 skb = bt_skb_alloc(count, GFP_ATOMIC);
1828 if (!skb)
1829 return NULL;
1830
1831 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 1832 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 1833
1834 if (conn->hcon->type == LE_LINK)
1835 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
1836 else
1837 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 1838
1839 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1840 cmd->code = code;
1841 cmd->ident = ident;
aca3192c 1842 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 1843
1844 if (dlen) {
1845 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1846 memcpy(skb_put(skb, count), data, count);
1847 data += count;
1848 }
1849
1850 len -= skb->len;
1851
1852 /* Continuation fragments (no L2CAP header) */
1853 frag = &skb_shinfo(skb)->frag_list;
1854 while (len) {
1855 count = min_t(unsigned int, conn->mtu, len);
1856
1857 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1858 if (!*frag)
1859 goto fail;
1860
1861 memcpy(skb_put(*frag, count), data, count);
1862
1863 len -= count;
1864 data += count;
1865
1866 frag = &(*frag)->next;
1867 }
1868
1869 return skb;
1870
1871fail:
1872 kfree_skb(skb);
1873 return NULL;
1874}
1875
1876static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1877{
1878 struct l2cap_conf_opt *opt = *ptr;
1879 int len;
1880
1881 len = L2CAP_CONF_OPT_SIZE + opt->len;
1882 *ptr += len;
1883
1884 *type = opt->type;
1885 *olen = opt->len;
1886
1887 switch (opt->len) {
1888 case 1:
1889 *val = *((u8 *) opt->val);
1890 break;
1891
1892 case 2:
bfaaeb3e 1893 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 1894 break;
1895
1896 case 4:
bfaaeb3e 1897 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 1898 break;
1899
1900 default:
1901 *val = (unsigned long) opt->val;
1902 break;
1903 }
1904
1905 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1906 return len;
1907}
1908
1da177e4
LT		 1909static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1910{
1911 struct l2cap_conf_opt *opt = *ptr;
1912
1913 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1914
1915 opt->type = type;
1916 opt->len = len;
1917
1918 switch (len) {
1919 case 1:
1920 *((u8 *) opt->val) = val;
1921 break;
1922
1923 case 2:
4f8b691c 1924 put_unaligned_le16(val, opt->val);
1da177e4
LT		 1925 break;
1926
1927 case 4:
4f8b691c 1928 put_unaligned_le32(val, opt->val);
1da177e4
LT		 1929 break;
1930
1931 default:
1932 memcpy(opt->val, (void *) val, len);
1933 break;
1934 }
1935
1936 *ptr += L2CAP_CONF_OPT_SIZE + len;
1937}
1938
f89cef09
AE		 1939static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
1940{
1941 struct l2cap_conf_efs efs;
1942
1ec918ce 1943 switch (chan->mode) {
f89cef09
AE		 1944 case L2CAP_MODE_ERTM:
1945 efs.id = chan->local_id;
1946 efs.stype = chan->local_stype;
1947 efs.msdu = cpu_to_le16(chan->local_msdu);
1948 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
1949 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
1950 efs.flush_to = cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
1951 break;
1952
1953 case L2CAP_MODE_STREAMING:
1954 efs.id = 1;
1955 efs.stype = L2CAP_SERV_BESTEFFORT;
1956 efs.msdu = cpu_to_le16(chan->local_msdu);
1957 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
1958 efs.acc_lat = 0;
1959 efs.flush_to = 0;
1960 break;
1961
1962 default:
1963 return;
1964 }
1965
1966 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
1967 (unsigned long) &efs);
1968}
1969
721c4181 1970static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 1971{
721c4181
GP		 1972 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1973 ack_timer.work);
c1b4f43b 1974
2fb9b3d4
GP		 1975 BT_DBG("chan %p", chan);
1976
721c4181 1977 lock_sock(chan->sk);
b17e73bb 1978 __l2cap_send_ack(chan);
721c4181 1979 release_sock(chan->sk);
09bfb2ee
SJ		 1980
1981 l2cap_chan_put(chan);
c1b4f43b
GP		 1982}
1983
525cd185 1984static inline void l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 1985{
42e5c802 1986 chan->expected_ack_seq = 0;
6a026610 1987 chan->unacked_frames = 0;
42e5c802 1988 chan->buffer_seq = 0;
6a026610
GP		 1989 chan->num_acked = 0;
1990 chan->frames_sent = 0;
0565c1c2 1991
721c4181
GP		 1992 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
1993 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
1994 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 1995
f1c6775b 1996 skb_queue_head_init(&chan->srej_q);
1890d36b 1997
39d5a3ee 1998 INIT_LIST_HEAD(&chan->srej_l);
0565c1c2
GP		 1999}
2000
f2fcfcd6
GP		 2001static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2002{
2003 switch (mode) {
2004 case L2CAP_MODE_STREAMING:
2005 case L2CAP_MODE_ERTM:
2006 if (l2cap_mode_supported(mode, remote_feat_mask))
2007 return mode;
2008 /* fall through */
2009 default:
2010 return L2CAP_MODE_BASIC;
2011 }
2012}
2013
6327eb98
AE		 2014static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2015{
2016 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2017}
2018
f89cef09
AE		 2019static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2020{
2021 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2022}
2023
6327eb98
AE		 2024static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2025{
2026 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 2027 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2028 /* use extended control field */
2029 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2030 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2031 } else {
6327eb98
AE		 2032 chan->tx_win = min_t(u16, chan->tx_win,
2033 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2034 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2035 }
6327eb98
AE		 2036}
2037
710f9b0a 2038static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2039{
1da177e4 2040 struct l2cap_conf_req *req = data;
0c1bc5c6 2041 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2042 void *ptr = req->data;
c8f79162 2043 u16 size;
1da177e4 2044
49208c9c 2045 BT_DBG("chan %p", chan);
1da177e4 2046
73ffa904 2047 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2048 goto done;
2049
0c1bc5c6 2050 switch (chan->mode) {
f2fcfcd6
GP		 2051 case L2CAP_MODE_STREAMING:
2052 case L2CAP_MODE_ERTM:
c1360a1c 2053 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2054 break;
85eb53c6 2055
f89cef09
AE		 2056 if (__l2cap_efs_supported(chan))
2057 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2058
2ba13ed6 2059 /* fall through */
f2fcfcd6 2060 default:
8c1d787b 2061 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2062 break;
2063 }
2064
2065done:
0c1bc5c6
GP		 2066 if (chan->imtu != L2CAP_DEFAULT_MTU)
2067 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2068
0c1bc5c6 2069 switch (chan->mode) {
65c7c491 2070 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2071 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2072 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2073 break;
2074
62547752
GP		 2075 rfc.mode = L2CAP_MODE_BASIC;
2076 rfc.txwin_size = 0;
2077 rfc.max_transmit = 0;
2078 rfc.retrans_timeout = 0;
2079 rfc.monitor_timeout = 0;
2080 rfc.max_pdu_size = 0;
2081
63406504
GP		 2082 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2083 (unsigned long) &rfc);
65c7c491
MH		 2084 break;
2085
2086 case L2CAP_MODE_ERTM:
2087 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2088 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2089 rfc.retrans_timeout = 0;
2090 rfc.monitor_timeout = 0;
c8f79162
AE		 2091
2092 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2093 L2CAP_EXT_HDR_SIZE -
2094 L2CAP_SDULEN_SIZE -
2095 L2CAP_FCS_SIZE);
2096 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2097
6327eb98
AE		 2098 l2cap_txwin_setup(chan);
2099
2100 rfc.txwin_size = min_t(u16, chan->tx_win,
2101 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2102
63406504
GP		 2103 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2104 (unsigned long) &rfc);
2105
f89cef09
AE		 2106 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2107 l2cap_add_opt_efs(&ptr, chan);
2108
8c1d787b 2109 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2110 break;
2111
47d1ec61 2112 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2113 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2114 chan->fcs = L2CAP_FCS_NONE;
2115 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2116 }
6327eb98
AE		 2117
2118 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2119 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2120 chan->tx_win);
f2fcfcd6
GP		 2121 break;
2122
2123 case L2CAP_MODE_STREAMING:
2124 rfc.mode = L2CAP_MODE_STREAMING;
2125 rfc.txwin_size = 0;
2126 rfc.max_transmit = 0;
2127 rfc.retrans_timeout = 0;
2128 rfc.monitor_timeout = 0;
c8f79162
AE		 2129
2130 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2131 L2CAP_EXT_HDR_SIZE -
2132 L2CAP_SDULEN_SIZE -
2133 L2CAP_FCS_SIZE);
2134 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2135
63406504
GP		 2136 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2137 (unsigned long) &rfc);
2138
f89cef09
AE		 2139 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2140 l2cap_add_opt_efs(&ptr, chan);
2141
8c1d787b 2142 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2143 break;
2144
47d1ec61 2145 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2146 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2147 chan->fcs = L2CAP_FCS_NONE;
2148 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2149 }
65c7c491
MH		 2150 break;
2151 }
1da177e4 2152
fe4128e0 2153 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 2154 req->flags = cpu_to_le16(0);
1da177e4
LT		 2155
2156 return ptr - data;
2157}
2158
73ffa904 2159static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2160{
5dee9e7c
MH		 2161 struct l2cap_conf_rsp *rsp = data;
2162 void *ptr = rsp->data;
73ffa904
GP		 2163 void *req = chan->conf_req;
2164 int len = chan->conf_len;
5dee9e7c
MH		 2165 int type, hint, olen;
2166 unsigned long val;
6464f35f 2167 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2168 struct l2cap_conf_efs efs;
2169 u8 remote_efs = 0;
861d6882 2170 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2171 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2172 u16 size;
1da177e4 2173
73ffa904 2174 BT_DBG("chan %p", chan);
820ae1b8 2175
5dee9e7c
MH		 2176 while (len >= L2CAP_CONF_OPT_SIZE) {
2177 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2178
589d2746 2179 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2180 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2181
2182 switch (type) {
2183 case L2CAP_CONF_MTU:
861d6882 2184 mtu = val;
5dee9e7c
MH		 2185 break;
2186
2187 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2188 chan->flush_to = val;
5dee9e7c
MH		 2189 break;
2190
2191 case L2CAP_CONF_QOS:
2192 break;
2193
6464f35f
MH		 2194 case L2CAP_CONF_RFC:
2195 if (olen == sizeof(rfc))
2196 memcpy(&rfc, (void *) val, olen);
2197 break;
2198
fcc203c3
GP		 2199 case L2CAP_CONF_FCS:
2200 if (val == L2CAP_FCS_NONE)
c1360a1c 2201 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 2202 break;
fcc203c3 2203
42dceae2
AE		 2204 case L2CAP_CONF_EFS:
2205 remote_efs = 1;
2206 if (olen == sizeof(efs))
2207 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 2208 break;
2209
6327eb98
AE		 2210 case L2CAP_CONF_EWS:
2211 if (!enable_hs)
2212 return -ECONNREFUSED;
fcc203c3 2213
6327eb98
AE		 2214 set_bit(FLAG_EXT_CTRL, &chan->flags);
2215 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 2216 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 2217 chan->remote_tx_win = val;
fcc203c3
GP		 2218 break;
2219
5dee9e7c
MH		 2220 default:
2221 if (hint)
2222 break;
2223
2224 result = L2CAP_CONF_UNKNOWN;
2225 *((u8 *) ptr++) = type;
2226 break;
2227 }
2228 }
2229
73ffa904 2230 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2231 goto done;
2232
0c1bc5c6 2233 switch (chan->mode) {
f2fcfcd6
GP		 2234 case L2CAP_MODE_STREAMING:
2235 case L2CAP_MODE_ERTM:
c1360a1c 2236 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2237 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2238 chan->conn->feat_mask);
85eb53c6
GP		 2239 break;
2240 }
2241
42dceae2
AE		 2242 if (remote_efs) {
2243 if (__l2cap_efs_supported(chan))
2244 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2245 else
2246 return -ECONNREFUSED;
2247 }
2248
0c1bc5c6 2249 if (chan->mode != rfc.mode)
f2fcfcd6 2250 return -ECONNREFUSED;
742e519b 2251
f2fcfcd6 2252 break;
f2fcfcd6
GP		 2253 }
2254
2255done:
0c1bc5c6 2256 if (chan->mode != rfc.mode) {
f2fcfcd6 2257 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2258 rfc.mode = chan->mode;
f2fcfcd6 2259
73ffa904 2260 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2261 return -ECONNREFUSED;
2262
2263 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2264 sizeof(rfc), (unsigned long) &rfc);
2265 }
2266
5dee9e7c
MH		 2267 if (result == L2CAP_CONF_SUCCESS) {
2268 /* Configure output options and let the other side know
2269 * which ones we don't like. */
2270
f2fcfcd6
GP		 2271 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2272 result = L2CAP_CONF_UNACCEPT;
2273 else {
0c1bc5c6 2274 chan->omtu = mtu;
c1360a1c 2275 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 2276 }
0c1bc5c6 2277 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2278
42dceae2
AE		 2279 if (remote_efs) {
2280 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2281 efs.stype != L2CAP_SERV_NOTRAFIC &&
2282 efs.stype != chan->local_stype) {
2283
2284 result = L2CAP_CONF_UNACCEPT;
2285
2286 if (chan->num_conf_req >= 1)
2287 return -ECONNREFUSED;
2288
2289 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 2290 sizeof(efs),
42dceae2 2291 (unsigned long) &efs);
0e8b207e 2292 } else {
3e6b3b95 2293 /* Send PENDING Conf Rsp */
0e8b207e
AE		 2294 result = L2CAP_CONF_PENDING;
2295 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 2296 }
2297 }
2298
f2fcfcd6
GP		 2299 switch (rfc.mode) {
2300 case L2CAP_MODE_BASIC:
47d1ec61 2301 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2302 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 2303 break;
2304
2305 case L2CAP_MODE_ERTM:
6327eb98
AE		 2306 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
2307 chan->remote_tx_win = rfc.txwin_size;
2308 else
2309 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 2310
2c03a7a4 2311 chan->remote_max_tx = rfc.max_transmit;
1c762159 2312
c8f79162
AE		 2313 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2314 chan->conn->mtu -
2315 L2CAP_EXT_HDR_SIZE -
2316 L2CAP_SDULEN_SIZE -
2317 L2CAP_FCS_SIZE);
2318 rfc.max_pdu_size = cpu_to_le16(size);
2319 chan->remote_mps = size;
f2fcfcd6 2320
10467e9e
GP		 2321 rfc.retrans_timeout =
2322 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2323 rfc.monitor_timeout =
2324 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2325
c1360a1c 2326 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2327
2328 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2329 sizeof(rfc), (unsigned long) &rfc);
2330
42dceae2
AE		 2331 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2332 chan->remote_id = efs.id;
2333 chan->remote_stype = efs.stype;
2334 chan->remote_msdu = le16_to_cpu(efs.msdu);
2335 chan->remote_flush_to =
2336 le32_to_cpu(efs.flush_to);
2337 chan->remote_acc_lat =
2338 le32_to_cpu(efs.acc_lat);
2339 chan->remote_sdu_itime =
2340 le32_to_cpu(efs.sdu_itime);
2341 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2342 sizeof(efs), (unsigned long) &efs);
2343 }
f2fcfcd6
GP		 2344 break;
2345
2346 case L2CAP_MODE_STREAMING:
c8f79162
AE		 2347 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2348 chan->conn->mtu -
2349 L2CAP_EXT_HDR_SIZE -
2350 L2CAP_SDULEN_SIZE -
2351 L2CAP_FCS_SIZE);
2352 rfc.max_pdu_size = cpu_to_le16(size);
2353 chan->remote_mps = size;
f2fcfcd6 2354
c1360a1c 2355 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2356
2357 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2358 sizeof(rfc), (unsigned long) &rfc);
2359
f2fcfcd6
GP		 2360 break;
2361
2362 default:
5dee9e7c 2363 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2364
6464f35f 2365 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2366 rfc.mode = chan->mode;
f2fcfcd6 2367 }
6464f35f 2368
f2fcfcd6 2369 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 2370 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 2371 }
fe4128e0 2372 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2373 rsp->result = cpu_to_le16(result);
2374 rsp->flags = cpu_to_le16(0x0000);
2375
2376 return ptr - data;
1da177e4
LT		 2377}
2378
b4450035 2379static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2380{
f2fcfcd6
GP		 2381 struct l2cap_conf_req *req = data;
2382 void *ptr = req->data;
2383 int type, olen;
2384 unsigned long val;
36e999a8 2385 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 2386 struct l2cap_conf_efs efs;
f2fcfcd6 2387
fe4128e0 2388 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 2389
2390 while (len >= L2CAP_CONF_OPT_SIZE) {
2391 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2392
2393 switch (type) {
2394 case L2CAP_CONF_MTU:
2395 if (val < L2CAP_DEFAULT_MIN_MTU) {
2396 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2397 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2398 } else
0c1bc5c6
GP		 2399 chan->imtu = val;
2400 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 2401 break;
2402
2403 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2404 chan->flush_to = val;
f2fcfcd6 2405 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 2406 2, chan->flush_to);
f2fcfcd6
GP		 2407 break;
2408
2409 case L2CAP_CONF_RFC:
2410 if (olen == sizeof(rfc))
2411 memcpy(&rfc, (void *)val, olen);
2412
c1360a1c 2413 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 2414 rfc.mode != chan->mode)
f2fcfcd6
GP		 2415 return -ECONNREFUSED;
2416
47d1ec61 2417 chan->fcs = 0;
f2fcfcd6
GP		 2418
2419 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2420 sizeof(rfc), (unsigned long) &rfc);
2421 break;
6327eb98
AE		 2422
2423 case L2CAP_CONF_EWS:
2424 chan->tx_win = min_t(u16, val,
2425 L2CAP_DEFAULT_EXT_WINDOW);
3e6b3b95
GP		 2426 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2427 chan->tx_win);
6327eb98 2428 break;
66af7aaf
AE		 2429
2430 case L2CAP_CONF_EFS:
2431 if (olen == sizeof(efs))
2432 memcpy(&efs, (void *)val, olen);
2433
2434 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2435 efs.stype != L2CAP_SERV_NOTRAFIC &&
2436 efs.stype != chan->local_stype)
2437 return -ECONNREFUSED;
2438
2439 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2440 sizeof(efs), (unsigned long) &efs);
2441 break;
f2fcfcd6
GP		 2442 }
2443 }
2444
0c1bc5c6 2445 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 2446 return -ECONNREFUSED;
2447
0c1bc5c6 2448 chan->mode = rfc.mode;
6c2ea7a8 2449
0e8b207e 2450 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 2451 switch (rfc.mode) {
2452 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2453 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2454 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2455 chan->mps = le16_to_cpu(rfc.max_pdu_size);
66af7aaf
AE		 2456
2457 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2458 chan->local_msdu = le16_to_cpu(efs.msdu);
2459 chan->local_sdu_itime =
2460 le32_to_cpu(efs.sdu_itime);
2461 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
2462 chan->local_flush_to =
2463 le32_to_cpu(efs.flush_to);
2464 }
f2fcfcd6 2465 break;
66af7aaf 2466
f2fcfcd6 2467 case L2CAP_MODE_STREAMING:
47d1ec61 2468 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2469 }
2470 }
2471
fe4128e0 2472 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 2473 req->flags = cpu_to_le16(0x0000);
2474
2475 return ptr - data;
2476}
2477
fe4128e0 2478static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 2479{
2480 struct l2cap_conf_rsp *rsp = data;
2481 void *ptr = rsp->data;
1da177e4 2482
fe4128e0 2483 BT_DBG("chan %p", chan);
1da177e4 2484
fe4128e0 2485 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 2486 rsp->result = cpu_to_le16(result);
aca3192c 2487 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2488
2489 return ptr - data;
2490}
2491
8c1d787b 2492void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 2493{
2494 struct l2cap_conn_rsp rsp;
8c1d787b 2495 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 2496 u8 buf[128];
2497
fe4128e0
GP		 2498 rsp.scid = cpu_to_le16(chan->dcid);
2499 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 2500 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2501 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2502 l2cap_send_cmd(conn, chan->ident,
2503 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2504
c1360a1c 2505 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 2506 return;
2507
710f9b0a
GP		 2508 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2509 l2cap_build_conf_req(chan, buf), buf);
2510 chan->num_conf_req++;
2511}
2512
47d1ec61 2513static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 2514{
7b1c0049
GP		 2515 int type, olen;
2516 unsigned long val;
2517 struct l2cap_conf_rfc rfc;
2518
47d1ec61 2519 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 2520
0c1bc5c6 2521 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 2522 return;
2523
2524 while (len >= L2CAP_CONF_OPT_SIZE) {
2525 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2526
2527 switch (type) {
2528 case L2CAP_CONF_RFC:
2529 if (olen == sizeof(rfc))
2530 memcpy(&rfc, (void *)val, olen);
2531 goto done;
2532 }
2533 }
2534
36e999a8
MM		 2535 /* Use sane default values in case a misbehaving remote device
2536 * did not send an RFC option.
2537 */
2538 rfc.mode = chan->mode;
2539 rfc.retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
2540 rfc.monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
2541 rfc.max_pdu_size = cpu_to_le16(chan->imtu);
2542
2543 BT_ERR("Expected RFC option was not found, using defaults");
2544
7b1c0049
GP		 2545done:
2546 switch (rfc.mode) {
2547 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2548 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2549 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2550 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2551 break;
2552 case L2CAP_MODE_STREAMING:
47d1ec61 2553 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2554 }
2555}
2556
4e8402a3
MH		 2557static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2558{
e2fd318e 2559 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 2560
e2fd318e 2561 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 2562 return 0;
2563
2564 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2565 cmd->ident == conn->info_ident) {
17cd3f37 2566 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 2567
2568 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2569 conn->info_ident = 0;
984947dc 2570
4e8402a3
MH		 2571 l2cap_conn_start(conn);
2572 }
2573
2574 return 0;
2575}
2576
1da177e4
LT		 2577static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2578{
1da177e4
LT		 2579 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2580 struct l2cap_conn_rsp rsp;
23691d75 2581 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 2582 struct sock *parent, *sk = NULL;
e7c29cb1 2583 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2584
2585 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2586 __le16 psm = req->psm;
1da177e4
LT		 2587
2588 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2589
2590 /* Check if we have socket listening on psm */
23691d75
GP		 2591 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
2592 if (!pchan) {
1da177e4
LT		 2593 result = L2CAP_CR_BAD_PSM;
2594 goto sendresp;
2595 }
2596
23691d75
GP		 2597 parent = pchan->sk;
2598
3df91ea2 2599 mutex_lock(&conn->chan_lock);
aa2ac881 2600 lock_sock(parent);
e0f0cb56 2601
e7c29cb1
MH		 2602 /* Check if the ACL is secure enough (if not SDP) */
2603 if (psm != cpu_to_le16(0x0001) &&
2604 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 2605 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 2606 result = L2CAP_CR_SEC_BLOCK;
2607 goto response;
2608 }
2609
1da177e4
LT		 2610 result = L2CAP_CR_NO_MEM;
2611
2612 /* Check for backlog size */
2613 if (sk_acceptq_is_full(parent)) {
8e87d142 2614 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2615 goto response;
2616 }
2617
80808e43
GP		 2618 chan = pchan->ops->new_connection(pchan->data);
2619 if (!chan)
1da177e4
LT		 2620 goto response;
2621
80808e43
GP		 2622 sk = chan->sk;
2623
1da177e4 2624 /* Check if we already have channel with that dcid */
baa7e1fa 2625 if (__l2cap_get_chan_by_dcid(conn, scid)) {
1da177e4 2626 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 2627 chan->ops->close(chan->data);
1da177e4
LT		 2628 goto response;
2629 }
2630
2631 hci_conn_hold(conn->hcon);
2632
1da177e4
LT		 2633 bacpy(&bt_sk(sk)->src, conn->src);
2634 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 2635 chan->psm = psm;
2636 chan->dcid = scid;
1da177e4 2637
d1010240
GP		 2638 bt_accept_enqueue(parent, sk);
2639
3d57dc68 2640 l2cap_chan_add(conn, chan);
48454079 2641
fe4128e0 2642 dcid = chan->scid;
1da177e4 2643
c9b66675 2644 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 2645
fc7f8a7e 2646 chan->ident = cmd->ident;
1da177e4 2647
984947dc 2648 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 2649 if (l2cap_chan_check_security(chan)) {
f66dc81f 2650 if (bt_sk(sk)->defer_setup) {
89bc500e 2651 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 2652 result = L2CAP_CR_PEND;
2653 status = L2CAP_CS_AUTHOR_PEND;
2654 parent->sk_data_ready(parent, 0);
2655 } else {
89bc500e 2656 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 2657 result = L2CAP_CR_SUCCESS;
2658 status = L2CAP_CS_NO_INFO;
2659 }
79d554a6 2660 } else {
89bc500e 2661 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2662 result = L2CAP_CR_PEND;
2663 status = L2CAP_CS_AUTHEN_PEND;
2664 }
2665 } else {
89bc500e 2666 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2667 result = L2CAP_CR_PEND;
2668 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2669 }
2670
1da177e4 2671response:
aa2ac881 2672 release_sock(parent);
3df91ea2 2673 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2674
2675sendresp:
aca3192c
YH		 2676 rsp.scid = cpu_to_le16(scid);
2677 rsp.dcid = cpu_to_le16(dcid);
2678 rsp.result = cpu_to_le16(result);
2679 rsp.status = cpu_to_le16(status);
1da177e4 2680 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2681
2682 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2683 struct l2cap_info_req info;
2684 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2685
2686 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2687 conn->info_ident = l2cap_get_ident(conn);
2688
030013d8 2689 schedule_delayed_work(&conn->info_timer,
79d554a6
MH		 2690 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2691
2692 l2cap_send_cmd(conn, conn->info_ident,
2693 L2CAP_INFO_REQ, sizeof(info), &info);
2694 }
2695
c1360a1c 2696 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 2697 result == L2CAP_CR_SUCCESS) {
2698 u8 buf[128];
c1360a1c 2699 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 2700 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2701 l2cap_build_conf_req(chan, buf), buf);
2702 chan->num_conf_req++;
e9aeb2dd
GP		 2703 }
2704
1da177e4
LT		 2705 return 0;
2706}
2707
2708static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2709{
2710 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2711 u16 scid, dcid, result, status;
48454079 2712 struct l2cap_chan *chan;
1da177e4
LT		 2713 struct sock *sk;
2714 u8 req[128];
3df91ea2 2715 int err;
1da177e4
LT		 2716
2717 scid = __le16_to_cpu(rsp->scid);
2718 dcid = __le16_to_cpu(rsp->dcid);
2719 result = __le16_to_cpu(rsp->result);
2720 status = __le16_to_cpu(rsp->status);
2721
1b009c98
AE		 2722 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2723 dcid, scid, result, status);
1da177e4 2724
3df91ea2
AE		 2725 mutex_lock(&conn->chan_lock);
2726
1da177e4 2727 if (scid) {
3df91ea2
AE		 2728 chan = __l2cap_get_chan_by_scid(conn, scid);
2729 if (!chan) {
2730 err = -EFAULT;
2731 goto unlock;
2732 }
1da177e4 2733 } else {
3df91ea2
AE		 2734 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
2735 if (!chan) {
2736 err = -EFAULT;
2737 goto unlock;
2738 }
1da177e4
LT		 2739 }
2740
3df91ea2
AE		 2741 err = 0;
2742
48454079 2743 sk = chan->sk;
3df91ea2 2744 lock_sock(sk);
48454079 2745
1da177e4
LT		 2746 switch (result) {
2747 case L2CAP_CR_SUCCESS:
89bc500e 2748 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 2749 chan->ident = 0;
fe4128e0 2750 chan->dcid = dcid;
c1360a1c 2751 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 2752
c1360a1c 2753 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 2754 break;
2755
1da177e4 2756 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2757 l2cap_build_conf_req(chan, req), req);
2758 chan->num_conf_req++;
1da177e4
LT		 2759 break;
2760
2761 case L2CAP_CR_PEND:
c1360a1c 2762 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 2763 break;
2764
2765 default:
48454079 2766 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 2767 break;
2768 }
2769
aa2ac881 2770 release_sock(sk);
3df91ea2
AE		 2771
2772unlock:
2773 mutex_unlock(&conn->chan_lock);
2774
2775 return err;
1da177e4
LT		 2776}
2777
47d1ec61 2778static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 2779{
2780 /* FCS is enabled only in ERTM or streaming mode, if one or both
2781 * sides request it.
2782 */
0c1bc5c6 2783 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 2784 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2785 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 2786 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 2787}
2788
88219a0f 2789static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2790{
2791 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2792 u16 dcid, flags;
2793 u8 rsp[64];
48454079 2794 struct l2cap_chan *chan;
1da177e4 2795 struct sock *sk;
5dee9e7c 2796 int len;
1da177e4
LT		 2797
2798 dcid = __le16_to_cpu(req->dcid);
2799 flags = __le16_to_cpu(req->flags);
2800
2801 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2802
baa7e1fa 2803 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2804 if (!chan)
1da177e4
LT		 2805 return -ENOENT;
2806
48454079 2807 sk = chan->sk;
3df91ea2 2808 lock_sock(sk);
48454079 2809
033b1142 2810 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 2811 struct l2cap_cmd_rej_cid rej;
2812
2813 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
2814 rej.scid = cpu_to_le16(chan->scid);
2815 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 2816
df6bd743
GP		 2817 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2818 sizeof(rej), &rej);
354f60a9 2819 goto unlock;
df6bd743 2820 }
354f60a9 2821
5dee9e7c 2822 /* Reject if config buffer is too small. */
88219a0f 2823 len = cmd_len - sizeof(*req);
7ac28817 2824 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 2825 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2826 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 2827 L2CAP_CONF_REJECT, flags), rsp);
2828 goto unlock;
2829 }
2830
2831 /* Store config. */
73ffa904
GP		 2832 memcpy(chan->conf_req + chan->conf_len, req->data, len);
2833 chan->conf_len += len;
1da177e4
LT		 2834
2835 if (flags & 0x0001) {
2836 /* Incomplete config. Send empty response. */
2837 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2838 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 2839 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2840 goto unlock;
2841 }
2842
2843 /* Complete config. */
73ffa904 2844 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 2845 if (len < 0) {
e92c8e70 2846 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 2847 goto unlock;
f2fcfcd6 2848 }
1da177e4 2849
5dee9e7c 2850 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 2851 chan->num_conf_rsp++;
5dee9e7c 2852
5dee9e7c 2853 /* Reset config buffer. */
73ffa904 2854 chan->conf_len = 0;
5dee9e7c 2855
c1360a1c 2856 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 2857 goto unlock;
2858
c1360a1c 2859 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 2860 set_default_fcs(chan);
fcc203c3 2861
89bc500e 2862 l2cap_state_change(chan, BT_CONNECTED);
e90bac06 2863
42e5c802
GP		 2864 chan->next_tx_seq = 0;
2865 chan->expected_tx_seq = 0;
58d35f87 2866 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2867 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2868 l2cap_ertm_init(chan);
0565c1c2 2869
cf4cd009 2870 l2cap_chan_ready(chan);
876d9484
MH		 2871 goto unlock;
2872 }
2873
c1360a1c 2874 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 2875 u8 buf[64];
1da177e4 2876 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2877 l2cap_build_conf_req(chan, buf), buf);
2878 chan->num_conf_req++;
1da177e4
LT		 2879 }
2880
0e8b207e
AE		 2881 /* Got Conf Rsp PENDING from remote side and asume we sent
2882 Conf Rsp PENDING in the code above */
2883 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
2884 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
2885
2886 /* check compatibility */
2887
2888 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
2889 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
2890
2891 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 2892 l2cap_build_conf_rsp(chan, rsp,
0e8b207e
AE		 2893 L2CAP_CONF_SUCCESS, 0x0000), rsp);
2894 }
2895
1da177e4 2896unlock:
aa2ac881 2897 release_sock(sk);
1da177e4
LT		 2898 return 0;
2899}
2900
2901static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2902{
2903 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2904 u16 scid, flags, result;
48454079 2905 struct l2cap_chan *chan;
1da177e4 2906 struct sock *sk;
7b1c0049 2907 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 2908
2909 scid = __le16_to_cpu(rsp->scid);
2910 flags = __le16_to_cpu(rsp->flags);
2911 result = __le16_to_cpu(rsp->result);
2912
af05b30b
GP		 2913 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2914 scid, flags, result);
1da177e4 2915
baa7e1fa 2916 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2917 if (!chan)
1da177e4
LT		 2918 return 0;
2919
48454079 2920 sk = chan->sk;
3df91ea2 2921 lock_sock(sk);
48454079 2922
1da177e4
LT		 2923 switch (result) {
2924 case L2CAP_CONF_SUCCESS:
47d1ec61 2925 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 2926 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 2927 break;
2928
0e8b207e
AE		 2929 case L2CAP_CONF_PENDING:
2930 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
2931
2932 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
2933 char buf[64];
2934
2935 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2936 buf, &result);
2937 if (len < 0) {
2938 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2939 goto done;
2940 }
2941
2942 /* check compatibility */
2943
2944 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
2945 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
2946
2947 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 2948 l2cap_build_conf_rsp(chan, buf,
0e8b207e
AE		 2949 L2CAP_CONF_SUCCESS, 0x0000), buf);
2950 }
2951 goto done;
2952
1da177e4 2953 case L2CAP_CONF_UNACCEPT:
73ffa904 2954 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 2955 char req[64];
2956
c2c77ec8 2957 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 2958 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 2959 goto done;
2960 }
2961
f2fcfcd6
GP		 2962 /* throw out any old stored conf requests */
2963 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 2964 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2965 req, &result);
f2fcfcd6 2966 if (len < 0) {
e92c8e70 2967 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 2968 goto done;
2969 }
2970
2971 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2972 L2CAP_CONF_REQ, len, req);
73ffa904 2973 chan->num_conf_req++;
f2fcfcd6
GP		 2974 if (result != L2CAP_CONF_SUCCESS)
2975 goto done;
2976 break;
1da177e4
LT		 2977 }
2978
8e87d142 2979 default:
b1235d79 2980 sk->sk_err = ECONNRESET;
b83ddfe2
AK		 2981 __set_chan_timer(chan,
2982 msecs_to_jiffies(L2CAP_DISC_REJ_TIMEOUT));
e92c8e70 2983 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 2984 goto done;
2985 }
2986
2987 if (flags & 0x01)
2988 goto done;
2989
c1360a1c 2990 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 2991
c1360a1c 2992 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 2993 set_default_fcs(chan);
fcc203c3 2994
89bc500e 2995 l2cap_state_change(chan, BT_CONNECTED);
42e5c802
GP		 2996 chan->next_tx_seq = 0;
2997 chan->expected_tx_seq = 0;
58d35f87 2998 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2999 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 3000 l2cap_ertm_init(chan);
0565c1c2 3001
cf4cd009 3002 l2cap_chan_ready(chan);
1da177e4
LT		 3003 }
3004
3005done:
aa2ac881 3006 release_sock(sk);
1da177e4
LT		 3007 return 0;
3008}
3009
3010static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3011{
3012 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3013 struct l2cap_disconn_rsp rsp;
3014 u16 dcid, scid;
48454079 3015 struct l2cap_chan *chan;
1da177e4
LT		 3016 struct sock *sk;
3017
3018 scid = __le16_to_cpu(req->scid);
3019 dcid = __le16_to_cpu(req->dcid);
3020
3021 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3022
3df91ea2
AE		 3023 mutex_lock(&conn->chan_lock);
3024
3025 chan = __l2cap_get_chan_by_scid(conn, dcid);
3026 if (!chan) {
3027 mutex_unlock(&conn->chan_lock);
1da177e4 3028 return 0;
3df91ea2 3029 }
1da177e4 3030
48454079 3031 sk = chan->sk;
3df91ea2 3032 lock_sock(sk);
48454079 3033
fe4128e0
GP		 3034 rsp.dcid = cpu_to_le16(chan->scid);
3035 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3036 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3037
3038 sk->sk_shutdown = SHUTDOWN_MASK;
3039
48454079 3040 l2cap_chan_del(chan, ECONNRESET);
aa2ac881 3041 release_sock(sk);
1da177e4 3042
ba3bd0ee 3043 chan->ops->close(chan->data);
3df91ea2
AE		 3044
3045 mutex_unlock(&conn->chan_lock);
3046
1da177e4
LT		 3047 return 0;
3048}
3049
3050static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3051{
3052 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3053 u16 dcid, scid;
48454079 3054 struct l2cap_chan *chan;
1da177e4
LT		 3055 struct sock *sk;
3056
3057 scid = __le16_to_cpu(rsp->scid);
3058 dcid = __le16_to_cpu(rsp->dcid);
3059
3060 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3061
3df91ea2
AE		 3062 mutex_lock(&conn->chan_lock);
3063
3064 chan = __l2cap_get_chan_by_scid(conn, scid);
3065 if (!chan) {
3066 mutex_unlock(&conn->chan_lock);
1da177e4 3067 return 0;
3df91ea2 3068 }
1da177e4 3069
48454079 3070 sk = chan->sk;
3df91ea2 3071 lock_sock(sk);
48454079 3072
48454079 3073 l2cap_chan_del(chan, 0);
aa2ac881 3074 release_sock(sk);
1da177e4 3075
ba3bd0ee 3076 chan->ops->close(chan->data);
3df91ea2
AE		 3077
3078 mutex_unlock(&conn->chan_lock);
3079
1da177e4
LT		 3080 return 0;
3081}
3082
3083static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3084{
3085 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3086 u16 type;
3087
3088 type = __le16_to_cpu(req->type);
3089
3090 BT_DBG("type 0x%4.4x", type);
3091
f0709e03
MH		 3092 if (type == L2CAP_IT_FEAT_MASK) {
3093 u8 buf[8];
44dd46de 3094 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 3095 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3096 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3097 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3098 if (!disable_ertm)
fcc203c3
GP		 3099 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3100 | L2CAP_FEAT_FCS;
a5fd6f30 3101 if (enable_hs)
6327eb98
AE		 3102 feat_mask |= L2CAP_FEAT_EXT_FLOW
3103 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3104
1b7bf4ed 3105 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3106 l2cap_send_cmd(conn, cmd->ident,
3107 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3108 } else if (type == L2CAP_IT_FIXED_CHAN) {
3109 u8 buf[12];
3110 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3111
3112 if (enable_hs)
3113 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3114 else
3115 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3116
e1027a7c
MH		 3117 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3118 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3119 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH		 3120 l2cap_send_cmd(conn, cmd->ident,
3121 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3122 } else {
3123 struct l2cap_info_rsp rsp;
3124 rsp.type = cpu_to_le16(type);
3125 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3126 l2cap_send_cmd(conn, cmd->ident,
3127 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3128 }
1da177e4
LT		 3129
3130 return 0;
3131}
3132
3133static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3134{
3135 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3136 u16 type, result;
3137
3138 type = __le16_to_cpu(rsp->type);
3139 result = __le16_to_cpu(rsp->result);
3140
3141 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3142
e90165be
AE		 3143 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3144 if (cmd->ident != conn->info_ident ||
3145 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3146 return 0;
3147
17cd3f37 3148 cancel_delayed_work(&conn->info_timer);
4e8402a3 3149
adb08ede
VT		 3150 if (result != L2CAP_IR_SUCCESS) {
3151 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3152 conn->info_ident = 0;
3153
3154 l2cap_conn_start(conn);
3155
3156 return 0;
3157 }
3158
984947dc 3159 if (type == L2CAP_IT_FEAT_MASK) {
83985319 3160 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3161
47ec1dcd 3162 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 3163 struct l2cap_info_req req;
3164 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3165
3166 conn->info_ident = l2cap_get_ident(conn);
3167
3168 l2cap_send_cmd(conn, conn->info_ident,
3169 L2CAP_INFO_REQ, sizeof(req), &req);
3170 } else {
3171 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3172 conn->info_ident = 0;
3173
3174 l2cap_conn_start(conn);
3175 }
3176 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 3177 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3178 conn->info_ident = 0;
984947dc
MH		 3179
3180 l2cap_conn_start(conn);
3181 }
4e8402a3 3182
1da177e4
LT		 3183 return 0;
3184}
3185
f94ff6ff
MM		 3186static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3187 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3188 void *data)
3189{
3190 struct l2cap_create_chan_req *req = data;
3191 struct l2cap_create_chan_rsp rsp;
3192 u16 psm, scid;
3193
3194 if (cmd_len != sizeof(*req))
3195 return -EPROTO;
3196
3197 if (!enable_hs)
3198 return -EINVAL;
3199
3200 psm = le16_to_cpu(req->psm);
3201 scid = le16_to_cpu(req->scid);
3202
3203 BT_DBG("psm %d, scid %d, amp_id %d", psm, scid, req->amp_id);
3204
3205 /* Placeholder: Always reject */
3206 rsp.dcid = 0;
3207 rsp.scid = cpu_to_le16(scid);
3208 rsp.result = L2CAP_CR_NO_MEM;
3209 rsp.status = L2CAP_CS_NO_INFO;
3210
3211 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
3212 sizeof(rsp), &rsp);
3213
3214 return 0;
3215}
3216
3217static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
3218 struct l2cap_cmd_hdr *cmd, void *data)
3219{
3220 BT_DBG("conn %p", conn);
3221
3222 return l2cap_connect_rsp(conn, cmd, data);
3223}
3224
8d5a04a1
MM		 3225static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
3226 u16 icid, u16 result)
3227{
3228 struct l2cap_move_chan_rsp rsp;
3229
3230 BT_DBG("icid %d, result %d", icid, result);
3231
3232 rsp.icid = cpu_to_le16(icid);
3233 rsp.result = cpu_to_le16(result);
3234
3235 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
3236}
3237
3238static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
3239 struct l2cap_chan *chan, u16 icid, u16 result)
3240{
3241 struct l2cap_move_chan_cfm cfm;
3242 u8 ident;
3243
3244 BT_DBG("icid %d, result %d", icid, result);
3245
3246 ident = l2cap_get_ident(conn);
3247 if (chan)
3248 chan->ident = ident;
3249
3250 cfm.icid = cpu_to_le16(icid);
3251 cfm.result = cpu_to_le16(result);
3252
3253 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
3254}
3255
3256static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
3257 u16 icid)
3258{
3259 struct l2cap_move_chan_cfm_rsp rsp;
3260
3261 BT_DBG("icid %d", icid);
3262
3263 rsp.icid = cpu_to_le16(icid);
3264 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
3265}
3266
3267static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
3268 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3269{
3270 struct l2cap_move_chan_req *req = data;
3271 u16 icid = 0;
3272 u16 result = L2CAP_MR_NOT_ALLOWED;
3273
3274 if (cmd_len != sizeof(*req))
3275 return -EPROTO;
3276
3277 icid = le16_to_cpu(req->icid);
3278
3279 BT_DBG("icid %d, dest_amp_id %d", icid, req->dest_amp_id);
3280
3281 if (!enable_hs)
3282 return -EINVAL;
3283
3284 /* Placeholder: Always refuse */
3285 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
3286
3287 return 0;
3288}
3289
3290static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
3291 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3292{
3293 struct l2cap_move_chan_rsp *rsp = data;
3294 u16 icid, result;
3295
3296 if (cmd_len != sizeof(*rsp))
3297 return -EPROTO;
3298
3299 icid = le16_to_cpu(rsp->icid);
3300 result = le16_to_cpu(rsp->result);
3301
3302 BT_DBG("icid %d, result %d", icid, result);
3303
3304 /* Placeholder: Always unconfirmed */
3305 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
3306
3307 return 0;
3308}
3309
3310static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
3311 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3312{
3313 struct l2cap_move_chan_cfm *cfm = data;
3314 u16 icid, result;
3315
3316 if (cmd_len != sizeof(*cfm))
3317 return -EPROTO;
3318
3319 icid = le16_to_cpu(cfm->icid);
3320 result = le16_to_cpu(cfm->result);
3321
3322 BT_DBG("icid %d, result %d", icid, result);
3323
3324 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
3325
3326 return 0;
3327}
3328
3329static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
3330 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3331{
3332 struct l2cap_move_chan_cfm_rsp *rsp = data;
3333 u16 icid;
3334
3335 if (cmd_len != sizeof(*rsp))
3336 return -EPROTO;
3337
3338 icid = le16_to_cpu(rsp->icid);
3339
3340 BT_DBG("icid %d", icid);
3341
3342 return 0;
3343}
3344
e2174ca4 3345static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 3346 u16 to_multiplier)
3347{
3348 u16 max_latency;
3349
3350 if (min > max || min < 6 || max > 3200)
3351 return -EINVAL;
3352
3353 if (to_multiplier < 10 || to_multiplier > 3200)
3354 return -EINVAL;
3355
3356 if (max >= to_multiplier * 8)
3357 return -EINVAL;
3358
3359 max_latency = (to_multiplier * 8 / max) - 1;
3360 if (latency > 499 || latency > max_latency)
3361 return -EINVAL;
3362
3363 return 0;
3364}
3365
3366static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
3367 struct l2cap_cmd_hdr *cmd, u8 *data)
3368{
3369 struct hci_conn *hcon = conn->hcon;
3370 struct l2cap_conn_param_update_req *req;
3371 struct l2cap_conn_param_update_rsp rsp;
3372 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 3373 int err;
de73115a
CT		 3374
3375 if (!(hcon->link_mode & HCI_LM_MASTER))
3376 return -EINVAL;
3377
3378 cmd_len = __le16_to_cpu(cmd->len);
3379 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
3380 return -EPROTO;
3381
3382 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 3383 min = __le16_to_cpu(req->min);
3384 max = __le16_to_cpu(req->max);
de73115a
CT		 3385 latency = __le16_to_cpu(req->latency);
3386 to_multiplier = __le16_to_cpu(req->to_multiplier);
3387
3388 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
3389 min, max, latency, to_multiplier);
3390
3391 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 3392
3393 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
3394 if (err)
de73115a
CT		 3395 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
3396 else
3397 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
3398
3399 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
3400 sizeof(rsp), &rsp);
3401
2ce603eb
CT		 3402 if (!err)
3403 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
3404
de73115a
CT		 3405 return 0;
3406}
3407
3300d9a9
CT		 3408static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
3409 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3410{
3411 int err = 0;
3412
3413 switch (cmd->code) {
3414 case L2CAP_COMMAND_REJ:
3415 l2cap_command_rej(conn, cmd, data);
3416 break;
3417
3418 case L2CAP_CONN_REQ:
3419 err = l2cap_connect_req(conn, cmd, data);
3420 break;
3421
3422 case L2CAP_CONN_RSP:
3423 err = l2cap_connect_rsp(conn, cmd, data);
3424 break;
3425
3426 case L2CAP_CONF_REQ:
3427 err = l2cap_config_req(conn, cmd, cmd_len, data);
3428 break;
3429
3430 case L2CAP_CONF_RSP:
3431 err = l2cap_config_rsp(conn, cmd, data);
3432 break;
3433
3434 case L2CAP_DISCONN_REQ:
3435 err = l2cap_disconnect_req(conn, cmd, data);
3436 break;
3437
3438 case L2CAP_DISCONN_RSP:
3439 err = l2cap_disconnect_rsp(conn, cmd, data);
3440 break;
3441
3442 case L2CAP_ECHO_REQ:
3443 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
3444 break;
3445
3446 case L2CAP_ECHO_RSP:
3447 break;
3448
3449 case L2CAP_INFO_REQ:
3450 err = l2cap_information_req(conn, cmd, data);
3451 break;
3452
3453 case L2CAP_INFO_RSP:
3454 err = l2cap_information_rsp(conn, cmd, data);
3455 break;
3456
f94ff6ff
MM		 3457 case L2CAP_CREATE_CHAN_REQ:
3458 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
3459 break;
3460
3461 case L2CAP_CREATE_CHAN_RSP:
3462 err = l2cap_create_channel_rsp(conn, cmd, data);
3463 break;
3464
8d5a04a1
MM		 3465 case L2CAP_MOVE_CHAN_REQ:
3466 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
3467 break;
3468
3469 case L2CAP_MOVE_CHAN_RSP:
3470 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
3471 break;
3472
3473 case L2CAP_MOVE_CHAN_CFM:
3474 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
3475 break;
3476
3477 case L2CAP_MOVE_CHAN_CFM_RSP:
3478 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
3479 break;
3480
3300d9a9
CT		 3481 default:
3482 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
3483 err = -EINVAL;
3484 break;
3485 }
3486
3487 return err;
3488}
3489
3490static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
3491 struct l2cap_cmd_hdr *cmd, u8 *data)
3492{
3493 switch (cmd->code) {
3494 case L2CAP_COMMAND_REJ:
3495 return 0;
3496
3497 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 3498 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 3499
3500 case L2CAP_CONN_PARAM_UPDATE_RSP:
3501 return 0;
3502
3503 default:
3504 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
3505 return -EINVAL;
3506 }
3507}
3508
3509static inline void l2cap_sig_channel(struct l2cap_conn *conn,
3510 struct sk_buff *skb)
1da177e4
LT		 3511{
3512 u8 *data = skb->data;
3513 int len = skb->len;
3514 struct l2cap_cmd_hdr cmd;
3300d9a9 3515 int err;
1da177e4
LT		 3516
3517 l2cap_raw_recv(conn, skb);
3518
3519 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3520 u16 cmd_len;
1da177e4
LT		 3521 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3522 data += L2CAP_CMD_HDR_SIZE;
3523 len -= L2CAP_CMD_HDR_SIZE;
3524
88219a0f 3525 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3526
88219a0f 3527 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3528
88219a0f 3529 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3530 BT_DBG("corrupted command");
3531 break;
3532 }
3533
3300d9a9
CT		 3534 if (conn->hcon->type == LE_LINK)
3535 err = l2cap_le_sig_cmd(conn, &cmd, data);
3536 else
3537 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 3538
3539 if (err) {
e2fd318e 3540 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 3541
3542 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 3543
3544 /* FIXME: Map err to a valid reason */
e2fd318e 3545 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 3546 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3547 }
3548
88219a0f
AV		 3549 data += cmd_len;
3550 len -= cmd_len;
1da177e4
LT		 3551 }
3552
3553 kfree_skb(skb);
3554}
3555
47d1ec61 3556static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 3557{
3558 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 3559 int hdr_size;
3560
3561 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3562 hdr_size = L2CAP_EXT_HDR_SIZE;
3563 else
3564 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 3565
47d1ec61 3566 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 3567 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 3568 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3569 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3570
3571 if (our_fcs != rcv_fcs)
7a560e5c 3572 return -EBADMSG;
fcc203c3
GP		 3573 }
3574 return 0;
3575}
3576
525cd185 3577static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 3578{
88843ab0 3579 u32 control = 0;
d5392c8f 3580
6a026610 3581 chan->frames_sent = 0;
d5392c8f 3582
0b209fae 3583 control |= __set_reqseq(chan, chan->buffer_seq);
d5392c8f 3584
e2ab4353 3585 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 3586 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
525cd185 3587 l2cap_send_sframe(chan, control);
e2ab4353 3588 set_bit(CONN_RNR_SENT, &chan->conn_state);
d5392c8f
GP		 3589 }
3590
e2ab4353 3591 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
525cd185 3592 l2cap_retransmit_frames(chan);
d5392c8f 3593
525cd185 3594 l2cap_ertm_send(chan);
d5392c8f 3595
e2ab4353 3596 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
6a026610 3597 chan->frames_sent == 0) {
ab784b73 3598 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 3599 l2cap_send_sframe(chan, control);
d5392c8f
GP		 3600 }
3601}
3602
fb45de7d 3603static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u16 tx_seq, u8 sar)
8f17154f
GP		 3604{
3605 struct sk_buff *next_skb;
bfbacc11 3606 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 3607
3608 bt_cb(skb)->tx_seq = tx_seq;
3609 bt_cb(skb)->sar = sar;
3610
f1c6775b 3611 next_skb = skb_peek(&chan->srej_q);
8f17154f 3612
836be934 3613 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
bfbacc11 3614
039d9572 3615 while (next_skb) {
9b53350d
JPRV		 3616 if (bt_cb(next_skb)->tx_seq == tx_seq)
3617 return -EINVAL;
3618
836be934
AE		 3619 next_tx_seq_offset = __seq_offset(chan,
3620 bt_cb(next_skb)->tx_seq, chan->buffer_seq);
bfbacc11
JPRV		 3621
3622 if (next_tx_seq_offset > tx_seq_offset) {
f1c6775b 3623 __skb_queue_before(&chan->srej_q, next_skb, skb);
9b53350d 3624 return 0;
8f17154f
GP		 3625 }
3626
f1c6775b 3627 if (skb_queue_is_last(&chan->srej_q, next_skb))
039d9572
SJ		 3628 next_skb = NULL;
3629 else
3630 next_skb = skb_queue_next(&chan->srej_q, next_skb);
3631 }
8f17154f 3632
f1c6775b 3633 __skb_queue_tail(&chan->srej_q, skb);
9b53350d
JPRV		 3634
3635 return 0;
8f17154f
GP		 3636}
3637
84084a31
MM		 3638static void append_skb_frag(struct sk_buff *skb,
3639 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 3640{
84084a31
MM		 3641 /* skb->len reflects data in skb as well as all fragments
3642 * skb->data_len reflects only data in fragments
3643 */
3644 if (!skb_has_frag_list(skb))
3645 skb_shinfo(skb)->frag_list = new_frag;
3646
3647 new_frag->next = NULL;
3648
3649 (*last_frag)->next = new_frag;
3650 *last_frag = new_frag;
3651
3652 skb->len += new_frag->len;
3653 skb->data_len += new_frag->len;
3654 skb->truesize += new_frag->truesize;
3655}
3656
88843ab0 3657static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u32 control)
84084a31
MM		 3658{
3659 int err = -EINVAL;
18778a63 3660
7e0ef6ee
AE		 3661 switch (__get_ctrl_sar(chan, control)) {
3662 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 3663 if (chan->sdu)
3664 break;
18778a63 3665
84084a31
MM		 3666 err = chan->ops->recv(chan->data, skb);
3667 break;
18778a63 3668
7e0ef6ee 3669 case L2CAP_SAR_START:
84084a31
MM		 3670 if (chan->sdu)
3671 break;
18778a63 3672
6f61fd47 3673 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 3674 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 3675
84084a31
MM		 3676 if (chan->sdu_len > chan->imtu) {
3677 err = -EMSGSIZE;
3678 break;
3679 }
1890d36b 3680
84084a31
MM		 3681 if (skb->len >= chan->sdu_len)
3682 break;
18778a63 3683
84084a31
MM		 3684 chan->sdu = skb;
3685 chan->sdu_last_frag = skb;
18778a63 3686
84084a31
MM		 3687 skb = NULL;
3688 err = 0;
18778a63
GP		 3689 break;
3690
7e0ef6ee 3691 case L2CAP_SAR_CONTINUE:
6f61fd47 3692 if (!chan->sdu)
84084a31 3693 break;
18778a63 3694
84084a31
MM		 3695 append_skb_frag(chan->sdu, skb,
3696 &chan->sdu_last_frag);
3697 skb = NULL;
18778a63 3698
84084a31
MM		 3699 if (chan->sdu->len >= chan->sdu_len)
3700 break;
4178ba46 3701
84084a31 3702 err = 0;
18778a63
GP		 3703 break;
3704
7e0ef6ee 3705 case L2CAP_SAR_END:
6f61fd47 3706 if (!chan->sdu)
84084a31 3707 break;
18778a63 3708
84084a31
MM		 3709 append_skb_frag(chan->sdu, skb,
3710 &chan->sdu_last_frag);
3711 skb = NULL;
4178ba46 3712
84084a31
MM		 3713 if (chan->sdu->len != chan->sdu_len)
3714 break;
18778a63 3715
84084a31 3716 err = chan->ops->recv(chan->data, chan->sdu);
1890d36b 3717
84084a31
MM		 3718 if (!err) {
3719 /* Reassembly complete */
3720 chan->sdu = NULL;
3721 chan->sdu_last_frag = NULL;
3722 chan->sdu_len = 0;
1890d36b 3723 }
18778a63
GP		 3724 break;
3725 }
3726
84084a31
MM		 3727 if (err) {
3728 kfree_skb(skb);
3729 kfree_skb(chan->sdu);
3730 chan->sdu = NULL;
3731 chan->sdu_last_frag = NULL;
3732 chan->sdu_len = 0;
3733 }
18778a63 3734
84084a31 3735 return err;
18778a63
GP		 3736}
3737
26f880d2 3738static void l2cap_ertm_enter_local_busy(struct l2cap_chan *chan)
712132eb 3739{
26f880d2 3740 BT_DBG("chan %p, Enter local busy", chan);
712132eb 3741
26f880d2
MM		 3742 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3743
77f918bc 3744 __set_ack_timer(chan);
26f880d2
MM		 3745}
3746
3747static void l2cap_ertm_exit_local_busy(struct l2cap_chan *chan)
3748{
88843ab0 3749 u32 control;
712132eb 3750
e2ab4353 3751 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
712132eb
GP		 3752 goto done;
3753
0b209fae 3754 control = __set_reqseq(chan, chan->buffer_seq);
e3781735 3755 control |= __set_ctrl_poll(chan);
ab784b73 3756 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 3757 l2cap_send_sframe(chan, control);
6a026610 3758 chan->retry_count = 1;
712132eb 3759
1a09bcb9
GP		 3760 __clear_retrans_timer(chan);
3761 __set_monitor_timer(chan);
712132eb 3762
e2ab4353 3763 set_bit(CONN_WAIT_F, &chan->conn_state);
712132eb
GP		 3764
3765done:
e2ab4353
GP		 3766 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3767 clear_bit(CONN_RNR_SENT, &chan->conn_state);
712132eb 3768
49208c9c 3769 BT_DBG("chan %p, Exit local busy", chan);
712132eb
GP		 3770}
3771
e328140f 3772void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
1890d36b 3773{
e328140f
MM		 3774 if (chan->mode == L2CAP_MODE_ERTM) {
3775 if (busy)
3776 l2cap_ertm_enter_local_busy(chan);
3777 else
3778 l2cap_ertm_exit_local_busy(chan);
1890d36b 3779 }
1890d36b
GP		 3780}
3781
fb45de7d 3782static void l2cap_check_srej_gap(struct l2cap_chan *chan, u16 tx_seq)
8f17154f
GP		 3783{
3784 struct sk_buff *skb;
88843ab0 3785 u32 control;
8f17154f 3786
e328140f
MM		 3787 while ((skb = skb_peek(&chan->srej_q)) &&
3788 !test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3789 int err;
3790
8f17154f
GP		 3791 if (bt_cb(skb)->tx_seq != tx_seq)
3792 break;
3793
f1c6775b 3794 skb = skb_dequeue(&chan->srej_q);
7e0ef6ee 3795 control = __set_ctrl_sar(chan, bt_cb(skb)->sar);
84084a31 3796 err = l2cap_reassemble_sdu(chan, skb, control);
e328140f
MM		 3797
3798 if (err < 0) {
3799 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3800 break;
3801 }
3802
836be934
AE		 3803 chan->buffer_seq_srej = __next_seq(chan, chan->buffer_seq_srej);
3804 tx_seq = __next_seq(chan, tx_seq);
8f17154f
GP		 3805 }
3806}
3807
fb45de7d 3808static void l2cap_resend_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 3809{
8f17154f 3810 struct srej_list *l, *tmp;
88843ab0 3811 u32 control;
8f17154f 3812
39d5a3ee 3813 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
8f17154f
GP		 3814 if (l->tx_seq == tx_seq) {
3815 list_del(&l->list);
3816 kfree(l);
3817 return;
3818 }
ab784b73 3819 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 3820 control |= __set_reqseq(chan, l->tx_seq);
525cd185 3821 l2cap_send_sframe(chan, control);
8f17154f 3822 list_del(&l->list);
39d5a3ee 3823 list_add_tail(&l->list, &chan->srej_l);
8f17154f
GP		 3824 }
3825}
3826
aef89f21 3827static int l2cap_send_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 3828{
8f17154f 3829 struct srej_list *new;
88843ab0 3830 u32 control;
8f17154f 3831
42e5c802 3832 while (tx_seq != chan->expected_tx_seq) {
ab784b73 3833 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 3834 control |= __set_reqseq(chan, chan->expected_tx_seq);
525cd185 3835 l2cap_send_sframe(chan, control);
8f17154f
GP		 3836
3837 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
aef89f21
SJ		 3838 if (!new)
3839 return -ENOMEM;
3840
42e5c802 3841 new->tx_seq = chan->expected_tx_seq;
836be934
AE		 3842
3843 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
3844
39d5a3ee 3845 list_add_tail(&new->list, &chan->srej_l);
8f17154f 3846 }
836be934
AE		 3847
3848 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
aef89f21
SJ		 3849
3850 return 0;
8f17154f
GP		 3851}
3852
88843ab0 3853static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
1c2acffb 3854{
fb45de7d 3855 u16 tx_seq = __get_txseq(chan, rx_control);
0b209fae 3856 u16 req_seq = __get_reqseq(chan, rx_control);
7e0ef6ee 3857 u8 sar = __get_ctrl_sar(chan, rx_control);
f6337c77 3858 int tx_seq_offset, expected_tx_seq_offset;
47d1ec61 3859 int num_to_ack = (chan->tx_win/6) + 1;
1c2acffb
GP		 3860 int err = 0;
3861
88843ab0 3862 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%8.8x", chan, skb->len,
525cd185 3863 tx_seq, rx_control);
1c2acffb 3864
03f6715d 3865 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 3866 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 3867 __clear_monitor_timer(chan);
6a026610 3868 if (chan->unacked_frames > 0)
1a09bcb9 3869 __set_retrans_timer(chan);
e2ab4353 3870 clear_bit(CONN_WAIT_F, &chan->conn_state);
1d8f5d16
GP		 3871 }
3872
42e5c802
GP		 3873 chan->expected_ack_seq = req_seq;
3874 l2cap_drop_acked_frames(chan);
9f121a5a 3875
836be934 3876 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
9b53350d
JPRV		 3877
3878 /* invalid tx_seq */
47d1ec61 3879 if (tx_seq_offset >= chan->tx_win) {
8c1d787b 3880 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
9b53350d
JPRV		 3881 goto drop;
3882 }
3883
77f918bc
SJ		 3884 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3885 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
3886 l2cap_send_ack(chan);
1890d36b 3887 goto drop;
77f918bc 3888 }
1890d36b 3889
02f1b641
MM		 3890 if (tx_seq == chan->expected_tx_seq)
3891 goto expected;
3892
e2ab4353 3893 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
8f17154f 3894 struct srej_list *first;
30afb5b2 3895
39d5a3ee 3896 first = list_first_entry(&chan->srej_l,
8f17154f
GP		 3897 struct srej_list, list);
3898 if (tx_seq == first->tx_seq) {
42e5c802 3899 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
525cd185 3900 l2cap_check_srej_gap(chan, tx_seq);
8f17154f
GP		 3901
3902 list_del(&first->list);
3903 kfree(first);
3904
39d5a3ee 3905 if (list_empty(&chan->srej_l)) {
42e5c802 3906 chan->buffer_seq = chan->buffer_seq_srej;
e2ab4353 3907 clear_bit(CONN_SREJ_SENT, &chan->conn_state);
525cd185 3908 l2cap_send_ack(chan);
49208c9c 3909 BT_DBG("chan %p, Exit SREJ_SENT", chan);
8f17154f
GP		 3910 }
3911 } else {
3912 struct srej_list *l;
9b53350d
JPRV		 3913
3914 /* duplicated tx_seq */
42e5c802 3915 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
9b53350d 3916 goto drop;
8f17154f 3917
39d5a3ee 3918 list_for_each_entry(l, &chan->srej_l, list) {
8f17154f 3919 if (l->tx_seq == tx_seq) {
525cd185 3920 l2cap_resend_srejframe(chan, tx_seq);
8f17154f
GP		 3921 return 0;
3922 }
3923 }
aef89f21
SJ		 3924
3925 err = l2cap_send_srejframe(chan, tx_seq);
3926 if (err < 0) {
3927 l2cap_send_disconn_req(chan->conn, chan, -err);
3928 return err;
3929 }
30afb5b2
GP		 3930 }
3931 } else {
836be934
AE		 3932 expected_tx_seq_offset = __seq_offset(chan,
3933 chan->expected_tx_seq, chan->buffer_seq);
9b53350d
JPRV		 3934
3935 /* duplicated tx_seq */
3936 if (tx_seq_offset < expected_tx_seq_offset)
3937 goto drop;
3938
e2ab4353 3939 set_bit(CONN_SREJ_SENT, &chan->conn_state);
1c2acffb 3940
49208c9c 3941 BT_DBG("chan %p, Enter SREJ", chan);
0e98958d 3942
39d5a3ee 3943 INIT_LIST_HEAD(&chan->srej_l);
42e5c802 3944 chan->buffer_seq_srej = chan->buffer_seq;
8f17154f 3945
f1c6775b 3946 __skb_queue_head_init(&chan->srej_q);
42e5c802 3947 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
8f17154f 3948
0ef3ef0f
SJ		 3949 /* Set P-bit only if there are some I-frames to ack. */
3950 if (__clear_ack_timer(chan))
3951 set_bit(CONN_SEND_PBIT, &chan->conn_state);
ef54fd93 3952
aef89f21
SJ		 3953 err = l2cap_send_srejframe(chan, tx_seq);
3954 if (err < 0) {
3955 l2cap_send_disconn_req(chan->conn, chan, -err);
3956 return err;
3957 }
1c2acffb 3958 }
30afb5b2
GP		 3959 return 0;
3960
8f17154f 3961expected:
836be934 3962 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
8f17154f 3963
e2ab4353 3964 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3b1a9f3f
GP		 3965 bt_cb(skb)->tx_seq = tx_seq;
3966 bt_cb(skb)->sar = sar;
f1c6775b 3967 __skb_queue_tail(&chan->srej_q, skb);
8f17154f
GP		 3968 return 0;
3969 }
3970
84084a31 3971 err = l2cap_reassemble_sdu(chan, skb, rx_control);
836be934
AE		 3972 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
3973
e328140f
MM		 3974 if (err < 0) {
3975 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3976 return err;
3977 }
2ece3684 3978
03f6715d 3979 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3980 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3981 l2cap_retransmit_frames(chan);
4ec10d97
GP		 3982 }
3983
c1b4f43b 3984
6a026610
GP		 3985 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3986 if (chan->num_acked == num_to_ack - 1)
525cd185 3987 l2cap_send_ack(chan);
4d611e4d
GP		 3988 else
3989 __set_ack_timer(chan);
9e917af1 3990
8f17154f 3991 return 0;
9b53350d
JPRV		 3992
3993drop:
3994 kfree_skb(skb);
3995 return 0;
1c2acffb
GP		 3996}
3997
88843ab0 3998static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u32 rx_control)
1c2acffb 3999{
88843ab0 4000 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan,
0b209fae 4001 __get_reqseq(chan, rx_control), rx_control);
0e98958d 4002
0b209fae 4003 chan->expected_ack_seq = __get_reqseq(chan, rx_control);
42e5c802 4004 l2cap_drop_acked_frames(chan);
1c2acffb 4005
e3781735 4006 if (__is_ctrl_poll(chan, rx_control)) {
e2ab4353
GP		 4007 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4008 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
4009 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 4010 (chan->unacked_frames > 0))
1a09bcb9 4011 __set_retrans_timer(chan);
05fbd89d 4012
e2ab4353 4013 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
525cd185 4014 l2cap_send_srejtail(chan);
05fbd89d 4015 } else {
525cd185 4016 l2cap_send_i_or_rr_or_rnr(chan);
05fbd89d 4017 }
1d8f5d16 4018
03f6715d 4019 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4020 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4ec10d97 4021
e2ab4353 4022 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 4023 l2cap_retransmit_frames(chan);
2246b2f1 4024
e072745f 4025 } else {
e2ab4353 4026 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 4027 (chan->unacked_frames > 0))
1a09bcb9 4028 __set_retrans_timer(chan);
1c2acffb 4029
e2ab4353
GP		 4030 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4031 if (test_bit(CONN_SREJ_SENT, &chan->conn_state))
525cd185 4032 l2cap_send_ack(chan);
894718a6 4033 else
525cd185 4034 l2cap_ertm_send(chan);
e072745f
GP		 4035 }
4036}
2246b2f1 4037
88843ab0 4038static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4039{
0b209fae 4040 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 4041
88843ab0 4042 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4043
e2ab4353 4044 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
e072745f 4045
42e5c802
GP		 4046 chan->expected_ack_seq = tx_seq;
4047 l2cap_drop_acked_frames(chan);
e072745f 4048
03f6715d 4049 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4050 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 4051 l2cap_retransmit_frames(chan);
e072745f 4052 } else {
525cd185 4053 l2cap_retransmit_frames(chan);
30afb5b2 4054
e2ab4353
GP		 4055 if (test_bit(CONN_WAIT_F, &chan->conn_state))
4056 set_bit(CONN_REJ_ACT, &chan->conn_state);
e072745f
GP		 4057 }
4058}
88843ab0 4059static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4060{
0b209fae 4061 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 4062
88843ab0 4063 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4064
e2ab4353 4065 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
2246b2f1 4066
e3781735 4067 if (__is_ctrl_poll(chan, rx_control)) {
42e5c802
GP		 4068 chan->expected_ack_seq = tx_seq;
4069 l2cap_drop_acked_frames(chan);
3cb123d1 4070
e2ab4353 4071 set_bit(CONN_SEND_FBIT, &chan->conn_state);
525cd185 4072 l2cap_retransmit_one_frame(chan, tx_seq);
dfc909be 4073
525cd185 4074 l2cap_ertm_send(chan);
dfc909be 4075
e2ab4353 4076 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 4077 chan->srej_save_reqseq = tx_seq;
e2ab4353 4078 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 4079 }
03f6715d 4080 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4081 if (test_bit(CONN_SREJ_ACT, &chan->conn_state) &&
6a026610 4082 chan->srej_save_reqseq == tx_seq)
e2ab4353 4083 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
e072745f 4084 else
525cd185 4085 l2cap_retransmit_one_frame(chan, tx_seq);
e072745f 4086 } else {
525cd185 4087 l2cap_retransmit_one_frame(chan, tx_seq);
e2ab4353 4088 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 4089 chan->srej_save_reqseq = tx_seq;
e2ab4353 4090 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 4091 }
e072745f
GP		 4092 }
4093}
4094
88843ab0 4095static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4096{
0b209fae 4097 u16 tx_seq = __get_reqseq(chan, rx_control);
e072745f 4098
88843ab0 4099 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4100
e2ab4353 4101 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
42e5c802
GP		 4102 chan->expected_ack_seq = tx_seq;
4103 l2cap_drop_acked_frames(chan);
e072745f 4104
e3781735 4105 if (__is_ctrl_poll(chan, rx_control))
e2ab4353 4106 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3cb123d1 4107
e2ab4353 4108 if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
1a09bcb9 4109 __clear_retrans_timer(chan);
e3781735 4110 if (__is_ctrl_poll(chan, rx_control))
525cd185 4111 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
99b0d4b7 4112 return;
e072745f 4113 }
99b0d4b7 4114
e3781735 4115 if (__is_ctrl_poll(chan, rx_control)) {
525cd185 4116 l2cap_send_srejtail(chan);
ab784b73
AE		 4117 } else {
4118 rx_control = __set_ctrl_super(chan, L2CAP_SUPER_RR);
4119 l2cap_send_sframe(chan, rx_control);
4120 }
e072745f
GP		 4121}
4122
88843ab0 4123static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
e072745f 4124{
88843ab0 4125 BT_DBG("chan %p rx_control 0x%8.8x len %d", chan, rx_control, skb->len);
e072745f 4126
03f6715d 4127 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 4128 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 4129 __clear_monitor_timer(chan);
6a026610 4130 if (chan->unacked_frames > 0)
1a09bcb9 4131 __set_retrans_timer(chan);
e2ab4353 4132 clear_bit(CONN_WAIT_F, &chan->conn_state);
e072745f
GP		 4133 }
4134
ab784b73
AE		 4135 switch (__get_ctrl_super(chan, rx_control)) {
4136 case L2CAP_SUPER_RR:
525cd185 4137 l2cap_data_channel_rrframe(chan, rx_control);
8f17154f
GP		 4138 break;
4139
ab784b73 4140 case L2CAP_SUPER_REJ:
525cd185 4141 l2cap_data_channel_rejframe(chan, rx_control);
e072745f 4142 break;
2246b2f1 4143
ab784b73 4144 case L2CAP_SUPER_SREJ:
525cd185 4145 l2cap_data_channel_srejframe(chan, rx_control);
e072745f
GP		 4146 break;
4147
ab784b73 4148 case L2CAP_SUPER_RNR:
525cd185 4149 l2cap_data_channel_rnrframe(chan, rx_control);
1c2acffb
GP		 4150 break;
4151 }
4152
faaebd19 4153 kfree_skb(skb);
1c2acffb
GP		 4154 return 0;
4155}
4156
cad8f1d0 4157static int l2cap_ertm_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
218bb9df 4158{
88843ab0 4159 u32 control;
0b209fae 4160 u16 req_seq;
218bb9df
GP		 4161 int len, next_tx_seq_offset, req_seq_offset;
4162
88843ab0
AE		 4163 control = __get_control(chan, skb->data);
4164 skb_pull(skb, __ctrl_size(chan));
218bb9df
GP		 4165 len = skb->len;
4166
4167 /*
4168 * We can just drop the corrupted I-frame here.
4169 * Receiver will miss it and start proper recovery
4170 * procedures and ask retransmission.
4171 */
47d1ec61 4172 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 4173 goto drop;
4174
793c2f1c 4175 if (__is_sar_start(chan, control) && !__is_sframe(chan, control))
03a51213 4176 len -= L2CAP_SDULEN_SIZE;
218bb9df 4177
47d1ec61 4178 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 4179 len -= L2CAP_FCS_SIZE;
218bb9df 4180
47d1ec61 4181 if (len > chan->mps) {
8c1d787b 4182 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4183 goto drop;
4184 }
4185
0b209fae 4186 req_seq = __get_reqseq(chan, control);
218bb9df 4187
836be934
AE		 4188 req_seq_offset = __seq_offset(chan, req_seq, chan->expected_ack_seq);
4189
4190 next_tx_seq_offset = __seq_offset(chan, chan->next_tx_seq,
4191 chan->expected_ack_seq);
218bb9df
GP		 4192
4193 /* check for invalid req-seq */
4194 if (req_seq_offset > next_tx_seq_offset) {
8c1d787b 4195 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4196 goto drop;
4197 }
4198
793c2f1c 4199 if (!__is_sframe(chan, control)) {
218bb9df 4200 if (len < 0) {
8c1d787b 4201 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4202 goto drop;
4203 }
4204
525cd185 4205 l2cap_data_channel_iframe(chan, control, skb);
218bb9df
GP		 4206 } else {
4207 if (len != 0) {
4208 BT_ERR("%d", len);
8c1d787b 4209 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4210 goto drop;
4211 }
4212
525cd185 4213 l2cap_data_channel_sframe(chan, control, skb);
218bb9df
GP		 4214 }
4215
4216 return 0;
4217
4218drop:
4219 kfree_skb(skb);
4220 return 0;
4221}
4222
1da177e4
LT		 4223static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
4224{
48454079 4225 struct l2cap_chan *chan;
bf734843 4226 struct sock *sk = NULL;
88843ab0 4227 u32 control;
fb45de7d 4228 u16 tx_seq;
218bb9df 4229 int len;
1da177e4 4230
baa7e1fa 4231 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 4232 if (!chan) {
1da177e4
LT		 4233 BT_DBG("unknown cid 0x%4.4x", cid);
4234 goto drop;
4235 }
4236
48454079 4237 sk = chan->sk;
3df91ea2 4238 lock_sock(sk);
6840ed07 4239
49208c9c 4240 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 4241
89bc500e 4242 if (chan->state != BT_CONNECTED)
1da177e4
LT		 4243 goto drop;
4244
0c1bc5c6 4245 switch (chan->mode) {
1c2acffb
GP		 4246 case L2CAP_MODE_BASIC:
4247 /* If socket recv buffers overflows we drop data here
4248 * which is *bad* because L2CAP has to be reliable.
4249 * But we don't have any other choice. L2CAP doesn't
4250 * provide flow control mechanism. */
1da177e4 4251
0c1bc5c6 4252 if (chan->imtu < skb->len)
1c2acffb 4253 goto drop;
1da177e4 4254
23070494 4255 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP		 4256 goto done;
4257 break;
4258
4259 case L2CAP_MODE_ERTM:
5ef8cb9e 4260 l2cap_ertm_data_rcv(chan, skb);
1c2acffb 4261
fcafde2e 4262 goto done;
1c2acffb 4263
6840ed07 4264 case L2CAP_MODE_STREAMING:
88843ab0
AE		 4265 control = __get_control(chan, skb->data);
4266 skb_pull(skb, __ctrl_size(chan));
6840ed07
GP		 4267 len = skb->len;
4268
47d1ec61 4269 if (l2cap_check_fcs(chan, skb))
26000089
GP		 4270 goto drop;
4271
7e0ef6ee 4272 if (__is_sar_start(chan, control))
03a51213 4273 len -= L2CAP_SDULEN_SIZE;
6840ed07 4274
47d1ec61 4275 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 4276 len -= L2CAP_FCS_SIZE;
fcc203c3 4277
793c2f1c 4278 if (len > chan->mps || len < 0 || __is_sframe(chan, control))
6840ed07
GP		 4279 goto drop;
4280
fb45de7d 4281 tx_seq = __get_txseq(chan, control);
6840ed07 4282
84084a31
MM		 4283 if (chan->expected_tx_seq != tx_seq) {
4284 /* Frame(s) missing - must discard partial SDU */
4285 kfree_skb(chan->sdu);
4286 chan->sdu = NULL;
4287 chan->sdu_last_frag = NULL;
4288 chan->sdu_len = 0;
6840ed07 4289
84084a31
MM		 4290 /* TODO: Notify userland of missing data */
4291 }
4292
836be934 4293 chan->expected_tx_seq = __next_seq(chan, tx_seq);
84084a31
MM		 4294
4295 if (l2cap_reassemble_sdu(chan, skb, control) == -EMSGSIZE)
4296 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
6840ed07
GP		 4297
4298 goto done;
4299
1c2acffb 4300 default:
0c1bc5c6 4301 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 4302 break;
4303 }
1da177e4
LT		 4304
4305drop:
4306 kfree_skb(skb);
4307
4308done:
0139418c 4309 if (sk)
aa2ac881 4310 release_sock(sk);
0139418c 4311
1da177e4
LT		 4312 return 0;
4313}
4314
8e036fc3 4315static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 4316{
6dcae1ea 4317 struct sock *sk = NULL;
23691d75 4318 struct l2cap_chan *chan;
1da177e4 4319
23691d75
GP		 4320 chan = l2cap_global_chan_by_psm(0, psm, conn->src);
4321 if (!chan)
1da177e4
LT		 4322 goto drop;
4323
23691d75
GP		 4324 sk = chan->sk;
4325
aa2ac881 4326 lock_sock(sk);
e0f0cb56 4327
1da177e4
LT		 4328 BT_DBG("sk %p, len %d", sk, skb->len);
4329
89bc500e 4330 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 4331 goto drop;
4332
e13e21dc 4333 if (chan->imtu < skb->len)
1da177e4
LT		 4334 goto drop;
4335
23070494 4336 if (!chan->ops->recv(chan->data, skb))
1da177e4
LT		 4337 goto done;
4338
4339drop:
4340 kfree_skb(skb);
4341
4342done:
af05b30b 4343 if (sk)
aa2ac881 4344 release_sock(sk);
1da177e4
LT		 4345 return 0;
4346}
4347
9f69bda6
GP		 4348static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
4349{
6dcae1ea 4350 struct sock *sk = NULL;
23691d75 4351 struct l2cap_chan *chan;
9f69bda6 4352
23691d75
GP		 4353 chan = l2cap_global_chan_by_scid(0, cid, conn->src);
4354 if (!chan)
9f69bda6
GP		 4355 goto drop;
4356
23691d75
GP		 4357 sk = chan->sk;
4358
aa2ac881 4359 lock_sock(sk);
9f69bda6
GP		 4360
4361 BT_DBG("sk %p, len %d", sk, skb->len);
4362
89bc500e 4363 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 4364 goto drop;
4365
e13e21dc 4366 if (chan->imtu < skb->len)
9f69bda6
GP		 4367 goto drop;
4368
23070494 4369 if (!chan->ops->recv(chan->data, skb))
9f69bda6
GP		 4370 goto done;
4371
4372drop:
4373 kfree_skb(skb);
4374
4375done:
4376 if (sk)
aa2ac881 4377 release_sock(sk);
9f69bda6
GP		 4378 return 0;
4379}
4380
1da177e4
LT		 4381static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4382{
4383 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4384 u16 cid, len;
4385 __le16 psm;
1da177e4
LT		 4386
4387 skb_pull(skb, L2CAP_HDR_SIZE);
4388 cid = __le16_to_cpu(lh->cid);
4389 len = __le16_to_cpu(lh->len);
4390
1c2acffb
GP		 4391 if (len != skb->len) {
4392 kfree_skb(skb);
4393 return;
4394 }
4395
1da177e4
LT		 4396 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4397
4398 switch (cid) {
3300d9a9 4399 case L2CAP_CID_LE_SIGNALING:
8db4dc46 4400 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4401 l2cap_sig_channel(conn, skb);
4402 break;
4403
8db4dc46 4404 case L2CAP_CID_CONN_LESS:
1b7bf4ed 4405 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 4406 skb_pull(skb, 2);
4407 l2cap_conless_channel(conn, psm, skb);
4408 break;
4409
9f69bda6
GP		 4410 case L2CAP_CID_LE_DATA:
4411 l2cap_att_channel(conn, cid, skb);
4412 break;
4413
b501d6a1
AB		 4414 case L2CAP_CID_SMP:
4415 if (smp_sig_channel(conn, skb))
4416 l2cap_conn_del(conn->hcon, EACCES);
4417 break;
4418
1da177e4
LT		 4419 default:
4420 l2cap_data_channel(conn, cid, skb);
4421 break;
4422 }
4423}
4424
4425/* ---- L2CAP interface with lower layer (HCI) ---- */
4426
686ebf28 4427int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 4428{
4429 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 4430 struct l2cap_chan *c;
1da177e4 4431
1da177e4
LT		 4432 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4433
4434 /* Find listening sockets and check their link_mode */
23691d75
GP		 4435 read_lock(&chan_list_lock);
4436 list_for_each_entry(c, &chan_list, global_l) {
4437 struct sock *sk = c->sk;
4343478f 4438
89bc500e 4439 if (c->state != BT_LISTEN)
1da177e4
LT		 4440 continue;
4441
4442 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4443 lm1 |= HCI_LM_ACCEPT;
43bd0f32 4444 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 4445 lm1 |= HCI_LM_MASTER;
1da177e4 4446 exact++;
2af6b9d5
MH		 4447 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4448 lm2 |= HCI_LM_ACCEPT;
43bd0f32 4449 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 4450 lm2 |= HCI_LM_MASTER;
4451 }
1da177e4 4452 }
23691d75 4453 read_unlock(&chan_list_lock);
1da177e4
LT		 4454
4455 return exact ? lm1 : lm2;
4456}
4457
686ebf28 4458int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 4459{
0139418c
MH		 4460 struct l2cap_conn *conn;
4461
1da177e4
LT		 4462 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4463
1da177e4 4464 if (!status) {
1da177e4
LT		 4465 conn = l2cap_conn_add(hcon, status);
4466 if (conn)
4467 l2cap_conn_ready(conn);
0139418c 4468 } else
e175072f 4469 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 4470
4471 return 0;
4472}
4473
686ebf28 4474int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 4475{
4476 struct l2cap_conn *conn = hcon->l2cap_data;
4477
4478 BT_DBG("hcon %p", hcon);
4479
686ebf28 4480 if (!conn)
9f5a0d7b 4481 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 4482 return conn->disc_reason;
4483}
4484
686ebf28 4485int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4486{
4487 BT_DBG("hcon %p reason %d", hcon, reason);
4488
e175072f 4489 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 4490 return 0;
4491}
4492
4343478f 4493static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4494{
715ec005 4495 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 4496 return;
4497
f62e4323 4498 if (encrypt == 0x00) {
4343478f 4499 if (chan->sec_level == BT_SECURITY_MEDIUM) {
c9b66675 4500 __clear_chan_timer(chan);
b83ddfe2
AK		 4501 __set_chan_timer(chan,
4502 msecs_to_jiffies(L2CAP_ENC_TIMEOUT));
4343478f 4503 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 4504 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4505 } else {
4343478f 4506 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 4507 __clear_chan_timer(chan);
f62e4323
MH		 4508 }
4509}
4510
686ebf28 4511int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4512{
0139418c 4513 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4514 struct l2cap_chan *chan;
1da177e4 4515
0139418c 4516 if (!conn)
1da177e4 4517 return 0;
0139418c 4518
1da177e4
LT		 4519 BT_DBG("conn %p", conn);
4520
160dc6ac
VCG		 4521 if (hcon->type == LE_LINK) {
4522 smp_distribute_keys(conn, 0);
17cd3f37 4523 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 4524 }
4525
3df91ea2 4526 mutex_lock(&conn->chan_lock);
1da177e4 4527
3df91ea2 4528 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 4529 struct sock *sk = chan->sk;
baa7e1fa 4530
1da177e4
LT		 4531 bh_lock_sock(sk);
4532
f1cb9af5
VCG		 4533 BT_DBG("chan->scid %d", chan->scid);
4534
4535 if (chan->scid == L2CAP_CID_LE_DATA) {
4536 if (!status && encrypt) {
4537 chan->sec_level = hcon->sec_level;
cf4cd009 4538 l2cap_chan_ready(chan);
f1cb9af5
VCG		 4539 }
4540
4541 bh_unlock_sock(sk);
4542 continue;
4543 }
4544
c1360a1c 4545 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6a8d3010
MH		 4546 bh_unlock_sock(sk);
4547 continue;
4548 }
4549
89bc500e
GP		 4550 if (!status && (chan->state == BT_CONNECTED ||
4551 chan->state == BT_CONFIG)) {
4343478f 4552 l2cap_check_encryption(chan, encrypt);
9719f8af
MH		 4553 bh_unlock_sock(sk);
4554 continue;
4555 }
4556
89bc500e 4557 if (chan->state == BT_CONNECT) {
b1235d79
MH		 4558 if (!status) {
4559 struct l2cap_conn_req req;
fe4128e0
GP		 4560 req.scid = cpu_to_le16(chan->scid);
4561 req.psm = chan->psm;
1da177e4 4562
fc7f8a7e 4563 chan->ident = l2cap_get_ident(conn);
c1360a1c 4564 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4 4565
fc7f8a7e 4566 l2cap_send_cmd(conn, chan->ident,
b1235d79
MH		 4567 L2CAP_CONN_REQ, sizeof(req), &req);
4568 } else {
c9b66675 4569 __clear_chan_timer(chan);
b83ddfe2
AK		 4570 __set_chan_timer(chan,
4571 msecs_to_jiffies(L2CAP_DISC_TIMEOUT));
b1235d79 4572 }
89bc500e 4573 } else if (chan->state == BT_CONNECT2) {
b1235d79 4574 struct l2cap_conn_rsp rsp;
df3c3931 4575 __u16 res, stat;
1da177e4 4576
b1235d79 4577 if (!status) {
df3c3931
JH		 4578 if (bt_sk(sk)->defer_setup) {
4579 struct sock *parent = bt_sk(sk)->parent;
4580 res = L2CAP_CR_PEND;
4581 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 4582 if (parent)
4583 parent->sk_data_ready(parent, 0);
df3c3931 4584 } else {
05558911 4585 l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 4586 res = L2CAP_CR_SUCCESS;
4587 stat = L2CAP_CS_NO_INFO;
4588 }
b1235d79 4589 } else {
89bc500e 4590 l2cap_state_change(chan, BT_DISCONN);
b83ddfe2
AK		 4591 __set_chan_timer(chan,
4592 msecs_to_jiffies(L2CAP_DISC_TIMEOUT));
df3c3931
JH		 4593 res = L2CAP_CR_SEC_BLOCK;
4594 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 4595 }
4596
fe4128e0
GP		 4597 rsp.scid = cpu_to_le16(chan->dcid);
4598 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 4599 rsp.result = cpu_to_le16(res);
4600 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 4601 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4602 sizeof(rsp), &rsp);
b1235d79 4603 }
1da177e4
LT		 4604
4605 bh_unlock_sock(sk);
4606 }
4607
3df91ea2 4608 mutex_unlock(&conn->chan_lock);
b1235d79 4609
1da177e4
LT		 4610 return 0;
4611}
4612
686ebf28 4613int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 4614{
4615 struct l2cap_conn *conn = hcon->l2cap_data;
4616
5a08ecce
AE		 4617 if (!conn)
4618 conn = l2cap_conn_add(hcon, 0);
4619
4620 if (!conn)
1da177e4
LT		 4621 goto drop;
4622
4623 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4624
e702112f 4625 if (!(flags & ACL_CONT)) {
1da177e4 4626 struct l2cap_hdr *hdr;
48454079 4627 struct l2cap_chan *chan;
89794813 4628 u16 cid;
1da177e4
LT		 4629 int len;
4630
4631 if (conn->rx_len) {
4632 BT_ERR("Unexpected start frame (len %d)", skb->len);
4633 kfree_skb(conn->rx_skb);
4634 conn->rx_skb = NULL;
4635 conn->rx_len = 0;
4636 l2cap_conn_unreliable(conn, ECOMM);
4637 }
4638
aae7fe22
AE		 4639 /* Start fragment always begin with Basic L2CAP header */
4640 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 4641 BT_ERR("Frame is too short (len %d)", skb->len);
4642 l2cap_conn_unreliable(conn, ECOMM);
4643 goto drop;
4644 }
4645
4646 hdr = (struct l2cap_hdr *) skb->data;
4647 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
89794813 4648 cid = __le16_to_cpu(hdr->cid);
1da177e4
LT		 4649
4650 if (len == skb->len) {
4651 /* Complete frame received */
4652 l2cap_recv_frame(conn, skb);
4653 return 0;
4654 }
4655
4656 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4657
4658 if (skb->len > len) {
4659 BT_ERR("Frame is too long (len %d, expected len %d)",
4660 skb->len, len);
4661 l2cap_conn_unreliable(conn, ECOMM);
4662 goto drop;
4663 }
4664
baa7e1fa 4665 chan = l2cap_get_chan_by_scid(conn, cid);
89794813 4666
48454079
GP		 4667 if (chan && chan->sk) {
4668 struct sock *sk = chan->sk;
3df91ea2 4669 lock_sock(sk);
89794813 4670
0c1bc5c6 4671 if (chan->imtu < len - L2CAP_HDR_SIZE) {
48454079
GP		 4672 BT_ERR("Frame exceeding recv MTU (len %d, "
4673 "MTU %d)", len,
0c1bc5c6 4674 chan->imtu);
aa2ac881 4675 release_sock(sk);
48454079
GP		 4676 l2cap_conn_unreliable(conn, ECOMM);
4677 goto drop;
4678 }
aa2ac881 4679 release_sock(sk);
48454079 4680 }
89794813 4681
1da177e4 4682 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4683 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4684 if (!conn->rx_skb)
1da177e4
LT		 4685 goto drop;
4686
d626f62b 4687 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4688 skb->len);
1da177e4
LT		 4689 conn->rx_len = len - skb->len;
4690 } else {
4691 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4692
4693 if (!conn->rx_len) {
4694 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4695 l2cap_conn_unreliable(conn, ECOMM);
4696 goto drop;
4697 }
4698
4699 if (skb->len > conn->rx_len) {
4700 BT_ERR("Fragment is too long (len %d, expected %d)",
4701 skb->len, conn->rx_len);
4702 kfree_skb(conn->rx_skb);
4703 conn->rx_skb = NULL;
4704 conn->rx_len = 0;
4705 l2cap_conn_unreliable(conn, ECOMM);
4706 goto drop;
4707 }
4708
d626f62b 4709 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4710 skb->len);
1da177e4
LT		 4711 conn->rx_len -= skb->len;
4712
4713 if (!conn->rx_len) {
4714 /* Complete frame received */
4715 l2cap_recv_frame(conn, conn->rx_skb);
4716 conn->rx_skb = NULL;
4717 }
4718 }
4719
4720drop:
4721 kfree_skb(skb);
4722 return 0;
4723}
4724
aef7d97c 4725static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 4726{
23691d75 4727 struct l2cap_chan *c;
1da177e4 4728
333055f2 4729 read_lock(&chan_list_lock);
1da177e4 4730
23691d75
GP		 4731 list_for_each_entry(c, &chan_list, global_l) {
4732 struct sock *sk = c->sk;
101545f6 4733
903d343e 4734 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 4735 batostr(&bt_sk(sk)->src),
4736 batostr(&bt_sk(sk)->dst),
89bc500e 4737 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 4738 c->scid, c->dcid, c->imtu, c->omtu,
4739 c->sec_level, c->mode);
61e1b4b7 4740 }
1da177e4 4741
333055f2 4742 read_unlock(&chan_list_lock);
1da177e4 4743
aef7d97c 4744 return 0;
1da177e4
LT		 4745}
4746
aef7d97c
MH		 4747static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4748{
4749 return single_open(file, l2cap_debugfs_show, inode->i_private);
4750}
4751
4752static const struct file_operations l2cap_debugfs_fops = {
4753 .open = l2cap_debugfs_open,
4754 .read = seq_read,
4755 .llseek = seq_lseek,
4756 .release = single_release,
4757};
4758
4759static struct dentry *l2cap_debugfs;
1da177e4 4760
64274518 4761int __init l2cap_init(void)
1da177e4
LT		 4762{
4763 int err;
be9d1227 4764
bb58f747 4765 err = l2cap_init_sockets();
1da177e4
LT		 4766 if (err < 0)
4767 return err;
4768
aef7d97c
MH		 4769 if (bt_debugfs) {
4770 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4771 bt_debugfs, NULL, &l2cap_debugfs_fops);
4772 if (!l2cap_debugfs)
4773 BT_ERR("Failed to create L2CAP debug file");
4774 }
1da177e4 4775
1da177e4 4776 return 0;
1da177e4
LT		 4777}
4778
64274518 4779void l2cap_exit(void)
1da177e4 4780{
aef7d97c 4781 debugfs_remove(l2cap_debugfs);
bb58f747 4782 l2cap_cleanup_sockets();
1da177e4
LT		 4783}
4784
d1c4a17d
GP		 4785module_param(disable_ertm, bool, 0644);
4786MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)