projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Make better use of l2cap_chan reference counting
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
1da177e4
LT		 7
8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License version 2 as
12 published by the Free Software Foundation;
13
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22
8e87d142
YH		 23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 25 SOFTWARE IS DISCLAIMED.
26*/
27
bb58f747 28/* Bluetooth L2CAP core. */
1da177e4 29
1da177e4
LT		 30#include <linux/module.h>
31
32#include <linux/types.h>
4fc268d2 33#include <linux/capability.h>
1da177e4
LT		 34#include <linux/errno.h>
35#include <linux/kernel.h>
1da177e4
LT		 36#include <linux/sched.h>
37#include <linux/slab.h>
38#include <linux/poll.h>
39#include <linux/fcntl.h>
40#include <linux/init.h>
41#include <linux/interrupt.h>
42#include <linux/socket.h>
43#include <linux/skbuff.h>
1da177e4 44#include <linux/list.h>
be9d1227 45#include <linux/device.h>
aef7d97c
MH		 46#include <linux/debugfs.h>
47#include <linux/seq_file.h>
af05b30b 48#include <linux/uaccess.h>
fcc203c3 49#include <linux/crc16.h>
1da177e4
LT		 50#include <net/sock.h>
51
1da177e4
LT		 52#include <asm/unaligned.h>
53
54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h>
b501d6a1 57#include <net/bluetooth/smp.h>
1da177e4 58
eb939922 59bool disable_ertm;
f0709e03 60
47ec1dcd 61static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 62static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 63
b5ad8b7f
JB		 64static LIST_HEAD(chan_list);
65static DEFINE_RWLOCK(chan_list_lock);
1da177e4 66
1da177e4
LT		 67static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
68 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 69static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
70 void *data);
710f9b0a 71static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a
GP		 72static void l2cap_send_disconn_req(struct l2cap_conn *conn,
73 struct l2cap_chan *chan, int err);
1da177e4 74
0139418c 75/* ---- L2CAP channels ---- */
71ba0e56 76
baa7e1fa 77static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 78{
3df91ea2 79 struct l2cap_chan *c;
3d57dc68 80
3df91ea2
AE		 81 list_for_each_entry(c, &conn->chan_l, list) {
82 if (c->dcid == cid)
83 return c;
0139418c 84 }
3df91ea2 85 return NULL;
0139418c
MH		 86}
87
baa7e1fa 88static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 89{
3df91ea2 90 struct l2cap_chan *c;
3d57dc68 91
3df91ea2
AE		 92 list_for_each_entry(c, &conn->chan_l, list) {
93 if (c->scid == cid)
94 return c;
0139418c 95 }
3df91ea2 96 return NULL;
0139418c
MH		 97}
98
99/* Find channel with given SCID.
100 * Returns locked socket */
baa7e1fa 101static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 102{
48454079 103 struct l2cap_chan *c;
baa7e1fa 104
3df91ea2 105 mutex_lock(&conn->chan_lock);
baa7e1fa 106 c = __l2cap_get_chan_by_scid(conn, cid);
3df91ea2
AE		 107 mutex_unlock(&conn->chan_lock);
108
48454079 109 return c;
0139418c
MH		 110}
111
baa7e1fa 112static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 113{
3df91ea2 114 struct l2cap_chan *c;
3d57dc68 115
3df91ea2
AE		 116 list_for_each_entry(c, &conn->chan_l, list) {
117 if (c->ident == ident)
118 return c;
0139418c 119 }
3df91ea2 120 return NULL;
0139418c
MH		 121}
122
23691d75 123static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 124{
23691d75 125 struct l2cap_chan *c;
9e4425ff 126
23691d75
GP		 127 list_for_each_entry(c, &chan_list, global_l) {
128 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 129 return c;
9e4425ff 130 }
250938cb 131 return NULL;
9e4425ff
GP		 132}
133
134int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
135{
73b2ec18
GP		 136 int err;
137
333055f2 138 write_lock(&chan_list_lock);
9e4425ff 139
23691d75 140 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 141 err = -EADDRINUSE;
142 goto done;
9e4425ff
GP		 143 }
144
73b2ec18
GP		 145 if (psm) {
146 chan->psm = psm;
147 chan->sport = psm;
148 err = 0;
149 } else {
150 u16 p;
151
152 err = -EINVAL;
153 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 154 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 155 chan->psm = cpu_to_le16(p);
156 chan->sport = cpu_to_le16(p);
157 err = 0;
158 break;
159 }
160 }
9e4425ff 161
73b2ec18 162done:
333055f2 163 write_unlock(&chan_list_lock);
73b2ec18 164 return err;
9e4425ff
GP		 165}
166
167int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
168{
333055f2 169 write_lock(&chan_list_lock);
9e4425ff
GP		 170
171 chan->scid = scid;
172
333055f2 173 write_unlock(&chan_list_lock);
9e4425ff
GP		 174
175 return 0;
176}
177
baa7e1fa 178static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 179{
8db4dc46 180 u16 cid = L2CAP_CID_DYN_START;
0139418c 181
8db4dc46 182 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 183 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 184 return cid;
185 }
186
187 return 0;
188}
189
0e587be7 190static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 191{
42d2d87c 192 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
badaaa00
GP		 193 state_to_string(state));
194
89bc500e
GP		 195 chan->state = state;
196 chan->ops->state_change(chan->data, state);
197}
198
0e587be7
AE		 199static void l2cap_state_change(struct l2cap_chan *chan, int state)
200{
201 struct sock *sk = chan->sk;
202
203 lock_sock(sk);
204 __l2cap_state_change(chan, state);
205 release_sock(sk);
206}
207
2e0052e4
AE		 208static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
209{
210 struct sock *sk = chan->sk;
211
212 sk->sk_err = err;
213}
214
215static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
216{
217 struct sock *sk = chan->sk;
218
219 lock_sock(sk);
220 __l2cap_chan_set_err(chan, err);
221 release_sock(sk);
222}
223
3c588192
MM		 224/* ---- L2CAP sequence number lists ---- */
225
226/* For ERTM, ordered lists of sequence numbers must be tracked for
227 * SREJ requests that are received and for frames that are to be
228 * retransmitted. These seq_list functions implement a singly-linked
229 * list in an array, where membership in the list can also be checked
230 * in constant time. Items can also be added to the tail of the list
231 * and removed from the head in constant time, without further memory
232 * allocs or frees.
233 */
234
235static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
236{
237 size_t alloc_size, i;
238
239 /* Allocated size is a power of 2 to map sequence numbers
240 * (which may be up to 14 bits) in to a smaller array that is
241 * sized for the negotiated ERTM transmit windows.
242 */
243 alloc_size = roundup_pow_of_two(size);
244
245 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
246 if (!seq_list->list)
247 return -ENOMEM;
248
249 seq_list->mask = alloc_size - 1;
250 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
251 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
252 for (i = 0; i < alloc_size; i++)
253 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
254
255 return 0;
256}
257
258static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
259{
260 kfree(seq_list->list);
261}
262
263static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
264 u16 seq)
265{
266 /* Constant-time check for list membership */
267 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
268}
269
270static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
271{
272 u16 mask = seq_list->mask;
273
274 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
275 /* In case someone tries to pop the head of an empty list */
276 return L2CAP_SEQ_LIST_CLEAR;
277 } else if (seq_list->head == seq) {
278 /* Head can be removed in constant time */
279 seq_list->head = seq_list->list[seq & mask];
280 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
281
282 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
283 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
284 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
285 }
286 } else {
287 /* Walk the list to find the sequence number */
288 u16 prev = seq_list->head;
289 while (seq_list->list[prev & mask] != seq) {
290 prev = seq_list->list[prev & mask];
291 if (prev == L2CAP_SEQ_LIST_TAIL)
292 return L2CAP_SEQ_LIST_CLEAR;
293 }
294
295 /* Unlink the number from the list and clear it */
296 seq_list->list[prev & mask] = seq_list->list[seq & mask];
297 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
298 if (seq_list->tail == seq)
299 seq_list->tail = prev;
300 }
301 return seq;
302}
303
304static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
305{
306 /* Remove the head in constant time */
307 return l2cap_seq_list_remove(seq_list, seq_list->head);
308}
309
310static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
311{
312 if (seq_list->head != L2CAP_SEQ_LIST_CLEAR) {
313 u16 i;
314 for (i = 0; i <= seq_list->mask; i++)
315 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
316
317 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
318 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
319 }
320}
321
322static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
323{
324 u16 mask = seq_list->mask;
325
326 /* All appends happen in constant time */
327
328 if (seq_list->list[seq & mask] == L2CAP_SEQ_LIST_CLEAR) {
329 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
330 seq_list->head = seq;
331 else
332 seq_list->list[seq_list->tail & mask] = seq;
333
334 seq_list->tail = seq;
335 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
336 }
337}
338
721c4181 339static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 340{
721c4181
GP		 341 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
342 chan_timer.work);
3df91ea2 343 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 344 int reason;
345
e05dcc32 346 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 347
3df91ea2 348 mutex_lock(&conn->chan_lock);
6be36555 349 l2cap_chan_lock(chan);
ab07801d 350
89bc500e 351 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 352 reason = ECONNREFUSED;
89bc500e 353 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 354 chan->sec_level != BT_SECURITY_SDP)
355 reason = ECONNREFUSED;
356 else
357 reason = ETIMEDOUT;
358
0f852724 359 l2cap_chan_close(chan, reason);
ab07801d 360
6be36555 361 l2cap_chan_unlock(chan);
ab07801d 362
ba3bd0ee 363 chan->ops->close(chan->data);
3df91ea2
AE		 364 mutex_unlock(&conn->chan_lock);
365
371fd835 366 l2cap_chan_put(chan);
ab07801d
GP		 367}
368
eef1d9b6 369struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 370{
371 struct l2cap_chan *chan;
372
373 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
374 if (!chan)
375 return NULL;
376
c03b355e
AE		 377 mutex_init(&chan->lock);
378
333055f2 379 write_lock(&chan_list_lock);
23691d75 380 list_add(&chan->global_l, &chan_list);
333055f2 381 write_unlock(&chan_list_lock);
23691d75 382
721c4181 383 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 384
89bc500e
GP		 385 chan->state = BT_OPEN;
386
71ba0e56
GP		 387 atomic_set(&chan->refcnt, 1);
388
eef1d9b6 389 BT_DBG("chan %p", chan);
abc545b8 390
48454079
GP		 391 return chan;
392}
393
23691d75 394void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 395{
333055f2 396 write_lock(&chan_list_lock);
23691d75 397 list_del(&chan->global_l);
333055f2 398 write_unlock(&chan_list_lock);
23691d75 399
371fd835 400 l2cap_chan_put(chan);
6ff5abbf
GP		 401}
402
bd4b1653
AE		 403void l2cap_chan_set_defaults(struct l2cap_chan *chan)
404{
405 chan->fcs = L2CAP_FCS_CRC16;
406 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
407 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
408 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
409 chan->sec_level = BT_SECURITY_LOW;
410
411 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
412}
413
14a28491 414static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 415{
af05b30b 416 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 417 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 418
9f5a0d7b 419 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 420
8c1d787b 421 chan->conn = conn;
0139418c 422
5491120e
AE		 423 switch (chan->chan_type) {
424 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 425 if (conn->hcon->type == LE_LINK) {
426 /* LE connection */
0c1bc5c6 427 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 428 chan->scid = L2CAP_CID_LE_DATA;
429 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 430 } else {
431 /* Alloc CID for connection-oriented socket */
fe4128e0 432 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 433 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 434 }
5491120e
AE		 435 break;
436
437 case L2CAP_CHAN_CONN_LESS:
0139418c 438 /* Connectionless socket */
fe4128e0
GP		 439 chan->scid = L2CAP_CID_CONN_LESS;
440 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 441 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 442 break;
443
444 default:
0139418c 445 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 446 chan->scid = L2CAP_CID_SIGNALING;
447 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 448 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 449 }
450
8f7975b1
AE		 451 chan->local_id = L2CAP_BESTEFFORT_ID;
452 chan->local_stype = L2CAP_SERV_BESTEFFORT;
453 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
454 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
455 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
456 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
457
371fd835 458 l2cap_chan_hold(chan);
baa7e1fa 459
3df91ea2 460 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 461}
462
14a28491 463static void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 464{
465 mutex_lock(&conn->chan_lock);
466 __l2cap_chan_add(conn, chan);
3df91ea2 467 mutex_unlock(&conn->chan_lock);
0139418c
MH		 468}
469
4519de9a 470static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 471{
48454079 472 struct sock *sk = chan->sk;
8c1d787b 473 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 474 struct sock *parent = bt_sk(sk)->parent;
475
c9b66675 476 __clear_chan_timer(chan);
0139418c 477
49208c9c 478 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 479
8e87d142 480 if (conn) {
baa7e1fa 481 /* Delete from channel list */
3df91ea2 482 list_del(&chan->list);
3d57dc68 483
371fd835 484 l2cap_chan_put(chan);
baa7e1fa 485
8c1d787b 486 chan->conn = NULL;
0139418c
MH		 487 hci_conn_put(conn->hcon);
488 }
489
6be36555
AE		 490 lock_sock(sk);
491
0e587be7 492 __l2cap_state_change(chan, BT_CLOSED);
0139418c
MH		 493 sock_set_flag(sk, SOCK_ZAPPED);
494
495 if (err)
2e0052e4 496 __l2cap_chan_set_err(chan, err);
0139418c
MH		 497
498 if (parent) {
499 bt_accept_unlink(sk);
500 parent->sk_data_ready(parent, 0);
501 } else
502 sk->sk_state_change(sk);
c13ffa62 503
6be36555
AE		 504 release_sock(sk);
505
c1360a1c
GP		 506 if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
507 test_bit(CONF_INPUT_DONE, &chan->conf_state)))
6ff5abbf 508 return;
2ead70b8 509
58d35f87 510 skb_queue_purge(&chan->tx_q);
c13ffa62 511
0c1bc5c6 512 if (chan->mode == L2CAP_MODE_ERTM) {
c13ffa62
GP		 513 struct srej_list *l, *tmp;
514
1a09bcb9
GP		 515 __clear_retrans_timer(chan);
516 __clear_monitor_timer(chan);
517 __clear_ack_timer(chan);
c13ffa62 518
f1c6775b 519 skb_queue_purge(&chan->srej_q);
c13ffa62 520
3c588192
MM		 521 l2cap_seq_list_free(&chan->srej_list);
522 l2cap_seq_list_free(&chan->retrans_list);
39d5a3ee 523 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
c13ffa62
GP		 524 list_del(&l->list);
525 kfree(l);
526 }
527 }
0139418c
MH		 528}
529
4519de9a
GP		 530static void l2cap_chan_cleanup_listen(struct sock *parent)
531{
532 struct sock *sk;
533
534 BT_DBG("parent %p", parent);
535
536 /* Close not yet accepted channels */
0f852724 537 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee 538 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
3df91ea2 539
6be36555 540 l2cap_chan_lock(chan);
c9b66675 541 __clear_chan_timer(chan);
ba3bd0ee 542 l2cap_chan_close(chan, ECONNRESET);
6be36555 543 l2cap_chan_unlock(chan);
3df91ea2 544
ba3bd0ee 545 chan->ops->close(chan->data);
0f852724 546 }
4519de9a
GP		 547}
548
0f852724 549void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 550{
551 struct l2cap_conn *conn = chan->conn;
552 struct sock *sk = chan->sk;
553
e05dcc32
AE		 554 BT_DBG("chan %p state %s sk %p", chan,
555 state_to_string(chan->state), sk);
4519de9a 556
89bc500e 557 switch (chan->state) {
4519de9a 558 case BT_LISTEN:
6be36555 559 lock_sock(sk);
4519de9a 560 l2cap_chan_cleanup_listen(sk);
89bc500e 561
0e587be7 562 __l2cap_state_change(chan, BT_CLOSED);
89bc500e 563 sock_set_flag(sk, SOCK_ZAPPED);
6be36555 564 release_sock(sk);
4519de9a
GP		 565 break;
566
567 case BT_CONNECTED:
568 case BT_CONFIG:
715ec005 569 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 570 conn->hcon->type == ACL_LINK) {
c9b66675 571 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 572 l2cap_send_disconn_req(conn, chan, reason);
573 } else
574 l2cap_chan_del(chan, reason);
575 break;
576
577 case BT_CONNECT2:
715ec005 578 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 579 conn->hcon->type == ACL_LINK) {
580 struct l2cap_conn_rsp rsp;
581 __u16 result;
582
583 if (bt_sk(sk)->defer_setup)
584 result = L2CAP_CR_SEC_BLOCK;
585 else
586 result = L2CAP_CR_BAD_PSM;
89bc500e 587 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 588
589 rsp.scid = cpu_to_le16(chan->dcid);
590 rsp.dcid = cpu_to_le16(chan->scid);
591 rsp.result = cpu_to_le16(result);
592 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
593 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
594 sizeof(rsp), &rsp);
595 }
596
597 l2cap_chan_del(chan, reason);
598 break;
599
600 case BT_CONNECT:
601 case BT_DISCONN:
602 l2cap_chan_del(chan, reason);
603 break;
604
605 default:
6be36555 606 lock_sock(sk);
4519de9a 607 sock_set_flag(sk, SOCK_ZAPPED);
6be36555 608 release_sock(sk);
4519de9a
GP		 609 break;
610 }
611}
612
4343478f 613static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 614{
715ec005 615 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 616 switch (chan->sec_level) {
8556edd3
JH		 617 case BT_SECURITY_HIGH:
618 return HCI_AT_DEDICATED_BONDING_MITM;
619 case BT_SECURITY_MEDIUM:
620 return HCI_AT_DEDICATED_BONDING;
621 default:
622 return HCI_AT_NO_BONDING;
623 }
fe4128e0 624 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 625 if (chan->sec_level == BT_SECURITY_LOW)
626 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 627
4343478f 628 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 629 return HCI_AT_NO_BONDING_MITM;
00ae4af9 630 else
8556edd3 631 return HCI_AT_NO_BONDING;
00ae4af9 632 } else {
4343478f 633 switch (chan->sec_level) {
00ae4af9 634 case BT_SECURITY_HIGH:
8556edd3 635 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 636 case BT_SECURITY_MEDIUM:
8556edd3 637 return HCI_AT_GENERAL_BONDING;
00ae4af9 638 default:
8556edd3 639 return HCI_AT_NO_BONDING;
00ae4af9 640 }
0684e5f9 641 }
8556edd3
JH		 642}
643
644/* Service level security */
d45fc423 645int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 646{
8c1d787b 647 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 648 __u8 auth_type;
649
4343478f 650 auth_type = l2cap_get_auth_type(chan);
79d554a6 651
4343478f 652 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 653}
654
b5ad8b7f 655static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 656{
657 u8 id;
658
659 /* Get next available identificator.
660 * 1 - 128 are used by kernel.
661 * 129 - 199 are reserved.
662 * 200 - 254 are used by utilities like l2ping, etc.
663 */
664
333055f2 665 spin_lock(&conn->lock);
4e8402a3
MH		 666
667 if (++conn->tx_ident > 128)
668 conn->tx_ident = 1;
669
670 id = conn->tx_ident;
671
333055f2 672 spin_unlock(&conn->lock);
4e8402a3
MH		 673
674 return id;
675}
676
4519de9a 677static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 678{
679 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 680 u8 flags;
4e8402a3
MH		 681
682 BT_DBG("code 0x%2.2x", code);
683
684 if (!skb)
9a9c6a34 685 return;
4e8402a3 686
e702112f
AE		 687 if (lmp_no_flush_capable(conn->hcon->hdev))
688 flags = ACL_START_NO_FLUSH;
689 else
690 flags = ACL_START;
691
14b12d0b 692 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 693 skb->priority = HCI_PRIO_MAX;
14b12d0b 694
73d80deb
LAD		 695 hci_send_acl(conn->hchan, skb, flags);
696}
697
698static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
699{
700 struct hci_conn *hcon = chan->conn->hcon;
701 u16 flags;
702
703 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
704 skb->priority);
705
706 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
707 lmp_no_flush_capable(hcon->hdev))
708 flags = ACL_START_NO_FLUSH;
709 else
710 flags = ACL_START;
14b12d0b 711
73d80deb
LAD		 712 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
713 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 714}
715
b76bbd66
MM		 716static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
717{
718 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
719 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
720
721 if (enh & L2CAP_CTRL_FRAME_TYPE) {
722 /* S-Frame */
723 control->sframe = 1;
724 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
725 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
726
727 control->sar = 0;
728 control->txseq = 0;
729 } else {
730 /* I-Frame */
731 control->sframe = 0;
732 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
733 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
734
735 control->poll = 0;
736 control->super = 0;
737 }
738}
739
b76bbd66
MM		 740static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
741{
742 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
743 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
744
745 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
746 /* S-Frame */
747 control->sframe = 1;
748 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
749 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
750
751 control->sar = 0;
752 control->txseq = 0;
753 } else {
754 /* I-Frame */
755 control->sframe = 0;
756 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
757 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
758
759 control->poll = 0;
760 control->super = 0;
761 }
762}
763
764static inline void __unpack_control(struct l2cap_chan *chan,
765 struct sk_buff *skb)
766{
767 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
768 __unpack_extended_control(get_unaligned_le32(skb->data),
769 &bt_cb(skb)->control);
770 } else {
771 __unpack_enhanced_control(get_unaligned_le16(skb->data),
772 &bt_cb(skb)->control);
773 }
774}
775
b5c6aaed
MM		 776static u32 __pack_extended_control(struct l2cap_ctrl *control)
777{
778 u32 packed;
779
780 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
781 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
782
783 if (control->sframe) {
784 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
785 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
786 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
787 } else {
788 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
789 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
790 }
791
792 return packed;
793}
794
795static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
796{
797 u16 packed;
798
799 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
800 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
801
802 if (control->sframe) {
803 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
804 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
805 packed |= L2CAP_CTRL_FRAME_TYPE;
806 } else {
807 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
808 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
809 }
810
811 return packed;
812}
813
b76bbd66
MM		 814static inline void __pack_control(struct l2cap_chan *chan,
815 struct l2cap_ctrl *control,
816 struct sk_buff *skb)
817{
818 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
819 put_unaligned_le32(__pack_extended_control(control),
820 skb->data + L2CAP_HDR_SIZE);
821 } else {
822 put_unaligned_le16(__pack_enhanced_control(control),
823 skb->data + L2CAP_HDR_SIZE);
824 }
825}
826
b5c6aaed
MM		 827static inline void l2cap_send_sframe(struct l2cap_chan *chan, u32 control)
828{
829 struct sk_buff *skb;
830 struct l2cap_hdr *lh;
831 struct l2cap_conn *conn = chan->conn;
832 int count, hlen;
833
834 if (chan->state != BT_CONNECTED)
835 return;
836
837 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
838 hlen = L2CAP_EXT_HDR_SIZE;
839 else
840 hlen = L2CAP_ENH_HDR_SIZE;
841
842 if (chan->fcs == L2CAP_FCS_CRC16)
843 hlen += L2CAP_FCS_SIZE;
844
845 BT_DBG("chan %p, control 0x%8.8x", chan, control);
846
847 count = min_t(unsigned int, conn->mtu, hlen);
848
849 control |= __set_sframe(chan);
850
851 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
852 control |= __set_ctrl_final(chan);
853
854 if (test_and_clear_bit(CONN_SEND_PBIT, &chan->conn_state))
855 control |= __set_ctrl_poll(chan);
856
857 skb = bt_skb_alloc(count, GFP_ATOMIC);
858 if (!skb)
859 return;
860
861 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
862 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
863 lh->cid = cpu_to_le16(chan->dcid);
864
865 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
866
867 if (chan->fcs == L2CAP_FCS_CRC16) {
868 u16 fcs = crc16(0, (u8 *)lh, count - L2CAP_FCS_SIZE);
869 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
870 }
871
872 skb->priority = HCI_PRIO_MAX;
873 l2cap_do_send(chan, skb);
874}
875
876static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u32 control)
877{
878 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
879 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
880 set_bit(CONN_RNR_SENT, &chan->conn_state);
881 } else
882 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
883
884 control |= __set_reqseq(chan, chan->buffer_seq);
885
886 l2cap_send_sframe(chan, control);
887}
888
b4450035 889static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 890{
c1360a1c 891 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 892}
893
9b27f350
AE		 894static void l2cap_send_conn_req(struct l2cap_chan *chan)
895{
896 struct l2cap_conn *conn = chan->conn;
897 struct l2cap_conn_req req;
898
899 req.scid = cpu_to_le16(chan->scid);
900 req.psm = chan->psm;
901
902 chan->ident = l2cap_get_ident(conn);
903
904 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
905
906 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
907}
908
9f0caeb1
VCG		 909static void l2cap_chan_ready(struct l2cap_chan *chan)
910{
911 struct sock *sk = chan->sk;
912 struct sock *parent;
913
914 lock_sock(sk);
915
916 parent = bt_sk(sk)->parent;
917
918 BT_DBG("sk %p, parent %p", sk, parent);
919
920 chan->conf_state = 0;
921 __clear_chan_timer(chan);
922
923 __l2cap_state_change(chan, BT_CONNECTED);
924 sk->sk_state_change(sk);
925
926 if (parent)
927 parent->sk_data_ready(parent, 0);
928
929 release_sock(sk);
930}
931
fc7f8a7e 932static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 933{
8c1d787b 934 struct l2cap_conn *conn = chan->conn;
79d554a6 935
9f0caeb1
VCG		 936 if (conn->hcon->type == LE_LINK) {
937 l2cap_chan_ready(chan);
938 return;
939 }
940
79d554a6 941 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 942 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
943 return;
944
d45fc423 945 if (l2cap_chan_check_security(chan) &&
9b27f350
AE		 946 __l2cap_no_conn_pending(chan))
947 l2cap_send_conn_req(chan);
79d554a6
MH		 948 } else {
949 struct l2cap_info_req req;
950 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
951
952 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
953 conn->info_ident = l2cap_get_ident(conn);
954
ba13ccd9 955 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 956
957 l2cap_send_cmd(conn, conn->info_ident,
958 L2CAP_INFO_REQ, sizeof(req), &req);
959 }
960}
961
cf6c2c0b
GP		 962static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
963{
964 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 965 if (!disable_ertm)
cf6c2c0b
GP		 966 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
967
968 switch (mode) {
969 case L2CAP_MODE_ERTM:
970 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
971 case L2CAP_MODE_STREAMING:
972 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
973 default:
974 return 0x00;
975 }
976}
977
4519de9a 978static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 979{
6be36555 980 struct sock *sk = chan->sk;
22121fc9
GP		 981 struct l2cap_disconn_req req;
982
c13ffa62
GP		 983 if (!conn)
984 return;
985
0c1bc5c6 986 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 987 __clear_retrans_timer(chan);
988 __clear_monitor_timer(chan);
989 __clear_ack_timer(chan);
c13ffa62
GP		 990 }
991
fe4128e0
GP		 992 req.dcid = cpu_to_le16(chan->dcid);
993 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 994 l2cap_send_cmd(conn, l2cap_get_ident(conn),
995 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 996
6be36555 997 lock_sock(sk);
0e587be7 998 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 999 __l2cap_chan_set_err(chan, err);
6be36555 1000 release_sock(sk);
22121fc9
GP		 1001}
1002
1da177e4 1003/* ---- L2CAP connections ---- */
4e8402a3
MH		 1004static void l2cap_conn_start(struct l2cap_conn *conn)
1005{
3df91ea2 1006 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1007
1008 BT_DBG("conn %p", conn);
1009
3df91ea2 1010 mutex_lock(&conn->chan_lock);
4e8402a3 1011
3df91ea2 1012 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1013 struct sock *sk = chan->sk;
baa7e1fa 1014
6be36555 1015 l2cap_chan_lock(chan);
4e8402a3 1016
715ec005 1017 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1018 l2cap_chan_unlock(chan);
79d554a6
MH		 1019 continue;
1020 }
1021
89bc500e 1022 if (chan->state == BT_CONNECT) {
d45fc423 1023 if (!l2cap_chan_check_security(chan) ||
b4450035 1024 !__l2cap_no_conn_pending(chan)) {
6be36555 1025 l2cap_chan_unlock(chan);
47731de7
GP		 1026 continue;
1027 }
79d554a6 1028
c1360a1c
GP		 1029 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1030 && test_bit(CONF_STATE2_DEVICE,
1031 &chan->conf_state)) {
89bc500e 1032 l2cap_chan_close(chan, ECONNRESET);
6be36555 1033 l2cap_chan_unlock(chan);
47731de7 1034 continue;
b1235d79 1035 }
47731de7 1036
9b27f350 1037 l2cap_send_conn_req(chan);
47731de7 1038
89bc500e 1039 } else if (chan->state == BT_CONNECT2) {
79d554a6 1040 struct l2cap_conn_rsp rsp;
e9aeb2dd 1041 char buf[128];
fe4128e0
GP		 1042 rsp.scid = cpu_to_le16(chan->dcid);
1043 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1044
d45fc423 1045 if (l2cap_chan_check_security(chan)) {
6be36555 1046 lock_sock(sk);
f66dc81f
MH		 1047 if (bt_sk(sk)->defer_setup) {
1048 struct sock *parent = bt_sk(sk)->parent;
1049 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1050 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 1051 if (parent)
1052 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 1053
1054 } else {
0e587be7 1055 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 1056 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1057 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1058 }
6be36555 1059 release_sock(sk);
79d554a6
MH		 1060 } else {
1061 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1062 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1063 }
1064
fc7f8a7e
GP		 1065 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1066 sizeof(rsp), &rsp);
e9aeb2dd 1067
c1360a1c 1068 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd 1069 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1070 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1071 continue;
1072 }
1073
c1360a1c 1074 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1075 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 1076 l2cap_build_conf_req(chan, buf), buf);
1077 chan->num_conf_req++;
4e8402a3
MH		 1078 }
1079
6be36555 1080 l2cap_chan_unlock(chan);
4e8402a3
MH		 1081 }
1082
3df91ea2 1083 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1084}
1085
c2287681 1086/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1087 * Returns closest match, locked.
1088 */
d9b88702 1089static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1090 bdaddr_t *src,
1091 bdaddr_t *dst)
b62f328b 1092{
23691d75 1093 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1094
23691d75 1095 read_lock(&chan_list_lock);
b62f328b 1096
23691d75
GP		 1097 list_for_each_entry(c, &chan_list, global_l) {
1098 struct sock *sk = c->sk;
fe4128e0 1099
89bc500e 1100 if (state && c->state != state)
b62f328b
VT		 1101 continue;
1102
23691d75 1103 if (c->scid == cid) {
c2287681
IY		 1104 int src_match, dst_match;
1105 int src_any, dst_any;
1106
b62f328b 1107 /* Exact match. */
c2287681
IY		 1108 src_match = !bacmp(&bt_sk(sk)->src, src);
1109 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1110 if (src_match && dst_match) {
23691d75
GP		 1111 read_unlock(&chan_list_lock);
1112 return c;
1113 }
b62f328b
VT		 1114
1115 /* Closest match */
c2287681
IY		 1116 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1117 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1118 if ((src_match && dst_any) || (src_any && dst_match) ||
1119 (src_any && dst_any))
23691d75 1120 c1 = c;
b62f328b
VT		 1121 }
1122 }
280f294f 1123
23691d75 1124 read_unlock(&chan_list_lock);
b62f328b 1125
23691d75 1126 return c1;
b62f328b
VT		 1127}
1128
1129static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1130{
c916fbe4 1131 struct sock *parent, *sk;
23691d75 1132 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1133
1134 BT_DBG("");
1135
1136 /* Check if we have socket listening on cid */
23691d75 1137 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1138 conn->src, conn->dst);
23691d75 1139 if (!pchan)
b62f328b
VT		 1140 return;
1141
23691d75
GP		 1142 parent = pchan->sk;
1143
aa2ac881 1144 lock_sock(parent);
62f3a2cf 1145
b62f328b
VT		 1146 /* Check for backlog size */
1147 if (sk_acceptq_is_full(parent)) {
1148 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1149 goto clean;
1150 }
1151
80808e43
GP		 1152 chan = pchan->ops->new_connection(pchan->data);
1153 if (!chan)
b62f328b
VT		 1154 goto clean;
1155
80808e43 1156 sk = chan->sk;
5d41ce1d 1157
b62f328b
VT		 1158 hci_conn_hold(conn->hcon);
1159
b62f328b
VT		 1160 bacpy(&bt_sk(sk)->src, conn->src);
1161 bacpy(&bt_sk(sk)->dst, conn->dst);
1162
d1010240
GP		 1163 bt_accept_enqueue(parent, sk);
1164
3d57dc68 1165 l2cap_chan_add(conn, chan);
48454079 1166
c9b66675 1167 __set_chan_timer(chan, sk->sk_sndtimeo);
b62f328b 1168
0e587be7 1169 __l2cap_state_change(chan, BT_CONNECTED);
b62f328b
VT		 1170 parent->sk_data_ready(parent, 0);
1171
b62f328b 1172clean:
aa2ac881 1173 release_sock(parent);
b62f328b
VT		 1174}
1175
4e8402a3
MH		 1176static void l2cap_conn_ready(struct l2cap_conn *conn)
1177{
48454079 1178 struct l2cap_chan *chan;
4e8402a3 1179
79d554a6 1180 BT_DBG("conn %p", conn);
4e8402a3 1181
b62f328b
VT		 1182 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
1183 l2cap_le_conn_ready(conn);
1184
160dc6ac
VCG		 1185 if (conn->hcon->out && conn->hcon->type == LE_LINK)
1186 smp_conn_security(conn, conn->hcon->pending_sec_level);
1187
3df91ea2 1188 mutex_lock(&conn->chan_lock);
4e8402a3 1189
3df91ea2 1190 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1191
6be36555 1192 l2cap_chan_lock(chan);
4e8402a3 1193
63128451 1194 if (conn->hcon->type == LE_LINK) {
b501d6a1 1195 if (smp_conn_security(conn, chan->sec_level))
cf4cd009 1196 l2cap_chan_ready(chan);
acd7d370 1197
63128451 1198 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1199 struct sock *sk = chan->sk;
c9b66675 1200 __clear_chan_timer(chan);
6be36555 1201 lock_sock(sk);
0e587be7 1202 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1203 sk->sk_state_change(sk);
6be36555 1204 release_sock(sk);
b501d6a1 1205
89bc500e 1206 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1207 l2cap_do_start(chan);
4e8402a3 1208
6be36555 1209 l2cap_chan_unlock(chan);
4e8402a3 1210 }
79d554a6 1211
3df91ea2 1212 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1213}
1214
1215/* Notify sockets that we cannot guaranty reliability anymore */
1216static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1217{
48454079 1218 struct l2cap_chan *chan;
4e8402a3
MH		 1219
1220 BT_DBG("conn %p", conn);
1221
3df91ea2 1222 mutex_lock(&conn->chan_lock);
4e8402a3 1223
3df91ea2 1224 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1225 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
2e0052e4 1226 __l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1227 }
1228
3df91ea2 1229 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1230}
1231
f878fcad 1232static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1233{
f878fcad 1234 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
030013d8 1235 info_timer.work);
4e8402a3 1236
984947dc 1237 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1238 conn->info_ident = 0;
984947dc 1239
4e8402a3
MH		 1240 l2cap_conn_start(conn);
1241}
1242
5d3de7df
VCG		 1243static void l2cap_conn_del(struct hci_conn *hcon, int err)
1244{
1245 struct l2cap_conn *conn = hcon->l2cap_data;
1246 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1247
1248 if (!conn)
1249 return;
1250
1251 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1252
1253 kfree_skb(conn->rx_skb);
1254
3df91ea2
AE		 1255 mutex_lock(&conn->chan_lock);
1256
5d3de7df
VCG		 1257 /* Kill channels */
1258 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1259 l2cap_chan_hold(chan);
6be36555
AE		 1260 l2cap_chan_lock(chan);
1261
5d3de7df 1262 l2cap_chan_del(chan, err);
6be36555
AE		 1263
1264 l2cap_chan_unlock(chan);
1265
5d3de7df 1266 chan->ops->close(chan->data);
61d6ef3e 1267 l2cap_chan_put(chan);
5d3de7df
VCG		 1268 }
1269
3df91ea2
AE		 1270 mutex_unlock(&conn->chan_lock);
1271
73d80deb
LAD		 1272 hci_chan_del(conn->hchan);
1273
5d3de7df 1274 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1275 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1276
51a8efd7 1277 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1278 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1279 smp_chan_destroy(conn);
d26a2345 1280 }
5d3de7df
VCG		 1281
1282 hcon->l2cap_data = NULL;
1283 kfree(conn);
1284}
1285
6c9d42a1 1286static void security_timeout(struct work_struct *work)
5d3de7df 1287{
6c9d42a1
GP		 1288 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1289 security_timer.work);
5d3de7df
VCG		 1290
1291 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1292}
1293
1da177e4
LT		 1294static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1295{
0139418c 1296 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1297 struct hci_chan *hchan;
1da177e4 1298
0139418c 1299 if (conn || status)
1da177e4
LT		 1300 return conn;
1301
73d80deb
LAD		 1302 hchan = hci_chan_create(hcon);
1303 if (!hchan)
1304 return NULL;
1305
0139418c 1306 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
73d80deb
LAD		 1307 if (!conn) {
1308 hci_chan_del(hchan);
1da177e4 1309 return NULL;
73d80deb 1310 }
1da177e4
LT		 1311
1312 hcon->l2cap_data = conn;
1313 conn->hcon = hcon;
73d80deb 1314 conn->hchan = hchan;
1da177e4 1315
73d80deb 1316 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1317
acd7d370
VT		 1318 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1319 conn->mtu = hcon->hdev->le_mtu;
1320 else
1321 conn->mtu = hcon->hdev->acl_mtu;
1322
1da177e4
LT		 1323 conn->src = &hcon->hdev->bdaddr;
1324 conn->dst = &hcon->dst;
1325
4e8402a3
MH		 1326 conn->feat_mask = 0;
1327
1da177e4 1328 spin_lock_init(&conn->lock);
3df91ea2 1329 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1330
1331 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1332
5d3de7df 1333 if (hcon->type == LE_LINK)
6c9d42a1 1334 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1335 else
030013d8 1336 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1337
9f5a0d7b 1338 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1339
1da177e4
LT		 1340 return conn;
1341}
1342
1da177e4 1343/* ---- Socket interface ---- */
1da177e4 1344
c2287681 1345/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1346 * Returns closest match.
1347 */
c2287681
IY		 1348static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1349 bdaddr_t *src,
1350 bdaddr_t *dst)
1da177e4 1351{
23691d75 1352 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1353
23691d75 1354 read_lock(&chan_list_lock);
e0f0cb56 1355
23691d75
GP		 1356 list_for_each_entry(c, &chan_list, global_l) {
1357 struct sock *sk = c->sk;
fe4128e0 1358
89bc500e 1359 if (state && c->state != state)
1da177e4
LT		 1360 continue;
1361
23691d75 1362 if (c->psm == psm) {
c2287681
IY		 1363 int src_match, dst_match;
1364 int src_any, dst_any;
1365
1da177e4 1366 /* Exact match. */
c2287681
IY		 1367 src_match = !bacmp(&bt_sk(sk)->src, src);
1368 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1369 if (src_match && dst_match) {
a7567b20 1370 read_unlock(&chan_list_lock);
23691d75
GP		 1371 return c;
1372 }
1da177e4
LT		 1373
1374 /* Closest match */
c2287681
IY		 1375 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1376 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1377 if ((src_match && dst_any) || (src_any && dst_match) ||
1378 (src_any && dst_any))
23691d75 1379 c1 = c;
1da177e4
LT		 1380 }
1381 }
1da177e4 1382
23691d75 1383 read_unlock(&chan_list_lock);
e0f0cb56 1384
23691d75 1385 return c1;
1da177e4
LT		 1386}
1387
8e9f9892
AG		 1388int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1389 bdaddr_t *dst, u8 dst_type)
1da177e4 1390{
5d41ce1d 1391 struct sock *sk = chan->sk;
1da177e4 1392 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1393 struct l2cap_conn *conn;
1394 struct hci_conn *hcon;
1395 struct hci_dev *hdev;
09ab6f4c 1396 __u8 auth_type;
44d0e48e 1397 int err;
1da177e4 1398
8e9f9892
AG		 1399 BT_DBG("%s -> %s (type %u) psm 0x%2.2x", batostr(src), batostr(dst),
1400 dst_type, __le16_to_cpu(chan->psm));
1da177e4 1401
af05b30b
GP		 1402 hdev = hci_get_route(dst, src);
1403 if (!hdev)
1da177e4
LT		 1404 return -EHOSTUNREACH;
1405
09fd0de5 1406 hci_dev_lock(hdev);
1da177e4 1407
6be36555 1408 l2cap_chan_lock(chan);
03a00194
GP		 1409
1410 /* PSM must be odd and lsb of upper byte must be 0 */
1411 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1412 chan->chan_type != L2CAP_CHAN_RAW) {
1413 err = -EINVAL;
1414 goto done;
1415 }
1416
1417 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1418 err = -EINVAL;
1419 goto done;
1420 }
1421
1422 switch (chan->mode) {
1423 case L2CAP_MODE_BASIC:
1424 break;
1425 case L2CAP_MODE_ERTM:
1426 case L2CAP_MODE_STREAMING:
1427 if (!disable_ertm)
1428 break;
1429 /* fall through */
1430 default:
1431 err = -ENOTSUPP;
1432 goto done;
1433 }
1434
6be36555
AE		 1435 lock_sock(sk);
1436
03a00194
GP		 1437 switch (sk->sk_state) {
1438 case BT_CONNECT:
1439 case BT_CONNECT2:
1440 case BT_CONFIG:
1441 /* Already connecting */
1442 err = 0;
6be36555 1443 release_sock(sk);
03a00194
GP		 1444 goto done;
1445
1446 case BT_CONNECTED:
1447 /* Already connected */
1448 err = -EISCONN;
6be36555 1449 release_sock(sk);
03a00194
GP		 1450 goto done;
1451
1452 case BT_OPEN:
1453 case BT_BOUND:
1454 /* Can connect */
1455 break;
1456
1457 default:
1458 err = -EBADFD;
6be36555 1459 release_sock(sk);
03a00194
GP		 1460 goto done;
1461 }
1462
1463 /* Set destination address and psm */
9219b2a0 1464 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1465
1466 release_sock(sk);
1467
03a00194
GP		 1468 chan->psm = psm;
1469 chan->dcid = cid;
1da177e4 1470
4343478f 1471 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1472
fe4128e0 1473 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1474 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1475 chan->sec_level, auth_type);
acd7d370 1476 else
8e9f9892 1477 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1478 chan->sec_level, auth_type);
acd7d370 1479
30e76272
VT		 1480 if (IS_ERR(hcon)) {
1481 err = PTR_ERR(hcon);
1da177e4 1482 goto done;
30e76272 1483 }
1da177e4
LT		 1484
1485 conn = l2cap_conn_add(hcon, 0);
1486 if (!conn) {
1487 hci_conn_put(hcon);
30e76272 1488 err = -ENOMEM;
1da177e4
LT		 1489 goto done;
1490 }
1491
9f0caeb1
VCG		 1492 if (hcon->type == LE_LINK) {
1493 err = 0;
1494
1495 if (!list_empty(&conn->chan_l)) {
1496 err = -EBUSY;
1497 hci_conn_put(hcon);
1498 }
1499
1500 if (err)
1501 goto done;
1502 }
1503
1da177e4
LT		 1504 /* Update source addr of the socket */
1505 bacpy(src, conn->src);
1506
6be36555 1507 l2cap_chan_unlock(chan);
48454079 1508 l2cap_chan_add(conn, chan);
6be36555 1509 l2cap_chan_lock(chan);
48454079 1510
6be36555 1511 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1512 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1513
1514 if (hcon->state == BT_CONNECTED) {
715ec005 1515 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1516 __clear_chan_timer(chan);
d45fc423 1517 if (l2cap_chan_check_security(chan))
6be36555 1518 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1519 } else
fc7f8a7e 1520 l2cap_do_start(chan);
1da177e4
LT		 1521 }
1522
30e76272
VT		 1523 err = 0;
1524
1da177e4 1525done:
6be36555 1526 l2cap_chan_unlock(chan);
09fd0de5 1527 hci_dev_unlock(hdev);
1da177e4
LT		 1528 hci_dev_put(hdev);
1529 return err;
1530}
1531
dcba0dba 1532int __l2cap_wait_ack(struct sock *sk)
6161c038 1533{
8c1d787b 1534 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1535 DECLARE_WAITQUEUE(wait, current);
1536 int err = 0;
1537 int timeo = HZ/5;
1538
2b0b05dd 1539 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1540 set_current_state(TASK_INTERRUPTIBLE);
1541 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1542 if (!timeo)
1543 timeo = HZ/5;
1544
1545 if (signal_pending(current)) {
1546 err = sock_intr_errno(timeo);
1547 break;
1548 }
1549
1550 release_sock(sk);
1551 timeo = schedule_timeout(timeo);
1552 lock_sock(sk);
a71a0cf4 1553 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1554
1555 err = sock_error(sk);
1556 if (err)
1557 break;
1558 }
1559 set_current_state(TASK_RUNNING);
2b0b05dd 1560 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1561 return err;
1562}
1563
721c4181 1564static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1565{
721c4181
GP		 1566 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1567 monitor_timer.work);
e90bac06 1568
525cd185 1569 BT_DBG("chan %p", chan);
0e98958d 1570
6be36555
AE		 1571 l2cap_chan_lock(chan);
1572
2c03a7a4 1573 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1574 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
6be36555 1575 l2cap_chan_unlock(chan);
8d7e1c7f 1576 l2cap_chan_put(chan);
e90bac06
GP		 1577 return;
1578 }
1579
6a026610 1580 chan->retry_count++;
1a09bcb9 1581 __set_monitor_timer(chan);
e90bac06 1582
525cd185 1583 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
6be36555 1584 l2cap_chan_unlock(chan);
8d7e1c7f 1585 l2cap_chan_put(chan);
e90bac06
GP		 1586}
1587
721c4181 1588static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1589{
721c4181
GP		 1590 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1591 retrans_timer.work);
e90bac06 1592
49208c9c 1593 BT_DBG("chan %p", chan);
0e98958d 1594
6be36555
AE		 1595 l2cap_chan_lock(chan);
1596
6a026610 1597 chan->retry_count = 1;
1a09bcb9 1598 __set_monitor_timer(chan);
e90bac06 1599
e2ab4353 1600 set_bit(CONN_WAIT_F, &chan->conn_state);
e90bac06 1601
525cd185 1602 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
6be36555
AE		 1603
1604 l2cap_chan_unlock(chan);
8d7e1c7f 1605 l2cap_chan_put(chan);
e90bac06
GP		 1606}
1607
42e5c802 1608static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1da177e4 1609{
1c2acffb 1610 struct sk_buff *skb;
1da177e4 1611
58d35f87 1612 while ((skb = skb_peek(&chan->tx_q)) &&
6a026610 1613 chan->unacked_frames) {
3ce3514f 1614 if (bt_cb(skb)->control.txseq == chan->expected_ack_seq)
1c2acffb 1615 break;
1da177e4 1616
58d35f87 1617 skb = skb_dequeue(&chan->tx_q);
1c2acffb 1618 kfree_skb(skb);
1da177e4 1619
6a026610 1620 chan->unacked_frames--;
1c2acffb 1621 }
1da177e4 1622
6a026610 1623 if (!chan->unacked_frames)
1a09bcb9 1624 __clear_retrans_timer(chan);
1c2acffb 1625}
1da177e4 1626
67c9e840 1627static void l2cap_streaming_send(struct l2cap_chan *chan)
6840ed07 1628{
ccbb84af 1629 struct sk_buff *skb;
88843ab0
AE		 1630 u32 control;
1631 u16 fcs;
6840ed07 1632
58d35f87 1633 while ((skb = skb_dequeue(&chan->tx_q))) {
88843ab0 1634 control = __get_control(chan, skb->data + L2CAP_HDR_SIZE);
fb45de7d 1635 control |= __set_txseq(chan, chan->next_tx_seq);
88843ab0 1636 __put_control(chan, control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1637
47d1ec61 1638 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1639 fcs = crc16(0, (u8 *)skb->data,
1640 skb->len - L2CAP_FCS_SIZE);
1641 put_unaligned_le16(fcs,
1642 skb->data + skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 1643 }
1644
4343478f 1645 l2cap_do_send(chan, skb);
6840ed07 1646
836be934 1647 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
6840ed07 1648 }
6840ed07
GP		 1649}
1650
fb45de7d 1651static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 1652{
8f17154f 1653 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1654 u16 fcs;
1655 u32 control;
8f17154f 1656
58d35f87 1657 skb = skb_peek(&chan->tx_q);
f11d676d
GP		 1658 if (!skb)
1659 return;
8f17154f 1660
3ce3514f 1661 while (bt_cb(skb)->control.txseq != tx_seq) {
58d35f87 1662 if (skb_queue_is_last(&chan->tx_q, skb))
f11d676d 1663 return;
8f17154f 1664
d1726b6d
SJ		 1665 skb = skb_queue_next(&chan->tx_q, skb);
1666 }
8f17154f 1667
3ce3514f
MM		 1668 if (bt_cb(skb)->control.retries == chan->remote_max_tx &&
1669 chan->remote_max_tx) {
8c1d787b 1670 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
f11d676d
GP		 1671 return;
1672 }
1673
1674 tx_skb = skb_clone(skb, GFP_ATOMIC);
3ce3514f 1675 bt_cb(skb)->control.retries++;
88843ab0
AE		 1676
1677 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1678 control &= __get_sar_mask(chan);
3cb123d1 1679
e2ab4353 1680 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1681 control |= __set_ctrl_final(chan);
95ffa978 1682
0b209fae 1683 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1684 control |= __set_txseq(chan, tx_seq);
3cb123d1 1685
88843ab0 1686 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
f11d676d 1687
47d1ec61 1688 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1689 fcs = crc16(0, (u8 *)tx_skb->data,
1690 tx_skb->len - L2CAP_FCS_SIZE);
1691 put_unaligned_le16(fcs,
1692 tx_skb->data + tx_skb->len - L2CAP_FCS_SIZE);
f11d676d
GP		 1693 }
1694
4343478f 1695 l2cap_do_send(chan, tx_skb);
8f17154f
GP		 1696}
1697
67c9e840 1698static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1699{
1700 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1701 u16 fcs;
1702 u32 control;
9a9c6a34 1703 int nsent = 0;
1c2acffb 1704
89bc500e 1705 if (chan->state != BT_CONNECTED)
c13ffa62 1706 return -ENOTCONN;
e90bac06 1707
58d35f87 1708 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1c2acffb 1709
3ce3514f
MM		 1710 if (bt_cb(skb)->control.retries == chan->remote_max_tx &&
1711 chan->remote_max_tx) {
8c1d787b 1712 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
e90bac06
GP		 1713 break;
1714 }
1715
e420aba3
AE		 1716 tx_skb = skb_clone(skb, GFP_ATOMIC);
1717
3ce3514f 1718 bt_cb(skb)->control.retries++;
e90bac06 1719
88843ab0 1720 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1721 control &= __get_sar_mask(chan);
95ffa978 1722
e2ab4353 1723 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1724 control |= __set_ctrl_final(chan);
e2ab4353 1725
0b209fae 1726 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1727 control |= __set_txseq(chan, chan->next_tx_seq);
1c2acffb 1728
88843ab0 1729 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
e90bac06 1730
47d1ec61 1731 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1732 fcs = crc16(0, (u8 *)skb->data,
1733 tx_skb->len - L2CAP_FCS_SIZE);
1734 put_unaligned_le16(fcs, skb->data +
1735 tx_skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 1736 }
1737
4343478f 1738 l2cap_do_send(chan, tx_skb);
9a9c6a34 1739
1a09bcb9 1740 __set_retrans_timer(chan);
1c2acffb 1741
3ce3514f 1742 bt_cb(skb)->control.txseq = chan->next_tx_seq;
836be934
AE		 1743
1744 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1c2acffb 1745
3ce3514f 1746 if (bt_cb(skb)->control.retries == 1) {
6a026610 1747 chan->unacked_frames++;
930fa4ae
SJ		 1748
1749 if (!nsent++)
1750 __clear_ack_timer(chan);
8ed7a0ae 1751 }
23e9fde2 1752
6a026610 1753 chan->frames_sent++;
1c2acffb 1754
58d35f87
GP		 1755 if (skb_queue_is_last(&chan->tx_q, skb))
1756 chan->tx_send_head = NULL;
1c2acffb 1757 else
58d35f87 1758 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1c2acffb
GP		 1759 }
1760
9e917af1
GP		 1761 return nsent;
1762}
1763
525cd185 1764static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1765{
dfc909be
GP		 1766 int ret;
1767
58d35f87
GP		 1768 if (!skb_queue_empty(&chan->tx_q))
1769 chan->tx_send_head = chan->tx_q.next;
dfc909be 1770
42e5c802 1771 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1772 ret = l2cap_ertm_send(chan);
dfc909be
GP		 1773 return ret;
1774}
1775
b17e73bb 1776static void __l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1777{
88843ab0 1778 u32 control = 0;
9e917af1 1779
0b209fae 1780 control |= __set_reqseq(chan, chan->buffer_seq);
9e917af1 1781
e2ab4353 1782 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 1783 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 1784 set_bit(CONN_RNR_SENT, &chan->conn_state);
525cd185 1785 l2cap_send_sframe(chan, control);
9a9c6a34 1786 return;
9e917af1 1787 }
dfc909be 1788
525cd185 1789 if (l2cap_ertm_send(chan) > 0)
dfc909be
GP		 1790 return;
1791
ab784b73 1792 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 1793 l2cap_send_sframe(chan, control);
1c2acffb
GP		 1794}
1795
b17e73bb
SJ		 1796static void l2cap_send_ack(struct l2cap_chan *chan)
1797{
1798 __clear_ack_timer(chan);
1799 __l2cap_send_ack(chan);
1800}
1801
525cd185 1802static void l2cap_send_srejtail(struct l2cap_chan *chan)
99b0d4b7
GP		 1803{
1804 struct srej_list *tail;
88843ab0 1805 u32 control;
99b0d4b7 1806
ab784b73 1807 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
03f6715d 1808 control |= __set_ctrl_final(chan);
99b0d4b7 1809
39d5a3ee 1810 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
0b209fae 1811 control |= __set_reqseq(chan, tail->tx_seq);
99b0d4b7 1812
525cd185 1813 l2cap_send_sframe(chan, control);
99b0d4b7
GP		 1814}
1815
04124681
GP		 1816static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
1817 struct msghdr *msg, int len,
1818 int count, struct sk_buff *skb)
1c2acffb 1819{
0952a57a 1820 struct l2cap_conn *conn = chan->conn;
1c2acffb 1821 struct sk_buff **frag;
90338947 1822 int sent = 0;
1da177e4 1823
59203a21 1824 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1825 return -EFAULT;
1da177e4
LT		 1826
1827 sent += count;
1828 len -= count;
1829
1830 /* Continuation fragments (no L2CAP header) */
1831 frag = &skb_shinfo(skb)->frag_list;
1832 while (len) {
1833 count = min_t(unsigned int, conn->mtu, len);
1834
2f7719ce 1835 *frag = chan->ops->alloc_skb(chan, count,
90338947 1836 msg->msg_flags & MSG_DONTWAIT);
2f7719ce 1837
90338947
GP		 1838 if (IS_ERR(*frag))
1839 return PTR_ERR(*frag);
1c2acffb
GP		 1840 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1841 return -EFAULT;
1da177e4 1842
5e59b791
LAD		 1843 (*frag)->priority = skb->priority;
1844
1da177e4
LT		 1845 sent += count;
1846 len -= count;
1847
1848 frag = &(*frag)->next;
1849 }
1da177e4
LT		 1850
1851 return sent;
1c2acffb 1852}
1da177e4 1853
5e59b791
LAD		 1854static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
1855 struct msghdr *msg, size_t len,
1856 u32 priority)
1c2acffb 1857{
8c1d787b 1858 struct l2cap_conn *conn = chan->conn;
1c2acffb 1859 struct sk_buff *skb;
03a51213 1860 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 1861 struct l2cap_hdr *lh;
1862
6d5922b0 1863 BT_DBG("chan %p len %d priority %u", chan, (int)len, priority);
1c2acffb
GP		 1864
1865 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1866
1867 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 1868 msg->msg_flags & MSG_DONTWAIT);
1869 if (IS_ERR(skb))
1870 return skb;
1c2acffb 1871
5e59b791
LAD		 1872 skb->priority = priority;
1873
1c2acffb
GP		 1874 /* Create L2CAP header */
1875 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1876 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1877 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
097db76c 1878 put_unaligned(chan->psm, skb_put(skb, 2));
1c2acffb 1879
0952a57a 1880 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1881 if (unlikely(err < 0)) {
1882 kfree_skb(skb);
1883 return ERR_PTR(err);
1884 }
1885 return skb;
1886}
1887
5e59b791
LAD		 1888static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
1889 struct msghdr *msg, size_t len,
1890 u32 priority)
1c2acffb 1891{
8c1d787b 1892 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1893 struct sk_buff *skb;
1894 int err, count, hlen = L2CAP_HDR_SIZE;
1895 struct l2cap_hdr *lh;
1896
6d5922b0 1897 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb
GP		 1898
1899 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1900
1901 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 1902 msg->msg_flags & MSG_DONTWAIT);
1903 if (IS_ERR(skb))
1904 return skb;
1c2acffb 1905
5e59b791
LAD		 1906 skb->priority = priority;
1907
1c2acffb
GP		 1908 /* Create L2CAP header */
1909 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1910 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1911 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1912
0952a57a 1913 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1914 if (unlikely(err < 0)) {
1915 kfree_skb(skb);
1916 return ERR_PTR(err);
1917 }
1918 return skb;
1919}
1920
ab0ff76d
LAD		 1921static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
1922 struct msghdr *msg, size_t len,
88843ab0 1923 u32 control, u16 sdulen)
1c2acffb 1924{
8c1d787b 1925 struct l2cap_conn *conn = chan->conn;
1c2acffb 1926 struct sk_buff *skb;
e4ca6d98 1927 int err, count, hlen;
1c2acffb
GP		 1928 struct l2cap_hdr *lh;
1929
6d5922b0 1930 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 1931
0ee0d208
GP		 1932 if (!conn)
1933 return ERR_PTR(-ENOTCONN);
1934
e4ca6d98
AE		 1935 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1936 hlen = L2CAP_EXT_HDR_SIZE;
1937 else
1938 hlen = L2CAP_ENH_HDR_SIZE;
1939
c74e560c 1940 if (sdulen)
03a51213 1941 hlen += L2CAP_SDULEN_SIZE;
c74e560c 1942
47d1ec61 1943 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1944 hlen += L2CAP_FCS_SIZE;
fcc203c3 1945
1c2acffb 1946 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1947
1948 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 1949 msg->msg_flags & MSG_DONTWAIT);
1950 if (IS_ERR(skb))
1951 return skb;
1c2acffb
GP		 1952
1953 /* Create L2CAP header */
1954 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1955 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1956 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0
AE		 1957
1958 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
1959
c74e560c 1960 if (sdulen)
03a51213 1961 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 1962
0952a57a 1963 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1964 if (unlikely(err < 0)) {
1965 kfree_skb(skb);
1966 return ERR_PTR(err);
1967 }
e90bac06 1968
47d1ec61 1969 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1970 put_unaligned_le16(0, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3 1971
3ce3514f 1972 bt_cb(skb)->control.retries = 0;
1c2acffb 1973 return skb;
1da177e4
LT		 1974}
1975
67c9e840 1976static int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
c74e560c 1977{
c74e560c
GP		 1978 struct sk_buff *skb;
1979 struct sk_buff_head sar_queue;
88843ab0 1980 u32 control;
c74e560c
GP		 1981 size_t size = 0;
1982
ff12fd64 1983 skb_queue_head_init(&sar_queue);
7e0ef6ee 1984 control = __set_ctrl_sar(chan, L2CAP_SAR_START);
47d1ec61 1985 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
c74e560c
GP		 1986 if (IS_ERR(skb))
1987 return PTR_ERR(skb);
1988
1989 __skb_queue_tail(&sar_queue, skb);
2c03a7a4
GP		 1990 len -= chan->remote_mps;
1991 size += chan->remote_mps;
c74e560c
GP		 1992
1993 while (len > 0) {
1994 size_t buflen;
1995
2c03a7a4 1996 if (len > chan->remote_mps) {
7e0ef6ee 1997 control = __set_ctrl_sar(chan, L2CAP_SAR_CONTINUE);
2c03a7a4 1998 buflen = chan->remote_mps;
c74e560c 1999 } else {
7e0ef6ee 2000 control = __set_ctrl_sar(chan, L2CAP_SAR_END);
c74e560c
GP		 2001 buflen = len;
2002 }
2003
47d1ec61 2004 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
c74e560c
GP		 2005 if (IS_ERR(skb)) {
2006 skb_queue_purge(&sar_queue);
2007 return PTR_ERR(skb);
2008 }
2009
2010 __skb_queue_tail(&sar_queue, skb);
2011 len -= buflen;
2012 size += buflen;
c74e560c 2013 }
58d35f87
GP		 2014 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
2015 if (chan->tx_send_head == NULL)
2016 chan->tx_send_head = sar_queue.next;
c74e560c
GP		 2017
2018 return size;
2019}
2020
5e59b791
LAD		 2021int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2022 u32 priority)
9a91a04a 2023{
9a91a04a 2024 struct sk_buff *skb;
88843ab0 2025 u32 control;
9a91a04a
GP		 2026 int err;
2027
2028 /* Connectionless channel */
715ec005 2029 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2030 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2031 if (IS_ERR(skb))
2032 return PTR_ERR(skb);
2033
2034 l2cap_do_send(chan, skb);
2035 return len;
2036 }
2037
2038 switch (chan->mode) {
2039 case L2CAP_MODE_BASIC:
2040 /* Check outgoing MTU */
2041 if (len > chan->omtu)
2042 return -EMSGSIZE;
2043
2044 /* Create a basic PDU */
5e59b791 2045 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2046 if (IS_ERR(skb))
2047 return PTR_ERR(skb);
2048
2049 l2cap_do_send(chan, skb);
2050 err = len;
2051 break;
2052
2053 case L2CAP_MODE_ERTM:
2054 case L2CAP_MODE_STREAMING:
2055 /* Entire SDU fits into one PDU */
2056 if (len <= chan->remote_mps) {
7e0ef6ee 2057 control = __set_ctrl_sar(chan, L2CAP_SAR_UNSEGMENTED);
9a91a04a
GP		 2058 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
2059 0);
2060 if (IS_ERR(skb))
2061 return PTR_ERR(skb);
2062
2063 __skb_queue_tail(&chan->tx_q, skb);
2064
2065 if (chan->tx_send_head == NULL)
2066 chan->tx_send_head = skb;
2067
2068 } else {
2069 /* Segment SDU into multiples PDUs */
2070 err = l2cap_sar_segment_sdu(chan, msg, len);
2071 if (err < 0)
2072 return err;
2073 }
2074
2075 if (chan->mode == L2CAP_MODE_STREAMING) {
2076 l2cap_streaming_send(chan);
2077 err = len;
2078 break;
2079 }
2080
e2ab4353
GP		 2081 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
2082 test_bit(CONN_WAIT_F, &chan->conn_state)) {
9a91a04a
GP		 2083 err = len;
2084 break;
2085 }
2086
2087 err = l2cap_ertm_send(chan);
2088 if (err >= 0)
2089 err = len;
2090
2091 break;
2092
2093 default:
2094 BT_DBG("bad state %1.1x", chan->mode);
2095 err = -EBADFD;
2096 }
2097
2098 return err;
2099}
2100
1da177e4
LT		 2101/* Copy frame to all raw sockets on that connection */
2102static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2103{
1da177e4 2104 struct sk_buff *nskb;
48454079 2105 struct l2cap_chan *chan;
1da177e4
LT		 2106
2107 BT_DBG("conn %p", conn);
2108
3df91ea2 2109 mutex_lock(&conn->chan_lock);
3d57dc68 2110
3df91ea2 2111 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2112 struct sock *sk = chan->sk;
715ec005 2113 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2114 continue;
2115
2116 /* Don't send frame to the socket it came from */
2117 if (skb->sk == sk)
2118 continue;
af05b30b
GP		 2119 nskb = skb_clone(skb, GFP_ATOMIC);
2120 if (!nskb)
1da177e4
LT		 2121 continue;
2122
23070494 2123 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT		 2124 kfree_skb(nskb);
2125 }
3d57dc68 2126
3df91ea2 2127 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2128}
2129
2130/* ---- L2CAP signalling commands ---- */
2131static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2132 u8 code, u8 ident, u16 dlen, void *data)
2133{
2134 struct sk_buff *skb, **frag;
2135 struct l2cap_cmd_hdr *cmd;
2136 struct l2cap_hdr *lh;
2137 int len, count;
2138
af05b30b
GP		 2139 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2140 conn, code, ident, dlen);
1da177e4
LT		 2141
2142 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2143 count = min_t(unsigned int, conn->mtu, len);
2144
2145 skb = bt_skb_alloc(count, GFP_ATOMIC);
2146 if (!skb)
2147 return NULL;
2148
2149 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2150 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2151
2152 if (conn->hcon->type == LE_LINK)
2153 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2154 else
2155 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2156
2157 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2158 cmd->code = code;
2159 cmd->ident = ident;
aca3192c 2160 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2161
2162 if (dlen) {
2163 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2164 memcpy(skb_put(skb, count), data, count);
2165 data += count;
2166 }
2167
2168 len -= skb->len;
2169
2170 /* Continuation fragments (no L2CAP header) */
2171 frag = &skb_shinfo(skb)->frag_list;
2172 while (len) {
2173 count = min_t(unsigned int, conn->mtu, len);
2174
2175 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2176 if (!*frag)
2177 goto fail;
2178
2179 memcpy(skb_put(*frag, count), data, count);
2180
2181 len -= count;
2182 data += count;
2183
2184 frag = &(*frag)->next;
2185 }
2186
2187 return skb;
2188
2189fail:
2190 kfree_skb(skb);
2191 return NULL;
2192}
2193
2194static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2195{
2196 struct l2cap_conf_opt *opt = *ptr;
2197 int len;
2198
2199 len = L2CAP_CONF_OPT_SIZE + opt->len;
2200 *ptr += len;
2201
2202 *type = opt->type;
2203 *olen = opt->len;
2204
2205 switch (opt->len) {
2206 case 1:
2207 *val = *((u8 *) opt->val);
2208 break;
2209
2210 case 2:
bfaaeb3e 2211 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2212 break;
2213
2214 case 4:
bfaaeb3e 2215 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2216 break;
2217
2218 default:
2219 *val = (unsigned long) opt->val;
2220 break;
2221 }
2222
2223 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2224 return len;
2225}
2226
1da177e4
LT		 2227static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2228{
2229 struct l2cap_conf_opt *opt = *ptr;
2230
2231 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2232
2233 opt->type = type;
2234 opt->len = len;
2235
2236 switch (len) {
2237 case 1:
2238 *((u8 *) opt->val) = val;
2239 break;
2240
2241 case 2:
4f8b691c 2242 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2243 break;
2244
2245 case 4:
4f8b691c 2246 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2247 break;
2248
2249 default:
2250 memcpy(opt->val, (void *) val, len);
2251 break;
2252 }
2253
2254 *ptr += L2CAP_CONF_OPT_SIZE + len;
2255}
2256
f89cef09
AE		 2257static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2258{
2259 struct l2cap_conf_efs efs;
2260
1ec918ce 2261 switch (chan->mode) {
f89cef09
AE		 2262 case L2CAP_MODE_ERTM:
2263 efs.id = chan->local_id;
2264 efs.stype = chan->local_stype;
2265 efs.msdu = cpu_to_le16(chan->local_msdu);
2266 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2267 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2268 efs.flush_to = cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
2269 break;
2270
2271 case L2CAP_MODE_STREAMING:
2272 efs.id = 1;
2273 efs.stype = L2CAP_SERV_BESTEFFORT;
2274 efs.msdu = cpu_to_le16(chan->local_msdu);
2275 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2276 efs.acc_lat = 0;
2277 efs.flush_to = 0;
2278 break;
2279
2280 default:
2281 return;
2282 }
2283
2284 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
2285 (unsigned long) &efs);
2286}
2287
721c4181 2288static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2289{
721c4181
GP		 2290 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2291 ack_timer.work);
c1b4f43b 2292
2fb9b3d4
GP		 2293 BT_DBG("chan %p", chan);
2294
6be36555
AE		 2295 l2cap_chan_lock(chan);
2296
b17e73bb 2297 __l2cap_send_ack(chan);
6be36555
AE		 2298
2299 l2cap_chan_unlock(chan);
09bfb2ee
SJ		 2300
2301 l2cap_chan_put(chan);
c1b4f43b
GP		 2302}
2303
3c588192 2304static inline int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2305{
3c588192
MM		 2306 int err;
2307
105bdf9e
MM		 2308 chan->next_tx_seq = 0;
2309 chan->expected_tx_seq = 0;
42e5c802 2310 chan->expected_ack_seq = 0;
6a026610 2311 chan->unacked_frames = 0;
42e5c802 2312 chan->buffer_seq = 0;
6a026610
GP		 2313 chan->num_acked = 0;
2314 chan->frames_sent = 0;
105bdf9e
MM		 2315 chan->last_acked_seq = 0;
2316 chan->sdu = NULL;
2317 chan->sdu_last_frag = NULL;
2318 chan->sdu_len = 0;
2319
2320 if (chan->mode != L2CAP_MODE_ERTM)
2321 return 0;
2322
2323 chan->rx_state = L2CAP_RX_STATE_RECV;
2324 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2325
721c4181
GP		 2326 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2327 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2328 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2329
f1c6775b 2330 skb_queue_head_init(&chan->srej_q);
105bdf9e 2331 skb_queue_head_init(&chan->tx_q);
1890d36b 2332
39d5a3ee 2333 INIT_LIST_HEAD(&chan->srej_l);
3c588192
MM		 2334 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2335 if (err < 0)
2336 return err;
2337
2338 return l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
0565c1c2
GP		 2339}
2340
f2fcfcd6
GP		 2341static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2342{
2343 switch (mode) {
2344 case L2CAP_MODE_STREAMING:
2345 case L2CAP_MODE_ERTM:
2346 if (l2cap_mode_supported(mode, remote_feat_mask))
2347 return mode;
2348 /* fall through */
2349 default:
2350 return L2CAP_MODE_BASIC;
2351 }
2352}
2353
6327eb98
AE		 2354static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2355{
2356 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2357}
2358
f89cef09
AE		 2359static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2360{
2361 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2362}
2363
6327eb98
AE		 2364static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2365{
2366 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 2367 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2368 /* use extended control field */
2369 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2370 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2371 } else {
6327eb98
AE		 2372 chan->tx_win = min_t(u16, chan->tx_win,
2373 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2374 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2375 }
6327eb98
AE		 2376}
2377
710f9b0a 2378static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2379{
1da177e4 2380 struct l2cap_conf_req *req = data;
0c1bc5c6 2381 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2382 void *ptr = req->data;
c8f79162 2383 u16 size;
1da177e4 2384
49208c9c 2385 BT_DBG("chan %p", chan);
1da177e4 2386
73ffa904 2387 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2388 goto done;
2389
0c1bc5c6 2390 switch (chan->mode) {
f2fcfcd6
GP		 2391 case L2CAP_MODE_STREAMING:
2392 case L2CAP_MODE_ERTM:
c1360a1c 2393 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2394 break;
85eb53c6 2395
f89cef09
AE		 2396 if (__l2cap_efs_supported(chan))
2397 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2398
2ba13ed6 2399 /* fall through */
f2fcfcd6 2400 default:
8c1d787b 2401 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2402 break;
2403 }
2404
2405done:
0c1bc5c6
GP		 2406 if (chan->imtu != L2CAP_DEFAULT_MTU)
2407 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2408
0c1bc5c6 2409 switch (chan->mode) {
65c7c491 2410 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2411 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2412 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2413 break;
2414
62547752
GP		 2415 rfc.mode = L2CAP_MODE_BASIC;
2416 rfc.txwin_size = 0;
2417 rfc.max_transmit = 0;
2418 rfc.retrans_timeout = 0;
2419 rfc.monitor_timeout = 0;
2420 rfc.max_pdu_size = 0;
2421
63406504
GP		 2422 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2423 (unsigned long) &rfc);
65c7c491
MH		 2424 break;
2425
2426 case L2CAP_MODE_ERTM:
2427 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2428 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2429 rfc.retrans_timeout = 0;
2430 rfc.monitor_timeout = 0;
c8f79162
AE		 2431
2432 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2433 L2CAP_EXT_HDR_SIZE -
2434 L2CAP_SDULEN_SIZE -
2435 L2CAP_FCS_SIZE);
2436 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2437
6327eb98
AE		 2438 l2cap_txwin_setup(chan);
2439
2440 rfc.txwin_size = min_t(u16, chan->tx_win,
2441 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2442
63406504
GP		 2443 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2444 (unsigned long) &rfc);
2445
f89cef09
AE		 2446 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2447 l2cap_add_opt_efs(&ptr, chan);
2448
8c1d787b 2449 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2450 break;
2451
47d1ec61 2452 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2453 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2454 chan->fcs = L2CAP_FCS_NONE;
2455 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2456 }
6327eb98
AE		 2457
2458 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2459 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2460 chan->tx_win);
f2fcfcd6
GP		 2461 break;
2462
2463 case L2CAP_MODE_STREAMING:
2464 rfc.mode = L2CAP_MODE_STREAMING;
2465 rfc.txwin_size = 0;
2466 rfc.max_transmit = 0;
2467 rfc.retrans_timeout = 0;
2468 rfc.monitor_timeout = 0;
c8f79162
AE		 2469
2470 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2471 L2CAP_EXT_HDR_SIZE -
2472 L2CAP_SDULEN_SIZE -
2473 L2CAP_FCS_SIZE);
2474 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2475
63406504
GP		 2476 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2477 (unsigned long) &rfc);
2478
f89cef09
AE		 2479 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2480 l2cap_add_opt_efs(&ptr, chan);
2481
8c1d787b 2482 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2483 break;
2484
47d1ec61 2485 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2486 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2487 chan->fcs = L2CAP_FCS_NONE;
2488 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2489 }
65c7c491
MH		 2490 break;
2491 }
1da177e4 2492
fe4128e0 2493 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 2494 req->flags = cpu_to_le16(0);
1da177e4
LT		 2495
2496 return ptr - data;
2497}
2498
73ffa904 2499static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2500{
5dee9e7c
MH		 2501 struct l2cap_conf_rsp *rsp = data;
2502 void *ptr = rsp->data;
73ffa904
GP		 2503 void *req = chan->conf_req;
2504 int len = chan->conf_len;
5dee9e7c
MH		 2505 int type, hint, olen;
2506 unsigned long val;
6464f35f 2507 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2508 struct l2cap_conf_efs efs;
2509 u8 remote_efs = 0;
861d6882 2510 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2511 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2512 u16 size;
1da177e4 2513
73ffa904 2514 BT_DBG("chan %p", chan);
820ae1b8 2515
5dee9e7c
MH		 2516 while (len >= L2CAP_CONF_OPT_SIZE) {
2517 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2518
589d2746 2519 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2520 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2521
2522 switch (type) {
2523 case L2CAP_CONF_MTU:
861d6882 2524 mtu = val;
5dee9e7c
MH		 2525 break;
2526
2527 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2528 chan->flush_to = val;
5dee9e7c
MH		 2529 break;
2530
2531 case L2CAP_CONF_QOS:
2532 break;
2533
6464f35f
MH		 2534 case L2CAP_CONF_RFC:
2535 if (olen == sizeof(rfc))
2536 memcpy(&rfc, (void *) val, olen);
2537 break;
2538
fcc203c3
GP		 2539 case L2CAP_CONF_FCS:
2540 if (val == L2CAP_FCS_NONE)
c1360a1c 2541 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 2542 break;
fcc203c3 2543
42dceae2
AE		 2544 case L2CAP_CONF_EFS:
2545 remote_efs = 1;
2546 if (olen == sizeof(efs))
2547 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 2548 break;
2549
6327eb98
AE		 2550 case L2CAP_CONF_EWS:
2551 if (!enable_hs)
2552 return -ECONNREFUSED;
fcc203c3 2553
6327eb98
AE		 2554 set_bit(FLAG_EXT_CTRL, &chan->flags);
2555 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 2556 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 2557 chan->remote_tx_win = val;
fcc203c3
GP		 2558 break;
2559
5dee9e7c
MH		 2560 default:
2561 if (hint)
2562 break;
2563
2564 result = L2CAP_CONF_UNKNOWN;
2565 *((u8 *) ptr++) = type;
2566 break;
2567 }
2568 }
2569
73ffa904 2570 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2571 goto done;
2572
0c1bc5c6 2573 switch (chan->mode) {
f2fcfcd6
GP		 2574 case L2CAP_MODE_STREAMING:
2575 case L2CAP_MODE_ERTM:
c1360a1c 2576 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2577 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2578 chan->conn->feat_mask);
85eb53c6
GP		 2579 break;
2580 }
2581
42dceae2
AE		 2582 if (remote_efs) {
2583 if (__l2cap_efs_supported(chan))
2584 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2585 else
2586 return -ECONNREFUSED;
2587 }
2588
0c1bc5c6 2589 if (chan->mode != rfc.mode)
f2fcfcd6 2590 return -ECONNREFUSED;
742e519b 2591
f2fcfcd6 2592 break;
f2fcfcd6
GP		 2593 }
2594
2595done:
0c1bc5c6 2596 if (chan->mode != rfc.mode) {
f2fcfcd6 2597 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2598 rfc.mode = chan->mode;
f2fcfcd6 2599
73ffa904 2600 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2601 return -ECONNREFUSED;
2602
2603 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2604 sizeof(rfc), (unsigned long) &rfc);
2605 }
2606
5dee9e7c
MH		 2607 if (result == L2CAP_CONF_SUCCESS) {
2608 /* Configure output options and let the other side know
2609 * which ones we don't like. */
2610
f2fcfcd6
GP		 2611 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2612 result = L2CAP_CONF_UNACCEPT;
2613 else {
0c1bc5c6 2614 chan->omtu = mtu;
c1360a1c 2615 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 2616 }
0c1bc5c6 2617 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2618
42dceae2
AE		 2619 if (remote_efs) {
2620 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2621 efs.stype != L2CAP_SERV_NOTRAFIC &&
2622 efs.stype != chan->local_stype) {
2623
2624 result = L2CAP_CONF_UNACCEPT;
2625
2626 if (chan->num_conf_req >= 1)
2627 return -ECONNREFUSED;
2628
2629 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 2630 sizeof(efs),
42dceae2 2631 (unsigned long) &efs);
0e8b207e 2632 } else {
3e6b3b95 2633 /* Send PENDING Conf Rsp */
0e8b207e
AE		 2634 result = L2CAP_CONF_PENDING;
2635 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 2636 }
2637 }
2638
f2fcfcd6
GP		 2639 switch (rfc.mode) {
2640 case L2CAP_MODE_BASIC:
47d1ec61 2641 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2642 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 2643 break;
2644
2645 case L2CAP_MODE_ERTM:
6327eb98
AE		 2646 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
2647 chan->remote_tx_win = rfc.txwin_size;
2648 else
2649 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 2650
2c03a7a4 2651 chan->remote_max_tx = rfc.max_transmit;
1c762159 2652
c8f79162
AE		 2653 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2654 chan->conn->mtu -
2655 L2CAP_EXT_HDR_SIZE -
2656 L2CAP_SDULEN_SIZE -
2657 L2CAP_FCS_SIZE);
2658 rfc.max_pdu_size = cpu_to_le16(size);
2659 chan->remote_mps = size;
f2fcfcd6 2660
10467e9e 2661 rfc.retrans_timeout =
4fd21a88 2662 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
10467e9e 2663 rfc.monitor_timeout =
4fd21a88 2664 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2665
c1360a1c 2666 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2667
2668 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2669 sizeof(rfc), (unsigned long) &rfc);
2670
42dceae2
AE		 2671 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2672 chan->remote_id = efs.id;
2673 chan->remote_stype = efs.stype;
2674 chan->remote_msdu = le16_to_cpu(efs.msdu);
2675 chan->remote_flush_to =
2676 le32_to_cpu(efs.flush_to);
2677 chan->remote_acc_lat =
2678 le32_to_cpu(efs.acc_lat);
2679 chan->remote_sdu_itime =
2680 le32_to_cpu(efs.sdu_itime);
2681 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2682 sizeof(efs), (unsigned long) &efs);
2683 }
f2fcfcd6
GP		 2684 break;
2685
2686 case L2CAP_MODE_STREAMING:
c8f79162
AE		 2687 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2688 chan->conn->mtu -
2689 L2CAP_EXT_HDR_SIZE -
2690 L2CAP_SDULEN_SIZE -
2691 L2CAP_FCS_SIZE);
2692 rfc.max_pdu_size = cpu_to_le16(size);
2693 chan->remote_mps = size;
f2fcfcd6 2694
c1360a1c 2695 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2696
2697 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2698 sizeof(rfc), (unsigned long) &rfc);
2699
f2fcfcd6
GP		 2700 break;
2701
2702 default:
5dee9e7c 2703 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2704
6464f35f 2705 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2706 rfc.mode = chan->mode;
f2fcfcd6 2707 }
6464f35f 2708
f2fcfcd6 2709 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 2710 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 2711 }
fe4128e0 2712 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2713 rsp->result = cpu_to_le16(result);
2714 rsp->flags = cpu_to_le16(0x0000);
2715
2716 return ptr - data;
1da177e4
LT		 2717}
2718
b4450035 2719static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2720{
f2fcfcd6
GP		 2721 struct l2cap_conf_req *req = data;
2722 void *ptr = req->data;
2723 int type, olen;
2724 unsigned long val;
36e999a8 2725 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 2726 struct l2cap_conf_efs efs;
f2fcfcd6 2727
fe4128e0 2728 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 2729
2730 while (len >= L2CAP_CONF_OPT_SIZE) {
2731 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2732
2733 switch (type) {
2734 case L2CAP_CONF_MTU:
2735 if (val < L2CAP_DEFAULT_MIN_MTU) {
2736 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2737 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2738 } else
0c1bc5c6
GP		 2739 chan->imtu = val;
2740 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 2741 break;
2742
2743 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2744 chan->flush_to = val;
f2fcfcd6 2745 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 2746 2, chan->flush_to);
f2fcfcd6
GP		 2747 break;
2748
2749 case L2CAP_CONF_RFC:
2750 if (olen == sizeof(rfc))
2751 memcpy(&rfc, (void *)val, olen);
2752
c1360a1c 2753 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 2754 rfc.mode != chan->mode)
f2fcfcd6
GP		 2755 return -ECONNREFUSED;
2756
47d1ec61 2757 chan->fcs = 0;
f2fcfcd6
GP		 2758
2759 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2760 sizeof(rfc), (unsigned long) &rfc);
2761 break;
6327eb98
AE		 2762
2763 case L2CAP_CONF_EWS:
2764 chan->tx_win = min_t(u16, val,
2765 L2CAP_DEFAULT_EXT_WINDOW);
3e6b3b95
GP		 2766 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2767 chan->tx_win);
6327eb98 2768 break;
66af7aaf
AE		 2769
2770 case L2CAP_CONF_EFS:
2771 if (olen == sizeof(efs))
2772 memcpy(&efs, (void *)val, olen);
2773
2774 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2775 efs.stype != L2CAP_SERV_NOTRAFIC &&
2776 efs.stype != chan->local_stype)
2777 return -ECONNREFUSED;
2778
2779 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2780 sizeof(efs), (unsigned long) &efs);
2781 break;
f2fcfcd6
GP		 2782 }
2783 }
2784
0c1bc5c6 2785 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 2786 return -ECONNREFUSED;
2787
0c1bc5c6 2788 chan->mode = rfc.mode;
6c2ea7a8 2789
0e8b207e 2790 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 2791 switch (rfc.mode) {
2792 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2793 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2794 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2795 chan->mps = le16_to_cpu(rfc.max_pdu_size);
66af7aaf
AE		 2796
2797 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2798 chan->local_msdu = le16_to_cpu(efs.msdu);
2799 chan->local_sdu_itime =
2800 le32_to_cpu(efs.sdu_itime);
2801 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
2802 chan->local_flush_to =
2803 le32_to_cpu(efs.flush_to);
2804 }
f2fcfcd6 2805 break;
66af7aaf 2806
f2fcfcd6 2807 case L2CAP_MODE_STREAMING:
47d1ec61 2808 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2809 }
2810 }
2811
fe4128e0 2812 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 2813 req->flags = cpu_to_le16(0x0000);
2814
2815 return ptr - data;
2816}
2817
fe4128e0 2818static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 2819{
2820 struct l2cap_conf_rsp *rsp = data;
2821 void *ptr = rsp->data;
1da177e4 2822
fe4128e0 2823 BT_DBG("chan %p", chan);
1da177e4 2824
fe4128e0 2825 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 2826 rsp->result = cpu_to_le16(result);
aca3192c 2827 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2828
2829 return ptr - data;
2830}
2831
8c1d787b 2832void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 2833{
2834 struct l2cap_conn_rsp rsp;
8c1d787b 2835 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 2836 u8 buf[128];
2837
fe4128e0
GP		 2838 rsp.scid = cpu_to_le16(chan->dcid);
2839 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 2840 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2841 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2842 l2cap_send_cmd(conn, chan->ident,
2843 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2844
c1360a1c 2845 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 2846 return;
2847
710f9b0a
GP		 2848 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2849 l2cap_build_conf_req(chan, buf), buf);
2850 chan->num_conf_req++;
2851}
2852
47d1ec61 2853static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 2854{
7b1c0049
GP		 2855 int type, olen;
2856 unsigned long val;
2857 struct l2cap_conf_rfc rfc;
2858
47d1ec61 2859 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 2860
0c1bc5c6 2861 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 2862 return;
2863
2864 while (len >= L2CAP_CONF_OPT_SIZE) {
2865 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2866
2867 switch (type) {
2868 case L2CAP_CONF_RFC:
2869 if (olen == sizeof(rfc))
2870 memcpy(&rfc, (void *)val, olen);
2871 goto done;
2872 }
2873 }
2874
36e999a8
MM		 2875 /* Use sane default values in case a misbehaving remote device
2876 * did not send an RFC option.
2877 */
2878 rfc.mode = chan->mode;
2879 rfc.retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
2880 rfc.monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
2881 rfc.max_pdu_size = cpu_to_le16(chan->imtu);
2882
2883 BT_ERR("Expected RFC option was not found, using defaults");
2884
7b1c0049
GP		 2885done:
2886 switch (rfc.mode) {
2887 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2888 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2889 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2890 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2891 break;
2892 case L2CAP_MODE_STREAMING:
47d1ec61 2893 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2894 }
2895}
2896
4e8402a3
MH		 2897static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2898{
e2fd318e 2899 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 2900
e2fd318e 2901 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 2902 return 0;
2903
2904 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2905 cmd->ident == conn->info_ident) {
17cd3f37 2906 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 2907
2908 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2909 conn->info_ident = 0;
984947dc 2910
4e8402a3
MH		 2911 l2cap_conn_start(conn);
2912 }
2913
2914 return 0;
2915}
2916
1da177e4
LT		 2917static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2918{
1da177e4
LT		 2919 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2920 struct l2cap_conn_rsp rsp;
23691d75 2921 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 2922 struct sock *parent, *sk = NULL;
e7c29cb1 2923 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2924
2925 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2926 __le16 psm = req->psm;
1da177e4 2927
097db76c 2928 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 2929
2930 /* Check if we have socket listening on psm */
c2287681 2931 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 2932 if (!pchan) {
1da177e4
LT		 2933 result = L2CAP_CR_BAD_PSM;
2934 goto sendresp;
2935 }
2936
23691d75
GP		 2937 parent = pchan->sk;
2938
3df91ea2 2939 mutex_lock(&conn->chan_lock);
aa2ac881 2940 lock_sock(parent);
e0f0cb56 2941
e7c29cb1
MH		 2942 /* Check if the ACL is secure enough (if not SDP) */
2943 if (psm != cpu_to_le16(0x0001) &&
2944 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 2945 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 2946 result = L2CAP_CR_SEC_BLOCK;
2947 goto response;
2948 }
2949
1da177e4
LT		 2950 result = L2CAP_CR_NO_MEM;
2951
2952 /* Check for backlog size */
2953 if (sk_acceptq_is_full(parent)) {
8e87d142 2954 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2955 goto response;
2956 }
2957
80808e43
GP		 2958 chan = pchan->ops->new_connection(pchan->data);
2959 if (!chan)
1da177e4
LT		 2960 goto response;
2961
80808e43
GP		 2962 sk = chan->sk;
2963
1da177e4 2964 /* Check if we already have channel with that dcid */
baa7e1fa 2965 if (__l2cap_get_chan_by_dcid(conn, scid)) {
1da177e4 2966 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 2967 chan->ops->close(chan->data);
1da177e4
LT		 2968 goto response;
2969 }
2970
2971 hci_conn_hold(conn->hcon);
2972
1da177e4
LT		 2973 bacpy(&bt_sk(sk)->src, conn->src);
2974 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 2975 chan->psm = psm;
2976 chan->dcid = scid;
1da177e4 2977
d1010240
GP		 2978 bt_accept_enqueue(parent, sk);
2979
6be36555 2980 __l2cap_chan_add(conn, chan);
48454079 2981
fe4128e0 2982 dcid = chan->scid;
1da177e4 2983
c9b66675 2984 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 2985
fc7f8a7e 2986 chan->ident = cmd->ident;
1da177e4 2987
984947dc 2988 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 2989 if (l2cap_chan_check_security(chan)) {
f66dc81f 2990 if (bt_sk(sk)->defer_setup) {
0e587be7 2991 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 2992 result = L2CAP_CR_PEND;
2993 status = L2CAP_CS_AUTHOR_PEND;
2994 parent->sk_data_ready(parent, 0);
2995 } else {
0e587be7 2996 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 2997 result = L2CAP_CR_SUCCESS;
2998 status = L2CAP_CS_NO_INFO;
2999 }
79d554a6 3000 } else {
0e587be7 3001 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3002 result = L2CAP_CR_PEND;
3003 status = L2CAP_CS_AUTHEN_PEND;
3004 }
3005 } else {
0e587be7 3006 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3007 result = L2CAP_CR_PEND;
3008 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3009 }
3010
1da177e4 3011response:
aa2ac881 3012 release_sock(parent);
3df91ea2 3013 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3014
3015sendresp:
aca3192c
YH		 3016 rsp.scid = cpu_to_le16(scid);
3017 rsp.dcid = cpu_to_le16(dcid);
3018 rsp.result = cpu_to_le16(result);
3019 rsp.status = cpu_to_le16(status);
1da177e4 3020 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 3021
3022 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3023 struct l2cap_info_req info;
3024 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3025
3026 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3027 conn->info_ident = l2cap_get_ident(conn);
3028
ba13ccd9 3029 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 3030
3031 l2cap_send_cmd(conn, conn->info_ident,
3032 L2CAP_INFO_REQ, sizeof(info), &info);
3033 }
3034
c1360a1c 3035 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 3036 result == L2CAP_CR_SUCCESS) {
3037 u8 buf[128];
c1360a1c 3038 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3039 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3040 l2cap_build_conf_req(chan, buf), buf);
3041 chan->num_conf_req++;
e9aeb2dd
GP		 3042 }
3043
1da177e4
LT		 3044 return 0;
3045}
3046
3047static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3048{
3049 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3050 u16 scid, dcid, result, status;
48454079 3051 struct l2cap_chan *chan;
1da177e4 3052 u8 req[128];
3df91ea2 3053 int err;
1da177e4
LT		 3054
3055 scid = __le16_to_cpu(rsp->scid);
3056 dcid = __le16_to_cpu(rsp->dcid);
3057 result = __le16_to_cpu(rsp->result);
3058 status = __le16_to_cpu(rsp->status);
3059
1b009c98
AE		 3060 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3061 dcid, scid, result, status);
1da177e4 3062
3df91ea2
AE		 3063 mutex_lock(&conn->chan_lock);
3064
1da177e4 3065 if (scid) {
3df91ea2
AE		 3066 chan = __l2cap_get_chan_by_scid(conn, scid);
3067 if (!chan) {
3068 err = -EFAULT;
3069 goto unlock;
3070 }
1da177e4 3071 } else {
3df91ea2
AE		 3072 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3073 if (!chan) {
3074 err = -EFAULT;
3075 goto unlock;
3076 }
1da177e4
LT		 3077 }
3078
3df91ea2
AE		 3079 err = 0;
3080
6be36555 3081 l2cap_chan_lock(chan);
48454079 3082
1da177e4
LT		 3083 switch (result) {
3084 case L2CAP_CR_SUCCESS:
89bc500e 3085 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3086 chan->ident = 0;
fe4128e0 3087 chan->dcid = dcid;
c1360a1c 3088 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3089
c1360a1c 3090 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3091 break;
3092
1da177e4 3093 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3094 l2cap_build_conf_req(chan, req), req);
3095 chan->num_conf_req++;
1da177e4
LT		 3096 break;
3097
3098 case L2CAP_CR_PEND:
c1360a1c 3099 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3100 break;
3101
3102 default:
48454079 3103 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3104 break;
3105 }
3106
6be36555 3107 l2cap_chan_unlock(chan);
3df91ea2
AE		 3108
3109unlock:
3110 mutex_unlock(&conn->chan_lock);
3111
3112 return err;
1da177e4
LT		 3113}
3114
47d1ec61 3115static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3116{
3117 /* FCS is enabled only in ERTM or streaming mode, if one or both
3118 * sides request it.
3119 */
0c1bc5c6 3120 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3121 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3122 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3123 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3124}
3125
88219a0f 3126static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 3127{
3128 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3129 u16 dcid, flags;
3130 u8 rsp[64];
48454079 3131 struct l2cap_chan *chan;
3c588192 3132 int len, err = 0;
1da177e4
LT		 3133
3134 dcid = __le16_to_cpu(req->dcid);
3135 flags = __le16_to_cpu(req->flags);
3136
3137 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3138
baa7e1fa 3139 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3140 if (!chan)
1da177e4
LT		 3141 return -ENOENT;
3142
6be36555 3143 l2cap_chan_lock(chan);
48454079 3144
033b1142 3145 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3146 struct l2cap_cmd_rej_cid rej;
3147
3148 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
3149 rej.scid = cpu_to_le16(chan->scid);
3150 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3151
df6bd743
GP		 3152 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
3153 sizeof(rej), &rej);
354f60a9 3154 goto unlock;
df6bd743 3155 }
354f60a9 3156
5dee9e7c 3157 /* Reject if config buffer is too small. */
88219a0f 3158 len = cmd_len - sizeof(*req);
7ac28817 3159 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3160 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3161 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 3162 L2CAP_CONF_REJECT, flags), rsp);
3163 goto unlock;
3164 }
3165
3166 /* Store config. */
73ffa904
GP		 3167 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3168 chan->conf_len += len;
1da177e4
LT		 3169
3170 if (flags & 0x0001) {
3171 /* Incomplete config. Send empty response. */
3172 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3173 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 3174 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 3175 goto unlock;
3176 }
3177
3178 /* Complete config. */
73ffa904 3179 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3180 if (len < 0) {
e92c8e70 3181 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 3182 goto unlock;
f2fcfcd6 3183 }
1da177e4 3184
5dee9e7c 3185 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3186 chan->num_conf_rsp++;
5dee9e7c 3187
5dee9e7c 3188 /* Reset config buffer. */
73ffa904 3189 chan->conf_len = 0;
5dee9e7c 3190
c1360a1c 3191 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3192 goto unlock;
3193
c1360a1c 3194 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3195 set_default_fcs(chan);
fcc203c3 3196
89bc500e 3197 l2cap_state_change(chan, BT_CONNECTED);
e90bac06 3198
105bdf9e
MM		 3199 if (chan->mode == L2CAP_MODE_ERTM ||
3200 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3201 err = l2cap_ertm_init(chan);
3202
3203 if (err < 0)
3204 l2cap_send_disconn_req(chan->conn, chan, -err);
3205 else
3206 l2cap_chan_ready(chan);
0565c1c2 3207
876d9484
MH		 3208 goto unlock;
3209 }
3210
c1360a1c 3211 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3212 u8 buf[64];
1da177e4 3213 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3214 l2cap_build_conf_req(chan, buf), buf);
3215 chan->num_conf_req++;
1da177e4
LT		 3216 }
3217
0e8b207e
AE		 3218 /* Got Conf Rsp PENDING from remote side and asume we sent
3219 Conf Rsp PENDING in the code above */
3220 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
3221 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3222
3223 /* check compatibility */
3224
3225 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3226 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3227
3228 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3229 l2cap_build_conf_rsp(chan, rsp,
0e8b207e
AE		 3230 L2CAP_CONF_SUCCESS, 0x0000), rsp);
3231 }
3232
1da177e4 3233unlock:
6be36555 3234 l2cap_chan_unlock(chan);
3c588192 3235 return err;
1da177e4
LT		 3236}
3237
3238static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3239{
3240 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3241 u16 scid, flags, result;
48454079 3242 struct l2cap_chan *chan;
61386cba 3243 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3244 int err = 0;
1da177e4
LT		 3245
3246 scid = __le16_to_cpu(rsp->scid);
3247 flags = __le16_to_cpu(rsp->flags);
3248 result = __le16_to_cpu(rsp->result);
3249
61386cba
AE		 3250 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3251 result, len);
1da177e4 3252
baa7e1fa 3253 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3254 if (!chan)
1da177e4
LT		 3255 return 0;
3256
6be36555 3257 l2cap_chan_lock(chan);
48454079 3258
1da177e4
LT		 3259 switch (result) {
3260 case L2CAP_CONF_SUCCESS:
47d1ec61 3261 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3262 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3263 break;
3264
0e8b207e
AE		 3265 case L2CAP_CONF_PENDING:
3266 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3267
3268 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3269 char buf[64];
3270
3271 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3272 buf, &result);
3273 if (len < 0) {
3274 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3275 goto done;
3276 }
3277
3278 /* check compatibility */
3279
3280 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3281 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3282
3283 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3284 l2cap_build_conf_rsp(chan, buf,
0e8b207e
AE		 3285 L2CAP_CONF_SUCCESS, 0x0000), buf);
3286 }
3287 goto done;
3288
1da177e4 3289 case L2CAP_CONF_UNACCEPT:
73ffa904 3290 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3291 char req[64];
3292
c2c77ec8 3293 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 3294 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 3295 goto done;
3296 }
3297
f2fcfcd6
GP		 3298 /* throw out any old stored conf requests */
3299 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 3300 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3301 req, &result);
f2fcfcd6 3302 if (len < 0) {
e92c8e70 3303 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 3304 goto done;
3305 }
3306
3307 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3308 L2CAP_CONF_REQ, len, req);
73ffa904 3309 chan->num_conf_req++;
f2fcfcd6
GP		 3310 if (result != L2CAP_CONF_SUCCESS)
3311 goto done;
3312 break;
1da177e4
LT		 3313 }
3314
8e87d142 3315 default:
6be36555 3316 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 3317
ba13ccd9 3318 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 3319 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 3320 goto done;
3321 }
3322
3323 if (flags & 0x01)
3324 goto done;
3325
c1360a1c 3326 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 3327
c1360a1c 3328 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 3329 set_default_fcs(chan);
fcc203c3 3330
89bc500e 3331 l2cap_state_change(chan, BT_CONNECTED);
105bdf9e
MM		 3332 if (chan->mode == L2CAP_MODE_ERTM ||
3333 chan->mode == L2CAP_MODE_STREAMING)
3c588192 3334 err = l2cap_ertm_init(chan);
0565c1c2 3335
3c588192
MM		 3336 if (err < 0)
3337 l2cap_send_disconn_req(chan->conn, chan, -err);
3338 else
3339 l2cap_chan_ready(chan);
1da177e4
LT		 3340 }
3341
3342done:
6be36555 3343 l2cap_chan_unlock(chan);
3c588192 3344 return err;
1da177e4
LT		 3345}
3346
3347static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3348{
3349 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3350 struct l2cap_disconn_rsp rsp;
3351 u16 dcid, scid;
48454079 3352 struct l2cap_chan *chan;
1da177e4
LT		 3353 struct sock *sk;
3354
3355 scid = __le16_to_cpu(req->scid);
3356 dcid = __le16_to_cpu(req->dcid);
3357
3358 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3359
3df91ea2
AE		 3360 mutex_lock(&conn->chan_lock);
3361
3362 chan = __l2cap_get_chan_by_scid(conn, dcid);
3363 if (!chan) {
3364 mutex_unlock(&conn->chan_lock);
1da177e4 3365 return 0;
3df91ea2 3366 }
1da177e4 3367
6be36555
AE		 3368 l2cap_chan_lock(chan);
3369
48454079
GP		 3370 sk = chan->sk;
3371
fe4128e0
GP		 3372 rsp.dcid = cpu_to_le16(chan->scid);
3373 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3374 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3375
6be36555 3376 lock_sock(sk);
1da177e4 3377 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 3378 release_sock(sk);
1da177e4 3379
61d6ef3e 3380 l2cap_chan_hold(chan);
48454079 3381 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 3382
3383 l2cap_chan_unlock(chan);
1da177e4 3384
ba3bd0ee 3385 chan->ops->close(chan->data);
61d6ef3e 3386 l2cap_chan_put(chan);
3df91ea2
AE		 3387
3388 mutex_unlock(&conn->chan_lock);
3389
1da177e4
LT		 3390 return 0;
3391}
3392
3393static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3394{
3395 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3396 u16 dcid, scid;
48454079 3397 struct l2cap_chan *chan;
1da177e4
LT		 3398
3399 scid = __le16_to_cpu(rsp->scid);
3400 dcid = __le16_to_cpu(rsp->dcid);
3401
3402 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3403
3df91ea2
AE		 3404 mutex_lock(&conn->chan_lock);
3405
3406 chan = __l2cap_get_chan_by_scid(conn, scid);
3407 if (!chan) {
3408 mutex_unlock(&conn->chan_lock);
1da177e4 3409 return 0;
3df91ea2 3410 }
1da177e4 3411
6be36555 3412 l2cap_chan_lock(chan);
48454079 3413
61d6ef3e 3414 l2cap_chan_hold(chan);
48454079 3415 l2cap_chan_del(chan, 0);
6be36555
AE		 3416
3417 l2cap_chan_unlock(chan);
1da177e4 3418
ba3bd0ee 3419 chan->ops->close(chan->data);
61d6ef3e 3420 l2cap_chan_put(chan);
3df91ea2
AE		 3421
3422 mutex_unlock(&conn->chan_lock);
3423
1da177e4
LT		 3424 return 0;
3425}
3426
3427static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3428{
3429 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3430 u16 type;
3431
3432 type = __le16_to_cpu(req->type);
3433
3434 BT_DBG("type 0x%4.4x", type);
3435
f0709e03
MH		 3436 if (type == L2CAP_IT_FEAT_MASK) {
3437 u8 buf[8];
44dd46de 3438 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 3439 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3440 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3441 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3442 if (!disable_ertm)
fcc203c3
GP		 3443 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3444 | L2CAP_FEAT_FCS;
a5fd6f30 3445 if (enable_hs)
6327eb98
AE		 3446 feat_mask |= L2CAP_FEAT_EXT_FLOW
3447 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3448
1b7bf4ed 3449 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3450 l2cap_send_cmd(conn, cmd->ident,
3451 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3452 } else if (type == L2CAP_IT_FIXED_CHAN) {
3453 u8 buf[12];
3454 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3455
3456 if (enable_hs)
3457 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3458 else
3459 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3460
e1027a7c
MH		 3461 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3462 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3463 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH		 3464 l2cap_send_cmd(conn, cmd->ident,
3465 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3466 } else {
3467 struct l2cap_info_rsp rsp;
3468 rsp.type = cpu_to_le16(type);
3469 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3470 l2cap_send_cmd(conn, cmd->ident,
3471 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3472 }
1da177e4
LT		 3473
3474 return 0;
3475}
3476
3477static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3478{
3479 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3480 u16 type, result;
3481
3482 type = __le16_to_cpu(rsp->type);
3483 result = __le16_to_cpu(rsp->result);
3484
3485 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3486
e90165be
AE		 3487 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3488 if (cmd->ident != conn->info_ident ||
3489 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3490 return 0;
3491
17cd3f37 3492 cancel_delayed_work(&conn->info_timer);
4e8402a3 3493
adb08ede
VT		 3494 if (result != L2CAP_IR_SUCCESS) {
3495 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3496 conn->info_ident = 0;
3497
3498 l2cap_conn_start(conn);
3499
3500 return 0;
3501 }
3502
978c93b9
AE		 3503 switch (type) {
3504 case L2CAP_IT_FEAT_MASK:
83985319 3505 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3506
47ec1dcd 3507 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 3508 struct l2cap_info_req req;
3509 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3510
3511 conn->info_ident = l2cap_get_ident(conn);
3512
3513 l2cap_send_cmd(conn, conn->info_ident,
3514 L2CAP_INFO_REQ, sizeof(req), &req);
3515 } else {
3516 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3517 conn->info_ident = 0;
3518
3519 l2cap_conn_start(conn);
3520 }
978c93b9
AE		 3521 break;
3522
3523 case L2CAP_IT_FIXED_CHAN:
3524 conn->fixed_chan_mask = rsp->data[0];
984947dc 3525 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3526 conn->info_ident = 0;
984947dc
MH		 3527
3528 l2cap_conn_start(conn);
978c93b9 3529 break;
984947dc 3530 }
4e8402a3 3531
1da177e4
LT		 3532 return 0;
3533}
3534
f94ff6ff
MM		 3535static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3536 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3537 void *data)
3538{
3539 struct l2cap_create_chan_req *req = data;
3540 struct l2cap_create_chan_rsp rsp;
3541 u16 psm, scid;
3542
3543 if (cmd_len != sizeof(*req))
3544 return -EPROTO;
3545
3546 if (!enable_hs)
3547 return -EINVAL;
3548
3549 psm = le16_to_cpu(req->psm);
3550 scid = le16_to_cpu(req->scid);
3551
3552 BT_DBG("psm %d, scid %d, amp_id %d", psm, scid, req->amp_id);
3553
3554 /* Placeholder: Always reject */
3555 rsp.dcid = 0;
3556 rsp.scid = cpu_to_le16(scid);
8ce0c498
AE		 3557 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
3558 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f94ff6ff
MM		 3559
3560 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
3561 sizeof(rsp), &rsp);
3562
3563 return 0;
3564}
3565
3566static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
3567 struct l2cap_cmd_hdr *cmd, void *data)
3568{
3569 BT_DBG("conn %p", conn);
3570
3571 return l2cap_connect_rsp(conn, cmd, data);
3572}
3573
8d5a04a1
MM		 3574static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
3575 u16 icid, u16 result)
3576{
3577 struct l2cap_move_chan_rsp rsp;
3578
3579 BT_DBG("icid %d, result %d", icid, result);
3580
3581 rsp.icid = cpu_to_le16(icid);
3582 rsp.result = cpu_to_le16(result);
3583
3584 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
3585}
3586
3587static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
3588 struct l2cap_chan *chan, u16 icid, u16 result)
3589{
3590 struct l2cap_move_chan_cfm cfm;
3591 u8 ident;
3592
3593 BT_DBG("icid %d, result %d", icid, result);
3594
3595 ident = l2cap_get_ident(conn);
3596 if (chan)
3597 chan->ident = ident;
3598
3599 cfm.icid = cpu_to_le16(icid);
3600 cfm.result = cpu_to_le16(result);
3601
3602 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
3603}
3604
3605static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
3606 u16 icid)
3607{
3608 struct l2cap_move_chan_cfm_rsp rsp;
3609
3610 BT_DBG("icid %d", icid);
3611
3612 rsp.icid = cpu_to_le16(icid);
3613 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
3614}
3615
3616static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
3617 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3618{
3619 struct l2cap_move_chan_req *req = data;
3620 u16 icid = 0;
3621 u16 result = L2CAP_MR_NOT_ALLOWED;
3622
3623 if (cmd_len != sizeof(*req))
3624 return -EPROTO;
3625
3626 icid = le16_to_cpu(req->icid);
3627
3628 BT_DBG("icid %d, dest_amp_id %d", icid, req->dest_amp_id);
3629
3630 if (!enable_hs)
3631 return -EINVAL;
3632
3633 /* Placeholder: Always refuse */
3634 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
3635
3636 return 0;
3637}
3638
3639static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
3640 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3641{
3642 struct l2cap_move_chan_rsp *rsp = data;
3643 u16 icid, result;
3644
3645 if (cmd_len != sizeof(*rsp))
3646 return -EPROTO;
3647
3648 icid = le16_to_cpu(rsp->icid);
3649 result = le16_to_cpu(rsp->result);
3650
3651 BT_DBG("icid %d, result %d", icid, result);
3652
3653 /* Placeholder: Always unconfirmed */
3654 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
3655
3656 return 0;
3657}
3658
3659static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
3660 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3661{
3662 struct l2cap_move_chan_cfm *cfm = data;
3663 u16 icid, result;
3664
3665 if (cmd_len != sizeof(*cfm))
3666 return -EPROTO;
3667
3668 icid = le16_to_cpu(cfm->icid);
3669 result = le16_to_cpu(cfm->result);
3670
3671 BT_DBG("icid %d, result %d", icid, result);
3672
3673 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
3674
3675 return 0;
3676}
3677
3678static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
3679 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3680{
3681 struct l2cap_move_chan_cfm_rsp *rsp = data;
3682 u16 icid;
3683
3684 if (cmd_len != sizeof(*rsp))
3685 return -EPROTO;
3686
3687 icid = le16_to_cpu(rsp->icid);
3688
3689 BT_DBG("icid %d", icid);
3690
3691 return 0;
3692}
3693
e2174ca4 3694static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 3695 u16 to_multiplier)
3696{
3697 u16 max_latency;
3698
3699 if (min > max || min < 6 || max > 3200)
3700 return -EINVAL;
3701
3702 if (to_multiplier < 10 || to_multiplier > 3200)
3703 return -EINVAL;
3704
3705 if (max >= to_multiplier * 8)
3706 return -EINVAL;
3707
3708 max_latency = (to_multiplier * 8 / max) - 1;
3709 if (latency > 499 || latency > max_latency)
3710 return -EINVAL;
3711
3712 return 0;
3713}
3714
3715static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
3716 struct l2cap_cmd_hdr *cmd, u8 *data)
3717{
3718 struct hci_conn *hcon = conn->hcon;
3719 struct l2cap_conn_param_update_req *req;
3720 struct l2cap_conn_param_update_rsp rsp;
3721 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 3722 int err;
de73115a
CT		 3723
3724 if (!(hcon->link_mode & HCI_LM_MASTER))
3725 return -EINVAL;
3726
3727 cmd_len = __le16_to_cpu(cmd->len);
3728 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
3729 return -EPROTO;
3730
3731 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 3732 min = __le16_to_cpu(req->min);
3733 max = __le16_to_cpu(req->max);
de73115a
CT		 3734 latency = __le16_to_cpu(req->latency);
3735 to_multiplier = __le16_to_cpu(req->to_multiplier);
3736
3737 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
3738 min, max, latency, to_multiplier);
3739
3740 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 3741
3742 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
3743 if (err)
de73115a
CT		 3744 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
3745 else
3746 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
3747
3748 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
3749 sizeof(rsp), &rsp);
3750
2ce603eb
CT		 3751 if (!err)
3752 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
3753
de73115a
CT		 3754 return 0;
3755}
3756
3300d9a9
CT		 3757static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
3758 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3759{
3760 int err = 0;
3761
3762 switch (cmd->code) {
3763 case L2CAP_COMMAND_REJ:
3764 l2cap_command_rej(conn, cmd, data);
3765 break;
3766
3767 case L2CAP_CONN_REQ:
3768 err = l2cap_connect_req(conn, cmd, data);
3769 break;
3770
3771 case L2CAP_CONN_RSP:
3772 err = l2cap_connect_rsp(conn, cmd, data);
3773 break;
3774
3775 case L2CAP_CONF_REQ:
3776 err = l2cap_config_req(conn, cmd, cmd_len, data);
3777 break;
3778
3779 case L2CAP_CONF_RSP:
3780 err = l2cap_config_rsp(conn, cmd, data);
3781 break;
3782
3783 case L2CAP_DISCONN_REQ:
3784 err = l2cap_disconnect_req(conn, cmd, data);
3785 break;
3786
3787 case L2CAP_DISCONN_RSP:
3788 err = l2cap_disconnect_rsp(conn, cmd, data);
3789 break;
3790
3791 case L2CAP_ECHO_REQ:
3792 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
3793 break;
3794
3795 case L2CAP_ECHO_RSP:
3796 break;
3797
3798 case L2CAP_INFO_REQ:
3799 err = l2cap_information_req(conn, cmd, data);
3800 break;
3801
3802 case L2CAP_INFO_RSP:
3803 err = l2cap_information_rsp(conn, cmd, data);
3804 break;
3805
f94ff6ff
MM		 3806 case L2CAP_CREATE_CHAN_REQ:
3807 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
3808 break;
3809
3810 case L2CAP_CREATE_CHAN_RSP:
3811 err = l2cap_create_channel_rsp(conn, cmd, data);
3812 break;
3813
8d5a04a1
MM		 3814 case L2CAP_MOVE_CHAN_REQ:
3815 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
3816 break;
3817
3818 case L2CAP_MOVE_CHAN_RSP:
3819 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
3820 break;
3821
3822 case L2CAP_MOVE_CHAN_CFM:
3823 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
3824 break;
3825
3826 case L2CAP_MOVE_CHAN_CFM_RSP:
3827 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
3828 break;
3829
3300d9a9
CT		 3830 default:
3831 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
3832 err = -EINVAL;
3833 break;
3834 }
3835
3836 return err;
3837}
3838
3839static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
3840 struct l2cap_cmd_hdr *cmd, u8 *data)
3841{
3842 switch (cmd->code) {
3843 case L2CAP_COMMAND_REJ:
3844 return 0;
3845
3846 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 3847 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 3848
3849 case L2CAP_CONN_PARAM_UPDATE_RSP:
3850 return 0;
3851
3852 default:
3853 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
3854 return -EINVAL;
3855 }
3856}
3857
3858static inline void l2cap_sig_channel(struct l2cap_conn *conn,
3859 struct sk_buff *skb)
1da177e4
LT		 3860{
3861 u8 *data = skb->data;
3862 int len = skb->len;
3863 struct l2cap_cmd_hdr cmd;
3300d9a9 3864 int err;
1da177e4
LT		 3865
3866 l2cap_raw_recv(conn, skb);
3867
3868 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3869 u16 cmd_len;
1da177e4
LT		 3870 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3871 data += L2CAP_CMD_HDR_SIZE;
3872 len -= L2CAP_CMD_HDR_SIZE;
3873
88219a0f 3874 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3875
88219a0f 3876 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3877
88219a0f 3878 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3879 BT_DBG("corrupted command");
3880 break;
3881 }
3882
3300d9a9
CT		 3883 if (conn->hcon->type == LE_LINK)
3884 err = l2cap_le_sig_cmd(conn, &cmd, data);
3885 else
3886 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 3887
3888 if (err) {
e2fd318e 3889 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 3890
3891 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 3892
3893 /* FIXME: Map err to a valid reason */
e2fd318e 3894 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 3895 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3896 }
3897
88219a0f
AV		 3898 data += cmd_len;
3899 len -= cmd_len;
1da177e4
LT		 3900 }
3901
3902 kfree_skb(skb);
3903}
3904
47d1ec61 3905static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 3906{
3907 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 3908 int hdr_size;
3909
3910 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3911 hdr_size = L2CAP_EXT_HDR_SIZE;
3912 else
3913 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 3914
47d1ec61 3915 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 3916 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 3917 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3918 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3919
3920 if (our_fcs != rcv_fcs)
7a560e5c 3921 return -EBADMSG;
fcc203c3
GP		 3922 }
3923 return 0;
3924}
3925
525cd185 3926static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 3927{
88843ab0 3928 u32 control = 0;
d5392c8f 3929
6a026610 3930 chan->frames_sent = 0;
d5392c8f 3931
0b209fae 3932 control |= __set_reqseq(chan, chan->buffer_seq);
d5392c8f 3933
e2ab4353 3934 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 3935 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
525cd185 3936 l2cap_send_sframe(chan, control);
e2ab4353 3937 set_bit(CONN_RNR_SENT, &chan->conn_state);
d5392c8f
GP		 3938 }
3939
e2ab4353 3940 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
525cd185 3941 l2cap_retransmit_frames(chan);
d5392c8f 3942
525cd185 3943 l2cap_ertm_send(chan);
d5392c8f 3944
e2ab4353 3945 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
6a026610 3946 chan->frames_sent == 0) {
ab784b73 3947 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 3948 l2cap_send_sframe(chan, control);
d5392c8f
GP		 3949 }
3950}
3951
fb45de7d 3952static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u16 tx_seq, u8 sar)
8f17154f
GP		 3953{
3954 struct sk_buff *next_skb;
bfbacc11 3955 int tx_seq_offset, next_tx_seq_offset;
8f17154f 3956
3ce3514f
MM		 3957 bt_cb(skb)->control.txseq = tx_seq;
3958 bt_cb(skb)->control.sar = sar;
8f17154f 3959
f1c6775b 3960 next_skb = skb_peek(&chan->srej_q);
8f17154f 3961
836be934 3962 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
bfbacc11 3963
039d9572 3964 while (next_skb) {
3ce3514f 3965 if (bt_cb(next_skb)->control.txseq == tx_seq)
9b53350d
JPRV		 3966 return -EINVAL;
3967
836be934 3968 next_tx_seq_offset = __seq_offset(chan,
3ce3514f 3969 bt_cb(next_skb)->control.txseq, chan->buffer_seq);
bfbacc11
JPRV		 3970
3971 if (next_tx_seq_offset > tx_seq_offset) {
f1c6775b 3972 __skb_queue_before(&chan->srej_q, next_skb, skb);
9b53350d 3973 return 0;
8f17154f
GP		 3974 }
3975
f1c6775b 3976 if (skb_queue_is_last(&chan->srej_q, next_skb))
039d9572
SJ		 3977 next_skb = NULL;
3978 else
3979 next_skb = skb_queue_next(&chan->srej_q, next_skb);
3980 }
8f17154f 3981
f1c6775b 3982 __skb_queue_tail(&chan->srej_q, skb);
9b53350d
JPRV		 3983
3984 return 0;
8f17154f
GP		 3985}
3986
84084a31
MM		 3987static void append_skb_frag(struct sk_buff *skb,
3988 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 3989{
84084a31
MM		 3990 /* skb->len reflects data in skb as well as all fragments
3991 * skb->data_len reflects only data in fragments
3992 */
3993 if (!skb_has_frag_list(skb))
3994 skb_shinfo(skb)->frag_list = new_frag;
3995
3996 new_frag->next = NULL;
3997
3998 (*last_frag)->next = new_frag;
3999 *last_frag = new_frag;
4000
4001 skb->len += new_frag->len;
4002 skb->data_len += new_frag->len;
4003 skb->truesize += new_frag->truesize;
4004}
4005
88843ab0 4006static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u32 control)
84084a31
MM		 4007{
4008 int err = -EINVAL;
18778a63 4009
7e0ef6ee
AE		 4010 switch (__get_ctrl_sar(chan, control)) {
4011 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 4012 if (chan->sdu)
4013 break;
18778a63 4014
84084a31
MM		 4015 err = chan->ops->recv(chan->data, skb);
4016 break;
18778a63 4017
7e0ef6ee 4018 case L2CAP_SAR_START:
84084a31
MM		 4019 if (chan->sdu)
4020 break;
18778a63 4021
6f61fd47 4022 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 4023 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 4024
84084a31
MM		 4025 if (chan->sdu_len > chan->imtu) {
4026 err = -EMSGSIZE;
4027 break;
4028 }
1890d36b 4029
84084a31
MM		 4030 if (skb->len >= chan->sdu_len)
4031 break;
18778a63 4032
84084a31
MM		 4033 chan->sdu = skb;
4034 chan->sdu_last_frag = skb;
18778a63 4035
84084a31
MM		 4036 skb = NULL;
4037 err = 0;
18778a63
GP		 4038 break;
4039
7e0ef6ee 4040 case L2CAP_SAR_CONTINUE:
6f61fd47 4041 if (!chan->sdu)
84084a31 4042 break;
18778a63 4043
84084a31
MM		 4044 append_skb_frag(chan->sdu, skb,
4045 &chan->sdu_last_frag);
4046 skb = NULL;
18778a63 4047
84084a31
MM		 4048 if (chan->sdu->len >= chan->sdu_len)
4049 break;
4178ba46 4050
84084a31 4051 err = 0;
18778a63
GP		 4052 break;
4053
7e0ef6ee 4054 case L2CAP_SAR_END:
6f61fd47 4055 if (!chan->sdu)
84084a31 4056 break;
18778a63 4057
84084a31
MM		 4058 append_skb_frag(chan->sdu, skb,
4059 &chan->sdu_last_frag);
4060 skb = NULL;
4178ba46 4061
84084a31
MM		 4062 if (chan->sdu->len != chan->sdu_len)
4063 break;
18778a63 4064
84084a31 4065 err = chan->ops->recv(chan->data, chan->sdu);
1890d36b 4066
84084a31
MM		 4067 if (!err) {
4068 /* Reassembly complete */
4069 chan->sdu = NULL;
4070 chan->sdu_last_frag = NULL;
4071 chan->sdu_len = 0;
1890d36b 4072 }
18778a63
GP		 4073 break;
4074 }
4075
84084a31
MM		 4076 if (err) {
4077 kfree_skb(skb);
4078 kfree_skb(chan->sdu);
4079 chan->sdu = NULL;
4080 chan->sdu_last_frag = NULL;
4081 chan->sdu_len = 0;
4082 }
18778a63 4083
84084a31 4084 return err;
18778a63
GP		 4085}
4086
26f880d2 4087static void l2cap_ertm_enter_local_busy(struct l2cap_chan *chan)
712132eb 4088{
26f880d2 4089 BT_DBG("chan %p, Enter local busy", chan);
712132eb 4090
26f880d2 4091 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3c588192 4092 l2cap_seq_list_clear(&chan->srej_list);
26f880d2 4093
77f918bc 4094 __set_ack_timer(chan);
26f880d2
MM		 4095}
4096
4097static void l2cap_ertm_exit_local_busy(struct l2cap_chan *chan)
4098{
88843ab0 4099 u32 control;
712132eb 4100
e2ab4353 4101 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
712132eb
GP		 4102 goto done;
4103
0b209fae 4104 control = __set_reqseq(chan, chan->buffer_seq);
e3781735 4105 control |= __set_ctrl_poll(chan);
ab784b73 4106 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 4107 l2cap_send_sframe(chan, control);
6a026610 4108 chan->retry_count = 1;
712132eb 4109
1a09bcb9
GP		 4110 __clear_retrans_timer(chan);
4111 __set_monitor_timer(chan);
712132eb 4112
e2ab4353 4113 set_bit(CONN_WAIT_F, &chan->conn_state);
712132eb
GP		 4114
4115done:
e2ab4353
GP		 4116 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
4117 clear_bit(CONN_RNR_SENT, &chan->conn_state);
712132eb 4118
49208c9c 4119 BT_DBG("chan %p, Exit local busy", chan);
712132eb
GP		 4120}
4121
e328140f 4122void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
1890d36b 4123{
e328140f
MM		 4124 if (chan->mode == L2CAP_MODE_ERTM) {
4125 if (busy)
4126 l2cap_ertm_enter_local_busy(chan);
4127 else
4128 l2cap_ertm_exit_local_busy(chan);
1890d36b 4129 }
1890d36b
GP		 4130}
4131
fb45de7d 4132static void l2cap_check_srej_gap(struct l2cap_chan *chan, u16 tx_seq)
8f17154f
GP		 4133{
4134 struct sk_buff *skb;
88843ab0 4135 u32 control;
8f17154f 4136
e328140f
MM		 4137 while ((skb = skb_peek(&chan->srej_q)) &&
4138 !test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4139 int err;
4140
3ce3514f 4141 if (bt_cb(skb)->control.txseq != tx_seq)
8f17154f
GP		 4142 break;
4143
f1c6775b 4144 skb = skb_dequeue(&chan->srej_q);
3ce3514f 4145 control = __set_ctrl_sar(chan, bt_cb(skb)->control.sar);
84084a31 4146 err = l2cap_reassemble_sdu(chan, skb, control);
e328140f
MM		 4147
4148 if (err < 0) {
4149 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4150 break;
4151 }
4152
836be934
AE		 4153 chan->buffer_seq_srej = __next_seq(chan, chan->buffer_seq_srej);
4154 tx_seq = __next_seq(chan, tx_seq);
8f17154f
GP		 4155 }
4156}
4157
fb45de7d 4158static void l2cap_resend_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 4159{
8f17154f 4160 struct srej_list *l, *tmp;
88843ab0 4161 u32 control;
8f17154f 4162
39d5a3ee 4163 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
8f17154f
GP		 4164 if (l->tx_seq == tx_seq) {
4165 list_del(&l->list);
4166 kfree(l);
4167 return;
4168 }
ab784b73 4169 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 4170 control |= __set_reqseq(chan, l->tx_seq);
525cd185 4171 l2cap_send_sframe(chan, control);
8f17154f 4172 list_del(&l->list);
39d5a3ee 4173 list_add_tail(&l->list, &chan->srej_l);
8f17154f
GP		 4174 }
4175}
4176
aef89f21 4177static int l2cap_send_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 4178{
8f17154f 4179 struct srej_list *new;
88843ab0 4180 u32 control;
8f17154f 4181
42e5c802 4182 while (tx_seq != chan->expected_tx_seq) {
ab784b73 4183 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 4184 control |= __set_reqseq(chan, chan->expected_tx_seq);
3c588192 4185 l2cap_seq_list_append(&chan->srej_list, chan->expected_tx_seq);
525cd185 4186 l2cap_send_sframe(chan, control);
8f17154f
GP		 4187
4188 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
aef89f21
SJ		 4189 if (!new)
4190 return -ENOMEM;
4191
42e5c802 4192 new->tx_seq = chan->expected_tx_seq;
836be934
AE		 4193
4194 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
4195
39d5a3ee 4196 list_add_tail(&new->list, &chan->srej_l);
8f17154f 4197 }
836be934
AE		 4198
4199 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
aef89f21
SJ		 4200
4201 return 0;
8f17154f
GP		 4202}
4203
88843ab0 4204static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
1c2acffb 4205{
fb45de7d 4206 u16 tx_seq = __get_txseq(chan, rx_control);
0b209fae 4207 u16 req_seq = __get_reqseq(chan, rx_control);
7e0ef6ee 4208 u8 sar = __get_ctrl_sar(chan, rx_control);
f6337c77 4209 int tx_seq_offset, expected_tx_seq_offset;
47d1ec61 4210 int num_to_ack = (chan->tx_win/6) + 1;
1c2acffb
GP		 4211 int err = 0;
4212
88843ab0 4213 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%8.8x", chan, skb->len,
525cd185 4214 tx_seq, rx_control);
1c2acffb 4215
03f6715d 4216 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 4217 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 4218 __clear_monitor_timer(chan);
6a026610 4219 if (chan->unacked_frames > 0)
1a09bcb9 4220 __set_retrans_timer(chan);
e2ab4353 4221 clear_bit(CONN_WAIT_F, &chan->conn_state);
1d8f5d16
GP		 4222 }
4223
42e5c802
GP		 4224 chan->expected_ack_seq = req_seq;
4225 l2cap_drop_acked_frames(chan);
9f121a5a 4226
836be934 4227 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
9b53350d
JPRV		 4228
4229 /* invalid tx_seq */
47d1ec61 4230 if (tx_seq_offset >= chan->tx_win) {
8c1d787b 4231 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
9b53350d
JPRV		 4232 goto drop;
4233 }
4234
77f918bc
SJ		 4235 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4236 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
4237 l2cap_send_ack(chan);
1890d36b 4238 goto drop;
77f918bc 4239 }
1890d36b 4240
02f1b641
MM		 4241 if (tx_seq == chan->expected_tx_seq)
4242 goto expected;
4243
e2ab4353 4244 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
8f17154f 4245 struct srej_list *first;
30afb5b2 4246
39d5a3ee 4247 first = list_first_entry(&chan->srej_l,
8f17154f
GP		 4248 struct srej_list, list);
4249 if (tx_seq == first->tx_seq) {
42e5c802 4250 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
525cd185 4251 l2cap_check_srej_gap(chan, tx_seq);
8f17154f
GP		 4252
4253 list_del(&first->list);
4254 kfree(first);
4255
39d5a3ee 4256 if (list_empty(&chan->srej_l)) {
42e5c802 4257 chan->buffer_seq = chan->buffer_seq_srej;
e2ab4353 4258 clear_bit(CONN_SREJ_SENT, &chan->conn_state);
525cd185 4259 l2cap_send_ack(chan);
49208c9c 4260 BT_DBG("chan %p, Exit SREJ_SENT", chan);
8f17154f
GP		 4261 }
4262 } else {
4263 struct srej_list *l;
9b53350d
JPRV		 4264
4265 /* duplicated tx_seq */
42e5c802 4266 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
9b53350d 4267 goto drop;
8f17154f 4268
39d5a3ee 4269 list_for_each_entry(l, &chan->srej_l, list) {
8f17154f 4270 if (l->tx_seq == tx_seq) {
525cd185 4271 l2cap_resend_srejframe(chan, tx_seq);
8f17154f
GP		 4272 return 0;
4273 }
4274 }
aef89f21
SJ		 4275
4276 err = l2cap_send_srejframe(chan, tx_seq);
4277 if (err < 0) {
4278 l2cap_send_disconn_req(chan->conn, chan, -err);
4279 return err;
4280 }
30afb5b2
GP		 4281 }
4282 } else {
836be934
AE		 4283 expected_tx_seq_offset = __seq_offset(chan,
4284 chan->expected_tx_seq, chan->buffer_seq);
9b53350d
JPRV		 4285
4286 /* duplicated tx_seq */
4287 if (tx_seq_offset < expected_tx_seq_offset)
4288 goto drop;
4289
e2ab4353 4290 set_bit(CONN_SREJ_SENT, &chan->conn_state);
1c2acffb 4291
49208c9c 4292 BT_DBG("chan %p, Enter SREJ", chan);
0e98958d 4293
39d5a3ee 4294 INIT_LIST_HEAD(&chan->srej_l);
42e5c802 4295 chan->buffer_seq_srej = chan->buffer_seq;
8f17154f 4296
f1c6775b 4297 __skb_queue_head_init(&chan->srej_q);
42e5c802 4298 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
8f17154f 4299
0ef3ef0f
SJ		 4300 /* Set P-bit only if there are some I-frames to ack. */
4301 if (__clear_ack_timer(chan))
4302 set_bit(CONN_SEND_PBIT, &chan->conn_state);
ef54fd93 4303
aef89f21
SJ		 4304 err = l2cap_send_srejframe(chan, tx_seq);
4305 if (err < 0) {
4306 l2cap_send_disconn_req(chan->conn, chan, -err);
4307 return err;
4308 }
1c2acffb 4309 }
30afb5b2
GP		 4310 return 0;
4311
8f17154f 4312expected:
836be934 4313 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
8f17154f 4314
e2ab4353 4315 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3ce3514f
MM		 4316 bt_cb(skb)->control.txseq = tx_seq;
4317 bt_cb(skb)->control.sar = sar;
f1c6775b 4318 __skb_queue_tail(&chan->srej_q, skb);
8f17154f
GP		 4319 return 0;
4320 }
4321
84084a31 4322 err = l2cap_reassemble_sdu(chan, skb, rx_control);
836be934
AE		 4323 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
4324
e328140f
MM		 4325 if (err < 0) {
4326 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4327 return err;
4328 }
2ece3684 4329
03f6715d 4330 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4331 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 4332 l2cap_retransmit_frames(chan);
4ec10d97
GP		 4333 }
4334
c1b4f43b 4335
6a026610
GP		 4336 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
4337 if (chan->num_acked == num_to_ack - 1)
525cd185 4338 l2cap_send_ack(chan);
4d611e4d
GP		 4339 else
4340 __set_ack_timer(chan);
9e917af1 4341
8f17154f 4342 return 0;
9b53350d
JPRV		 4343
4344drop:
4345 kfree_skb(skb);
4346 return 0;
1c2acffb
GP		 4347}
4348
88843ab0 4349static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u32 rx_control)
1c2acffb 4350{
88843ab0 4351 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan,
0b209fae 4352 __get_reqseq(chan, rx_control), rx_control);
0e98958d 4353
0b209fae 4354 chan->expected_ack_seq = __get_reqseq(chan, rx_control);
42e5c802 4355 l2cap_drop_acked_frames(chan);
1c2acffb 4356
e3781735 4357 if (__is_ctrl_poll(chan, rx_control)) {
e2ab4353
GP		 4358 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4359 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
4360 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 4361 (chan->unacked_frames > 0))
1a09bcb9 4362 __set_retrans_timer(chan);
05fbd89d 4363
e2ab4353 4364 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
525cd185 4365 l2cap_send_srejtail(chan);
05fbd89d 4366 } else {
525cd185 4367 l2cap_send_i_or_rr_or_rnr(chan);
05fbd89d 4368 }
1d8f5d16 4369
03f6715d 4370 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4371 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4ec10d97 4372
e2ab4353 4373 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 4374 l2cap_retransmit_frames(chan);
2246b2f1 4375
e072745f 4376 } else {
e2ab4353 4377 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 4378 (chan->unacked_frames > 0))
1a09bcb9 4379 __set_retrans_timer(chan);
1c2acffb 4380
e2ab4353
GP		 4381 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4382 if (test_bit(CONN_SREJ_SENT, &chan->conn_state))
525cd185 4383 l2cap_send_ack(chan);
894718a6 4384 else
525cd185 4385 l2cap_ertm_send(chan);
e072745f
GP		 4386 }
4387}
2246b2f1 4388
88843ab0 4389static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4390{
0b209fae 4391 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 4392
88843ab0 4393 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4394
e2ab4353 4395 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
e072745f 4396
42e5c802
GP		 4397 chan->expected_ack_seq = tx_seq;
4398 l2cap_drop_acked_frames(chan);
e072745f 4399
03f6715d 4400 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4401 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 4402 l2cap_retransmit_frames(chan);
e072745f 4403 } else {
525cd185 4404 l2cap_retransmit_frames(chan);
30afb5b2 4405
e2ab4353
GP		 4406 if (test_bit(CONN_WAIT_F, &chan->conn_state))
4407 set_bit(CONN_REJ_ACT, &chan->conn_state);
e072745f
GP		 4408 }
4409}
88843ab0 4410static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4411{
0b209fae 4412 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 4413
88843ab0 4414 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4415
e2ab4353 4416 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
2246b2f1 4417
e3781735 4418 if (__is_ctrl_poll(chan, rx_control)) {
42e5c802
GP		 4419 chan->expected_ack_seq = tx_seq;
4420 l2cap_drop_acked_frames(chan);
3cb123d1 4421
e2ab4353 4422 set_bit(CONN_SEND_FBIT, &chan->conn_state);
525cd185 4423 l2cap_retransmit_one_frame(chan, tx_seq);
dfc909be 4424
525cd185 4425 l2cap_ertm_send(chan);
dfc909be 4426
e2ab4353 4427 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 4428 chan->srej_save_reqseq = tx_seq;
e2ab4353 4429 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 4430 }
03f6715d 4431 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4432 if (test_bit(CONN_SREJ_ACT, &chan->conn_state) &&
6a026610 4433 chan->srej_save_reqseq == tx_seq)
e2ab4353 4434 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
e072745f 4435 else
525cd185 4436 l2cap_retransmit_one_frame(chan, tx_seq);
e072745f 4437 } else {
525cd185 4438 l2cap_retransmit_one_frame(chan, tx_seq);
e2ab4353 4439 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 4440 chan->srej_save_reqseq = tx_seq;
e2ab4353 4441 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 4442 }
e072745f
GP		 4443 }
4444}
4445
88843ab0 4446static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4447{
0b209fae 4448 u16 tx_seq = __get_reqseq(chan, rx_control);
e072745f 4449
88843ab0 4450 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4451
e2ab4353 4452 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
42e5c802
GP		 4453 chan->expected_ack_seq = tx_seq;
4454 l2cap_drop_acked_frames(chan);
e072745f 4455
e3781735 4456 if (__is_ctrl_poll(chan, rx_control))
e2ab4353 4457 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3cb123d1 4458
e2ab4353 4459 if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
1a09bcb9 4460 __clear_retrans_timer(chan);
e3781735 4461 if (__is_ctrl_poll(chan, rx_control))
525cd185 4462 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
99b0d4b7 4463 return;
e072745f 4464 }
99b0d4b7 4465
e3781735 4466 if (__is_ctrl_poll(chan, rx_control)) {
525cd185 4467 l2cap_send_srejtail(chan);
ab784b73
AE		 4468 } else {
4469 rx_control = __set_ctrl_super(chan, L2CAP_SUPER_RR);
4470 l2cap_send_sframe(chan, rx_control);
4471 }
e072745f
GP		 4472}
4473
88843ab0 4474static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
e072745f 4475{
88843ab0 4476 BT_DBG("chan %p rx_control 0x%8.8x len %d", chan, rx_control, skb->len);
e072745f 4477
03f6715d 4478 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 4479 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 4480 __clear_monitor_timer(chan);
6a026610 4481 if (chan->unacked_frames > 0)
1a09bcb9 4482 __set_retrans_timer(chan);
e2ab4353 4483 clear_bit(CONN_WAIT_F, &chan->conn_state);
e072745f
GP		 4484 }
4485
ab784b73
AE		 4486 switch (__get_ctrl_super(chan, rx_control)) {
4487 case L2CAP_SUPER_RR:
525cd185 4488 l2cap_data_channel_rrframe(chan, rx_control);
8f17154f
GP		 4489 break;
4490
ab784b73 4491 case L2CAP_SUPER_REJ:
525cd185 4492 l2cap_data_channel_rejframe(chan, rx_control);
e072745f 4493 break;
2246b2f1 4494
ab784b73 4495 case L2CAP_SUPER_SREJ:
525cd185 4496 l2cap_data_channel_srejframe(chan, rx_control);
e072745f
GP		 4497 break;
4498
ab784b73 4499 case L2CAP_SUPER_RNR:
525cd185 4500 l2cap_data_channel_rnrframe(chan, rx_control);
1c2acffb
GP		 4501 break;
4502 }
4503
faaebd19 4504 kfree_skb(skb);
1c2acffb
GP		 4505 return 0;
4506}
4507
cad8f1d0 4508static int l2cap_ertm_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
218bb9df 4509{
88843ab0 4510 u32 control;
0b209fae 4511 u16 req_seq;
218bb9df
GP		 4512 int len, next_tx_seq_offset, req_seq_offset;
4513
b76bbd66
MM		 4514 __unpack_control(chan, skb);
4515
88843ab0
AE		 4516 control = __get_control(chan, skb->data);
4517 skb_pull(skb, __ctrl_size(chan));
218bb9df
GP		 4518 len = skb->len;
4519
4520 /*
4521 * We can just drop the corrupted I-frame here.
4522 * Receiver will miss it and start proper recovery
4523 * procedures and ask retransmission.
4524 */
47d1ec61 4525 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 4526 goto drop;
4527
793c2f1c 4528 if (__is_sar_start(chan, control) && !__is_sframe(chan, control))
03a51213 4529 len -= L2CAP_SDULEN_SIZE;
218bb9df 4530
47d1ec61 4531 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 4532 len -= L2CAP_FCS_SIZE;
218bb9df 4533
47d1ec61 4534 if (len > chan->mps) {
8c1d787b 4535 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4536 goto drop;
4537 }
4538
0b209fae 4539 req_seq = __get_reqseq(chan, control);
218bb9df 4540
836be934
AE		 4541 req_seq_offset = __seq_offset(chan, req_seq, chan->expected_ack_seq);
4542
4543 next_tx_seq_offset = __seq_offset(chan, chan->next_tx_seq,
4544 chan->expected_ack_seq);
218bb9df
GP		 4545
4546 /* check for invalid req-seq */
4547 if (req_seq_offset > next_tx_seq_offset) {
8c1d787b 4548 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4549 goto drop;
4550 }
4551
793c2f1c 4552 if (!__is_sframe(chan, control)) {
218bb9df 4553 if (len < 0) {
8c1d787b 4554 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4555 goto drop;
4556 }
4557
525cd185 4558 l2cap_data_channel_iframe(chan, control, skb);
218bb9df
GP		 4559 } else {
4560 if (len != 0) {
4561 BT_ERR("%d", len);
8c1d787b 4562 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4563 goto drop;
4564 }
4565
525cd185 4566 l2cap_data_channel_sframe(chan, control, skb);
218bb9df
GP		 4567 }
4568
4569 return 0;
4570
4571drop:
4572 kfree_skb(skb);
4573 return 0;
4574}
4575
1da177e4
LT		 4576static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
4577{
48454079 4578 struct l2cap_chan *chan;
88843ab0 4579 u32 control;
fb45de7d 4580 u16 tx_seq;
218bb9df 4581 int len;
1da177e4 4582
baa7e1fa 4583 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 4584 if (!chan) {
1da177e4 4585 BT_DBG("unknown cid 0x%4.4x", cid);
6be36555 4586 /* Drop packet and return */
3379013b 4587 kfree_skb(skb);
6be36555 4588 return 0;
1da177e4
LT		 4589 }
4590
6be36555 4591 l2cap_chan_lock(chan);
6840ed07 4592
49208c9c 4593 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 4594
89bc500e 4595 if (chan->state != BT_CONNECTED)
1da177e4
LT		 4596 goto drop;
4597
0c1bc5c6 4598 switch (chan->mode) {
1c2acffb
GP		 4599 case L2CAP_MODE_BASIC:
4600 /* If socket recv buffers overflows we drop data here
4601 * which is *bad* because L2CAP has to be reliable.
4602 * But we don't have any other choice. L2CAP doesn't
4603 * provide flow control mechanism. */
1da177e4 4604
0c1bc5c6 4605 if (chan->imtu < skb->len)
1c2acffb 4606 goto drop;
1da177e4 4607
23070494 4608 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP		 4609 goto done;
4610 break;
4611
4612 case L2CAP_MODE_ERTM:
5ef8cb9e 4613 l2cap_ertm_data_rcv(chan, skb);
1c2acffb 4614
fcafde2e 4615 goto done;
1c2acffb 4616
6840ed07 4617 case L2CAP_MODE_STREAMING:
88843ab0
AE		 4618 control = __get_control(chan, skb->data);
4619 skb_pull(skb, __ctrl_size(chan));
6840ed07
GP		 4620 len = skb->len;
4621
47d1ec61 4622 if (l2cap_check_fcs(chan, skb))
26000089
GP		 4623 goto drop;
4624
7e0ef6ee 4625 if (__is_sar_start(chan, control))
03a51213 4626 len -= L2CAP_SDULEN_SIZE;
6840ed07 4627
47d1ec61 4628 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 4629 len -= L2CAP_FCS_SIZE;
fcc203c3 4630
793c2f1c 4631 if (len > chan->mps || len < 0 || __is_sframe(chan, control))
6840ed07
GP		 4632 goto drop;
4633
fb45de7d 4634 tx_seq = __get_txseq(chan, control);
6840ed07 4635
84084a31
MM		 4636 if (chan->expected_tx_seq != tx_seq) {
4637 /* Frame(s) missing - must discard partial SDU */
4638 kfree_skb(chan->sdu);
4639 chan->sdu = NULL;
4640 chan->sdu_last_frag = NULL;
4641 chan->sdu_len = 0;
6840ed07 4642
84084a31
MM		 4643 /* TODO: Notify userland of missing data */
4644 }
4645
836be934 4646 chan->expected_tx_seq = __next_seq(chan, tx_seq);
84084a31
MM		 4647
4648 if (l2cap_reassemble_sdu(chan, skb, control) == -EMSGSIZE)
4649 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
6840ed07
GP		 4650
4651 goto done;
4652
1c2acffb 4653 default:
0c1bc5c6 4654 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 4655 break;
4656 }
1da177e4
LT		 4657
4658drop:
4659 kfree_skb(skb);
4660
4661done:
6be36555 4662 l2cap_chan_unlock(chan);
0139418c 4663
1da177e4
LT		 4664 return 0;
4665}
4666
8e036fc3 4667static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 4668{
23691d75 4669 struct l2cap_chan *chan;
1da177e4 4670
c2287681 4671 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 4672 if (!chan)
1da177e4
LT		 4673 goto drop;
4674
5b4cedaa 4675 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 4676
89bc500e 4677 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 4678 goto drop;
4679
e13e21dc 4680 if (chan->imtu < skb->len)
1da177e4
LT		 4681 goto drop;
4682
23070494 4683 if (!chan->ops->recv(chan->data, skb))
5b4cedaa 4684 return 0;
1da177e4
LT		 4685
4686drop:
4687 kfree_skb(skb);
4688
1da177e4
LT		 4689 return 0;
4690}
4691
d9b88702
AE		 4692static inline int l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
4693 struct sk_buff *skb)
9f69bda6 4694{
23691d75 4695 struct l2cap_chan *chan;
9f69bda6 4696
c2287681 4697 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 4698 if (!chan)
9f69bda6
GP		 4699 goto drop;
4700
5b4cedaa 4701 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 4702
89bc500e 4703 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 4704 goto drop;
4705
e13e21dc 4706 if (chan->imtu < skb->len)
9f69bda6
GP		 4707 goto drop;
4708
23070494 4709 if (!chan->ops->recv(chan->data, skb))
5b4cedaa 4710 return 0;
9f69bda6
GP		 4711
4712drop:
4713 kfree_skb(skb);
4714
9f69bda6
GP		 4715 return 0;
4716}
4717
1da177e4
LT		 4718static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4719{
4720 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4721 u16 cid, len;
4722 __le16 psm;
1da177e4
LT		 4723
4724 skb_pull(skb, L2CAP_HDR_SIZE);
4725 cid = __le16_to_cpu(lh->cid);
4726 len = __le16_to_cpu(lh->len);
4727
1c2acffb
GP		 4728 if (len != skb->len) {
4729 kfree_skb(skb);
4730 return;
4731 }
4732
1da177e4
LT		 4733 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4734
4735 switch (cid) {
3300d9a9 4736 case L2CAP_CID_LE_SIGNALING:
8db4dc46 4737 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4738 l2cap_sig_channel(conn, skb);
4739 break;
4740
8db4dc46 4741 case L2CAP_CID_CONN_LESS:
097db76c 4742 psm = get_unaligned((__le16 *) skb->data);
1da177e4
LT		 4743 skb_pull(skb, 2);
4744 l2cap_conless_channel(conn, psm, skb);
4745 break;
4746
9f69bda6
GP		 4747 case L2CAP_CID_LE_DATA:
4748 l2cap_att_channel(conn, cid, skb);
4749 break;
4750
b501d6a1
AB		 4751 case L2CAP_CID_SMP:
4752 if (smp_sig_channel(conn, skb))
4753 l2cap_conn_del(conn->hcon, EACCES);
4754 break;
4755
1da177e4
LT		 4756 default:
4757 l2cap_data_channel(conn, cid, skb);
4758 break;
4759 }
4760}
4761
4762/* ---- L2CAP interface with lower layer (HCI) ---- */
4763
686ebf28 4764int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 4765{
4766 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 4767 struct l2cap_chan *c;
1da177e4 4768
1da177e4
LT		 4769 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4770
4771 /* Find listening sockets and check their link_mode */
23691d75
GP		 4772 read_lock(&chan_list_lock);
4773 list_for_each_entry(c, &chan_list, global_l) {
4774 struct sock *sk = c->sk;
4343478f 4775
89bc500e 4776 if (c->state != BT_LISTEN)
1da177e4
LT		 4777 continue;
4778
4779 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4780 lm1 |= HCI_LM_ACCEPT;
43bd0f32 4781 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 4782 lm1 |= HCI_LM_MASTER;
1da177e4 4783 exact++;
2af6b9d5
MH		 4784 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4785 lm2 |= HCI_LM_ACCEPT;
43bd0f32 4786 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 4787 lm2 |= HCI_LM_MASTER;
4788 }
1da177e4 4789 }
23691d75 4790 read_unlock(&chan_list_lock);
1da177e4
LT		 4791
4792 return exact ? lm1 : lm2;
4793}
4794
686ebf28 4795int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 4796{
0139418c
MH		 4797 struct l2cap_conn *conn;
4798
1da177e4
LT		 4799 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4800
1da177e4 4801 if (!status) {
1da177e4
LT		 4802 conn = l2cap_conn_add(hcon, status);
4803 if (conn)
4804 l2cap_conn_ready(conn);
0139418c 4805 } else
e175072f 4806 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 4807
4808 return 0;
4809}
4810
686ebf28 4811int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 4812{
4813 struct l2cap_conn *conn = hcon->l2cap_data;
4814
4815 BT_DBG("hcon %p", hcon);
4816
686ebf28 4817 if (!conn)
9f5a0d7b 4818 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 4819 return conn->disc_reason;
4820}
4821
686ebf28 4822int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4823{
4824 BT_DBG("hcon %p reason %d", hcon, reason);
4825
e175072f 4826 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 4827 return 0;
4828}
4829
4343478f 4830static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4831{
715ec005 4832 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 4833 return;
4834
f62e4323 4835 if (encrypt == 0x00) {
4343478f 4836 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 4837 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 4838 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 4839 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4840 } else {
4343478f 4841 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 4842 __clear_chan_timer(chan);
f62e4323
MH		 4843 }
4844}
4845
686ebf28 4846int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4847{
0139418c 4848 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4849 struct l2cap_chan *chan;
1da177e4 4850
0139418c 4851 if (!conn)
1da177e4 4852 return 0;
0139418c 4853
1da177e4
LT		 4854 BT_DBG("conn %p", conn);
4855
160dc6ac 4856 if (hcon->type == LE_LINK) {
35d4adcc
HG		 4857 if (!status && encrypt)
4858 smp_distribute_keys(conn, 0);
17cd3f37 4859 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 4860 }
4861
3df91ea2 4862 mutex_lock(&conn->chan_lock);
1da177e4 4863
3df91ea2 4864 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 4865 l2cap_chan_lock(chan);
1da177e4 4866
f1cb9af5
VCG		 4867 BT_DBG("chan->scid %d", chan->scid);
4868
4869 if (chan->scid == L2CAP_CID_LE_DATA) {
4870 if (!status && encrypt) {
4871 chan->sec_level = hcon->sec_level;
cf4cd009 4872 l2cap_chan_ready(chan);
f1cb9af5
VCG		 4873 }
4874
6be36555 4875 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 4876 continue;
4877 }
4878
c1360a1c 4879 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6be36555 4880 l2cap_chan_unlock(chan);
6a8d3010
MH		 4881 continue;
4882 }
4883
89bc500e
GP		 4884 if (!status && (chan->state == BT_CONNECTED ||
4885 chan->state == BT_CONFIG)) {
4343478f 4886 l2cap_check_encryption(chan, encrypt);
6be36555 4887 l2cap_chan_unlock(chan);
9719f8af
MH		 4888 continue;
4889 }
4890
89bc500e 4891 if (chan->state == BT_CONNECT) {
b1235d79 4892 if (!status) {
9b27f350 4893 l2cap_send_conn_req(chan);
b1235d79 4894 } else {
ba13ccd9 4895 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 4896 }
89bc500e 4897 } else if (chan->state == BT_CONNECT2) {
6be36555 4898 struct sock *sk = chan->sk;
b1235d79 4899 struct l2cap_conn_rsp rsp;
df3c3931 4900 __u16 res, stat;
1da177e4 4901
6be36555
AE		 4902 lock_sock(sk);
4903
b1235d79 4904 if (!status) {
df3c3931
JH		 4905 if (bt_sk(sk)->defer_setup) {
4906 struct sock *parent = bt_sk(sk)->parent;
4907 res = L2CAP_CR_PEND;
4908 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 4909 if (parent)
4910 parent->sk_data_ready(parent, 0);
df3c3931 4911 } else {
0e587be7 4912 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 4913 res = L2CAP_CR_SUCCESS;
4914 stat = L2CAP_CS_NO_INFO;
4915 }
b1235d79 4916 } else {
0e587be7 4917 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 4918 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 4919 res = L2CAP_CR_SEC_BLOCK;
4920 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 4921 }
4922
6be36555
AE		 4923 release_sock(sk);
4924
fe4128e0
GP		 4925 rsp.scid = cpu_to_le16(chan->dcid);
4926 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 4927 rsp.result = cpu_to_le16(res);
4928 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 4929 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4930 sizeof(rsp), &rsp);
b1235d79 4931 }
1da177e4 4932
6be36555 4933 l2cap_chan_unlock(chan);
1da177e4
LT		 4934 }
4935
3df91ea2 4936 mutex_unlock(&conn->chan_lock);
b1235d79 4937
1da177e4
LT		 4938 return 0;
4939}
4940
686ebf28 4941int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 4942{
4943 struct l2cap_conn *conn = hcon->l2cap_data;
4944
5a08ecce
AE		 4945 if (!conn)
4946 conn = l2cap_conn_add(hcon, 0);
4947
4948 if (!conn)
1da177e4
LT		 4949 goto drop;
4950
4951 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4952
e702112f 4953 if (!(flags & ACL_CONT)) {
1da177e4 4954 struct l2cap_hdr *hdr;
48454079 4955 struct l2cap_chan *chan;
89794813 4956 u16 cid;
1da177e4
LT		 4957 int len;
4958
4959 if (conn->rx_len) {
4960 BT_ERR("Unexpected start frame (len %d)", skb->len);
4961 kfree_skb(conn->rx_skb);
4962 conn->rx_skb = NULL;
4963 conn->rx_len = 0;
4964 l2cap_conn_unreliable(conn, ECOMM);
4965 }
4966
aae7fe22
AE		 4967 /* Start fragment always begin with Basic L2CAP header */
4968 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 4969 BT_ERR("Frame is too short (len %d)", skb->len);
4970 l2cap_conn_unreliable(conn, ECOMM);
4971 goto drop;
4972 }
4973
4974 hdr = (struct l2cap_hdr *) skb->data;
4975 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
89794813 4976 cid = __le16_to_cpu(hdr->cid);
1da177e4
LT		 4977
4978 if (len == skb->len) {
4979 /* Complete frame received */
4980 l2cap_recv_frame(conn, skb);
4981 return 0;
4982 }
4983
4984 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4985
4986 if (skb->len > len) {
4987 BT_ERR("Frame is too long (len %d, expected len %d)",
4988 skb->len, len);
4989 l2cap_conn_unreliable(conn, ECOMM);
4990 goto drop;
4991 }
4992
baa7e1fa 4993 chan = l2cap_get_chan_by_scid(conn, cid);
89794813 4994
48454079
GP		 4995 if (chan && chan->sk) {
4996 struct sock *sk = chan->sk;
3df91ea2 4997 lock_sock(sk);
89794813 4998
0c1bc5c6 4999 if (chan->imtu < len - L2CAP_HDR_SIZE) {
48454079
GP		 5000 BT_ERR("Frame exceeding recv MTU (len %d, "
5001 "MTU %d)", len,
0c1bc5c6 5002 chan->imtu);
aa2ac881 5003 release_sock(sk);
48454079
GP		 5004 l2cap_conn_unreliable(conn, ECOMM);
5005 goto drop;
5006 }
aa2ac881 5007 release_sock(sk);
48454079 5008 }
89794813 5009
1da177e4 5010 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 5011 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
5012 if (!conn->rx_skb)
1da177e4
LT		 5013 goto drop;
5014
d626f62b 5015 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5016 skb->len);
1da177e4
LT		 5017 conn->rx_len = len - skb->len;
5018 } else {
5019 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
5020
5021 if (!conn->rx_len) {
5022 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
5023 l2cap_conn_unreliable(conn, ECOMM);
5024 goto drop;
5025 }
5026
5027 if (skb->len > conn->rx_len) {
5028 BT_ERR("Fragment is too long (len %d, expected %d)",
5029 skb->len, conn->rx_len);
5030 kfree_skb(conn->rx_skb);
5031 conn->rx_skb = NULL;
5032 conn->rx_len = 0;
5033 l2cap_conn_unreliable(conn, ECOMM);
5034 goto drop;
5035 }
5036
d626f62b 5037 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5038 skb->len);
1da177e4
LT		 5039 conn->rx_len -= skb->len;
5040
5041 if (!conn->rx_len) {
5042 /* Complete frame received */
5043 l2cap_recv_frame(conn, conn->rx_skb);
5044 conn->rx_skb = NULL;
5045 }
5046 }
5047
5048drop:
5049 kfree_skb(skb);
5050 return 0;
5051}
5052
aef7d97c 5053static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 5054{
23691d75 5055 struct l2cap_chan *c;
1da177e4 5056
333055f2 5057 read_lock(&chan_list_lock);
1da177e4 5058
23691d75
GP		 5059 list_for_each_entry(c, &chan_list, global_l) {
5060 struct sock *sk = c->sk;
101545f6 5061
903d343e 5062 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 5063 batostr(&bt_sk(sk)->src),
5064 batostr(&bt_sk(sk)->dst),
89bc500e 5065 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 5066 c->scid, c->dcid, c->imtu, c->omtu,
5067 c->sec_level, c->mode);
61e1b4b7 5068 }
1da177e4 5069
333055f2 5070 read_unlock(&chan_list_lock);
1da177e4 5071
aef7d97c 5072 return 0;
1da177e4
LT		 5073}
5074
aef7d97c
MH		 5075static int l2cap_debugfs_open(struct inode *inode, struct file *file)
5076{
5077 return single_open(file, l2cap_debugfs_show, inode->i_private);
5078}
5079
5080static const struct file_operations l2cap_debugfs_fops = {
5081 .open = l2cap_debugfs_open,
5082 .read = seq_read,
5083 .llseek = seq_lseek,
5084 .release = single_release,
5085};
5086
5087static struct dentry *l2cap_debugfs;
1da177e4 5088
64274518 5089int __init l2cap_init(void)
1da177e4
LT		 5090{
5091 int err;
be9d1227 5092
bb58f747 5093 err = l2cap_init_sockets();
1da177e4
LT		 5094 if (err < 0)
5095 return err;
5096
aef7d97c
MH		 5097 if (bt_debugfs) {
5098 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
5099 bt_debugfs, NULL, &l2cap_debugfs_fops);
5100 if (!l2cap_debugfs)
5101 BT_ERR("Failed to create L2CAP debug file");
5102 }
1da177e4 5103
1da177e4 5104 return 0;
1da177e4
LT		 5105}
5106
64274518 5107void l2cap_exit(void)
1da177e4 5108{
aef7d97c 5109 debugfs_remove(l2cap_debugfs);
bb58f747 5110 l2cap_cleanup_sockets();
1da177e4
LT		 5111}
5112
d1c4a17d
GP		 5113module_param(disable_ertm, bool, 0644);
5114MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)