projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Add AR30XX device ID on Asus laptops
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
1da177e4
LT		 7
8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License version 2 as
12 published by the Free Software Foundation;
13
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22
8e87d142
YH		 23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 25 SOFTWARE IS DISCLAIMED.
26*/
27
bb58f747 28/* Bluetooth L2CAP core. */
1da177e4 29
1da177e4
LT		 30#include <linux/module.h>
31
32#include <linux/types.h>
4fc268d2 33#include <linux/capability.h>
1da177e4
LT		 34#include <linux/errno.h>
35#include <linux/kernel.h>
1da177e4
LT		 36#include <linux/sched.h>
37#include <linux/slab.h>
38#include <linux/poll.h>
39#include <linux/fcntl.h>
40#include <linux/init.h>
41#include <linux/interrupt.h>
42#include <linux/socket.h>
43#include <linux/skbuff.h>
1da177e4 44#include <linux/list.h>
be9d1227 45#include <linux/device.h>
aef7d97c
MH		 46#include <linux/debugfs.h>
47#include <linux/seq_file.h>
af05b30b 48#include <linux/uaccess.h>
fcc203c3 49#include <linux/crc16.h>
1da177e4
LT		 50#include <net/sock.h>
51
52#include <asm/system.h>
1da177e4
LT		 53#include <asm/unaligned.h>
54
55#include <net/bluetooth/bluetooth.h>
56#include <net/bluetooth/hci_core.h>
57#include <net/bluetooth/l2cap.h>
b501d6a1 58#include <net/bluetooth/smp.h>
1da177e4 59
eb939922 60bool disable_ertm;
f0709e03 61
47ec1dcd 62static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 63static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 64
b5ad8b7f
JB		 65static LIST_HEAD(chan_list);
66static DEFINE_RWLOCK(chan_list_lock);
1da177e4 67
1da177e4
LT		 68static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
69 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 70static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
71 void *data);
710f9b0a 72static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a
GP		 73static void l2cap_send_disconn_req(struct l2cap_conn *conn,
74 struct l2cap_chan *chan, int err);
1da177e4 75
0139418c 76/* ---- L2CAP channels ---- */
71ba0e56 77
baa7e1fa 78static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 79{
3d57dc68 80 struct l2cap_chan *c, *r = NULL;
baa7e1fa 81
3d57dc68
GP		 82 rcu_read_lock();
83
84 list_for_each_entry_rcu(c, &conn->chan_l, list) {
85 if (c->dcid == cid) {
86 r = c;
87 break;
88 }
0139418c 89 }
3d57dc68
GP		 90
91 rcu_read_unlock();
92 return r;
0139418c
MH		 93}
94
baa7e1fa 95static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 96{
3d57dc68 97 struct l2cap_chan *c, *r = NULL;
baa7e1fa 98
3d57dc68
GP		 99 rcu_read_lock();
100
101 list_for_each_entry_rcu(c, &conn->chan_l, list) {
102 if (c->scid == cid) {
103 r = c;
104 break;
105 }
0139418c 106 }
3d57dc68
GP		 107
108 rcu_read_unlock();
109 return r;
0139418c
MH		 110}
111
112/* Find channel with given SCID.
113 * Returns locked socket */
baa7e1fa 114static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 115{
48454079 116 struct l2cap_chan *c;
baa7e1fa 117
baa7e1fa 118 c = __l2cap_get_chan_by_scid(conn, cid);
48454079 119 if (c)
aa2ac881 120 lock_sock(c->sk);
48454079 121 return c;
0139418c
MH		 122}
123
baa7e1fa 124static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 125{
3d57dc68 126 struct l2cap_chan *c, *r = NULL;
baa7e1fa 127
3d57dc68
GP		 128 rcu_read_lock();
129
130 list_for_each_entry_rcu(c, &conn->chan_l, list) {
131 if (c->ident == ident) {
132 r = c;
133 break;
134 }
0139418c 135 }
3d57dc68
GP		 136
137 rcu_read_unlock();
138 return r;
0139418c
MH		 139}
140
baa7e1fa 141static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 142{
48454079 143 struct l2cap_chan *c;
baa7e1fa 144
baa7e1fa 145 c = __l2cap_get_chan_by_ident(conn, ident);
48454079 146 if (c)
aa2ac881 147 lock_sock(c->sk);
48454079 148 return c;
0139418c
MH		 149}
150
23691d75 151static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 152{
23691d75 153 struct l2cap_chan *c;
9e4425ff 154
23691d75
GP		 155 list_for_each_entry(c, &chan_list, global_l) {
156 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 157 return c;
9e4425ff 158 }
250938cb 159 return NULL;
9e4425ff
GP		 160}
161
162int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
163{
73b2ec18
GP		 164 int err;
165
333055f2 166 write_lock(&chan_list_lock);
9e4425ff 167
23691d75 168 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 169 err = -EADDRINUSE;
170 goto done;
9e4425ff
GP		 171 }
172
73b2ec18
GP		 173 if (psm) {
174 chan->psm = psm;
175 chan->sport = psm;
176 err = 0;
177 } else {
178 u16 p;
179
180 err = -EINVAL;
181 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 182 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 183 chan->psm = cpu_to_le16(p);
184 chan->sport = cpu_to_le16(p);
185 err = 0;
186 break;
187 }
188 }
9e4425ff 189
73b2ec18 190done:
333055f2 191 write_unlock(&chan_list_lock);
73b2ec18 192 return err;
9e4425ff
GP		 193}
194
195int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
196{
333055f2 197 write_lock(&chan_list_lock);
9e4425ff
GP		 198
199 chan->scid = scid;
200
333055f2 201 write_unlock(&chan_list_lock);
9e4425ff
GP		 202
203 return 0;
204}
205
baa7e1fa 206static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 207{
8db4dc46 208 u16 cid = L2CAP_CID_DYN_START;
0139418c 209
8db4dc46 210 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 211 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 212 return cid;
213 }
214
215 return 0;
216}
217
89bc500e
GP		 218static void l2cap_state_change(struct l2cap_chan *chan, int state)
219{
42d2d87c 220 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
badaaa00
GP		 221 state_to_string(state));
222
89bc500e
GP		 223 chan->state = state;
224 chan->ops->state_change(chan->data, state);
225}
226
721c4181 227static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 228{
721c4181
GP		 229 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
230 chan_timer.work);
ab07801d
GP		 231 struct sock *sk = chan->sk;
232 int reason;
233
e05dcc32 234 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 235
721c4181 236 lock_sock(sk);
ab07801d 237
89bc500e 238 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 239 reason = ECONNREFUSED;
89bc500e 240 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 241 chan->sec_level != BT_SECURITY_SDP)
242 reason = ECONNREFUSED;
243 else
244 reason = ETIMEDOUT;
245
0f852724 246 l2cap_chan_close(chan, reason);
ab07801d 247
721c4181 248 release_sock(sk);
ab07801d 249
ba3bd0ee 250 chan->ops->close(chan->data);
371fd835 251 l2cap_chan_put(chan);
ab07801d
GP		 252}
253
23691d75 254struct l2cap_chan *l2cap_chan_create(struct sock *sk)
48454079
GP		 255{
256 struct l2cap_chan *chan;
257
258 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
259 if (!chan)
260 return NULL;
261
262 chan->sk = sk;
263
333055f2 264 write_lock(&chan_list_lock);
23691d75 265 list_add(&chan->global_l, &chan_list);
333055f2 266 write_unlock(&chan_list_lock);
23691d75 267
721c4181 268 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 269
89bc500e
GP		 270 chan->state = BT_OPEN;
271
71ba0e56
GP		 272 atomic_set(&chan->refcnt, 1);
273
abc545b8
SJ		 274 BT_DBG("sk %p chan %p", sk, chan);
275
48454079
GP		 276 return chan;
277}
278
23691d75 279void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 280{
333055f2 281 write_lock(&chan_list_lock);
23691d75 282 list_del(&chan->global_l);
333055f2 283 write_unlock(&chan_list_lock);
23691d75 284
371fd835 285 l2cap_chan_put(chan);
6ff5abbf
GP		 286}
287
3d57dc68 288static void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 289{
af05b30b 290 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
fe4128e0 291 chan->psm, chan->dcid);
0139418c 292
9f5a0d7b 293 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 294
8c1d787b 295 chan->conn = conn;
0139418c 296
5491120e
AE		 297 switch (chan->chan_type) {
298 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 299 if (conn->hcon->type == LE_LINK) {
300 /* LE connection */
0c1bc5c6 301 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 302 chan->scid = L2CAP_CID_LE_DATA;
303 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 304 } else {
305 /* Alloc CID for connection-oriented socket */
fe4128e0 306 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 307 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 308 }
5491120e
AE		 309 break;
310
311 case L2CAP_CHAN_CONN_LESS:
0139418c 312 /* Connectionless socket */
fe4128e0
GP		 313 chan->scid = L2CAP_CID_CONN_LESS;
314 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 315 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 316 break;
317
318 default:
0139418c 319 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 320 chan->scid = L2CAP_CID_SIGNALING;
321 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 322 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 323 }
324
8f7975b1
AE		 325 chan->local_id = L2CAP_BESTEFFORT_ID;
326 chan->local_stype = L2CAP_SERV_BESTEFFORT;
327 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
328 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
329 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
330 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
331
371fd835 332 l2cap_chan_hold(chan);
baa7e1fa 333
3d57dc68 334 list_add_rcu(&chan->list, &conn->chan_l);
0139418c
MH		 335}
336
8e87d142 337/* Delete channel.
0139418c 338 * Must be called on the locked socket. */
4519de9a 339static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 340{
48454079 341 struct sock *sk = chan->sk;
8c1d787b 342 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 343 struct sock *parent = bt_sk(sk)->parent;
344
c9b66675 345 __clear_chan_timer(chan);
0139418c 346
49208c9c 347 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 348
8e87d142 349 if (conn) {
baa7e1fa 350 /* Delete from channel list */
3d57dc68
GP		 351 list_del_rcu(&chan->list);
352 synchronize_rcu();
353
371fd835 354 l2cap_chan_put(chan);
baa7e1fa 355
8c1d787b 356 chan->conn = NULL;
0139418c
MH		 357 hci_conn_put(conn->hcon);
358 }
359
89bc500e 360 l2cap_state_change(chan, BT_CLOSED);
0139418c
MH		 361 sock_set_flag(sk, SOCK_ZAPPED);
362
363 if (err)
364 sk->sk_err = err;
365
366 if (parent) {
367 bt_accept_unlink(sk);
368 parent->sk_data_ready(parent, 0);
369 } else
370 sk->sk_state_change(sk);
c13ffa62 371
c1360a1c
GP		 372 if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
373 test_bit(CONF_INPUT_DONE, &chan->conf_state)))
6ff5abbf 374 return;
2ead70b8 375
58d35f87 376 skb_queue_purge(&chan->tx_q);
c13ffa62 377
0c1bc5c6 378 if (chan->mode == L2CAP_MODE_ERTM) {
c13ffa62
GP		 379 struct srej_list *l, *tmp;
380
1a09bcb9
GP		 381 __clear_retrans_timer(chan);
382 __clear_monitor_timer(chan);
383 __clear_ack_timer(chan);
c13ffa62 384
f1c6775b 385 skb_queue_purge(&chan->srej_q);
c13ffa62 386
39d5a3ee 387 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
c13ffa62
GP		 388 list_del(&l->list);
389 kfree(l);
390 }
391 }
0139418c
MH		 392}
393
4519de9a
GP		 394static void l2cap_chan_cleanup_listen(struct sock *parent)
395{
396 struct sock *sk;
397
398 BT_DBG("parent %p", parent);
399
400 /* Close not yet accepted channels */
0f852724 401 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee 402 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
c9b66675 403 __clear_chan_timer(chan);
0f852724 404 lock_sock(sk);
ba3bd0ee 405 l2cap_chan_close(chan, ECONNRESET);
0f852724 406 release_sock(sk);
ba3bd0ee 407 chan->ops->close(chan->data);
0f852724 408 }
4519de9a
GP		 409}
410
0f852724 411void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 412{
413 struct l2cap_conn *conn = chan->conn;
414 struct sock *sk = chan->sk;
415
e05dcc32
AE		 416 BT_DBG("chan %p state %s sk %p", chan,
417 state_to_string(chan->state), sk);
4519de9a 418
89bc500e 419 switch (chan->state) {
4519de9a
GP		 420 case BT_LISTEN:
421 l2cap_chan_cleanup_listen(sk);
89bc500e
GP		 422
423 l2cap_state_change(chan, BT_CLOSED);
424 sock_set_flag(sk, SOCK_ZAPPED);
4519de9a
GP		 425 break;
426
427 case BT_CONNECTED:
428 case BT_CONFIG:
715ec005 429 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 430 conn->hcon->type == ACL_LINK) {
c9b66675
GP		 431 __clear_chan_timer(chan);
432 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 433 l2cap_send_disconn_req(conn, chan, reason);
434 } else
435 l2cap_chan_del(chan, reason);
436 break;
437
438 case BT_CONNECT2:
715ec005 439 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 440 conn->hcon->type == ACL_LINK) {
441 struct l2cap_conn_rsp rsp;
442 __u16 result;
443
444 if (bt_sk(sk)->defer_setup)
445 result = L2CAP_CR_SEC_BLOCK;
446 else
447 result = L2CAP_CR_BAD_PSM;
89bc500e 448 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 449
450 rsp.scid = cpu_to_le16(chan->dcid);
451 rsp.dcid = cpu_to_le16(chan->scid);
452 rsp.result = cpu_to_le16(result);
453 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
454 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
455 sizeof(rsp), &rsp);
456 }
457
458 l2cap_chan_del(chan, reason);
459 break;
460
461 case BT_CONNECT:
462 case BT_DISCONN:
463 l2cap_chan_del(chan, reason);
464 break;
465
466 default:
467 sock_set_flag(sk, SOCK_ZAPPED);
468 break;
469 }
470}
471
4343478f 472static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 473{
715ec005 474 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 475 switch (chan->sec_level) {
8556edd3
JH		 476 case BT_SECURITY_HIGH:
477 return HCI_AT_DEDICATED_BONDING_MITM;
478 case BT_SECURITY_MEDIUM:
479 return HCI_AT_DEDICATED_BONDING;
480 default:
481 return HCI_AT_NO_BONDING;
482 }
fe4128e0 483 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 484 if (chan->sec_level == BT_SECURITY_LOW)
485 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 486
4343478f 487 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 488 return HCI_AT_NO_BONDING_MITM;
00ae4af9 489 else
8556edd3 490 return HCI_AT_NO_BONDING;
00ae4af9 491 } else {
4343478f 492 switch (chan->sec_level) {
00ae4af9 493 case BT_SECURITY_HIGH:
8556edd3 494 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 495 case BT_SECURITY_MEDIUM:
8556edd3 496 return HCI_AT_GENERAL_BONDING;
00ae4af9 497 default:
8556edd3 498 return HCI_AT_NO_BONDING;
00ae4af9 499 }
0684e5f9 500 }
8556edd3
JH		 501}
502
503/* Service level security */
d45fc423 504int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 505{
8c1d787b 506 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 507 __u8 auth_type;
508
4343478f 509 auth_type = l2cap_get_auth_type(chan);
79d554a6 510
4343478f 511 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 512}
513
b5ad8b7f 514static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 515{
516 u8 id;
517
518 /* Get next available identificator.
519 * 1 - 128 are used by kernel.
520 * 129 - 199 are reserved.
521 * 200 - 254 are used by utilities like l2ping, etc.
522 */
523
333055f2 524 spin_lock(&conn->lock);
4e8402a3
MH		 525
526 if (++conn->tx_ident > 128)
527 conn->tx_ident = 1;
528
529 id = conn->tx_ident;
530
333055f2 531 spin_unlock(&conn->lock);
4e8402a3
MH		 532
533 return id;
534}
535
4519de9a 536static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 537{
538 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 539 u8 flags;
4e8402a3
MH		 540
541 BT_DBG("code 0x%2.2x", code);
542
543 if (!skb)
9a9c6a34 544 return;
4e8402a3 545
e702112f
AE		 546 if (lmp_no_flush_capable(conn->hcon->hdev))
547 flags = ACL_START_NO_FLUSH;
548 else
549 flags = ACL_START;
550
14b12d0b 551 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 552 skb->priority = HCI_PRIO_MAX;
14b12d0b 553
73d80deb
LAD		 554 hci_send_acl(conn->hchan, skb, flags);
555}
556
557static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
558{
559 struct hci_conn *hcon = chan->conn->hcon;
560 u16 flags;
561
562 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
563 skb->priority);
564
565 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
566 lmp_no_flush_capable(hcon->hdev))
567 flags = ACL_START_NO_FLUSH;
568 else
569 flags = ACL_START;
14b12d0b 570
73d80deb
LAD		 571 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
572 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 573}
574
88843ab0 575static inline void l2cap_send_sframe(struct l2cap_chan *chan, u32 control)
1c2acffb
GP		 576{
577 struct sk_buff *skb;
578 struct l2cap_hdr *lh;
8c1d787b 579 struct l2cap_conn *conn = chan->conn;
e4ca6d98 580 int count, hlen;
fcc203c3 581
89bc500e 582 if (chan->state != BT_CONNECTED)
c13ffa62
GP		 583 return;
584
e4ca6d98
AE		 585 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
586 hlen = L2CAP_EXT_HDR_SIZE;
587 else
588 hlen = L2CAP_ENH_HDR_SIZE;
589
47d1ec61 590 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 591 hlen += L2CAP_FCS_SIZE;
1c2acffb 592
88843ab0 593 BT_DBG("chan %p, control 0x%8.8x", chan, control);
1c2acffb 594
fcc203c3 595 count = min_t(unsigned int, conn->mtu, hlen);
793c2f1c
AE		 596
597 control |= __set_sframe(chan);
1c2acffb 598
e2ab4353 599 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 600 control |= __set_ctrl_final(chan);
9e917af1 601
e2ab4353 602 if (test_and_clear_bit(CONN_SEND_PBIT, &chan->conn_state))
e3781735 603 control |= __set_ctrl_poll(chan);
f0946ccf 604
1c2acffb
GP		 605 skb = bt_skb_alloc(count, GFP_ATOMIC);
606 if (!skb)
9a9c6a34 607 return;
1c2acffb
GP		 608
609 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 610 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
fe4128e0 611 lh->cid = cpu_to_le16(chan->dcid);
88843ab0
AE		 612
613 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
1c2acffb 614
47d1ec61 615 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 616 u16 fcs = crc16(0, (u8 *)lh, count - L2CAP_FCS_SIZE);
617 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 618 }
619
73d80deb
LAD		 620 skb->priority = HCI_PRIO_MAX;
621 l2cap_do_send(chan, skb);
1c2acffb
GP		 622}
623
88843ab0 624static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u32 control)
7e743090 625{
e2ab4353 626 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 627 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 628 set_bit(CONN_RNR_SENT, &chan->conn_state);
1890d36b 629 } else
ab784b73 630 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
7e743090 631
0b209fae 632 control |= __set_reqseq(chan, chan->buffer_seq);
2ab25cdd 633
525cd185 634 l2cap_send_sframe(chan, control);
7e743090
GP		 635}
636
b4450035 637static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 638{
c1360a1c 639 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 640}
641
fc7f8a7e 642static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 643{
8c1d787b 644 struct l2cap_conn *conn = chan->conn;
79d554a6
MH		 645
646 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 647 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
648 return;
649
d45fc423 650 if (l2cap_chan_check_security(chan) &&
4343478f 651 __l2cap_no_conn_pending(chan)) {
b1235d79 652 struct l2cap_conn_req req;
fe4128e0
GP		 653 req.scid = cpu_to_le16(chan->scid);
654 req.psm = chan->psm;
79d554a6 655
fc7f8a7e 656 chan->ident = l2cap_get_ident(conn);
c1360a1c 657 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
79d554a6 658
fc7f8a7e
GP		 659 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
660 sizeof(req), &req);
b1235d79 661 }
79d554a6
MH		 662 } else {
663 struct l2cap_info_req req;
664 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
665
666 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
667 conn->info_ident = l2cap_get_ident(conn);
668
030013d8 669 schedule_delayed_work(&conn->info_timer,
79d554a6
MH		 670 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
671
672 l2cap_send_cmd(conn, conn->info_ident,
673 L2CAP_INFO_REQ, sizeof(req), &req);
674 }
675}
676
cf6c2c0b
GP		 677static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
678{
679 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 680 if (!disable_ertm)
cf6c2c0b
GP		 681 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
682
683 switch (mode) {
684 case L2CAP_MODE_ERTM:
685 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
686 case L2CAP_MODE_STREAMING:
687 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
688 default:
689 return 0x00;
690 }
691}
692
4519de9a 693static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 694{
e92c8e70 695 struct sock *sk;
22121fc9
GP		 696 struct l2cap_disconn_req req;
697
c13ffa62
GP		 698 if (!conn)
699 return;
700
e92c8e70
GP		 701 sk = chan->sk;
702
0c1bc5c6 703 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 704 __clear_retrans_timer(chan);
705 __clear_monitor_timer(chan);
706 __clear_ack_timer(chan);
c13ffa62
GP		 707 }
708
fe4128e0
GP		 709 req.dcid = cpu_to_le16(chan->dcid);
710 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 711 l2cap_send_cmd(conn, l2cap_get_ident(conn),
712 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 713
89bc500e 714 l2cap_state_change(chan, BT_DISCONN);
9b108fc0 715 sk->sk_err = err;
22121fc9
GP		 716}
717
1da177e4 718/* ---- L2CAP connections ---- */
4e8402a3
MH		 719static void l2cap_conn_start(struct l2cap_conn *conn)
720{
3d57dc68 721 struct l2cap_chan *chan;
4e8402a3
MH		 722
723 BT_DBG("conn %p", conn);
724
3d57dc68 725 rcu_read_lock();
4e8402a3 726
3d57dc68 727 list_for_each_entry_rcu(chan, &conn->chan_l, list) {
48454079 728 struct sock *sk = chan->sk;
baa7e1fa 729
4e8402a3
MH		 730 bh_lock_sock(sk);
731
715ec005 732 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
79d554a6
MH		 733 bh_unlock_sock(sk);
734 continue;
735 }
736
89bc500e 737 if (chan->state == BT_CONNECT) {
47731de7 738 struct l2cap_conn_req req;
79d554a6 739
d45fc423 740 if (!l2cap_chan_check_security(chan) ||
b4450035 741 !__l2cap_no_conn_pending(chan)) {
47731de7
GP		 742 bh_unlock_sock(sk);
743 continue;
744 }
79d554a6 745
c1360a1c
GP		 746 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
747 && test_bit(CONF_STATE2_DEVICE,
748 &chan->conf_state)) {
0f852724 749 /* l2cap_chan_close() calls list_del(chan)
820ffdb3 750 * so release the lock */
89bc500e 751 l2cap_chan_close(chan, ECONNRESET);
47731de7
GP		 752 bh_unlock_sock(sk);
753 continue;
b1235d79 754 }
47731de7 755
fe4128e0
GP		 756 req.scid = cpu_to_le16(chan->scid);
757 req.psm = chan->psm;
47731de7 758
fc7f8a7e 759 chan->ident = l2cap_get_ident(conn);
c1360a1c 760 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
47731de7 761
fc7f8a7e
GP		 762 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
763 sizeof(req), &req);
47731de7 764
89bc500e 765 } else if (chan->state == BT_CONNECT2) {
79d554a6 766 struct l2cap_conn_rsp rsp;
e9aeb2dd 767 char buf[128];
fe4128e0
GP		 768 rsp.scid = cpu_to_le16(chan->dcid);
769 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 770
d45fc423 771 if (l2cap_chan_check_security(chan)) {
f66dc81f
MH		 772 if (bt_sk(sk)->defer_setup) {
773 struct sock *parent = bt_sk(sk)->parent;
774 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
775 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 776 if (parent)
777 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 778
779 } else {
89bc500e 780 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 781 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
782 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
783 }
79d554a6
MH		 784 } else {
785 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
786 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
787 }
788
fc7f8a7e
GP		 789 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
790 sizeof(rsp), &rsp);
e9aeb2dd 791
c1360a1c 792 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd
GP		 793 rsp.result != L2CAP_CR_SUCCESS) {
794 bh_unlock_sock(sk);
795 continue;
796 }
797
c1360a1c 798 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 799 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 800 l2cap_build_conf_req(chan, buf), buf);
801 chan->num_conf_req++;
4e8402a3
MH		 802 }
803
804 bh_unlock_sock(sk);
805 }
806
3d57dc68 807 rcu_read_unlock();
4e8402a3
MH		 808}
809
b62f328b
VT		 810/* Find socket with cid and source bdaddr.
811 * Returns closest match, locked.
812 */
23691d75 813static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
b62f328b 814{
23691d75 815 struct l2cap_chan *c, *c1 = NULL;
b62f328b 816
23691d75 817 read_lock(&chan_list_lock);
b62f328b 818
23691d75
GP		 819 list_for_each_entry(c, &chan_list, global_l) {
820 struct sock *sk = c->sk;
fe4128e0 821
89bc500e 822 if (state && c->state != state)
b62f328b
VT		 823 continue;
824
23691d75 825 if (c->scid == cid) {
b62f328b 826 /* Exact match. */
23691d75
GP		 827 if (!bacmp(&bt_sk(sk)->src, src)) {
828 read_unlock(&chan_list_lock);
829 return c;
830 }
b62f328b
VT		 831
832 /* Closest match */
833 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 834 c1 = c;
b62f328b
VT		 835 }
836 }
280f294f 837
23691d75 838 read_unlock(&chan_list_lock);
b62f328b 839
23691d75 840 return c1;
b62f328b
VT		 841}
842
843static void l2cap_le_conn_ready(struct l2cap_conn *conn)
844{
c916fbe4 845 struct sock *parent, *sk;
23691d75 846 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 847
848 BT_DBG("");
849
850 /* Check if we have socket listening on cid */
23691d75 851 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
b62f328b 852 conn->src);
23691d75 853 if (!pchan)
b62f328b
VT		 854 return;
855
23691d75
GP		 856 parent = pchan->sk;
857
aa2ac881 858 lock_sock(parent);
62f3a2cf 859
b62f328b
VT		 860 /* Check for backlog size */
861 if (sk_acceptq_is_full(parent)) {
862 BT_DBG("backlog full %d", parent->sk_ack_backlog);
863 goto clean;
864 }
865
80808e43
GP		 866 chan = pchan->ops->new_connection(pchan->data);
867 if (!chan)
b62f328b
VT		 868 goto clean;
869
80808e43 870 sk = chan->sk;
5d41ce1d 871
b62f328b
VT		 872 hci_conn_hold(conn->hcon);
873
b62f328b
VT		 874 bacpy(&bt_sk(sk)->src, conn->src);
875 bacpy(&bt_sk(sk)->dst, conn->dst);
876
d1010240
GP		 877 bt_accept_enqueue(parent, sk);
878
3d57dc68 879 l2cap_chan_add(conn, chan);
48454079 880
c9b66675 881 __set_chan_timer(chan, sk->sk_sndtimeo);
b62f328b 882
89bc500e 883 l2cap_state_change(chan, BT_CONNECTED);
b62f328b
VT		 884 parent->sk_data_ready(parent, 0);
885
b62f328b 886clean:
aa2ac881 887 release_sock(parent);
b62f328b
VT		 888}
889
cf4cd009 890static void l2cap_chan_ready(struct l2cap_chan *chan)
f1cb9af5 891{
cf4cd009 892 struct sock *sk = chan->sk;
f1cb9af5
VCG		 893 struct sock *parent = bt_sk(sk)->parent;
894
895 BT_DBG("sk %p, parent %p", sk, parent);
896
897 chan->conf_state = 0;
898 __clear_chan_timer(chan);
899
43f3dc41 900 l2cap_state_change(chan, BT_CONNECTED);
f1cb9af5
VCG		 901 sk->sk_state_change(sk);
902
903 if (parent)
904 parent->sk_data_ready(parent, 0);
905}
906
4e8402a3
MH		 907static void l2cap_conn_ready(struct l2cap_conn *conn)
908{
48454079 909 struct l2cap_chan *chan;
4e8402a3 910
79d554a6 911 BT_DBG("conn %p", conn);
4e8402a3 912
b62f328b
VT		 913 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
914 l2cap_le_conn_ready(conn);
915
160dc6ac
VCG		 916 if (conn->hcon->out && conn->hcon->type == LE_LINK)
917 smp_conn_security(conn, conn->hcon->pending_sec_level);
918
3d57dc68 919 rcu_read_lock();
4e8402a3 920
3d57dc68 921 list_for_each_entry_rcu(chan, &conn->chan_l, list) {
48454079 922 struct sock *sk = chan->sk;
baa7e1fa 923
79d554a6 924 bh_lock_sock(sk);
4e8402a3 925
63128451 926 if (conn->hcon->type == LE_LINK) {
b501d6a1 927 if (smp_conn_security(conn, chan->sec_level))
cf4cd009 928 l2cap_chan_ready(chan);
acd7d370 929
63128451 930 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 931 __clear_chan_timer(chan);
89bc500e 932 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 933 sk->sk_state_change(sk);
b501d6a1 934
89bc500e 935 } else if (chan->state == BT_CONNECT)
fc7f8a7e 936 l2cap_do_start(chan);
4e8402a3 937
79d554a6 938 bh_unlock_sock(sk);
4e8402a3 939 }
79d554a6 940
3d57dc68 941 rcu_read_unlock();
4e8402a3
MH		 942}
943
944/* Notify sockets that we cannot guaranty reliability anymore */
945static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
946{
48454079 947 struct l2cap_chan *chan;
4e8402a3
MH		 948
949 BT_DBG("conn %p", conn);
950
3d57dc68 951 rcu_read_lock();
4e8402a3 952
3d57dc68 953 list_for_each_entry_rcu(chan, &conn->chan_l, list) {
48454079 954 struct sock *sk = chan->sk;
baa7e1fa 955
ecf61bdb 956 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
4e8402a3
MH		 957 sk->sk_err = err;
958 }
959
3d57dc68 960 rcu_read_unlock();
4e8402a3
MH		 961}
962
f878fcad 963static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 964{
f878fcad 965 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
030013d8 966 info_timer.work);
4e8402a3 967
984947dc 968 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 969 conn->info_ident = 0;
984947dc 970
4e8402a3
MH		 971 l2cap_conn_start(conn);
972}
973
5d3de7df
VCG		 974static void l2cap_conn_del(struct hci_conn *hcon, int err)
975{
976 struct l2cap_conn *conn = hcon->l2cap_data;
977 struct l2cap_chan *chan, *l;
978 struct sock *sk;
979
980 if (!conn)
981 return;
982
983 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
984
985 kfree_skb(conn->rx_skb);
986
987 /* Kill channels */
988 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
989 sk = chan->sk;
aa2ac881 990 lock_sock(sk);
5d3de7df 991 l2cap_chan_del(chan, err);
aa2ac881 992 release_sock(sk);
5d3de7df
VCG		 993 chan->ops->close(chan->data);
994 }
995
73d80deb
LAD		 996 hci_chan_del(conn->hchan);
997
5d3de7df 998 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 999 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1000
51a8efd7 1001 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1002 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1003 smp_chan_destroy(conn);
d26a2345 1004 }
5d3de7df
VCG		 1005
1006 hcon->l2cap_data = NULL;
1007 kfree(conn);
1008}
1009
6c9d42a1 1010static void security_timeout(struct work_struct *work)
5d3de7df 1011{
6c9d42a1
GP		 1012 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1013 security_timer.work);
5d3de7df
VCG		 1014
1015 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1016}
1017
1da177e4
LT		 1018static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1019{
0139418c 1020 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1021 struct hci_chan *hchan;
1da177e4 1022
0139418c 1023 if (conn || status)
1da177e4
LT		 1024 return conn;
1025
73d80deb
LAD		 1026 hchan = hci_chan_create(hcon);
1027 if (!hchan)
1028 return NULL;
1029
0139418c 1030 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
73d80deb
LAD		 1031 if (!conn) {
1032 hci_chan_del(hchan);
1da177e4 1033 return NULL;
73d80deb 1034 }
1da177e4
LT		 1035
1036 hcon->l2cap_data = conn;
1037 conn->hcon = hcon;
73d80deb 1038 conn->hchan = hchan;
1da177e4 1039
73d80deb 1040 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1041
acd7d370
VT		 1042 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1043 conn->mtu = hcon->hdev->le_mtu;
1044 else
1045 conn->mtu = hcon->hdev->acl_mtu;
1046
1da177e4
LT		 1047 conn->src = &hcon->hdev->bdaddr;
1048 conn->dst = &hcon->dst;
1049
4e8402a3
MH		 1050 conn->feat_mask = 0;
1051
1da177e4 1052 spin_lock_init(&conn->lock);
baa7e1fa
GP		 1053
1054 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1055
5d3de7df 1056 if (hcon->type == LE_LINK)
6c9d42a1 1057 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1058 else
030013d8 1059 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1060
9f5a0d7b 1061 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1062
1da177e4
LT		 1063 return conn;
1064}
1065
1da177e4 1066/* ---- Socket interface ---- */
1da177e4
LT		 1067
1068/* Find socket with psm and source bdaddr.
1069 * Returns closest match.
1070 */
23691d75 1071static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4 1072{
23691d75 1073 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1074
23691d75 1075 read_lock(&chan_list_lock);
e0f0cb56 1076
23691d75
GP		 1077 list_for_each_entry(c, &chan_list, global_l) {
1078 struct sock *sk = c->sk;
fe4128e0 1079
89bc500e 1080 if (state && c->state != state)
1da177e4
LT		 1081 continue;
1082
23691d75 1083 if (c->psm == psm) {
1da177e4 1084 /* Exact match. */
23691d75 1085 if (!bacmp(&bt_sk(sk)->src, src)) {
a7567b20 1086 read_unlock(&chan_list_lock);
23691d75
GP		 1087 return c;
1088 }
1da177e4
LT		 1089
1090 /* Closest match */
1091 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 1092 c1 = c;
1da177e4
LT		 1093 }
1094 }
1da177e4 1095
23691d75 1096 read_unlock(&chan_list_lock);
e0f0cb56 1097
23691d75 1098 return c1;
1da177e4
LT		 1099}
1100
cbe8fed4 1101int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid, bdaddr_t *dst)
1da177e4 1102{
5d41ce1d 1103 struct sock *sk = chan->sk;
1da177e4 1104 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1105 struct l2cap_conn *conn;
1106 struct hci_conn *hcon;
1107 struct hci_dev *hdev;
09ab6f4c 1108 __u8 auth_type;
44d0e48e 1109 int err;
1da177e4 1110
f29972de 1111 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
fe4128e0 1112 chan->psm);
1da177e4 1113
af05b30b
GP		 1114 hdev = hci_get_route(dst, src);
1115 if (!hdev)
1da177e4
LT		 1116 return -EHOSTUNREACH;
1117
09fd0de5 1118 hci_dev_lock(hdev);
1da177e4 1119
03a00194
GP		 1120 lock_sock(sk);
1121
1122 /* PSM must be odd and lsb of upper byte must be 0 */
1123 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1124 chan->chan_type != L2CAP_CHAN_RAW) {
1125 err = -EINVAL;
1126 goto done;
1127 }
1128
1129 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1130 err = -EINVAL;
1131 goto done;
1132 }
1133
1134 switch (chan->mode) {
1135 case L2CAP_MODE_BASIC:
1136 break;
1137 case L2CAP_MODE_ERTM:
1138 case L2CAP_MODE_STREAMING:
1139 if (!disable_ertm)
1140 break;
1141 /* fall through */
1142 default:
1143 err = -ENOTSUPP;
1144 goto done;
1145 }
1146
1147 switch (sk->sk_state) {
1148 case BT_CONNECT:
1149 case BT_CONNECT2:
1150 case BT_CONFIG:
1151 /* Already connecting */
1152 err = 0;
1153 goto done;
1154
1155 case BT_CONNECTED:
1156 /* Already connected */
1157 err = -EISCONN;
1158 goto done;
1159
1160 case BT_OPEN:
1161 case BT_BOUND:
1162 /* Can connect */
1163 break;
1164
1165 default:
1166 err = -EBADFD;
1167 goto done;
1168 }
1169
1170 /* Set destination address and psm */
9219b2a0 1171 bacpy(&bt_sk(sk)->dst, dst);
03a00194
GP		 1172 chan->psm = psm;
1173 chan->dcid = cid;
1da177e4 1174
4343478f 1175 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1176
fe4128e0 1177 if (chan->dcid == L2CAP_CID_LE_DATA)
acd7d370 1178 hcon = hci_connect(hdev, LE_LINK, dst,
4343478f 1179 chan->sec_level, auth_type);
acd7d370
VT		 1180 else
1181 hcon = hci_connect(hdev, ACL_LINK, dst,
4343478f 1182 chan->sec_level, auth_type);
acd7d370 1183
30e76272
VT		 1184 if (IS_ERR(hcon)) {
1185 err = PTR_ERR(hcon);
1da177e4 1186 goto done;
30e76272 1187 }
1da177e4
LT		 1188
1189 conn = l2cap_conn_add(hcon, 0);
1190 if (!conn) {
1191 hci_conn_put(hcon);
30e76272 1192 err = -ENOMEM;
1da177e4
LT		 1193 goto done;
1194 }
1195
1da177e4
LT		 1196 /* Update source addr of the socket */
1197 bacpy(src, conn->src);
1198
48454079
GP		 1199 l2cap_chan_add(conn, chan);
1200
89bc500e 1201 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1202 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1203
1204 if (hcon->state == BT_CONNECTED) {
715ec005 1205 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1206 __clear_chan_timer(chan);
d45fc423 1207 if (l2cap_chan_check_security(chan))
89bc500e 1208 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1209 } else
fc7f8a7e 1210 l2cap_do_start(chan);
1da177e4
LT		 1211 }
1212
30e76272
VT		 1213 err = 0;
1214
1da177e4 1215done:
09fd0de5 1216 hci_dev_unlock(hdev);
1da177e4
LT		 1217 hci_dev_put(hdev);
1218 return err;
1219}
1220
dcba0dba 1221int __l2cap_wait_ack(struct sock *sk)
6161c038 1222{
8c1d787b 1223 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1224 DECLARE_WAITQUEUE(wait, current);
1225 int err = 0;
1226 int timeo = HZ/5;
1227
2b0b05dd 1228 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1229 set_current_state(TASK_INTERRUPTIBLE);
1230 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1231 if (!timeo)
1232 timeo = HZ/5;
1233
1234 if (signal_pending(current)) {
1235 err = sock_intr_errno(timeo);
1236 break;
1237 }
1238
1239 release_sock(sk);
1240 timeo = schedule_timeout(timeo);
1241 lock_sock(sk);
a71a0cf4 1242 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1243
1244 err = sock_error(sk);
1245 if (err)
1246 break;
1247 }
1248 set_current_state(TASK_RUNNING);
2b0b05dd 1249 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1250 return err;
1251}
1252
721c4181 1253static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1254{
721c4181
GP		 1255 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1256 monitor_timer.work);
525cd185 1257 struct sock *sk = chan->sk;
e90bac06 1258
525cd185 1259 BT_DBG("chan %p", chan);
0e98958d 1260
721c4181 1261 lock_sock(sk);
2c03a7a4 1262 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1263 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
721c4181 1264 release_sock(sk);
e90bac06
GP		 1265 return;
1266 }
1267
6a026610 1268 chan->retry_count++;
1a09bcb9 1269 __set_monitor_timer(chan);
e90bac06 1270
525cd185 1271 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
721c4181 1272 release_sock(sk);
e90bac06
GP		 1273}
1274
721c4181 1275static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1276{
721c4181
GP		 1277 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1278 retrans_timer.work);
525cd185 1279 struct sock *sk = chan->sk;
e90bac06 1280
49208c9c 1281 BT_DBG("chan %p", chan);
0e98958d 1282
721c4181 1283 lock_sock(sk);
6a026610 1284 chan->retry_count = 1;
1a09bcb9 1285 __set_monitor_timer(chan);
e90bac06 1286
e2ab4353 1287 set_bit(CONN_WAIT_F, &chan->conn_state);
e90bac06 1288
525cd185 1289 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
721c4181 1290 release_sock(sk);
e90bac06
GP		 1291}
1292
42e5c802 1293static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1da177e4 1294{
1c2acffb 1295 struct sk_buff *skb;
1da177e4 1296
58d35f87 1297 while ((skb = skb_peek(&chan->tx_q)) &&
6a026610 1298 chan->unacked_frames) {
42e5c802 1299 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1c2acffb 1300 break;
1da177e4 1301
58d35f87 1302 skb = skb_dequeue(&chan->tx_q);
1c2acffb 1303 kfree_skb(skb);
1da177e4 1304
6a026610 1305 chan->unacked_frames--;
1c2acffb 1306 }
1da177e4 1307
6a026610 1308 if (!chan->unacked_frames)
1a09bcb9 1309 __clear_retrans_timer(chan);
1c2acffb 1310}
1da177e4 1311
67c9e840 1312static void l2cap_streaming_send(struct l2cap_chan *chan)
6840ed07 1313{
ccbb84af 1314 struct sk_buff *skb;
88843ab0
AE		 1315 u32 control;
1316 u16 fcs;
6840ed07 1317
58d35f87 1318 while ((skb = skb_dequeue(&chan->tx_q))) {
88843ab0 1319 control = __get_control(chan, skb->data + L2CAP_HDR_SIZE);
fb45de7d 1320 control |= __set_txseq(chan, chan->next_tx_seq);
88843ab0 1321 __put_control(chan, control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1322
47d1ec61 1323 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1324 fcs = crc16(0, (u8 *)skb->data,
1325 skb->len - L2CAP_FCS_SIZE);
1326 put_unaligned_le16(fcs,
1327 skb->data + skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 1328 }
1329
4343478f 1330 l2cap_do_send(chan, skb);
6840ed07 1331
836be934 1332 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
6840ed07 1333 }
6840ed07
GP		 1334}
1335
fb45de7d 1336static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 1337{
8f17154f 1338 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1339 u16 fcs;
1340 u32 control;
8f17154f 1341
58d35f87 1342 skb = skb_peek(&chan->tx_q);
f11d676d
GP		 1343 if (!skb)
1344 return;
8f17154f 1345
d1726b6d 1346 while (bt_cb(skb)->tx_seq != tx_seq) {
58d35f87 1347 if (skb_queue_is_last(&chan->tx_q, skb))
f11d676d 1348 return;
8f17154f 1349
d1726b6d
SJ		 1350 skb = skb_queue_next(&chan->tx_q, skb);
1351 }
8f17154f 1352
2c03a7a4
GP		 1353 if (chan->remote_max_tx &&
1354 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1355 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
f11d676d
GP		 1356 return;
1357 }
1358
1359 tx_skb = skb_clone(skb, GFP_ATOMIC);
1360 bt_cb(skb)->retries++;
88843ab0
AE		 1361
1362 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1363 control &= __get_sar_mask(chan);
3cb123d1 1364
e2ab4353 1365 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1366 control |= __set_ctrl_final(chan);
95ffa978 1367
0b209fae 1368 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1369 control |= __set_txseq(chan, tx_seq);
3cb123d1 1370
88843ab0 1371 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
f11d676d 1372
47d1ec61 1373 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1374 fcs = crc16(0, (u8 *)tx_skb->data,
1375 tx_skb->len - L2CAP_FCS_SIZE);
1376 put_unaligned_le16(fcs,
1377 tx_skb->data + tx_skb->len - L2CAP_FCS_SIZE);
f11d676d
GP		 1378 }
1379
4343478f 1380 l2cap_do_send(chan, tx_skb);
8f17154f
GP		 1381}
1382
67c9e840 1383static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1384{
1385 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1386 u16 fcs;
1387 u32 control;
9a9c6a34 1388 int nsent = 0;
1c2acffb 1389
89bc500e 1390 if (chan->state != BT_CONNECTED)
c13ffa62 1391 return -ENOTCONN;
e90bac06 1392
58d35f87 1393 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1c2acffb 1394
2c03a7a4
GP		 1395 if (chan->remote_max_tx &&
1396 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1397 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
e90bac06
GP		 1398 break;
1399 }
1400
e420aba3
AE		 1401 tx_skb = skb_clone(skb, GFP_ATOMIC);
1402
e90bac06
GP		 1403 bt_cb(skb)->retries++;
1404
88843ab0 1405 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1406 control &= __get_sar_mask(chan);
95ffa978 1407
e2ab4353 1408 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1409 control |= __set_ctrl_final(chan);
e2ab4353 1410
0b209fae 1411 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1412 control |= __set_txseq(chan, chan->next_tx_seq);
1c2acffb 1413
88843ab0 1414 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
e90bac06 1415
47d1ec61 1416 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1417 fcs = crc16(0, (u8 *)skb->data,
1418 tx_skb->len - L2CAP_FCS_SIZE);
1419 put_unaligned_le16(fcs, skb->data +
1420 tx_skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 1421 }
1422
4343478f 1423 l2cap_do_send(chan, tx_skb);
9a9c6a34 1424
1a09bcb9 1425 __set_retrans_timer(chan);
1c2acffb 1426
42e5c802 1427 bt_cb(skb)->tx_seq = chan->next_tx_seq;
836be934
AE		 1428
1429 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1c2acffb 1430
8ed7a0ae 1431 if (bt_cb(skb)->retries == 1) {
6a026610 1432 chan->unacked_frames++;
930fa4ae
SJ		 1433
1434 if (!nsent++)
1435 __clear_ack_timer(chan);
8ed7a0ae 1436 }
23e9fde2 1437
6a026610 1438 chan->frames_sent++;
1c2acffb 1439
58d35f87
GP		 1440 if (skb_queue_is_last(&chan->tx_q, skb))
1441 chan->tx_send_head = NULL;
1c2acffb 1442 else
58d35f87 1443 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1c2acffb
GP		 1444 }
1445
9e917af1
GP		 1446 return nsent;
1447}
1448
525cd185 1449static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1450{
dfc909be
GP		 1451 int ret;
1452
58d35f87
GP		 1453 if (!skb_queue_empty(&chan->tx_q))
1454 chan->tx_send_head = chan->tx_q.next;
dfc909be 1455
42e5c802 1456 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1457 ret = l2cap_ertm_send(chan);
dfc909be
GP		 1458 return ret;
1459}
1460
b17e73bb 1461static void __l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1462{
88843ab0 1463 u32 control = 0;
9e917af1 1464
0b209fae 1465 control |= __set_reqseq(chan, chan->buffer_seq);
9e917af1 1466
e2ab4353 1467 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 1468 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 1469 set_bit(CONN_RNR_SENT, &chan->conn_state);
525cd185 1470 l2cap_send_sframe(chan, control);
9a9c6a34 1471 return;
9e917af1 1472 }
dfc909be 1473
525cd185 1474 if (l2cap_ertm_send(chan) > 0)
dfc909be
GP		 1475 return;
1476
ab784b73 1477 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 1478 l2cap_send_sframe(chan, control);
1c2acffb
GP		 1479}
1480
b17e73bb
SJ		 1481static void l2cap_send_ack(struct l2cap_chan *chan)
1482{
1483 __clear_ack_timer(chan);
1484 __l2cap_send_ack(chan);
1485}
1486
525cd185 1487static void l2cap_send_srejtail(struct l2cap_chan *chan)
99b0d4b7
GP		 1488{
1489 struct srej_list *tail;
88843ab0 1490 u32 control;
99b0d4b7 1491
ab784b73 1492 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
03f6715d 1493 control |= __set_ctrl_final(chan);
99b0d4b7 1494
39d5a3ee 1495 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
0b209fae 1496 control |= __set_reqseq(chan, tail->tx_seq);
99b0d4b7 1497
525cd185 1498 l2cap_send_sframe(chan, control);
99b0d4b7
GP		 1499}
1500
0952a57a 1501static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1c2acffb 1502{
0952a57a 1503 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1504 struct sk_buff **frag;
1505 int err, sent = 0;
1da177e4 1506
59203a21 1507 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1508 return -EFAULT;
1da177e4
LT		 1509
1510 sent += count;
1511 len -= count;
1512
1513 /* Continuation fragments (no L2CAP header) */
1514 frag = &skb_shinfo(skb)->frag_list;
1515 while (len) {
1516 count = min_t(unsigned int, conn->mtu, len);
1517
2f7719ce
AE		 1518 *frag = chan->ops->alloc_skb(chan, count,
1519 msg->msg_flags & MSG_DONTWAIT, &err);
1520
1da177e4 1521 if (!*frag)
0175d629 1522 return err;
1c2acffb
GP		 1523 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1524 return -EFAULT;
1da177e4 1525
5e59b791
LAD		 1526 (*frag)->priority = skb->priority;
1527
1da177e4
LT		 1528 sent += count;
1529 len -= count;
1530
1531 frag = &(*frag)->next;
1532 }
1da177e4
LT		 1533
1534 return sent;
1c2acffb 1535}
1da177e4 1536
5e59b791
LAD		 1537static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
1538 struct msghdr *msg, size_t len,
1539 u32 priority)
1c2acffb 1540{
8c1d787b 1541 struct l2cap_conn *conn = chan->conn;
1c2acffb 1542 struct sk_buff *skb;
03a51213 1543 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 1544 struct l2cap_hdr *lh;
1545
6d5922b0 1546 BT_DBG("chan %p len %d priority %u", chan, (int)len, priority);
1c2acffb
GP		 1547
1548 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1549
1550 skb = chan->ops->alloc_skb(chan, count + hlen,
1551 msg->msg_flags & MSG_DONTWAIT, &err);
1552
1c2acffb 1553 if (!skb)
0175d629 1554 return ERR_PTR(err);
1c2acffb 1555
5e59b791
LAD		 1556 skb->priority = priority;
1557
1c2acffb
GP		 1558 /* Create L2CAP header */
1559 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1560 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1561 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
fe4128e0 1562 put_unaligned_le16(chan->psm, skb_put(skb, 2));
1c2acffb 1563
0952a57a 1564 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1565 if (unlikely(err < 0)) {
1566 kfree_skb(skb);
1567 return ERR_PTR(err);
1568 }
1569 return skb;
1570}
1571
5e59b791
LAD		 1572static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
1573 struct msghdr *msg, size_t len,
1574 u32 priority)
1c2acffb 1575{
8c1d787b 1576 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1577 struct sk_buff *skb;
1578 int err, count, hlen = L2CAP_HDR_SIZE;
1579 struct l2cap_hdr *lh;
1580
6d5922b0 1581 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb
GP		 1582
1583 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1584
1585 skb = chan->ops->alloc_skb(chan, count + hlen,
1586 msg->msg_flags & MSG_DONTWAIT, &err);
1587
1c2acffb 1588 if (!skb)
0175d629 1589 return ERR_PTR(err);
1c2acffb 1590
5e59b791
LAD		 1591 skb->priority = priority;
1592
1c2acffb
GP		 1593 /* Create L2CAP header */
1594 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1595 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1596 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1597
0952a57a 1598 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1599 if (unlikely(err < 0)) {
1600 kfree_skb(skb);
1601 return ERR_PTR(err);
1602 }
1603 return skb;
1604}
1605
ab0ff76d
LAD		 1606static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
1607 struct msghdr *msg, size_t len,
88843ab0 1608 u32 control, u16 sdulen)
1c2acffb 1609{
8c1d787b 1610 struct l2cap_conn *conn = chan->conn;
1c2acffb 1611 struct sk_buff *skb;
e4ca6d98 1612 int err, count, hlen;
1c2acffb
GP		 1613 struct l2cap_hdr *lh;
1614
6d5922b0 1615 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 1616
0ee0d208
GP		 1617 if (!conn)
1618 return ERR_PTR(-ENOTCONN);
1619
e4ca6d98
AE		 1620 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1621 hlen = L2CAP_EXT_HDR_SIZE;
1622 else
1623 hlen = L2CAP_ENH_HDR_SIZE;
1624
c74e560c 1625 if (sdulen)
03a51213 1626 hlen += L2CAP_SDULEN_SIZE;
c74e560c 1627
47d1ec61 1628 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1629 hlen += L2CAP_FCS_SIZE;
fcc203c3 1630
1c2acffb 1631 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1632
1633 skb = chan->ops->alloc_skb(chan, count + hlen,
1634 msg->msg_flags & MSG_DONTWAIT, &err);
1635
1c2acffb 1636 if (!skb)
0175d629 1637 return ERR_PTR(err);
1c2acffb
GP		 1638
1639 /* Create L2CAP header */
1640 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1641 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1642 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0
AE		 1643
1644 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
1645
c74e560c 1646 if (sdulen)
03a51213 1647 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 1648
0952a57a 1649 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1650 if (unlikely(err < 0)) {
1651 kfree_skb(skb);
1652 return ERR_PTR(err);
1653 }
e90bac06 1654
47d1ec61 1655 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1656 put_unaligned_le16(0, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3 1657
e90bac06 1658 bt_cb(skb)->retries = 0;
1c2acffb 1659 return skb;
1da177e4
LT		 1660}
1661
67c9e840 1662static int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
c74e560c 1663{
c74e560c
GP		 1664 struct sk_buff *skb;
1665 struct sk_buff_head sar_queue;
88843ab0 1666 u32 control;
c74e560c
GP		 1667 size_t size = 0;
1668
ff12fd64 1669 skb_queue_head_init(&sar_queue);
7e0ef6ee 1670 control = __set_ctrl_sar(chan, L2CAP_SAR_START);
47d1ec61 1671 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
c74e560c
GP		 1672 if (IS_ERR(skb))
1673 return PTR_ERR(skb);
1674
1675 __skb_queue_tail(&sar_queue, skb);
2c03a7a4
GP		 1676 len -= chan->remote_mps;
1677 size += chan->remote_mps;
c74e560c
GP		 1678
1679 while (len > 0) {
1680 size_t buflen;
1681
2c03a7a4 1682 if (len > chan->remote_mps) {
7e0ef6ee 1683 control = __set_ctrl_sar(chan, L2CAP_SAR_CONTINUE);
2c03a7a4 1684 buflen = chan->remote_mps;
c74e560c 1685 } else {
7e0ef6ee 1686 control = __set_ctrl_sar(chan, L2CAP_SAR_END);
c74e560c
GP		 1687 buflen = len;
1688 }
1689
47d1ec61 1690 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
c74e560c
GP		 1691 if (IS_ERR(skb)) {
1692 skb_queue_purge(&sar_queue);
1693 return PTR_ERR(skb);
1694 }
1695
1696 __skb_queue_tail(&sar_queue, skb);
1697 len -= buflen;
1698 size += buflen;
c74e560c 1699 }
58d35f87
GP		 1700 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
1701 if (chan->tx_send_head == NULL)
1702 chan->tx_send_head = sar_queue.next;
c74e560c
GP		 1703
1704 return size;
1705}
1706
5e59b791
LAD		 1707int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
1708 u32 priority)
9a91a04a 1709{
9a91a04a 1710 struct sk_buff *skb;
88843ab0 1711 u32 control;
9a91a04a
GP		 1712 int err;
1713
1714 /* Connectionless channel */
715ec005 1715 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 1716 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 1717 if (IS_ERR(skb))
1718 return PTR_ERR(skb);
1719
1720 l2cap_do_send(chan, skb);
1721 return len;
1722 }
1723
1724 switch (chan->mode) {
1725 case L2CAP_MODE_BASIC:
1726 /* Check outgoing MTU */
1727 if (len > chan->omtu)
1728 return -EMSGSIZE;
1729
1730 /* Create a basic PDU */
5e59b791 1731 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 1732 if (IS_ERR(skb))
1733 return PTR_ERR(skb);
1734
1735 l2cap_do_send(chan, skb);
1736 err = len;
1737 break;
1738
1739 case L2CAP_MODE_ERTM:
1740 case L2CAP_MODE_STREAMING:
1741 /* Entire SDU fits into one PDU */
1742 if (len <= chan->remote_mps) {
7e0ef6ee 1743 control = __set_ctrl_sar(chan, L2CAP_SAR_UNSEGMENTED);
9a91a04a
GP		 1744 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
1745 0);
1746 if (IS_ERR(skb))
1747 return PTR_ERR(skb);
1748
1749 __skb_queue_tail(&chan->tx_q, skb);
1750
1751 if (chan->tx_send_head == NULL)
1752 chan->tx_send_head = skb;
1753
1754 } else {
1755 /* Segment SDU into multiples PDUs */
1756 err = l2cap_sar_segment_sdu(chan, msg, len);
1757 if (err < 0)
1758 return err;
1759 }
1760
1761 if (chan->mode == L2CAP_MODE_STREAMING) {
1762 l2cap_streaming_send(chan);
1763 err = len;
1764 break;
1765 }
1766
e2ab4353
GP		 1767 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
1768 test_bit(CONN_WAIT_F, &chan->conn_state)) {
9a91a04a
GP		 1769 err = len;
1770 break;
1771 }
1772
1773 err = l2cap_ertm_send(chan);
1774 if (err >= 0)
1775 err = len;
1776
1777 break;
1778
1779 default:
1780 BT_DBG("bad state %1.1x", chan->mode);
1781 err = -EBADFD;
1782 }
1783
1784 return err;
1785}
1786
1da177e4
LT		 1787/* Copy frame to all raw sockets on that connection */
1788static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1789{
1da177e4 1790 struct sk_buff *nskb;
48454079 1791 struct l2cap_chan *chan;
1da177e4
LT		 1792
1793 BT_DBG("conn %p", conn);
1794
3d57dc68
GP		 1795 rcu_read_lock();
1796
1797 list_for_each_entry_rcu(chan, &conn->chan_l, list) {
48454079 1798 struct sock *sk = chan->sk;
715ec005 1799 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 1800 continue;
1801
1802 /* Don't send frame to the socket it came from */
1803 if (skb->sk == sk)
1804 continue;
af05b30b
GP		 1805 nskb = skb_clone(skb, GFP_ATOMIC);
1806 if (!nskb)
1da177e4
LT		 1807 continue;
1808
23070494 1809 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT		 1810 kfree_skb(nskb);
1811 }
3d57dc68
GP		 1812
1813 rcu_read_unlock();
1da177e4
LT		 1814}
1815
1816/* ---- L2CAP signalling commands ---- */
1817static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1818 u8 code, u8 ident, u16 dlen, void *data)
1819{
1820 struct sk_buff *skb, **frag;
1821 struct l2cap_cmd_hdr *cmd;
1822 struct l2cap_hdr *lh;
1823 int len, count;
1824
af05b30b
GP		 1825 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1826 conn, code, ident, dlen);
1da177e4
LT		 1827
1828 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1829 count = min_t(unsigned int, conn->mtu, len);
1830
1831 skb = bt_skb_alloc(count, GFP_ATOMIC);
1832 if (!skb)
1833 return NULL;
1834
1835 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 1836 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 1837
1838 if (conn->hcon->type == LE_LINK)
1839 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
1840 else
1841 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 1842
1843 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1844 cmd->code = code;
1845 cmd->ident = ident;
aca3192c 1846 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 1847
1848 if (dlen) {
1849 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1850 memcpy(skb_put(skb, count), data, count);
1851 data += count;
1852 }
1853
1854 len -= skb->len;
1855
1856 /* Continuation fragments (no L2CAP header) */
1857 frag = &skb_shinfo(skb)->frag_list;
1858 while (len) {
1859 count = min_t(unsigned int, conn->mtu, len);
1860
1861 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1862 if (!*frag)
1863 goto fail;
1864
1865 memcpy(skb_put(*frag, count), data, count);
1866
1867 len -= count;
1868 data += count;
1869
1870 frag = &(*frag)->next;
1871 }
1872
1873 return skb;
1874
1875fail:
1876 kfree_skb(skb);
1877 return NULL;
1878}
1879
1880static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1881{
1882 struct l2cap_conf_opt *opt = *ptr;
1883 int len;
1884
1885 len = L2CAP_CONF_OPT_SIZE + opt->len;
1886 *ptr += len;
1887
1888 *type = opt->type;
1889 *olen = opt->len;
1890
1891 switch (opt->len) {
1892 case 1:
1893 *val = *((u8 *) opt->val);
1894 break;
1895
1896 case 2:
bfaaeb3e 1897 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 1898 break;
1899
1900 case 4:
bfaaeb3e 1901 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 1902 break;
1903
1904 default:
1905 *val = (unsigned long) opt->val;
1906 break;
1907 }
1908
1909 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1910 return len;
1911}
1912
1da177e4
LT		 1913static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1914{
1915 struct l2cap_conf_opt *opt = *ptr;
1916
1917 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1918
1919 opt->type = type;
1920 opt->len = len;
1921
1922 switch (len) {
1923 case 1:
1924 *((u8 *) opt->val) = val;
1925 break;
1926
1927 case 2:
4f8b691c 1928 put_unaligned_le16(val, opt->val);
1da177e4
LT		 1929 break;
1930
1931 case 4:
4f8b691c 1932 put_unaligned_le32(val, opt->val);
1da177e4
LT		 1933 break;
1934
1935 default:
1936 memcpy(opt->val, (void *) val, len);
1937 break;
1938 }
1939
1940 *ptr += L2CAP_CONF_OPT_SIZE + len;
1941}
1942
f89cef09
AE		 1943static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
1944{
1945 struct l2cap_conf_efs efs;
1946
1ec918ce 1947 switch (chan->mode) {
f89cef09
AE		 1948 case L2CAP_MODE_ERTM:
1949 efs.id = chan->local_id;
1950 efs.stype = chan->local_stype;
1951 efs.msdu = cpu_to_le16(chan->local_msdu);
1952 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
1953 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
1954 efs.flush_to = cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
1955 break;
1956
1957 case L2CAP_MODE_STREAMING:
1958 efs.id = 1;
1959 efs.stype = L2CAP_SERV_BESTEFFORT;
1960 efs.msdu = cpu_to_le16(chan->local_msdu);
1961 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
1962 efs.acc_lat = 0;
1963 efs.flush_to = 0;
1964 break;
1965
1966 default:
1967 return;
1968 }
1969
1970 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
1971 (unsigned long) &efs);
1972}
1973
721c4181 1974static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 1975{
721c4181
GP		 1976 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1977 ack_timer.work);
c1b4f43b 1978
2fb9b3d4
GP		 1979 BT_DBG("chan %p", chan);
1980
721c4181 1981 lock_sock(chan->sk);
b17e73bb 1982 __l2cap_send_ack(chan);
721c4181 1983 release_sock(chan->sk);
09bfb2ee
SJ		 1984
1985 l2cap_chan_put(chan);
c1b4f43b
GP		 1986}
1987
525cd185 1988static inline void l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 1989{
42e5c802 1990 chan->expected_ack_seq = 0;
6a026610 1991 chan->unacked_frames = 0;
42e5c802 1992 chan->buffer_seq = 0;
6a026610
GP		 1993 chan->num_acked = 0;
1994 chan->frames_sent = 0;
0565c1c2 1995
721c4181
GP		 1996 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
1997 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
1998 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 1999
f1c6775b 2000 skb_queue_head_init(&chan->srej_q);
1890d36b 2001
39d5a3ee 2002 INIT_LIST_HEAD(&chan->srej_l);
0565c1c2
GP		 2003}
2004
f2fcfcd6
GP		 2005static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2006{
2007 switch (mode) {
2008 case L2CAP_MODE_STREAMING:
2009 case L2CAP_MODE_ERTM:
2010 if (l2cap_mode_supported(mode, remote_feat_mask))
2011 return mode;
2012 /* fall through */
2013 default:
2014 return L2CAP_MODE_BASIC;
2015 }
2016}
2017
6327eb98
AE		 2018static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2019{
2020 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2021}
2022
f89cef09
AE		 2023static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2024{
2025 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2026}
2027
6327eb98
AE		 2028static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2029{
2030 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 2031 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2032 /* use extended control field */
2033 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2034 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2035 } else {
6327eb98
AE		 2036 chan->tx_win = min_t(u16, chan->tx_win,
2037 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2038 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2039 }
6327eb98
AE		 2040}
2041
710f9b0a 2042static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2043{
1da177e4 2044 struct l2cap_conf_req *req = data;
0c1bc5c6 2045 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2046 void *ptr = req->data;
c8f79162 2047 u16 size;
1da177e4 2048
49208c9c 2049 BT_DBG("chan %p", chan);
1da177e4 2050
73ffa904 2051 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2052 goto done;
2053
0c1bc5c6 2054 switch (chan->mode) {
f2fcfcd6
GP		 2055 case L2CAP_MODE_STREAMING:
2056 case L2CAP_MODE_ERTM:
c1360a1c 2057 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2058 break;
85eb53c6 2059
f89cef09
AE		 2060 if (__l2cap_efs_supported(chan))
2061 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2062
2ba13ed6 2063 /* fall through */
f2fcfcd6 2064 default:
8c1d787b 2065 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2066 break;
2067 }
2068
2069done:
0c1bc5c6
GP		 2070 if (chan->imtu != L2CAP_DEFAULT_MTU)
2071 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2072
0c1bc5c6 2073 switch (chan->mode) {
65c7c491 2074 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2075 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2076 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2077 break;
2078
62547752
GP		 2079 rfc.mode = L2CAP_MODE_BASIC;
2080 rfc.txwin_size = 0;
2081 rfc.max_transmit = 0;
2082 rfc.retrans_timeout = 0;
2083 rfc.monitor_timeout = 0;
2084 rfc.max_pdu_size = 0;
2085
63406504
GP		 2086 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2087 (unsigned long) &rfc);
65c7c491
MH		 2088 break;
2089
2090 case L2CAP_MODE_ERTM:
2091 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2092 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2093 rfc.retrans_timeout = 0;
2094 rfc.monitor_timeout = 0;
c8f79162
AE		 2095
2096 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2097 L2CAP_EXT_HDR_SIZE -
2098 L2CAP_SDULEN_SIZE -
2099 L2CAP_FCS_SIZE);
2100 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2101
6327eb98
AE		 2102 l2cap_txwin_setup(chan);
2103
2104 rfc.txwin_size = min_t(u16, chan->tx_win,
2105 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2106
63406504
GP		 2107 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2108 (unsigned long) &rfc);
2109
f89cef09
AE		 2110 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2111 l2cap_add_opt_efs(&ptr, chan);
2112
8c1d787b 2113 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2114 break;
2115
47d1ec61 2116 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2117 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2118 chan->fcs = L2CAP_FCS_NONE;
2119 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2120 }
6327eb98
AE		 2121
2122 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2123 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2124 chan->tx_win);
f2fcfcd6
GP		 2125 break;
2126
2127 case L2CAP_MODE_STREAMING:
2128 rfc.mode = L2CAP_MODE_STREAMING;
2129 rfc.txwin_size = 0;
2130 rfc.max_transmit = 0;
2131 rfc.retrans_timeout = 0;
2132 rfc.monitor_timeout = 0;
c8f79162
AE		 2133
2134 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2135 L2CAP_EXT_HDR_SIZE -
2136 L2CAP_SDULEN_SIZE -
2137 L2CAP_FCS_SIZE);
2138 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2139
63406504
GP		 2140 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2141 (unsigned long) &rfc);
2142
f89cef09
AE		 2143 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2144 l2cap_add_opt_efs(&ptr, chan);
2145
8c1d787b 2146 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2147 break;
2148
47d1ec61 2149 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2150 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2151 chan->fcs = L2CAP_FCS_NONE;
2152 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2153 }
65c7c491
MH		 2154 break;
2155 }
1da177e4 2156
fe4128e0 2157 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 2158 req->flags = cpu_to_le16(0);
1da177e4
LT		 2159
2160 return ptr - data;
2161}
2162
73ffa904 2163static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2164{
5dee9e7c
MH		 2165 struct l2cap_conf_rsp *rsp = data;
2166 void *ptr = rsp->data;
73ffa904
GP		 2167 void *req = chan->conf_req;
2168 int len = chan->conf_len;
5dee9e7c
MH		 2169 int type, hint, olen;
2170 unsigned long val;
6464f35f 2171 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2172 struct l2cap_conf_efs efs;
2173 u8 remote_efs = 0;
861d6882 2174 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2175 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2176 u16 size;
1da177e4 2177
73ffa904 2178 BT_DBG("chan %p", chan);
820ae1b8 2179
5dee9e7c
MH		 2180 while (len >= L2CAP_CONF_OPT_SIZE) {
2181 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2182
589d2746 2183 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2184 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2185
2186 switch (type) {
2187 case L2CAP_CONF_MTU:
861d6882 2188 mtu = val;
5dee9e7c
MH		 2189 break;
2190
2191 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2192 chan->flush_to = val;
5dee9e7c
MH		 2193 break;
2194
2195 case L2CAP_CONF_QOS:
2196 break;
2197
6464f35f
MH		 2198 case L2CAP_CONF_RFC:
2199 if (olen == sizeof(rfc))
2200 memcpy(&rfc, (void *) val, olen);
2201 break;
2202
fcc203c3
GP		 2203 case L2CAP_CONF_FCS:
2204 if (val == L2CAP_FCS_NONE)
c1360a1c 2205 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 2206 break;
fcc203c3 2207
42dceae2
AE		 2208 case L2CAP_CONF_EFS:
2209 remote_efs = 1;
2210 if (olen == sizeof(efs))
2211 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 2212 break;
2213
6327eb98
AE		 2214 case L2CAP_CONF_EWS:
2215 if (!enable_hs)
2216 return -ECONNREFUSED;
fcc203c3 2217
6327eb98
AE		 2218 set_bit(FLAG_EXT_CTRL, &chan->flags);
2219 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 2220 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 2221 chan->remote_tx_win = val;
fcc203c3
GP		 2222 break;
2223
5dee9e7c
MH		 2224 default:
2225 if (hint)
2226 break;
2227
2228 result = L2CAP_CONF_UNKNOWN;
2229 *((u8 *) ptr++) = type;
2230 break;
2231 }
2232 }
2233
73ffa904 2234 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2235 goto done;
2236
0c1bc5c6 2237 switch (chan->mode) {
f2fcfcd6
GP		 2238 case L2CAP_MODE_STREAMING:
2239 case L2CAP_MODE_ERTM:
c1360a1c 2240 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2241 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2242 chan->conn->feat_mask);
85eb53c6
GP		 2243 break;
2244 }
2245
42dceae2
AE		 2246 if (remote_efs) {
2247 if (__l2cap_efs_supported(chan))
2248 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2249 else
2250 return -ECONNREFUSED;
2251 }
2252
0c1bc5c6 2253 if (chan->mode != rfc.mode)
f2fcfcd6 2254 return -ECONNREFUSED;
742e519b 2255
f2fcfcd6 2256 break;
f2fcfcd6
GP		 2257 }
2258
2259done:
0c1bc5c6 2260 if (chan->mode != rfc.mode) {
f2fcfcd6 2261 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2262 rfc.mode = chan->mode;
f2fcfcd6 2263
73ffa904 2264 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2265 return -ECONNREFUSED;
2266
2267 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2268 sizeof(rfc), (unsigned long) &rfc);
2269 }
2270
5dee9e7c
MH		 2271 if (result == L2CAP_CONF_SUCCESS) {
2272 /* Configure output options and let the other side know
2273 * which ones we don't like. */
2274
f2fcfcd6
GP		 2275 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2276 result = L2CAP_CONF_UNACCEPT;
2277 else {
0c1bc5c6 2278 chan->omtu = mtu;
c1360a1c 2279 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 2280 }
0c1bc5c6 2281 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2282
42dceae2
AE		 2283 if (remote_efs) {
2284 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2285 efs.stype != L2CAP_SERV_NOTRAFIC &&
2286 efs.stype != chan->local_stype) {
2287
2288 result = L2CAP_CONF_UNACCEPT;
2289
2290 if (chan->num_conf_req >= 1)
2291 return -ECONNREFUSED;
2292
2293 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 2294 sizeof(efs),
42dceae2 2295 (unsigned long) &efs);
0e8b207e 2296 } else {
3e6b3b95 2297 /* Send PENDING Conf Rsp */
0e8b207e
AE		 2298 result = L2CAP_CONF_PENDING;
2299 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 2300 }
2301 }
2302
f2fcfcd6
GP		 2303 switch (rfc.mode) {
2304 case L2CAP_MODE_BASIC:
47d1ec61 2305 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2306 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 2307 break;
2308
2309 case L2CAP_MODE_ERTM:
6327eb98
AE		 2310 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
2311 chan->remote_tx_win = rfc.txwin_size;
2312 else
2313 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 2314
2c03a7a4 2315 chan->remote_max_tx = rfc.max_transmit;
1c762159 2316
c8f79162
AE		 2317 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2318 chan->conn->mtu -
2319 L2CAP_EXT_HDR_SIZE -
2320 L2CAP_SDULEN_SIZE -
2321 L2CAP_FCS_SIZE);
2322 rfc.max_pdu_size = cpu_to_le16(size);
2323 chan->remote_mps = size;
f2fcfcd6 2324
10467e9e
GP		 2325 rfc.retrans_timeout =
2326 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2327 rfc.monitor_timeout =
2328 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2329
c1360a1c 2330 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2331
2332 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2333 sizeof(rfc), (unsigned long) &rfc);
2334
42dceae2
AE		 2335 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2336 chan->remote_id = efs.id;
2337 chan->remote_stype = efs.stype;
2338 chan->remote_msdu = le16_to_cpu(efs.msdu);
2339 chan->remote_flush_to =
2340 le32_to_cpu(efs.flush_to);
2341 chan->remote_acc_lat =
2342 le32_to_cpu(efs.acc_lat);
2343 chan->remote_sdu_itime =
2344 le32_to_cpu(efs.sdu_itime);
2345 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2346 sizeof(efs), (unsigned long) &efs);
2347 }
f2fcfcd6
GP		 2348 break;
2349
2350 case L2CAP_MODE_STREAMING:
c8f79162
AE		 2351 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2352 chan->conn->mtu -
2353 L2CAP_EXT_HDR_SIZE -
2354 L2CAP_SDULEN_SIZE -
2355 L2CAP_FCS_SIZE);
2356 rfc.max_pdu_size = cpu_to_le16(size);
2357 chan->remote_mps = size;
f2fcfcd6 2358
c1360a1c 2359 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2360
2361 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2362 sizeof(rfc), (unsigned long) &rfc);
2363
f2fcfcd6
GP		 2364 break;
2365
2366 default:
5dee9e7c 2367 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2368
6464f35f 2369 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2370 rfc.mode = chan->mode;
f2fcfcd6 2371 }
6464f35f 2372
f2fcfcd6 2373 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 2374 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 2375 }
fe4128e0 2376 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2377 rsp->result = cpu_to_le16(result);
2378 rsp->flags = cpu_to_le16(0x0000);
2379
2380 return ptr - data;
1da177e4
LT		 2381}
2382
b4450035 2383static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2384{
f2fcfcd6
GP		 2385 struct l2cap_conf_req *req = data;
2386 void *ptr = req->data;
2387 int type, olen;
2388 unsigned long val;
36e999a8 2389 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 2390 struct l2cap_conf_efs efs;
f2fcfcd6 2391
fe4128e0 2392 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 2393
2394 while (len >= L2CAP_CONF_OPT_SIZE) {
2395 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2396
2397 switch (type) {
2398 case L2CAP_CONF_MTU:
2399 if (val < L2CAP_DEFAULT_MIN_MTU) {
2400 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2401 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2402 } else
0c1bc5c6
GP		 2403 chan->imtu = val;
2404 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 2405 break;
2406
2407 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2408 chan->flush_to = val;
f2fcfcd6 2409 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 2410 2, chan->flush_to);
f2fcfcd6
GP		 2411 break;
2412
2413 case L2CAP_CONF_RFC:
2414 if (olen == sizeof(rfc))
2415 memcpy(&rfc, (void *)val, olen);
2416
c1360a1c 2417 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 2418 rfc.mode != chan->mode)
f2fcfcd6
GP		 2419 return -ECONNREFUSED;
2420
47d1ec61 2421 chan->fcs = 0;
f2fcfcd6
GP		 2422
2423 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2424 sizeof(rfc), (unsigned long) &rfc);
2425 break;
6327eb98
AE		 2426
2427 case L2CAP_CONF_EWS:
2428 chan->tx_win = min_t(u16, val,
2429 L2CAP_DEFAULT_EXT_WINDOW);
3e6b3b95
GP		 2430 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2431 chan->tx_win);
6327eb98 2432 break;
66af7aaf
AE		 2433
2434 case L2CAP_CONF_EFS:
2435 if (olen == sizeof(efs))
2436 memcpy(&efs, (void *)val, olen);
2437
2438 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2439 efs.stype != L2CAP_SERV_NOTRAFIC &&
2440 efs.stype != chan->local_stype)
2441 return -ECONNREFUSED;
2442
2443 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2444 sizeof(efs), (unsigned long) &efs);
2445 break;
f2fcfcd6
GP		 2446 }
2447 }
2448
0c1bc5c6 2449 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 2450 return -ECONNREFUSED;
2451
0c1bc5c6 2452 chan->mode = rfc.mode;
6c2ea7a8 2453
0e8b207e 2454 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 2455 switch (rfc.mode) {
2456 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2457 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2458 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2459 chan->mps = le16_to_cpu(rfc.max_pdu_size);
66af7aaf
AE		 2460
2461 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2462 chan->local_msdu = le16_to_cpu(efs.msdu);
2463 chan->local_sdu_itime =
2464 le32_to_cpu(efs.sdu_itime);
2465 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
2466 chan->local_flush_to =
2467 le32_to_cpu(efs.flush_to);
2468 }
f2fcfcd6 2469 break;
66af7aaf 2470
f2fcfcd6 2471 case L2CAP_MODE_STREAMING:
47d1ec61 2472 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2473 }
2474 }
2475
fe4128e0 2476 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 2477 req->flags = cpu_to_le16(0x0000);
2478
2479 return ptr - data;
2480}
2481
fe4128e0 2482static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 2483{
2484 struct l2cap_conf_rsp *rsp = data;
2485 void *ptr = rsp->data;
1da177e4 2486
fe4128e0 2487 BT_DBG("chan %p", chan);
1da177e4 2488
fe4128e0 2489 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 2490 rsp->result = cpu_to_le16(result);
aca3192c 2491 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2492
2493 return ptr - data;
2494}
2495
8c1d787b 2496void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 2497{
2498 struct l2cap_conn_rsp rsp;
8c1d787b 2499 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 2500 u8 buf[128];
2501
fe4128e0
GP		 2502 rsp.scid = cpu_to_le16(chan->dcid);
2503 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 2504 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2505 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2506 l2cap_send_cmd(conn, chan->ident,
2507 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2508
c1360a1c 2509 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 2510 return;
2511
710f9b0a
GP		 2512 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2513 l2cap_build_conf_req(chan, buf), buf);
2514 chan->num_conf_req++;
2515}
2516
47d1ec61 2517static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 2518{
7b1c0049
GP		 2519 int type, olen;
2520 unsigned long val;
2521 struct l2cap_conf_rfc rfc;
2522
47d1ec61 2523 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 2524
0c1bc5c6 2525 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 2526 return;
2527
2528 while (len >= L2CAP_CONF_OPT_SIZE) {
2529 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2530
2531 switch (type) {
2532 case L2CAP_CONF_RFC:
2533 if (olen == sizeof(rfc))
2534 memcpy(&rfc, (void *)val, olen);
2535 goto done;
2536 }
2537 }
2538
36e999a8
MM		 2539 /* Use sane default values in case a misbehaving remote device
2540 * did not send an RFC option.
2541 */
2542 rfc.mode = chan->mode;
2543 rfc.retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
2544 rfc.monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
2545 rfc.max_pdu_size = cpu_to_le16(chan->imtu);
2546
2547 BT_ERR("Expected RFC option was not found, using defaults");
2548
7b1c0049
GP		 2549done:
2550 switch (rfc.mode) {
2551 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2552 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2553 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2554 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2555 break;
2556 case L2CAP_MODE_STREAMING:
47d1ec61 2557 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2558 }
2559}
2560
4e8402a3
MH		 2561static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2562{
e2fd318e 2563 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 2564
e2fd318e 2565 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 2566 return 0;
2567
2568 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2569 cmd->ident == conn->info_ident) {
17cd3f37 2570 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 2571
2572 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2573 conn->info_ident = 0;
984947dc 2574
4e8402a3
MH		 2575 l2cap_conn_start(conn);
2576 }
2577
2578 return 0;
2579}
2580
1da177e4
LT		 2581static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2582{
1da177e4
LT		 2583 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2584 struct l2cap_conn_rsp rsp;
23691d75 2585 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 2586 struct sock *parent, *sk = NULL;
e7c29cb1 2587 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2588
2589 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2590 __le16 psm = req->psm;
1da177e4
LT		 2591
2592 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2593
2594 /* Check if we have socket listening on psm */
23691d75
GP		 2595 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
2596 if (!pchan) {
1da177e4
LT		 2597 result = L2CAP_CR_BAD_PSM;
2598 goto sendresp;
2599 }
2600
23691d75
GP		 2601 parent = pchan->sk;
2602
aa2ac881 2603 lock_sock(parent);
e0f0cb56 2604
e7c29cb1
MH		 2605 /* Check if the ACL is secure enough (if not SDP) */
2606 if (psm != cpu_to_le16(0x0001) &&
2607 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 2608 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 2609 result = L2CAP_CR_SEC_BLOCK;
2610 goto response;
2611 }
2612
1da177e4
LT		 2613 result = L2CAP_CR_NO_MEM;
2614
2615 /* Check for backlog size */
2616 if (sk_acceptq_is_full(parent)) {
8e87d142 2617 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2618 goto response;
2619 }
2620
80808e43
GP		 2621 chan = pchan->ops->new_connection(pchan->data);
2622 if (!chan)
1da177e4
LT		 2623 goto response;
2624
80808e43
GP		 2625 sk = chan->sk;
2626
1da177e4 2627 /* Check if we already have channel with that dcid */
baa7e1fa 2628 if (__l2cap_get_chan_by_dcid(conn, scid)) {
1da177e4 2629 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 2630 chan->ops->close(chan->data);
1da177e4
LT		 2631 goto response;
2632 }
2633
2634 hci_conn_hold(conn->hcon);
2635
1da177e4
LT		 2636 bacpy(&bt_sk(sk)->src, conn->src);
2637 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 2638 chan->psm = psm;
2639 chan->dcid = scid;
1da177e4 2640
d1010240
GP		 2641 bt_accept_enqueue(parent, sk);
2642
3d57dc68 2643 l2cap_chan_add(conn, chan);
48454079 2644
fe4128e0 2645 dcid = chan->scid;
1da177e4 2646
c9b66675 2647 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 2648
fc7f8a7e 2649 chan->ident = cmd->ident;
1da177e4 2650
984947dc 2651 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 2652 if (l2cap_chan_check_security(chan)) {
f66dc81f 2653 if (bt_sk(sk)->defer_setup) {
89bc500e 2654 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 2655 result = L2CAP_CR_PEND;
2656 status = L2CAP_CS_AUTHOR_PEND;
2657 parent->sk_data_ready(parent, 0);
2658 } else {
89bc500e 2659 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 2660 result = L2CAP_CR_SUCCESS;
2661 status = L2CAP_CS_NO_INFO;
2662 }
79d554a6 2663 } else {
89bc500e 2664 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2665 result = L2CAP_CR_PEND;
2666 status = L2CAP_CS_AUTHEN_PEND;
2667 }
2668 } else {
89bc500e 2669 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2670 result = L2CAP_CR_PEND;
2671 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2672 }
2673
1da177e4 2674response:
aa2ac881 2675 release_sock(parent);
1da177e4
LT		 2676
2677sendresp:
aca3192c
YH		 2678 rsp.scid = cpu_to_le16(scid);
2679 rsp.dcid = cpu_to_le16(dcid);
2680 rsp.result = cpu_to_le16(result);
2681 rsp.status = cpu_to_le16(status);
1da177e4 2682 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2683
2684 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2685 struct l2cap_info_req info;
2686 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2687
2688 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2689 conn->info_ident = l2cap_get_ident(conn);
2690
030013d8 2691 schedule_delayed_work(&conn->info_timer,
79d554a6
MH		 2692 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2693
2694 l2cap_send_cmd(conn, conn->info_ident,
2695 L2CAP_INFO_REQ, sizeof(info), &info);
2696 }
2697
c1360a1c 2698 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 2699 result == L2CAP_CR_SUCCESS) {
2700 u8 buf[128];
c1360a1c 2701 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 2702 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2703 l2cap_build_conf_req(chan, buf), buf);
2704 chan->num_conf_req++;
e9aeb2dd
GP		 2705 }
2706
1da177e4
LT		 2707 return 0;
2708}
2709
2710static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2711{
2712 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2713 u16 scid, dcid, result, status;
48454079 2714 struct l2cap_chan *chan;
1da177e4
LT		 2715 struct sock *sk;
2716 u8 req[128];
2717
2718 scid = __le16_to_cpu(rsp->scid);
2719 dcid = __le16_to_cpu(rsp->dcid);
2720 result = __le16_to_cpu(rsp->result);
2721 status = __le16_to_cpu(rsp->status);
2722
2723 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2724
2725 if (scid) {
baa7e1fa 2726 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2727 if (!chan)
57d3b22b 2728 return -EFAULT;
1da177e4 2729 } else {
baa7e1fa 2730 chan = l2cap_get_chan_by_ident(conn, cmd->ident);
48454079 2731 if (!chan)
57d3b22b 2732 return -EFAULT;
1da177e4
LT		 2733 }
2734
48454079
GP		 2735 sk = chan->sk;
2736
1da177e4
LT		 2737 switch (result) {
2738 case L2CAP_CR_SUCCESS:
89bc500e 2739 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 2740 chan->ident = 0;
fe4128e0 2741 chan->dcid = dcid;
c1360a1c 2742 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 2743
c1360a1c 2744 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 2745 break;
2746
1da177e4 2747 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2748 l2cap_build_conf_req(chan, req), req);
2749 chan->num_conf_req++;
1da177e4
LT		 2750 break;
2751
2752 case L2CAP_CR_PEND:
c1360a1c 2753 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 2754 break;
2755
2756 default:
48454079 2757 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 2758 break;
2759 }
2760
aa2ac881 2761 release_sock(sk);
1da177e4
LT		 2762 return 0;
2763}
2764
47d1ec61 2765static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 2766{
2767 /* FCS is enabled only in ERTM or streaming mode, if one or both
2768 * sides request it.
2769 */
0c1bc5c6 2770 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 2771 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2772 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 2773 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 2774}
2775
88219a0f 2776static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2777{
2778 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2779 u16 dcid, flags;
2780 u8 rsp[64];
48454079 2781 struct l2cap_chan *chan;
1da177e4 2782 struct sock *sk;
5dee9e7c 2783 int len;
1da177e4
LT		 2784
2785 dcid = __le16_to_cpu(req->dcid);
2786 flags = __le16_to_cpu(req->flags);
2787
2788 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2789
baa7e1fa 2790 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2791 if (!chan)
1da177e4
LT		 2792 return -ENOENT;
2793
48454079
GP		 2794 sk = chan->sk;
2795
033b1142 2796 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 2797 struct l2cap_cmd_rej_cid rej;
2798
2799 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
2800 rej.scid = cpu_to_le16(chan->scid);
2801 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 2802
df6bd743
GP		 2803 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2804 sizeof(rej), &rej);
354f60a9 2805 goto unlock;
df6bd743 2806 }
354f60a9 2807
5dee9e7c 2808 /* Reject if config buffer is too small. */
88219a0f 2809 len = cmd_len - sizeof(*req);
7ac28817 2810 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 2811 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2812 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 2813 L2CAP_CONF_REJECT, flags), rsp);
2814 goto unlock;
2815 }
2816
2817 /* Store config. */
73ffa904
GP		 2818 memcpy(chan->conf_req + chan->conf_len, req->data, len);
2819 chan->conf_len += len;
1da177e4
LT		 2820
2821 if (flags & 0x0001) {
2822 /* Incomplete config. Send empty response. */
2823 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2824 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 2825 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2826 goto unlock;
2827 }
2828
2829 /* Complete config. */
73ffa904 2830 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 2831 if (len < 0) {
e92c8e70 2832 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 2833 goto unlock;
f2fcfcd6 2834 }
1da177e4 2835
5dee9e7c 2836 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 2837 chan->num_conf_rsp++;
5dee9e7c 2838
5dee9e7c 2839 /* Reset config buffer. */
73ffa904 2840 chan->conf_len = 0;
5dee9e7c 2841
c1360a1c 2842 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 2843 goto unlock;
2844
c1360a1c 2845 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 2846 set_default_fcs(chan);
fcc203c3 2847
89bc500e 2848 l2cap_state_change(chan, BT_CONNECTED);
e90bac06 2849
42e5c802
GP		 2850 chan->next_tx_seq = 0;
2851 chan->expected_tx_seq = 0;
58d35f87 2852 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2853 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2854 l2cap_ertm_init(chan);
0565c1c2 2855
cf4cd009 2856 l2cap_chan_ready(chan);
876d9484
MH		 2857 goto unlock;
2858 }
2859
c1360a1c 2860 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 2861 u8 buf[64];
1da177e4 2862 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2863 l2cap_build_conf_req(chan, buf), buf);
2864 chan->num_conf_req++;
1da177e4
LT		 2865 }
2866
0e8b207e
AE		 2867 /* Got Conf Rsp PENDING from remote side and asume we sent
2868 Conf Rsp PENDING in the code above */
2869 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
2870 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
2871
2872 /* check compatibility */
2873
2874 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
2875 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
2876
2877 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 2878 l2cap_build_conf_rsp(chan, rsp,
0e8b207e
AE		 2879 L2CAP_CONF_SUCCESS, 0x0000), rsp);
2880 }
2881
1da177e4 2882unlock:
aa2ac881 2883 release_sock(sk);
1da177e4
LT		 2884 return 0;
2885}
2886
2887static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2888{
2889 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2890 u16 scid, flags, result;
48454079 2891 struct l2cap_chan *chan;
1da177e4 2892 struct sock *sk;
7b1c0049 2893 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 2894
2895 scid = __le16_to_cpu(rsp->scid);
2896 flags = __le16_to_cpu(rsp->flags);
2897 result = __le16_to_cpu(rsp->result);
2898
af05b30b
GP		 2899 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2900 scid, flags, result);
1da177e4 2901
baa7e1fa 2902 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2903 if (!chan)
1da177e4
LT		 2904 return 0;
2905
48454079
GP		 2906 sk = chan->sk;
2907
1da177e4
LT		 2908 switch (result) {
2909 case L2CAP_CONF_SUCCESS:
47d1ec61 2910 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 2911 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 2912 break;
2913
0e8b207e
AE		 2914 case L2CAP_CONF_PENDING:
2915 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
2916
2917 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
2918 char buf[64];
2919
2920 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2921 buf, &result);
2922 if (len < 0) {
2923 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2924 goto done;
2925 }
2926
2927 /* check compatibility */
2928
2929 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
2930 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
2931
2932 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 2933 l2cap_build_conf_rsp(chan, buf,
0e8b207e
AE		 2934 L2CAP_CONF_SUCCESS, 0x0000), buf);
2935 }
2936 goto done;
2937
1da177e4 2938 case L2CAP_CONF_UNACCEPT:
73ffa904 2939 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 2940 char req[64];
2941
c2c77ec8 2942 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 2943 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 2944 goto done;
2945 }
2946
f2fcfcd6
GP		 2947 /* throw out any old stored conf requests */
2948 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 2949 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2950 req, &result);
f2fcfcd6 2951 if (len < 0) {
e92c8e70 2952 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 2953 goto done;
2954 }
2955
2956 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2957 L2CAP_CONF_REQ, len, req);
73ffa904 2958 chan->num_conf_req++;
f2fcfcd6
GP		 2959 if (result != L2CAP_CONF_SUCCESS)
2960 goto done;
2961 break;
1da177e4
LT		 2962 }
2963
8e87d142 2964 default:
b1235d79 2965 sk->sk_err = ECONNRESET;
b83ddfe2
AK		 2966 __set_chan_timer(chan,
2967 msecs_to_jiffies(L2CAP_DISC_REJ_TIMEOUT));
e92c8e70 2968 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 2969 goto done;
2970 }
2971
2972 if (flags & 0x01)
2973 goto done;
2974
c1360a1c 2975 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 2976
c1360a1c 2977 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 2978 set_default_fcs(chan);
fcc203c3 2979
89bc500e 2980 l2cap_state_change(chan, BT_CONNECTED);
42e5c802
GP		 2981 chan->next_tx_seq = 0;
2982 chan->expected_tx_seq = 0;
58d35f87 2983 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2984 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2985 l2cap_ertm_init(chan);
0565c1c2 2986
cf4cd009 2987 l2cap_chan_ready(chan);
1da177e4
LT		 2988 }
2989
2990done:
aa2ac881 2991 release_sock(sk);
1da177e4
LT		 2992 return 0;
2993}
2994
2995static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2996{
2997 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2998 struct l2cap_disconn_rsp rsp;
2999 u16 dcid, scid;
48454079 3000 struct l2cap_chan *chan;
1da177e4
LT		 3001 struct sock *sk;
3002
3003 scid = __le16_to_cpu(req->scid);
3004 dcid = __le16_to_cpu(req->dcid);
3005
3006 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3007
baa7e1fa 3008 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3009 if (!chan)
1da177e4
LT		 3010 return 0;
3011
48454079
GP		 3012 sk = chan->sk;
3013
fe4128e0
GP		 3014 rsp.dcid = cpu_to_le16(chan->scid);
3015 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3016 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3017
3018 sk->sk_shutdown = SHUTDOWN_MASK;
3019
48454079 3020 l2cap_chan_del(chan, ECONNRESET);
aa2ac881 3021 release_sock(sk);
1da177e4 3022
ba3bd0ee 3023 chan->ops->close(chan->data);
1da177e4
LT		 3024 return 0;
3025}
3026
3027static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3028{
3029 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3030 u16 dcid, scid;
48454079 3031 struct l2cap_chan *chan;
1da177e4
LT		 3032 struct sock *sk;
3033
3034 scid = __le16_to_cpu(rsp->scid);
3035 dcid = __le16_to_cpu(rsp->dcid);
3036
3037 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3038
baa7e1fa 3039 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3040 if (!chan)
1da177e4
LT		 3041 return 0;
3042
48454079
GP		 3043 sk = chan->sk;
3044
48454079 3045 l2cap_chan_del(chan, 0);
aa2ac881 3046 release_sock(sk);
1da177e4 3047
ba3bd0ee 3048 chan->ops->close(chan->data);
1da177e4
LT		 3049 return 0;
3050}
3051
3052static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3053{
3054 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3055 u16 type;
3056
3057 type = __le16_to_cpu(req->type);
3058
3059 BT_DBG("type 0x%4.4x", type);
3060
f0709e03
MH		 3061 if (type == L2CAP_IT_FEAT_MASK) {
3062 u8 buf[8];
44dd46de 3063 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 3064 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3065 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3066 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3067 if (!disable_ertm)
fcc203c3
GP		 3068 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3069 | L2CAP_FEAT_FCS;
a5fd6f30 3070 if (enable_hs)
6327eb98
AE		 3071 feat_mask |= L2CAP_FEAT_EXT_FLOW
3072 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3073
1b7bf4ed 3074 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3075 l2cap_send_cmd(conn, cmd->ident,
3076 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3077 } else if (type == L2CAP_IT_FIXED_CHAN) {
3078 u8 buf[12];
3079 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3080
3081 if (enable_hs)
3082 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3083 else
3084 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3085
e1027a7c
MH		 3086 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3087 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3088 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH		 3089 l2cap_send_cmd(conn, cmd->ident,
3090 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3091 } else {
3092 struct l2cap_info_rsp rsp;
3093 rsp.type = cpu_to_le16(type);
3094 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3095 l2cap_send_cmd(conn, cmd->ident,
3096 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3097 }
1da177e4
LT		 3098
3099 return 0;
3100}
3101
3102static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3103{
3104 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3105 u16 type, result;
3106
3107 type = __le16_to_cpu(rsp->type);
3108 result = __le16_to_cpu(rsp->result);
3109
3110 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3111
e90165be
AE		 3112 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3113 if (cmd->ident != conn->info_ident ||
3114 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3115 return 0;
3116
17cd3f37 3117 cancel_delayed_work(&conn->info_timer);
4e8402a3 3118
adb08ede
VT		 3119 if (result != L2CAP_IR_SUCCESS) {
3120 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3121 conn->info_ident = 0;
3122
3123 l2cap_conn_start(conn);
3124
3125 return 0;
3126 }
3127
984947dc 3128 if (type == L2CAP_IT_FEAT_MASK) {
83985319 3129 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3130
47ec1dcd 3131 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 3132 struct l2cap_info_req req;
3133 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3134
3135 conn->info_ident = l2cap_get_ident(conn);
3136
3137 l2cap_send_cmd(conn, conn->info_ident,
3138 L2CAP_INFO_REQ, sizeof(req), &req);
3139 } else {
3140 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3141 conn->info_ident = 0;
3142
3143 l2cap_conn_start(conn);
3144 }
3145 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 3146 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3147 conn->info_ident = 0;
984947dc
MH		 3148
3149 l2cap_conn_start(conn);
3150 }
4e8402a3 3151
1da177e4
LT		 3152 return 0;
3153}
3154
f94ff6ff
MM		 3155static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3156 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3157 void *data)
3158{
3159 struct l2cap_create_chan_req *req = data;
3160 struct l2cap_create_chan_rsp rsp;
3161 u16 psm, scid;
3162
3163 if (cmd_len != sizeof(*req))
3164 return -EPROTO;
3165
3166 if (!enable_hs)
3167 return -EINVAL;
3168
3169 psm = le16_to_cpu(req->psm);
3170 scid = le16_to_cpu(req->scid);
3171
3172 BT_DBG("psm %d, scid %d, amp_id %d", psm, scid, req->amp_id);
3173
3174 /* Placeholder: Always reject */
3175 rsp.dcid = 0;
3176 rsp.scid = cpu_to_le16(scid);
3177 rsp.result = L2CAP_CR_NO_MEM;
3178 rsp.status = L2CAP_CS_NO_INFO;
3179
3180 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
3181 sizeof(rsp), &rsp);
3182
3183 return 0;
3184}
3185
3186static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
3187 struct l2cap_cmd_hdr *cmd, void *data)
3188{
3189 BT_DBG("conn %p", conn);
3190
3191 return l2cap_connect_rsp(conn, cmd, data);
3192}
3193
8d5a04a1
MM		 3194static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
3195 u16 icid, u16 result)
3196{
3197 struct l2cap_move_chan_rsp rsp;
3198
3199 BT_DBG("icid %d, result %d", icid, result);
3200
3201 rsp.icid = cpu_to_le16(icid);
3202 rsp.result = cpu_to_le16(result);
3203
3204 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
3205}
3206
3207static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
3208 struct l2cap_chan *chan, u16 icid, u16 result)
3209{
3210 struct l2cap_move_chan_cfm cfm;
3211 u8 ident;
3212
3213 BT_DBG("icid %d, result %d", icid, result);
3214
3215 ident = l2cap_get_ident(conn);
3216 if (chan)
3217 chan->ident = ident;
3218
3219 cfm.icid = cpu_to_le16(icid);
3220 cfm.result = cpu_to_le16(result);
3221
3222 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
3223}
3224
3225static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
3226 u16 icid)
3227{
3228 struct l2cap_move_chan_cfm_rsp rsp;
3229
3230 BT_DBG("icid %d", icid);
3231
3232 rsp.icid = cpu_to_le16(icid);
3233 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
3234}
3235
3236static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
3237 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3238{
3239 struct l2cap_move_chan_req *req = data;
3240 u16 icid = 0;
3241 u16 result = L2CAP_MR_NOT_ALLOWED;
3242
3243 if (cmd_len != sizeof(*req))
3244 return -EPROTO;
3245
3246 icid = le16_to_cpu(req->icid);
3247
3248 BT_DBG("icid %d, dest_amp_id %d", icid, req->dest_amp_id);
3249
3250 if (!enable_hs)
3251 return -EINVAL;
3252
3253 /* Placeholder: Always refuse */
3254 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
3255
3256 return 0;
3257}
3258
3259static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
3260 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3261{
3262 struct l2cap_move_chan_rsp *rsp = data;
3263 u16 icid, result;
3264
3265 if (cmd_len != sizeof(*rsp))
3266 return -EPROTO;
3267
3268 icid = le16_to_cpu(rsp->icid);
3269 result = le16_to_cpu(rsp->result);
3270
3271 BT_DBG("icid %d, result %d", icid, result);
3272
3273 /* Placeholder: Always unconfirmed */
3274 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
3275
3276 return 0;
3277}
3278
3279static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
3280 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3281{
3282 struct l2cap_move_chan_cfm *cfm = data;
3283 u16 icid, result;
3284
3285 if (cmd_len != sizeof(*cfm))
3286 return -EPROTO;
3287
3288 icid = le16_to_cpu(cfm->icid);
3289 result = le16_to_cpu(cfm->result);
3290
3291 BT_DBG("icid %d, result %d", icid, result);
3292
3293 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
3294
3295 return 0;
3296}
3297
3298static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
3299 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3300{
3301 struct l2cap_move_chan_cfm_rsp *rsp = data;
3302 u16 icid;
3303
3304 if (cmd_len != sizeof(*rsp))
3305 return -EPROTO;
3306
3307 icid = le16_to_cpu(rsp->icid);
3308
3309 BT_DBG("icid %d", icid);
3310
3311 return 0;
3312}
3313
e2174ca4 3314static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 3315 u16 to_multiplier)
3316{
3317 u16 max_latency;
3318
3319 if (min > max || min < 6 || max > 3200)
3320 return -EINVAL;
3321
3322 if (to_multiplier < 10 || to_multiplier > 3200)
3323 return -EINVAL;
3324
3325 if (max >= to_multiplier * 8)
3326 return -EINVAL;
3327
3328 max_latency = (to_multiplier * 8 / max) - 1;
3329 if (latency > 499 || latency > max_latency)
3330 return -EINVAL;
3331
3332 return 0;
3333}
3334
3335static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
3336 struct l2cap_cmd_hdr *cmd, u8 *data)
3337{
3338 struct hci_conn *hcon = conn->hcon;
3339 struct l2cap_conn_param_update_req *req;
3340 struct l2cap_conn_param_update_rsp rsp;
3341 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 3342 int err;
de73115a
CT		 3343
3344 if (!(hcon->link_mode & HCI_LM_MASTER))
3345 return -EINVAL;
3346
3347 cmd_len = __le16_to_cpu(cmd->len);
3348 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
3349 return -EPROTO;
3350
3351 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 3352 min = __le16_to_cpu(req->min);
3353 max = __le16_to_cpu(req->max);
de73115a
CT		 3354 latency = __le16_to_cpu(req->latency);
3355 to_multiplier = __le16_to_cpu(req->to_multiplier);
3356
3357 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
3358 min, max, latency, to_multiplier);
3359
3360 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 3361
3362 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
3363 if (err)
de73115a
CT		 3364 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
3365 else
3366 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
3367
3368 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
3369 sizeof(rsp), &rsp);
3370
2ce603eb
CT		 3371 if (!err)
3372 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
3373
de73115a
CT		 3374 return 0;
3375}
3376
3300d9a9
CT		 3377static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
3378 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3379{
3380 int err = 0;
3381
3382 switch (cmd->code) {
3383 case L2CAP_COMMAND_REJ:
3384 l2cap_command_rej(conn, cmd, data);
3385 break;
3386
3387 case L2CAP_CONN_REQ:
3388 err = l2cap_connect_req(conn, cmd, data);
3389 break;
3390
3391 case L2CAP_CONN_RSP:
3392 err = l2cap_connect_rsp(conn, cmd, data);
3393 break;
3394
3395 case L2CAP_CONF_REQ:
3396 err = l2cap_config_req(conn, cmd, cmd_len, data);
3397 break;
3398
3399 case L2CAP_CONF_RSP:
3400 err = l2cap_config_rsp(conn, cmd, data);
3401 break;
3402
3403 case L2CAP_DISCONN_REQ:
3404 err = l2cap_disconnect_req(conn, cmd, data);
3405 break;
3406
3407 case L2CAP_DISCONN_RSP:
3408 err = l2cap_disconnect_rsp(conn, cmd, data);
3409 break;
3410
3411 case L2CAP_ECHO_REQ:
3412 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
3413 break;
3414
3415 case L2CAP_ECHO_RSP:
3416 break;
3417
3418 case L2CAP_INFO_REQ:
3419 err = l2cap_information_req(conn, cmd, data);
3420 break;
3421
3422 case L2CAP_INFO_RSP:
3423 err = l2cap_information_rsp(conn, cmd, data);
3424 break;
3425
f94ff6ff
MM		 3426 case L2CAP_CREATE_CHAN_REQ:
3427 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
3428 break;
3429
3430 case L2CAP_CREATE_CHAN_RSP:
3431 err = l2cap_create_channel_rsp(conn, cmd, data);
3432 break;
3433
8d5a04a1
MM		 3434 case L2CAP_MOVE_CHAN_REQ:
3435 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
3436 break;
3437
3438 case L2CAP_MOVE_CHAN_RSP:
3439 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
3440 break;
3441
3442 case L2CAP_MOVE_CHAN_CFM:
3443 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
3444 break;
3445
3446 case L2CAP_MOVE_CHAN_CFM_RSP:
3447 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
3448 break;
3449
3300d9a9
CT		 3450 default:
3451 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
3452 err = -EINVAL;
3453 break;
3454 }
3455
3456 return err;
3457}
3458
3459static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
3460 struct l2cap_cmd_hdr *cmd, u8 *data)
3461{
3462 switch (cmd->code) {
3463 case L2CAP_COMMAND_REJ:
3464 return 0;
3465
3466 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 3467 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 3468
3469 case L2CAP_CONN_PARAM_UPDATE_RSP:
3470 return 0;
3471
3472 default:
3473 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
3474 return -EINVAL;
3475 }
3476}
3477
3478static inline void l2cap_sig_channel(struct l2cap_conn *conn,
3479 struct sk_buff *skb)
1da177e4
LT		 3480{
3481 u8 *data = skb->data;
3482 int len = skb->len;
3483 struct l2cap_cmd_hdr cmd;
3300d9a9 3484 int err;
1da177e4
LT		 3485
3486 l2cap_raw_recv(conn, skb);
3487
3488 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3489 u16 cmd_len;
1da177e4
LT		 3490 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3491 data += L2CAP_CMD_HDR_SIZE;
3492 len -= L2CAP_CMD_HDR_SIZE;
3493
88219a0f 3494 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3495
88219a0f 3496 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3497
88219a0f 3498 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3499 BT_DBG("corrupted command");
3500 break;
3501 }
3502
3300d9a9
CT		 3503 if (conn->hcon->type == LE_LINK)
3504 err = l2cap_le_sig_cmd(conn, &cmd, data);
3505 else
3506 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 3507
3508 if (err) {
e2fd318e 3509 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 3510
3511 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 3512
3513 /* FIXME: Map err to a valid reason */
e2fd318e 3514 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 3515 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3516 }
3517
88219a0f
AV		 3518 data += cmd_len;
3519 len -= cmd_len;
1da177e4
LT		 3520 }
3521
3522 kfree_skb(skb);
3523}
3524
47d1ec61 3525static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 3526{
3527 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 3528 int hdr_size;
3529
3530 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3531 hdr_size = L2CAP_EXT_HDR_SIZE;
3532 else
3533 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 3534
47d1ec61 3535 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 3536 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 3537 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3538 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3539
3540 if (our_fcs != rcv_fcs)
7a560e5c 3541 return -EBADMSG;
fcc203c3
GP		 3542 }
3543 return 0;
3544}
3545
525cd185 3546static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 3547{
88843ab0 3548 u32 control = 0;
d5392c8f 3549
6a026610 3550 chan->frames_sent = 0;
d5392c8f 3551
0b209fae 3552 control |= __set_reqseq(chan, chan->buffer_seq);
d5392c8f 3553
e2ab4353 3554 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 3555 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
525cd185 3556 l2cap_send_sframe(chan, control);
e2ab4353 3557 set_bit(CONN_RNR_SENT, &chan->conn_state);
d5392c8f
GP		 3558 }
3559
e2ab4353 3560 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
525cd185 3561 l2cap_retransmit_frames(chan);
d5392c8f 3562
525cd185 3563 l2cap_ertm_send(chan);
d5392c8f 3564
e2ab4353 3565 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
6a026610 3566 chan->frames_sent == 0) {
ab784b73 3567 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 3568 l2cap_send_sframe(chan, control);
d5392c8f
GP		 3569 }
3570}
3571
fb45de7d 3572static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u16 tx_seq, u8 sar)
8f17154f
GP		 3573{
3574 struct sk_buff *next_skb;
bfbacc11 3575 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 3576
3577 bt_cb(skb)->tx_seq = tx_seq;
3578 bt_cb(skb)->sar = sar;
3579
f1c6775b 3580 next_skb = skb_peek(&chan->srej_q);
8f17154f 3581
836be934 3582 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
bfbacc11 3583
039d9572 3584 while (next_skb) {
9b53350d
JPRV		 3585 if (bt_cb(next_skb)->tx_seq == tx_seq)
3586 return -EINVAL;
3587
836be934
AE		 3588 next_tx_seq_offset = __seq_offset(chan,
3589 bt_cb(next_skb)->tx_seq, chan->buffer_seq);
bfbacc11
JPRV		 3590
3591 if (next_tx_seq_offset > tx_seq_offset) {
f1c6775b 3592 __skb_queue_before(&chan->srej_q, next_skb, skb);
9b53350d 3593 return 0;
8f17154f
GP		 3594 }
3595
f1c6775b 3596 if (skb_queue_is_last(&chan->srej_q, next_skb))
039d9572
SJ		 3597 next_skb = NULL;
3598 else
3599 next_skb = skb_queue_next(&chan->srej_q, next_skb);
3600 }
8f17154f 3601
f1c6775b 3602 __skb_queue_tail(&chan->srej_q, skb);
9b53350d
JPRV		 3603
3604 return 0;
8f17154f
GP		 3605}
3606
84084a31
MM		 3607static void append_skb_frag(struct sk_buff *skb,
3608 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 3609{
84084a31
MM		 3610 /* skb->len reflects data in skb as well as all fragments
3611 * skb->data_len reflects only data in fragments
3612 */
3613 if (!skb_has_frag_list(skb))
3614 skb_shinfo(skb)->frag_list = new_frag;
3615
3616 new_frag->next = NULL;
3617
3618 (*last_frag)->next = new_frag;
3619 *last_frag = new_frag;
3620
3621 skb->len += new_frag->len;
3622 skb->data_len += new_frag->len;
3623 skb->truesize += new_frag->truesize;
3624}
3625
88843ab0 3626static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u32 control)
84084a31
MM		 3627{
3628 int err = -EINVAL;
18778a63 3629
7e0ef6ee
AE		 3630 switch (__get_ctrl_sar(chan, control)) {
3631 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 3632 if (chan->sdu)
3633 break;
18778a63 3634
84084a31
MM		 3635 err = chan->ops->recv(chan->data, skb);
3636 break;
18778a63 3637
7e0ef6ee 3638 case L2CAP_SAR_START:
84084a31
MM		 3639 if (chan->sdu)
3640 break;
18778a63 3641
6f61fd47 3642 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 3643 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 3644
84084a31
MM		 3645 if (chan->sdu_len > chan->imtu) {
3646 err = -EMSGSIZE;
3647 break;
3648 }
1890d36b 3649
84084a31
MM		 3650 if (skb->len >= chan->sdu_len)
3651 break;
18778a63 3652
84084a31
MM		 3653 chan->sdu = skb;
3654 chan->sdu_last_frag = skb;
18778a63 3655
84084a31
MM		 3656 skb = NULL;
3657 err = 0;
18778a63
GP		 3658 break;
3659
7e0ef6ee 3660 case L2CAP_SAR_CONTINUE:
6f61fd47 3661 if (!chan->sdu)
84084a31 3662 break;
18778a63 3663
84084a31
MM		 3664 append_skb_frag(chan->sdu, skb,
3665 &chan->sdu_last_frag);
3666 skb = NULL;
18778a63 3667
84084a31
MM		 3668 if (chan->sdu->len >= chan->sdu_len)
3669 break;
4178ba46 3670
84084a31 3671 err = 0;
18778a63
GP		 3672 break;
3673
7e0ef6ee 3674 case L2CAP_SAR_END:
6f61fd47 3675 if (!chan->sdu)
84084a31 3676 break;
18778a63 3677
84084a31
MM		 3678 append_skb_frag(chan->sdu, skb,
3679 &chan->sdu_last_frag);
3680 skb = NULL;
4178ba46 3681
84084a31
MM		 3682 if (chan->sdu->len != chan->sdu_len)
3683 break;
18778a63 3684
84084a31 3685 err = chan->ops->recv(chan->data, chan->sdu);
1890d36b 3686
84084a31
MM		 3687 if (!err) {
3688 /* Reassembly complete */
3689 chan->sdu = NULL;
3690 chan->sdu_last_frag = NULL;
3691 chan->sdu_len = 0;
1890d36b 3692 }
18778a63
GP		 3693 break;
3694 }
3695
84084a31
MM		 3696 if (err) {
3697 kfree_skb(skb);
3698 kfree_skb(chan->sdu);
3699 chan->sdu = NULL;
3700 chan->sdu_last_frag = NULL;
3701 chan->sdu_len = 0;
3702 }
18778a63 3703
84084a31 3704 return err;
18778a63
GP		 3705}
3706
26f880d2 3707static void l2cap_ertm_enter_local_busy(struct l2cap_chan *chan)
712132eb 3708{
26f880d2 3709 BT_DBG("chan %p, Enter local busy", chan);
712132eb 3710
26f880d2
MM		 3711 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3712
77f918bc 3713 __set_ack_timer(chan);
26f880d2
MM		 3714}
3715
3716static void l2cap_ertm_exit_local_busy(struct l2cap_chan *chan)
3717{
88843ab0 3718 u32 control;
712132eb 3719
e2ab4353 3720 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
712132eb
GP		 3721 goto done;
3722
0b209fae 3723 control = __set_reqseq(chan, chan->buffer_seq);
e3781735 3724 control |= __set_ctrl_poll(chan);
ab784b73 3725 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 3726 l2cap_send_sframe(chan, control);
6a026610 3727 chan->retry_count = 1;
712132eb 3728
1a09bcb9
GP		 3729 __clear_retrans_timer(chan);
3730 __set_monitor_timer(chan);
712132eb 3731
e2ab4353 3732 set_bit(CONN_WAIT_F, &chan->conn_state);
712132eb
GP		 3733
3734done:
e2ab4353
GP		 3735 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3736 clear_bit(CONN_RNR_SENT, &chan->conn_state);
712132eb 3737
49208c9c 3738 BT_DBG("chan %p, Exit local busy", chan);
712132eb
GP		 3739}
3740
e328140f 3741void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
1890d36b 3742{
e328140f
MM		 3743 if (chan->mode == L2CAP_MODE_ERTM) {
3744 if (busy)
3745 l2cap_ertm_enter_local_busy(chan);
3746 else
3747 l2cap_ertm_exit_local_busy(chan);
1890d36b 3748 }
1890d36b
GP		 3749}
3750
fb45de7d 3751static void l2cap_check_srej_gap(struct l2cap_chan *chan, u16 tx_seq)
8f17154f
GP		 3752{
3753 struct sk_buff *skb;
88843ab0 3754 u32 control;
8f17154f 3755
e328140f
MM		 3756 while ((skb = skb_peek(&chan->srej_q)) &&
3757 !test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3758 int err;
3759
8f17154f
GP		 3760 if (bt_cb(skb)->tx_seq != tx_seq)
3761 break;
3762
f1c6775b 3763 skb = skb_dequeue(&chan->srej_q);
7e0ef6ee 3764 control = __set_ctrl_sar(chan, bt_cb(skb)->sar);
84084a31 3765 err = l2cap_reassemble_sdu(chan, skb, control);
e328140f
MM		 3766
3767 if (err < 0) {
3768 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3769 break;
3770 }
3771
836be934
AE		 3772 chan->buffer_seq_srej = __next_seq(chan, chan->buffer_seq_srej);
3773 tx_seq = __next_seq(chan, tx_seq);
8f17154f
GP		 3774 }
3775}
3776
fb45de7d 3777static void l2cap_resend_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 3778{
8f17154f 3779 struct srej_list *l, *tmp;
88843ab0 3780 u32 control;
8f17154f 3781
39d5a3ee 3782 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
8f17154f
GP		 3783 if (l->tx_seq == tx_seq) {
3784 list_del(&l->list);
3785 kfree(l);
3786 return;
3787 }
ab784b73 3788 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 3789 control |= __set_reqseq(chan, l->tx_seq);
525cd185 3790 l2cap_send_sframe(chan, control);
8f17154f 3791 list_del(&l->list);
39d5a3ee 3792 list_add_tail(&l->list, &chan->srej_l);
8f17154f
GP		 3793 }
3794}
3795
aef89f21 3796static int l2cap_send_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 3797{
8f17154f 3798 struct srej_list *new;
88843ab0 3799 u32 control;
8f17154f 3800
42e5c802 3801 while (tx_seq != chan->expected_tx_seq) {
ab784b73 3802 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 3803 control |= __set_reqseq(chan, chan->expected_tx_seq);
525cd185 3804 l2cap_send_sframe(chan, control);
8f17154f
GP		 3805
3806 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
aef89f21
SJ		 3807 if (!new)
3808 return -ENOMEM;
3809
42e5c802 3810 new->tx_seq = chan->expected_tx_seq;
836be934
AE		 3811
3812 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
3813
39d5a3ee 3814 list_add_tail(&new->list, &chan->srej_l);
8f17154f 3815 }
836be934
AE		 3816
3817 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
aef89f21
SJ		 3818
3819 return 0;
8f17154f
GP		 3820}
3821
88843ab0 3822static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
1c2acffb 3823{
fb45de7d 3824 u16 tx_seq = __get_txseq(chan, rx_control);
0b209fae 3825 u16 req_seq = __get_reqseq(chan, rx_control);
7e0ef6ee 3826 u8 sar = __get_ctrl_sar(chan, rx_control);
f6337c77 3827 int tx_seq_offset, expected_tx_seq_offset;
47d1ec61 3828 int num_to_ack = (chan->tx_win/6) + 1;
1c2acffb
GP		 3829 int err = 0;
3830
88843ab0 3831 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%8.8x", chan, skb->len,
525cd185 3832 tx_seq, rx_control);
1c2acffb 3833
03f6715d 3834 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 3835 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 3836 __clear_monitor_timer(chan);
6a026610 3837 if (chan->unacked_frames > 0)
1a09bcb9 3838 __set_retrans_timer(chan);
e2ab4353 3839 clear_bit(CONN_WAIT_F, &chan->conn_state);
1d8f5d16
GP		 3840 }
3841
42e5c802
GP		 3842 chan->expected_ack_seq = req_seq;
3843 l2cap_drop_acked_frames(chan);
9f121a5a 3844
836be934 3845 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
9b53350d
JPRV		 3846
3847 /* invalid tx_seq */
47d1ec61 3848 if (tx_seq_offset >= chan->tx_win) {
8c1d787b 3849 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
9b53350d
JPRV		 3850 goto drop;
3851 }
3852
77f918bc
SJ		 3853 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3854 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
3855 l2cap_send_ack(chan);
1890d36b 3856 goto drop;
77f918bc 3857 }
1890d36b 3858
02f1b641
MM		 3859 if (tx_seq == chan->expected_tx_seq)
3860 goto expected;
3861
e2ab4353 3862 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
8f17154f 3863 struct srej_list *first;
30afb5b2 3864
39d5a3ee 3865 first = list_first_entry(&chan->srej_l,
8f17154f
GP		 3866 struct srej_list, list);
3867 if (tx_seq == first->tx_seq) {
42e5c802 3868 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
525cd185 3869 l2cap_check_srej_gap(chan, tx_seq);
8f17154f
GP		 3870
3871 list_del(&first->list);
3872 kfree(first);
3873
39d5a3ee 3874 if (list_empty(&chan->srej_l)) {
42e5c802 3875 chan->buffer_seq = chan->buffer_seq_srej;
e2ab4353 3876 clear_bit(CONN_SREJ_SENT, &chan->conn_state);
525cd185 3877 l2cap_send_ack(chan);
49208c9c 3878 BT_DBG("chan %p, Exit SREJ_SENT", chan);
8f17154f
GP		 3879 }
3880 } else {
3881 struct srej_list *l;
9b53350d
JPRV		 3882
3883 /* duplicated tx_seq */
42e5c802 3884 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
9b53350d 3885 goto drop;
8f17154f 3886
39d5a3ee 3887 list_for_each_entry(l, &chan->srej_l, list) {
8f17154f 3888 if (l->tx_seq == tx_seq) {
525cd185 3889 l2cap_resend_srejframe(chan, tx_seq);
8f17154f
GP		 3890 return 0;
3891 }
3892 }
aef89f21
SJ		 3893
3894 err = l2cap_send_srejframe(chan, tx_seq);
3895 if (err < 0) {
3896 l2cap_send_disconn_req(chan->conn, chan, -err);
3897 return err;
3898 }
30afb5b2
GP		 3899 }
3900 } else {
836be934
AE		 3901 expected_tx_seq_offset = __seq_offset(chan,
3902 chan->expected_tx_seq, chan->buffer_seq);
9b53350d
JPRV		 3903
3904 /* duplicated tx_seq */
3905 if (tx_seq_offset < expected_tx_seq_offset)
3906 goto drop;
3907
e2ab4353 3908 set_bit(CONN_SREJ_SENT, &chan->conn_state);
1c2acffb 3909
49208c9c 3910 BT_DBG("chan %p, Enter SREJ", chan);
0e98958d 3911
39d5a3ee 3912 INIT_LIST_HEAD(&chan->srej_l);
42e5c802 3913 chan->buffer_seq_srej = chan->buffer_seq;
8f17154f 3914
f1c6775b 3915 __skb_queue_head_init(&chan->srej_q);
42e5c802 3916 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
8f17154f 3917
0ef3ef0f
SJ		 3918 /* Set P-bit only if there are some I-frames to ack. */
3919 if (__clear_ack_timer(chan))
3920 set_bit(CONN_SEND_PBIT, &chan->conn_state);
ef54fd93 3921
aef89f21
SJ		 3922 err = l2cap_send_srejframe(chan, tx_seq);
3923 if (err < 0) {
3924 l2cap_send_disconn_req(chan->conn, chan, -err);
3925 return err;
3926 }
1c2acffb 3927 }
30afb5b2
GP		 3928 return 0;
3929
8f17154f 3930expected:
836be934 3931 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
8f17154f 3932
e2ab4353 3933 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3b1a9f3f
GP		 3934 bt_cb(skb)->tx_seq = tx_seq;
3935 bt_cb(skb)->sar = sar;
f1c6775b 3936 __skb_queue_tail(&chan->srej_q, skb);
8f17154f
GP		 3937 return 0;
3938 }
3939
84084a31 3940 err = l2cap_reassemble_sdu(chan, skb, rx_control);
836be934
AE		 3941 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
3942
e328140f
MM		 3943 if (err < 0) {
3944 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3945 return err;
3946 }
2ece3684 3947
03f6715d 3948 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3949 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3950 l2cap_retransmit_frames(chan);
4ec10d97
GP		 3951 }
3952
c1b4f43b 3953
6a026610
GP		 3954 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3955 if (chan->num_acked == num_to_ack - 1)
525cd185 3956 l2cap_send_ack(chan);
4d611e4d
GP		 3957 else
3958 __set_ack_timer(chan);
9e917af1 3959
8f17154f 3960 return 0;
9b53350d
JPRV		 3961
3962drop:
3963 kfree_skb(skb);
3964 return 0;
1c2acffb
GP		 3965}
3966
88843ab0 3967static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u32 rx_control)
1c2acffb 3968{
88843ab0 3969 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan,
0b209fae 3970 __get_reqseq(chan, rx_control), rx_control);
0e98958d 3971
0b209fae 3972 chan->expected_ack_seq = __get_reqseq(chan, rx_control);
42e5c802 3973 l2cap_drop_acked_frames(chan);
1c2acffb 3974
e3781735 3975 if (__is_ctrl_poll(chan, rx_control)) {
e2ab4353
GP		 3976 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3977 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3978 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 3979 (chan->unacked_frames > 0))
1a09bcb9 3980 __set_retrans_timer(chan);
05fbd89d 3981
e2ab4353 3982 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
525cd185 3983 l2cap_send_srejtail(chan);
05fbd89d 3984 } else {
525cd185 3985 l2cap_send_i_or_rr_or_rnr(chan);
05fbd89d 3986 }
1d8f5d16 3987
03f6715d 3988 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3989 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4ec10d97 3990
e2ab4353 3991 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3992 l2cap_retransmit_frames(chan);
2246b2f1 3993
e072745f 3994 } else {
e2ab4353 3995 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 3996 (chan->unacked_frames > 0))
1a09bcb9 3997 __set_retrans_timer(chan);
1c2acffb 3998
e2ab4353
GP		 3999 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4000 if (test_bit(CONN_SREJ_SENT, &chan->conn_state))
525cd185 4001 l2cap_send_ack(chan);
894718a6 4002 else
525cd185 4003 l2cap_ertm_send(chan);
e072745f
GP		 4004 }
4005}
2246b2f1 4006
88843ab0 4007static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4008{
0b209fae 4009 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 4010
88843ab0 4011 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4012
e2ab4353 4013 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
e072745f 4014
42e5c802
GP		 4015 chan->expected_ack_seq = tx_seq;
4016 l2cap_drop_acked_frames(chan);
e072745f 4017
03f6715d 4018 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4019 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 4020 l2cap_retransmit_frames(chan);
e072745f 4021 } else {
525cd185 4022 l2cap_retransmit_frames(chan);
30afb5b2 4023
e2ab4353
GP		 4024 if (test_bit(CONN_WAIT_F, &chan->conn_state))
4025 set_bit(CONN_REJ_ACT, &chan->conn_state);
e072745f
GP		 4026 }
4027}
88843ab0 4028static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4029{
0b209fae 4030 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 4031
88843ab0 4032 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4033
e2ab4353 4034 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
2246b2f1 4035
e3781735 4036 if (__is_ctrl_poll(chan, rx_control)) {
42e5c802
GP		 4037 chan->expected_ack_seq = tx_seq;
4038 l2cap_drop_acked_frames(chan);
3cb123d1 4039
e2ab4353 4040 set_bit(CONN_SEND_FBIT, &chan->conn_state);
525cd185 4041 l2cap_retransmit_one_frame(chan, tx_seq);
dfc909be 4042
525cd185 4043 l2cap_ertm_send(chan);
dfc909be 4044
e2ab4353 4045 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 4046 chan->srej_save_reqseq = tx_seq;
e2ab4353 4047 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 4048 }
03f6715d 4049 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4050 if (test_bit(CONN_SREJ_ACT, &chan->conn_state) &&
6a026610 4051 chan->srej_save_reqseq == tx_seq)
e2ab4353 4052 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
e072745f 4053 else
525cd185 4054 l2cap_retransmit_one_frame(chan, tx_seq);
e072745f 4055 } else {
525cd185 4056 l2cap_retransmit_one_frame(chan, tx_seq);
e2ab4353 4057 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 4058 chan->srej_save_reqseq = tx_seq;
e2ab4353 4059 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 4060 }
e072745f
GP		 4061 }
4062}
4063
88843ab0 4064static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4065{
0b209fae 4066 u16 tx_seq = __get_reqseq(chan, rx_control);
e072745f 4067
88843ab0 4068 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4069
e2ab4353 4070 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
42e5c802
GP		 4071 chan->expected_ack_seq = tx_seq;
4072 l2cap_drop_acked_frames(chan);
e072745f 4073
e3781735 4074 if (__is_ctrl_poll(chan, rx_control))
e2ab4353 4075 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3cb123d1 4076
e2ab4353 4077 if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
1a09bcb9 4078 __clear_retrans_timer(chan);
e3781735 4079 if (__is_ctrl_poll(chan, rx_control))
525cd185 4080 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
99b0d4b7 4081 return;
e072745f 4082 }
99b0d4b7 4083
e3781735 4084 if (__is_ctrl_poll(chan, rx_control)) {
525cd185 4085 l2cap_send_srejtail(chan);
ab784b73
AE		 4086 } else {
4087 rx_control = __set_ctrl_super(chan, L2CAP_SUPER_RR);
4088 l2cap_send_sframe(chan, rx_control);
4089 }
e072745f
GP		 4090}
4091
88843ab0 4092static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
e072745f 4093{
88843ab0 4094 BT_DBG("chan %p rx_control 0x%8.8x len %d", chan, rx_control, skb->len);
e072745f 4095
03f6715d 4096 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 4097 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 4098 __clear_monitor_timer(chan);
6a026610 4099 if (chan->unacked_frames > 0)
1a09bcb9 4100 __set_retrans_timer(chan);
e2ab4353 4101 clear_bit(CONN_WAIT_F, &chan->conn_state);
e072745f
GP		 4102 }
4103
ab784b73
AE		 4104 switch (__get_ctrl_super(chan, rx_control)) {
4105 case L2CAP_SUPER_RR:
525cd185 4106 l2cap_data_channel_rrframe(chan, rx_control);
8f17154f
GP		 4107 break;
4108
ab784b73 4109 case L2CAP_SUPER_REJ:
525cd185 4110 l2cap_data_channel_rejframe(chan, rx_control);
e072745f 4111 break;
2246b2f1 4112
ab784b73 4113 case L2CAP_SUPER_SREJ:
525cd185 4114 l2cap_data_channel_srejframe(chan, rx_control);
e072745f
GP		 4115 break;
4116
ab784b73 4117 case L2CAP_SUPER_RNR:
525cd185 4118 l2cap_data_channel_rnrframe(chan, rx_control);
1c2acffb
GP		 4119 break;
4120 }
4121
faaebd19 4122 kfree_skb(skb);
1c2acffb
GP		 4123 return 0;
4124}
4125
cad8f1d0 4126static int l2cap_ertm_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
218bb9df 4127{
88843ab0 4128 u32 control;
0b209fae 4129 u16 req_seq;
218bb9df
GP		 4130 int len, next_tx_seq_offset, req_seq_offset;
4131
88843ab0
AE		 4132 control = __get_control(chan, skb->data);
4133 skb_pull(skb, __ctrl_size(chan));
218bb9df
GP		 4134 len = skb->len;
4135
4136 /*
4137 * We can just drop the corrupted I-frame here.
4138 * Receiver will miss it and start proper recovery
4139 * procedures and ask retransmission.
4140 */
47d1ec61 4141 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 4142 goto drop;
4143
793c2f1c 4144 if (__is_sar_start(chan, control) && !__is_sframe(chan, control))
03a51213 4145 len -= L2CAP_SDULEN_SIZE;
218bb9df 4146
47d1ec61 4147 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 4148 len -= L2CAP_FCS_SIZE;
218bb9df 4149
47d1ec61 4150 if (len > chan->mps) {
8c1d787b 4151 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4152 goto drop;
4153 }
4154
0b209fae 4155 req_seq = __get_reqseq(chan, control);
218bb9df 4156
836be934
AE		 4157 req_seq_offset = __seq_offset(chan, req_seq, chan->expected_ack_seq);
4158
4159 next_tx_seq_offset = __seq_offset(chan, chan->next_tx_seq,
4160 chan->expected_ack_seq);
218bb9df
GP		 4161
4162 /* check for invalid req-seq */
4163 if (req_seq_offset > next_tx_seq_offset) {
8c1d787b 4164 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4165 goto drop;
4166 }
4167
793c2f1c 4168 if (!__is_sframe(chan, control)) {
218bb9df 4169 if (len < 0) {
8c1d787b 4170 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4171 goto drop;
4172 }
4173
525cd185 4174 l2cap_data_channel_iframe(chan, control, skb);
218bb9df
GP		 4175 } else {
4176 if (len != 0) {
4177 BT_ERR("%d", len);
8c1d787b 4178 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4179 goto drop;
4180 }
4181
525cd185 4182 l2cap_data_channel_sframe(chan, control, skb);
218bb9df
GP		 4183 }
4184
4185 return 0;
4186
4187drop:
4188 kfree_skb(skb);
4189 return 0;
4190}
4191
1da177e4
LT		 4192static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
4193{
48454079 4194 struct l2cap_chan *chan;
bf734843 4195 struct sock *sk = NULL;
88843ab0 4196 u32 control;
fb45de7d 4197 u16 tx_seq;
218bb9df 4198 int len;
1da177e4 4199
baa7e1fa 4200 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 4201 if (!chan) {
1da177e4
LT		 4202 BT_DBG("unknown cid 0x%4.4x", cid);
4203 goto drop;
4204 }
4205
48454079 4206 sk = chan->sk;
6840ed07 4207
49208c9c 4208 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 4209
89bc500e 4210 if (chan->state != BT_CONNECTED)
1da177e4
LT		 4211 goto drop;
4212
0c1bc5c6 4213 switch (chan->mode) {
1c2acffb
GP		 4214 case L2CAP_MODE_BASIC:
4215 /* If socket recv buffers overflows we drop data here
4216 * which is *bad* because L2CAP has to be reliable.
4217 * But we don't have any other choice. L2CAP doesn't
4218 * provide flow control mechanism. */
1da177e4 4219
0c1bc5c6 4220 if (chan->imtu < skb->len)
1c2acffb 4221 goto drop;
1da177e4 4222
23070494 4223 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP		 4224 goto done;
4225 break;
4226
4227 case L2CAP_MODE_ERTM:
5ef8cb9e 4228 l2cap_ertm_data_rcv(chan, skb);
1c2acffb 4229
fcafde2e 4230 goto done;
1c2acffb 4231
6840ed07 4232 case L2CAP_MODE_STREAMING:
88843ab0
AE		 4233 control = __get_control(chan, skb->data);
4234 skb_pull(skb, __ctrl_size(chan));
6840ed07
GP		 4235 len = skb->len;
4236
47d1ec61 4237 if (l2cap_check_fcs(chan, skb))
26000089
GP		 4238 goto drop;
4239
7e0ef6ee 4240 if (__is_sar_start(chan, control))
03a51213 4241 len -= L2CAP_SDULEN_SIZE;
6840ed07 4242
47d1ec61 4243 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 4244 len -= L2CAP_FCS_SIZE;
fcc203c3 4245
793c2f1c 4246 if (len > chan->mps || len < 0 || __is_sframe(chan, control))
6840ed07
GP		 4247 goto drop;
4248
fb45de7d 4249 tx_seq = __get_txseq(chan, control);
6840ed07 4250
84084a31
MM		 4251 if (chan->expected_tx_seq != tx_seq) {
4252 /* Frame(s) missing - must discard partial SDU */
4253 kfree_skb(chan->sdu);
4254 chan->sdu = NULL;
4255 chan->sdu_last_frag = NULL;
4256 chan->sdu_len = 0;
6840ed07 4257
84084a31
MM		 4258 /* TODO: Notify userland of missing data */
4259 }
4260
836be934 4261 chan->expected_tx_seq = __next_seq(chan, tx_seq);
84084a31
MM		 4262
4263 if (l2cap_reassemble_sdu(chan, skb, control) == -EMSGSIZE)
4264 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
6840ed07
GP		 4265
4266 goto done;
4267
1c2acffb 4268 default:
0c1bc5c6 4269 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 4270 break;
4271 }
1da177e4
LT		 4272
4273drop:
4274 kfree_skb(skb);
4275
4276done:
0139418c 4277 if (sk)
aa2ac881 4278 release_sock(sk);
0139418c 4279
1da177e4
LT		 4280 return 0;
4281}
4282
8e036fc3 4283static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 4284{
6dcae1ea 4285 struct sock *sk = NULL;
23691d75 4286 struct l2cap_chan *chan;
1da177e4 4287
23691d75
GP		 4288 chan = l2cap_global_chan_by_psm(0, psm, conn->src);
4289 if (!chan)
1da177e4
LT		 4290 goto drop;
4291
23691d75
GP		 4292 sk = chan->sk;
4293
aa2ac881 4294 lock_sock(sk);
e0f0cb56 4295
1da177e4
LT		 4296 BT_DBG("sk %p, len %d", sk, skb->len);
4297
89bc500e 4298 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 4299 goto drop;
4300
e13e21dc 4301 if (chan->imtu < skb->len)
1da177e4
LT		 4302 goto drop;
4303
23070494 4304 if (!chan->ops->recv(chan->data, skb))
1da177e4
LT		 4305 goto done;
4306
4307drop:
4308 kfree_skb(skb);
4309
4310done:
af05b30b 4311 if (sk)
aa2ac881 4312 release_sock(sk);
1da177e4
LT		 4313 return 0;
4314}
4315
9f69bda6
GP		 4316static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
4317{
6dcae1ea 4318 struct sock *sk = NULL;
23691d75 4319 struct l2cap_chan *chan;
9f69bda6 4320
23691d75
GP		 4321 chan = l2cap_global_chan_by_scid(0, cid, conn->src);
4322 if (!chan)
9f69bda6
GP		 4323 goto drop;
4324
23691d75
GP		 4325 sk = chan->sk;
4326
aa2ac881 4327 lock_sock(sk);
9f69bda6
GP		 4328
4329 BT_DBG("sk %p, len %d", sk, skb->len);
4330
89bc500e 4331 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 4332 goto drop;
4333
e13e21dc 4334 if (chan->imtu < skb->len)
9f69bda6
GP		 4335 goto drop;
4336
23070494 4337 if (!chan->ops->recv(chan->data, skb))
9f69bda6
GP		 4338 goto done;
4339
4340drop:
4341 kfree_skb(skb);
4342
4343done:
4344 if (sk)
aa2ac881 4345 release_sock(sk);
9f69bda6
GP		 4346 return 0;
4347}
4348
1da177e4
LT		 4349static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4350{
4351 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4352 u16 cid, len;
4353 __le16 psm;
1da177e4
LT		 4354
4355 skb_pull(skb, L2CAP_HDR_SIZE);
4356 cid = __le16_to_cpu(lh->cid);
4357 len = __le16_to_cpu(lh->len);
4358
1c2acffb
GP		 4359 if (len != skb->len) {
4360 kfree_skb(skb);
4361 return;
4362 }
4363
1da177e4
LT		 4364 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4365
4366 switch (cid) {
3300d9a9 4367 case L2CAP_CID_LE_SIGNALING:
8db4dc46 4368 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4369 l2cap_sig_channel(conn, skb);
4370 break;
4371
8db4dc46 4372 case L2CAP_CID_CONN_LESS:
1b7bf4ed 4373 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 4374 skb_pull(skb, 2);
4375 l2cap_conless_channel(conn, psm, skb);
4376 break;
4377
9f69bda6
GP		 4378 case L2CAP_CID_LE_DATA:
4379 l2cap_att_channel(conn, cid, skb);
4380 break;
4381
b501d6a1
AB		 4382 case L2CAP_CID_SMP:
4383 if (smp_sig_channel(conn, skb))
4384 l2cap_conn_del(conn->hcon, EACCES);
4385 break;
4386
1da177e4
LT		 4387 default:
4388 l2cap_data_channel(conn, cid, skb);
4389 break;
4390 }
4391}
4392
4393/* ---- L2CAP interface with lower layer (HCI) ---- */
4394
686ebf28 4395int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 4396{
4397 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 4398 struct l2cap_chan *c;
1da177e4 4399
1da177e4
LT		 4400 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4401
4402 /* Find listening sockets and check their link_mode */
23691d75
GP		 4403 read_lock(&chan_list_lock);
4404 list_for_each_entry(c, &chan_list, global_l) {
4405 struct sock *sk = c->sk;
4343478f 4406
89bc500e 4407 if (c->state != BT_LISTEN)
1da177e4
LT		 4408 continue;
4409
4410 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4411 lm1 |= HCI_LM_ACCEPT;
43bd0f32 4412 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 4413 lm1 |= HCI_LM_MASTER;
1da177e4 4414 exact++;
2af6b9d5
MH		 4415 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4416 lm2 |= HCI_LM_ACCEPT;
43bd0f32 4417 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 4418 lm2 |= HCI_LM_MASTER;
4419 }
1da177e4 4420 }
23691d75 4421 read_unlock(&chan_list_lock);
1da177e4
LT		 4422
4423 return exact ? lm1 : lm2;
4424}
4425
686ebf28 4426int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 4427{
0139418c
MH		 4428 struct l2cap_conn *conn;
4429
1da177e4
LT		 4430 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4431
1da177e4 4432 if (!status) {
1da177e4
LT		 4433 conn = l2cap_conn_add(hcon, status);
4434 if (conn)
4435 l2cap_conn_ready(conn);
0139418c 4436 } else
e175072f 4437 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 4438
4439 return 0;
4440}
4441
686ebf28 4442int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 4443{
4444 struct l2cap_conn *conn = hcon->l2cap_data;
4445
4446 BT_DBG("hcon %p", hcon);
4447
686ebf28 4448 if (!conn)
9f5a0d7b 4449 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 4450 return conn->disc_reason;
4451}
4452
686ebf28 4453int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4454{
4455 BT_DBG("hcon %p reason %d", hcon, reason);
4456
e175072f 4457 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 4458 return 0;
4459}
4460
4343478f 4461static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4462{
715ec005 4463 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 4464 return;
4465
f62e4323 4466 if (encrypt == 0x00) {
4343478f 4467 if (chan->sec_level == BT_SECURITY_MEDIUM) {
c9b66675 4468 __clear_chan_timer(chan);
b83ddfe2
AK		 4469 __set_chan_timer(chan,
4470 msecs_to_jiffies(L2CAP_ENC_TIMEOUT));
4343478f 4471 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 4472 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4473 } else {
4343478f 4474 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 4475 __clear_chan_timer(chan);
f62e4323
MH		 4476 }
4477}
4478
686ebf28 4479int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4480{
0139418c 4481 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4482 struct l2cap_chan *chan;
1da177e4 4483
0139418c 4484 if (!conn)
1da177e4 4485 return 0;
0139418c 4486
1da177e4
LT		 4487 BT_DBG("conn %p", conn);
4488
160dc6ac
VCG		 4489 if (hcon->type == LE_LINK) {
4490 smp_distribute_keys(conn, 0);
17cd3f37 4491 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 4492 }
4493
3d57dc68 4494 rcu_read_lock();
1da177e4 4495
3d57dc68 4496 list_for_each_entry_rcu(chan, &conn->chan_l, list) {
48454079 4497 struct sock *sk = chan->sk;
baa7e1fa 4498
1da177e4
LT		 4499 bh_lock_sock(sk);
4500
f1cb9af5
VCG		 4501 BT_DBG("chan->scid %d", chan->scid);
4502
4503 if (chan->scid == L2CAP_CID_LE_DATA) {
4504 if (!status && encrypt) {
4505 chan->sec_level = hcon->sec_level;
cf4cd009 4506 l2cap_chan_ready(chan);
f1cb9af5
VCG		 4507 }
4508
4509 bh_unlock_sock(sk);
4510 continue;
4511 }
4512
c1360a1c 4513 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6a8d3010
MH		 4514 bh_unlock_sock(sk);
4515 continue;
4516 }
4517
89bc500e
GP		 4518 if (!status && (chan->state == BT_CONNECTED ||
4519 chan->state == BT_CONFIG)) {
4343478f 4520 l2cap_check_encryption(chan, encrypt);
9719f8af
MH		 4521 bh_unlock_sock(sk);
4522 continue;
4523 }
4524
89bc500e 4525 if (chan->state == BT_CONNECT) {
b1235d79
MH		 4526 if (!status) {
4527 struct l2cap_conn_req req;
fe4128e0
GP		 4528 req.scid = cpu_to_le16(chan->scid);
4529 req.psm = chan->psm;
1da177e4 4530
fc7f8a7e 4531 chan->ident = l2cap_get_ident(conn);
c1360a1c 4532 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4 4533
fc7f8a7e 4534 l2cap_send_cmd(conn, chan->ident,
b1235d79
MH		 4535 L2CAP_CONN_REQ, sizeof(req), &req);
4536 } else {
c9b66675 4537 __clear_chan_timer(chan);
b83ddfe2
AK		 4538 __set_chan_timer(chan,
4539 msecs_to_jiffies(L2CAP_DISC_TIMEOUT));
b1235d79 4540 }
89bc500e 4541 } else if (chan->state == BT_CONNECT2) {
b1235d79 4542 struct l2cap_conn_rsp rsp;
df3c3931 4543 __u16 res, stat;
1da177e4 4544
b1235d79 4545 if (!status) {
df3c3931
JH		 4546 if (bt_sk(sk)->defer_setup) {
4547 struct sock *parent = bt_sk(sk)->parent;
4548 res = L2CAP_CR_PEND;
4549 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 4550 if (parent)
4551 parent->sk_data_ready(parent, 0);
df3c3931 4552 } else {
05558911 4553 l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 4554 res = L2CAP_CR_SUCCESS;
4555 stat = L2CAP_CS_NO_INFO;
4556 }
b1235d79 4557 } else {
89bc500e 4558 l2cap_state_change(chan, BT_DISCONN);
b83ddfe2
AK		 4559 __set_chan_timer(chan,
4560 msecs_to_jiffies(L2CAP_DISC_TIMEOUT));
df3c3931
JH		 4561 res = L2CAP_CR_SEC_BLOCK;
4562 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 4563 }
4564
fe4128e0
GP		 4565 rsp.scid = cpu_to_le16(chan->dcid);
4566 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 4567 rsp.result = cpu_to_le16(res);
4568 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 4569 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4570 sizeof(rsp), &rsp);
b1235d79 4571 }
1da177e4
LT		 4572
4573 bh_unlock_sock(sk);
4574 }
4575
3d57dc68 4576 rcu_read_unlock();
b1235d79 4577
1da177e4
LT		 4578 return 0;
4579}
4580
686ebf28 4581int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 4582{
4583 struct l2cap_conn *conn = hcon->l2cap_data;
4584
5a08ecce
AE		 4585 if (!conn)
4586 conn = l2cap_conn_add(hcon, 0);
4587
4588 if (!conn)
1da177e4
LT		 4589 goto drop;
4590
4591 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4592
e702112f 4593 if (!(flags & ACL_CONT)) {
1da177e4 4594 struct l2cap_hdr *hdr;
48454079 4595 struct l2cap_chan *chan;
89794813 4596 u16 cid;
1da177e4
LT		 4597 int len;
4598
4599 if (conn->rx_len) {
4600 BT_ERR("Unexpected start frame (len %d)", skb->len);
4601 kfree_skb(conn->rx_skb);
4602 conn->rx_skb = NULL;
4603 conn->rx_len = 0;
4604 l2cap_conn_unreliable(conn, ECOMM);
4605 }
4606
aae7fe22
AE		 4607 /* Start fragment always begin with Basic L2CAP header */
4608 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 4609 BT_ERR("Frame is too short (len %d)", skb->len);
4610 l2cap_conn_unreliable(conn, ECOMM);
4611 goto drop;
4612 }
4613
4614 hdr = (struct l2cap_hdr *) skb->data;
4615 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
89794813 4616 cid = __le16_to_cpu(hdr->cid);
1da177e4
LT		 4617
4618 if (len == skb->len) {
4619 /* Complete frame received */
4620 l2cap_recv_frame(conn, skb);
4621 return 0;
4622 }
4623
4624 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4625
4626 if (skb->len > len) {
4627 BT_ERR("Frame is too long (len %d, expected len %d)",
4628 skb->len, len);
4629 l2cap_conn_unreliable(conn, ECOMM);
4630 goto drop;
4631 }
4632
baa7e1fa 4633 chan = l2cap_get_chan_by_scid(conn, cid);
89794813 4634
48454079
GP		 4635 if (chan && chan->sk) {
4636 struct sock *sk = chan->sk;
89794813 4637
0c1bc5c6 4638 if (chan->imtu < len - L2CAP_HDR_SIZE) {
48454079
GP		 4639 BT_ERR("Frame exceeding recv MTU (len %d, "
4640 "MTU %d)", len,
0c1bc5c6 4641 chan->imtu);
aa2ac881 4642 release_sock(sk);
48454079
GP		 4643 l2cap_conn_unreliable(conn, ECOMM);
4644 goto drop;
4645 }
aa2ac881 4646 release_sock(sk);
48454079 4647 }
89794813 4648
1da177e4 4649 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4650 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4651 if (!conn->rx_skb)
1da177e4
LT		 4652 goto drop;
4653
d626f62b 4654 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4655 skb->len);
1da177e4
LT		 4656 conn->rx_len = len - skb->len;
4657 } else {
4658 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4659
4660 if (!conn->rx_len) {
4661 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4662 l2cap_conn_unreliable(conn, ECOMM);
4663 goto drop;
4664 }
4665
4666 if (skb->len > conn->rx_len) {
4667 BT_ERR("Fragment is too long (len %d, expected %d)",
4668 skb->len, conn->rx_len);
4669 kfree_skb(conn->rx_skb);
4670 conn->rx_skb = NULL;
4671 conn->rx_len = 0;
4672 l2cap_conn_unreliable(conn, ECOMM);
4673 goto drop;
4674 }
4675
d626f62b 4676 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4677 skb->len);
1da177e4
LT		 4678 conn->rx_len -= skb->len;
4679
4680 if (!conn->rx_len) {
4681 /* Complete frame received */
4682 l2cap_recv_frame(conn, conn->rx_skb);
4683 conn->rx_skb = NULL;
4684 }
4685 }
4686
4687drop:
4688 kfree_skb(skb);
4689 return 0;
4690}
4691
aef7d97c 4692static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 4693{
23691d75 4694 struct l2cap_chan *c;
1da177e4 4695
333055f2 4696 read_lock(&chan_list_lock);
1da177e4 4697
23691d75
GP		 4698 list_for_each_entry(c, &chan_list, global_l) {
4699 struct sock *sk = c->sk;
101545f6 4700
903d343e 4701 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 4702 batostr(&bt_sk(sk)->src),
4703 batostr(&bt_sk(sk)->dst),
89bc500e 4704 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 4705 c->scid, c->dcid, c->imtu, c->omtu,
4706 c->sec_level, c->mode);
61e1b4b7 4707 }
1da177e4 4708
333055f2 4709 read_unlock(&chan_list_lock);
1da177e4 4710
aef7d97c 4711 return 0;
1da177e4
LT		 4712}
4713
aef7d97c
MH		 4714static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4715{
4716 return single_open(file, l2cap_debugfs_show, inode->i_private);
4717}
4718
4719static const struct file_operations l2cap_debugfs_fops = {
4720 .open = l2cap_debugfs_open,
4721 .read = seq_read,
4722 .llseek = seq_lseek,
4723 .release = single_release,
4724};
4725
4726static struct dentry *l2cap_debugfs;
1da177e4 4727
64274518 4728int __init l2cap_init(void)
1da177e4
LT		 4729{
4730 int err;
be9d1227 4731
bb58f747 4732 err = l2cap_init_sockets();
1da177e4
LT		 4733 if (err < 0)
4734 return err;
4735
aef7d97c
MH		 4736 if (bt_debugfs) {
4737 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4738 bt_debugfs, NULL, &l2cap_debugfs_fops);
4739 if (!l2cap_debugfs)
4740 BT_ERR("Failed to create L2CAP debug file");
4741 }
1da177e4 4742
1da177e4 4743 return 0;
1da177e4
LT		 4744}
4745
64274518 4746void l2cap_exit(void)
1da177e4 4747{
aef7d97c 4748 debugfs_remove(l2cap_debugfs);
bb58f747 4749 l2cap_cleanup_sockets();
1da177e4
LT		 4750}
4751
d1c4a17d
GP		 4752module_param(disable_ertm, bool, 0644);
4753MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)