projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Use symbolic values for the fixed channel map
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
1da177e4
LT		 6
7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License version 2 as
11 published by the Free Software Foundation;
12
13 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
14 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
16 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 17 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
18 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
19 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 20 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21
8e87d142
YH		 22 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
23 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 24 SOFTWARE IS DISCLAIMED.
25*/
26
bb58f747 27/* Bluetooth L2CAP core. */
1da177e4 28
1da177e4
LT		 29#include <linux/module.h>
30
31#include <linux/types.h>
4fc268d2 32#include <linux/capability.h>
1da177e4
LT		 33#include <linux/errno.h>
34#include <linux/kernel.h>
1da177e4
LT		 35#include <linux/sched.h>
36#include <linux/slab.h>
37#include <linux/poll.h>
38#include <linux/fcntl.h>
39#include <linux/init.h>
40#include <linux/interrupt.h>
41#include <linux/socket.h>
42#include <linux/skbuff.h>
1da177e4 43#include <linux/list.h>
be9d1227 44#include <linux/device.h>
aef7d97c
MH		 45#include <linux/debugfs.h>
46#include <linux/seq_file.h>
af05b30b 47#include <linux/uaccess.h>
fcc203c3 48#include <linux/crc16.h>
1da177e4
LT		 49#include <net/sock.h>
50
51#include <asm/system.h>
1da177e4
LT		 52#include <asm/unaligned.h>
53
54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h>
b501d6a1 57#include <net/bluetooth/smp.h>
1da177e4 58
bb58f747 59int disable_ertm;
a5fd6f30 60int enable_hs;
f0709e03 61
47ec1dcd 62static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 63static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 64
b5ad8b7f
JB		 65static LIST_HEAD(chan_list);
66static DEFINE_RWLOCK(chan_list_lock);
1da177e4 67
1da177e4
LT		 68static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
69 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 70static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
71 void *data);
710f9b0a 72static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a
GP		 73static void l2cap_send_disconn_req(struct l2cap_conn *conn,
74 struct l2cap_chan *chan, int err);
1da177e4 75
218bb9df
GP		 76static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
77
0139418c 78/* ---- L2CAP channels ---- */
71ba0e56
GP		 79
80static inline void chan_hold(struct l2cap_chan *c)
81{
82 atomic_inc(&c->refcnt);
83}
84
85static inline void chan_put(struct l2cap_chan *c)
86{
87 if (atomic_dec_and_test(&c->refcnt))
88 kfree(c);
89}
90
baa7e1fa 91static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 92{
48454079 93 struct l2cap_chan *c;
baa7e1fa
GP		 94
95 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 96 if (c->dcid == cid)
baa7e1fa 97 return c;
0139418c 98 }
baa7e1fa
GP		 99 return NULL;
100
0139418c
MH		 101}
102
baa7e1fa 103static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 104{
48454079 105 struct l2cap_chan *c;
baa7e1fa
GP		 106
107 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 108 if (c->scid == cid)
baa7e1fa 109 return c;
0139418c 110 }
baa7e1fa 111 return NULL;
0139418c
MH		 112}
113
114/* Find channel with given SCID.
115 * Returns locked socket */
baa7e1fa 116static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 117{
48454079 118 struct l2cap_chan *c;
baa7e1fa
GP		 119
120 read_lock(&conn->chan_lock);
121 c = __l2cap_get_chan_by_scid(conn, cid);
48454079
GP		 122 if (c)
123 bh_lock_sock(c->sk);
baa7e1fa 124 read_unlock(&conn->chan_lock);
48454079 125 return c;
0139418c
MH		 126}
127
baa7e1fa 128static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 129{
48454079 130 struct l2cap_chan *c;
baa7e1fa
GP		 131
132 list_for_each_entry(c, &conn->chan_l, list) {
fc7f8a7e 133 if (c->ident == ident)
baa7e1fa 134 return c;
0139418c 135 }
baa7e1fa 136 return NULL;
0139418c
MH		 137}
138
baa7e1fa 139static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 140{
48454079 141 struct l2cap_chan *c;
baa7e1fa
GP		 142
143 read_lock(&conn->chan_lock);
144 c = __l2cap_get_chan_by_ident(conn, ident);
48454079
GP		 145 if (c)
146 bh_lock_sock(c->sk);
baa7e1fa 147 read_unlock(&conn->chan_lock);
48454079 148 return c;
0139418c
MH		 149}
150
23691d75 151static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 152{
23691d75 153 struct l2cap_chan *c;
9e4425ff 154
23691d75
GP		 155 list_for_each_entry(c, &chan_list, global_l) {
156 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
9e4425ff
GP		 157 goto found;
158 }
159
23691d75 160 c = NULL;
9e4425ff 161found:
23691d75 162 return c;
9e4425ff
GP		 163}
164
165int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
166{
73b2ec18
GP		 167 int err;
168
23691d75 169 write_lock_bh(&chan_list_lock);
9e4425ff 170
23691d75 171 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 172 err = -EADDRINUSE;
173 goto done;
9e4425ff
GP		 174 }
175
73b2ec18
GP		 176 if (psm) {
177 chan->psm = psm;
178 chan->sport = psm;
179 err = 0;
180 } else {
181 u16 p;
182
183 err = -EINVAL;
184 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 185 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 186 chan->psm = cpu_to_le16(p);
187 chan->sport = cpu_to_le16(p);
188 err = 0;
189 break;
190 }
191 }
9e4425ff 192
73b2ec18 193done:
23691d75 194 write_unlock_bh(&chan_list_lock);
73b2ec18 195 return err;
9e4425ff
GP		 196}
197
198int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
199{
23691d75 200 write_lock_bh(&chan_list_lock);
9e4425ff
GP		 201
202 chan->scid = scid;
203
23691d75 204 write_unlock_bh(&chan_list_lock);
9e4425ff
GP		 205
206 return 0;
207}
208
baa7e1fa 209static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 210{
8db4dc46 211 u16 cid = L2CAP_CID_DYN_START;
0139418c 212
8db4dc46 213 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 214 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 215 return cid;
216 }
217
218 return 0;
219}
220
c9b66675 221static void l2cap_set_timer(struct l2cap_chan *chan, struct timer_list *timer, long timeout)
ab07801d 222{
457f4850 223 BT_DBG("chan %p state %d timeout %ld", chan, chan->state, timeout);
89bc500e 224
942ecc9c 225 if (!mod_timer(timer, jiffies + msecs_to_jiffies(timeout)))
774e5651 226 chan_hold(chan);
ab07801d
GP		 227}
228
c9b66675 229static void l2cap_clear_timer(struct l2cap_chan *chan, struct timer_list *timer)
ab07801d 230{
774e5651 231 BT_DBG("chan %p state %d", chan, chan->state);
ab07801d 232
774e5651
MM		 233 if (timer_pending(timer) && del_timer(timer))
234 chan_put(chan);
ab07801d
GP		 235}
236
89bc500e
GP		 237static void l2cap_state_change(struct l2cap_chan *chan, int state)
238{
239 chan->state = state;
240 chan->ops->state_change(chan->data, state);
241}
242
ab07801d
GP		 243static void l2cap_chan_timeout(unsigned long arg)
244{
245 struct l2cap_chan *chan = (struct l2cap_chan *) arg;
246 struct sock *sk = chan->sk;
247 int reason;
248
89bc500e 249 BT_DBG("chan %p state %d", chan, chan->state);
ab07801d
GP		 250
251 bh_lock_sock(sk);
252
253 if (sock_owned_by_user(sk)) {
254 /* sk is owned by user. Try again later */
c9b66675 255 __set_chan_timer(chan, HZ / 5);
ab07801d 256 bh_unlock_sock(sk);
71ba0e56 257 chan_put(chan);
ab07801d
GP		 258 return;
259 }
260
89bc500e 261 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 262 reason = ECONNREFUSED;
89bc500e 263 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 264 chan->sec_level != BT_SECURITY_SDP)
265 reason = ECONNREFUSED;
266 else
267 reason = ETIMEDOUT;
268
0f852724 269 l2cap_chan_close(chan, reason);
ab07801d
GP		 270
271 bh_unlock_sock(sk);
272
ba3bd0ee 273 chan->ops->close(chan->data);
71ba0e56 274 chan_put(chan);
ab07801d
GP		 275}
276
23691d75 277struct l2cap_chan *l2cap_chan_create(struct sock *sk)
48454079
GP		 278{
279 struct l2cap_chan *chan;
280
281 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
282 if (!chan)
283 return NULL;
284
285 chan->sk = sk;
286
23691d75
GP		 287 write_lock_bh(&chan_list_lock);
288 list_add(&chan->global_l, &chan_list);
289 write_unlock_bh(&chan_list_lock);
290
ab07801d
GP		 291 setup_timer(&chan->chan_timer, l2cap_chan_timeout, (unsigned long) chan);
292
89bc500e
GP		 293 chan->state = BT_OPEN;
294
71ba0e56
GP		 295 atomic_set(&chan->refcnt, 1);
296
48454079
GP		 297 return chan;
298}
299
23691d75 300void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 301{
23691d75
GP		 302 write_lock_bh(&chan_list_lock);
303 list_del(&chan->global_l);
304 write_unlock_bh(&chan_list_lock);
305
71ba0e56 306 chan_put(chan);
6ff5abbf
GP		 307}
308
48454079 309static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 310{
af05b30b 311 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
fe4128e0 312 chan->psm, chan->dcid);
0139418c 313
2950f21a
MH		 314 conn->disc_reason = 0x13;
315
8c1d787b 316 chan->conn = conn;
0139418c 317
715ec005 318 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
b62f328b
VT		 319 if (conn->hcon->type == LE_LINK) {
320 /* LE connection */
0c1bc5c6 321 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 322 chan->scid = L2CAP_CID_LE_DATA;
323 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 324 } else {
325 /* Alloc CID for connection-oriented socket */
fe4128e0 326 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 327 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 328 }
715ec005 329 } else if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
0139418c 330 /* Connectionless socket */
fe4128e0
GP		 331 chan->scid = L2CAP_CID_CONN_LESS;
332 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 333 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 334 } else {
335 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 336 chan->scid = L2CAP_CID_SIGNALING;
337 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 338 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 339 }
340
8f7975b1
AE		 341 chan->local_id = L2CAP_BESTEFFORT_ID;
342 chan->local_stype = L2CAP_SERV_BESTEFFORT;
343 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
344 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
345 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
346 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
347
71ba0e56 348 chan_hold(chan);
baa7e1fa
GP		 349
350 list_add(&chan->list, &conn->chan_l);
0139418c
MH		 351}
352
8e87d142 353/* Delete channel.
0139418c 354 * Must be called on the locked socket. */
4519de9a 355static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 356{
48454079 357 struct sock *sk = chan->sk;
8c1d787b 358 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 359 struct sock *parent = bt_sk(sk)->parent;
360
c9b66675 361 __clear_chan_timer(chan);
0139418c 362
49208c9c 363 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 364
8e87d142 365 if (conn) {
baa7e1fa
GP		 366 /* Delete from channel list */
367 write_lock_bh(&conn->chan_lock);
368 list_del(&chan->list);
369 write_unlock_bh(&conn->chan_lock);
71ba0e56 370 chan_put(chan);
baa7e1fa 371
8c1d787b 372 chan->conn = NULL;
0139418c
MH		 373 hci_conn_put(conn->hcon);
374 }
375
89bc500e 376 l2cap_state_change(chan, BT_CLOSED);
0139418c
MH		 377 sock_set_flag(sk, SOCK_ZAPPED);
378
379 if (err)
380 sk->sk_err = err;
381
382 if (parent) {
383 bt_accept_unlink(sk);
384 parent->sk_data_ready(parent, 0);
385 } else
386 sk->sk_state_change(sk);
c13ffa62 387
c1360a1c
GP		 388 if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
389 test_bit(CONF_INPUT_DONE, &chan->conf_state)))
6ff5abbf 390 return;
2ead70b8 391
58d35f87 392 skb_queue_purge(&chan->tx_q);
c13ffa62 393
0c1bc5c6 394 if (chan->mode == L2CAP_MODE_ERTM) {
c13ffa62
GP		 395 struct srej_list *l, *tmp;
396
1a09bcb9
GP		 397 __clear_retrans_timer(chan);
398 __clear_monitor_timer(chan);
399 __clear_ack_timer(chan);
c13ffa62 400
f1c6775b 401 skb_queue_purge(&chan->srej_q);
c13ffa62 402
39d5a3ee 403 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
c13ffa62
GP		 404 list_del(&l->list);
405 kfree(l);
406 }
407 }
0139418c
MH		 408}
409
4519de9a
GP		 410static void l2cap_chan_cleanup_listen(struct sock *parent)
411{
412 struct sock *sk;
413
414 BT_DBG("parent %p", parent);
415
416 /* Close not yet accepted channels */
0f852724 417 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee 418 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
c9b66675 419 __clear_chan_timer(chan);
0f852724 420 lock_sock(sk);
ba3bd0ee 421 l2cap_chan_close(chan, ECONNRESET);
0f852724 422 release_sock(sk);
ba3bd0ee 423 chan->ops->close(chan->data);
0f852724 424 }
4519de9a
GP		 425}
426
0f852724 427void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 428{
429 struct l2cap_conn *conn = chan->conn;
430 struct sock *sk = chan->sk;
431
89bc500e 432 BT_DBG("chan %p state %d socket %p", chan, chan->state, sk->sk_socket);
4519de9a 433
89bc500e 434 switch (chan->state) {
4519de9a
GP		 435 case BT_LISTEN:
436 l2cap_chan_cleanup_listen(sk);
89bc500e
GP		 437
438 l2cap_state_change(chan, BT_CLOSED);
439 sock_set_flag(sk, SOCK_ZAPPED);
4519de9a
GP		 440 break;
441
442 case BT_CONNECTED:
443 case BT_CONFIG:
715ec005 444 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 445 conn->hcon->type == ACL_LINK) {
c9b66675
GP		 446 __clear_chan_timer(chan);
447 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 448 l2cap_send_disconn_req(conn, chan, reason);
449 } else
450 l2cap_chan_del(chan, reason);
451 break;
452
453 case BT_CONNECT2:
715ec005 454 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 455 conn->hcon->type == ACL_LINK) {
456 struct l2cap_conn_rsp rsp;
457 __u16 result;
458
459 if (bt_sk(sk)->defer_setup)
460 result = L2CAP_CR_SEC_BLOCK;
461 else
462 result = L2CAP_CR_BAD_PSM;
89bc500e 463 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 464
465 rsp.scid = cpu_to_le16(chan->dcid);
466 rsp.dcid = cpu_to_le16(chan->scid);
467 rsp.result = cpu_to_le16(result);
468 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
469 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
470 sizeof(rsp), &rsp);
471 }
472
473 l2cap_chan_del(chan, reason);
474 break;
475
476 case BT_CONNECT:
477 case BT_DISCONN:
478 l2cap_chan_del(chan, reason);
479 break;
480
481 default:
482 sock_set_flag(sk, SOCK_ZAPPED);
483 break;
484 }
485}
486
4343478f 487static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 488{
715ec005 489 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 490 switch (chan->sec_level) {
8556edd3
JH		 491 case BT_SECURITY_HIGH:
492 return HCI_AT_DEDICATED_BONDING_MITM;
493 case BT_SECURITY_MEDIUM:
494 return HCI_AT_DEDICATED_BONDING;
495 default:
496 return HCI_AT_NO_BONDING;
497 }
fe4128e0 498 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 499 if (chan->sec_level == BT_SECURITY_LOW)
500 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 501
4343478f 502 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 503 return HCI_AT_NO_BONDING_MITM;
00ae4af9 504 else
8556edd3 505 return HCI_AT_NO_BONDING;
00ae4af9 506 } else {
4343478f 507 switch (chan->sec_level) {
00ae4af9 508 case BT_SECURITY_HIGH:
8556edd3 509 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 510 case BT_SECURITY_MEDIUM:
8556edd3 511 return HCI_AT_GENERAL_BONDING;
00ae4af9 512 default:
8556edd3 513 return HCI_AT_NO_BONDING;
00ae4af9 514 }
0684e5f9 515 }
8556edd3
JH		 516}
517
518/* Service level security */
4343478f 519static inline int l2cap_check_security(struct l2cap_chan *chan)
8556edd3 520{
8c1d787b 521 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 522 __u8 auth_type;
523
4343478f 524 auth_type = l2cap_get_auth_type(chan);
79d554a6 525
4343478f 526 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 527}
528
b5ad8b7f 529static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 530{
531 u8 id;
532
533 /* Get next available identificator.
534 * 1 - 128 are used by kernel.
535 * 129 - 199 are reserved.
536 * 200 - 254 are used by utilities like l2ping, etc.
537 */
538
539 spin_lock_bh(&conn->lock);
540
541 if (++conn->tx_ident > 128)
542 conn->tx_ident = 1;
543
544 id = conn->tx_ident;
545
546 spin_unlock_bh(&conn->lock);
547
548 return id;
549}
550
4519de9a 551static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 552{
553 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 554 u8 flags;
4e8402a3
MH		 555
556 BT_DBG("code 0x%2.2x", code);
557
558 if (!skb)
9a9c6a34 559 return;
4e8402a3 560
e702112f
AE		 561 if (lmp_no_flush_capable(conn->hcon->hdev))
562 flags = ACL_START_NO_FLUSH;
563 else
564 flags = ACL_START;
565
14b12d0b 566 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 567 skb->priority = HCI_PRIO_MAX;
14b12d0b 568
73d80deb
LAD		 569 hci_send_acl(conn->hchan, skb, flags);
570}
571
572static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
573{
574 struct hci_conn *hcon = chan->conn->hcon;
575 u16 flags;
576
577 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
578 skb->priority);
579
580 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
581 lmp_no_flush_capable(hcon->hdev))
582 flags = ACL_START_NO_FLUSH;
583 else
584 flags = ACL_START;
585
586 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
587 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 588}
589
88843ab0 590static inline void l2cap_send_sframe(struct l2cap_chan *chan, u32 control)
1c2acffb
GP		 591{
592 struct sk_buff *skb;
593 struct l2cap_hdr *lh;
8c1d787b 594 struct l2cap_conn *conn = chan->conn;
e4ca6d98 595 int count, hlen;
fcc203c3 596
89bc500e 597 if (chan->state != BT_CONNECTED)
c13ffa62
GP		 598 return;
599
e4ca6d98
AE		 600 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
601 hlen = L2CAP_EXT_HDR_SIZE;
602 else
603 hlen = L2CAP_ENH_HDR_SIZE;
604
47d1ec61 605 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 606 hlen += L2CAP_FCS_SIZE;
1c2acffb 607
88843ab0 608 BT_DBG("chan %p, control 0x%8.8x", chan, control);
1c2acffb 609
fcc203c3 610 count = min_t(unsigned int, conn->mtu, hlen);
793c2f1c
AE		 611
612 control |= __set_sframe(chan);
1c2acffb 613
e2ab4353 614 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 615 control |= __set_ctrl_final(chan);
9e917af1 616
e2ab4353 617 if (test_and_clear_bit(CONN_SEND_PBIT, &chan->conn_state))
e3781735 618 control |= __set_ctrl_poll(chan);
f0946ccf 619
1c2acffb
GP		 620 skb = bt_skb_alloc(count, GFP_ATOMIC);
621 if (!skb)
9a9c6a34 622 return;
1c2acffb
GP		 623
624 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 625 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
fe4128e0 626 lh->cid = cpu_to_le16(chan->dcid);
88843ab0
AE		 627
628 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
1c2acffb 629
47d1ec61 630 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 631 u16 fcs = crc16(0, (u8 *)lh, count - L2CAP_FCS_SIZE);
632 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 633 }
634
73d80deb
LAD		 635 skb->priority = HCI_PRIO_MAX;
636 l2cap_do_send(chan, skb);
1c2acffb
GP		 637}
638
88843ab0 639static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u32 control)
7e743090 640{
e2ab4353 641 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 642 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 643 set_bit(CONN_RNR_SENT, &chan->conn_state);
1890d36b 644 } else
ab784b73 645 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
7e743090 646
0b209fae 647 control |= __set_reqseq(chan, chan->buffer_seq);
2ab25cdd 648
525cd185 649 l2cap_send_sframe(chan, control);
7e743090
GP		 650}
651
b4450035 652static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 653{
c1360a1c 654 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 655}
656
fc7f8a7e 657static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 658{
8c1d787b 659 struct l2cap_conn *conn = chan->conn;
79d554a6
MH		 660
661 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 662 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
663 return;
664
4343478f
GP		 665 if (l2cap_check_security(chan) &&
666 __l2cap_no_conn_pending(chan)) {
b1235d79 667 struct l2cap_conn_req req;
fe4128e0
GP		 668 req.scid = cpu_to_le16(chan->scid);
669 req.psm = chan->psm;
79d554a6 670
fc7f8a7e 671 chan->ident = l2cap_get_ident(conn);
c1360a1c 672 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
79d554a6 673
fc7f8a7e
GP		 674 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
675 sizeof(req), &req);
b1235d79 676 }
79d554a6
MH		 677 } else {
678 struct l2cap_info_req req;
679 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
680
681 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
682 conn->info_ident = l2cap_get_ident(conn);
683
684 mod_timer(&conn->info_timer, jiffies +
685 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
686
687 l2cap_send_cmd(conn, conn->info_ident,
688 L2CAP_INFO_REQ, sizeof(req), &req);
689 }
690}
691
cf6c2c0b
GP		 692static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
693{
694 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 695 if (!disable_ertm)
cf6c2c0b
GP		 696 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
697
698 switch (mode) {
699 case L2CAP_MODE_ERTM:
700 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
701 case L2CAP_MODE_STREAMING:
702 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
703 default:
704 return 0x00;
705 }
706}
707
4519de9a 708static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 709{
e92c8e70 710 struct sock *sk;
22121fc9
GP		 711 struct l2cap_disconn_req req;
712
c13ffa62
GP		 713 if (!conn)
714 return;
715
e92c8e70
GP		 716 sk = chan->sk;
717
0c1bc5c6 718 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 719 __clear_retrans_timer(chan);
720 __clear_monitor_timer(chan);
721 __clear_ack_timer(chan);
c13ffa62
GP		 722 }
723
fe4128e0
GP		 724 req.dcid = cpu_to_le16(chan->dcid);
725 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 726 l2cap_send_cmd(conn, l2cap_get_ident(conn),
727 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 728
89bc500e 729 l2cap_state_change(chan, BT_DISCONN);
9b108fc0 730 sk->sk_err = err;
22121fc9
GP		 731}
732
1da177e4 733/* ---- L2CAP connections ---- */
4e8402a3
MH		 734static void l2cap_conn_start(struct l2cap_conn *conn)
735{
820ffdb3 736 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 737
738 BT_DBG("conn %p", conn);
739
baa7e1fa 740 read_lock(&conn->chan_lock);
4e8402a3 741
820ffdb3 742 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 743 struct sock *sk = chan->sk;
baa7e1fa 744
4e8402a3
MH		 745 bh_lock_sock(sk);
746
715ec005 747 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
79d554a6
MH		 748 bh_unlock_sock(sk);
749 continue;
750 }
751
89bc500e 752 if (chan->state == BT_CONNECT) {
47731de7 753 struct l2cap_conn_req req;
79d554a6 754
4343478f 755 if (!l2cap_check_security(chan) ||
b4450035 756 !__l2cap_no_conn_pending(chan)) {
47731de7
GP		 757 bh_unlock_sock(sk);
758 continue;
759 }
79d554a6 760
c1360a1c
GP		 761 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
762 && test_bit(CONF_STATE2_DEVICE,
763 &chan->conf_state)) {
0f852724 764 /* l2cap_chan_close() calls list_del(chan)
820ffdb3 765 * so release the lock */
2461daac 766 read_unlock(&conn->chan_lock);
89bc500e 767 l2cap_chan_close(chan, ECONNRESET);
2461daac 768 read_lock(&conn->chan_lock);
47731de7
GP		 769 bh_unlock_sock(sk);
770 continue;
b1235d79 771 }
47731de7 772
fe4128e0
GP		 773 req.scid = cpu_to_le16(chan->scid);
774 req.psm = chan->psm;
47731de7 775
fc7f8a7e 776 chan->ident = l2cap_get_ident(conn);
c1360a1c 777 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
47731de7 778
fc7f8a7e
GP		 779 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
780 sizeof(req), &req);
47731de7 781
89bc500e 782 } else if (chan->state == BT_CONNECT2) {
79d554a6 783 struct l2cap_conn_rsp rsp;
e9aeb2dd 784 char buf[128];
fe4128e0
GP		 785 rsp.scid = cpu_to_le16(chan->dcid);
786 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 787
4343478f 788 if (l2cap_check_security(chan)) {
f66dc81f
MH		 789 if (bt_sk(sk)->defer_setup) {
790 struct sock *parent = bt_sk(sk)->parent;
791 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
792 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 793 if (parent)
794 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 795
796 } else {
89bc500e 797 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 798 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
799 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
800 }
79d554a6
MH		 801 } else {
802 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
803 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
804 }
805
fc7f8a7e
GP		 806 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
807 sizeof(rsp), &rsp);
e9aeb2dd 808
c1360a1c 809 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd
GP		 810 rsp.result != L2CAP_CR_SUCCESS) {
811 bh_unlock_sock(sk);
812 continue;
813 }
814
c1360a1c 815 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 816 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 817 l2cap_build_conf_req(chan, buf), buf);
818 chan->num_conf_req++;
4e8402a3
MH		 819 }
820
821 bh_unlock_sock(sk);
822 }
823
baa7e1fa 824 read_unlock(&conn->chan_lock);
4e8402a3
MH		 825}
826
b62f328b
VT		 827/* Find socket with cid and source bdaddr.
828 * Returns closest match, locked.
829 */
23691d75 830static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
b62f328b 831{
23691d75 832 struct l2cap_chan *c, *c1 = NULL;
b62f328b 833
23691d75 834 read_lock(&chan_list_lock);
b62f328b 835
23691d75
GP		 836 list_for_each_entry(c, &chan_list, global_l) {
837 struct sock *sk = c->sk;
fe4128e0 838
89bc500e 839 if (state && c->state != state)
b62f328b
VT		 840 continue;
841
23691d75 842 if (c->scid == cid) {
b62f328b 843 /* Exact match. */
23691d75
GP		 844 if (!bacmp(&bt_sk(sk)->src, src)) {
845 read_unlock(&chan_list_lock);
846 return c;
847 }
b62f328b
VT		 848
849 /* Closest match */
850 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 851 c1 = c;
b62f328b
VT		 852 }
853 }
280f294f 854
23691d75 855 read_unlock(&chan_list_lock);
b62f328b 856
23691d75 857 return c1;
b62f328b
VT		 858}
859
860static void l2cap_le_conn_ready(struct l2cap_conn *conn)
861{
c916fbe4 862 struct sock *parent, *sk;
23691d75 863 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 864
865 BT_DBG("");
866
867 /* Check if we have socket listening on cid */
23691d75 868 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
b62f328b 869 conn->src);
23691d75 870 if (!pchan)
b62f328b
VT		 871 return;
872
23691d75
GP		 873 parent = pchan->sk;
874
62f3a2cf
GP		 875 bh_lock_sock(parent);
876
b62f328b
VT		 877 /* Check for backlog size */
878 if (sk_acceptq_is_full(parent)) {
879 BT_DBG("backlog full %d", parent->sk_ack_backlog);
880 goto clean;
881 }
882
80808e43
GP		 883 chan = pchan->ops->new_connection(pchan->data);
884 if (!chan)
b62f328b
VT		 885 goto clean;
886
80808e43 887 sk = chan->sk;
5d41ce1d 888
baa7e1fa 889 write_lock_bh(&conn->chan_lock);
b62f328b
VT		 890
891 hci_conn_hold(conn->hcon);
892
b62f328b
VT		 893 bacpy(&bt_sk(sk)->src, conn->src);
894 bacpy(&bt_sk(sk)->dst, conn->dst);
895
d1010240
GP		 896 bt_accept_enqueue(parent, sk);
897
48454079
GP		 898 __l2cap_chan_add(conn, chan);
899
c9b66675 900 __set_chan_timer(chan, sk->sk_sndtimeo);
b62f328b 901
89bc500e 902 l2cap_state_change(chan, BT_CONNECTED);
b62f328b
VT		 903 parent->sk_data_ready(parent, 0);
904
baa7e1fa 905 write_unlock_bh(&conn->chan_lock);
b62f328b
VT		 906
907clean:
908 bh_unlock_sock(parent);
909}
910
f1cb9af5
VCG		 911static void l2cap_chan_ready(struct sock *sk)
912{
913 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
914 struct sock *parent = bt_sk(sk)->parent;
915
916 BT_DBG("sk %p, parent %p", sk, parent);
917
918 chan->conf_state = 0;
919 __clear_chan_timer(chan);
920
43f3dc41 921 l2cap_state_change(chan, BT_CONNECTED);
f1cb9af5
VCG		 922 sk->sk_state_change(sk);
923
924 if (parent)
925 parent->sk_data_ready(parent, 0);
926}
927
4e8402a3
MH		 928static void l2cap_conn_ready(struct l2cap_conn *conn)
929{
48454079 930 struct l2cap_chan *chan;
4e8402a3 931
79d554a6 932 BT_DBG("conn %p", conn);
4e8402a3 933
b62f328b
VT		 934 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
935 l2cap_le_conn_ready(conn);
936
160dc6ac
VCG		 937 if (conn->hcon->out && conn->hcon->type == LE_LINK)
938 smp_conn_security(conn, conn->hcon->pending_sec_level);
939
baa7e1fa 940 read_lock(&conn->chan_lock);
4e8402a3 941
baa7e1fa 942 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 943 struct sock *sk = chan->sk;
baa7e1fa 944
79d554a6 945 bh_lock_sock(sk);
4e8402a3 946
63128451 947 if (conn->hcon->type == LE_LINK) {
b501d6a1 948 if (smp_conn_security(conn, chan->sec_level))
f1cb9af5 949 l2cap_chan_ready(sk);
acd7d370 950
63128451 951 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 952 __clear_chan_timer(chan);
89bc500e 953 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 954 sk->sk_state_change(sk);
b501d6a1 955
89bc500e 956 } else if (chan->state == BT_CONNECT)
fc7f8a7e 957 l2cap_do_start(chan);
4e8402a3 958
79d554a6 959 bh_unlock_sock(sk);
4e8402a3 960 }
79d554a6 961
baa7e1fa 962 read_unlock(&conn->chan_lock);
4e8402a3
MH		 963}
964
965/* Notify sockets that we cannot guaranty reliability anymore */
966static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
967{
48454079 968 struct l2cap_chan *chan;
4e8402a3
MH		 969
970 BT_DBG("conn %p", conn);
971
baa7e1fa 972 read_lock(&conn->chan_lock);
4e8402a3 973
baa7e1fa 974 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 975 struct sock *sk = chan->sk;
baa7e1fa 976
ecf61bdb 977 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
4e8402a3
MH		 978 sk->sk_err = err;
979 }
980
baa7e1fa 981 read_unlock(&conn->chan_lock);
4e8402a3
MH		 982}
983
984static void l2cap_info_timeout(unsigned long arg)
985{
986 struct l2cap_conn *conn = (void *) arg;
987
984947dc 988 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 989 conn->info_ident = 0;
984947dc 990
4e8402a3
MH		 991 l2cap_conn_start(conn);
992}
993
5d3de7df
VCG		 994static void l2cap_conn_del(struct hci_conn *hcon, int err)
995{
996 struct l2cap_conn *conn = hcon->l2cap_data;
997 struct l2cap_chan *chan, *l;
998 struct sock *sk;
999
1000 if (!conn)
1001 return;
1002
1003 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1004
1005 kfree_skb(conn->rx_skb);
1006
1007 /* Kill channels */
1008 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1009 sk = chan->sk;
1010 bh_lock_sock(sk);
1011 l2cap_chan_del(chan, err);
1012 bh_unlock_sock(sk);
1013 chan->ops->close(chan->data);
1014 }
1015
73d80deb
LAD		 1016 hci_chan_del(conn->hchan);
1017
5d3de7df
VCG		 1018 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1019 del_timer_sync(&conn->info_timer);
1020
d26a2345 1021 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->pend)) {
5d3de7df 1022 del_timer(&conn->security_timer);
8aab4757 1023 smp_chan_destroy(conn);
d26a2345 1024 }
5d3de7df
VCG		 1025
1026 hcon->l2cap_data = NULL;
1027 kfree(conn);
1028}
1029
1030static void security_timeout(unsigned long arg)
1031{
1032 struct l2cap_conn *conn = (void *) arg;
1033
1034 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1035}
1036
1da177e4
LT		 1037static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1038{
0139418c 1039 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1040 struct hci_chan *hchan;
1da177e4 1041
0139418c 1042 if (conn || status)
1da177e4
LT		 1043 return conn;
1044
73d80deb
LAD		 1045 hchan = hci_chan_create(hcon);
1046 if (!hchan)
1047 return NULL;
1048
0139418c 1049 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
73d80deb
LAD		 1050 if (!conn) {
1051 hci_chan_del(hchan);
1da177e4 1052 return NULL;
73d80deb 1053 }
1da177e4
LT		 1054
1055 hcon->l2cap_data = conn;
1056 conn->hcon = hcon;
73d80deb 1057 conn->hchan = hchan;
1da177e4 1058
73d80deb 1059 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1060
acd7d370
VT		 1061 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1062 conn->mtu = hcon->hdev->le_mtu;
1063 else
1064 conn->mtu = hcon->hdev->acl_mtu;
1065
1da177e4
LT		 1066 conn->src = &hcon->hdev->bdaddr;
1067 conn->dst = &hcon->dst;
1068
4e8402a3
MH		 1069 conn->feat_mask = 0;
1070
1da177e4 1071 spin_lock_init(&conn->lock);
baa7e1fa
GP		 1072 rwlock_init(&conn->chan_lock);
1073
1074 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1075
5d3de7df
VCG		 1076 if (hcon->type == LE_LINK)
1077 setup_timer(&conn->security_timer, security_timeout,
1078 (unsigned long) conn);
1079 else
b62f328b 1080 setup_timer(&conn->info_timer, l2cap_info_timeout,
45054dc1
DY		 1081 (unsigned long) conn);
1082
2950f21a
MH		 1083 conn->disc_reason = 0x13;
1084
1da177e4
LT		 1085 return conn;
1086}
1087
48454079 1088static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
1da177e4 1089{
baa7e1fa 1090 write_lock_bh(&conn->chan_lock);
48454079 1091 __l2cap_chan_add(conn, chan);
baa7e1fa 1092 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 1093}
1094
1da177e4 1095/* ---- Socket interface ---- */
1da177e4
LT		 1096
1097/* Find socket with psm and source bdaddr.
1098 * Returns closest match.
1099 */
23691d75 1100static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4 1101{
23691d75 1102 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1103
23691d75 1104 read_lock(&chan_list_lock);
e0f0cb56 1105
23691d75
GP		 1106 list_for_each_entry(c, &chan_list, global_l) {
1107 struct sock *sk = c->sk;
fe4128e0 1108
89bc500e 1109 if (state && c->state != state)
1da177e4
LT		 1110 continue;
1111
23691d75 1112 if (c->psm == psm) {
1da177e4 1113 /* Exact match. */
23691d75 1114 if (!bacmp(&bt_sk(sk)->src, src)) {
a7567b20 1115 read_unlock(&chan_list_lock);
23691d75
GP		 1116 return c;
1117 }
1da177e4
LT		 1118
1119 /* Closest match */
1120 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 1121 c1 = c;
1da177e4
LT		 1122 }
1123 }
1da177e4 1124
23691d75 1125 read_unlock(&chan_list_lock);
e0f0cb56 1126
23691d75 1127 return c1;
1da177e4
LT		 1128}
1129
77a74c7e 1130int l2cap_chan_connect(struct l2cap_chan *chan)
1da177e4 1131{
5d41ce1d 1132 struct sock *sk = chan->sk;
1da177e4
LT		 1133 bdaddr_t *src = &bt_sk(sk)->src;
1134 bdaddr_t *dst = &bt_sk(sk)->dst;
1135 struct l2cap_conn *conn;
1136 struct hci_conn *hcon;
1137 struct hci_dev *hdev;
09ab6f4c 1138 __u8 auth_type;
44d0e48e 1139 int err;
1da177e4 1140
f29972de 1141 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
fe4128e0 1142 chan->psm);
1da177e4 1143
af05b30b
GP		 1144 hdev = hci_get_route(dst, src);
1145 if (!hdev)
1da177e4
LT		 1146 return -EHOSTUNREACH;
1147
1148 hci_dev_lock_bh(hdev);
1149
4343478f 1150 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1151
fe4128e0 1152 if (chan->dcid == L2CAP_CID_LE_DATA)
acd7d370 1153 hcon = hci_connect(hdev, LE_LINK, dst,
4343478f 1154 chan->sec_level, auth_type);
acd7d370
VT		 1155 else
1156 hcon = hci_connect(hdev, ACL_LINK, dst,
4343478f 1157 chan->sec_level, auth_type);
acd7d370 1158
30e76272
VT		 1159 if (IS_ERR(hcon)) {
1160 err = PTR_ERR(hcon);
1da177e4 1161 goto done;
30e76272 1162 }
1da177e4
LT		 1163
1164 conn = l2cap_conn_add(hcon, 0);
1165 if (!conn) {
1166 hci_conn_put(hcon);
30e76272 1167 err = -ENOMEM;
1da177e4
LT		 1168 goto done;
1169 }
1170
1da177e4
LT		 1171 /* Update source addr of the socket */
1172 bacpy(src, conn->src);
1173
48454079
GP		 1174 l2cap_chan_add(conn, chan);
1175
89bc500e 1176 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1177 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1178
1179 if (hcon->state == BT_CONNECTED) {
715ec005 1180 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1181 __clear_chan_timer(chan);
4343478f 1182 if (l2cap_check_security(chan))
89bc500e 1183 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1184 } else
fc7f8a7e 1185 l2cap_do_start(chan);
1da177e4
LT		 1186 }
1187
30e76272
VT		 1188 err = 0;
1189
1da177e4
LT		 1190done:
1191 hci_dev_unlock_bh(hdev);
1192 hci_dev_put(hdev);
1193 return err;
1194}
1195
dcba0dba 1196int __l2cap_wait_ack(struct sock *sk)
6161c038 1197{
8c1d787b 1198 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1199 DECLARE_WAITQUEUE(wait, current);
1200 int err = 0;
1201 int timeo = HZ/5;
1202
2b0b05dd 1203 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1204 set_current_state(TASK_INTERRUPTIBLE);
1205 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1206 if (!timeo)
1207 timeo = HZ/5;
1208
1209 if (signal_pending(current)) {
1210 err = sock_intr_errno(timeo);
1211 break;
1212 }
1213
1214 release_sock(sk);
1215 timeo = schedule_timeout(timeo);
1216 lock_sock(sk);
a71a0cf4 1217 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1218
1219 err = sock_error(sk);
1220 if (err)
1221 break;
1222 }
1223 set_current_state(TASK_RUNNING);
2b0b05dd 1224 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1225 return err;
1226}
1227
e90bac06
GP		 1228static void l2cap_monitor_timeout(unsigned long arg)
1229{
525cd185
GP		 1230 struct l2cap_chan *chan = (void *) arg;
1231 struct sock *sk = chan->sk;
e90bac06 1232
525cd185 1233 BT_DBG("chan %p", chan);
0e98958d 1234
e686219a 1235 bh_lock_sock(sk);
2c03a7a4 1236 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1237 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
b13f5860 1238 bh_unlock_sock(sk);
e90bac06
GP		 1239 return;
1240 }
1241
6a026610 1242 chan->retry_count++;
1a09bcb9 1243 __set_monitor_timer(chan);
e90bac06 1244
525cd185 1245 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1246 bh_unlock_sock(sk);
e90bac06
GP		 1247}
1248
1249static void l2cap_retrans_timeout(unsigned long arg)
1250{
525cd185
GP		 1251 struct l2cap_chan *chan = (void *) arg;
1252 struct sock *sk = chan->sk;
e90bac06 1253
49208c9c 1254 BT_DBG("chan %p", chan);
0e98958d 1255
e686219a 1256 bh_lock_sock(sk);
6a026610 1257 chan->retry_count = 1;
1a09bcb9 1258 __set_monitor_timer(chan);
e90bac06 1259
e2ab4353 1260 set_bit(CONN_WAIT_F, &chan->conn_state);
e90bac06 1261
525cd185 1262 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1263 bh_unlock_sock(sk);
e90bac06
GP		 1264}
1265
42e5c802 1266static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1da177e4 1267{
1c2acffb 1268 struct sk_buff *skb;
1da177e4 1269
58d35f87 1270 while ((skb = skb_peek(&chan->tx_q)) &&
6a026610 1271 chan->unacked_frames) {
42e5c802 1272 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1c2acffb 1273 break;
1da177e4 1274
58d35f87 1275 skb = skb_dequeue(&chan->tx_q);
1c2acffb 1276 kfree_skb(skb);
1da177e4 1277
6a026610 1278 chan->unacked_frames--;
1c2acffb 1279 }
1da177e4 1280
6a026610 1281 if (!chan->unacked_frames)
1a09bcb9 1282 __clear_retrans_timer(chan);
1c2acffb 1283}
1da177e4 1284
67c9e840 1285static void l2cap_streaming_send(struct l2cap_chan *chan)
6840ed07 1286{
ccbb84af 1287 struct sk_buff *skb;
88843ab0
AE		 1288 u32 control;
1289 u16 fcs;
6840ed07 1290
58d35f87 1291 while ((skb = skb_dequeue(&chan->tx_q))) {
88843ab0 1292 control = __get_control(chan, skb->data + L2CAP_HDR_SIZE);
fb45de7d 1293 control |= __set_txseq(chan, chan->next_tx_seq);
88843ab0 1294 __put_control(chan, control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1295
47d1ec61 1296 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1297 fcs = crc16(0, (u8 *)skb->data,
1298 skb->len - L2CAP_FCS_SIZE);
1299 put_unaligned_le16(fcs,
1300 skb->data + skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 1301 }
1302
4343478f 1303 l2cap_do_send(chan, skb);
6840ed07 1304
836be934 1305 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
6840ed07 1306 }
6840ed07
GP		 1307}
1308
fb45de7d 1309static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 1310{
8f17154f 1311 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1312 u16 fcs;
1313 u32 control;
8f17154f 1314
58d35f87 1315 skb = skb_peek(&chan->tx_q);
f11d676d
GP		 1316 if (!skb)
1317 return;
8f17154f 1318
f11d676d
GP		 1319 do {
1320 if (bt_cb(skb)->tx_seq == tx_seq)
8f17154f 1321 break;
8f17154f 1322
58d35f87 1323 if (skb_queue_is_last(&chan->tx_q, skb))
f11d676d 1324 return;
8f17154f 1325
58d35f87 1326 } while ((skb = skb_queue_next(&chan->tx_q, skb)));
8f17154f 1327
2c03a7a4
GP		 1328 if (chan->remote_max_tx &&
1329 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1330 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
f11d676d
GP		 1331 return;
1332 }
1333
1334 tx_skb = skb_clone(skb, GFP_ATOMIC);
1335 bt_cb(skb)->retries++;
88843ab0
AE		 1336
1337 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1338 control &= __get_sar_mask(chan);
3cb123d1 1339
e2ab4353 1340 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1341 control |= __set_ctrl_final(chan);
95ffa978 1342
0b209fae 1343 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1344 control |= __set_txseq(chan, tx_seq);
3cb123d1 1345
88843ab0 1346 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
f11d676d 1347
47d1ec61 1348 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1349 fcs = crc16(0, (u8 *)tx_skb->data,
1350 tx_skb->len - L2CAP_FCS_SIZE);
1351 put_unaligned_le16(fcs,
1352 tx_skb->data + tx_skb->len - L2CAP_FCS_SIZE);
f11d676d
GP		 1353 }
1354
4343478f 1355 l2cap_do_send(chan, tx_skb);
8f17154f
GP		 1356}
1357
67c9e840 1358static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1359{
1360 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1361 u16 fcs;
1362 u32 control;
9a9c6a34 1363 int nsent = 0;
1c2acffb 1364
89bc500e 1365 if (chan->state != BT_CONNECTED)
c13ffa62 1366 return -ENOTCONN;
e90bac06 1367
58d35f87 1368 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1c2acffb 1369
2c03a7a4
GP		 1370 if (chan->remote_max_tx &&
1371 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1372 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
e90bac06
GP		 1373 break;
1374 }
1375
e420aba3
AE		 1376 tx_skb = skb_clone(skb, GFP_ATOMIC);
1377
e90bac06
GP		 1378 bt_cb(skb)->retries++;
1379
88843ab0 1380 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1381 control &= __get_sar_mask(chan);
95ffa978 1382
e2ab4353 1383 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1384 control |= __set_ctrl_final(chan);
e2ab4353 1385
0b209fae 1386 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1387 control |= __set_txseq(chan, chan->next_tx_seq);
1c2acffb 1388
88843ab0 1389 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
e90bac06 1390
47d1ec61 1391 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1392 fcs = crc16(0, (u8 *)skb->data,
1393 tx_skb->len - L2CAP_FCS_SIZE);
1394 put_unaligned_le16(fcs, skb->data +
1395 tx_skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 1396 }
1397
4343478f 1398 l2cap_do_send(chan, tx_skb);
9a9c6a34 1399
1a09bcb9 1400 __set_retrans_timer(chan);
1c2acffb 1401
42e5c802 1402 bt_cb(skb)->tx_seq = chan->next_tx_seq;
836be934
AE		 1403
1404 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1c2acffb 1405
23e9fde2 1406 if (bt_cb(skb)->retries == 1)
6a026610 1407 chan->unacked_frames++;
23e9fde2 1408
6a026610 1409 chan->frames_sent++;
1c2acffb 1410
58d35f87
GP		 1411 if (skb_queue_is_last(&chan->tx_q, skb))
1412 chan->tx_send_head = NULL;
1c2acffb 1413 else
58d35f87 1414 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
9e917af1
GP		 1415
1416 nsent++;
1c2acffb
GP		 1417 }
1418
9e917af1
GP		 1419 return nsent;
1420}
1421
525cd185 1422static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1423{
dfc909be
GP		 1424 int ret;
1425
58d35f87
GP		 1426 if (!skb_queue_empty(&chan->tx_q))
1427 chan->tx_send_head = chan->tx_q.next;
dfc909be 1428
42e5c802 1429 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1430 ret = l2cap_ertm_send(chan);
dfc909be
GP		 1431 return ret;
1432}
1433
525cd185 1434static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1435{
88843ab0 1436 u32 control = 0;
9e917af1 1437
0b209fae 1438 control |= __set_reqseq(chan, chan->buffer_seq);
9e917af1 1439
e2ab4353 1440 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 1441 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 1442 set_bit(CONN_RNR_SENT, &chan->conn_state);
525cd185 1443 l2cap_send_sframe(chan, control);
9a9c6a34 1444 return;
9e917af1 1445 }
dfc909be 1446
525cd185 1447 if (l2cap_ertm_send(chan) > 0)
dfc909be
GP		 1448 return;
1449
ab784b73 1450 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 1451 l2cap_send_sframe(chan, control);
1c2acffb
GP		 1452}
1453
525cd185 1454static void l2cap_send_srejtail(struct l2cap_chan *chan)
99b0d4b7
GP		 1455{
1456 struct srej_list *tail;
88843ab0 1457 u32 control;
99b0d4b7 1458
ab784b73 1459 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
03f6715d 1460 control |= __set_ctrl_final(chan);
99b0d4b7 1461
39d5a3ee 1462 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
0b209fae 1463 control |= __set_reqseq(chan, tail->tx_seq);
99b0d4b7 1464
525cd185 1465 l2cap_send_sframe(chan, control);
99b0d4b7
GP		 1466}
1467
1c2acffb
GP		 1468static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1469{
8c1d787b 1470 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1c2acffb
GP		 1471 struct sk_buff **frag;
1472 int err, sent = 0;
1da177e4 1473
59203a21 1474 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1475 return -EFAULT;
1da177e4
LT		 1476
1477 sent += count;
1478 len -= count;
1479
1480 /* Continuation fragments (no L2CAP header) */
1481 frag = &skb_shinfo(skb)->frag_list;
1482 while (len) {
1483 count = min_t(unsigned int, conn->mtu, len);
1484
1485 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1486 if (!*frag)
0175d629 1487 return err;
1c2acffb
GP		 1488 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1489 return -EFAULT;
1da177e4 1490
5e59b791
LAD		 1491 (*frag)->priority = skb->priority;
1492
1da177e4
LT		 1493 sent += count;
1494 len -= count;
1495
1496 frag = &(*frag)->next;
1497 }
1da177e4
LT		 1498
1499 return sent;
1c2acffb 1500}
1da177e4 1501
5e59b791
LAD		 1502static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
1503 struct msghdr *msg, size_t len,
1504 u32 priority)
1c2acffb 1505{
fe4128e0 1506 struct sock *sk = chan->sk;
8c1d787b 1507 struct l2cap_conn *conn = chan->conn;
1c2acffb 1508 struct sk_buff *skb;
03a51213 1509 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 1510 struct l2cap_hdr *lh;
1511
5e59b791 1512 BT_DBG("sk %p len %d priority %u", sk, (int)len, priority);
1c2acffb
GP		 1513
1514 count = min_t(unsigned int, (conn->mtu - hlen), len);
1515 skb = bt_skb_send_alloc(sk, count + hlen,
1516 msg->msg_flags & MSG_DONTWAIT, &err);
1517 if (!skb)
0175d629 1518 return ERR_PTR(err);
1c2acffb 1519
5e59b791
LAD		 1520 skb->priority = priority;
1521
1c2acffb
GP		 1522 /* Create L2CAP header */
1523 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1524 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1525 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
fe4128e0 1526 put_unaligned_le16(chan->psm, skb_put(skb, 2));
1c2acffb
GP		 1527
1528 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1529 if (unlikely(err < 0)) {
1530 kfree_skb(skb);
1531 return ERR_PTR(err);
1532 }
1533 return skb;
1534}
1535
5e59b791
LAD		 1536static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
1537 struct msghdr *msg, size_t len,
1538 u32 priority)
1c2acffb 1539{
fe4128e0 1540 struct sock *sk = chan->sk;
8c1d787b 1541 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1542 struct sk_buff *skb;
1543 int err, count, hlen = L2CAP_HDR_SIZE;
1544 struct l2cap_hdr *lh;
1545
1546 BT_DBG("sk %p len %d", sk, (int)len);
1547
1548 count = min_t(unsigned int, (conn->mtu - hlen), len);
1549 skb = bt_skb_send_alloc(sk, count + hlen,
1550 msg->msg_flags & MSG_DONTWAIT, &err);
1551 if (!skb)
0175d629 1552 return ERR_PTR(err);
1c2acffb 1553
5e59b791
LAD		 1554 skb->priority = priority;
1555
1c2acffb
GP		 1556 /* Create L2CAP header */
1557 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1558 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1559 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1560
1561 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1562 if (unlikely(err < 0)) {
1563 kfree_skb(skb);
1564 return ERR_PTR(err);
1565 }
1566 return skb;
1567}
1568
ab0ff76d
LAD		 1569static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
1570 struct msghdr *msg, size_t len,
88843ab0 1571 u32 control, u16 sdulen)
1c2acffb 1572{
47d1ec61 1573 struct sock *sk = chan->sk;
8c1d787b 1574 struct l2cap_conn *conn = chan->conn;
1c2acffb 1575 struct sk_buff *skb;
e4ca6d98 1576 int err, count, hlen;
1c2acffb
GP		 1577 struct l2cap_hdr *lh;
1578
1579 BT_DBG("sk %p len %d", sk, (int)len);
1580
0ee0d208
GP		 1581 if (!conn)
1582 return ERR_PTR(-ENOTCONN);
1583
e4ca6d98
AE		 1584 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1585 hlen = L2CAP_EXT_HDR_SIZE;
1586 else
1587 hlen = L2CAP_ENH_HDR_SIZE;
1588
c74e560c 1589 if (sdulen)
03a51213 1590 hlen += L2CAP_SDULEN_SIZE;
c74e560c 1591
47d1ec61 1592 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1593 hlen += L2CAP_FCS_SIZE;
fcc203c3 1594
1c2acffb
GP		 1595 count = min_t(unsigned int, (conn->mtu - hlen), len);
1596 skb = bt_skb_send_alloc(sk, count + hlen,
1597 msg->msg_flags & MSG_DONTWAIT, &err);
1598 if (!skb)
0175d629 1599 return ERR_PTR(err);
1c2acffb
GP		 1600
1601 /* Create L2CAP header */
1602 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1603 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1604 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0
AE		 1605
1606 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
1607
c74e560c 1608 if (sdulen)
03a51213 1609 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb
GP		 1610
1611 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1612 if (unlikely(err < 0)) {
1613 kfree_skb(skb);
1614 return ERR_PTR(err);
1615 }
e90bac06 1616
47d1ec61 1617 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1618 put_unaligned_le16(0, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3 1619
e90bac06 1620 bt_cb(skb)->retries = 0;
1c2acffb 1621 return skb;
1da177e4
LT		 1622}
1623
67c9e840 1624static int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
c74e560c 1625{
c74e560c
GP		 1626 struct sk_buff *skb;
1627 struct sk_buff_head sar_queue;
88843ab0 1628 u32 control;
c74e560c
GP		 1629 size_t size = 0;
1630
ff12fd64 1631 skb_queue_head_init(&sar_queue);
7e0ef6ee 1632 control = __set_ctrl_sar(chan, L2CAP_SAR_START);
47d1ec61 1633 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
c74e560c
GP		 1634 if (IS_ERR(skb))
1635 return PTR_ERR(skb);
1636
1637 __skb_queue_tail(&sar_queue, skb);
2c03a7a4
GP		 1638 len -= chan->remote_mps;
1639 size += chan->remote_mps;
c74e560c
GP		 1640
1641 while (len > 0) {
1642 size_t buflen;
1643
2c03a7a4 1644 if (len > chan->remote_mps) {
7e0ef6ee 1645 control = __set_ctrl_sar(chan, L2CAP_SAR_CONTINUE);
2c03a7a4 1646 buflen = chan->remote_mps;
c74e560c 1647 } else {
7e0ef6ee 1648 control = __set_ctrl_sar(chan, L2CAP_SAR_END);
c74e560c
GP		 1649 buflen = len;
1650 }
1651
47d1ec61 1652 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
c74e560c
GP		 1653 if (IS_ERR(skb)) {
1654 skb_queue_purge(&sar_queue);
1655 return PTR_ERR(skb);
1656 }
1657
1658 __skb_queue_tail(&sar_queue, skb);
1659 len -= buflen;
1660 size += buflen;
c74e560c 1661 }
58d35f87
GP		 1662 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
1663 if (chan->tx_send_head == NULL)
1664 chan->tx_send_head = sar_queue.next;
c74e560c
GP		 1665
1666 return size;
1667}
1668
5e59b791
LAD		 1669int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
1670 u32 priority)
9a91a04a 1671{
9a91a04a 1672 struct sk_buff *skb;
88843ab0 1673 u32 control;
9a91a04a
GP		 1674 int err;
1675
1676 /* Connectionless channel */
715ec005 1677 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 1678 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 1679 if (IS_ERR(skb))
1680 return PTR_ERR(skb);
1681
1682 l2cap_do_send(chan, skb);
1683 return len;
1684 }
1685
1686 switch (chan->mode) {
1687 case L2CAP_MODE_BASIC:
1688 /* Check outgoing MTU */
1689 if (len > chan->omtu)
1690 return -EMSGSIZE;
1691
1692 /* Create a basic PDU */
5e59b791 1693 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 1694 if (IS_ERR(skb))
1695 return PTR_ERR(skb);
1696
1697 l2cap_do_send(chan, skb);
1698 err = len;
1699 break;
1700
1701 case L2CAP_MODE_ERTM:
1702 case L2CAP_MODE_STREAMING:
1703 /* Entire SDU fits into one PDU */
1704 if (len <= chan->remote_mps) {
7e0ef6ee 1705 control = __set_ctrl_sar(chan, L2CAP_SAR_UNSEGMENTED);
9a91a04a
GP		 1706 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
1707 0);
1708 if (IS_ERR(skb))
1709 return PTR_ERR(skb);
1710
1711 __skb_queue_tail(&chan->tx_q, skb);
1712
1713 if (chan->tx_send_head == NULL)
1714 chan->tx_send_head = skb;
1715
1716 } else {
1717 /* Segment SDU into multiples PDUs */
1718 err = l2cap_sar_segment_sdu(chan, msg, len);
1719 if (err < 0)
1720 return err;
1721 }
1722
1723 if (chan->mode == L2CAP_MODE_STREAMING) {
1724 l2cap_streaming_send(chan);
1725 err = len;
1726 break;
1727 }
1728
e2ab4353
GP		 1729 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
1730 test_bit(CONN_WAIT_F, &chan->conn_state)) {
9a91a04a
GP		 1731 err = len;
1732 break;
1733 }
1734
1735 err = l2cap_ertm_send(chan);
1736 if (err >= 0)
1737 err = len;
1738
1739 break;
1740
1741 default:
1742 BT_DBG("bad state %1.1x", chan->mode);
1743 err = -EBADFD;
1744 }
1745
1746 return err;
1747}
1748
1da177e4
LT		 1749/* Copy frame to all raw sockets on that connection */
1750static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1751{
1da177e4 1752 struct sk_buff *nskb;
48454079 1753 struct l2cap_chan *chan;
1da177e4
LT		 1754
1755 BT_DBG("conn %p", conn);
1756
baa7e1fa
GP		 1757 read_lock(&conn->chan_lock);
1758 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 1759 struct sock *sk = chan->sk;
715ec005 1760 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 1761 continue;
1762
1763 /* Don't send frame to the socket it came from */
1764 if (skb->sk == sk)
1765 continue;
af05b30b
GP		 1766 nskb = skb_clone(skb, GFP_ATOMIC);
1767 if (!nskb)
1da177e4
LT		 1768 continue;
1769
23070494 1770 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT		 1771 kfree_skb(nskb);
1772 }
baa7e1fa 1773 read_unlock(&conn->chan_lock);
1da177e4
LT		 1774}
1775
1776/* ---- L2CAP signalling commands ---- */
1777static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1778 u8 code, u8 ident, u16 dlen, void *data)
1779{
1780 struct sk_buff *skb, **frag;
1781 struct l2cap_cmd_hdr *cmd;
1782 struct l2cap_hdr *lh;
1783 int len, count;
1784
af05b30b
GP		 1785 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1786 conn, code, ident, dlen);
1da177e4
LT		 1787
1788 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1789 count = min_t(unsigned int, conn->mtu, len);
1790
1791 skb = bt_skb_alloc(count, GFP_ATOMIC);
1792 if (!skb)
1793 return NULL;
1794
1795 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 1796 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 1797
1798 if (conn->hcon->type == LE_LINK)
1799 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
1800 else
1801 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 1802
1803 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1804 cmd->code = code;
1805 cmd->ident = ident;
aca3192c 1806 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 1807
1808 if (dlen) {
1809 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1810 memcpy(skb_put(skb, count), data, count);
1811 data += count;
1812 }
1813
1814 len -= skb->len;
1815
1816 /* Continuation fragments (no L2CAP header) */
1817 frag = &skb_shinfo(skb)->frag_list;
1818 while (len) {
1819 count = min_t(unsigned int, conn->mtu, len);
1820
1821 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1822 if (!*frag)
1823 goto fail;
1824
1825 memcpy(skb_put(*frag, count), data, count);
1826
1827 len -= count;
1828 data += count;
1829
1830 frag = &(*frag)->next;
1831 }
1832
1833 return skb;
1834
1835fail:
1836 kfree_skb(skb);
1837 return NULL;
1838}
1839
1840static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1841{
1842 struct l2cap_conf_opt *opt = *ptr;
1843 int len;
1844
1845 len = L2CAP_CONF_OPT_SIZE + opt->len;
1846 *ptr += len;
1847
1848 *type = opt->type;
1849 *olen = opt->len;
1850
1851 switch (opt->len) {
1852 case 1:
1853 *val = *((u8 *) opt->val);
1854 break;
1855
1856 case 2:
bfaaeb3e 1857 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 1858 break;
1859
1860 case 4:
bfaaeb3e 1861 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 1862 break;
1863
1864 default:
1865 *val = (unsigned long) opt->val;
1866 break;
1867 }
1868
1869 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1870 return len;
1871}
1872
1da177e4
LT		 1873static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1874{
1875 struct l2cap_conf_opt *opt = *ptr;
1876
1877 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1878
1879 opt->type = type;
1880 opt->len = len;
1881
1882 switch (len) {
1883 case 1:
1884 *((u8 *) opt->val) = val;
1885 break;
1886
1887 case 2:
4f8b691c 1888 put_unaligned_le16(val, opt->val);
1da177e4
LT		 1889 break;
1890
1891 case 4:
4f8b691c 1892 put_unaligned_le32(val, opt->val);
1da177e4
LT		 1893 break;
1894
1895 default:
1896 memcpy(opt->val, (void *) val, len);
1897 break;
1898 }
1899
1900 *ptr += L2CAP_CONF_OPT_SIZE + len;
1901}
1902
f89cef09
AE		 1903static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
1904{
1905 struct l2cap_conf_efs efs;
1906
1907 switch(chan->mode) {
1908 case L2CAP_MODE_ERTM:
1909 efs.id = chan->local_id;
1910 efs.stype = chan->local_stype;
1911 efs.msdu = cpu_to_le16(chan->local_msdu);
1912 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
1913 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
1914 efs.flush_to = cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
1915 break;
1916
1917 case L2CAP_MODE_STREAMING:
1918 efs.id = 1;
1919 efs.stype = L2CAP_SERV_BESTEFFORT;
1920 efs.msdu = cpu_to_le16(chan->local_msdu);
1921 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
1922 efs.acc_lat = 0;
1923 efs.flush_to = 0;
1924 break;
1925
1926 default:
1927 return;
1928 }
1929
1930 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
1931 (unsigned long) &efs);
1932}
1933
c1b4f43b
GP		 1934static void l2cap_ack_timeout(unsigned long arg)
1935{
525cd185 1936 struct l2cap_chan *chan = (void *) arg;
c1b4f43b 1937
525cd185
GP		 1938 bh_lock_sock(chan->sk);
1939 l2cap_send_ack(chan);
1940 bh_unlock_sock(chan->sk);
c1b4f43b
GP		 1941}
1942
525cd185 1943static inline void l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 1944{
525cd185
GP		 1945 struct sock *sk = chan->sk;
1946
42e5c802 1947 chan->expected_ack_seq = 0;
6a026610 1948 chan->unacked_frames = 0;
42e5c802 1949 chan->buffer_seq = 0;
6a026610
GP		 1950 chan->num_acked = 0;
1951 chan->frames_sent = 0;
0565c1c2 1952
e92c8e70
GP		 1953 setup_timer(&chan->retrans_timer, l2cap_retrans_timeout,
1954 (unsigned long) chan);
1955 setup_timer(&chan->monitor_timer, l2cap_monitor_timeout,
1956 (unsigned long) chan);
1957 setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan);
0565c1c2 1958
f1c6775b 1959 skb_queue_head_init(&chan->srej_q);
1890d36b 1960
39d5a3ee
GP		 1961 INIT_LIST_HEAD(&chan->srej_l);
1962
218bb9df
GP		 1963
1964 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
0565c1c2
GP		 1965}
1966
f2fcfcd6
GP		 1967static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
1968{
1969 switch (mode) {
1970 case L2CAP_MODE_STREAMING:
1971 case L2CAP_MODE_ERTM:
1972 if (l2cap_mode_supported(mode, remote_feat_mask))
1973 return mode;
1974 /* fall through */
1975 default:
1976 return L2CAP_MODE_BASIC;
1977 }
1978}
1979
6327eb98
AE		 1980static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
1981{
1982 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
1983}
1984
f89cef09
AE		 1985static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
1986{
1987 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
1988}
1989
6327eb98
AE		 1990static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
1991{
1992 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 1993 __l2cap_ews_supported(chan)) {
6327eb98
AE		 1994 /* use extended control field */
1995 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 1996 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
1997 } else {
6327eb98
AE		 1998 chan->tx_win = min_t(u16, chan->tx_win,
1999 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2000 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2001 }
6327eb98
AE		 2002}
2003
710f9b0a 2004static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2005{
1da177e4 2006 struct l2cap_conf_req *req = data;
0c1bc5c6 2007 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2008 void *ptr = req->data;
c8f79162 2009 u16 size;
1da177e4 2010
49208c9c 2011 BT_DBG("chan %p", chan);
1da177e4 2012
73ffa904 2013 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2014 goto done;
2015
0c1bc5c6 2016 switch (chan->mode) {
f2fcfcd6
GP		 2017 case L2CAP_MODE_STREAMING:
2018 case L2CAP_MODE_ERTM:
c1360a1c 2019 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2020 break;
85eb53c6 2021
f89cef09
AE		 2022 if (__l2cap_efs_supported(chan))
2023 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2024
2ba13ed6 2025 /* fall through */
f2fcfcd6 2026 default:
8c1d787b 2027 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2028 break;
2029 }
2030
2031done:
0c1bc5c6
GP		 2032 if (chan->imtu != L2CAP_DEFAULT_MTU)
2033 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2034
0c1bc5c6 2035 switch (chan->mode) {
65c7c491 2036 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2037 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2038 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2039 break;
2040
62547752
GP		 2041 rfc.mode = L2CAP_MODE_BASIC;
2042 rfc.txwin_size = 0;
2043 rfc.max_transmit = 0;
2044 rfc.retrans_timeout = 0;
2045 rfc.monitor_timeout = 0;
2046 rfc.max_pdu_size = 0;
2047
63406504
GP		 2048 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2049 (unsigned long) &rfc);
65c7c491
MH		 2050 break;
2051
2052 case L2CAP_MODE_ERTM:
2053 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2054 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2055 rfc.retrans_timeout = 0;
2056 rfc.monitor_timeout = 0;
c8f79162
AE		 2057
2058 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2059 L2CAP_EXT_HDR_SIZE -
2060 L2CAP_SDULEN_SIZE -
2061 L2CAP_FCS_SIZE);
2062 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2063
6327eb98
AE		 2064 l2cap_txwin_setup(chan);
2065
2066 rfc.txwin_size = min_t(u16, chan->tx_win,
2067 L2CAP_DEFAULT_TX_WINDOW);
2068
63406504
GP		 2069 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2070 (unsigned long) &rfc);
2071
f89cef09
AE		 2072 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2073 l2cap_add_opt_efs(&ptr, chan);
2074
8c1d787b 2075 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2076 break;
2077
47d1ec61 2078 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2079 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2080 chan->fcs = L2CAP_FCS_NONE;
2081 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2082 }
6327eb98
AE		 2083
2084 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2085 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2086 chan->tx_win);
f2fcfcd6
GP		 2087 break;
2088
2089 case L2CAP_MODE_STREAMING:
2090 rfc.mode = L2CAP_MODE_STREAMING;
2091 rfc.txwin_size = 0;
2092 rfc.max_transmit = 0;
2093 rfc.retrans_timeout = 0;
2094 rfc.monitor_timeout = 0;
c8f79162
AE		 2095
2096 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2097 L2CAP_EXT_HDR_SIZE -
2098 L2CAP_SDULEN_SIZE -
2099 L2CAP_FCS_SIZE);
2100 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2101
63406504
GP		 2102 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2103 (unsigned long) &rfc);
2104
f89cef09
AE		 2105 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2106 l2cap_add_opt_efs(&ptr, chan);
2107
8c1d787b 2108 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2109 break;
2110
47d1ec61 2111 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2112 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2113 chan->fcs = L2CAP_FCS_NONE;
2114 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2115 }
65c7c491
MH		 2116 break;
2117 }
1da177e4 2118
fe4128e0 2119 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 2120 req->flags = cpu_to_le16(0);
1da177e4
LT		 2121
2122 return ptr - data;
2123}
2124
73ffa904 2125static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2126{
5dee9e7c
MH		 2127 struct l2cap_conf_rsp *rsp = data;
2128 void *ptr = rsp->data;
73ffa904
GP		 2129 void *req = chan->conf_req;
2130 int len = chan->conf_len;
5dee9e7c
MH		 2131 int type, hint, olen;
2132 unsigned long val;
6464f35f 2133 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2134 struct l2cap_conf_efs efs;
2135 u8 remote_efs = 0;
861d6882 2136 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2137 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2138 u16 size;
1da177e4 2139
73ffa904 2140 BT_DBG("chan %p", chan);
820ae1b8 2141
5dee9e7c
MH		 2142 while (len >= L2CAP_CONF_OPT_SIZE) {
2143 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2144
589d2746 2145 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2146 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2147
2148 switch (type) {
2149 case L2CAP_CONF_MTU:
861d6882 2150 mtu = val;
5dee9e7c
MH		 2151 break;
2152
2153 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2154 chan->flush_to = val;
5dee9e7c
MH		 2155 break;
2156
2157 case L2CAP_CONF_QOS:
2158 break;
2159
6464f35f
MH		 2160 case L2CAP_CONF_RFC:
2161 if (olen == sizeof(rfc))
2162 memcpy(&rfc, (void *) val, olen);
2163 break;
2164
fcc203c3
GP		 2165 case L2CAP_CONF_FCS:
2166 if (val == L2CAP_FCS_NONE)
c1360a1c 2167 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 2168 break;
fcc203c3 2169
42dceae2
AE		 2170 case L2CAP_CONF_EFS:
2171 remote_efs = 1;
2172 if (olen == sizeof(efs))
2173 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 2174 break;
2175
6327eb98
AE		 2176 case L2CAP_CONF_EWS:
2177 if (!enable_hs)
2178 return -ECONNREFUSED;
2179
2180 set_bit(FLAG_EXT_CTRL, &chan->flags);
2181 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 2182 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98
AE		 2183 chan->remote_tx_win = val;
2184 break;
2185
5dee9e7c
MH		 2186 default:
2187 if (hint)
2188 break;
2189
2190 result = L2CAP_CONF_UNKNOWN;
2191 *((u8 *) ptr++) = type;
2192 break;
2193 }
2194 }
2195
73ffa904 2196 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2197 goto done;
2198
0c1bc5c6 2199 switch (chan->mode) {
f2fcfcd6
GP		 2200 case L2CAP_MODE_STREAMING:
2201 case L2CAP_MODE_ERTM:
c1360a1c 2202 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2203 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2204 chan->conn->feat_mask);
85eb53c6
GP		 2205 break;
2206 }
2207
42dceae2
AE		 2208 if (remote_efs) {
2209 if (__l2cap_efs_supported(chan))
2210 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2211 else
2212 return -ECONNREFUSED;
2213 }
2214
0c1bc5c6 2215 if (chan->mode != rfc.mode)
f2fcfcd6 2216 return -ECONNREFUSED;
742e519b 2217
f2fcfcd6 2218 break;
f2fcfcd6
GP		 2219 }
2220
2221done:
0c1bc5c6 2222 if (chan->mode != rfc.mode) {
f2fcfcd6 2223 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2224 rfc.mode = chan->mode;
f2fcfcd6 2225
73ffa904 2226 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2227 return -ECONNREFUSED;
2228
2229 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2230 sizeof(rfc), (unsigned long) &rfc);
2231 }
2232
5dee9e7c
MH		 2233 if (result == L2CAP_CONF_SUCCESS) {
2234 /* Configure output options and let the other side know
2235 * which ones we don't like. */
2236
f2fcfcd6
GP		 2237 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2238 result = L2CAP_CONF_UNACCEPT;
2239 else {
0c1bc5c6 2240 chan->omtu = mtu;
c1360a1c 2241 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 2242 }
0c1bc5c6 2243 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2244
42dceae2
AE		 2245 if (remote_efs) {
2246 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2247 efs.stype != L2CAP_SERV_NOTRAFIC &&
2248 efs.stype != chan->local_stype) {
2249
2250 result = L2CAP_CONF_UNACCEPT;
2251
2252 if (chan->num_conf_req >= 1)
2253 return -ECONNREFUSED;
2254
2255 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 2256 sizeof(efs),
42dceae2 2257 (unsigned long) &efs);
0e8b207e 2258 } else {
3e6b3b95 2259 /* Send PENDING Conf Rsp */
0e8b207e
AE		 2260 result = L2CAP_CONF_PENDING;
2261 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 2262 }
2263 }
2264
f2fcfcd6
GP		 2265 switch (rfc.mode) {
2266 case L2CAP_MODE_BASIC:
47d1ec61 2267 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2268 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 2269 break;
2270
2271 case L2CAP_MODE_ERTM:
6327eb98
AE		 2272 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
2273 chan->remote_tx_win = rfc.txwin_size;
2274 else
2275 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
2276
2c03a7a4 2277 chan->remote_max_tx = rfc.max_transmit;
86b1b263 2278
c8f79162
AE		 2279 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2280 chan->conn->mtu -
2281 L2CAP_EXT_HDR_SIZE -
2282 L2CAP_SDULEN_SIZE -
2283 L2CAP_FCS_SIZE);
2284 rfc.max_pdu_size = cpu_to_le16(size);
2285 chan->remote_mps = size;
f2fcfcd6 2286
10467e9e
GP		 2287 rfc.retrans_timeout =
2288 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2289 rfc.monitor_timeout =
2290 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2291
c1360a1c 2292 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2293
2294 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2295 sizeof(rfc), (unsigned long) &rfc);
2296
42dceae2
AE		 2297 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2298 chan->remote_id = efs.id;
2299 chan->remote_stype = efs.stype;
2300 chan->remote_msdu = le16_to_cpu(efs.msdu);
2301 chan->remote_flush_to =
2302 le32_to_cpu(efs.flush_to);
2303 chan->remote_acc_lat =
2304 le32_to_cpu(efs.acc_lat);
2305 chan->remote_sdu_itime =
2306 le32_to_cpu(efs.sdu_itime);
2307 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2308 sizeof(efs), (unsigned long) &efs);
2309 }
f2fcfcd6
GP		 2310 break;
2311
2312 case L2CAP_MODE_STREAMING:
c8f79162
AE		 2313 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2314 chan->conn->mtu -
2315 L2CAP_EXT_HDR_SIZE -
2316 L2CAP_SDULEN_SIZE -
2317 L2CAP_FCS_SIZE);
2318 rfc.max_pdu_size = cpu_to_le16(size);
2319 chan->remote_mps = size;
f2fcfcd6 2320
c1360a1c 2321 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2322
2323 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2324 sizeof(rfc), (unsigned long) &rfc);
2325
f2fcfcd6
GP		 2326 break;
2327
2328 default:
5dee9e7c 2329 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2330
6464f35f 2331 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2332 rfc.mode = chan->mode;
f2fcfcd6 2333 }
6464f35f 2334
f2fcfcd6 2335 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 2336 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 2337 }
fe4128e0 2338 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2339 rsp->result = cpu_to_le16(result);
2340 rsp->flags = cpu_to_le16(0x0000);
2341
2342 return ptr - data;
1da177e4
LT		 2343}
2344
b4450035 2345static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2346{
f2fcfcd6
GP		 2347 struct l2cap_conf_req *req = data;
2348 void *ptr = req->data;
2349 int type, olen;
2350 unsigned long val;
2351 struct l2cap_conf_rfc rfc;
2352
fe4128e0 2353 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 2354
2355 while (len >= L2CAP_CONF_OPT_SIZE) {
2356 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2357
2358 switch (type) {
2359 case L2CAP_CONF_MTU:
2360 if (val < L2CAP_DEFAULT_MIN_MTU) {
2361 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2362 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2363 } else
0c1bc5c6
GP		 2364 chan->imtu = val;
2365 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 2366 break;
2367
2368 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2369 chan->flush_to = val;
f2fcfcd6 2370 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 2371 2, chan->flush_to);
f2fcfcd6
GP		 2372 break;
2373
2374 case L2CAP_CONF_RFC:
2375 if (olen == sizeof(rfc))
2376 memcpy(&rfc, (void *)val, olen);
2377
c1360a1c 2378 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 2379 rfc.mode != chan->mode)
f2fcfcd6
GP		 2380 return -ECONNREFUSED;
2381
47d1ec61 2382 chan->fcs = 0;
f2fcfcd6
GP		 2383
2384 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2385 sizeof(rfc), (unsigned long) &rfc);
2386 break;
6327eb98
AE		 2387
2388 case L2CAP_CONF_EWS:
2389 chan->tx_win = min_t(u16, val,
2390 L2CAP_DEFAULT_EXT_WINDOW);
3e6b3b95
GP		 2391 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2392 chan->tx_win);
6327eb98 2393 break;
f2fcfcd6
GP		 2394 }
2395 }
2396
0c1bc5c6 2397 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 2398 return -ECONNREFUSED;
2399
0c1bc5c6 2400 chan->mode = rfc.mode;
6c2ea7a8 2401
0e8b207e 2402 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 2403 switch (rfc.mode) {
2404 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2405 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2406 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2407 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2408 break;
2409 case L2CAP_MODE_STREAMING:
47d1ec61 2410 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2411 }
2412 }
2413
fe4128e0 2414 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 2415 req->flags = cpu_to_le16(0x0000);
2416
2417 return ptr - data;
2418}
2419
fe4128e0 2420static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 2421{
2422 struct l2cap_conf_rsp *rsp = data;
2423 void *ptr = rsp->data;
1da177e4 2424
fe4128e0 2425 BT_DBG("chan %p", chan);
1da177e4 2426
fe4128e0 2427 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 2428 rsp->result = cpu_to_le16(result);
aca3192c 2429 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2430
2431 return ptr - data;
2432}
2433
8c1d787b 2434void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 2435{
2436 struct l2cap_conn_rsp rsp;
8c1d787b 2437 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 2438 u8 buf[128];
2439
fe4128e0
GP		 2440 rsp.scid = cpu_to_le16(chan->dcid);
2441 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 2442 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2443 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2444 l2cap_send_cmd(conn, chan->ident,
2445 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2446
c1360a1c 2447 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 2448 return;
2449
710f9b0a
GP		 2450 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2451 l2cap_build_conf_req(chan, buf), buf);
2452 chan->num_conf_req++;
2453}
2454
47d1ec61 2455static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 2456{
7b1c0049
GP		 2457 int type, olen;
2458 unsigned long val;
2459 struct l2cap_conf_rfc rfc;
2460
47d1ec61 2461 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 2462
0c1bc5c6 2463 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 2464 return;
2465
2466 while (len >= L2CAP_CONF_OPT_SIZE) {
2467 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2468
2469 switch (type) {
2470 case L2CAP_CONF_RFC:
2471 if (olen == sizeof(rfc))
2472 memcpy(&rfc, (void *)val, olen);
2473 goto done;
2474 }
2475 }
2476
2477done:
2478 switch (rfc.mode) {
2479 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2480 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2481 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2482 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2483 break;
2484 case L2CAP_MODE_STREAMING:
47d1ec61 2485 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2486 }
2487}
2488
4e8402a3
MH		 2489static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2490{
e2fd318e 2491 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 2492
e2fd318e 2493 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 2494 return 0;
2495
2496 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2497 cmd->ident == conn->info_ident) {
4e8402a3 2498 del_timer(&conn->info_timer);
984947dc
MH		 2499
2500 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2501 conn->info_ident = 0;
984947dc 2502
4e8402a3
MH		 2503 l2cap_conn_start(conn);
2504 }
2505
2506 return 0;
2507}
2508
1da177e4
LT		 2509static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2510{
1da177e4
LT		 2511 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2512 struct l2cap_conn_rsp rsp;
23691d75 2513 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 2514 struct sock *parent, *sk = NULL;
e7c29cb1 2515 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2516
2517 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2518 __le16 psm = req->psm;
1da177e4
LT		 2519
2520 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2521
2522 /* Check if we have socket listening on psm */
23691d75
GP		 2523 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
2524 if (!pchan) {
1da177e4
LT		 2525 result = L2CAP_CR_BAD_PSM;
2526 goto sendresp;
2527 }
2528
23691d75
GP		 2529 parent = pchan->sk;
2530
e0f0cb56
GP		 2531 bh_lock_sock(parent);
2532
e7c29cb1
MH		 2533 /* Check if the ACL is secure enough (if not SDP) */
2534 if (psm != cpu_to_le16(0x0001) &&
2535 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 2536 conn->disc_reason = 0x05;
e7c29cb1
MH		 2537 result = L2CAP_CR_SEC_BLOCK;
2538 goto response;
2539 }
2540
1da177e4
LT		 2541 result = L2CAP_CR_NO_MEM;
2542
2543 /* Check for backlog size */
2544 if (sk_acceptq_is_full(parent)) {
8e87d142 2545 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2546 goto response;
2547 }
2548
80808e43
GP		 2549 chan = pchan->ops->new_connection(pchan->data);
2550 if (!chan)
1da177e4
LT		 2551 goto response;
2552
80808e43
GP		 2553 sk = chan->sk;
2554
baa7e1fa 2555 write_lock_bh(&conn->chan_lock);
1da177e4
LT		 2556
2557 /* Check if we already have channel with that dcid */
baa7e1fa
GP		 2558 if (__l2cap_get_chan_by_dcid(conn, scid)) {
2559 write_unlock_bh(&conn->chan_lock);
1da177e4 2560 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 2561 chan->ops->close(chan->data);
1da177e4
LT		 2562 goto response;
2563 }
2564
2565 hci_conn_hold(conn->hcon);
2566
1da177e4
LT		 2567 bacpy(&bt_sk(sk)->src, conn->src);
2568 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 2569 chan->psm = psm;
2570 chan->dcid = scid;
1da177e4 2571
d1010240
GP		 2572 bt_accept_enqueue(parent, sk);
2573
48454079
GP		 2574 __l2cap_chan_add(conn, chan);
2575
fe4128e0 2576 dcid = chan->scid;
1da177e4 2577
c9b66675 2578 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 2579
fc7f8a7e 2580 chan->ident = cmd->ident;
1da177e4 2581
984947dc 2582 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
4343478f 2583 if (l2cap_check_security(chan)) {
f66dc81f 2584 if (bt_sk(sk)->defer_setup) {
89bc500e 2585 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 2586 result = L2CAP_CR_PEND;
2587 status = L2CAP_CS_AUTHOR_PEND;
2588 parent->sk_data_ready(parent, 0);
2589 } else {
89bc500e 2590 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 2591 result = L2CAP_CR_SUCCESS;
2592 status = L2CAP_CS_NO_INFO;
2593 }
79d554a6 2594 } else {
89bc500e 2595 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2596 result = L2CAP_CR_PEND;
2597 status = L2CAP_CS_AUTHEN_PEND;
2598 }
2599 } else {
89bc500e 2600 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2601 result = L2CAP_CR_PEND;
2602 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2603 }
2604
baa7e1fa 2605 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 2606
2607response:
2608 bh_unlock_sock(parent);
2609
2610sendresp:
aca3192c
YH		 2611 rsp.scid = cpu_to_le16(scid);
2612 rsp.dcid = cpu_to_le16(dcid);
2613 rsp.result = cpu_to_le16(result);
2614 rsp.status = cpu_to_le16(status);
1da177e4 2615 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2616
2617 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2618 struct l2cap_info_req info;
2619 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2620
2621 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2622 conn->info_ident = l2cap_get_ident(conn);
2623
2624 mod_timer(&conn->info_timer, jiffies +
2625 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2626
2627 l2cap_send_cmd(conn, conn->info_ident,
2628 L2CAP_INFO_REQ, sizeof(info), &info);
2629 }
2630
c1360a1c 2631 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 2632 result == L2CAP_CR_SUCCESS) {
2633 u8 buf[128];
c1360a1c 2634 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 2635 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2636 l2cap_build_conf_req(chan, buf), buf);
2637 chan->num_conf_req++;
e9aeb2dd
GP		 2638 }
2639
1da177e4
LT		 2640 return 0;
2641}
2642
2643static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2644{
2645 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2646 u16 scid, dcid, result, status;
48454079 2647 struct l2cap_chan *chan;
1da177e4
LT		 2648 struct sock *sk;
2649 u8 req[128];
2650
2651 scid = __le16_to_cpu(rsp->scid);
2652 dcid = __le16_to_cpu(rsp->dcid);
2653 result = __le16_to_cpu(rsp->result);
2654 status = __le16_to_cpu(rsp->status);
2655
2656 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2657
2658 if (scid) {
baa7e1fa 2659 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2660 if (!chan)
57d3b22b 2661 return -EFAULT;
1da177e4 2662 } else {
baa7e1fa 2663 chan = l2cap_get_chan_by_ident(conn, cmd->ident);
48454079 2664 if (!chan)
57d3b22b 2665 return -EFAULT;
1da177e4
LT		 2666 }
2667
48454079
GP		 2668 sk = chan->sk;
2669
1da177e4
LT		 2670 switch (result) {
2671 case L2CAP_CR_SUCCESS:
89bc500e 2672 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 2673 chan->ident = 0;
fe4128e0 2674 chan->dcid = dcid;
c1360a1c 2675 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 2676
c1360a1c 2677 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 2678 break;
2679
1da177e4 2680 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2681 l2cap_build_conf_req(chan, req), req);
2682 chan->num_conf_req++;
1da177e4
LT		 2683 break;
2684
2685 case L2CAP_CR_PEND:
c1360a1c 2686 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 2687 break;
2688
2689 default:
a49184c2
AE		 2690 /* don't delete l2cap channel if sk is owned by user */
2691 if (sock_owned_by_user(sk)) {
89bc500e 2692 l2cap_state_change(chan, BT_DISCONN);
c9b66675
GP		 2693 __clear_chan_timer(chan);
2694 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2695 break;
2696 }
2697
48454079 2698 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 2699 break;
2700 }
2701
2702 bh_unlock_sock(sk);
2703 return 0;
2704}
2705
47d1ec61 2706static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 2707{
2708 /* FCS is enabled only in ERTM or streaming mode, if one or both
2709 * sides request it.
2710 */
0c1bc5c6 2711 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 2712 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2713 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 2714 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 2715}
2716
88219a0f 2717static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2718{
2719 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2720 u16 dcid, flags;
2721 u8 rsp[64];
48454079 2722 struct l2cap_chan *chan;
1da177e4 2723 struct sock *sk;
5dee9e7c 2724 int len;
1da177e4
LT		 2725
2726 dcid = __le16_to_cpu(req->dcid);
2727 flags = __le16_to_cpu(req->flags);
2728
2729 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2730
baa7e1fa 2731 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2732 if (!chan)
1da177e4
LT		 2733 return -ENOENT;
2734
48454079
GP		 2735 sk = chan->sk;
2736
033b1142 2737 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 2738 struct l2cap_cmd_rej_cid rej;
2739
2740 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
2741 rej.scid = cpu_to_le16(chan->scid);
2742 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 2743
df6bd743
GP		 2744 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2745 sizeof(rej), &rej);
354f60a9 2746 goto unlock;
df6bd743 2747 }
354f60a9 2748
5dee9e7c 2749 /* Reject if config buffer is too small. */
88219a0f 2750 len = cmd_len - sizeof(*req);
7ac28817 2751 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 2752 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2753 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 2754 L2CAP_CONF_REJECT, flags), rsp);
2755 goto unlock;
2756 }
2757
2758 /* Store config. */
73ffa904
GP		 2759 memcpy(chan->conf_req + chan->conf_len, req->data, len);
2760 chan->conf_len += len;
1da177e4
LT		 2761
2762 if (flags & 0x0001) {
2763 /* Incomplete config. Send empty response. */
2764 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2765 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 2766 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2767 goto unlock;
2768 }
2769
2770 /* Complete config. */
73ffa904 2771 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 2772 if (len < 0) {
e92c8e70 2773 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 2774 goto unlock;
f2fcfcd6 2775 }
1da177e4 2776
5dee9e7c 2777 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 2778 chan->num_conf_rsp++;
5dee9e7c 2779
5dee9e7c 2780 /* Reset config buffer. */
73ffa904 2781 chan->conf_len = 0;
5dee9e7c 2782
c1360a1c 2783 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 2784 goto unlock;
2785
c1360a1c 2786 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 2787 set_default_fcs(chan);
fcc203c3 2788
89bc500e 2789 l2cap_state_change(chan, BT_CONNECTED);
e90bac06 2790
42e5c802
GP		 2791 chan->next_tx_seq = 0;
2792 chan->expected_tx_seq = 0;
58d35f87 2793 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2794 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2795 l2cap_ertm_init(chan);
0565c1c2 2796
1da177e4 2797 l2cap_chan_ready(sk);
876d9484
MH		 2798 goto unlock;
2799 }
2800
c1360a1c 2801 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 2802 u8 buf[64];
1da177e4 2803 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2804 l2cap_build_conf_req(chan, buf), buf);
2805 chan->num_conf_req++;
1da177e4
LT		 2806 }
2807
0e8b207e
AE		 2808 /* Got Conf Rsp PENDING from remote side and asume we sent
2809 Conf Rsp PENDING in the code above */
2810 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
2811 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
2812
2813 /* check compatibility */
2814
2815 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
2816 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
2817
2818 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 2819 l2cap_build_conf_rsp(chan, rsp,
0e8b207e
AE		 2820 L2CAP_CONF_SUCCESS, 0x0000), rsp);
2821 }
2822
1da177e4
LT		 2823unlock:
2824 bh_unlock_sock(sk);
2825 return 0;
2826}
2827
2828static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2829{
2830 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2831 u16 scid, flags, result;
48454079 2832 struct l2cap_chan *chan;
1da177e4 2833 struct sock *sk;
7b1c0049 2834 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 2835
2836 scid = __le16_to_cpu(rsp->scid);
2837 flags = __le16_to_cpu(rsp->flags);
2838 result = __le16_to_cpu(rsp->result);
2839
af05b30b
GP		 2840 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2841 scid, flags, result);
1da177e4 2842
baa7e1fa 2843 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2844 if (!chan)
1da177e4
LT		 2845 return 0;
2846
48454079
GP		 2847 sk = chan->sk;
2848
1da177e4
LT		 2849 switch (result) {
2850 case L2CAP_CONF_SUCCESS:
47d1ec61 2851 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 2852 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 2853 break;
2854
0e8b207e
AE		 2855 case L2CAP_CONF_PENDING:
2856 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
2857
2858 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
2859 char buf[64];
2860
2861 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2862 buf, &result);
2863 if (len < 0) {
2864 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2865 goto done;
2866 }
2867
2868 /* check compatibility */
2869
2870 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
2871 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
2872
2873 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 2874 l2cap_build_conf_rsp(chan, buf,
0e8b207e
AE		 2875 L2CAP_CONF_SUCCESS, 0x0000), buf);
2876 }
2877 goto done;
2878
1da177e4 2879 case L2CAP_CONF_UNACCEPT:
73ffa904 2880 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 2881 char req[64];
2882
c2c77ec8 2883 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 2884 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 2885 goto done;
2886 }
2887
f2fcfcd6
GP		 2888 /* throw out any old stored conf requests */
2889 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 2890 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2891 req, &result);
f2fcfcd6 2892 if (len < 0) {
e92c8e70 2893 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 2894 goto done;
2895 }
2896
2897 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2898 L2CAP_CONF_REQ, len, req);
73ffa904 2899 chan->num_conf_req++;
f2fcfcd6
GP		 2900 if (result != L2CAP_CONF_SUCCESS)
2901 goto done;
2902 break;
1da177e4
LT		 2903 }
2904
8e87d142 2905 default:
b1235d79 2906 sk->sk_err = ECONNRESET;
c9b66675 2907 __set_chan_timer(chan, HZ * 5);
e92c8e70 2908 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 2909 goto done;
2910 }
2911
2912 if (flags & 0x01)
2913 goto done;
2914
c1360a1c 2915 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 2916
c1360a1c 2917 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 2918 set_default_fcs(chan);
fcc203c3 2919
89bc500e 2920 l2cap_state_change(chan, BT_CONNECTED);
42e5c802
GP		 2921 chan->next_tx_seq = 0;
2922 chan->expected_tx_seq = 0;
58d35f87 2923 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2924 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2925 l2cap_ertm_init(chan);
0565c1c2 2926
1da177e4
LT		 2927 l2cap_chan_ready(sk);
2928 }
2929
2930done:
2931 bh_unlock_sock(sk);
2932 return 0;
2933}
2934
2935static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2936{
2937 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2938 struct l2cap_disconn_rsp rsp;
2939 u16 dcid, scid;
48454079 2940 struct l2cap_chan *chan;
1da177e4
LT		 2941 struct sock *sk;
2942
2943 scid = __le16_to_cpu(req->scid);
2944 dcid = __le16_to_cpu(req->dcid);
2945
2946 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2947
baa7e1fa 2948 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2949 if (!chan)
1da177e4
LT		 2950 return 0;
2951
48454079
GP		 2952 sk = chan->sk;
2953
fe4128e0
GP		 2954 rsp.dcid = cpu_to_le16(chan->scid);
2955 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 2956 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2957
2958 sk->sk_shutdown = SHUTDOWN_MASK;
2959
a49184c2
AE		 2960 /* don't delete l2cap channel if sk is owned by user */
2961 if (sock_owned_by_user(sk)) {
89bc500e 2962 l2cap_state_change(chan, BT_DISCONN);
c9b66675
GP		 2963 __clear_chan_timer(chan);
2964 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2965 bh_unlock_sock(sk);
2966 return 0;
2967 }
2968
48454079 2969 l2cap_chan_del(chan, ECONNRESET);
1da177e4
LT		 2970 bh_unlock_sock(sk);
2971
ba3bd0ee 2972 chan->ops->close(chan->data);
1da177e4
LT		 2973 return 0;
2974}
2975
2976static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2977{
2978 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2979 u16 dcid, scid;
48454079 2980 struct l2cap_chan *chan;
1da177e4
LT		 2981 struct sock *sk;
2982
2983 scid = __le16_to_cpu(rsp->scid);
2984 dcid = __le16_to_cpu(rsp->dcid);
2985
2986 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2987
baa7e1fa 2988 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2989 if (!chan)
1da177e4
LT		 2990 return 0;
2991
48454079
GP		 2992 sk = chan->sk;
2993
a49184c2
AE		 2994 /* don't delete l2cap channel if sk is owned by user */
2995 if (sock_owned_by_user(sk)) {
89bc500e 2996 l2cap_state_change(chan,BT_DISCONN);
c9b66675
GP		 2997 __clear_chan_timer(chan);
2998 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2999 bh_unlock_sock(sk);
3000 return 0;
3001 }
3002
48454079 3003 l2cap_chan_del(chan, 0);
1da177e4
LT		 3004 bh_unlock_sock(sk);
3005
ba3bd0ee 3006 chan->ops->close(chan->data);
1da177e4
LT		 3007 return 0;
3008}
3009
3010static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3011{
3012 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3013 u16 type;
3014
3015 type = __le16_to_cpu(req->type);
3016
3017 BT_DBG("type 0x%4.4x", type);
3018
f0709e03
MH		 3019 if (type == L2CAP_IT_FEAT_MASK) {
3020 u8 buf[8];
44dd46de 3021 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 3022 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3023 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3024 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3025 if (!disable_ertm)
fcc203c3
GP		 3026 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3027 | L2CAP_FEAT_FCS;
a5fd6f30 3028 if (enable_hs)
6327eb98
AE		 3029 feat_mask |= L2CAP_FEAT_EXT_FLOW
3030 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3031
1b7bf4ed 3032 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3033 l2cap_send_cmd(conn, cmd->ident,
3034 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3035 } else if (type == L2CAP_IT_FIXED_CHAN) {
3036 u8 buf[12];
3037 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3038
3039 if (enable_hs)
3040 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3041 else
3042 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3043
e1027a7c
MH		 3044 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3045 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3046 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH		 3047 l2cap_send_cmd(conn, cmd->ident,
3048 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3049 } else {
3050 struct l2cap_info_rsp rsp;
3051 rsp.type = cpu_to_le16(type);
3052 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3053 l2cap_send_cmd(conn, cmd->ident,
3054 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3055 }
1da177e4
LT		 3056
3057 return 0;
3058}
3059
3060static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3061{
3062 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3063 u16 type, result;
3064
3065 type = __le16_to_cpu(rsp->type);
3066 result = __le16_to_cpu(rsp->result);
3067
3068 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3069
e90165be
AE		 3070 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3071 if (cmd->ident != conn->info_ident ||
3072 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3073 return 0;
3074
4e8402a3
MH		 3075 del_timer(&conn->info_timer);
3076
adb08ede
VT		 3077 if (result != L2CAP_IR_SUCCESS) {
3078 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3079 conn->info_ident = 0;
3080
3081 l2cap_conn_start(conn);
3082
3083 return 0;
3084 }
3085
984947dc 3086 if (type == L2CAP_IT_FEAT_MASK) {
83985319 3087 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3088
47ec1dcd 3089 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 3090 struct l2cap_info_req req;
3091 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3092
3093 conn->info_ident = l2cap_get_ident(conn);
3094
3095 l2cap_send_cmd(conn, conn->info_ident,
3096 L2CAP_INFO_REQ, sizeof(req), &req);
3097 } else {
3098 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3099 conn->info_ident = 0;
3100
3101 l2cap_conn_start(conn);
3102 }
3103 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 3104 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3105 conn->info_ident = 0;
984947dc
MH		 3106
3107 l2cap_conn_start(conn);
3108 }
4e8402a3 3109
1da177e4
LT		 3110 return 0;
3111}
3112
f94ff6ff
MM		 3113static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3114 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3115 void *data)
3116{
3117 struct l2cap_create_chan_req *req = data;
3118 struct l2cap_create_chan_rsp rsp;
3119 u16 psm, scid;
3120
3121 if (cmd_len != sizeof(*req))
3122 return -EPROTO;
3123
3124 if (!enable_hs)
3125 return -EINVAL;
3126
3127 psm = le16_to_cpu(req->psm);
3128 scid = le16_to_cpu(req->scid);
3129
3130 BT_DBG("psm %d, scid %d, amp_id %d", psm, scid, req->amp_id);
3131
3132 /* Placeholder: Always reject */
3133 rsp.dcid = 0;
3134 rsp.scid = cpu_to_le16(scid);
3135 rsp.result = L2CAP_CR_NO_MEM;
3136 rsp.status = L2CAP_CS_NO_INFO;
3137
3138 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
3139 sizeof(rsp), &rsp);
3140
3141 return 0;
3142}
3143
3144static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
3145 struct l2cap_cmd_hdr *cmd, void *data)
3146{
3147 BT_DBG("conn %p", conn);
3148
3149 return l2cap_connect_rsp(conn, cmd, data);
3150}
3151
e2174ca4 3152static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 3153 u16 to_multiplier)
3154{
3155 u16 max_latency;
3156
3157 if (min > max || min < 6 || max > 3200)
3158 return -EINVAL;
3159
3160 if (to_multiplier < 10 || to_multiplier > 3200)
3161 return -EINVAL;
3162
3163 if (max >= to_multiplier * 8)
3164 return -EINVAL;
3165
3166 max_latency = (to_multiplier * 8 / max) - 1;
3167 if (latency > 499 || latency > max_latency)
3168 return -EINVAL;
3169
3170 return 0;
3171}
3172
3173static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
3174 struct l2cap_cmd_hdr *cmd, u8 *data)
3175{
3176 struct hci_conn *hcon = conn->hcon;
3177 struct l2cap_conn_param_update_req *req;
3178 struct l2cap_conn_param_update_rsp rsp;
3179 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 3180 int err;
de73115a
CT		 3181
3182 if (!(hcon->link_mode & HCI_LM_MASTER))
3183 return -EINVAL;
3184
3185 cmd_len = __le16_to_cpu(cmd->len);
3186 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
3187 return -EPROTO;
3188
3189 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 3190 min = __le16_to_cpu(req->min);
3191 max = __le16_to_cpu(req->max);
de73115a
CT		 3192 latency = __le16_to_cpu(req->latency);
3193 to_multiplier = __le16_to_cpu(req->to_multiplier);
3194
3195 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
3196 min, max, latency, to_multiplier);
3197
3198 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 3199
3200 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
3201 if (err)
de73115a
CT		 3202 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
3203 else
3204 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
3205
3206 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
3207 sizeof(rsp), &rsp);
3208
2ce603eb
CT		 3209 if (!err)
3210 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
3211
de73115a
CT		 3212 return 0;
3213}
3214
3300d9a9
CT		 3215static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
3216 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3217{
3218 int err = 0;
3219
3220 switch (cmd->code) {
3221 case L2CAP_COMMAND_REJ:
3222 l2cap_command_rej(conn, cmd, data);
3223 break;
3224
3225 case L2CAP_CONN_REQ:
3226 err = l2cap_connect_req(conn, cmd, data);
3227 break;
3228
3229 case L2CAP_CONN_RSP:
3230 err = l2cap_connect_rsp(conn, cmd, data);
3231 break;
3232
3233 case L2CAP_CONF_REQ:
3234 err = l2cap_config_req(conn, cmd, cmd_len, data);
3235 break;
3236
3237 case L2CAP_CONF_RSP:
3238 err = l2cap_config_rsp(conn, cmd, data);
3239 break;
3240
3241 case L2CAP_DISCONN_REQ:
3242 err = l2cap_disconnect_req(conn, cmd, data);
3243 break;
3244
3245 case L2CAP_DISCONN_RSP:
3246 err = l2cap_disconnect_rsp(conn, cmd, data);
3247 break;
3248
3249 case L2CAP_ECHO_REQ:
3250 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
3251 break;
3252
3253 case L2CAP_ECHO_RSP:
3254 break;
3255
3256 case L2CAP_INFO_REQ:
3257 err = l2cap_information_req(conn, cmd, data);
3258 break;
3259
3260 case L2CAP_INFO_RSP:
3261 err = l2cap_information_rsp(conn, cmd, data);
3262 break;
3263
f94ff6ff
MM		 3264 case L2CAP_CREATE_CHAN_REQ:
3265 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
3266 break;
3267
3268 case L2CAP_CREATE_CHAN_RSP:
3269 err = l2cap_create_channel_rsp(conn, cmd, data);
3270 break;
3271
3300d9a9
CT		 3272 default:
3273 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
3274 err = -EINVAL;
3275 break;
3276 }
3277
3278 return err;
3279}
3280
3281static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
3282 struct l2cap_cmd_hdr *cmd, u8 *data)
3283{
3284 switch (cmd->code) {
3285 case L2CAP_COMMAND_REJ:
3286 return 0;
3287
3288 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 3289 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 3290
3291 case L2CAP_CONN_PARAM_UPDATE_RSP:
3292 return 0;
3293
3294 default:
3295 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
3296 return -EINVAL;
3297 }
3298}
3299
3300static inline void l2cap_sig_channel(struct l2cap_conn *conn,
3301 struct sk_buff *skb)
1da177e4
LT		 3302{
3303 u8 *data = skb->data;
3304 int len = skb->len;
3305 struct l2cap_cmd_hdr cmd;
3300d9a9 3306 int err;
1da177e4
LT		 3307
3308 l2cap_raw_recv(conn, skb);
3309
3310 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3311 u16 cmd_len;
1da177e4
LT		 3312 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3313 data += L2CAP_CMD_HDR_SIZE;
3314 len -= L2CAP_CMD_HDR_SIZE;
3315
88219a0f 3316 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3317
88219a0f 3318 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3319
88219a0f 3320 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3321 BT_DBG("corrupted command");
3322 break;
3323 }
3324
3300d9a9
CT		 3325 if (conn->hcon->type == LE_LINK)
3326 err = l2cap_le_sig_cmd(conn, &cmd, data);
3327 else
3328 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 3329
3330 if (err) {
e2fd318e 3331 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 3332
3333 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 3334
3335 /* FIXME: Map err to a valid reason */
e2fd318e 3336 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 3337 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3338 }
3339
88219a0f
AV		 3340 data += cmd_len;
3341 len -= cmd_len;
1da177e4
LT		 3342 }
3343
3344 kfree_skb(skb);
3345}
3346
47d1ec61 3347static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 3348{
3349 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 3350 int hdr_size;
3351
3352 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3353 hdr_size = L2CAP_EXT_HDR_SIZE;
3354 else
3355 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 3356
47d1ec61 3357 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 3358 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 3359 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3360 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3361
3362 if (our_fcs != rcv_fcs)
7a560e5c 3363 return -EBADMSG;
fcc203c3
GP		 3364 }
3365 return 0;
3366}
3367
525cd185 3368static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 3369{
88843ab0 3370 u32 control = 0;
d5392c8f 3371
6a026610 3372 chan->frames_sent = 0;
d5392c8f 3373
0b209fae 3374 control |= __set_reqseq(chan, chan->buffer_seq);
d5392c8f 3375
e2ab4353 3376 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 3377 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
525cd185 3378 l2cap_send_sframe(chan, control);
e2ab4353 3379 set_bit(CONN_RNR_SENT, &chan->conn_state);
d5392c8f
GP		 3380 }
3381
e2ab4353 3382 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
525cd185 3383 l2cap_retransmit_frames(chan);
d5392c8f 3384
525cd185 3385 l2cap_ertm_send(chan);
d5392c8f 3386
e2ab4353 3387 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
6a026610 3388 chan->frames_sent == 0) {
ab784b73 3389 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 3390 l2cap_send_sframe(chan, control);
d5392c8f
GP		 3391 }
3392}
3393
fb45de7d 3394static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u16 tx_seq, u8 sar)
8f17154f
GP		 3395{
3396 struct sk_buff *next_skb;
bfbacc11 3397 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 3398
3399 bt_cb(skb)->tx_seq = tx_seq;
3400 bt_cb(skb)->sar = sar;
3401
f1c6775b 3402 next_skb = skb_peek(&chan->srej_q);
8f17154f 3403 if (!next_skb) {
f1c6775b 3404 __skb_queue_tail(&chan->srej_q, skb);
9b53350d 3405 return 0;
8f17154f
GP		 3406 }
3407
836be934 3408 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
bfbacc11 3409
8f17154f 3410 do {
9b53350d
JPRV		 3411 if (bt_cb(next_skb)->tx_seq == tx_seq)
3412 return -EINVAL;
3413
836be934
AE		 3414 next_tx_seq_offset = __seq_offset(chan,
3415 bt_cb(next_skb)->tx_seq, chan->buffer_seq);
bfbacc11
JPRV		 3416
3417 if (next_tx_seq_offset > tx_seq_offset) {
f1c6775b 3418 __skb_queue_before(&chan->srej_q, next_skb, skb);
9b53350d 3419 return 0;
8f17154f
GP		 3420 }
3421
f1c6775b 3422 if (skb_queue_is_last(&chan->srej_q, next_skb))
8f17154f
GP		 3423 break;
3424
f1c6775b 3425 } while ((next_skb = skb_queue_next(&chan->srej_q, next_skb)));
8f17154f 3426
f1c6775b 3427 __skb_queue_tail(&chan->srej_q, skb);
9b53350d
JPRV		 3428
3429 return 0;
8f17154f
GP		 3430}
3431
84084a31
MM		 3432static void append_skb_frag(struct sk_buff *skb,
3433 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 3434{
84084a31
MM		 3435 /* skb->len reflects data in skb as well as all fragments
3436 * skb->data_len reflects only data in fragments
3437 */
3438 if (!skb_has_frag_list(skb))
3439 skb_shinfo(skb)->frag_list = new_frag;
3440
3441 new_frag->next = NULL;
3442
3443 (*last_frag)->next = new_frag;
3444 *last_frag = new_frag;
3445
3446 skb->len += new_frag->len;
3447 skb->data_len += new_frag->len;
3448 skb->truesize += new_frag->truesize;
3449}
3450
88843ab0 3451static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u32 control)
84084a31
MM		 3452{
3453 int err = -EINVAL;
18778a63 3454
7e0ef6ee
AE		 3455 switch (__get_ctrl_sar(chan, control)) {
3456 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 3457 if (chan->sdu)
3458 break;
18778a63 3459
84084a31
MM		 3460 err = chan->ops->recv(chan->data, skb);
3461 break;
18778a63 3462
7e0ef6ee 3463 case L2CAP_SAR_START:
84084a31
MM		 3464 if (chan->sdu)
3465 break;
18778a63 3466
6f61fd47 3467 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 3468 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 3469
84084a31
MM		 3470 if (chan->sdu_len > chan->imtu) {
3471 err = -EMSGSIZE;
3472 break;
3473 }
1890d36b 3474
84084a31
MM		 3475 if (skb->len >= chan->sdu_len)
3476 break;
18778a63 3477
84084a31
MM		 3478 chan->sdu = skb;
3479 chan->sdu_last_frag = skb;
18778a63 3480
84084a31
MM		 3481 skb = NULL;
3482 err = 0;
18778a63
GP		 3483 break;
3484
7e0ef6ee 3485 case L2CAP_SAR_CONTINUE:
6f61fd47 3486 if (!chan->sdu)
84084a31 3487 break;
18778a63 3488
84084a31
MM		 3489 append_skb_frag(chan->sdu, skb,
3490 &chan->sdu_last_frag);
3491 skb = NULL;
18778a63 3492
84084a31
MM		 3493 if (chan->sdu->len >= chan->sdu_len)
3494 break;
4178ba46 3495
84084a31 3496 err = 0;
18778a63
GP		 3497 break;
3498
7e0ef6ee 3499 case L2CAP_SAR_END:
6f61fd47 3500 if (!chan->sdu)
84084a31 3501 break;
18778a63 3502
84084a31
MM		 3503 append_skb_frag(chan->sdu, skb,
3504 &chan->sdu_last_frag);
3505 skb = NULL;
4178ba46 3506
84084a31
MM		 3507 if (chan->sdu->len != chan->sdu_len)
3508 break;
18778a63 3509
84084a31 3510 err = chan->ops->recv(chan->data, chan->sdu);
1890d36b 3511
84084a31
MM		 3512 if (!err) {
3513 /* Reassembly complete */
3514 chan->sdu = NULL;
3515 chan->sdu_last_frag = NULL;
3516 chan->sdu_len = 0;
1890d36b 3517 }
18778a63
GP		 3518 break;
3519 }
3520
84084a31
MM		 3521 if (err) {
3522 kfree_skb(skb);
3523 kfree_skb(chan->sdu);
3524 chan->sdu = NULL;
3525 chan->sdu_last_frag = NULL;
3526 chan->sdu_len = 0;
3527 }
18778a63 3528
84084a31 3529 return err;
18778a63
GP		 3530}
3531
26f880d2 3532static void l2cap_ertm_enter_local_busy(struct l2cap_chan *chan)
712132eb 3533{
88843ab0 3534 u32 control;
712132eb 3535
26f880d2 3536 BT_DBG("chan %p, Enter local busy", chan);
712132eb 3537
26f880d2
MM		 3538 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3539
0b209fae 3540 control = __set_reqseq(chan, chan->buffer_seq);
ab784b73 3541 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
26f880d2
MM		 3542 l2cap_send_sframe(chan, control);
3543
3544 set_bit(CONN_RNR_SENT, &chan->conn_state);
3545
3546 __clear_ack_timer(chan);
3547}
3548
3549static void l2cap_ertm_exit_local_busy(struct l2cap_chan *chan)
3550{
88843ab0 3551 u32 control;
712132eb 3552
e2ab4353 3553 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
712132eb
GP		 3554 goto done;
3555
0b209fae 3556 control = __set_reqseq(chan, chan->buffer_seq);
e3781735 3557 control |= __set_ctrl_poll(chan);
ab784b73 3558 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 3559 l2cap_send_sframe(chan, control);
6a026610 3560 chan->retry_count = 1;
712132eb 3561
1a09bcb9
GP		 3562 __clear_retrans_timer(chan);
3563 __set_monitor_timer(chan);
712132eb 3564
e2ab4353 3565 set_bit(CONN_WAIT_F, &chan->conn_state);
712132eb
GP		 3566
3567done:
e2ab4353
GP		 3568 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3569 clear_bit(CONN_RNR_SENT, &chan->conn_state);
712132eb 3570
49208c9c 3571 BT_DBG("chan %p, Exit local busy", chan);
712132eb
GP		 3572}
3573
e328140f 3574void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
1890d36b 3575{
e328140f
MM		 3576 if (chan->mode == L2CAP_MODE_ERTM) {
3577 if (busy)
3578 l2cap_ertm_enter_local_busy(chan);
3579 else
3580 l2cap_ertm_exit_local_busy(chan);
1890d36b 3581 }
1890d36b
GP		 3582}
3583
fb45de7d 3584static void l2cap_check_srej_gap(struct l2cap_chan *chan, u16 tx_seq)
8f17154f
GP		 3585{
3586 struct sk_buff *skb;
88843ab0 3587 u32 control;
8f17154f 3588
e328140f
MM		 3589 while ((skb = skb_peek(&chan->srej_q)) &&
3590 !test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3591 int err;
3592
8f17154f
GP		 3593 if (bt_cb(skb)->tx_seq != tx_seq)
3594 break;
3595
f1c6775b 3596 skb = skb_dequeue(&chan->srej_q);
7e0ef6ee 3597 control = __set_ctrl_sar(chan, bt_cb(skb)->sar);
84084a31 3598 err = l2cap_reassemble_sdu(chan, skb, control);
e328140f
MM		 3599
3600 if (err < 0) {
3601 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3602 break;
3603 }
3604
836be934
AE		 3605 chan->buffer_seq_srej = __next_seq(chan, chan->buffer_seq_srej);
3606 tx_seq = __next_seq(chan, tx_seq);
8f17154f
GP		 3607 }
3608}
3609
fb45de7d 3610static void l2cap_resend_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 3611{
8f17154f 3612 struct srej_list *l, *tmp;
88843ab0 3613 u32 control;
8f17154f 3614
39d5a3ee 3615 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
8f17154f
GP		 3616 if (l->tx_seq == tx_seq) {
3617 list_del(&l->list);
3618 kfree(l);
3619 return;
3620 }
ab784b73 3621 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 3622 control |= __set_reqseq(chan, l->tx_seq);
525cd185 3623 l2cap_send_sframe(chan, control);
8f17154f 3624 list_del(&l->list);
39d5a3ee 3625 list_add_tail(&l->list, &chan->srej_l);
8f17154f
GP		 3626 }
3627}
3628
fb45de7d 3629static void l2cap_send_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 3630{
8f17154f 3631 struct srej_list *new;
88843ab0 3632 u32 control;
8f17154f 3633
42e5c802 3634 while (tx_seq != chan->expected_tx_seq) {
ab784b73 3635 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 3636 control |= __set_reqseq(chan, chan->expected_tx_seq);
525cd185 3637 l2cap_send_sframe(chan, control);
8f17154f
GP		 3638
3639 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
42e5c802 3640 new->tx_seq = chan->expected_tx_seq;
836be934
AE		 3641
3642 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
3643
39d5a3ee 3644 list_add_tail(&new->list, &chan->srej_l);
8f17154f 3645 }
836be934
AE		 3646
3647 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
8f17154f
GP		 3648}
3649
88843ab0 3650static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
1c2acffb 3651{
fb45de7d 3652 u16 tx_seq = __get_txseq(chan, rx_control);
0b209fae 3653 u16 req_seq = __get_reqseq(chan, rx_control);
7e0ef6ee 3654 u8 sar = __get_ctrl_sar(chan, rx_control);
f6337c77 3655 int tx_seq_offset, expected_tx_seq_offset;
47d1ec61 3656 int num_to_ack = (chan->tx_win/6) + 1;
1c2acffb
GP		 3657 int err = 0;
3658
88843ab0 3659 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%8.8x", chan, skb->len,
525cd185 3660 tx_seq, rx_control);
1c2acffb 3661
03f6715d 3662 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 3663 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 3664 __clear_monitor_timer(chan);
6a026610 3665 if (chan->unacked_frames > 0)
1a09bcb9 3666 __set_retrans_timer(chan);
e2ab4353 3667 clear_bit(CONN_WAIT_F, &chan->conn_state);
1d8f5d16
GP		 3668 }
3669
42e5c802
GP		 3670 chan->expected_ack_seq = req_seq;
3671 l2cap_drop_acked_frames(chan);
9f121a5a 3672
836be934 3673 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
9b53350d
JPRV		 3674
3675 /* invalid tx_seq */
47d1ec61 3676 if (tx_seq_offset >= chan->tx_win) {
8c1d787b 3677 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
9b53350d
JPRV		 3678 goto drop;
3679 }
3680
e2ab4353 3681 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1890d36b
GP		 3682 goto drop;
3683
02f1b641
MM		 3684 if (tx_seq == chan->expected_tx_seq)
3685 goto expected;
3686
e2ab4353 3687 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
8f17154f 3688 struct srej_list *first;
30afb5b2 3689
39d5a3ee 3690 first = list_first_entry(&chan->srej_l,
8f17154f
GP		 3691 struct srej_list, list);
3692 if (tx_seq == first->tx_seq) {
42e5c802 3693 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
525cd185 3694 l2cap_check_srej_gap(chan, tx_seq);
8f17154f
GP		 3695
3696 list_del(&first->list);
3697 kfree(first);
3698
39d5a3ee 3699 if (list_empty(&chan->srej_l)) {
42e5c802 3700 chan->buffer_seq = chan->buffer_seq_srej;
e2ab4353 3701 clear_bit(CONN_SREJ_SENT, &chan->conn_state);
525cd185 3702 l2cap_send_ack(chan);
49208c9c 3703 BT_DBG("chan %p, Exit SREJ_SENT", chan);
8f17154f
GP		 3704 }
3705 } else {
3706 struct srej_list *l;
9b53350d
JPRV		 3707
3708 /* duplicated tx_seq */
42e5c802 3709 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
9b53350d 3710 goto drop;
8f17154f 3711
39d5a3ee 3712 list_for_each_entry(l, &chan->srej_l, list) {
8f17154f 3713 if (l->tx_seq == tx_seq) {
525cd185 3714 l2cap_resend_srejframe(chan, tx_seq);
8f17154f
GP		 3715 return 0;
3716 }
3717 }
525cd185 3718 l2cap_send_srejframe(chan, tx_seq);
30afb5b2
GP		 3719 }
3720 } else {
836be934
AE		 3721 expected_tx_seq_offset = __seq_offset(chan,
3722 chan->expected_tx_seq, chan->buffer_seq);
9b53350d
JPRV		 3723
3724 /* duplicated tx_seq */
3725 if (tx_seq_offset < expected_tx_seq_offset)
3726 goto drop;
3727
e2ab4353 3728 set_bit(CONN_SREJ_SENT, &chan->conn_state);
1c2acffb 3729
49208c9c 3730 BT_DBG("chan %p, Enter SREJ", chan);
0e98958d 3731
39d5a3ee 3732 INIT_LIST_HEAD(&chan->srej_l);
42e5c802 3733 chan->buffer_seq_srej = chan->buffer_seq;
8f17154f 3734
f1c6775b 3735 __skb_queue_head_init(&chan->srej_q);
42e5c802 3736 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
8f17154f 3737
e2ab4353 3738 set_bit(CONN_SEND_PBIT, &chan->conn_state);
ef54fd93 3739
525cd185 3740 l2cap_send_srejframe(chan, tx_seq);
7fe9b298 3741
1a09bcb9 3742 __clear_ack_timer(chan);
1c2acffb 3743 }
30afb5b2
GP		 3744 return 0;
3745
8f17154f 3746expected:
836be934 3747 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
8f17154f 3748
e2ab4353 3749 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3b1a9f3f
GP		 3750 bt_cb(skb)->tx_seq = tx_seq;
3751 bt_cb(skb)->sar = sar;
f1c6775b 3752 __skb_queue_tail(&chan->srej_q, skb);
8f17154f
GP		 3753 return 0;
3754 }
3755
84084a31 3756 err = l2cap_reassemble_sdu(chan, skb, rx_control);
836be934
AE		 3757 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
3758
e328140f
MM		 3759 if (err < 0) {
3760 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3761 return err;
3762 }
2ece3684 3763
03f6715d 3764 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3765 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3766 l2cap_retransmit_frames(chan);
4ec10d97
GP		 3767 }
3768
1a09bcb9 3769 __set_ack_timer(chan);
c1b4f43b 3770
6a026610
GP		 3771 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3772 if (chan->num_acked == num_to_ack - 1)
525cd185 3773 l2cap_send_ack(chan);
9e917af1 3774
8f17154f 3775 return 0;
9b53350d
JPRV		 3776
3777drop:
3778 kfree_skb(skb);
3779 return 0;
1c2acffb
GP		 3780}
3781
88843ab0 3782static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u32 rx_control)
1c2acffb 3783{
88843ab0 3784 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan,
0b209fae 3785 __get_reqseq(chan, rx_control), rx_control);
0e98958d 3786
0b209fae 3787 chan->expected_ack_seq = __get_reqseq(chan, rx_control);
42e5c802 3788 l2cap_drop_acked_frames(chan);
1c2acffb 3789
e3781735 3790 if (__is_ctrl_poll(chan, rx_control)) {
e2ab4353
GP		 3791 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3792 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3793 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 3794 (chan->unacked_frames > 0))
1a09bcb9 3795 __set_retrans_timer(chan);
05fbd89d 3796
e2ab4353 3797 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
525cd185 3798 l2cap_send_srejtail(chan);
05fbd89d 3799 } else {
525cd185 3800 l2cap_send_i_or_rr_or_rnr(chan);
05fbd89d 3801 }
1d8f5d16 3802
03f6715d 3803 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3804 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4ec10d97 3805
e2ab4353 3806 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3807 l2cap_retransmit_frames(chan);
2246b2f1 3808
e072745f 3809 } else {
e2ab4353 3810 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 3811 (chan->unacked_frames > 0))
1a09bcb9 3812 __set_retrans_timer(chan);
1c2acffb 3813
e2ab4353
GP		 3814 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3815 if (test_bit(CONN_SREJ_SENT, &chan->conn_state))
525cd185 3816 l2cap_send_ack(chan);
894718a6 3817 else
525cd185 3818 l2cap_ertm_send(chan);
e072745f
GP		 3819 }
3820}
2246b2f1 3821
88843ab0 3822static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 3823{
0b209fae 3824 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 3825
88843ab0 3826 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 3827
e2ab4353 3828 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
e072745f 3829
42e5c802
GP		 3830 chan->expected_ack_seq = tx_seq;
3831 l2cap_drop_acked_frames(chan);
e072745f 3832
03f6715d 3833 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3834 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3835 l2cap_retransmit_frames(chan);
e072745f 3836 } else {
525cd185 3837 l2cap_retransmit_frames(chan);
30afb5b2 3838
e2ab4353
GP		 3839 if (test_bit(CONN_WAIT_F, &chan->conn_state))
3840 set_bit(CONN_REJ_ACT, &chan->conn_state);
e072745f
GP		 3841 }
3842}
88843ab0 3843static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 3844{
0b209fae 3845 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 3846
88843ab0 3847 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 3848
e2ab4353 3849 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
2246b2f1 3850
e3781735 3851 if (__is_ctrl_poll(chan, rx_control)) {
42e5c802
GP		 3852 chan->expected_ack_seq = tx_seq;
3853 l2cap_drop_acked_frames(chan);
3cb123d1 3854
e2ab4353 3855 set_bit(CONN_SEND_FBIT, &chan->conn_state);
525cd185 3856 l2cap_retransmit_one_frame(chan, tx_seq);
dfc909be 3857
525cd185 3858 l2cap_ertm_send(chan);
dfc909be 3859
e2ab4353 3860 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 3861 chan->srej_save_reqseq = tx_seq;
e2ab4353 3862 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 3863 }
03f6715d 3864 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3865 if (test_bit(CONN_SREJ_ACT, &chan->conn_state) &&
6a026610 3866 chan->srej_save_reqseq == tx_seq)
e2ab4353 3867 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
e072745f 3868 else
525cd185 3869 l2cap_retransmit_one_frame(chan, tx_seq);
e072745f 3870 } else {
525cd185 3871 l2cap_retransmit_one_frame(chan, tx_seq);
e2ab4353 3872 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 3873 chan->srej_save_reqseq = tx_seq;
e2ab4353 3874 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 3875 }
e072745f
GP		 3876 }
3877}
3878
88843ab0 3879static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 3880{
0b209fae 3881 u16 tx_seq = __get_reqseq(chan, rx_control);
e072745f 3882
88843ab0 3883 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 3884
e2ab4353 3885 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
42e5c802
GP		 3886 chan->expected_ack_seq = tx_seq;
3887 l2cap_drop_acked_frames(chan);
e072745f 3888
e3781735 3889 if (__is_ctrl_poll(chan, rx_control))
e2ab4353 3890 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3cb123d1 3891
e2ab4353 3892 if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
1a09bcb9 3893 __clear_retrans_timer(chan);
e3781735 3894 if (__is_ctrl_poll(chan, rx_control))
525cd185 3895 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
99b0d4b7 3896 return;
e072745f 3897 }
99b0d4b7 3898
e3781735 3899 if (__is_ctrl_poll(chan, rx_control)) {
525cd185 3900 l2cap_send_srejtail(chan);
ab784b73
AE		 3901 } else {
3902 rx_control = __set_ctrl_super(chan, L2CAP_SUPER_RR);
3903 l2cap_send_sframe(chan, rx_control);
3904 }
e072745f
GP		 3905}
3906
88843ab0 3907static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
e072745f 3908{
88843ab0 3909 BT_DBG("chan %p rx_control 0x%8.8x len %d", chan, rx_control, skb->len);
e072745f 3910
03f6715d 3911 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 3912 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 3913 __clear_monitor_timer(chan);
6a026610 3914 if (chan->unacked_frames > 0)
1a09bcb9 3915 __set_retrans_timer(chan);
e2ab4353 3916 clear_bit(CONN_WAIT_F, &chan->conn_state);
e072745f
GP		 3917 }
3918
ab784b73
AE		 3919 switch (__get_ctrl_super(chan, rx_control)) {
3920 case L2CAP_SUPER_RR:
525cd185 3921 l2cap_data_channel_rrframe(chan, rx_control);
8f17154f
GP		 3922 break;
3923
ab784b73 3924 case L2CAP_SUPER_REJ:
525cd185 3925 l2cap_data_channel_rejframe(chan, rx_control);
e072745f 3926 break;
2246b2f1 3927
ab784b73 3928 case L2CAP_SUPER_SREJ:
525cd185 3929 l2cap_data_channel_srejframe(chan, rx_control);
e072745f
GP		 3930 break;
3931
ab784b73 3932 case L2CAP_SUPER_RNR:
525cd185 3933 l2cap_data_channel_rnrframe(chan, rx_control);
1c2acffb
GP		 3934 break;
3935 }
3936
faaebd19 3937 kfree_skb(skb);
1c2acffb
GP		 3938 return 0;
3939}
3940
218bb9df
GP		 3941static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
3942{
525cd185 3943 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
88843ab0 3944 u32 control;
0b209fae 3945 u16 req_seq;
218bb9df
GP		 3946 int len, next_tx_seq_offset, req_seq_offset;
3947
88843ab0
AE		 3948 control = __get_control(chan, skb->data);
3949 skb_pull(skb, __ctrl_size(chan));
218bb9df
GP		 3950 len = skb->len;
3951
3952 /*
3953 * We can just drop the corrupted I-frame here.
3954 * Receiver will miss it and start proper recovery
3955 * procedures and ask retransmission.
3956 */
47d1ec61 3957 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 3958 goto drop;
3959
793c2f1c 3960 if (__is_sar_start(chan, control) && !__is_sframe(chan, control))
03a51213 3961 len -= L2CAP_SDULEN_SIZE;
218bb9df 3962
47d1ec61 3963 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 3964 len -= L2CAP_FCS_SIZE;
218bb9df 3965
47d1ec61 3966 if (len > chan->mps) {
8c1d787b 3967 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3968 goto drop;
3969 }
3970
0b209fae 3971 req_seq = __get_reqseq(chan, control);
218bb9df 3972
836be934
AE		 3973 req_seq_offset = __seq_offset(chan, req_seq, chan->expected_ack_seq);
3974
3975 next_tx_seq_offset = __seq_offset(chan, chan->next_tx_seq,
3976 chan->expected_ack_seq);
218bb9df
GP		 3977
3978 /* check for invalid req-seq */
3979 if (req_seq_offset > next_tx_seq_offset) {
8c1d787b 3980 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3981 goto drop;
3982 }
3983
793c2f1c 3984 if (!__is_sframe(chan, control)) {
218bb9df 3985 if (len < 0) {
8c1d787b 3986 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3987 goto drop;
3988 }
3989
525cd185 3990 l2cap_data_channel_iframe(chan, control, skb);
218bb9df
GP		 3991 } else {
3992 if (len != 0) {
3993 BT_ERR("%d", len);
8c1d787b 3994 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3995 goto drop;
3996 }
3997
525cd185 3998 l2cap_data_channel_sframe(chan, control, skb);
218bb9df
GP		 3999 }
4000
4001 return 0;
4002
4003drop:
4004 kfree_skb(skb);
4005 return 0;
4006}
4007
1da177e4
LT		 4008static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
4009{
48454079 4010 struct l2cap_chan *chan;
bf734843 4011 struct sock *sk = NULL;
88843ab0 4012 u32 control;
fb45de7d 4013 u16 tx_seq;
218bb9df 4014 int len;
1da177e4 4015
baa7e1fa 4016 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 4017 if (!chan) {
1da177e4
LT		 4018 BT_DBG("unknown cid 0x%4.4x", cid);
4019 goto drop;
4020 }
4021
48454079 4022 sk = chan->sk;
6840ed07 4023
49208c9c 4024 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 4025
89bc500e 4026 if (chan->state != BT_CONNECTED)
1da177e4
LT		 4027 goto drop;
4028
0c1bc5c6 4029 switch (chan->mode) {
1c2acffb
GP		 4030 case L2CAP_MODE_BASIC:
4031 /* If socket recv buffers overflows we drop data here
4032 * which is *bad* because L2CAP has to be reliable.
4033 * But we don't have any other choice. L2CAP doesn't
4034 * provide flow control mechanism. */
1da177e4 4035
0c1bc5c6 4036 if (chan->imtu < skb->len)
1c2acffb 4037 goto drop;
1da177e4 4038
23070494 4039 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP		 4040 goto done;
4041 break;
4042
4043 case L2CAP_MODE_ERTM:
218bb9df
GP		 4044 if (!sock_owned_by_user(sk)) {
4045 l2cap_ertm_data_rcv(sk, skb);
277ffbe3 4046 } else {
218bb9df 4047 if (sk_add_backlog(sk, skb))
277ffbe3 4048 goto drop;
277ffbe3 4049 }
1c2acffb 4050
fcafde2e 4051 goto done;
1c2acffb 4052
6840ed07 4053 case L2CAP_MODE_STREAMING:
88843ab0
AE		 4054 control = __get_control(chan, skb->data);
4055 skb_pull(skb, __ctrl_size(chan));
6840ed07
GP		 4056 len = skb->len;
4057
47d1ec61 4058 if (l2cap_check_fcs(chan, skb))
26000089
GP		 4059 goto drop;
4060
7e0ef6ee 4061 if (__is_sar_start(chan, control))
03a51213 4062 len -= L2CAP_SDULEN_SIZE;
6840ed07 4063
47d1ec61 4064 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 4065 len -= L2CAP_FCS_SIZE;
fcc203c3 4066
793c2f1c 4067 if (len > chan->mps || len < 0 || __is_sframe(chan, control))
6840ed07
GP		 4068 goto drop;
4069
fb45de7d 4070 tx_seq = __get_txseq(chan, control);
6840ed07 4071
84084a31
MM		 4072 if (chan->expected_tx_seq != tx_seq) {
4073 /* Frame(s) missing - must discard partial SDU */
4074 kfree_skb(chan->sdu);
4075 chan->sdu = NULL;
4076 chan->sdu_last_frag = NULL;
4077 chan->sdu_len = 0;
6840ed07 4078
84084a31
MM		 4079 /* TODO: Notify userland of missing data */
4080 }
4081
836be934 4082 chan->expected_tx_seq = __next_seq(chan, tx_seq);
84084a31
MM		 4083
4084 if (l2cap_reassemble_sdu(chan, skb, control) == -EMSGSIZE)
4085 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
6840ed07
GP		 4086
4087 goto done;
4088
1c2acffb 4089 default:
0c1bc5c6 4090 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 4091 break;
4092 }
1da177e4
LT		 4093
4094drop:
4095 kfree_skb(skb);
4096
4097done:
0139418c
MH		 4098 if (sk)
4099 bh_unlock_sock(sk);
4100
1da177e4
LT		 4101 return 0;
4102}
4103
8e036fc3 4104static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 4105{
6dcae1ea 4106 struct sock *sk = NULL;
23691d75 4107 struct l2cap_chan *chan;
1da177e4 4108
23691d75
GP		 4109 chan = l2cap_global_chan_by_psm(0, psm, conn->src);
4110 if (!chan)
1da177e4
LT		 4111 goto drop;
4112
23691d75
GP		 4113 sk = chan->sk;
4114
e0f0cb56
GP		 4115 bh_lock_sock(sk);
4116
1da177e4
LT		 4117 BT_DBG("sk %p, len %d", sk, skb->len);
4118
89bc500e 4119 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 4120 goto drop;
4121
e13e21dc 4122 if (chan->imtu < skb->len)
1da177e4
LT		 4123 goto drop;
4124
23070494 4125 if (!chan->ops->recv(chan->data, skb))
1da177e4
LT		 4126 goto done;
4127
4128drop:
4129 kfree_skb(skb);
4130
4131done:
af05b30b
GP		 4132 if (sk)
4133 bh_unlock_sock(sk);
1da177e4
LT		 4134 return 0;
4135}
4136
9f69bda6
GP		 4137static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
4138{
6dcae1ea 4139 struct sock *sk = NULL;
23691d75 4140 struct l2cap_chan *chan;
9f69bda6 4141
23691d75
GP		 4142 chan = l2cap_global_chan_by_scid(0, cid, conn->src);
4143 if (!chan)
9f69bda6
GP		 4144 goto drop;
4145
23691d75
GP		 4146 sk = chan->sk;
4147
9f69bda6
GP		 4148 bh_lock_sock(sk);
4149
4150 BT_DBG("sk %p, len %d", sk, skb->len);
4151
89bc500e 4152 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 4153 goto drop;
4154
e13e21dc 4155 if (chan->imtu < skb->len)
9f69bda6
GP		 4156 goto drop;
4157
23070494 4158 if (!chan->ops->recv(chan->data, skb))
9f69bda6
GP		 4159 goto done;
4160
4161drop:
4162 kfree_skb(skb);
4163
4164done:
4165 if (sk)
4166 bh_unlock_sock(sk);
4167 return 0;
4168}
4169
1da177e4
LT		 4170static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4171{
4172 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4173 u16 cid, len;
4174 __le16 psm;
1da177e4
LT		 4175
4176 skb_pull(skb, L2CAP_HDR_SIZE);
4177 cid = __le16_to_cpu(lh->cid);
4178 len = __le16_to_cpu(lh->len);
4179
1c2acffb
GP		 4180 if (len != skb->len) {
4181 kfree_skb(skb);
4182 return;
4183 }
4184
1da177e4
LT		 4185 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4186
4187 switch (cid) {
3300d9a9 4188 case L2CAP_CID_LE_SIGNALING:
8db4dc46 4189 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4190 l2cap_sig_channel(conn, skb);
4191 break;
4192
8db4dc46 4193 case L2CAP_CID_CONN_LESS:
1b7bf4ed 4194 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 4195 skb_pull(skb, 2);
4196 l2cap_conless_channel(conn, psm, skb);
4197 break;
4198
9f69bda6
GP		 4199 case L2CAP_CID_LE_DATA:
4200 l2cap_att_channel(conn, cid, skb);
4201 break;
4202
b501d6a1
AB		 4203 case L2CAP_CID_SMP:
4204 if (smp_sig_channel(conn, skb))
4205 l2cap_conn_del(conn->hcon, EACCES);
4206 break;
4207
1da177e4
LT		 4208 default:
4209 l2cap_data_channel(conn, cid, skb);
4210 break;
4211 }
4212}
4213
4214/* ---- L2CAP interface with lower layer (HCI) ---- */
4215
4216static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4217{
4218 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 4219 struct l2cap_chan *c;
1da177e4
LT		 4220
4221 if (type != ACL_LINK)
963cf687 4222 return -EINVAL;
1da177e4
LT		 4223
4224 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4225
4226 /* Find listening sockets and check their link_mode */
23691d75
GP		 4227 read_lock(&chan_list_lock);
4228 list_for_each_entry(c, &chan_list, global_l) {
4229 struct sock *sk = c->sk;
4343478f 4230
89bc500e 4231 if (c->state != BT_LISTEN)
1da177e4
LT		 4232 continue;
4233
4234 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4235 lm1 |= HCI_LM_ACCEPT;
43bd0f32 4236 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 4237 lm1 |= HCI_LM_MASTER;
1da177e4 4238 exact++;
2af6b9d5
MH		 4239 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4240 lm2 |= HCI_LM_ACCEPT;
43bd0f32 4241 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 4242 lm2 |= HCI_LM_MASTER;
4243 }
1da177e4 4244 }
23691d75 4245 read_unlock(&chan_list_lock);
1da177e4
LT		 4246
4247 return exact ? lm1 : lm2;
4248}
4249
4250static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4251{
0139418c
MH		 4252 struct l2cap_conn *conn;
4253
1da177e4
LT		 4254 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4255
acd7d370 4256 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4257 return -EINVAL;
1da177e4
LT		 4258
4259 if (!status) {
1da177e4
LT		 4260 conn = l2cap_conn_add(hcon, status);
4261 if (conn)
4262 l2cap_conn_ready(conn);
0139418c 4263 } else
e175072f 4264 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 4265
4266 return 0;
4267}
4268
2950f21a
MH		 4269static int l2cap_disconn_ind(struct hci_conn *hcon)
4270{
4271 struct l2cap_conn *conn = hcon->l2cap_data;
4272
4273 BT_DBG("hcon %p", hcon);
4274
b5694506 4275 if ((hcon->type != ACL_LINK && hcon->type != LE_LINK) || !conn)
2950f21a
MH		 4276 return 0x13;
4277
4278 return conn->disc_reason;
4279}
4280
4281static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4282{
4283 BT_DBG("hcon %p reason %d", hcon, reason);
4284
acd7d370 4285 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4286 return -EINVAL;
1da177e4 4287
e175072f 4288 l2cap_conn_del(hcon, bt_to_errno(reason));
0139418c 4289
1da177e4
LT		 4290 return 0;
4291}
4292
4343478f 4293static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4294{
715ec005 4295 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 4296 return;
4297
f62e4323 4298 if (encrypt == 0x00) {
4343478f 4299 if (chan->sec_level == BT_SECURITY_MEDIUM) {
c9b66675
GP		 4300 __clear_chan_timer(chan);
4301 __set_chan_timer(chan, HZ * 5);
4343478f 4302 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 4303 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4304 } else {
4343478f 4305 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 4306 __clear_chan_timer(chan);
f62e4323
MH		 4307 }
4308}
4309
8c1b2355 4310static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4311{
0139418c 4312 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4313 struct l2cap_chan *chan;
1da177e4 4314
0139418c 4315 if (!conn)
1da177e4 4316 return 0;
0139418c 4317
1da177e4
LT		 4318 BT_DBG("conn %p", conn);
4319
160dc6ac
VCG		 4320 if (hcon->type == LE_LINK) {
4321 smp_distribute_keys(conn, 0);
4322 del_timer(&conn->security_timer);
4323 }
4324
baa7e1fa 4325 read_lock(&conn->chan_lock);
1da177e4 4326
baa7e1fa 4327 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 4328 struct sock *sk = chan->sk;
baa7e1fa 4329
1da177e4
LT		 4330 bh_lock_sock(sk);
4331
f1cb9af5
VCG		 4332 BT_DBG("chan->scid %d", chan->scid);
4333
4334 if (chan->scid == L2CAP_CID_LE_DATA) {
4335 if (!status && encrypt) {
4336 chan->sec_level = hcon->sec_level;
4337 l2cap_chan_ready(sk);
4338 }
4339
4340 bh_unlock_sock(sk);
4341 continue;
4342 }
4343
c1360a1c 4344 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6a8d3010
MH		 4345 bh_unlock_sock(sk);
4346 continue;
4347 }
4348
89bc500e
GP		 4349 if (!status && (chan->state == BT_CONNECTED ||
4350 chan->state == BT_CONFIG)) {
4343478f 4351 l2cap_check_encryption(chan, encrypt);
9719f8af
MH		 4352 bh_unlock_sock(sk);
4353 continue;
4354 }
4355
89bc500e 4356 if (chan->state == BT_CONNECT) {
b1235d79
MH		 4357 if (!status) {
4358 struct l2cap_conn_req req;
fe4128e0
GP		 4359 req.scid = cpu_to_le16(chan->scid);
4360 req.psm = chan->psm;
1da177e4 4361
fc7f8a7e 4362 chan->ident = l2cap_get_ident(conn);
c1360a1c 4363 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4 4364
fc7f8a7e 4365 l2cap_send_cmd(conn, chan->ident,
b1235d79
MH		 4366 L2CAP_CONN_REQ, sizeof(req), &req);
4367 } else {
c9b66675
GP		 4368 __clear_chan_timer(chan);
4369 __set_chan_timer(chan, HZ / 10);
b1235d79 4370 }
89bc500e 4371 } else if (chan->state == BT_CONNECT2) {
b1235d79 4372 struct l2cap_conn_rsp rsp;
df3c3931 4373 __u16 res, stat;
1da177e4 4374
b1235d79 4375 if (!status) {
df3c3931
JH		 4376 if (bt_sk(sk)->defer_setup) {
4377 struct sock *parent = bt_sk(sk)->parent;
4378 res = L2CAP_CR_PEND;
4379 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 4380 if (parent)
4381 parent->sk_data_ready(parent, 0);
df3c3931 4382 } else {
05558911 4383 l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 4384 res = L2CAP_CR_SUCCESS;
4385 stat = L2CAP_CS_NO_INFO;
4386 }
b1235d79 4387 } else {
89bc500e 4388 l2cap_state_change(chan, BT_DISCONN);
c9b66675 4389 __set_chan_timer(chan, HZ / 10);
df3c3931
JH		 4390 res = L2CAP_CR_SEC_BLOCK;
4391 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 4392 }
4393
fe4128e0
GP		 4394 rsp.scid = cpu_to_le16(chan->dcid);
4395 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 4396 rsp.result = cpu_to_le16(res);
4397 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 4398 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4399 sizeof(rsp), &rsp);
b1235d79 4400 }
1da177e4
LT		 4401
4402 bh_unlock_sock(sk);
4403 }
4404
baa7e1fa 4405 read_unlock(&conn->chan_lock);
b1235d79 4406
1da177e4
LT		 4407 return 0;
4408}
4409
4410static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4411{
4412 struct l2cap_conn *conn = hcon->l2cap_data;
4413
5a08ecce
AE		 4414 if (!conn)
4415 conn = l2cap_conn_add(hcon, 0);
4416
4417 if (!conn)
1da177e4
LT		 4418 goto drop;
4419
4420 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4421
e702112f 4422 if (!(flags & ACL_CONT)) {
1da177e4 4423 struct l2cap_hdr *hdr;
48454079 4424 struct l2cap_chan *chan;
89794813 4425 u16 cid;
1da177e4
LT		 4426 int len;
4427
4428 if (conn->rx_len) {
4429 BT_ERR("Unexpected start frame (len %d)", skb->len);
4430 kfree_skb(conn->rx_skb);
4431 conn->rx_skb = NULL;
4432 conn->rx_len = 0;
4433 l2cap_conn_unreliable(conn, ECOMM);
4434 }
4435
aae7fe22
AE		 4436 /* Start fragment always begin with Basic L2CAP header */
4437 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 4438 BT_ERR("Frame is too short (len %d)", skb->len);
4439 l2cap_conn_unreliable(conn, ECOMM);
4440 goto drop;
4441 }
4442
4443 hdr = (struct l2cap_hdr *) skb->data;
4444 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
89794813 4445 cid = __le16_to_cpu(hdr->cid);
1da177e4
LT		 4446
4447 if (len == skb->len) {
4448 /* Complete frame received */
4449 l2cap_recv_frame(conn, skb);
4450 return 0;
4451 }
4452
4453 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4454
4455 if (skb->len > len) {
4456 BT_ERR("Frame is too long (len %d, expected len %d)",
4457 skb->len, len);
4458 l2cap_conn_unreliable(conn, ECOMM);
4459 goto drop;
4460 }
4461
baa7e1fa 4462 chan = l2cap_get_chan_by_scid(conn, cid);
89794813 4463
48454079
GP		 4464 if (chan && chan->sk) {
4465 struct sock *sk = chan->sk;
89794813 4466
0c1bc5c6 4467 if (chan->imtu < len - L2CAP_HDR_SIZE) {
48454079
GP		 4468 BT_ERR("Frame exceeding recv MTU (len %d, "
4469 "MTU %d)", len,
0c1bc5c6 4470 chan->imtu);
48454079
GP		 4471 bh_unlock_sock(sk);
4472 l2cap_conn_unreliable(conn, ECOMM);
4473 goto drop;
4474 }
89794813 4475 bh_unlock_sock(sk);
48454079 4476 }
89794813 4477
1da177e4 4478 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4479 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4480 if (!conn->rx_skb)
1da177e4
LT		 4481 goto drop;
4482
d626f62b 4483 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4484 skb->len);
1da177e4
LT		 4485 conn->rx_len = len - skb->len;
4486 } else {
4487 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4488
4489 if (!conn->rx_len) {
4490 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4491 l2cap_conn_unreliable(conn, ECOMM);
4492 goto drop;
4493 }
4494
4495 if (skb->len > conn->rx_len) {
4496 BT_ERR("Fragment is too long (len %d, expected %d)",
4497 skb->len, conn->rx_len);
4498 kfree_skb(conn->rx_skb);
4499 conn->rx_skb = NULL;
4500 conn->rx_len = 0;
4501 l2cap_conn_unreliable(conn, ECOMM);
4502 goto drop;
4503 }
4504
d626f62b 4505 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4506 skb->len);
1da177e4
LT		 4507 conn->rx_len -= skb->len;
4508
4509 if (!conn->rx_len) {
4510 /* Complete frame received */
4511 l2cap_recv_frame(conn, conn->rx_skb);
4512 conn->rx_skb = NULL;
4513 }
4514 }
4515
4516drop:
4517 kfree_skb(skb);
4518 return 0;
4519}
4520
aef7d97c 4521static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 4522{
23691d75 4523 struct l2cap_chan *c;
1da177e4 4524
23691d75 4525 read_lock_bh(&chan_list_lock);
1da177e4 4526
23691d75
GP		 4527 list_for_each_entry(c, &chan_list, global_l) {
4528 struct sock *sk = c->sk;
101545f6 4529
903d343e 4530 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 4531 batostr(&bt_sk(sk)->src),
4532 batostr(&bt_sk(sk)->dst),
89bc500e 4533 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 4534 c->scid, c->dcid, c->imtu, c->omtu,
4535 c->sec_level, c->mode);
05558911 4536}
1da177e4 4537
23691d75 4538 read_unlock_bh(&chan_list_lock);
1da177e4 4539
aef7d97c 4540 return 0;
1da177e4
LT		 4541}
4542
aef7d97c
MH		 4543static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4544{
4545 return single_open(file, l2cap_debugfs_show, inode->i_private);
4546}
4547
4548static const struct file_operations l2cap_debugfs_fops = {
4549 .open = l2cap_debugfs_open,
4550 .read = seq_read,
4551 .llseek = seq_lseek,
4552 .release = single_release,
4553};
4554
4555static struct dentry *l2cap_debugfs;
1da177e4 4556
1da177e4
LT		 4557static struct hci_proto l2cap_hci_proto = {
4558 .name = "L2CAP",
4559 .id = HCI_PROTO_L2CAP,
4560 .connect_ind = l2cap_connect_ind,
4561 .connect_cfm = l2cap_connect_cfm,
4562 .disconn_ind = l2cap_disconn_ind,
2950f21a 4563 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 4564 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 4565 .recv_acldata = l2cap_recv_acldata
4566};
4567
64274518 4568int __init l2cap_init(void)
1da177e4
LT		 4569{
4570 int err;
be9d1227 4571
bb58f747 4572 err = l2cap_init_sockets();
1da177e4
LT		 4573 if (err < 0)
4574 return err;
4575
1da177e4
LT		 4576 err = hci_register_proto(&l2cap_hci_proto);
4577 if (err < 0) {
4578 BT_ERR("L2CAP protocol registration failed");
4579 bt_sock_unregister(BTPROTO_L2CAP);
4580 goto error;
4581 }
4582
aef7d97c
MH		 4583 if (bt_debugfs) {
4584 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4585 bt_debugfs, NULL, &l2cap_debugfs_fops);
4586 if (!l2cap_debugfs)
4587 BT_ERR("Failed to create L2CAP debug file");
4588 }
1da177e4 4589
1da177e4
LT		 4590 return 0;
4591
4592error:
bb58f747 4593 l2cap_cleanup_sockets();
1da177e4
LT		 4594 return err;
4595}
4596
64274518 4597void l2cap_exit(void)
1da177e4 4598{
aef7d97c 4599 debugfs_remove(l2cap_debugfs);
1da177e4 4600
1da177e4
LT		 4601 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4602 BT_ERR("L2CAP protocol unregistration failed");
4603
bb58f747 4604 l2cap_cleanup_sockets();
1da177e4
LT		 4605}
4606
d1c4a17d
GP		 4607module_param(disable_ertm, bool, 0644);
4608MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
a5fd6f30
AE		 4609
4610module_param(enable_hs, bool, 0644);
4611MODULE_PARM_DESC(enable_hs, "Enable High Speed");
kernel source for telekom puls (alcatel/mediatek)