projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Fix LE pairing completion on connection failure
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
33#include <linux/types.h>
4fc268d2 34#include <linux/capability.h>
1da177e4
LT		 35#include <linux/errno.h>
36#include <linux/kernel.h>
1da177e4
LT		 37#include <linux/sched.h>
38#include <linux/slab.h>
39#include <linux/poll.h>
40#include <linux/fcntl.h>
41#include <linux/init.h>
42#include <linux/interrupt.h>
43#include <linux/socket.h>
44#include <linux/skbuff.h>
1da177e4 45#include <linux/list.h>
be9d1227 46#include <linux/device.h>
aef7d97c
MH		 47#include <linux/debugfs.h>
48#include <linux/seq_file.h>
af05b30b 49#include <linux/uaccess.h>
fcc203c3 50#include <linux/crc16.h>
1da177e4
LT		 51#include <net/sock.h>
52
1da177e4
LT		 53#include <asm/unaligned.h>
54
55#include <net/bluetooth/bluetooth.h>
56#include <net/bluetooth/hci_core.h>
57#include <net/bluetooth/l2cap.h>
b501d6a1 58#include <net/bluetooth/smp.h>
1da177e4 59
eb939922 60bool disable_ertm;
f0709e03 61
47ec1dcd 62static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 63static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 64
b5ad8b7f
JB		 65static LIST_HEAD(chan_list);
66static DEFINE_RWLOCK(chan_list_lock);
1da177e4 67
1da177e4
LT		 68static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
69 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 70static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
71 void *data);
710f9b0a 72static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a 73static void l2cap_send_disconn_req(struct l2cap_conn *conn,
c5daa683 74 struct l2cap_chan *chan, int err);
1da177e4 75
0139418c 76/* ---- L2CAP channels ---- */
71ba0e56 77
baa7e1fa 78static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 79{
3df91ea2 80 struct l2cap_chan *c;
3d57dc68 81
3df91ea2
AE		 82 list_for_each_entry(c, &conn->chan_l, list) {
83 if (c->dcid == cid)
84 return c;
0139418c 85 }
3df91ea2 86 return NULL;
0139418c
MH		 87}
88
baa7e1fa 89static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 90{
3df91ea2 91 struct l2cap_chan *c;
3d57dc68 92
3df91ea2
AE		 93 list_for_each_entry(c, &conn->chan_l, list) {
94 if (c->scid == cid)
95 return c;
0139418c 96 }
3df91ea2 97 return NULL;
0139418c
MH		 98}
99
100/* Find channel with given SCID.
ef191ade 101 * Returns locked channel. */
baa7e1fa 102static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 103{
48454079 104 struct l2cap_chan *c;
baa7e1fa 105
3df91ea2 106 mutex_lock(&conn->chan_lock);
baa7e1fa 107 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 108 if (c)
109 l2cap_chan_lock(c);
3df91ea2
AE		 110 mutex_unlock(&conn->chan_lock);
111
48454079 112 return c;
0139418c
MH		 113}
114
baa7e1fa 115static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 116{
3df91ea2 117 struct l2cap_chan *c;
3d57dc68 118
3df91ea2
AE		 119 list_for_each_entry(c, &conn->chan_l, list) {
120 if (c->ident == ident)
121 return c;
0139418c 122 }
3df91ea2 123 return NULL;
0139418c
MH		 124}
125
23691d75 126static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 127{
23691d75 128 struct l2cap_chan *c;
9e4425ff 129
23691d75
GP		 130 list_for_each_entry(c, &chan_list, global_l) {
131 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 132 return c;
9e4425ff 133 }
250938cb 134 return NULL;
9e4425ff
GP		 135}
136
137int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
138{
73b2ec18
GP		 139 int err;
140
333055f2 141 write_lock(&chan_list_lock);
9e4425ff 142
23691d75 143 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 144 err = -EADDRINUSE;
145 goto done;
9e4425ff
GP		 146 }
147
73b2ec18
GP		 148 if (psm) {
149 chan->psm = psm;
150 chan->sport = psm;
151 err = 0;
152 } else {
153 u16 p;
154
155 err = -EINVAL;
156 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 157 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 158 chan->psm = cpu_to_le16(p);
159 chan->sport = cpu_to_le16(p);
160 err = 0;
161 break;
162 }
163 }
9e4425ff 164
73b2ec18 165done:
333055f2 166 write_unlock(&chan_list_lock);
73b2ec18 167 return err;
9e4425ff
GP		 168}
169
170int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
171{
333055f2 172 write_lock(&chan_list_lock);
9e4425ff
GP		 173
174 chan->scid = scid;
175
333055f2 176 write_unlock(&chan_list_lock);
9e4425ff
GP		 177
178 return 0;
179}
180
baa7e1fa 181static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 182{
8db4dc46 183 u16 cid = L2CAP_CID_DYN_START;
0139418c 184
8db4dc46 185 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 186 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 187 return cid;
188 }
189
190 return 0;
191}
192
0e587be7 193static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 194{
42d2d87c 195 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
badaaa00
GP		 196 state_to_string(state));
197
89bc500e
GP		 198 chan->state = state;
199 chan->ops->state_change(chan->data, state);
200}
201
0e587be7
AE		 202static void l2cap_state_change(struct l2cap_chan *chan, int state)
203{
204 struct sock *sk = chan->sk;
205
206 lock_sock(sk);
207 __l2cap_state_change(chan, state);
208 release_sock(sk);
209}
210
2e0052e4
AE		 211static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
212{
213 struct sock *sk = chan->sk;
214
215 sk->sk_err = err;
216}
217
218static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
219{
220 struct sock *sk = chan->sk;
221
222 lock_sock(sk);
223 __l2cap_chan_set_err(chan, err);
224 release_sock(sk);
225}
226
3c588192
MM		 227/* ---- L2CAP sequence number lists ---- */
228
229/* For ERTM, ordered lists of sequence numbers must be tracked for
230 * SREJ requests that are received and for frames that are to be
231 * retransmitted. These seq_list functions implement a singly-linked
232 * list in an array, where membership in the list can also be checked
233 * in constant time. Items can also be added to the tail of the list
234 * and removed from the head in constant time, without further memory
235 * allocs or frees.
236 */
237
238static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
239{
240 size_t alloc_size, i;
241
242 /* Allocated size is a power of 2 to map sequence numbers
243 * (which may be up to 14 bits) in to a smaller array that is
244 * sized for the negotiated ERTM transmit windows.
245 */
246 alloc_size = roundup_pow_of_two(size);
247
248 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
249 if (!seq_list->list)
250 return -ENOMEM;
251
252 seq_list->mask = alloc_size - 1;
253 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
254 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
255 for (i = 0; i < alloc_size; i++)
256 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
257
258 return 0;
259}
260
261static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
262{
263 kfree(seq_list->list);
264}
265
266static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
267 u16 seq)
268{
269 /* Constant-time check for list membership */
270 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
271}
272
273static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
274{
275 u16 mask = seq_list->mask;
276
277 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
278 /* In case someone tries to pop the head of an empty list */
279 return L2CAP_SEQ_LIST_CLEAR;
280 } else if (seq_list->head == seq) {
281 /* Head can be removed in constant time */
282 seq_list->head = seq_list->list[seq & mask];
283 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
284
285 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
286 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
287 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
288 }
289 } else {
290 /* Walk the list to find the sequence number */
291 u16 prev = seq_list->head;
292 while (seq_list->list[prev & mask] != seq) {
293 prev = seq_list->list[prev & mask];
294 if (prev == L2CAP_SEQ_LIST_TAIL)
295 return L2CAP_SEQ_LIST_CLEAR;
296 }
297
298 /* Unlink the number from the list and clear it */
299 seq_list->list[prev & mask] = seq_list->list[seq & mask];
300 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
301 if (seq_list->tail == seq)
302 seq_list->tail = prev;
303 }
304 return seq;
305}
306
307static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
308{
309 /* Remove the head in constant time */
310 return l2cap_seq_list_remove(seq_list, seq_list->head);
311}
312
313static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
314{
f522ae36 315 u16 i;
3c588192 316
f522ae36
GP		 317 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
318 return;
319
320 for (i = 0; i <= seq_list->mask; i++)
321 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
322
323 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
324 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 325}
326
327static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
328{
329 u16 mask = seq_list->mask;
330
331 /* All appends happen in constant time */
332
f522ae36
GP		 333 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
334 return;
3c588192 335
f522ae36
GP		 336 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
337 seq_list->head = seq;
338 else
339 seq_list->list[seq_list->tail & mask] = seq;
340
341 seq_list->tail = seq;
342 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 343}
344
721c4181 345static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 346{
721c4181
GP		 347 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
348 chan_timer.work);
3df91ea2 349 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 350 int reason;
351
e05dcc32 352 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 353
3df91ea2 354 mutex_lock(&conn->chan_lock);
6be36555 355 l2cap_chan_lock(chan);
ab07801d 356
89bc500e 357 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 358 reason = ECONNREFUSED;
89bc500e 359 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 360 chan->sec_level != BT_SECURITY_SDP)
361 reason = ECONNREFUSED;
362 else
363 reason = ETIMEDOUT;
364
0f852724 365 l2cap_chan_close(chan, reason);
ab07801d 366
6be36555 367 l2cap_chan_unlock(chan);
ab07801d 368
ba3bd0ee 369 chan->ops->close(chan->data);
3df91ea2
AE		 370 mutex_unlock(&conn->chan_lock);
371
371fd835 372 l2cap_chan_put(chan);
ab07801d
GP		 373}
374
eef1d9b6 375struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 376{
377 struct l2cap_chan *chan;
378
379 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
380 if (!chan)
381 return NULL;
382
c03b355e
AE		 383 mutex_init(&chan->lock);
384
333055f2 385 write_lock(&chan_list_lock);
23691d75 386 list_add(&chan->global_l, &chan_list);
333055f2 387 write_unlock(&chan_list_lock);
23691d75 388
721c4181 389 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 390
89bc500e
GP		 391 chan->state = BT_OPEN;
392
71ba0e56
GP		 393 atomic_set(&chan->refcnt, 1);
394
eef1d9b6 395 BT_DBG("chan %p", chan);
abc545b8 396
48454079
GP		 397 return chan;
398}
399
23691d75 400void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 401{
333055f2 402 write_lock(&chan_list_lock);
23691d75 403 list_del(&chan->global_l);
333055f2 404 write_unlock(&chan_list_lock);
23691d75 405
371fd835 406 l2cap_chan_put(chan);
6ff5abbf
GP		 407}
408
bd4b1653
AE		 409void l2cap_chan_set_defaults(struct l2cap_chan *chan)
410{
411 chan->fcs = L2CAP_FCS_CRC16;
412 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
413 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
414 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
415 chan->sec_level = BT_SECURITY_LOW;
416
417 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
418}
419
14a28491 420static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 421{
af05b30b 422 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 423 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 424
9f5a0d7b 425 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 426
8c1d787b 427 chan->conn = conn;
0139418c 428
5491120e
AE		 429 switch (chan->chan_type) {
430 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 431 if (conn->hcon->type == LE_LINK) {
432 /* LE connection */
0c1bc5c6 433 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 434 chan->scid = L2CAP_CID_LE_DATA;
435 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 436 } else {
437 /* Alloc CID for connection-oriented socket */
fe4128e0 438 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 439 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 440 }
5491120e
AE		 441 break;
442
443 case L2CAP_CHAN_CONN_LESS:
0139418c 444 /* Connectionless socket */
fe4128e0
GP		 445 chan->scid = L2CAP_CID_CONN_LESS;
446 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 447 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 448 break;
449
450 default:
0139418c 451 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 452 chan->scid = L2CAP_CID_SIGNALING;
453 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 454 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 455 }
456
8f7975b1
AE		 457 chan->local_id = L2CAP_BESTEFFORT_ID;
458 chan->local_stype = L2CAP_SERV_BESTEFFORT;
459 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
460 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
461 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
462 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
463
371fd835 464 l2cap_chan_hold(chan);
baa7e1fa 465
3df91ea2 466 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 467}
468
14a28491 469static void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 470{
471 mutex_lock(&conn->chan_lock);
472 __l2cap_chan_add(conn, chan);
3df91ea2 473 mutex_unlock(&conn->chan_lock);
0139418c
MH		 474}
475
4519de9a 476static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 477{
48454079 478 struct sock *sk = chan->sk;
8c1d787b 479 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 480 struct sock *parent = bt_sk(sk)->parent;
481
c9b66675 482 __clear_chan_timer(chan);
0139418c 483
49208c9c 484 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 485
8e87d142 486 if (conn) {
baa7e1fa 487 /* Delete from channel list */
3df91ea2 488 list_del(&chan->list);
3d57dc68 489
371fd835 490 l2cap_chan_put(chan);
baa7e1fa 491
8c1d787b 492 chan->conn = NULL;
0139418c
MH		 493 hci_conn_put(conn->hcon);
494 }
495
6be36555
AE		 496 lock_sock(sk);
497
0e587be7 498 __l2cap_state_change(chan, BT_CLOSED);
0139418c
MH		 499 sock_set_flag(sk, SOCK_ZAPPED);
500
501 if (err)
2e0052e4 502 __l2cap_chan_set_err(chan, err);
0139418c
MH		 503
504 if (parent) {
505 bt_accept_unlink(sk);
506 parent->sk_data_ready(parent, 0);
507 } else
508 sk->sk_state_change(sk);
c13ffa62 509
6be36555
AE		 510 release_sock(sk);
511
c1360a1c
GP		 512 if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
513 test_bit(CONF_INPUT_DONE, &chan->conf_state)))
6ff5abbf 514 return;
2ead70b8 515
58d35f87 516 skb_queue_purge(&chan->tx_q);
c13ffa62 517
0c1bc5c6 518 if (chan->mode == L2CAP_MODE_ERTM) {
c13ffa62
GP		 519 struct srej_list *l, *tmp;
520
1a09bcb9
GP		 521 __clear_retrans_timer(chan);
522 __clear_monitor_timer(chan);
523 __clear_ack_timer(chan);
c13ffa62 524
f1c6775b 525 skb_queue_purge(&chan->srej_q);
c13ffa62 526
3c588192
MM		 527 l2cap_seq_list_free(&chan->srej_list);
528 l2cap_seq_list_free(&chan->retrans_list);
39d5a3ee 529 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
c13ffa62
GP		 530 list_del(&l->list);
531 kfree(l);
532 }
533 }
0139418c
MH		 534}
535
4519de9a
GP		 536static void l2cap_chan_cleanup_listen(struct sock *parent)
537{
538 struct sock *sk;
539
540 BT_DBG("parent %p", parent);
541
542 /* Close not yet accepted channels */
0f852724 543 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee 544 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
3df91ea2 545
6be36555 546 l2cap_chan_lock(chan);
c9b66675 547 __clear_chan_timer(chan);
ba3bd0ee 548 l2cap_chan_close(chan, ECONNRESET);
6be36555 549 l2cap_chan_unlock(chan);
3df91ea2 550
ba3bd0ee 551 chan->ops->close(chan->data);
0f852724 552 }
4519de9a
GP		 553}
554
0f852724 555void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 556{
557 struct l2cap_conn *conn = chan->conn;
558 struct sock *sk = chan->sk;
559
e05dcc32
AE		 560 BT_DBG("chan %p state %s sk %p", chan,
561 state_to_string(chan->state), sk);
4519de9a 562
89bc500e 563 switch (chan->state) {
4519de9a 564 case BT_LISTEN:
6be36555 565 lock_sock(sk);
4519de9a 566 l2cap_chan_cleanup_listen(sk);
89bc500e 567
0e587be7 568 __l2cap_state_change(chan, BT_CLOSED);
89bc500e 569 sock_set_flag(sk, SOCK_ZAPPED);
6be36555 570 release_sock(sk);
4519de9a
GP		 571 break;
572
573 case BT_CONNECTED:
574 case BT_CONFIG:
715ec005 575 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 576 conn->hcon->type == ACL_LINK) {
c9b66675 577 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 578 l2cap_send_disconn_req(conn, chan, reason);
579 } else
580 l2cap_chan_del(chan, reason);
581 break;
582
583 case BT_CONNECT2:
715ec005 584 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 585 conn->hcon->type == ACL_LINK) {
586 struct l2cap_conn_rsp rsp;
587 __u16 result;
588
c5daa683 589 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 590 result = L2CAP_CR_SEC_BLOCK;
591 else
592 result = L2CAP_CR_BAD_PSM;
89bc500e 593 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 594
595 rsp.scid = cpu_to_le16(chan->dcid);
596 rsp.dcid = cpu_to_le16(chan->scid);
597 rsp.result = cpu_to_le16(result);
598 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
599 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
600 sizeof(rsp), &rsp);
601 }
602
603 l2cap_chan_del(chan, reason);
604 break;
605
606 case BT_CONNECT:
607 case BT_DISCONN:
608 l2cap_chan_del(chan, reason);
609 break;
610
611 default:
6be36555 612 lock_sock(sk);
4519de9a 613 sock_set_flag(sk, SOCK_ZAPPED);
6be36555 614 release_sock(sk);
4519de9a
GP		 615 break;
616 }
617}
618
4343478f 619static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 620{
715ec005 621 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 622 switch (chan->sec_level) {
8556edd3
JH		 623 case BT_SECURITY_HIGH:
624 return HCI_AT_DEDICATED_BONDING_MITM;
625 case BT_SECURITY_MEDIUM:
626 return HCI_AT_DEDICATED_BONDING;
627 default:
628 return HCI_AT_NO_BONDING;
629 }
fe4128e0 630 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 631 if (chan->sec_level == BT_SECURITY_LOW)
632 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 633
4343478f 634 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 635 return HCI_AT_NO_BONDING_MITM;
00ae4af9 636 else
8556edd3 637 return HCI_AT_NO_BONDING;
00ae4af9 638 } else {
4343478f 639 switch (chan->sec_level) {
00ae4af9 640 case BT_SECURITY_HIGH:
8556edd3 641 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 642 case BT_SECURITY_MEDIUM:
8556edd3 643 return HCI_AT_GENERAL_BONDING;
00ae4af9 644 default:
8556edd3 645 return HCI_AT_NO_BONDING;
00ae4af9 646 }
0684e5f9 647 }
8556edd3
JH		 648}
649
650/* Service level security */
d45fc423 651int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 652{
8c1d787b 653 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 654 __u8 auth_type;
655
4343478f 656 auth_type = l2cap_get_auth_type(chan);
79d554a6 657
4343478f 658 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 659}
660
b5ad8b7f 661static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 662{
663 u8 id;
664
665 /* Get next available identificator.
666 * 1 - 128 are used by kernel.
667 * 129 - 199 are reserved.
668 * 200 - 254 are used by utilities like l2ping, etc.
669 */
670
333055f2 671 spin_lock(&conn->lock);
4e8402a3
MH		 672
673 if (++conn->tx_ident > 128)
674 conn->tx_ident = 1;
675
676 id = conn->tx_ident;
677
333055f2 678 spin_unlock(&conn->lock);
4e8402a3
MH		 679
680 return id;
681}
682
4519de9a 683static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 684{
685 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 686 u8 flags;
4e8402a3
MH		 687
688 BT_DBG("code 0x%2.2x", code);
689
690 if (!skb)
9a9c6a34 691 return;
4e8402a3 692
e702112f
AE		 693 if (lmp_no_flush_capable(conn->hcon->hdev))
694 flags = ACL_START_NO_FLUSH;
695 else
696 flags = ACL_START;
697
14b12d0b 698 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 699 skb->priority = HCI_PRIO_MAX;
14b12d0b 700
73d80deb
LAD		 701 hci_send_acl(conn->hchan, skb, flags);
702}
703
704static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
705{
706 struct hci_conn *hcon = chan->conn->hcon;
707 u16 flags;
708
709 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
710 skb->priority);
711
712 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
713 lmp_no_flush_capable(hcon->hdev))
714 flags = ACL_START_NO_FLUSH;
715 else
716 flags = ACL_START;
14b12d0b 717
73d80deb
LAD		 718 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
719 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 720}
721
b76bbd66
MM		 722static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
723{
724 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
725 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
726
727 if (enh & L2CAP_CTRL_FRAME_TYPE) {
728 /* S-Frame */
729 control->sframe = 1;
730 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
731 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
732
733 control->sar = 0;
734 control->txseq = 0;
735 } else {
736 /* I-Frame */
737 control->sframe = 0;
738 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
739 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
740
741 control->poll = 0;
742 control->super = 0;
743 }
744}
745
b76bbd66
MM		 746static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
747{
748 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
749 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
750
751 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
752 /* S-Frame */
753 control->sframe = 1;
754 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
755 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
756
757 control->sar = 0;
758 control->txseq = 0;
759 } else {
760 /* I-Frame */
761 control->sframe = 0;
762 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
763 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
764
765 control->poll = 0;
766 control->super = 0;
767 }
768}
769
770static inline void __unpack_control(struct l2cap_chan *chan,
771 struct sk_buff *skb)
772{
773 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
774 __unpack_extended_control(get_unaligned_le32(skb->data),
775 &bt_cb(skb)->control);
776 } else {
777 __unpack_enhanced_control(get_unaligned_le16(skb->data),
778 &bt_cb(skb)->control);
779 }
780}
781
b5c6aaed
MM		 782static u32 __pack_extended_control(struct l2cap_ctrl *control)
783{
784 u32 packed;
785
786 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
787 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
788
789 if (control->sframe) {
790 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
791 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
792 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
793 } else {
794 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
795 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
796 }
797
798 return packed;
799}
800
801static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
802{
803 u16 packed;
804
805 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
806 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
807
808 if (control->sframe) {
809 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
810 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
811 packed |= L2CAP_CTRL_FRAME_TYPE;
812 } else {
813 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
814 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
815 }
816
817 return packed;
818}
819
b76bbd66
MM		 820static inline void __pack_control(struct l2cap_chan *chan,
821 struct l2cap_ctrl *control,
822 struct sk_buff *skb)
823{
824 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
825 put_unaligned_le32(__pack_extended_control(control),
826 skb->data + L2CAP_HDR_SIZE);
827 } else {
828 put_unaligned_le16(__pack_enhanced_control(control),
829 skb->data + L2CAP_HDR_SIZE);
830 }
831}
832
b5c6aaed
MM		 833static inline void l2cap_send_sframe(struct l2cap_chan *chan, u32 control)
834{
835 struct sk_buff *skb;
836 struct l2cap_hdr *lh;
837 struct l2cap_conn *conn = chan->conn;
838 int count, hlen;
839
840 if (chan->state != BT_CONNECTED)
841 return;
842
843 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
844 hlen = L2CAP_EXT_HDR_SIZE;
845 else
846 hlen = L2CAP_ENH_HDR_SIZE;
847
848 if (chan->fcs == L2CAP_FCS_CRC16)
849 hlen += L2CAP_FCS_SIZE;
850
851 BT_DBG("chan %p, control 0x%8.8x", chan, control);
852
853 count = min_t(unsigned int, conn->mtu, hlen);
854
855 control |= __set_sframe(chan);
856
857 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
858 control |= __set_ctrl_final(chan);
859
860 if (test_and_clear_bit(CONN_SEND_PBIT, &chan->conn_state))
861 control |= __set_ctrl_poll(chan);
862
863 skb = bt_skb_alloc(count, GFP_ATOMIC);
864 if (!skb)
865 return;
866
867 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
868 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
869 lh->cid = cpu_to_le16(chan->dcid);
870
871 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
872
873 if (chan->fcs == L2CAP_FCS_CRC16) {
874 u16 fcs = crc16(0, (u8 *)lh, count - L2CAP_FCS_SIZE);
875 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
876 }
877
878 skb->priority = HCI_PRIO_MAX;
879 l2cap_do_send(chan, skb);
880}
881
882static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u32 control)
883{
884 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
885 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
886 set_bit(CONN_RNR_SENT, &chan->conn_state);
887 } else
888 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
889
890 control |= __set_reqseq(chan, chan->buffer_seq);
891
892 l2cap_send_sframe(chan, control);
893}
894
b4450035 895static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 896{
c1360a1c 897 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 898}
899
9b27f350
AE		 900static void l2cap_send_conn_req(struct l2cap_chan *chan)
901{
902 struct l2cap_conn *conn = chan->conn;
903 struct l2cap_conn_req req;
904
905 req.scid = cpu_to_le16(chan->scid);
906 req.psm = chan->psm;
907
908 chan->ident = l2cap_get_ident(conn);
909
910 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
911
912 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
913}
914
9f0caeb1
VCG		 915static void l2cap_chan_ready(struct l2cap_chan *chan)
916{
917 struct sock *sk = chan->sk;
918 struct sock *parent;
919
920 lock_sock(sk);
921
922 parent = bt_sk(sk)->parent;
923
924 BT_DBG("sk %p, parent %p", sk, parent);
925
926 chan->conf_state = 0;
927 __clear_chan_timer(chan);
928
929 __l2cap_state_change(chan, BT_CONNECTED);
930 sk->sk_state_change(sk);
931
932 if (parent)
933 parent->sk_data_ready(parent, 0);
934
935 release_sock(sk);
936}
937
fc7f8a7e 938static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 939{
8c1d787b 940 struct l2cap_conn *conn = chan->conn;
79d554a6 941
9f0caeb1
VCG		 942 if (conn->hcon->type == LE_LINK) {
943 l2cap_chan_ready(chan);
944 return;
945 }
946
79d554a6 947 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 948 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
949 return;
950
d45fc423 951 if (l2cap_chan_check_security(chan) &&
9b27f350
AE		 952 __l2cap_no_conn_pending(chan))
953 l2cap_send_conn_req(chan);
79d554a6
MH		 954 } else {
955 struct l2cap_info_req req;
956 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
957
958 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
959 conn->info_ident = l2cap_get_ident(conn);
960
ba13ccd9 961 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 962
963 l2cap_send_cmd(conn, conn->info_ident,
964 L2CAP_INFO_REQ, sizeof(req), &req);
965 }
966}
967
cf6c2c0b
GP		 968static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
969{
970 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 971 if (!disable_ertm)
cf6c2c0b
GP		 972 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
973
974 switch (mode) {
975 case L2CAP_MODE_ERTM:
976 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
977 case L2CAP_MODE_STREAMING:
978 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
979 default:
980 return 0x00;
981 }
982}
983
4519de9a 984static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 985{
6be36555 986 struct sock *sk = chan->sk;
22121fc9
GP		 987 struct l2cap_disconn_req req;
988
c13ffa62
GP		 989 if (!conn)
990 return;
991
0c1bc5c6 992 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 993 __clear_retrans_timer(chan);
994 __clear_monitor_timer(chan);
995 __clear_ack_timer(chan);
c13ffa62
GP		 996 }
997
fe4128e0
GP		 998 req.dcid = cpu_to_le16(chan->dcid);
999 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 1000 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1001 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 1002
6be36555 1003 lock_sock(sk);
0e587be7 1004 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1005 __l2cap_chan_set_err(chan, err);
6be36555 1006 release_sock(sk);
22121fc9
GP		 1007}
1008
1da177e4 1009/* ---- L2CAP connections ---- */
4e8402a3
MH		 1010static void l2cap_conn_start(struct l2cap_conn *conn)
1011{
3df91ea2 1012 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1013
1014 BT_DBG("conn %p", conn);
1015
3df91ea2 1016 mutex_lock(&conn->chan_lock);
4e8402a3 1017
3df91ea2 1018 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1019 struct sock *sk = chan->sk;
baa7e1fa 1020
6be36555 1021 l2cap_chan_lock(chan);
4e8402a3 1022
715ec005 1023 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1024 l2cap_chan_unlock(chan);
79d554a6
MH		 1025 continue;
1026 }
1027
89bc500e 1028 if (chan->state == BT_CONNECT) {
d45fc423 1029 if (!l2cap_chan_check_security(chan) ||
b4450035 1030 !__l2cap_no_conn_pending(chan)) {
6be36555 1031 l2cap_chan_unlock(chan);
47731de7
GP		 1032 continue;
1033 }
79d554a6 1034
c1360a1c
GP		 1035 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1036 && test_bit(CONF_STATE2_DEVICE,
1037 &chan->conf_state)) {
89bc500e 1038 l2cap_chan_close(chan, ECONNRESET);
6be36555 1039 l2cap_chan_unlock(chan);
47731de7 1040 continue;
b1235d79 1041 }
47731de7 1042
9b27f350 1043 l2cap_send_conn_req(chan);
47731de7 1044
89bc500e 1045 } else if (chan->state == BT_CONNECT2) {
79d554a6 1046 struct l2cap_conn_rsp rsp;
e9aeb2dd 1047 char buf[128];
fe4128e0
GP		 1048 rsp.scid = cpu_to_le16(chan->dcid);
1049 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1050
d45fc423 1051 if (l2cap_chan_check_security(chan)) {
6be36555 1052 lock_sock(sk);
c5daa683
GP		 1053 if (test_bit(BT_SK_DEFER_SETUP,
1054 &bt_sk(sk)->flags)) {
f66dc81f
MH		 1055 struct sock *parent = bt_sk(sk)->parent;
1056 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1057 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 1058 if (parent)
1059 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 1060
1061 } else {
0e587be7 1062 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 1063 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1064 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1065 }
6be36555 1066 release_sock(sk);
79d554a6
MH		 1067 } else {
1068 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1069 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1070 }
1071
fc7f8a7e
GP		 1072 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1073 sizeof(rsp), &rsp);
e9aeb2dd 1074
c1360a1c 1075 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd 1076 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1077 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1078 continue;
1079 }
1080
c1360a1c 1081 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1082 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 1083 l2cap_build_conf_req(chan, buf), buf);
1084 chan->num_conf_req++;
4e8402a3
MH		 1085 }
1086
6be36555 1087 l2cap_chan_unlock(chan);
4e8402a3
MH		 1088 }
1089
3df91ea2 1090 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1091}
1092
c2287681 1093/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1094 * Returns closest match, locked.
1095 */
d9b88702 1096static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1097 bdaddr_t *src,
1098 bdaddr_t *dst)
b62f328b 1099{
23691d75 1100 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1101
23691d75 1102 read_lock(&chan_list_lock);
b62f328b 1103
23691d75
GP		 1104 list_for_each_entry(c, &chan_list, global_l) {
1105 struct sock *sk = c->sk;
fe4128e0 1106
89bc500e 1107 if (state && c->state != state)
b62f328b
VT		 1108 continue;
1109
23691d75 1110 if (c->scid == cid) {
c2287681
IY		 1111 int src_match, dst_match;
1112 int src_any, dst_any;
1113
b62f328b 1114 /* Exact match. */
c2287681
IY		 1115 src_match = !bacmp(&bt_sk(sk)->src, src);
1116 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1117 if (src_match && dst_match) {
23691d75
GP		 1118 read_unlock(&chan_list_lock);
1119 return c;
1120 }
b62f328b
VT		 1121
1122 /* Closest match */
c2287681
IY		 1123 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1124 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1125 if ((src_match && dst_any) || (src_any && dst_match) ||
1126 (src_any && dst_any))
23691d75 1127 c1 = c;
b62f328b
VT		 1128 }
1129 }
280f294f 1130
23691d75 1131 read_unlock(&chan_list_lock);
b62f328b 1132
23691d75 1133 return c1;
b62f328b
VT		 1134}
1135
1136static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1137{
c916fbe4 1138 struct sock *parent, *sk;
23691d75 1139 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1140
1141 BT_DBG("");
1142
1143 /* Check if we have socket listening on cid */
23691d75 1144 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1145 conn->src, conn->dst);
23691d75 1146 if (!pchan)
b62f328b
VT		 1147 return;
1148
23691d75
GP		 1149 parent = pchan->sk;
1150
aa2ac881 1151 lock_sock(parent);
62f3a2cf 1152
b62f328b
VT		 1153 /* Check for backlog size */
1154 if (sk_acceptq_is_full(parent)) {
1155 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1156 goto clean;
1157 }
1158
80808e43
GP		 1159 chan = pchan->ops->new_connection(pchan->data);
1160 if (!chan)
b62f328b
VT		 1161 goto clean;
1162
80808e43 1163 sk = chan->sk;
5d41ce1d 1164
b62f328b
VT		 1165 hci_conn_hold(conn->hcon);
1166
b62f328b
VT		 1167 bacpy(&bt_sk(sk)->src, conn->src);
1168 bacpy(&bt_sk(sk)->dst, conn->dst);
1169
d1010240
GP		 1170 bt_accept_enqueue(parent, sk);
1171
3d57dc68 1172 l2cap_chan_add(conn, chan);
48454079 1173
c9b66675 1174 __set_chan_timer(chan, sk->sk_sndtimeo);
b62f328b 1175
0e587be7 1176 __l2cap_state_change(chan, BT_CONNECTED);
b62f328b
VT		 1177 parent->sk_data_ready(parent, 0);
1178
b62f328b 1179clean:
aa2ac881 1180 release_sock(parent);
b62f328b
VT		 1181}
1182
4e8402a3
MH		 1183static void l2cap_conn_ready(struct l2cap_conn *conn)
1184{
48454079 1185 struct l2cap_chan *chan;
4e8402a3 1186
79d554a6 1187 BT_DBG("conn %p", conn);
4e8402a3 1188
b62f328b
VT		 1189 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
1190 l2cap_le_conn_ready(conn);
1191
160dc6ac
VCG		 1192 if (conn->hcon->out && conn->hcon->type == LE_LINK)
1193 smp_conn_security(conn, conn->hcon->pending_sec_level);
1194
3df91ea2 1195 mutex_lock(&conn->chan_lock);
4e8402a3 1196
3df91ea2 1197 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1198
6be36555 1199 l2cap_chan_lock(chan);
4e8402a3 1200
63128451 1201 if (conn->hcon->type == LE_LINK) {
b501d6a1 1202 if (smp_conn_security(conn, chan->sec_level))
cf4cd009 1203 l2cap_chan_ready(chan);
acd7d370 1204
63128451 1205 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1206 struct sock *sk = chan->sk;
c9b66675 1207 __clear_chan_timer(chan);
6be36555 1208 lock_sock(sk);
0e587be7 1209 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1210 sk->sk_state_change(sk);
6be36555 1211 release_sock(sk);
b501d6a1 1212
89bc500e 1213 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1214 l2cap_do_start(chan);
4e8402a3 1215
6be36555 1216 l2cap_chan_unlock(chan);
4e8402a3 1217 }
79d554a6 1218
3df91ea2 1219 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1220}
1221
1222/* Notify sockets that we cannot guaranty reliability anymore */
1223static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1224{
48454079 1225 struct l2cap_chan *chan;
4e8402a3
MH		 1226
1227 BT_DBG("conn %p", conn);
1228
3df91ea2 1229 mutex_lock(&conn->chan_lock);
4e8402a3 1230
3df91ea2 1231 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1232 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
2e0052e4 1233 __l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1234 }
1235
3df91ea2 1236 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1237}
1238
f878fcad 1239static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1240{
f878fcad 1241 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
030013d8 1242 info_timer.work);
4e8402a3 1243
984947dc 1244 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1245 conn->info_ident = 0;
984947dc 1246
4e8402a3
MH		 1247 l2cap_conn_start(conn);
1248}
1249
5d3de7df
VCG		 1250static void l2cap_conn_del(struct hci_conn *hcon, int err)
1251{
1252 struct l2cap_conn *conn = hcon->l2cap_data;
1253 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1254
1255 if (!conn)
1256 return;
1257
1258 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1259
1260 kfree_skb(conn->rx_skb);
1261
3df91ea2
AE		 1262 mutex_lock(&conn->chan_lock);
1263
5d3de7df
VCG		 1264 /* Kill channels */
1265 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1266 l2cap_chan_hold(chan);
6be36555
AE		 1267 l2cap_chan_lock(chan);
1268
5d3de7df 1269 l2cap_chan_del(chan, err);
6be36555
AE		 1270
1271 l2cap_chan_unlock(chan);
1272
5d3de7df 1273 chan->ops->close(chan->data);
61d6ef3e 1274 l2cap_chan_put(chan);
5d3de7df
VCG		 1275 }
1276
3df91ea2
AE		 1277 mutex_unlock(&conn->chan_lock);
1278
73d80deb
LAD		 1279 hci_chan_del(conn->hchan);
1280
5d3de7df 1281 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1282 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1283
51a8efd7 1284 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1285 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1286 smp_chan_destroy(conn);
d26a2345 1287 }
5d3de7df
VCG		 1288
1289 hcon->l2cap_data = NULL;
1290 kfree(conn);
1291}
1292
6c9d42a1 1293static void security_timeout(struct work_struct *work)
5d3de7df 1294{
6c9d42a1
GP		 1295 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1296 security_timer.work);
5d3de7df
VCG		 1297
1298 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1299}
1300
1da177e4
LT		 1301static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1302{
0139418c 1303 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1304 struct hci_chan *hchan;
1da177e4 1305
0139418c 1306 if (conn || status)
1da177e4
LT		 1307 return conn;
1308
73d80deb
LAD		 1309 hchan = hci_chan_create(hcon);
1310 if (!hchan)
1311 return NULL;
1312
0139418c 1313 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
73d80deb
LAD		 1314 if (!conn) {
1315 hci_chan_del(hchan);
1da177e4 1316 return NULL;
73d80deb 1317 }
1da177e4
LT		 1318
1319 hcon->l2cap_data = conn;
1320 conn->hcon = hcon;
73d80deb 1321 conn->hchan = hchan;
1da177e4 1322
73d80deb 1323 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1324
acd7d370
VT		 1325 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1326 conn->mtu = hcon->hdev->le_mtu;
1327 else
1328 conn->mtu = hcon->hdev->acl_mtu;
1329
1da177e4
LT		 1330 conn->src = &hcon->hdev->bdaddr;
1331 conn->dst = &hcon->dst;
1332
4e8402a3
MH		 1333 conn->feat_mask = 0;
1334
1da177e4 1335 spin_lock_init(&conn->lock);
3df91ea2 1336 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1337
1338 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1339
5d3de7df 1340 if (hcon->type == LE_LINK)
6c9d42a1 1341 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1342 else
030013d8 1343 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1344
9f5a0d7b 1345 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1346
1da177e4
LT		 1347 return conn;
1348}
1349
1da177e4 1350/* ---- Socket interface ---- */
1da177e4 1351
c2287681 1352/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1353 * Returns closest match.
1354 */
c2287681
IY		 1355static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1356 bdaddr_t *src,
1357 bdaddr_t *dst)
1da177e4 1358{
23691d75 1359 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1360
23691d75 1361 read_lock(&chan_list_lock);
e0f0cb56 1362
23691d75
GP		 1363 list_for_each_entry(c, &chan_list, global_l) {
1364 struct sock *sk = c->sk;
fe4128e0 1365
89bc500e 1366 if (state && c->state != state)
1da177e4
LT		 1367 continue;
1368
23691d75 1369 if (c->psm == psm) {
c2287681
IY		 1370 int src_match, dst_match;
1371 int src_any, dst_any;
1372
1da177e4 1373 /* Exact match. */
c2287681
IY		 1374 src_match = !bacmp(&bt_sk(sk)->src, src);
1375 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1376 if (src_match && dst_match) {
a7567b20 1377 read_unlock(&chan_list_lock);
23691d75
GP		 1378 return c;
1379 }
1da177e4
LT		 1380
1381 /* Closest match */
c2287681
IY		 1382 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1383 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1384 if ((src_match && dst_any) || (src_any && dst_match) ||
1385 (src_any && dst_any))
23691d75 1386 c1 = c;
1da177e4
LT		 1387 }
1388 }
1da177e4 1389
23691d75 1390 read_unlock(&chan_list_lock);
e0f0cb56 1391
23691d75 1392 return c1;
1da177e4
LT		 1393}
1394
8e9f9892
AG		 1395int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1396 bdaddr_t *dst, u8 dst_type)
1da177e4 1397{
5d41ce1d 1398 struct sock *sk = chan->sk;
1da177e4 1399 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1400 struct l2cap_conn *conn;
1401 struct hci_conn *hcon;
1402 struct hci_dev *hdev;
09ab6f4c 1403 __u8 auth_type;
44d0e48e 1404 int err;
1da177e4 1405
8e9f9892
AG		 1406 BT_DBG("%s -> %s (type %u) psm 0x%2.2x", batostr(src), batostr(dst),
1407 dst_type, __le16_to_cpu(chan->psm));
1da177e4 1408
af05b30b
GP		 1409 hdev = hci_get_route(dst, src);
1410 if (!hdev)
1da177e4
LT		 1411 return -EHOSTUNREACH;
1412
09fd0de5 1413 hci_dev_lock(hdev);
1da177e4 1414
6be36555 1415 l2cap_chan_lock(chan);
03a00194
GP		 1416
1417 /* PSM must be odd and lsb of upper byte must be 0 */
1418 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1419 chan->chan_type != L2CAP_CHAN_RAW) {
1420 err = -EINVAL;
1421 goto done;
1422 }
1423
1424 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1425 err = -EINVAL;
1426 goto done;
1427 }
1428
1429 switch (chan->mode) {
1430 case L2CAP_MODE_BASIC:
1431 break;
1432 case L2CAP_MODE_ERTM:
1433 case L2CAP_MODE_STREAMING:
1434 if (!disable_ertm)
1435 break;
1436 /* fall through */
1437 default:
1438 err = -ENOTSUPP;
1439 goto done;
1440 }
1441
6be36555
AE		 1442 lock_sock(sk);
1443
03a00194
GP		 1444 switch (sk->sk_state) {
1445 case BT_CONNECT:
1446 case BT_CONNECT2:
1447 case BT_CONFIG:
1448 /* Already connecting */
1449 err = 0;
6be36555 1450 release_sock(sk);
03a00194
GP		 1451 goto done;
1452
1453 case BT_CONNECTED:
1454 /* Already connected */
1455 err = -EISCONN;
6be36555 1456 release_sock(sk);
03a00194
GP		 1457 goto done;
1458
1459 case BT_OPEN:
1460 case BT_BOUND:
1461 /* Can connect */
1462 break;
1463
1464 default:
1465 err = -EBADFD;
6be36555 1466 release_sock(sk);
03a00194
GP		 1467 goto done;
1468 }
1469
1470 /* Set destination address and psm */
9219b2a0 1471 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1472
1473 release_sock(sk);
1474
03a00194
GP		 1475 chan->psm = psm;
1476 chan->dcid = cid;
1da177e4 1477
4343478f 1478 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1479
fe4128e0 1480 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1481 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1482 chan->sec_level, auth_type);
acd7d370 1483 else
8e9f9892 1484 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1485 chan->sec_level, auth_type);
acd7d370 1486
30e76272
VT		 1487 if (IS_ERR(hcon)) {
1488 err = PTR_ERR(hcon);
1da177e4 1489 goto done;
30e76272 1490 }
1da177e4
LT		 1491
1492 conn = l2cap_conn_add(hcon, 0);
1493 if (!conn) {
1494 hci_conn_put(hcon);
30e76272 1495 err = -ENOMEM;
1da177e4
LT		 1496 goto done;
1497 }
1498
9f0caeb1
VCG		 1499 if (hcon->type == LE_LINK) {
1500 err = 0;
1501
1502 if (!list_empty(&conn->chan_l)) {
1503 err = -EBUSY;
1504 hci_conn_put(hcon);
1505 }
1506
1507 if (err)
1508 goto done;
1509 }
1510
1da177e4
LT		 1511 /* Update source addr of the socket */
1512 bacpy(src, conn->src);
1513
6be36555 1514 l2cap_chan_unlock(chan);
48454079 1515 l2cap_chan_add(conn, chan);
6be36555 1516 l2cap_chan_lock(chan);
48454079 1517
6be36555 1518 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1519 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1520
1521 if (hcon->state == BT_CONNECTED) {
715ec005 1522 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1523 __clear_chan_timer(chan);
d45fc423 1524 if (l2cap_chan_check_security(chan))
6be36555 1525 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1526 } else
fc7f8a7e 1527 l2cap_do_start(chan);
1da177e4
LT		 1528 }
1529
30e76272
VT		 1530 err = 0;
1531
1da177e4 1532done:
6be36555 1533 l2cap_chan_unlock(chan);
09fd0de5 1534 hci_dev_unlock(hdev);
1da177e4
LT		 1535 hci_dev_put(hdev);
1536 return err;
1537}
1538
dcba0dba 1539int __l2cap_wait_ack(struct sock *sk)
6161c038 1540{
8c1d787b 1541 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1542 DECLARE_WAITQUEUE(wait, current);
1543 int err = 0;
1544 int timeo = HZ/5;
1545
2b0b05dd 1546 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1547 set_current_state(TASK_INTERRUPTIBLE);
1548 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1549 if (!timeo)
1550 timeo = HZ/5;
1551
1552 if (signal_pending(current)) {
1553 err = sock_intr_errno(timeo);
1554 break;
1555 }
1556
1557 release_sock(sk);
1558 timeo = schedule_timeout(timeo);
1559 lock_sock(sk);
a71a0cf4 1560 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1561
1562 err = sock_error(sk);
1563 if (err)
1564 break;
1565 }
1566 set_current_state(TASK_RUNNING);
2b0b05dd 1567 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1568 return err;
1569}
1570
721c4181 1571static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1572{
721c4181
GP		 1573 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1574 monitor_timer.work);
e90bac06 1575
525cd185 1576 BT_DBG("chan %p", chan);
0e98958d 1577
6be36555
AE		 1578 l2cap_chan_lock(chan);
1579
2c03a7a4 1580 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1581 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
6be36555 1582 l2cap_chan_unlock(chan);
8d7e1c7f 1583 l2cap_chan_put(chan);
e90bac06
GP		 1584 return;
1585 }
1586
6a026610 1587 chan->retry_count++;
1a09bcb9 1588 __set_monitor_timer(chan);
e90bac06 1589
525cd185 1590 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
6be36555 1591 l2cap_chan_unlock(chan);
8d7e1c7f 1592 l2cap_chan_put(chan);
e90bac06
GP		 1593}
1594
721c4181 1595static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1596{
721c4181
GP		 1597 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1598 retrans_timer.work);
e90bac06 1599
49208c9c 1600 BT_DBG("chan %p", chan);
0e98958d 1601
6be36555
AE		 1602 l2cap_chan_lock(chan);
1603
6a026610 1604 chan->retry_count = 1;
1a09bcb9 1605 __set_monitor_timer(chan);
e90bac06 1606
e2ab4353 1607 set_bit(CONN_WAIT_F, &chan->conn_state);
e90bac06 1608
525cd185 1609 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
6be36555
AE		 1610
1611 l2cap_chan_unlock(chan);
8d7e1c7f 1612 l2cap_chan_put(chan);
e90bac06
GP		 1613}
1614
42e5c802 1615static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1da177e4 1616{
1c2acffb 1617 struct sk_buff *skb;
1da177e4 1618
58d35f87 1619 while ((skb = skb_peek(&chan->tx_q)) &&
6a026610 1620 chan->unacked_frames) {
3ce3514f 1621 if (bt_cb(skb)->control.txseq == chan->expected_ack_seq)
1c2acffb 1622 break;
1da177e4 1623
58d35f87 1624 skb = skb_dequeue(&chan->tx_q);
1c2acffb 1625 kfree_skb(skb);
1da177e4 1626
6a026610 1627 chan->unacked_frames--;
1c2acffb 1628 }
1da177e4 1629
6a026610 1630 if (!chan->unacked_frames)
1a09bcb9 1631 __clear_retrans_timer(chan);
1c2acffb 1632}
1da177e4 1633
67c9e840 1634static void l2cap_streaming_send(struct l2cap_chan *chan)
6840ed07 1635{
ccbb84af 1636 struct sk_buff *skb;
88843ab0
AE		 1637 u32 control;
1638 u16 fcs;
6840ed07 1639
58d35f87 1640 while ((skb = skb_dequeue(&chan->tx_q))) {
88843ab0 1641 control = __get_control(chan, skb->data + L2CAP_HDR_SIZE);
fb45de7d 1642 control |= __set_txseq(chan, chan->next_tx_seq);
94122bbe 1643 control |= __set_ctrl_sar(chan, bt_cb(skb)->control.sar);
88843ab0 1644 __put_control(chan, control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1645
47d1ec61 1646 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1647 fcs = crc16(0, (u8 *)skb->data,
1648 skb->len - L2CAP_FCS_SIZE);
1649 put_unaligned_le16(fcs,
1650 skb->data + skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 1651 }
1652
4343478f 1653 l2cap_do_send(chan, skb);
6840ed07 1654
836be934 1655 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
6840ed07 1656 }
6840ed07
GP		 1657}
1658
fb45de7d 1659static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 1660{
8f17154f 1661 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1662 u16 fcs;
1663 u32 control;
8f17154f 1664
58d35f87 1665 skb = skb_peek(&chan->tx_q);
f11d676d
GP		 1666 if (!skb)
1667 return;
8f17154f 1668
3ce3514f 1669 while (bt_cb(skb)->control.txseq != tx_seq) {
58d35f87 1670 if (skb_queue_is_last(&chan->tx_q, skb))
f11d676d 1671 return;
8f17154f 1672
d1726b6d
SJ		 1673 skb = skb_queue_next(&chan->tx_q, skb);
1674 }
8f17154f 1675
3ce3514f
MM		 1676 if (bt_cb(skb)->control.retries == chan->remote_max_tx &&
1677 chan->remote_max_tx) {
8c1d787b 1678 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
f11d676d
GP		 1679 return;
1680 }
1681
1682 tx_skb = skb_clone(skb, GFP_ATOMIC);
3ce3514f 1683 bt_cb(skb)->control.retries++;
88843ab0
AE		 1684
1685 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1686 control &= __get_sar_mask(chan);
3cb123d1 1687
e2ab4353 1688 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1689 control |= __set_ctrl_final(chan);
95ffa978 1690
0b209fae 1691 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1692 control |= __set_txseq(chan, tx_seq);
3cb123d1 1693
88843ab0 1694 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
f11d676d 1695
47d1ec61 1696 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1697 fcs = crc16(0, (u8 *)tx_skb->data,
1698 tx_skb->len - L2CAP_FCS_SIZE);
1699 put_unaligned_le16(fcs,
1700 tx_skb->data + tx_skb->len - L2CAP_FCS_SIZE);
f11d676d
GP		 1701 }
1702
4343478f 1703 l2cap_do_send(chan, tx_skb);
8f17154f
GP		 1704}
1705
67c9e840 1706static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1707{
1708 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1709 u16 fcs;
1710 u32 control;
9a9c6a34 1711 int nsent = 0;
1c2acffb 1712
89bc500e 1713 if (chan->state != BT_CONNECTED)
c13ffa62 1714 return -ENOTCONN;
e90bac06 1715
94122bbe
MM		 1716 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1717 return 0;
1718
58d35f87 1719 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1c2acffb 1720
3ce3514f
MM		 1721 if (bt_cb(skb)->control.retries == chan->remote_max_tx &&
1722 chan->remote_max_tx) {
8c1d787b 1723 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
e90bac06
GP		 1724 break;
1725 }
1726
e420aba3
AE		 1727 tx_skb = skb_clone(skb, GFP_ATOMIC);
1728
3ce3514f 1729 bt_cb(skb)->control.retries++;
e90bac06 1730
88843ab0 1731 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1732 control &= __get_sar_mask(chan);
95ffa978 1733
e2ab4353 1734 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1735 control |= __set_ctrl_final(chan);
e2ab4353 1736
0b209fae 1737 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1738 control |= __set_txseq(chan, chan->next_tx_seq);
94122bbe 1739 control |= __set_ctrl_sar(chan, bt_cb(skb)->control.sar);
1c2acffb 1740
88843ab0 1741 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
e90bac06 1742
47d1ec61 1743 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1744 fcs = crc16(0, (u8 *)skb->data,
1745 tx_skb->len - L2CAP_FCS_SIZE);
1746 put_unaligned_le16(fcs, skb->data +
1747 tx_skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 1748 }
1749
4343478f 1750 l2cap_do_send(chan, tx_skb);
9a9c6a34 1751
1a09bcb9 1752 __set_retrans_timer(chan);
1c2acffb 1753
3ce3514f 1754 bt_cb(skb)->control.txseq = chan->next_tx_seq;
836be934
AE		 1755
1756 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1c2acffb 1757
3ce3514f 1758 if (bt_cb(skb)->control.retries == 1) {
6a026610 1759 chan->unacked_frames++;
930fa4ae
SJ		 1760
1761 if (!nsent++)
1762 __clear_ack_timer(chan);
8ed7a0ae 1763 }
23e9fde2 1764
6a026610 1765 chan->frames_sent++;
1c2acffb 1766
58d35f87
GP		 1767 if (skb_queue_is_last(&chan->tx_q, skb))
1768 chan->tx_send_head = NULL;
1c2acffb 1769 else
58d35f87 1770 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1c2acffb
GP		 1771 }
1772
9e917af1
GP		 1773 return nsent;
1774}
1775
525cd185 1776static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1777{
dfc909be
GP		 1778 int ret;
1779
58d35f87
GP		 1780 if (!skb_queue_empty(&chan->tx_q))
1781 chan->tx_send_head = chan->tx_q.next;
dfc909be 1782
42e5c802 1783 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1784 ret = l2cap_ertm_send(chan);
dfc909be
GP		 1785 return ret;
1786}
1787
b17e73bb 1788static void __l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1789{
88843ab0 1790 u32 control = 0;
9e917af1 1791
0b209fae 1792 control |= __set_reqseq(chan, chan->buffer_seq);
9e917af1 1793
e2ab4353 1794 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 1795 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 1796 set_bit(CONN_RNR_SENT, &chan->conn_state);
525cd185 1797 l2cap_send_sframe(chan, control);
9a9c6a34 1798 return;
9e917af1 1799 }
dfc909be 1800
525cd185 1801 if (l2cap_ertm_send(chan) > 0)
dfc909be
GP		 1802 return;
1803
ab784b73 1804 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 1805 l2cap_send_sframe(chan, control);
1c2acffb
GP		 1806}
1807
b17e73bb
SJ		 1808static void l2cap_send_ack(struct l2cap_chan *chan)
1809{
1810 __clear_ack_timer(chan);
1811 __l2cap_send_ack(chan);
1812}
1813
525cd185 1814static void l2cap_send_srejtail(struct l2cap_chan *chan)
99b0d4b7
GP		 1815{
1816 struct srej_list *tail;
88843ab0 1817 u32 control;
99b0d4b7 1818
ab784b73 1819 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
03f6715d 1820 control |= __set_ctrl_final(chan);
99b0d4b7 1821
39d5a3ee 1822 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
0b209fae 1823 control |= __set_reqseq(chan, tail->tx_seq);
99b0d4b7 1824
525cd185 1825 l2cap_send_sframe(chan, control);
99b0d4b7
GP		 1826}
1827
04124681
GP		 1828static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
1829 struct msghdr *msg, int len,
1830 int count, struct sk_buff *skb)
1c2acffb 1831{
0952a57a 1832 struct l2cap_conn *conn = chan->conn;
1c2acffb 1833 struct sk_buff **frag;
90338947 1834 int sent = 0;
1da177e4 1835
59203a21 1836 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1837 return -EFAULT;
1da177e4
LT		 1838
1839 sent += count;
1840 len -= count;
1841
1842 /* Continuation fragments (no L2CAP header) */
1843 frag = &skb_shinfo(skb)->frag_list;
1844 while (len) {
fbe00700
GP		 1845 struct sk_buff *tmp;
1846
1da177e4
LT		 1847 count = min_t(unsigned int, conn->mtu, len);
1848
fbe00700
GP		 1849 tmp = chan->ops->alloc_skb(chan, count,
1850 msg->msg_flags & MSG_DONTWAIT);
1851 if (IS_ERR(tmp))
1852 return PTR_ERR(tmp);
1853
1854 *frag = tmp;
2f7719ce 1855
1c2acffb
GP		 1856 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1857 return -EFAULT;
1da177e4 1858
5e59b791
LAD		 1859 (*frag)->priority = skb->priority;
1860
1da177e4
LT		 1861 sent += count;
1862 len -= count;
1863
2d0ed3d5
GP		 1864 skb->len += (*frag)->len;
1865 skb->data_len += (*frag)->len;
1866
1da177e4
LT		 1867 frag = &(*frag)->next;
1868 }
1da177e4
LT		 1869
1870 return sent;
1c2acffb 1871}
1da177e4 1872
5e59b791
LAD		 1873static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
1874 struct msghdr *msg, size_t len,
1875 u32 priority)
1c2acffb 1876{
8c1d787b 1877 struct l2cap_conn *conn = chan->conn;
1c2acffb 1878 struct sk_buff *skb;
03a51213 1879 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 1880 struct l2cap_hdr *lh;
1881
6d5922b0 1882 BT_DBG("chan %p len %d priority %u", chan, (int)len, priority);
1c2acffb
GP		 1883
1884 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1885
1886 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 1887 msg->msg_flags & MSG_DONTWAIT);
1888 if (IS_ERR(skb))
1889 return skb;
1c2acffb 1890
5e59b791
LAD		 1891 skb->priority = priority;
1892
1c2acffb
GP		 1893 /* Create L2CAP header */
1894 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1895 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 1896 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
1897 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 1898
0952a57a 1899 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1900 if (unlikely(err < 0)) {
1901 kfree_skb(skb);
1902 return ERR_PTR(err);
1903 }
1904 return skb;
1905}
1906
5e59b791
LAD		 1907static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
1908 struct msghdr *msg, size_t len,
1909 u32 priority)
1c2acffb 1910{
8c1d787b 1911 struct l2cap_conn *conn = chan->conn;
1c2acffb 1912 struct sk_buff *skb;
f2ba7fae 1913 int err, count;
1c2acffb
GP		 1914 struct l2cap_hdr *lh;
1915
6d5922b0 1916 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 1917
f2ba7fae 1918 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 1919
f2ba7fae 1920 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 1921 msg->msg_flags & MSG_DONTWAIT);
1922 if (IS_ERR(skb))
1923 return skb;
1c2acffb 1924
5e59b791
LAD		 1925 skb->priority = priority;
1926
1c2acffb
GP		 1927 /* Create L2CAP header */
1928 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1929 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 1930 lh->len = cpu_to_le16(len);
1c2acffb 1931
0952a57a 1932 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1933 if (unlikely(err < 0)) {
1934 kfree_skb(skb);
1935 return ERR_PTR(err);
1936 }
1937 return skb;
1938}
1939
ab0ff76d
LAD		 1940static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
1941 struct msghdr *msg, size_t len,
94122bbe 1942 u16 sdulen)
1c2acffb 1943{
8c1d787b 1944 struct l2cap_conn *conn = chan->conn;
1c2acffb 1945 struct sk_buff *skb;
e4ca6d98 1946 int err, count, hlen;
1c2acffb
GP		 1947 struct l2cap_hdr *lh;
1948
6d5922b0 1949 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 1950
0ee0d208
GP		 1951 if (!conn)
1952 return ERR_PTR(-ENOTCONN);
1953
e4ca6d98
AE		 1954 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1955 hlen = L2CAP_EXT_HDR_SIZE;
1956 else
1957 hlen = L2CAP_ENH_HDR_SIZE;
1958
c74e560c 1959 if (sdulen)
03a51213 1960 hlen += L2CAP_SDULEN_SIZE;
c74e560c 1961
47d1ec61 1962 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1963 hlen += L2CAP_FCS_SIZE;
fcc203c3 1964
1c2acffb 1965 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1966
1967 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 1968 msg->msg_flags & MSG_DONTWAIT);
1969 if (IS_ERR(skb))
1970 return skb;
1c2acffb
GP		 1971
1972 /* Create L2CAP header */
1973 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1974 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1975 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 1976
94122bbe 1977 __put_control(chan, 0, skb_put(skb, __ctrl_size(chan)));
88843ab0 1978
c74e560c 1979 if (sdulen)
03a51213 1980 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 1981
0952a57a 1982 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1983 if (unlikely(err < 0)) {
1984 kfree_skb(skb);
1985 return ERR_PTR(err);
1986 }
e90bac06 1987
47d1ec61 1988 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1989 put_unaligned_le16(0, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3 1990
3ce3514f 1991 bt_cb(skb)->control.retries = 0;
1c2acffb 1992 return skb;
1da177e4
LT		 1993}
1994
94122bbe
MM		 1995static int l2cap_segment_sdu(struct l2cap_chan *chan,
1996 struct sk_buff_head *seg_queue,
1997 struct msghdr *msg, size_t len)
c74e560c 1998{
c74e560c 1999 struct sk_buff *skb;
94122bbe
MM		 2000 u16 sdu_len;
2001 size_t pdu_len;
2002 int err = 0;
2003 u8 sar;
c74e560c 2004
94122bbe 2005 BT_DBG("chan %p, msg %p, len %d", chan, msg, (int)len);
c74e560c 2006
94122bbe
MM		 2007 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2008 * so fragmented skbs are not used. The HCI layer's handling
2009 * of fragmented skbs is not compatible with ERTM's queueing.
2010 */
c74e560c 2011
94122bbe
MM		 2012 /* PDU size is derived from the HCI MTU */
2013 pdu_len = chan->conn->mtu;
c74e560c 2014
94122bbe
MM		 2015 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2016
2017 /* Adjust for largest possible L2CAP overhead. */
2018 pdu_len -= L2CAP_EXT_HDR_SIZE + L2CAP_FCS_SIZE;
2019
2020 /* Remote device may have requested smaller PDUs */
2021 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2022
2023 if (len <= pdu_len) {
2024 sar = L2CAP_SAR_UNSEGMENTED;
2025 sdu_len = 0;
2026 pdu_len = len;
2027 } else {
2028 sar = L2CAP_SAR_START;
2029 sdu_len = len;
2030 pdu_len -= L2CAP_SDULEN_SIZE;
2031 }
2032
2033 while (len > 0) {
2034 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2035
c74e560c 2036 if (IS_ERR(skb)) {
94122bbe 2037 __skb_queue_purge(seg_queue);
c74e560c
GP		 2038 return PTR_ERR(skb);
2039 }
2040
94122bbe
MM		 2041 bt_cb(skb)->control.sar = sar;
2042 __skb_queue_tail(seg_queue, skb);
2043
2044 len -= pdu_len;
2045 if (sdu_len) {
2046 sdu_len = 0;
2047 pdu_len += L2CAP_SDULEN_SIZE;
2048 }
2049
2050 if (len <= pdu_len) {
2051 sar = L2CAP_SAR_END;
2052 pdu_len = len;
2053 } else {
2054 sar = L2CAP_SAR_CONTINUE;
2055 }
c74e560c 2056 }
c74e560c 2057
94122bbe 2058 return err;
c74e560c
GP		 2059}
2060
5e59b791
LAD		 2061int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2062 u32 priority)
9a91a04a 2063{
9a91a04a 2064 struct sk_buff *skb;
9a91a04a 2065 int err;
94122bbe 2066 struct sk_buff_head seg_queue;
9a91a04a
GP		 2067
2068 /* Connectionless channel */
715ec005 2069 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2070 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2071 if (IS_ERR(skb))
2072 return PTR_ERR(skb);
2073
2074 l2cap_do_send(chan, skb);
2075 return len;
2076 }
2077
2078 switch (chan->mode) {
2079 case L2CAP_MODE_BASIC:
2080 /* Check outgoing MTU */
2081 if (len > chan->omtu)
2082 return -EMSGSIZE;
2083
2084 /* Create a basic PDU */
5e59b791 2085 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2086 if (IS_ERR(skb))
2087 return PTR_ERR(skb);
2088
2089 l2cap_do_send(chan, skb);
2090 err = len;
2091 break;
2092
2093 case L2CAP_MODE_ERTM:
2094 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2095 /* Check outgoing MTU */
2096 if (len > chan->omtu) {
2097 err = -EMSGSIZE;
2098 break;
2099 }
9a91a04a 2100
94122bbe 2101 __skb_queue_head_init(&seg_queue);
9a91a04a 2102
94122bbe
MM		 2103 /* Do segmentation before calling in to the state machine,
2104 * since it's possible to block while waiting for memory
2105 * allocation.
2106 */
2107 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2108
94122bbe
MM		 2109 /* The channel could have been closed while segmenting,
2110 * check that it is still connected.
2111 */
2112 if (chan->state != BT_CONNECTED) {
2113 __skb_queue_purge(&seg_queue);
2114 err = -ENOTCONN;
9a91a04a
GP		 2115 }
2116
94122bbe 2117 if (err)
9a91a04a 2118 break;
9a91a04a 2119
577cfaeb
MM		 2120 if (chan->mode == L2CAP_MODE_ERTM && chan->tx_send_head == NULL)
2121 chan->tx_send_head = seg_queue.next;
94122bbe 2122 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
577cfaeb 2123
94122bbe
MM		 2124 if (chan->mode == L2CAP_MODE_ERTM)
2125 err = l2cap_ertm_send(chan);
2126 else
2127 l2cap_streaming_send(chan);
9a91a04a 2128
9a91a04a
GP		 2129 if (err >= 0)
2130 err = len;
2131
94122bbe
MM		 2132 /* If the skbs were not queued for sending, they'll still be in
2133 * seg_queue and need to be purged.
2134 */
2135 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2136 break;
2137
2138 default:
2139 BT_DBG("bad state %1.1x", chan->mode);
2140 err = -EBADFD;
2141 }
2142
2143 return err;
2144}
2145
1da177e4
LT		 2146/* Copy frame to all raw sockets on that connection */
2147static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2148{
1da177e4 2149 struct sk_buff *nskb;
48454079 2150 struct l2cap_chan *chan;
1da177e4
LT		 2151
2152 BT_DBG("conn %p", conn);
2153
3df91ea2 2154 mutex_lock(&conn->chan_lock);
3d57dc68 2155
3df91ea2 2156 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2157 struct sock *sk = chan->sk;
715ec005 2158 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2159 continue;
2160
2161 /* Don't send frame to the socket it came from */
2162 if (skb->sk == sk)
2163 continue;
af05b30b
GP		 2164 nskb = skb_clone(skb, GFP_ATOMIC);
2165 if (!nskb)
1da177e4
LT		 2166 continue;
2167
23070494 2168 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT		 2169 kfree_skb(nskb);
2170 }
3d57dc68 2171
3df91ea2 2172 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2173}
2174
2175/* ---- L2CAP signalling commands ---- */
2176static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2177 u8 code, u8 ident, u16 dlen, void *data)
2178{
2179 struct sk_buff *skb, **frag;
2180 struct l2cap_cmd_hdr *cmd;
2181 struct l2cap_hdr *lh;
2182 int len, count;
2183
af05b30b
GP		 2184 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2185 conn, code, ident, dlen);
1da177e4
LT		 2186
2187 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2188 count = min_t(unsigned int, conn->mtu, len);
2189
2190 skb = bt_skb_alloc(count, GFP_ATOMIC);
2191 if (!skb)
2192 return NULL;
2193
2194 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2195 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2196
2197 if (conn->hcon->type == LE_LINK)
2198 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2199 else
2200 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2201
2202 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2203 cmd->code = code;
2204 cmd->ident = ident;
aca3192c 2205 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2206
2207 if (dlen) {
2208 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2209 memcpy(skb_put(skb, count), data, count);
2210 data += count;
2211 }
2212
2213 len -= skb->len;
2214
2215 /* Continuation fragments (no L2CAP header) */
2216 frag = &skb_shinfo(skb)->frag_list;
2217 while (len) {
2218 count = min_t(unsigned int, conn->mtu, len);
2219
2220 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2221 if (!*frag)
2222 goto fail;
2223
2224 memcpy(skb_put(*frag, count), data, count);
2225
2226 len -= count;
2227 data += count;
2228
2229 frag = &(*frag)->next;
2230 }
2231
2232 return skb;
2233
2234fail:
2235 kfree_skb(skb);
2236 return NULL;
2237}
2238
2239static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2240{
2241 struct l2cap_conf_opt *opt = *ptr;
2242 int len;
2243
2244 len = L2CAP_CONF_OPT_SIZE + opt->len;
2245 *ptr += len;
2246
2247 *type = opt->type;
2248 *olen = opt->len;
2249
2250 switch (opt->len) {
2251 case 1:
2252 *val = *((u8 *) opt->val);
2253 break;
2254
2255 case 2:
bfaaeb3e 2256 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2257 break;
2258
2259 case 4:
bfaaeb3e 2260 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2261 break;
2262
2263 default:
2264 *val = (unsigned long) opt->val;
2265 break;
2266 }
2267
2268 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2269 return len;
2270}
2271
1da177e4
LT		 2272static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2273{
2274 struct l2cap_conf_opt *opt = *ptr;
2275
2276 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2277
2278 opt->type = type;
2279 opt->len = len;
2280
2281 switch (len) {
2282 case 1:
2283 *((u8 *) opt->val) = val;
2284 break;
2285
2286 case 2:
4f8b691c 2287 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2288 break;
2289
2290 case 4:
4f8b691c 2291 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2292 break;
2293
2294 default:
2295 memcpy(opt->val, (void *) val, len);
2296 break;
2297 }
2298
2299 *ptr += L2CAP_CONF_OPT_SIZE + len;
2300}
2301
f89cef09
AE		 2302static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2303{
2304 struct l2cap_conf_efs efs;
2305
1ec918ce 2306 switch (chan->mode) {
f89cef09
AE		 2307 case L2CAP_MODE_ERTM:
2308 efs.id = chan->local_id;
2309 efs.stype = chan->local_stype;
2310 efs.msdu = cpu_to_le16(chan->local_msdu);
2311 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2312 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2313 efs.flush_to = cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
2314 break;
2315
2316 case L2CAP_MODE_STREAMING:
2317 efs.id = 1;
2318 efs.stype = L2CAP_SERV_BESTEFFORT;
2319 efs.msdu = cpu_to_le16(chan->local_msdu);
2320 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2321 efs.acc_lat = 0;
2322 efs.flush_to = 0;
2323 break;
2324
2325 default:
2326 return;
2327 }
2328
2329 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
2330 (unsigned long) &efs);
2331}
2332
721c4181 2333static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2334{
721c4181
GP		 2335 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2336 ack_timer.work);
c1b4f43b 2337
2fb9b3d4
GP		 2338 BT_DBG("chan %p", chan);
2339
6be36555
AE		 2340 l2cap_chan_lock(chan);
2341
b17e73bb 2342 __l2cap_send_ack(chan);
6be36555
AE		 2343
2344 l2cap_chan_unlock(chan);
09bfb2ee
SJ		 2345
2346 l2cap_chan_put(chan);
c1b4f43b
GP		 2347}
2348
3c588192 2349static inline int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2350{
3c588192
MM		 2351 int err;
2352
105bdf9e
MM		 2353 chan->next_tx_seq = 0;
2354 chan->expected_tx_seq = 0;
42e5c802 2355 chan->expected_ack_seq = 0;
6a026610 2356 chan->unacked_frames = 0;
42e5c802 2357 chan->buffer_seq = 0;
6a026610
GP		 2358 chan->num_acked = 0;
2359 chan->frames_sent = 0;
105bdf9e
MM		 2360 chan->last_acked_seq = 0;
2361 chan->sdu = NULL;
2362 chan->sdu_last_frag = NULL;
2363 chan->sdu_len = 0;
2364
d34c34fb
MM		 2365 skb_queue_head_init(&chan->tx_q);
2366
105bdf9e
MM		 2367 if (chan->mode != L2CAP_MODE_ERTM)
2368 return 0;
2369
2370 chan->rx_state = L2CAP_RX_STATE_RECV;
2371 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2372
721c4181
GP		 2373 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2374 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2375 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2376
f1c6775b 2377 skb_queue_head_init(&chan->srej_q);
1890d36b 2378
39d5a3ee 2379 INIT_LIST_HEAD(&chan->srej_l);
3c588192
MM		 2380 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2381 if (err < 0)
2382 return err;
2383
2384 return l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
0565c1c2
GP		 2385}
2386
f2fcfcd6
GP		 2387static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2388{
2389 switch (mode) {
2390 case L2CAP_MODE_STREAMING:
2391 case L2CAP_MODE_ERTM:
2392 if (l2cap_mode_supported(mode, remote_feat_mask))
2393 return mode;
2394 /* fall through */
2395 default:
2396 return L2CAP_MODE_BASIC;
2397 }
2398}
2399
6327eb98
AE		 2400static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2401{
2402 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2403}
2404
f89cef09
AE		 2405static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2406{
2407 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2408}
2409
6327eb98
AE		 2410static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2411{
2412 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 2413 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2414 /* use extended control field */
2415 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2416 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2417 } else {
6327eb98
AE		 2418 chan->tx_win = min_t(u16, chan->tx_win,
2419 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2420 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2421 }
6327eb98
AE		 2422}
2423
710f9b0a 2424static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2425{
1da177e4 2426 struct l2cap_conf_req *req = data;
0c1bc5c6 2427 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2428 void *ptr = req->data;
c8f79162 2429 u16 size;
1da177e4 2430
49208c9c 2431 BT_DBG("chan %p", chan);
1da177e4 2432
73ffa904 2433 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2434 goto done;
2435
0c1bc5c6 2436 switch (chan->mode) {
f2fcfcd6
GP		 2437 case L2CAP_MODE_STREAMING:
2438 case L2CAP_MODE_ERTM:
c1360a1c 2439 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2440 break;
85eb53c6 2441
f89cef09
AE		 2442 if (__l2cap_efs_supported(chan))
2443 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2444
2ba13ed6 2445 /* fall through */
f2fcfcd6 2446 default:
8c1d787b 2447 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2448 break;
2449 }
2450
2451done:
0c1bc5c6
GP		 2452 if (chan->imtu != L2CAP_DEFAULT_MTU)
2453 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2454
0c1bc5c6 2455 switch (chan->mode) {
65c7c491 2456 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2457 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2458 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2459 break;
2460
62547752
GP		 2461 rfc.mode = L2CAP_MODE_BASIC;
2462 rfc.txwin_size = 0;
2463 rfc.max_transmit = 0;
2464 rfc.retrans_timeout = 0;
2465 rfc.monitor_timeout = 0;
2466 rfc.max_pdu_size = 0;
2467
63406504
GP		 2468 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2469 (unsigned long) &rfc);
65c7c491
MH		 2470 break;
2471
2472 case L2CAP_MODE_ERTM:
2473 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2474 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2475 rfc.retrans_timeout = 0;
2476 rfc.monitor_timeout = 0;
c8f79162
AE		 2477
2478 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2479 L2CAP_EXT_HDR_SIZE -
2480 L2CAP_SDULEN_SIZE -
2481 L2CAP_FCS_SIZE);
2482 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2483
6327eb98
AE		 2484 l2cap_txwin_setup(chan);
2485
2486 rfc.txwin_size = min_t(u16, chan->tx_win,
2487 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2488
63406504
GP		 2489 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2490 (unsigned long) &rfc);
2491
f89cef09
AE		 2492 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2493 l2cap_add_opt_efs(&ptr, chan);
2494
8c1d787b 2495 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2496 break;
2497
47d1ec61 2498 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2499 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2500 chan->fcs = L2CAP_FCS_NONE;
2501 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2502 }
6327eb98
AE		 2503
2504 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2505 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2506 chan->tx_win);
f2fcfcd6
GP		 2507 break;
2508
2509 case L2CAP_MODE_STREAMING:
2510 rfc.mode = L2CAP_MODE_STREAMING;
2511 rfc.txwin_size = 0;
2512 rfc.max_transmit = 0;
2513 rfc.retrans_timeout = 0;
2514 rfc.monitor_timeout = 0;
c8f79162
AE		 2515
2516 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2517 L2CAP_EXT_HDR_SIZE -
2518 L2CAP_SDULEN_SIZE -
2519 L2CAP_FCS_SIZE);
2520 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2521
63406504
GP		 2522 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2523 (unsigned long) &rfc);
2524
f89cef09
AE		 2525 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2526 l2cap_add_opt_efs(&ptr, chan);
2527
8c1d787b 2528 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2529 break;
2530
47d1ec61 2531 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2532 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2533 chan->fcs = L2CAP_FCS_NONE;
2534 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2535 }
65c7c491
MH		 2536 break;
2537 }
1da177e4 2538
fe4128e0 2539 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 2540 req->flags = cpu_to_le16(0);
1da177e4
LT		 2541
2542 return ptr - data;
2543}
2544
73ffa904 2545static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2546{
5dee9e7c
MH		 2547 struct l2cap_conf_rsp *rsp = data;
2548 void *ptr = rsp->data;
73ffa904
GP		 2549 void *req = chan->conf_req;
2550 int len = chan->conf_len;
5dee9e7c
MH		 2551 int type, hint, olen;
2552 unsigned long val;
6464f35f 2553 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2554 struct l2cap_conf_efs efs;
2555 u8 remote_efs = 0;
861d6882 2556 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2557 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2558 u16 size;
1da177e4 2559
73ffa904 2560 BT_DBG("chan %p", chan);
820ae1b8 2561
5dee9e7c
MH		 2562 while (len >= L2CAP_CONF_OPT_SIZE) {
2563 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2564
589d2746 2565 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2566 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2567
2568 switch (type) {
2569 case L2CAP_CONF_MTU:
861d6882 2570 mtu = val;
5dee9e7c
MH		 2571 break;
2572
2573 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2574 chan->flush_to = val;
5dee9e7c
MH		 2575 break;
2576
2577 case L2CAP_CONF_QOS:
2578 break;
2579
6464f35f
MH		 2580 case L2CAP_CONF_RFC:
2581 if (olen == sizeof(rfc))
2582 memcpy(&rfc, (void *) val, olen);
2583 break;
2584
fcc203c3
GP		 2585 case L2CAP_CONF_FCS:
2586 if (val == L2CAP_FCS_NONE)
c1360a1c 2587 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 2588 break;
fcc203c3 2589
42dceae2
AE		 2590 case L2CAP_CONF_EFS:
2591 remote_efs = 1;
2592 if (olen == sizeof(efs))
2593 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 2594 break;
2595
6327eb98
AE		 2596 case L2CAP_CONF_EWS:
2597 if (!enable_hs)
2598 return -ECONNREFUSED;
fcc203c3 2599
6327eb98
AE		 2600 set_bit(FLAG_EXT_CTRL, &chan->flags);
2601 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 2602 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 2603 chan->remote_tx_win = val;
fcc203c3
GP		 2604 break;
2605
5dee9e7c
MH		 2606 default:
2607 if (hint)
2608 break;
2609
2610 result = L2CAP_CONF_UNKNOWN;
2611 *((u8 *) ptr++) = type;
2612 break;
2613 }
2614 }
2615
73ffa904 2616 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2617 goto done;
2618
0c1bc5c6 2619 switch (chan->mode) {
f2fcfcd6
GP		 2620 case L2CAP_MODE_STREAMING:
2621 case L2CAP_MODE_ERTM:
c1360a1c 2622 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2623 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2624 chan->conn->feat_mask);
85eb53c6
GP		 2625 break;
2626 }
2627
42dceae2
AE		 2628 if (remote_efs) {
2629 if (__l2cap_efs_supported(chan))
2630 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2631 else
2632 return -ECONNREFUSED;
2633 }
2634
0c1bc5c6 2635 if (chan->mode != rfc.mode)
f2fcfcd6 2636 return -ECONNREFUSED;
742e519b 2637
f2fcfcd6 2638 break;
f2fcfcd6
GP		 2639 }
2640
2641done:
0c1bc5c6 2642 if (chan->mode != rfc.mode) {
f2fcfcd6 2643 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2644 rfc.mode = chan->mode;
f2fcfcd6 2645
73ffa904 2646 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2647 return -ECONNREFUSED;
2648
2649 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2650 sizeof(rfc), (unsigned long) &rfc);
2651 }
2652
5dee9e7c
MH		 2653 if (result == L2CAP_CONF_SUCCESS) {
2654 /* Configure output options and let the other side know
2655 * which ones we don't like. */
2656
f2fcfcd6
GP		 2657 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2658 result = L2CAP_CONF_UNACCEPT;
2659 else {
0c1bc5c6 2660 chan->omtu = mtu;
c1360a1c 2661 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 2662 }
0c1bc5c6 2663 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2664
42dceae2
AE		 2665 if (remote_efs) {
2666 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2667 efs.stype != L2CAP_SERV_NOTRAFIC &&
2668 efs.stype != chan->local_stype) {
2669
2670 result = L2CAP_CONF_UNACCEPT;
2671
2672 if (chan->num_conf_req >= 1)
2673 return -ECONNREFUSED;
2674
2675 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 2676 sizeof(efs),
42dceae2 2677 (unsigned long) &efs);
0e8b207e 2678 } else {
3e6b3b95 2679 /* Send PENDING Conf Rsp */
0e8b207e
AE		 2680 result = L2CAP_CONF_PENDING;
2681 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 2682 }
2683 }
2684
f2fcfcd6
GP		 2685 switch (rfc.mode) {
2686 case L2CAP_MODE_BASIC:
47d1ec61 2687 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2688 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 2689 break;
2690
2691 case L2CAP_MODE_ERTM:
6327eb98
AE		 2692 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
2693 chan->remote_tx_win = rfc.txwin_size;
2694 else
2695 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 2696
2c03a7a4 2697 chan->remote_max_tx = rfc.max_transmit;
1c762159 2698
c8f79162
AE		 2699 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2700 chan->conn->mtu -
2701 L2CAP_EXT_HDR_SIZE -
2702 L2CAP_SDULEN_SIZE -
2703 L2CAP_FCS_SIZE);
2704 rfc.max_pdu_size = cpu_to_le16(size);
2705 chan->remote_mps = size;
f2fcfcd6 2706
10467e9e 2707 rfc.retrans_timeout =
4fd21a88 2708 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
10467e9e 2709 rfc.monitor_timeout =
4fd21a88 2710 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2711
c1360a1c 2712 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2713
2714 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2715 sizeof(rfc), (unsigned long) &rfc);
2716
42dceae2
AE		 2717 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2718 chan->remote_id = efs.id;
2719 chan->remote_stype = efs.stype;
2720 chan->remote_msdu = le16_to_cpu(efs.msdu);
2721 chan->remote_flush_to =
2722 le32_to_cpu(efs.flush_to);
2723 chan->remote_acc_lat =
2724 le32_to_cpu(efs.acc_lat);
2725 chan->remote_sdu_itime =
2726 le32_to_cpu(efs.sdu_itime);
2727 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2728 sizeof(efs), (unsigned long) &efs);
2729 }
f2fcfcd6
GP		 2730 break;
2731
2732 case L2CAP_MODE_STREAMING:
c8f79162
AE		 2733 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2734 chan->conn->mtu -
2735 L2CAP_EXT_HDR_SIZE -
2736 L2CAP_SDULEN_SIZE -
2737 L2CAP_FCS_SIZE);
2738 rfc.max_pdu_size = cpu_to_le16(size);
2739 chan->remote_mps = size;
f2fcfcd6 2740
c1360a1c 2741 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2742
2743 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2744 sizeof(rfc), (unsigned long) &rfc);
2745
f2fcfcd6
GP		 2746 break;
2747
2748 default:
5dee9e7c 2749 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2750
6464f35f 2751 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2752 rfc.mode = chan->mode;
f2fcfcd6 2753 }
6464f35f 2754
f2fcfcd6 2755 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 2756 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 2757 }
fe4128e0 2758 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2759 rsp->result = cpu_to_le16(result);
2760 rsp->flags = cpu_to_le16(0x0000);
2761
2762 return ptr - data;
1da177e4
LT		 2763}
2764
b4450035 2765static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2766{
f2fcfcd6
GP		 2767 struct l2cap_conf_req *req = data;
2768 void *ptr = req->data;
2769 int type, olen;
2770 unsigned long val;
36e999a8 2771 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 2772 struct l2cap_conf_efs efs;
f2fcfcd6 2773
fe4128e0 2774 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 2775
2776 while (len >= L2CAP_CONF_OPT_SIZE) {
2777 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2778
2779 switch (type) {
2780 case L2CAP_CONF_MTU:
2781 if (val < L2CAP_DEFAULT_MIN_MTU) {
2782 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2783 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2784 } else
0c1bc5c6
GP		 2785 chan->imtu = val;
2786 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 2787 break;
2788
2789 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2790 chan->flush_to = val;
f2fcfcd6 2791 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 2792 2, chan->flush_to);
f2fcfcd6
GP		 2793 break;
2794
2795 case L2CAP_CONF_RFC:
2796 if (olen == sizeof(rfc))
2797 memcpy(&rfc, (void *)val, olen);
2798
c1360a1c 2799 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 2800 rfc.mode != chan->mode)
f2fcfcd6
GP		 2801 return -ECONNREFUSED;
2802
47d1ec61 2803 chan->fcs = 0;
f2fcfcd6
GP		 2804
2805 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2806 sizeof(rfc), (unsigned long) &rfc);
2807 break;
6327eb98
AE		 2808
2809 case L2CAP_CONF_EWS:
2810 chan->tx_win = min_t(u16, val,
2811 L2CAP_DEFAULT_EXT_WINDOW);
3e6b3b95
GP		 2812 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2813 chan->tx_win);
6327eb98 2814 break;
66af7aaf
AE		 2815
2816 case L2CAP_CONF_EFS:
2817 if (olen == sizeof(efs))
2818 memcpy(&efs, (void *)val, olen);
2819
2820 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2821 efs.stype != L2CAP_SERV_NOTRAFIC &&
2822 efs.stype != chan->local_stype)
2823 return -ECONNREFUSED;
2824
2825 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2826 sizeof(efs), (unsigned long) &efs);
2827 break;
f2fcfcd6
GP		 2828 }
2829 }
2830
0c1bc5c6 2831 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 2832 return -ECONNREFUSED;
2833
0c1bc5c6 2834 chan->mode = rfc.mode;
6c2ea7a8 2835
0e8b207e 2836 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 2837 switch (rfc.mode) {
2838 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2839 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2840 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2841 chan->mps = le16_to_cpu(rfc.max_pdu_size);
66af7aaf
AE		 2842
2843 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2844 chan->local_msdu = le16_to_cpu(efs.msdu);
2845 chan->local_sdu_itime =
2846 le32_to_cpu(efs.sdu_itime);
2847 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
2848 chan->local_flush_to =
2849 le32_to_cpu(efs.flush_to);
2850 }
f2fcfcd6 2851 break;
66af7aaf 2852
f2fcfcd6 2853 case L2CAP_MODE_STREAMING:
47d1ec61 2854 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2855 }
2856 }
2857
fe4128e0 2858 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 2859 req->flags = cpu_to_le16(0x0000);
2860
2861 return ptr - data;
2862}
2863
fe4128e0 2864static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 2865{
2866 struct l2cap_conf_rsp *rsp = data;
2867 void *ptr = rsp->data;
1da177e4 2868
fe4128e0 2869 BT_DBG("chan %p", chan);
1da177e4 2870
fe4128e0 2871 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 2872 rsp->result = cpu_to_le16(result);
aca3192c 2873 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2874
2875 return ptr - data;
2876}
2877
8c1d787b 2878void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 2879{
2880 struct l2cap_conn_rsp rsp;
8c1d787b 2881 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 2882 u8 buf[128];
2883
fe4128e0
GP		 2884 rsp.scid = cpu_to_le16(chan->dcid);
2885 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 2886 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2887 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2888 l2cap_send_cmd(conn, chan->ident,
2889 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2890
c1360a1c 2891 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 2892 return;
2893
710f9b0a
GP		 2894 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2895 l2cap_build_conf_req(chan, buf), buf);
2896 chan->num_conf_req++;
2897}
2898
47d1ec61 2899static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 2900{
7b1c0049
GP		 2901 int type, olen;
2902 unsigned long val;
2903 struct l2cap_conf_rfc rfc;
2904
47d1ec61 2905 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 2906
0c1bc5c6 2907 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 2908 return;
2909
2910 while (len >= L2CAP_CONF_OPT_SIZE) {
2911 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2912
2913 switch (type) {
2914 case L2CAP_CONF_RFC:
2915 if (olen == sizeof(rfc))
2916 memcpy(&rfc, (void *)val, olen);
2917 goto done;
2918 }
2919 }
2920
36e999a8
MM		 2921 /* Use sane default values in case a misbehaving remote device
2922 * did not send an RFC option.
2923 */
2924 rfc.mode = chan->mode;
2925 rfc.retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
2926 rfc.monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
2927 rfc.max_pdu_size = cpu_to_le16(chan->imtu);
2928
2929 BT_ERR("Expected RFC option was not found, using defaults");
2930
7b1c0049
GP		 2931done:
2932 switch (rfc.mode) {
2933 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2934 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2935 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2936 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2937 break;
2938 case L2CAP_MODE_STREAMING:
47d1ec61 2939 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2940 }
2941}
2942
4e8402a3
MH		 2943static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2944{
e2fd318e 2945 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 2946
e2fd318e 2947 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 2948 return 0;
2949
2950 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2951 cmd->ident == conn->info_ident) {
17cd3f37 2952 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 2953
2954 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2955 conn->info_ident = 0;
984947dc 2956
4e8402a3
MH		 2957 l2cap_conn_start(conn);
2958 }
2959
2960 return 0;
2961}
2962
1da177e4
LT		 2963static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2964{
1da177e4
LT		 2965 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2966 struct l2cap_conn_rsp rsp;
23691d75 2967 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 2968 struct sock *parent, *sk = NULL;
e7c29cb1 2969 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2970
2971 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2972 __le16 psm = req->psm;
1da177e4 2973
097db76c 2974 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 2975
2976 /* Check if we have socket listening on psm */
c2287681 2977 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 2978 if (!pchan) {
1da177e4
LT		 2979 result = L2CAP_CR_BAD_PSM;
2980 goto sendresp;
2981 }
2982
23691d75
GP		 2983 parent = pchan->sk;
2984
3df91ea2 2985 mutex_lock(&conn->chan_lock);
aa2ac881 2986 lock_sock(parent);
e0f0cb56 2987
e7c29cb1
MH		 2988 /* Check if the ACL is secure enough (if not SDP) */
2989 if (psm != cpu_to_le16(0x0001) &&
2990 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 2991 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 2992 result = L2CAP_CR_SEC_BLOCK;
2993 goto response;
2994 }
2995
1da177e4
LT		 2996 result = L2CAP_CR_NO_MEM;
2997
2998 /* Check for backlog size */
2999 if (sk_acceptq_is_full(parent)) {
8e87d142 3000 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 3001 goto response;
3002 }
3003
80808e43
GP		 3004 chan = pchan->ops->new_connection(pchan->data);
3005 if (!chan)
1da177e4
LT		 3006 goto response;
3007
80808e43
GP		 3008 sk = chan->sk;
3009
1da177e4 3010 /* Check if we already have channel with that dcid */
baa7e1fa 3011 if (__l2cap_get_chan_by_dcid(conn, scid)) {
1da177e4 3012 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 3013 chan->ops->close(chan->data);
1da177e4
LT		 3014 goto response;
3015 }
3016
3017 hci_conn_hold(conn->hcon);
3018
1da177e4
LT		 3019 bacpy(&bt_sk(sk)->src, conn->src);
3020 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3021 chan->psm = psm;
3022 chan->dcid = scid;
1da177e4 3023
d1010240
GP		 3024 bt_accept_enqueue(parent, sk);
3025
6be36555 3026 __l2cap_chan_add(conn, chan);
48454079 3027
fe4128e0 3028 dcid = chan->scid;
1da177e4 3029
c9b66675 3030 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3031
fc7f8a7e 3032 chan->ident = cmd->ident;
1da177e4 3033
984947dc 3034 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3035 if (l2cap_chan_check_security(chan)) {
c5daa683 3036 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3037 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3038 result = L2CAP_CR_PEND;
3039 status = L2CAP_CS_AUTHOR_PEND;
3040 parent->sk_data_ready(parent, 0);
3041 } else {
0e587be7 3042 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 3043 result = L2CAP_CR_SUCCESS;
3044 status = L2CAP_CS_NO_INFO;
3045 }
79d554a6 3046 } else {
0e587be7 3047 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3048 result = L2CAP_CR_PEND;
3049 status = L2CAP_CS_AUTHEN_PEND;
3050 }
3051 } else {
0e587be7 3052 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3053 result = L2CAP_CR_PEND;
3054 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3055 }
3056
1da177e4 3057response:
aa2ac881 3058 release_sock(parent);
3df91ea2 3059 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3060
3061sendresp:
aca3192c
YH		 3062 rsp.scid = cpu_to_le16(scid);
3063 rsp.dcid = cpu_to_le16(dcid);
3064 rsp.result = cpu_to_le16(result);
3065 rsp.status = cpu_to_le16(status);
1da177e4 3066 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 3067
3068 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3069 struct l2cap_info_req info;
3070 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3071
3072 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3073 conn->info_ident = l2cap_get_ident(conn);
3074
ba13ccd9 3075 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 3076
3077 l2cap_send_cmd(conn, conn->info_ident,
3078 L2CAP_INFO_REQ, sizeof(info), &info);
3079 }
3080
c1360a1c 3081 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 3082 result == L2CAP_CR_SUCCESS) {
3083 u8 buf[128];
c1360a1c 3084 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3085 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3086 l2cap_build_conf_req(chan, buf), buf);
3087 chan->num_conf_req++;
e9aeb2dd
GP		 3088 }
3089
1da177e4
LT		 3090 return 0;
3091}
3092
3093static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3094{
3095 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3096 u16 scid, dcid, result, status;
48454079 3097 struct l2cap_chan *chan;
1da177e4 3098 u8 req[128];
3df91ea2 3099 int err;
1da177e4
LT		 3100
3101 scid = __le16_to_cpu(rsp->scid);
3102 dcid = __le16_to_cpu(rsp->dcid);
3103 result = __le16_to_cpu(rsp->result);
3104 status = __le16_to_cpu(rsp->status);
3105
1b009c98
AE		 3106 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3107 dcid, scid, result, status);
1da177e4 3108
3df91ea2
AE		 3109 mutex_lock(&conn->chan_lock);
3110
1da177e4 3111 if (scid) {
3df91ea2
AE		 3112 chan = __l2cap_get_chan_by_scid(conn, scid);
3113 if (!chan) {
3114 err = -EFAULT;
3115 goto unlock;
3116 }
1da177e4 3117 } else {
3df91ea2
AE		 3118 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3119 if (!chan) {
3120 err = -EFAULT;
3121 goto unlock;
3122 }
1da177e4
LT		 3123 }
3124
3df91ea2
AE		 3125 err = 0;
3126
6be36555 3127 l2cap_chan_lock(chan);
48454079 3128
1da177e4
LT		 3129 switch (result) {
3130 case L2CAP_CR_SUCCESS:
89bc500e 3131 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3132 chan->ident = 0;
fe4128e0 3133 chan->dcid = dcid;
c1360a1c 3134 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3135
c1360a1c 3136 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3137 break;
3138
1da177e4 3139 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3140 l2cap_build_conf_req(chan, req), req);
3141 chan->num_conf_req++;
1da177e4
LT		 3142 break;
3143
3144 case L2CAP_CR_PEND:
c1360a1c 3145 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3146 break;
3147
3148 default:
48454079 3149 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3150 break;
3151 }
3152
6be36555 3153 l2cap_chan_unlock(chan);
3df91ea2
AE		 3154
3155unlock:
3156 mutex_unlock(&conn->chan_lock);
3157
3158 return err;
1da177e4
LT		 3159}
3160
47d1ec61 3161static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3162{
3163 /* FCS is enabled only in ERTM or streaming mode, if one or both
3164 * sides request it.
3165 */
0c1bc5c6 3166 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3167 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3168 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3169 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3170}
3171
88219a0f 3172static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 3173{
3174 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3175 u16 dcid, flags;
3176 u8 rsp[64];
48454079 3177 struct l2cap_chan *chan;
3c588192 3178 int len, err = 0;
1da177e4
LT		 3179
3180 dcid = __le16_to_cpu(req->dcid);
3181 flags = __le16_to_cpu(req->flags);
3182
3183 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3184
baa7e1fa 3185 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3186 if (!chan)
1da177e4
LT		 3187 return -ENOENT;
3188
033b1142 3189 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3190 struct l2cap_cmd_rej_cid rej;
3191
3192 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
3193 rej.scid = cpu_to_le16(chan->scid);
3194 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3195
df6bd743
GP		 3196 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
3197 sizeof(rej), &rej);
354f60a9 3198 goto unlock;
df6bd743 3199 }
354f60a9 3200
5dee9e7c 3201 /* Reject if config buffer is too small. */
88219a0f 3202 len = cmd_len - sizeof(*req);
7ac28817 3203 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3204 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3205 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 3206 L2CAP_CONF_REJECT, flags), rsp);
3207 goto unlock;
3208 }
3209
3210 /* Store config. */
73ffa904
GP		 3211 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3212 chan->conf_len += len;
1da177e4
LT		 3213
3214 if (flags & 0x0001) {
3215 /* Incomplete config. Send empty response. */
3216 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3217 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 3218 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 3219 goto unlock;
3220 }
3221
3222 /* Complete config. */
73ffa904 3223 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3224 if (len < 0) {
e92c8e70 3225 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 3226 goto unlock;
f2fcfcd6 3227 }
1da177e4 3228
5dee9e7c 3229 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3230 chan->num_conf_rsp++;
5dee9e7c 3231
5dee9e7c 3232 /* Reset config buffer. */
73ffa904 3233 chan->conf_len = 0;
5dee9e7c 3234
c1360a1c 3235 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3236 goto unlock;
3237
c1360a1c 3238 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3239 set_default_fcs(chan);
fcc203c3 3240
89bc500e 3241 l2cap_state_change(chan, BT_CONNECTED);
e90bac06 3242
105bdf9e
MM		 3243 if (chan->mode == L2CAP_MODE_ERTM ||
3244 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3245 err = l2cap_ertm_init(chan);
3246
3247 if (err < 0)
3248 l2cap_send_disconn_req(chan->conn, chan, -err);
3249 else
3250 l2cap_chan_ready(chan);
0565c1c2 3251
876d9484
MH		 3252 goto unlock;
3253 }
3254
c1360a1c 3255 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3256 u8 buf[64];
1da177e4 3257 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3258 l2cap_build_conf_req(chan, buf), buf);
3259 chan->num_conf_req++;
1da177e4
LT		 3260 }
3261
0e8b207e
AE		 3262 /* Got Conf Rsp PENDING from remote side and asume we sent
3263 Conf Rsp PENDING in the code above */
3264 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
3265 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3266
3267 /* check compatibility */
3268
3269 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3270 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3271
3272 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3273 l2cap_build_conf_rsp(chan, rsp,
0e8b207e
AE		 3274 L2CAP_CONF_SUCCESS, 0x0000), rsp);
3275 }
3276
1da177e4 3277unlock:
6be36555 3278 l2cap_chan_unlock(chan);
3c588192 3279 return err;
1da177e4
LT		 3280}
3281
3282static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3283{
3284 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3285 u16 scid, flags, result;
48454079 3286 struct l2cap_chan *chan;
61386cba 3287 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3288 int err = 0;
1da177e4
LT		 3289
3290 scid = __le16_to_cpu(rsp->scid);
3291 flags = __le16_to_cpu(rsp->flags);
3292 result = __le16_to_cpu(rsp->result);
3293
61386cba
AE		 3294 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3295 result, len);
1da177e4 3296
baa7e1fa 3297 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3298 if (!chan)
1da177e4
LT		 3299 return 0;
3300
3301 switch (result) {
3302 case L2CAP_CONF_SUCCESS:
47d1ec61 3303 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3304 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3305 break;
3306
0e8b207e
AE		 3307 case L2CAP_CONF_PENDING:
3308 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3309
3310 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3311 char buf[64];
3312
3313 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3314 buf, &result);
3315 if (len < 0) {
3316 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3317 goto done;
3318 }
3319
3320 /* check compatibility */
3321
3322 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3323 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3324
3325 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3326 l2cap_build_conf_rsp(chan, buf,
0e8b207e
AE		 3327 L2CAP_CONF_SUCCESS, 0x0000), buf);
3328 }
3329 goto done;
3330
1da177e4 3331 case L2CAP_CONF_UNACCEPT:
73ffa904 3332 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3333 char req[64];
3334
c2c77ec8 3335 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 3336 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 3337 goto done;
3338 }
3339
f2fcfcd6
GP		 3340 /* throw out any old stored conf requests */
3341 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 3342 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3343 req, &result);
f2fcfcd6 3344 if (len < 0) {
e92c8e70 3345 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 3346 goto done;
3347 }
3348
3349 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3350 L2CAP_CONF_REQ, len, req);
73ffa904 3351 chan->num_conf_req++;
f2fcfcd6
GP		 3352 if (result != L2CAP_CONF_SUCCESS)
3353 goto done;
3354 break;
1da177e4
LT		 3355 }
3356
8e87d142 3357 default:
6be36555 3358 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 3359
ba13ccd9 3360 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 3361 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 3362 goto done;
3363 }
3364
3365 if (flags & 0x01)
3366 goto done;
3367
c1360a1c 3368 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 3369
c1360a1c 3370 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 3371 set_default_fcs(chan);
fcc203c3 3372
89bc500e 3373 l2cap_state_change(chan, BT_CONNECTED);
105bdf9e
MM		 3374 if (chan->mode == L2CAP_MODE_ERTM ||
3375 chan->mode == L2CAP_MODE_STREAMING)
3c588192 3376 err = l2cap_ertm_init(chan);
0565c1c2 3377
3c588192
MM		 3378 if (err < 0)
3379 l2cap_send_disconn_req(chan->conn, chan, -err);
3380 else
3381 l2cap_chan_ready(chan);
1da177e4
LT		 3382 }
3383
3384done:
6be36555 3385 l2cap_chan_unlock(chan);
3c588192 3386 return err;
1da177e4
LT		 3387}
3388
3389static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3390{
3391 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3392 struct l2cap_disconn_rsp rsp;
3393 u16 dcid, scid;
48454079 3394 struct l2cap_chan *chan;
1da177e4
LT		 3395 struct sock *sk;
3396
3397 scid = __le16_to_cpu(req->scid);
3398 dcid = __le16_to_cpu(req->dcid);
3399
3400 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3401
3df91ea2
AE		 3402 mutex_lock(&conn->chan_lock);
3403
3404 chan = __l2cap_get_chan_by_scid(conn, dcid);
3405 if (!chan) {
3406 mutex_unlock(&conn->chan_lock);
1da177e4 3407 return 0;
3df91ea2 3408 }
1da177e4 3409
6be36555
AE		 3410 l2cap_chan_lock(chan);
3411
48454079
GP		 3412 sk = chan->sk;
3413
fe4128e0
GP		 3414 rsp.dcid = cpu_to_le16(chan->scid);
3415 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3416 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3417
6be36555 3418 lock_sock(sk);
1da177e4 3419 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 3420 release_sock(sk);
1da177e4 3421
61d6ef3e 3422 l2cap_chan_hold(chan);
48454079 3423 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 3424
3425 l2cap_chan_unlock(chan);
1da177e4 3426
ba3bd0ee 3427 chan->ops->close(chan->data);
61d6ef3e 3428 l2cap_chan_put(chan);
3df91ea2
AE		 3429
3430 mutex_unlock(&conn->chan_lock);
3431
1da177e4
LT		 3432 return 0;
3433}
3434
3435static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3436{
3437 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3438 u16 dcid, scid;
48454079 3439 struct l2cap_chan *chan;
1da177e4
LT		 3440
3441 scid = __le16_to_cpu(rsp->scid);
3442 dcid = __le16_to_cpu(rsp->dcid);
3443
3444 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3445
3df91ea2
AE		 3446 mutex_lock(&conn->chan_lock);
3447
3448 chan = __l2cap_get_chan_by_scid(conn, scid);
3449 if (!chan) {
3450 mutex_unlock(&conn->chan_lock);
1da177e4 3451 return 0;
3df91ea2 3452 }
1da177e4 3453
6be36555 3454 l2cap_chan_lock(chan);
48454079 3455
61d6ef3e 3456 l2cap_chan_hold(chan);
48454079 3457 l2cap_chan_del(chan, 0);
6be36555
AE		 3458
3459 l2cap_chan_unlock(chan);
1da177e4 3460
ba3bd0ee 3461 chan->ops->close(chan->data);
61d6ef3e 3462 l2cap_chan_put(chan);
3df91ea2
AE		 3463
3464 mutex_unlock(&conn->chan_lock);
3465
1da177e4
LT		 3466 return 0;
3467}
3468
3469static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3470{
3471 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3472 u16 type;
3473
3474 type = __le16_to_cpu(req->type);
3475
3476 BT_DBG("type 0x%4.4x", type);
3477
f0709e03
MH		 3478 if (type == L2CAP_IT_FEAT_MASK) {
3479 u8 buf[8];
44dd46de 3480 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 3481 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3482 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3483 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3484 if (!disable_ertm)
fcc203c3
GP		 3485 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3486 | L2CAP_FEAT_FCS;
a5fd6f30 3487 if (enable_hs)
6327eb98
AE		 3488 feat_mask |= L2CAP_FEAT_EXT_FLOW
3489 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3490
1b7bf4ed 3491 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3492 l2cap_send_cmd(conn, cmd->ident,
3493 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3494 } else if (type == L2CAP_IT_FIXED_CHAN) {
3495 u8 buf[12];
3496 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3497
3498 if (enable_hs)
3499 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3500 else
3501 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3502
e1027a7c
MH		 3503 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3504 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3505 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH		 3506 l2cap_send_cmd(conn, cmd->ident,
3507 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3508 } else {
3509 struct l2cap_info_rsp rsp;
3510 rsp.type = cpu_to_le16(type);
3511 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3512 l2cap_send_cmd(conn, cmd->ident,
3513 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3514 }
1da177e4
LT		 3515
3516 return 0;
3517}
3518
3519static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3520{
3521 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3522 u16 type, result;
3523
3524 type = __le16_to_cpu(rsp->type);
3525 result = __le16_to_cpu(rsp->result);
3526
3527 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3528
e90165be
AE		 3529 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3530 if (cmd->ident != conn->info_ident ||
3531 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3532 return 0;
3533
17cd3f37 3534 cancel_delayed_work(&conn->info_timer);
4e8402a3 3535
adb08ede
VT		 3536 if (result != L2CAP_IR_SUCCESS) {
3537 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3538 conn->info_ident = 0;
3539
3540 l2cap_conn_start(conn);
3541
3542 return 0;
3543 }
3544
978c93b9
AE		 3545 switch (type) {
3546 case L2CAP_IT_FEAT_MASK:
83985319 3547 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3548
47ec1dcd 3549 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 3550 struct l2cap_info_req req;
3551 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3552
3553 conn->info_ident = l2cap_get_ident(conn);
3554
3555 l2cap_send_cmd(conn, conn->info_ident,
3556 L2CAP_INFO_REQ, sizeof(req), &req);
3557 } else {
3558 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3559 conn->info_ident = 0;
3560
3561 l2cap_conn_start(conn);
3562 }
978c93b9
AE		 3563 break;
3564
3565 case L2CAP_IT_FIXED_CHAN:
3566 conn->fixed_chan_mask = rsp->data[0];
984947dc 3567 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3568 conn->info_ident = 0;
984947dc
MH		 3569
3570 l2cap_conn_start(conn);
978c93b9 3571 break;
984947dc 3572 }
4e8402a3 3573
1da177e4
LT		 3574 return 0;
3575}
3576
f94ff6ff
MM		 3577static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3578 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3579 void *data)
3580{
3581 struct l2cap_create_chan_req *req = data;
3582 struct l2cap_create_chan_rsp rsp;
3583 u16 psm, scid;
3584
3585 if (cmd_len != sizeof(*req))
3586 return -EPROTO;
3587
3588 if (!enable_hs)
3589 return -EINVAL;
3590
3591 psm = le16_to_cpu(req->psm);
3592 scid = le16_to_cpu(req->scid);
3593
3594 BT_DBG("psm %d, scid %d, amp_id %d", psm, scid, req->amp_id);
3595
3596 /* Placeholder: Always reject */
3597 rsp.dcid = 0;
3598 rsp.scid = cpu_to_le16(scid);
8ce0c498
AE		 3599 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
3600 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f94ff6ff
MM		 3601
3602 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
3603 sizeof(rsp), &rsp);
3604
3605 return 0;
3606}
3607
3608static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
3609 struct l2cap_cmd_hdr *cmd, void *data)
3610{
3611 BT_DBG("conn %p", conn);
3612
3613 return l2cap_connect_rsp(conn, cmd, data);
3614}
3615
8d5a04a1
MM		 3616static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
3617 u16 icid, u16 result)
3618{
3619 struct l2cap_move_chan_rsp rsp;
3620
3621 BT_DBG("icid %d, result %d", icid, result);
3622
3623 rsp.icid = cpu_to_le16(icid);
3624 rsp.result = cpu_to_le16(result);
3625
3626 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
3627}
3628
3629static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
3630 struct l2cap_chan *chan, u16 icid, u16 result)
3631{
3632 struct l2cap_move_chan_cfm cfm;
3633 u8 ident;
3634
3635 BT_DBG("icid %d, result %d", icid, result);
3636
3637 ident = l2cap_get_ident(conn);
3638 if (chan)
3639 chan->ident = ident;
3640
3641 cfm.icid = cpu_to_le16(icid);
3642 cfm.result = cpu_to_le16(result);
3643
3644 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
3645}
3646
3647static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
3648 u16 icid)
3649{
3650 struct l2cap_move_chan_cfm_rsp rsp;
3651
3652 BT_DBG("icid %d", icid);
3653
3654 rsp.icid = cpu_to_le16(icid);
3655 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
3656}
3657
3658static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
3659 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3660{
3661 struct l2cap_move_chan_req *req = data;
3662 u16 icid = 0;
3663 u16 result = L2CAP_MR_NOT_ALLOWED;
3664
3665 if (cmd_len != sizeof(*req))
3666 return -EPROTO;
3667
3668 icid = le16_to_cpu(req->icid);
3669
3670 BT_DBG("icid %d, dest_amp_id %d", icid, req->dest_amp_id);
3671
3672 if (!enable_hs)
3673 return -EINVAL;
3674
3675 /* Placeholder: Always refuse */
3676 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
3677
3678 return 0;
3679}
3680
3681static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
3682 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3683{
3684 struct l2cap_move_chan_rsp *rsp = data;
3685 u16 icid, result;
3686
3687 if (cmd_len != sizeof(*rsp))
3688 return -EPROTO;
3689
3690 icid = le16_to_cpu(rsp->icid);
3691 result = le16_to_cpu(rsp->result);
3692
3693 BT_DBG("icid %d, result %d", icid, result);
3694
3695 /* Placeholder: Always unconfirmed */
3696 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
3697
3698 return 0;
3699}
3700
3701static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
3702 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3703{
3704 struct l2cap_move_chan_cfm *cfm = data;
3705 u16 icid, result;
3706
3707 if (cmd_len != sizeof(*cfm))
3708 return -EPROTO;
3709
3710 icid = le16_to_cpu(cfm->icid);
3711 result = le16_to_cpu(cfm->result);
3712
3713 BT_DBG("icid %d, result %d", icid, result);
3714
3715 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
3716
3717 return 0;
3718}
3719
3720static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
3721 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3722{
3723 struct l2cap_move_chan_cfm_rsp *rsp = data;
3724 u16 icid;
3725
3726 if (cmd_len != sizeof(*rsp))
3727 return -EPROTO;
3728
3729 icid = le16_to_cpu(rsp->icid);
3730
3731 BT_DBG("icid %d", icid);
3732
3733 return 0;
3734}
3735
e2174ca4 3736static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 3737 u16 to_multiplier)
3738{
3739 u16 max_latency;
3740
3741 if (min > max || min < 6 || max > 3200)
3742 return -EINVAL;
3743
3744 if (to_multiplier < 10 || to_multiplier > 3200)
3745 return -EINVAL;
3746
3747 if (max >= to_multiplier * 8)
3748 return -EINVAL;
3749
3750 max_latency = (to_multiplier * 8 / max) - 1;
3751 if (latency > 499 || latency > max_latency)
3752 return -EINVAL;
3753
3754 return 0;
3755}
3756
3757static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
3758 struct l2cap_cmd_hdr *cmd, u8 *data)
3759{
3760 struct hci_conn *hcon = conn->hcon;
3761 struct l2cap_conn_param_update_req *req;
3762 struct l2cap_conn_param_update_rsp rsp;
3763 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 3764 int err;
de73115a
CT		 3765
3766 if (!(hcon->link_mode & HCI_LM_MASTER))
3767 return -EINVAL;
3768
3769 cmd_len = __le16_to_cpu(cmd->len);
3770 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
3771 return -EPROTO;
3772
3773 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 3774 min = __le16_to_cpu(req->min);
3775 max = __le16_to_cpu(req->max);
de73115a
CT		 3776 latency = __le16_to_cpu(req->latency);
3777 to_multiplier = __le16_to_cpu(req->to_multiplier);
3778
3779 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
3780 min, max, latency, to_multiplier);
3781
3782 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 3783
3784 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
3785 if (err)
de73115a
CT		 3786 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
3787 else
3788 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
3789
3790 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
3791 sizeof(rsp), &rsp);
3792
2ce603eb
CT		 3793 if (!err)
3794 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
3795
de73115a
CT		 3796 return 0;
3797}
3798
3300d9a9
CT		 3799static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
3800 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3801{
3802 int err = 0;
3803
3804 switch (cmd->code) {
3805 case L2CAP_COMMAND_REJ:
3806 l2cap_command_rej(conn, cmd, data);
3807 break;
3808
3809 case L2CAP_CONN_REQ:
3810 err = l2cap_connect_req(conn, cmd, data);
3811 break;
3812
3813 case L2CAP_CONN_RSP:
3814 err = l2cap_connect_rsp(conn, cmd, data);
3815 break;
3816
3817 case L2CAP_CONF_REQ:
3818 err = l2cap_config_req(conn, cmd, cmd_len, data);
3819 break;
3820
3821 case L2CAP_CONF_RSP:
3822 err = l2cap_config_rsp(conn, cmd, data);
3823 break;
3824
3825 case L2CAP_DISCONN_REQ:
3826 err = l2cap_disconnect_req(conn, cmd, data);
3827 break;
3828
3829 case L2CAP_DISCONN_RSP:
3830 err = l2cap_disconnect_rsp(conn, cmd, data);
3831 break;
3832
3833 case L2CAP_ECHO_REQ:
3834 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
3835 break;
3836
3837 case L2CAP_ECHO_RSP:
3838 break;
3839
3840 case L2CAP_INFO_REQ:
3841 err = l2cap_information_req(conn, cmd, data);
3842 break;
3843
3844 case L2CAP_INFO_RSP:
3845 err = l2cap_information_rsp(conn, cmd, data);
3846 break;
3847
f94ff6ff
MM		 3848 case L2CAP_CREATE_CHAN_REQ:
3849 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
3850 break;
3851
3852 case L2CAP_CREATE_CHAN_RSP:
3853 err = l2cap_create_channel_rsp(conn, cmd, data);
3854 break;
3855
8d5a04a1
MM		 3856 case L2CAP_MOVE_CHAN_REQ:
3857 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
3858 break;
3859
3860 case L2CAP_MOVE_CHAN_RSP:
3861 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
3862 break;
3863
3864 case L2CAP_MOVE_CHAN_CFM:
3865 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
3866 break;
3867
3868 case L2CAP_MOVE_CHAN_CFM_RSP:
3869 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
3870 break;
3871
3300d9a9
CT		 3872 default:
3873 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
3874 err = -EINVAL;
3875 break;
3876 }
3877
3878 return err;
3879}
3880
3881static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
3882 struct l2cap_cmd_hdr *cmd, u8 *data)
3883{
3884 switch (cmd->code) {
3885 case L2CAP_COMMAND_REJ:
3886 return 0;
3887
3888 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 3889 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 3890
3891 case L2CAP_CONN_PARAM_UPDATE_RSP:
3892 return 0;
3893
3894 default:
3895 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
3896 return -EINVAL;
3897 }
3898}
3899
3900static inline void l2cap_sig_channel(struct l2cap_conn *conn,
3901 struct sk_buff *skb)
1da177e4
LT		 3902{
3903 u8 *data = skb->data;
3904 int len = skb->len;
3905 struct l2cap_cmd_hdr cmd;
3300d9a9 3906 int err;
1da177e4
LT		 3907
3908 l2cap_raw_recv(conn, skb);
3909
3910 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3911 u16 cmd_len;
1da177e4
LT		 3912 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3913 data += L2CAP_CMD_HDR_SIZE;
3914 len -= L2CAP_CMD_HDR_SIZE;
3915
88219a0f 3916 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3917
88219a0f 3918 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3919
88219a0f 3920 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3921 BT_DBG("corrupted command");
3922 break;
3923 }
3924
3300d9a9
CT		 3925 if (conn->hcon->type == LE_LINK)
3926 err = l2cap_le_sig_cmd(conn, &cmd, data);
3927 else
3928 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 3929
3930 if (err) {
e2fd318e 3931 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 3932
3933 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 3934
3935 /* FIXME: Map err to a valid reason */
e2fd318e 3936 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 3937 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3938 }
3939
88219a0f
AV		 3940 data += cmd_len;
3941 len -= cmd_len;
1da177e4
LT		 3942 }
3943
3944 kfree_skb(skb);
3945}
3946
47d1ec61 3947static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 3948{
3949 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 3950 int hdr_size;
3951
3952 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3953 hdr_size = L2CAP_EXT_HDR_SIZE;
3954 else
3955 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 3956
47d1ec61 3957 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 3958 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 3959 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3960 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3961
3962 if (our_fcs != rcv_fcs)
7a560e5c 3963 return -EBADMSG;
fcc203c3
GP		 3964 }
3965 return 0;
3966}
3967
525cd185 3968static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 3969{
88843ab0 3970 u32 control = 0;
d5392c8f 3971
6a026610 3972 chan->frames_sent = 0;
d5392c8f 3973
0b209fae 3974 control |= __set_reqseq(chan, chan->buffer_seq);
d5392c8f 3975
e2ab4353 3976 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 3977 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
525cd185 3978 l2cap_send_sframe(chan, control);
e2ab4353 3979 set_bit(CONN_RNR_SENT, &chan->conn_state);
d5392c8f
GP		 3980 }
3981
e2ab4353 3982 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
525cd185 3983 l2cap_retransmit_frames(chan);
d5392c8f 3984
525cd185 3985 l2cap_ertm_send(chan);
d5392c8f 3986
e2ab4353 3987 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
6a026610 3988 chan->frames_sent == 0) {
ab784b73 3989 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 3990 l2cap_send_sframe(chan, control);
d5392c8f
GP		 3991 }
3992}
3993
fb45de7d 3994static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u16 tx_seq, u8 sar)
8f17154f
GP		 3995{
3996 struct sk_buff *next_skb;
bfbacc11 3997 int tx_seq_offset, next_tx_seq_offset;
8f17154f 3998
3ce3514f
MM		 3999 bt_cb(skb)->control.txseq = tx_seq;
4000 bt_cb(skb)->control.sar = sar;
8f17154f 4001
f1c6775b 4002 next_skb = skb_peek(&chan->srej_q);
8f17154f 4003
836be934 4004 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
bfbacc11 4005
039d9572 4006 while (next_skb) {
3ce3514f 4007 if (bt_cb(next_skb)->control.txseq == tx_seq)
9b53350d
JPRV		 4008 return -EINVAL;
4009
836be934 4010 next_tx_seq_offset = __seq_offset(chan,
3ce3514f 4011 bt_cb(next_skb)->control.txseq, chan->buffer_seq);
bfbacc11
JPRV		 4012
4013 if (next_tx_seq_offset > tx_seq_offset) {
f1c6775b 4014 __skb_queue_before(&chan->srej_q, next_skb, skb);
9b53350d 4015 return 0;
8f17154f
GP		 4016 }
4017
f1c6775b 4018 if (skb_queue_is_last(&chan->srej_q, next_skb))
039d9572
SJ		 4019 next_skb = NULL;
4020 else
4021 next_skb = skb_queue_next(&chan->srej_q, next_skb);
4022 }
8f17154f 4023
f1c6775b 4024 __skb_queue_tail(&chan->srej_q, skb);
9b53350d
JPRV		 4025
4026 return 0;
8f17154f
GP		 4027}
4028
84084a31
MM		 4029static void append_skb_frag(struct sk_buff *skb,
4030 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 4031{
84084a31
MM		 4032 /* skb->len reflects data in skb as well as all fragments
4033 * skb->data_len reflects only data in fragments
4034 */
4035 if (!skb_has_frag_list(skb))
4036 skb_shinfo(skb)->frag_list = new_frag;
4037
4038 new_frag->next = NULL;
4039
4040 (*last_frag)->next = new_frag;
4041 *last_frag = new_frag;
4042
4043 skb->len += new_frag->len;
4044 skb->data_len += new_frag->len;
4045 skb->truesize += new_frag->truesize;
4046}
4047
88843ab0 4048static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u32 control)
84084a31
MM		 4049{
4050 int err = -EINVAL;
18778a63 4051
7e0ef6ee
AE		 4052 switch (__get_ctrl_sar(chan, control)) {
4053 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 4054 if (chan->sdu)
4055 break;
18778a63 4056
84084a31
MM		 4057 err = chan->ops->recv(chan->data, skb);
4058 break;
18778a63 4059
7e0ef6ee 4060 case L2CAP_SAR_START:
84084a31
MM		 4061 if (chan->sdu)
4062 break;
18778a63 4063
6f61fd47 4064 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 4065 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 4066
84084a31
MM		 4067 if (chan->sdu_len > chan->imtu) {
4068 err = -EMSGSIZE;
4069 break;
4070 }
1890d36b 4071
84084a31
MM		 4072 if (skb->len >= chan->sdu_len)
4073 break;
18778a63 4074
84084a31
MM		 4075 chan->sdu = skb;
4076 chan->sdu_last_frag = skb;
18778a63 4077
84084a31
MM		 4078 skb = NULL;
4079 err = 0;
18778a63
GP		 4080 break;
4081
7e0ef6ee 4082 case L2CAP_SAR_CONTINUE:
6f61fd47 4083 if (!chan->sdu)
84084a31 4084 break;
18778a63 4085
84084a31
MM		 4086 append_skb_frag(chan->sdu, skb,
4087 &chan->sdu_last_frag);
4088 skb = NULL;
18778a63 4089
84084a31
MM		 4090 if (chan->sdu->len >= chan->sdu_len)
4091 break;
4178ba46 4092
84084a31 4093 err = 0;
18778a63
GP		 4094 break;
4095
7e0ef6ee 4096 case L2CAP_SAR_END:
6f61fd47 4097 if (!chan->sdu)
84084a31 4098 break;
18778a63 4099
84084a31
MM		 4100 append_skb_frag(chan->sdu, skb,
4101 &chan->sdu_last_frag);
4102 skb = NULL;
4178ba46 4103
84084a31
MM		 4104 if (chan->sdu->len != chan->sdu_len)
4105 break;
18778a63 4106
84084a31 4107 err = chan->ops->recv(chan->data, chan->sdu);
1890d36b 4108
84084a31
MM		 4109 if (!err) {
4110 /* Reassembly complete */
4111 chan->sdu = NULL;
4112 chan->sdu_last_frag = NULL;
4113 chan->sdu_len = 0;
1890d36b 4114 }
18778a63
GP		 4115 break;
4116 }
4117
84084a31
MM		 4118 if (err) {
4119 kfree_skb(skb);
4120 kfree_skb(chan->sdu);
4121 chan->sdu = NULL;
4122 chan->sdu_last_frag = NULL;
4123 chan->sdu_len = 0;
4124 }
18778a63 4125
84084a31 4126 return err;
18778a63
GP		 4127}
4128
26f880d2 4129static void l2cap_ertm_enter_local_busy(struct l2cap_chan *chan)
712132eb 4130{
26f880d2 4131 BT_DBG("chan %p, Enter local busy", chan);
712132eb 4132
26f880d2 4133 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3c588192 4134 l2cap_seq_list_clear(&chan->srej_list);
26f880d2 4135
77f918bc 4136 __set_ack_timer(chan);
26f880d2
MM		 4137}
4138
4139static void l2cap_ertm_exit_local_busy(struct l2cap_chan *chan)
4140{
88843ab0 4141 u32 control;
712132eb 4142
e2ab4353 4143 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
712132eb
GP		 4144 goto done;
4145
0b209fae 4146 control = __set_reqseq(chan, chan->buffer_seq);
e3781735 4147 control |= __set_ctrl_poll(chan);
ab784b73 4148 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 4149 l2cap_send_sframe(chan, control);
6a026610 4150 chan->retry_count = 1;
712132eb 4151
1a09bcb9
GP		 4152 __clear_retrans_timer(chan);
4153 __set_monitor_timer(chan);
712132eb 4154
e2ab4353 4155 set_bit(CONN_WAIT_F, &chan->conn_state);
712132eb
GP		 4156
4157done:
e2ab4353
GP		 4158 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
4159 clear_bit(CONN_RNR_SENT, &chan->conn_state);
712132eb 4160
49208c9c 4161 BT_DBG("chan %p, Exit local busy", chan);
712132eb
GP		 4162}
4163
e328140f 4164void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
1890d36b 4165{
e328140f
MM		 4166 if (chan->mode == L2CAP_MODE_ERTM) {
4167 if (busy)
4168 l2cap_ertm_enter_local_busy(chan);
4169 else
4170 l2cap_ertm_exit_local_busy(chan);
1890d36b 4171 }
1890d36b
GP		 4172}
4173
fb45de7d 4174static void l2cap_check_srej_gap(struct l2cap_chan *chan, u16 tx_seq)
8f17154f
GP		 4175{
4176 struct sk_buff *skb;
88843ab0 4177 u32 control;
8f17154f 4178
e328140f
MM		 4179 while ((skb = skb_peek(&chan->srej_q)) &&
4180 !test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4181 int err;
4182
3ce3514f 4183 if (bt_cb(skb)->control.txseq != tx_seq)
8f17154f
GP		 4184 break;
4185
f1c6775b 4186 skb = skb_dequeue(&chan->srej_q);
3ce3514f 4187 control = __set_ctrl_sar(chan, bt_cb(skb)->control.sar);
84084a31 4188 err = l2cap_reassemble_sdu(chan, skb, control);
e328140f
MM		 4189
4190 if (err < 0) {
4191 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4192 break;
4193 }
4194
836be934
AE		 4195 chan->buffer_seq_srej = __next_seq(chan, chan->buffer_seq_srej);
4196 tx_seq = __next_seq(chan, tx_seq);
8f17154f
GP		 4197 }
4198}
4199
fb45de7d 4200static void l2cap_resend_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 4201{
8f17154f 4202 struct srej_list *l, *tmp;
88843ab0 4203 u32 control;
8f17154f 4204
39d5a3ee 4205 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
8f17154f
GP		 4206 if (l->tx_seq == tx_seq) {
4207 list_del(&l->list);
4208 kfree(l);
4209 return;
4210 }
ab784b73 4211 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 4212 control |= __set_reqseq(chan, l->tx_seq);
525cd185 4213 l2cap_send_sframe(chan, control);
8f17154f 4214 list_del(&l->list);
39d5a3ee 4215 list_add_tail(&l->list, &chan->srej_l);
8f17154f
GP		 4216 }
4217}
4218
aef89f21 4219static int l2cap_send_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 4220{
8f17154f 4221 struct srej_list *new;
88843ab0 4222 u32 control;
8f17154f 4223
42e5c802 4224 while (tx_seq != chan->expected_tx_seq) {
ab784b73 4225 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 4226 control |= __set_reqseq(chan, chan->expected_tx_seq);
3c588192 4227 l2cap_seq_list_append(&chan->srej_list, chan->expected_tx_seq);
525cd185 4228 l2cap_send_sframe(chan, control);
8f17154f
GP		 4229
4230 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
aef89f21
SJ		 4231 if (!new)
4232 return -ENOMEM;
4233
42e5c802 4234 new->tx_seq = chan->expected_tx_seq;
836be934
AE		 4235
4236 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
4237
39d5a3ee 4238 list_add_tail(&new->list, &chan->srej_l);
8f17154f 4239 }
836be934
AE		 4240
4241 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
aef89f21
SJ		 4242
4243 return 0;
8f17154f
GP		 4244}
4245
88843ab0 4246static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
1c2acffb 4247{
fb45de7d 4248 u16 tx_seq = __get_txseq(chan, rx_control);
0b209fae 4249 u16 req_seq = __get_reqseq(chan, rx_control);
7e0ef6ee 4250 u8 sar = __get_ctrl_sar(chan, rx_control);
f6337c77 4251 int tx_seq_offset, expected_tx_seq_offset;
47d1ec61 4252 int num_to_ack = (chan->tx_win/6) + 1;
1c2acffb
GP		 4253 int err = 0;
4254
88843ab0 4255 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%8.8x", chan, skb->len,
525cd185 4256 tx_seq, rx_control);
1c2acffb 4257
03f6715d 4258 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 4259 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 4260 __clear_monitor_timer(chan);
6a026610 4261 if (chan->unacked_frames > 0)
1a09bcb9 4262 __set_retrans_timer(chan);
e2ab4353 4263 clear_bit(CONN_WAIT_F, &chan->conn_state);
1d8f5d16
GP		 4264 }
4265
42e5c802
GP		 4266 chan->expected_ack_seq = req_seq;
4267 l2cap_drop_acked_frames(chan);
9f121a5a 4268
836be934 4269 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
9b53350d
JPRV		 4270
4271 /* invalid tx_seq */
47d1ec61 4272 if (tx_seq_offset >= chan->tx_win) {
8c1d787b 4273 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
9b53350d
JPRV		 4274 goto drop;
4275 }
4276
77f918bc
SJ		 4277 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4278 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
4279 l2cap_send_ack(chan);
1890d36b 4280 goto drop;
77f918bc 4281 }
1890d36b 4282
02f1b641
MM		 4283 if (tx_seq == chan->expected_tx_seq)
4284 goto expected;
4285
e2ab4353 4286 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
8f17154f 4287 struct srej_list *first;
30afb5b2 4288
39d5a3ee 4289 first = list_first_entry(&chan->srej_l,
8f17154f
GP		 4290 struct srej_list, list);
4291 if (tx_seq == first->tx_seq) {
42e5c802 4292 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
525cd185 4293 l2cap_check_srej_gap(chan, tx_seq);
8f17154f
GP		 4294
4295 list_del(&first->list);
4296 kfree(first);
4297
39d5a3ee 4298 if (list_empty(&chan->srej_l)) {
42e5c802 4299 chan->buffer_seq = chan->buffer_seq_srej;
e2ab4353 4300 clear_bit(CONN_SREJ_SENT, &chan->conn_state);
525cd185 4301 l2cap_send_ack(chan);
49208c9c 4302 BT_DBG("chan %p, Exit SREJ_SENT", chan);
8f17154f
GP		 4303 }
4304 } else {
4305 struct srej_list *l;
9b53350d
JPRV		 4306
4307 /* duplicated tx_seq */
42e5c802 4308 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
9b53350d 4309 goto drop;
8f17154f 4310
39d5a3ee 4311 list_for_each_entry(l, &chan->srej_l, list) {
8f17154f 4312 if (l->tx_seq == tx_seq) {
525cd185 4313 l2cap_resend_srejframe(chan, tx_seq);
8f17154f
GP		 4314 return 0;
4315 }
4316 }
aef89f21
SJ		 4317
4318 err = l2cap_send_srejframe(chan, tx_seq);
4319 if (err < 0) {
4320 l2cap_send_disconn_req(chan->conn, chan, -err);
4321 return err;
4322 }
30afb5b2
GP		 4323 }
4324 } else {
836be934
AE		 4325 expected_tx_seq_offset = __seq_offset(chan,
4326 chan->expected_tx_seq, chan->buffer_seq);
9b53350d
JPRV		 4327
4328 /* duplicated tx_seq */
4329 if (tx_seq_offset < expected_tx_seq_offset)
4330 goto drop;
4331
e2ab4353 4332 set_bit(CONN_SREJ_SENT, &chan->conn_state);
1c2acffb 4333
49208c9c 4334 BT_DBG("chan %p, Enter SREJ", chan);
0e98958d 4335
39d5a3ee 4336 INIT_LIST_HEAD(&chan->srej_l);
42e5c802 4337 chan->buffer_seq_srej = chan->buffer_seq;
8f17154f 4338
f1c6775b 4339 __skb_queue_head_init(&chan->srej_q);
42e5c802 4340 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
8f17154f 4341
0ef3ef0f
SJ		 4342 /* Set P-bit only if there are some I-frames to ack. */
4343 if (__clear_ack_timer(chan))
4344 set_bit(CONN_SEND_PBIT, &chan->conn_state);
ef54fd93 4345
aef89f21
SJ		 4346 err = l2cap_send_srejframe(chan, tx_seq);
4347 if (err < 0) {
4348 l2cap_send_disconn_req(chan->conn, chan, -err);
4349 return err;
4350 }
1c2acffb 4351 }
30afb5b2
GP		 4352 return 0;
4353
8f17154f 4354expected:
836be934 4355 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
8f17154f 4356
e2ab4353 4357 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3ce3514f
MM		 4358 bt_cb(skb)->control.txseq = tx_seq;
4359 bt_cb(skb)->control.sar = sar;
f1c6775b 4360 __skb_queue_tail(&chan->srej_q, skb);
8f17154f
GP		 4361 return 0;
4362 }
4363
84084a31 4364 err = l2cap_reassemble_sdu(chan, skb, rx_control);
836be934
AE		 4365 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
4366
e328140f
MM		 4367 if (err < 0) {
4368 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4369 return err;
4370 }
2ece3684 4371
03f6715d 4372 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4373 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 4374 l2cap_retransmit_frames(chan);
4ec10d97
GP		 4375 }
4376
c1b4f43b 4377
6a026610
GP		 4378 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
4379 if (chan->num_acked == num_to_ack - 1)
525cd185 4380 l2cap_send_ack(chan);
4d611e4d
GP		 4381 else
4382 __set_ack_timer(chan);
9e917af1 4383
8f17154f 4384 return 0;
9b53350d
JPRV		 4385
4386drop:
4387 kfree_skb(skb);
4388 return 0;
1c2acffb
GP		 4389}
4390
88843ab0 4391static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u32 rx_control)
1c2acffb 4392{
88843ab0 4393 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan,
0b209fae 4394 __get_reqseq(chan, rx_control), rx_control);
0e98958d 4395
0b209fae 4396 chan->expected_ack_seq = __get_reqseq(chan, rx_control);
42e5c802 4397 l2cap_drop_acked_frames(chan);
1c2acffb 4398
e3781735 4399 if (__is_ctrl_poll(chan, rx_control)) {
e2ab4353
GP		 4400 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4401 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
4402 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 4403 (chan->unacked_frames > 0))
1a09bcb9 4404 __set_retrans_timer(chan);
05fbd89d 4405
e2ab4353 4406 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
525cd185 4407 l2cap_send_srejtail(chan);
05fbd89d 4408 } else {
525cd185 4409 l2cap_send_i_or_rr_or_rnr(chan);
05fbd89d 4410 }
1d8f5d16 4411
03f6715d 4412 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4413 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4ec10d97 4414
e2ab4353 4415 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 4416 l2cap_retransmit_frames(chan);
2246b2f1 4417
e072745f 4418 } else {
e2ab4353 4419 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 4420 (chan->unacked_frames > 0))
1a09bcb9 4421 __set_retrans_timer(chan);
1c2acffb 4422
e2ab4353
GP		 4423 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4424 if (test_bit(CONN_SREJ_SENT, &chan->conn_state))
525cd185 4425 l2cap_send_ack(chan);
894718a6 4426 else
525cd185 4427 l2cap_ertm_send(chan);
e072745f
GP		 4428 }
4429}
2246b2f1 4430
88843ab0 4431static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4432{
0b209fae 4433 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 4434
88843ab0 4435 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4436
e2ab4353 4437 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
e072745f 4438
42e5c802
GP		 4439 chan->expected_ack_seq = tx_seq;
4440 l2cap_drop_acked_frames(chan);
e072745f 4441
03f6715d 4442 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4443 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 4444 l2cap_retransmit_frames(chan);
e072745f 4445 } else {
525cd185 4446 l2cap_retransmit_frames(chan);
30afb5b2 4447
e2ab4353
GP		 4448 if (test_bit(CONN_WAIT_F, &chan->conn_state))
4449 set_bit(CONN_REJ_ACT, &chan->conn_state);
e072745f
GP		 4450 }
4451}
88843ab0 4452static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4453{
0b209fae 4454 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 4455
88843ab0 4456 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4457
e2ab4353 4458 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
2246b2f1 4459
e3781735 4460 if (__is_ctrl_poll(chan, rx_control)) {
42e5c802
GP		 4461 chan->expected_ack_seq = tx_seq;
4462 l2cap_drop_acked_frames(chan);
3cb123d1 4463
e2ab4353 4464 set_bit(CONN_SEND_FBIT, &chan->conn_state);
525cd185 4465 l2cap_retransmit_one_frame(chan, tx_seq);
dfc909be 4466
525cd185 4467 l2cap_ertm_send(chan);
dfc909be 4468
e2ab4353 4469 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 4470 chan->srej_save_reqseq = tx_seq;
e2ab4353 4471 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 4472 }
03f6715d 4473 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4474 if (test_bit(CONN_SREJ_ACT, &chan->conn_state) &&
6a026610 4475 chan->srej_save_reqseq == tx_seq)
e2ab4353 4476 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
e072745f 4477 else
525cd185 4478 l2cap_retransmit_one_frame(chan, tx_seq);
e072745f 4479 } else {
525cd185 4480 l2cap_retransmit_one_frame(chan, tx_seq);
e2ab4353 4481 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 4482 chan->srej_save_reqseq = tx_seq;
e2ab4353 4483 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 4484 }
e072745f
GP		 4485 }
4486}
4487
88843ab0 4488static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4489{
0b209fae 4490 u16 tx_seq = __get_reqseq(chan, rx_control);
e072745f 4491
88843ab0 4492 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4493
e2ab4353 4494 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
42e5c802
GP		 4495 chan->expected_ack_seq = tx_seq;
4496 l2cap_drop_acked_frames(chan);
e072745f 4497
e3781735 4498 if (__is_ctrl_poll(chan, rx_control))
e2ab4353 4499 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3cb123d1 4500
e2ab4353 4501 if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
1a09bcb9 4502 __clear_retrans_timer(chan);
e3781735 4503 if (__is_ctrl_poll(chan, rx_control))
525cd185 4504 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
99b0d4b7 4505 return;
e072745f 4506 }
99b0d4b7 4507
e3781735 4508 if (__is_ctrl_poll(chan, rx_control)) {
525cd185 4509 l2cap_send_srejtail(chan);
ab784b73
AE		 4510 } else {
4511 rx_control = __set_ctrl_super(chan, L2CAP_SUPER_RR);
4512 l2cap_send_sframe(chan, rx_control);
4513 }
e072745f
GP		 4514}
4515
88843ab0 4516static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
e072745f 4517{
88843ab0 4518 BT_DBG("chan %p rx_control 0x%8.8x len %d", chan, rx_control, skb->len);
e072745f 4519
03f6715d 4520 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 4521 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 4522 __clear_monitor_timer(chan);
6a026610 4523 if (chan->unacked_frames > 0)
1a09bcb9 4524 __set_retrans_timer(chan);
e2ab4353 4525 clear_bit(CONN_WAIT_F, &chan->conn_state);
e072745f
GP		 4526 }
4527
ab784b73
AE		 4528 switch (__get_ctrl_super(chan, rx_control)) {
4529 case L2CAP_SUPER_RR:
525cd185 4530 l2cap_data_channel_rrframe(chan, rx_control);
8f17154f
GP		 4531 break;
4532
ab784b73 4533 case L2CAP_SUPER_REJ:
525cd185 4534 l2cap_data_channel_rejframe(chan, rx_control);
e072745f 4535 break;
2246b2f1 4536
ab784b73 4537 case L2CAP_SUPER_SREJ:
525cd185 4538 l2cap_data_channel_srejframe(chan, rx_control);
e072745f
GP		 4539 break;
4540
ab784b73 4541 case L2CAP_SUPER_RNR:
525cd185 4542 l2cap_data_channel_rnrframe(chan, rx_control);
1c2acffb
GP		 4543 break;
4544 }
4545
faaebd19 4546 kfree_skb(skb);
1c2acffb
GP		 4547 return 0;
4548}
4549
cad8f1d0 4550static int l2cap_ertm_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
218bb9df 4551{
88843ab0 4552 u32 control;
0b209fae 4553 u16 req_seq;
218bb9df
GP		 4554 int len, next_tx_seq_offset, req_seq_offset;
4555
b76bbd66
MM		 4556 __unpack_control(chan, skb);
4557
88843ab0
AE		 4558 control = __get_control(chan, skb->data);
4559 skb_pull(skb, __ctrl_size(chan));
218bb9df
GP		 4560 len = skb->len;
4561
4562 /*
4563 * We can just drop the corrupted I-frame here.
4564 * Receiver will miss it and start proper recovery
4565 * procedures and ask retransmission.
4566 */
47d1ec61 4567 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 4568 goto drop;
4569
793c2f1c 4570 if (__is_sar_start(chan, control) && !__is_sframe(chan, control))
03a51213 4571 len -= L2CAP_SDULEN_SIZE;
218bb9df 4572
47d1ec61 4573 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 4574 len -= L2CAP_FCS_SIZE;
218bb9df 4575
47d1ec61 4576 if (len > chan->mps) {
8c1d787b 4577 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4578 goto drop;
4579 }
4580
0b209fae 4581 req_seq = __get_reqseq(chan, control);
218bb9df 4582
836be934
AE		 4583 req_seq_offset = __seq_offset(chan, req_seq, chan->expected_ack_seq);
4584
4585 next_tx_seq_offset = __seq_offset(chan, chan->next_tx_seq,
4586 chan->expected_ack_seq);
218bb9df
GP		 4587
4588 /* check for invalid req-seq */
4589 if (req_seq_offset > next_tx_seq_offset) {
8c1d787b 4590 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4591 goto drop;
4592 }
4593
793c2f1c 4594 if (!__is_sframe(chan, control)) {
218bb9df 4595 if (len < 0) {
8c1d787b 4596 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4597 goto drop;
4598 }
4599
525cd185 4600 l2cap_data_channel_iframe(chan, control, skb);
218bb9df
GP		 4601 } else {
4602 if (len != 0) {
4603 BT_ERR("%d", len);
8c1d787b 4604 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4605 goto drop;
4606 }
4607
525cd185 4608 l2cap_data_channel_sframe(chan, control, skb);
218bb9df
GP		 4609 }
4610
4611 return 0;
4612
4613drop:
4614 kfree_skb(skb);
4615 return 0;
4616}
4617
1da177e4
LT		 4618static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
4619{
48454079 4620 struct l2cap_chan *chan;
88843ab0 4621 u32 control;
fb45de7d 4622 u16 tx_seq;
218bb9df 4623 int len;
1da177e4 4624
baa7e1fa 4625 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 4626 if (!chan) {
1da177e4 4627 BT_DBG("unknown cid 0x%4.4x", cid);
6be36555 4628 /* Drop packet and return */
3379013b 4629 kfree_skb(skb);
6be36555 4630 return 0;
1da177e4
LT		 4631 }
4632
49208c9c 4633 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 4634
89bc500e 4635 if (chan->state != BT_CONNECTED)
1da177e4
LT		 4636 goto drop;
4637
0c1bc5c6 4638 switch (chan->mode) {
1c2acffb
GP		 4639 case L2CAP_MODE_BASIC:
4640 /* If socket recv buffers overflows we drop data here
4641 * which is *bad* because L2CAP has to be reliable.
4642 * But we don't have any other choice. L2CAP doesn't
4643 * provide flow control mechanism. */
1da177e4 4644
0c1bc5c6 4645 if (chan->imtu < skb->len)
1c2acffb 4646 goto drop;
1da177e4 4647
23070494 4648 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP		 4649 goto done;
4650 break;
4651
4652 case L2CAP_MODE_ERTM:
5ef8cb9e 4653 l2cap_ertm_data_rcv(chan, skb);
1c2acffb 4654
fcafde2e 4655 goto done;
1c2acffb 4656
6840ed07 4657 case L2CAP_MODE_STREAMING:
88843ab0
AE		 4658 control = __get_control(chan, skb->data);
4659 skb_pull(skb, __ctrl_size(chan));
6840ed07
GP		 4660 len = skb->len;
4661
47d1ec61 4662 if (l2cap_check_fcs(chan, skb))
26000089
GP		 4663 goto drop;
4664
7e0ef6ee 4665 if (__is_sar_start(chan, control))
03a51213 4666 len -= L2CAP_SDULEN_SIZE;
6840ed07 4667
47d1ec61 4668 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 4669 len -= L2CAP_FCS_SIZE;
fcc203c3 4670
793c2f1c 4671 if (len > chan->mps || len < 0 || __is_sframe(chan, control))
6840ed07
GP		 4672 goto drop;
4673
fb45de7d 4674 tx_seq = __get_txseq(chan, control);
6840ed07 4675
84084a31
MM		 4676 if (chan->expected_tx_seq != tx_seq) {
4677 /* Frame(s) missing - must discard partial SDU */
4678 kfree_skb(chan->sdu);
4679 chan->sdu = NULL;
4680 chan->sdu_last_frag = NULL;
4681 chan->sdu_len = 0;
6840ed07 4682
84084a31
MM		 4683 /* TODO: Notify userland of missing data */
4684 }
4685
836be934 4686 chan->expected_tx_seq = __next_seq(chan, tx_seq);
84084a31
MM		 4687
4688 if (l2cap_reassemble_sdu(chan, skb, control) == -EMSGSIZE)
4689 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
6840ed07
GP		 4690
4691 goto done;
4692
1c2acffb 4693 default:
0c1bc5c6 4694 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 4695 break;
4696 }
1da177e4
LT		 4697
4698drop:
4699 kfree_skb(skb);
4700
4701done:
6be36555 4702 l2cap_chan_unlock(chan);
0139418c 4703
1da177e4
LT		 4704 return 0;
4705}
4706
8e036fc3 4707static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 4708{
23691d75 4709 struct l2cap_chan *chan;
1da177e4 4710
c2287681 4711 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 4712 if (!chan)
1da177e4
LT		 4713 goto drop;
4714
5b4cedaa 4715 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 4716
89bc500e 4717 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 4718 goto drop;
4719
e13e21dc 4720 if (chan->imtu < skb->len)
1da177e4
LT		 4721 goto drop;
4722
23070494 4723 if (!chan->ops->recv(chan->data, skb))
5b4cedaa 4724 return 0;
1da177e4
LT		 4725
4726drop:
4727 kfree_skb(skb);
4728
1da177e4
LT		 4729 return 0;
4730}
4731
d9b88702
AE		 4732static inline int l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
4733 struct sk_buff *skb)
9f69bda6 4734{
23691d75 4735 struct l2cap_chan *chan;
9f69bda6 4736
c2287681 4737 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 4738 if (!chan)
9f69bda6
GP		 4739 goto drop;
4740
5b4cedaa 4741 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 4742
89bc500e 4743 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 4744 goto drop;
4745
e13e21dc 4746 if (chan->imtu < skb->len)
9f69bda6
GP		 4747 goto drop;
4748
23070494 4749 if (!chan->ops->recv(chan->data, skb))
5b4cedaa 4750 return 0;
9f69bda6
GP		 4751
4752drop:
4753 kfree_skb(skb);
4754
9f69bda6
GP		 4755 return 0;
4756}
4757
1da177e4
LT		 4758static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4759{
4760 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4761 u16 cid, len;
4762 __le16 psm;
1da177e4
LT		 4763
4764 skb_pull(skb, L2CAP_HDR_SIZE);
4765 cid = __le16_to_cpu(lh->cid);
4766 len = __le16_to_cpu(lh->len);
4767
1c2acffb
GP		 4768 if (len != skb->len) {
4769 kfree_skb(skb);
4770 return;
4771 }
4772
1da177e4
LT		 4773 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4774
4775 switch (cid) {
3300d9a9 4776 case L2CAP_CID_LE_SIGNALING:
8db4dc46 4777 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4778 l2cap_sig_channel(conn, skb);
4779 break;
4780
8db4dc46 4781 case L2CAP_CID_CONN_LESS:
097db76c 4782 psm = get_unaligned((__le16 *) skb->data);
1da177e4
LT		 4783 skb_pull(skb, 2);
4784 l2cap_conless_channel(conn, psm, skb);
4785 break;
4786
9f69bda6
GP		 4787 case L2CAP_CID_LE_DATA:
4788 l2cap_att_channel(conn, cid, skb);
4789 break;
4790
b501d6a1
AB		 4791 case L2CAP_CID_SMP:
4792 if (smp_sig_channel(conn, skb))
4793 l2cap_conn_del(conn->hcon, EACCES);
4794 break;
4795
1da177e4
LT		 4796 default:
4797 l2cap_data_channel(conn, cid, skb);
4798 break;
4799 }
4800}
4801
4802/* ---- L2CAP interface with lower layer (HCI) ---- */
4803
686ebf28 4804int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 4805{
4806 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 4807 struct l2cap_chan *c;
1da177e4 4808
1da177e4
LT		 4809 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4810
4811 /* Find listening sockets and check their link_mode */
23691d75
GP		 4812 read_lock(&chan_list_lock);
4813 list_for_each_entry(c, &chan_list, global_l) {
4814 struct sock *sk = c->sk;
4343478f 4815
89bc500e 4816 if (c->state != BT_LISTEN)
1da177e4
LT		 4817 continue;
4818
4819 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4820 lm1 |= HCI_LM_ACCEPT;
43bd0f32 4821 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 4822 lm1 |= HCI_LM_MASTER;
1da177e4 4823 exact++;
2af6b9d5
MH		 4824 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4825 lm2 |= HCI_LM_ACCEPT;
43bd0f32 4826 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 4827 lm2 |= HCI_LM_MASTER;
4828 }
1da177e4 4829 }
23691d75 4830 read_unlock(&chan_list_lock);
1da177e4
LT		 4831
4832 return exact ? lm1 : lm2;
4833}
4834
686ebf28 4835int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 4836{
0139418c
MH		 4837 struct l2cap_conn *conn;
4838
1da177e4
LT		 4839 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4840
1da177e4 4841 if (!status) {
1da177e4
LT		 4842 conn = l2cap_conn_add(hcon, status);
4843 if (conn)
4844 l2cap_conn_ready(conn);
0139418c 4845 } else
e175072f 4846 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 4847
4848 return 0;
4849}
4850
686ebf28 4851int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 4852{
4853 struct l2cap_conn *conn = hcon->l2cap_data;
4854
4855 BT_DBG("hcon %p", hcon);
4856
686ebf28 4857 if (!conn)
9f5a0d7b 4858 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 4859 return conn->disc_reason;
4860}
4861
686ebf28 4862int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4863{
4864 BT_DBG("hcon %p reason %d", hcon, reason);
4865
e175072f 4866 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 4867 return 0;
4868}
4869
4343478f 4870static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4871{
715ec005 4872 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 4873 return;
4874
f62e4323 4875 if (encrypt == 0x00) {
4343478f 4876 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 4877 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 4878 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 4879 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4880 } else {
4343478f 4881 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 4882 __clear_chan_timer(chan);
f62e4323
MH		 4883 }
4884}
4885
686ebf28 4886int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4887{
0139418c 4888 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4889 struct l2cap_chan *chan;
1da177e4 4890
0139418c 4891 if (!conn)
1da177e4 4892 return 0;
0139418c 4893
1da177e4
LT		 4894 BT_DBG("conn %p", conn);
4895
160dc6ac 4896 if (hcon->type == LE_LINK) {
35d4adcc
HG		 4897 if (!status && encrypt)
4898 smp_distribute_keys(conn, 0);
17cd3f37 4899 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 4900 }
4901
3df91ea2 4902 mutex_lock(&conn->chan_lock);
1da177e4 4903
3df91ea2 4904 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 4905 l2cap_chan_lock(chan);
1da177e4 4906
f1cb9af5
VCG		 4907 BT_DBG("chan->scid %d", chan->scid);
4908
4909 if (chan->scid == L2CAP_CID_LE_DATA) {
4910 if (!status && encrypt) {
4911 chan->sec_level = hcon->sec_level;
cf4cd009 4912 l2cap_chan_ready(chan);
f1cb9af5
VCG		 4913 }
4914
6be36555 4915 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 4916 continue;
4917 }
4918
c1360a1c 4919 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6be36555 4920 l2cap_chan_unlock(chan);
6a8d3010
MH		 4921 continue;
4922 }
4923
89bc500e
GP		 4924 if (!status && (chan->state == BT_CONNECTED ||
4925 chan->state == BT_CONFIG)) {
a7d7723a
GP		 4926 struct sock *sk = chan->sk;
4927
c5daa683 4928 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 4929 sk->sk_state_change(sk);
4930
4343478f 4931 l2cap_check_encryption(chan, encrypt);
6be36555 4932 l2cap_chan_unlock(chan);
9719f8af
MH		 4933 continue;
4934 }
4935
89bc500e 4936 if (chan->state == BT_CONNECT) {
b1235d79 4937 if (!status) {
9b27f350 4938 l2cap_send_conn_req(chan);
b1235d79 4939 } else {
ba13ccd9 4940 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 4941 }
89bc500e 4942 } else if (chan->state == BT_CONNECT2) {
6be36555 4943 struct sock *sk = chan->sk;
b1235d79 4944 struct l2cap_conn_rsp rsp;
df3c3931 4945 __u16 res, stat;
1da177e4 4946
6be36555
AE		 4947 lock_sock(sk);
4948
b1235d79 4949 if (!status) {
c5daa683
GP		 4950 if (test_bit(BT_SK_DEFER_SETUP,
4951 &bt_sk(sk)->flags)) {
df3c3931
JH		 4952 struct sock *parent = bt_sk(sk)->parent;
4953 res = L2CAP_CR_PEND;
4954 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 4955 if (parent)
4956 parent->sk_data_ready(parent, 0);
df3c3931 4957 } else {
0e587be7 4958 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 4959 res = L2CAP_CR_SUCCESS;
4960 stat = L2CAP_CS_NO_INFO;
4961 }
b1235d79 4962 } else {
0e587be7 4963 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 4964 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 4965 res = L2CAP_CR_SEC_BLOCK;
4966 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 4967 }
4968
6be36555
AE		 4969 release_sock(sk);
4970
fe4128e0
GP		 4971 rsp.scid = cpu_to_le16(chan->dcid);
4972 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 4973 rsp.result = cpu_to_le16(res);
4974 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 4975 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4976 sizeof(rsp), &rsp);
b1235d79 4977 }
1da177e4 4978
6be36555 4979 l2cap_chan_unlock(chan);
1da177e4
LT		 4980 }
4981
3df91ea2 4982 mutex_unlock(&conn->chan_lock);
b1235d79 4983
1da177e4
LT		 4984 return 0;
4985}
4986
686ebf28 4987int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 4988{
4989 struct l2cap_conn *conn = hcon->l2cap_data;
4990
5a08ecce
AE		 4991 if (!conn)
4992 conn = l2cap_conn_add(hcon, 0);
4993
4994 if (!conn)
1da177e4
LT		 4995 goto drop;
4996
4997 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4998
e702112f 4999 if (!(flags & ACL_CONT)) {
1da177e4
LT		 5000 struct l2cap_hdr *hdr;
5001 int len;
5002
5003 if (conn->rx_len) {
5004 BT_ERR("Unexpected start frame (len %d)", skb->len);
5005 kfree_skb(conn->rx_skb);
5006 conn->rx_skb = NULL;
5007 conn->rx_len = 0;
5008 l2cap_conn_unreliable(conn, ECOMM);
5009 }
5010
aae7fe22
AE		 5011 /* Start fragment always begin with Basic L2CAP header */
5012 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 5013 BT_ERR("Frame is too short (len %d)", skb->len);
5014 l2cap_conn_unreliable(conn, ECOMM);
5015 goto drop;
5016 }
5017
5018 hdr = (struct l2cap_hdr *) skb->data;
5019 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
5020
5021 if (len == skb->len) {
5022 /* Complete frame received */
5023 l2cap_recv_frame(conn, skb);
5024 return 0;
5025 }
5026
5027 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
5028
5029 if (skb->len > len) {
5030 BT_ERR("Frame is too long (len %d, expected len %d)",
5031 skb->len, len);
5032 l2cap_conn_unreliable(conn, ECOMM);
5033 goto drop;
5034 }
5035
5036 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 5037 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
5038 if (!conn->rx_skb)
1da177e4
LT		 5039 goto drop;
5040
d626f62b 5041 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5042 skb->len);
1da177e4
LT		 5043 conn->rx_len = len - skb->len;
5044 } else {
5045 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
5046
5047 if (!conn->rx_len) {
5048 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
5049 l2cap_conn_unreliable(conn, ECOMM);
5050 goto drop;
5051 }
5052
5053 if (skb->len > conn->rx_len) {
5054 BT_ERR("Fragment is too long (len %d, expected %d)",
5055 skb->len, conn->rx_len);
5056 kfree_skb(conn->rx_skb);
5057 conn->rx_skb = NULL;
5058 conn->rx_len = 0;
5059 l2cap_conn_unreliable(conn, ECOMM);
5060 goto drop;
5061 }
5062
d626f62b 5063 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5064 skb->len);
1da177e4
LT		 5065 conn->rx_len -= skb->len;
5066
5067 if (!conn->rx_len) {
5068 /* Complete frame received */
5069 l2cap_recv_frame(conn, conn->rx_skb);
5070 conn->rx_skb = NULL;
5071 }
5072 }
5073
5074drop:
5075 kfree_skb(skb);
5076 return 0;
5077}
5078
aef7d97c 5079static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 5080{
23691d75 5081 struct l2cap_chan *c;
1da177e4 5082
333055f2 5083 read_lock(&chan_list_lock);
1da177e4 5084
23691d75
GP		 5085 list_for_each_entry(c, &chan_list, global_l) {
5086 struct sock *sk = c->sk;
101545f6 5087
903d343e 5088 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 5089 batostr(&bt_sk(sk)->src),
5090 batostr(&bt_sk(sk)->dst),
89bc500e 5091 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 5092 c->scid, c->dcid, c->imtu, c->omtu,
5093 c->sec_level, c->mode);
61e1b4b7 5094 }
1da177e4 5095
333055f2 5096 read_unlock(&chan_list_lock);
1da177e4 5097
aef7d97c 5098 return 0;
1da177e4
LT		 5099}
5100
aef7d97c
MH		 5101static int l2cap_debugfs_open(struct inode *inode, struct file *file)
5102{
5103 return single_open(file, l2cap_debugfs_show, inode->i_private);
5104}
5105
5106static const struct file_operations l2cap_debugfs_fops = {
5107 .open = l2cap_debugfs_open,
5108 .read = seq_read,
5109 .llseek = seq_lseek,
5110 .release = single_release,
5111};
5112
5113static struct dentry *l2cap_debugfs;
1da177e4 5114
64274518 5115int __init l2cap_init(void)
1da177e4
LT		 5116{
5117 int err;
be9d1227 5118
bb58f747 5119 err = l2cap_init_sockets();
1da177e4
LT		 5120 if (err < 0)
5121 return err;
5122
aef7d97c
MH		 5123 if (bt_debugfs) {
5124 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
5125 bt_debugfs, NULL, &l2cap_debugfs_fops);
5126 if (!l2cap_debugfs)
5127 BT_ERR("Failed to create L2CAP debug file");
5128 }
1da177e4 5129
1da177e4 5130 return 0;
1da177e4
LT		 5131}
5132
64274518 5133void l2cap_exit(void)
1da177e4 5134{
aef7d97c 5135 debugfs_remove(l2cap_debugfs);
bb58f747 5136 l2cap_cleanup_sockets();
1da177e4
LT		 5137}
5138
d1c4a17d
GP		 5139module_param(disable_ertm, bool, 0644);
5140MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)