projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: EWS: handling different Control fields
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
1da177e4
LT		 6
7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License version 2 as
11 published by the Free Software Foundation;
12
13 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
14 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
16 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 17 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
18 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
19 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 20 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21
8e87d142
YH		 22 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
23 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 24 SOFTWARE IS DISCLAIMED.
25*/
26
bb58f747 27/* Bluetooth L2CAP core. */
1da177e4 28
1da177e4
LT		 29#include <linux/module.h>
30
31#include <linux/types.h>
4fc268d2 32#include <linux/capability.h>
1da177e4
LT		 33#include <linux/errno.h>
34#include <linux/kernel.h>
1da177e4
LT		 35#include <linux/sched.h>
36#include <linux/slab.h>
37#include <linux/poll.h>
38#include <linux/fcntl.h>
39#include <linux/init.h>
40#include <linux/interrupt.h>
41#include <linux/socket.h>
42#include <linux/skbuff.h>
1da177e4 43#include <linux/list.h>
be9d1227 44#include <linux/device.h>
aef7d97c
MH		 45#include <linux/debugfs.h>
46#include <linux/seq_file.h>
af05b30b 47#include <linux/uaccess.h>
fcc203c3 48#include <linux/crc16.h>
1da177e4
LT		 49#include <net/sock.h>
50
51#include <asm/system.h>
1da177e4
LT		 52#include <asm/unaligned.h>
53
54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h>
b501d6a1 57#include <net/bluetooth/smp.h>
1da177e4 58
bb58f747 59int disable_ertm;
a5fd6f30 60int enable_hs;
f0709e03 61
47ec1dcd 62static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
e1027a7c 63static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 64
b5ad8b7f
JB		 65static LIST_HEAD(chan_list);
66static DEFINE_RWLOCK(chan_list_lock);
1da177e4 67
1da177e4
LT		 68static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
69 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 70static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
71 void *data);
710f9b0a 72static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a
GP		 73static void l2cap_send_disconn_req(struct l2cap_conn *conn,
74 struct l2cap_chan *chan, int err);
1da177e4 75
218bb9df
GP		 76static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
77
0139418c 78/* ---- L2CAP channels ---- */
71ba0e56
GP		 79
80static inline void chan_hold(struct l2cap_chan *c)
81{
82 atomic_inc(&c->refcnt);
83}
84
85static inline void chan_put(struct l2cap_chan *c)
86{
87 if (atomic_dec_and_test(&c->refcnt))
88 kfree(c);
89}
90
baa7e1fa 91static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 92{
48454079 93 struct l2cap_chan *c;
baa7e1fa
GP		 94
95 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 96 if (c->dcid == cid)
baa7e1fa 97 return c;
0139418c 98 }
baa7e1fa
GP		 99 return NULL;
100
0139418c
MH		 101}
102
baa7e1fa 103static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 104{
48454079 105 struct l2cap_chan *c;
baa7e1fa
GP		 106
107 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 108 if (c->scid == cid)
baa7e1fa 109 return c;
0139418c 110 }
baa7e1fa 111 return NULL;
0139418c
MH		 112}
113
114/* Find channel with given SCID.
115 * Returns locked socket */
baa7e1fa 116static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 117{
48454079 118 struct l2cap_chan *c;
baa7e1fa
GP		 119
120 read_lock(&conn->chan_lock);
121 c = __l2cap_get_chan_by_scid(conn, cid);
48454079
GP		 122 if (c)
123 bh_lock_sock(c->sk);
baa7e1fa 124 read_unlock(&conn->chan_lock);
48454079 125 return c;
0139418c
MH		 126}
127
baa7e1fa 128static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 129{
48454079 130 struct l2cap_chan *c;
baa7e1fa
GP		 131
132 list_for_each_entry(c, &conn->chan_l, list) {
fc7f8a7e 133 if (c->ident == ident)
baa7e1fa 134 return c;
0139418c 135 }
baa7e1fa 136 return NULL;
0139418c
MH		 137}
138
baa7e1fa 139static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 140{
48454079 141 struct l2cap_chan *c;
baa7e1fa
GP		 142
143 read_lock(&conn->chan_lock);
144 c = __l2cap_get_chan_by_ident(conn, ident);
48454079
GP		 145 if (c)
146 bh_lock_sock(c->sk);
baa7e1fa 147 read_unlock(&conn->chan_lock);
48454079 148 return c;
0139418c
MH		 149}
150
23691d75 151static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 152{
23691d75 153 struct l2cap_chan *c;
9e4425ff 154
23691d75
GP		 155 list_for_each_entry(c, &chan_list, global_l) {
156 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
9e4425ff
GP		 157 goto found;
158 }
159
23691d75 160 c = NULL;
9e4425ff 161found:
23691d75 162 return c;
9e4425ff
GP		 163}
164
165int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
166{
73b2ec18
GP		 167 int err;
168
23691d75 169 write_lock_bh(&chan_list_lock);
9e4425ff 170
23691d75 171 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 172 err = -EADDRINUSE;
173 goto done;
9e4425ff
GP		 174 }
175
73b2ec18
GP		 176 if (psm) {
177 chan->psm = psm;
178 chan->sport = psm;
179 err = 0;
180 } else {
181 u16 p;
182
183 err = -EINVAL;
184 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 185 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 186 chan->psm = cpu_to_le16(p);
187 chan->sport = cpu_to_le16(p);
188 err = 0;
189 break;
190 }
191 }
9e4425ff 192
73b2ec18 193done:
23691d75 194 write_unlock_bh(&chan_list_lock);
73b2ec18 195 return err;
9e4425ff
GP		 196}
197
198int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
199{
23691d75 200 write_lock_bh(&chan_list_lock);
9e4425ff
GP		 201
202 chan->scid = scid;
203
23691d75 204 write_unlock_bh(&chan_list_lock);
9e4425ff
GP		 205
206 return 0;
207}
208
baa7e1fa 209static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 210{
8db4dc46 211 u16 cid = L2CAP_CID_DYN_START;
0139418c 212
8db4dc46 213 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 214 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 215 return cid;
216 }
217
218 return 0;
219}
220
c9b66675 221static void l2cap_set_timer(struct l2cap_chan *chan, struct timer_list *timer, long timeout)
ab07801d 222{
774e5651 223 BT_DBG("chan %p state %d timeout %ld", chan->sk, chan->state, timeout);
89bc500e 224
942ecc9c 225 if (!mod_timer(timer, jiffies + msecs_to_jiffies(timeout)))
774e5651 226 chan_hold(chan);
ab07801d
GP		 227}
228
c9b66675 229static void l2cap_clear_timer(struct l2cap_chan *chan, struct timer_list *timer)
ab07801d 230{
774e5651 231 BT_DBG("chan %p state %d", chan, chan->state);
ab07801d 232
774e5651
MM		 233 if (timer_pending(timer) && del_timer(timer))
234 chan_put(chan);
ab07801d
GP		 235}
236
89bc500e
GP		 237static void l2cap_state_change(struct l2cap_chan *chan, int state)
238{
239 chan->state = state;
240 chan->ops->state_change(chan->data, state);
241}
242
ab07801d
GP		 243static void l2cap_chan_timeout(unsigned long arg)
244{
245 struct l2cap_chan *chan = (struct l2cap_chan *) arg;
246 struct sock *sk = chan->sk;
247 int reason;
248
89bc500e 249 BT_DBG("chan %p state %d", chan, chan->state);
ab07801d
GP		 250
251 bh_lock_sock(sk);
252
253 if (sock_owned_by_user(sk)) {
254 /* sk is owned by user. Try again later */
c9b66675 255 __set_chan_timer(chan, HZ / 5);
ab07801d 256 bh_unlock_sock(sk);
71ba0e56 257 chan_put(chan);
ab07801d
GP		 258 return;
259 }
260
89bc500e 261 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 262 reason = ECONNREFUSED;
89bc500e 263 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 264 chan->sec_level != BT_SECURITY_SDP)
265 reason = ECONNREFUSED;
266 else
267 reason = ETIMEDOUT;
268
0f852724 269 l2cap_chan_close(chan, reason);
ab07801d
GP		 270
271 bh_unlock_sock(sk);
272
ba3bd0ee 273 chan->ops->close(chan->data);
71ba0e56 274 chan_put(chan);
ab07801d
GP		 275}
276
23691d75 277struct l2cap_chan *l2cap_chan_create(struct sock *sk)
48454079
GP		 278{
279 struct l2cap_chan *chan;
280
281 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
282 if (!chan)
283 return NULL;
284
285 chan->sk = sk;
286
23691d75
GP		 287 write_lock_bh(&chan_list_lock);
288 list_add(&chan->global_l, &chan_list);
289 write_unlock_bh(&chan_list_lock);
290
ab07801d
GP		 291 setup_timer(&chan->chan_timer, l2cap_chan_timeout, (unsigned long) chan);
292
89bc500e
GP		 293 chan->state = BT_OPEN;
294
71ba0e56
GP		 295 atomic_set(&chan->refcnt, 1);
296
48454079
GP		 297 return chan;
298}
299
23691d75 300void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 301{
23691d75
GP		 302 write_lock_bh(&chan_list_lock);
303 list_del(&chan->global_l);
304 write_unlock_bh(&chan_list_lock);
305
71ba0e56 306 chan_put(chan);
6ff5abbf
GP		 307}
308
48454079 309static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 310{
af05b30b 311 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
fe4128e0 312 chan->psm, chan->dcid);
0139418c 313
2950f21a
MH		 314 conn->disc_reason = 0x13;
315
8c1d787b 316 chan->conn = conn;
0139418c 317
715ec005 318 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
b62f328b
VT		 319 if (conn->hcon->type == LE_LINK) {
320 /* LE connection */
0c1bc5c6 321 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 322 chan->scid = L2CAP_CID_LE_DATA;
323 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 324 } else {
325 /* Alloc CID for connection-oriented socket */
fe4128e0 326 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 327 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 328 }
715ec005 329 } else if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
0139418c 330 /* Connectionless socket */
fe4128e0
GP		 331 chan->scid = L2CAP_CID_CONN_LESS;
332 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 333 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 334 } else {
335 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 336 chan->scid = L2CAP_CID_SIGNALING;
337 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 338 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 339 }
340
8f7975b1
AE		 341 chan->local_id = L2CAP_BESTEFFORT_ID;
342 chan->local_stype = L2CAP_SERV_BESTEFFORT;
343 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
344 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
345 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
346 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
347
71ba0e56 348 chan_hold(chan);
baa7e1fa
GP		 349
350 list_add(&chan->list, &conn->chan_l);
0139418c
MH		 351}
352
8e87d142 353/* Delete channel.
0139418c 354 * Must be called on the locked socket. */
4519de9a 355static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 356{
48454079 357 struct sock *sk = chan->sk;
8c1d787b 358 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 359 struct sock *parent = bt_sk(sk)->parent;
360
c9b66675 361 __clear_chan_timer(chan);
0139418c 362
49208c9c 363 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 364
8e87d142 365 if (conn) {
baa7e1fa
GP		 366 /* Delete from channel list */
367 write_lock_bh(&conn->chan_lock);
368 list_del(&chan->list);
369 write_unlock_bh(&conn->chan_lock);
71ba0e56 370 chan_put(chan);
baa7e1fa 371
8c1d787b 372 chan->conn = NULL;
0139418c
MH		 373 hci_conn_put(conn->hcon);
374 }
375
89bc500e 376 l2cap_state_change(chan, BT_CLOSED);
0139418c
MH		 377 sock_set_flag(sk, SOCK_ZAPPED);
378
379 if (err)
380 sk->sk_err = err;
381
382 if (parent) {
383 bt_accept_unlink(sk);
384 parent->sk_data_ready(parent, 0);
385 } else
386 sk->sk_state_change(sk);
c13ffa62 387
c1360a1c
GP		 388 if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
389 test_bit(CONF_INPUT_DONE, &chan->conf_state)))
6ff5abbf 390 return;
2ead70b8 391
58d35f87 392 skb_queue_purge(&chan->tx_q);
c13ffa62 393
0c1bc5c6 394 if (chan->mode == L2CAP_MODE_ERTM) {
c13ffa62
GP		 395 struct srej_list *l, *tmp;
396
1a09bcb9
GP		 397 __clear_retrans_timer(chan);
398 __clear_monitor_timer(chan);
399 __clear_ack_timer(chan);
c13ffa62 400
f1c6775b 401 skb_queue_purge(&chan->srej_q);
c13ffa62 402
39d5a3ee 403 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
c13ffa62
GP		 404 list_del(&l->list);
405 kfree(l);
406 }
407 }
0139418c
MH		 408}
409
4519de9a
GP		 410static void l2cap_chan_cleanup_listen(struct sock *parent)
411{
412 struct sock *sk;
413
414 BT_DBG("parent %p", parent);
415
416 /* Close not yet accepted channels */
0f852724 417 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee 418 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
c9b66675 419 __clear_chan_timer(chan);
0f852724 420 lock_sock(sk);
ba3bd0ee 421 l2cap_chan_close(chan, ECONNRESET);
0f852724 422 release_sock(sk);
ba3bd0ee 423 chan->ops->close(chan->data);
0f852724 424 }
4519de9a
GP		 425}
426
0f852724 427void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 428{
429 struct l2cap_conn *conn = chan->conn;
430 struct sock *sk = chan->sk;
431
89bc500e 432 BT_DBG("chan %p state %d socket %p", chan, chan->state, sk->sk_socket);
4519de9a 433
89bc500e 434 switch (chan->state) {
4519de9a
GP		 435 case BT_LISTEN:
436 l2cap_chan_cleanup_listen(sk);
89bc500e
GP		 437
438 l2cap_state_change(chan, BT_CLOSED);
439 sock_set_flag(sk, SOCK_ZAPPED);
4519de9a
GP		 440 break;
441
442 case BT_CONNECTED:
443 case BT_CONFIG:
715ec005 444 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 445 conn->hcon->type == ACL_LINK) {
c9b66675
GP		 446 __clear_chan_timer(chan);
447 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 448 l2cap_send_disconn_req(conn, chan, reason);
449 } else
450 l2cap_chan_del(chan, reason);
451 break;
452
453 case BT_CONNECT2:
715ec005 454 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 455 conn->hcon->type == ACL_LINK) {
456 struct l2cap_conn_rsp rsp;
457 __u16 result;
458
459 if (bt_sk(sk)->defer_setup)
460 result = L2CAP_CR_SEC_BLOCK;
461 else
462 result = L2CAP_CR_BAD_PSM;
89bc500e 463 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 464
465 rsp.scid = cpu_to_le16(chan->dcid);
466 rsp.dcid = cpu_to_le16(chan->scid);
467 rsp.result = cpu_to_le16(result);
468 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
469 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
470 sizeof(rsp), &rsp);
471 }
472
473 l2cap_chan_del(chan, reason);
474 break;
475
476 case BT_CONNECT:
477 case BT_DISCONN:
478 l2cap_chan_del(chan, reason);
479 break;
480
481 default:
482 sock_set_flag(sk, SOCK_ZAPPED);
483 break;
484 }
485}
486
4343478f 487static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 488{
715ec005 489 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 490 switch (chan->sec_level) {
8556edd3
JH		 491 case BT_SECURITY_HIGH:
492 return HCI_AT_DEDICATED_BONDING_MITM;
493 case BT_SECURITY_MEDIUM:
494 return HCI_AT_DEDICATED_BONDING;
495 default:
496 return HCI_AT_NO_BONDING;
497 }
fe4128e0 498 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 499 if (chan->sec_level == BT_SECURITY_LOW)
500 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 501
4343478f 502 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 503 return HCI_AT_NO_BONDING_MITM;
00ae4af9 504 else
8556edd3 505 return HCI_AT_NO_BONDING;
00ae4af9 506 } else {
4343478f 507 switch (chan->sec_level) {
00ae4af9 508 case BT_SECURITY_HIGH:
8556edd3 509 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 510 case BT_SECURITY_MEDIUM:
8556edd3 511 return HCI_AT_GENERAL_BONDING;
00ae4af9 512 default:
8556edd3 513 return HCI_AT_NO_BONDING;
00ae4af9 514 }
0684e5f9 515 }
8556edd3
JH		 516}
517
518/* Service level security */
4343478f 519static inline int l2cap_check_security(struct l2cap_chan *chan)
8556edd3 520{
8c1d787b 521 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 522 __u8 auth_type;
523
4343478f 524 auth_type = l2cap_get_auth_type(chan);
79d554a6 525
4343478f 526 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 527}
528
b5ad8b7f 529static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 530{
531 u8 id;
532
533 /* Get next available identificator.
534 * 1 - 128 are used by kernel.
535 * 129 - 199 are reserved.
536 * 200 - 254 are used by utilities like l2ping, etc.
537 */
538
539 spin_lock_bh(&conn->lock);
540
541 if (++conn->tx_ident > 128)
542 conn->tx_ident = 1;
543
544 id = conn->tx_ident;
545
546 spin_unlock_bh(&conn->lock);
547
548 return id;
549}
550
4519de9a 551static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 552{
553 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 554 u8 flags;
4e8402a3
MH		 555
556 BT_DBG("code 0x%2.2x", code);
557
558 if (!skb)
9a9c6a34 559 return;
4e8402a3 560
e702112f
AE		 561 if (lmp_no_flush_capable(conn->hcon->hdev))
562 flags = ACL_START_NO_FLUSH;
563 else
564 flags = ACL_START;
565
14b12d0b
JG		 566 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
567
e702112f 568 hci_send_acl(conn->hcon, skb, flags);
4e8402a3
MH		 569}
570
88843ab0 571static inline void l2cap_send_sframe(struct l2cap_chan *chan, u32 control)
1c2acffb
GP		 572{
573 struct sk_buff *skb;
574 struct l2cap_hdr *lh;
8c1d787b 575 struct l2cap_conn *conn = chan->conn;
e4ca6d98 576 int count, hlen;
e702112f 577 u8 flags;
fcc203c3 578
89bc500e 579 if (chan->state != BT_CONNECTED)
c13ffa62
GP		 580 return;
581
e4ca6d98
AE		 582 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
583 hlen = L2CAP_EXT_HDR_SIZE;
584 else
585 hlen = L2CAP_ENH_HDR_SIZE;
586
47d1ec61 587 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3 588 hlen += 2;
1c2acffb 589
88843ab0 590 BT_DBG("chan %p, control 0x%8.8x", chan, control);
1c2acffb 591
fcc203c3 592 count = min_t(unsigned int, conn->mtu, hlen);
793c2f1c
AE		 593
594 control |= __set_sframe(chan);
1c2acffb 595
e2ab4353 596 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 597 control |= __set_ctrl_final(chan);
9e917af1 598
e2ab4353 599 if (test_and_clear_bit(CONN_SEND_PBIT, &chan->conn_state))
e3781735 600 control |= __set_ctrl_poll(chan);
f0946ccf 601
1c2acffb
GP		 602 skb = bt_skb_alloc(count, GFP_ATOMIC);
603 if (!skb)
9a9c6a34 604 return;
1c2acffb
GP		 605
606 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 607 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
fe4128e0 608 lh->cid = cpu_to_le16(chan->dcid);
88843ab0
AE		 609
610 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
1c2acffb 611
47d1ec61 612 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 613 u16 fcs = crc16(0, (u8 *)lh, count - 2);
614 put_unaligned_le16(fcs, skb_put(skb, 2));
615 }
616
e702112f
AE		 617 if (lmp_no_flush_capable(conn->hcon->hdev))
618 flags = ACL_START_NO_FLUSH;
619 else
620 flags = ACL_START;
621
15770b1a 622 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
14b12d0b 623
8c1d787b 624 hci_send_acl(chan->conn->hcon, skb, flags);
1c2acffb
GP		 625}
626
88843ab0 627static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u32 control)
7e743090 628{
e2ab4353 629 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 630 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 631 set_bit(CONN_RNR_SENT, &chan->conn_state);
1890d36b 632 } else
ab784b73 633 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
7e743090 634
0b209fae 635 control |= __set_reqseq(chan, chan->buffer_seq);
2ab25cdd 636
525cd185 637 l2cap_send_sframe(chan, control);
7e743090
GP		 638}
639
b4450035 640static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 641{
c1360a1c 642 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 643}
644
fc7f8a7e 645static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 646{
8c1d787b 647 struct l2cap_conn *conn = chan->conn;
79d554a6
MH		 648
649 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 650 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
651 return;
652
4343478f
GP		 653 if (l2cap_check_security(chan) &&
654 __l2cap_no_conn_pending(chan)) {
b1235d79 655 struct l2cap_conn_req req;
fe4128e0
GP		 656 req.scid = cpu_to_le16(chan->scid);
657 req.psm = chan->psm;
79d554a6 658
fc7f8a7e 659 chan->ident = l2cap_get_ident(conn);
c1360a1c 660 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
79d554a6 661
fc7f8a7e
GP		 662 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
663 sizeof(req), &req);
b1235d79 664 }
79d554a6
MH		 665 } else {
666 struct l2cap_info_req req;
667 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
668
669 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
670 conn->info_ident = l2cap_get_ident(conn);
671
672 mod_timer(&conn->info_timer, jiffies +
673 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
674
675 l2cap_send_cmd(conn, conn->info_ident,
676 L2CAP_INFO_REQ, sizeof(req), &req);
677 }
678}
679
cf6c2c0b
GP		 680static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
681{
682 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 683 if (!disable_ertm)
cf6c2c0b
GP		 684 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
685
686 switch (mode) {
687 case L2CAP_MODE_ERTM:
688 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
689 case L2CAP_MODE_STREAMING:
690 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
691 default:
692 return 0x00;
693 }
694}
695
4519de9a 696static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 697{
e92c8e70 698 struct sock *sk;
22121fc9
GP		 699 struct l2cap_disconn_req req;
700
c13ffa62
GP		 701 if (!conn)
702 return;
703
e92c8e70
GP		 704 sk = chan->sk;
705
0c1bc5c6 706 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 707 __clear_retrans_timer(chan);
708 __clear_monitor_timer(chan);
709 __clear_ack_timer(chan);
c13ffa62
GP		 710 }
711
fe4128e0
GP		 712 req.dcid = cpu_to_le16(chan->dcid);
713 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 714 l2cap_send_cmd(conn, l2cap_get_ident(conn),
715 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 716
89bc500e 717 l2cap_state_change(chan, BT_DISCONN);
9b108fc0 718 sk->sk_err = err;
22121fc9
GP		 719}
720
1da177e4 721/* ---- L2CAP connections ---- */
4e8402a3
MH		 722static void l2cap_conn_start(struct l2cap_conn *conn)
723{
820ffdb3 724 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 725
726 BT_DBG("conn %p", conn);
727
baa7e1fa 728 read_lock(&conn->chan_lock);
4e8402a3 729
820ffdb3 730 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 731 struct sock *sk = chan->sk;
baa7e1fa 732
4e8402a3
MH		 733 bh_lock_sock(sk);
734
715ec005 735 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
79d554a6
MH		 736 bh_unlock_sock(sk);
737 continue;
738 }
739
89bc500e 740 if (chan->state == BT_CONNECT) {
47731de7 741 struct l2cap_conn_req req;
79d554a6 742
4343478f 743 if (!l2cap_check_security(chan) ||
b4450035 744 !__l2cap_no_conn_pending(chan)) {
47731de7
GP		 745 bh_unlock_sock(sk);
746 continue;
747 }
79d554a6 748
c1360a1c
GP		 749 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
750 && test_bit(CONF_STATE2_DEVICE,
751 &chan->conf_state)) {
0f852724 752 /* l2cap_chan_close() calls list_del(chan)
820ffdb3 753 * so release the lock */
2461daac 754 read_unlock(&conn->chan_lock);
89bc500e 755 l2cap_chan_close(chan, ECONNRESET);
2461daac 756 read_lock(&conn->chan_lock);
47731de7
GP		 757 bh_unlock_sock(sk);
758 continue;
b1235d79 759 }
47731de7 760
fe4128e0
GP		 761 req.scid = cpu_to_le16(chan->scid);
762 req.psm = chan->psm;
47731de7 763
fc7f8a7e 764 chan->ident = l2cap_get_ident(conn);
c1360a1c 765 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
47731de7 766
fc7f8a7e
GP		 767 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
768 sizeof(req), &req);
47731de7 769
89bc500e 770 } else if (chan->state == BT_CONNECT2) {
79d554a6 771 struct l2cap_conn_rsp rsp;
e9aeb2dd 772 char buf[128];
fe4128e0
GP		 773 rsp.scid = cpu_to_le16(chan->dcid);
774 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 775
4343478f 776 if (l2cap_check_security(chan)) {
f66dc81f
MH		 777 if (bt_sk(sk)->defer_setup) {
778 struct sock *parent = bt_sk(sk)->parent;
779 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
780 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 781 if (parent)
782 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 783
784 } else {
89bc500e 785 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 786 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
787 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
788 }
79d554a6
MH		 789 } else {
790 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
791 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
792 }
793
fc7f8a7e
GP		 794 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
795 sizeof(rsp), &rsp);
e9aeb2dd 796
c1360a1c 797 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd
GP		 798 rsp.result != L2CAP_CR_SUCCESS) {
799 bh_unlock_sock(sk);
800 continue;
801 }
802
c1360a1c 803 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 804 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 805 l2cap_build_conf_req(chan, buf), buf);
806 chan->num_conf_req++;
4e8402a3
MH		 807 }
808
809 bh_unlock_sock(sk);
810 }
811
baa7e1fa 812 read_unlock(&conn->chan_lock);
4e8402a3
MH		 813}
814
b62f328b
VT		 815/* Find socket with cid and source bdaddr.
816 * Returns closest match, locked.
817 */
23691d75 818static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
b62f328b 819{
23691d75 820 struct l2cap_chan *c, *c1 = NULL;
b62f328b 821
23691d75 822 read_lock(&chan_list_lock);
b62f328b 823
23691d75
GP		 824 list_for_each_entry(c, &chan_list, global_l) {
825 struct sock *sk = c->sk;
fe4128e0 826
89bc500e 827 if (state && c->state != state)
b62f328b
VT		 828 continue;
829
23691d75 830 if (c->scid == cid) {
b62f328b 831 /* Exact match. */
23691d75
GP		 832 if (!bacmp(&bt_sk(sk)->src, src)) {
833 read_unlock(&chan_list_lock);
834 return c;
835 }
b62f328b
VT		 836
837 /* Closest match */
838 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 839 c1 = c;
b62f328b
VT		 840 }
841 }
280f294f 842
23691d75 843 read_unlock(&chan_list_lock);
b62f328b 844
23691d75 845 return c1;
b62f328b
VT		 846}
847
848static void l2cap_le_conn_ready(struct l2cap_conn *conn)
849{
c916fbe4 850 struct sock *parent, *sk;
23691d75 851 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 852
853 BT_DBG("");
854
855 /* Check if we have socket listening on cid */
23691d75 856 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
b62f328b 857 conn->src);
23691d75 858 if (!pchan)
b62f328b
VT		 859 return;
860
23691d75
GP		 861 parent = pchan->sk;
862
62f3a2cf
GP		 863 bh_lock_sock(parent);
864
b62f328b
VT		 865 /* Check for backlog size */
866 if (sk_acceptq_is_full(parent)) {
867 BT_DBG("backlog full %d", parent->sk_ack_backlog);
868 goto clean;
869 }
870
80808e43
GP		 871 chan = pchan->ops->new_connection(pchan->data);
872 if (!chan)
b62f328b
VT		 873 goto clean;
874
80808e43 875 sk = chan->sk;
5d41ce1d 876
baa7e1fa 877 write_lock_bh(&conn->chan_lock);
b62f328b
VT		 878
879 hci_conn_hold(conn->hcon);
880
b62f328b
VT		 881 bacpy(&bt_sk(sk)->src, conn->src);
882 bacpy(&bt_sk(sk)->dst, conn->dst);
883
d1010240
GP		 884 bt_accept_enqueue(parent, sk);
885
48454079
GP		 886 __l2cap_chan_add(conn, chan);
887
c9b66675 888 __set_chan_timer(chan, sk->sk_sndtimeo);
b62f328b 889
89bc500e 890 l2cap_state_change(chan, BT_CONNECTED);
b62f328b
VT		 891 parent->sk_data_ready(parent, 0);
892
baa7e1fa 893 write_unlock_bh(&conn->chan_lock);
b62f328b
VT		 894
895clean:
896 bh_unlock_sock(parent);
897}
898
f1cb9af5
VCG		 899static void l2cap_chan_ready(struct sock *sk)
900{
901 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
902 struct sock *parent = bt_sk(sk)->parent;
903
904 BT_DBG("sk %p, parent %p", sk, parent);
905
906 chan->conf_state = 0;
907 __clear_chan_timer(chan);
908
43f3dc41 909 l2cap_state_change(chan, BT_CONNECTED);
f1cb9af5
VCG		 910 sk->sk_state_change(sk);
911
912 if (parent)
913 parent->sk_data_ready(parent, 0);
914}
915
4e8402a3
MH		 916static void l2cap_conn_ready(struct l2cap_conn *conn)
917{
48454079 918 struct l2cap_chan *chan;
4e8402a3 919
79d554a6 920 BT_DBG("conn %p", conn);
4e8402a3 921
b62f328b
VT		 922 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
923 l2cap_le_conn_ready(conn);
924
160dc6ac
VCG		 925 if (conn->hcon->out && conn->hcon->type == LE_LINK)
926 smp_conn_security(conn, conn->hcon->pending_sec_level);
927
baa7e1fa 928 read_lock(&conn->chan_lock);
4e8402a3 929
baa7e1fa 930 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 931 struct sock *sk = chan->sk;
baa7e1fa 932
79d554a6 933 bh_lock_sock(sk);
4e8402a3 934
63128451 935 if (conn->hcon->type == LE_LINK) {
b501d6a1 936 if (smp_conn_security(conn, chan->sec_level))
f1cb9af5 937 l2cap_chan_ready(sk);
acd7d370 938
63128451 939 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 940 __clear_chan_timer(chan);
89bc500e 941 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 942 sk->sk_state_change(sk);
b501d6a1 943
89bc500e 944 } else if (chan->state == BT_CONNECT)
fc7f8a7e 945 l2cap_do_start(chan);
4e8402a3 946
79d554a6 947 bh_unlock_sock(sk);
4e8402a3 948 }
79d554a6 949
baa7e1fa 950 read_unlock(&conn->chan_lock);
4e8402a3
MH		 951}
952
953/* Notify sockets that we cannot guaranty reliability anymore */
954static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
955{
48454079 956 struct l2cap_chan *chan;
4e8402a3
MH		 957
958 BT_DBG("conn %p", conn);
959
baa7e1fa 960 read_lock(&conn->chan_lock);
4e8402a3 961
baa7e1fa 962 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 963 struct sock *sk = chan->sk;
baa7e1fa 964
ecf61bdb 965 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
4e8402a3
MH		 966 sk->sk_err = err;
967 }
968
baa7e1fa 969 read_unlock(&conn->chan_lock);
4e8402a3
MH		 970}
971
972static void l2cap_info_timeout(unsigned long arg)
973{
974 struct l2cap_conn *conn = (void *) arg;
975
984947dc 976 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 977 conn->info_ident = 0;
984947dc 978
4e8402a3
MH		 979 l2cap_conn_start(conn);
980}
981
5d3de7df
VCG		 982static void l2cap_conn_del(struct hci_conn *hcon, int err)
983{
984 struct l2cap_conn *conn = hcon->l2cap_data;
985 struct l2cap_chan *chan, *l;
986 struct sock *sk;
987
988 if (!conn)
989 return;
990
991 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
992
993 kfree_skb(conn->rx_skb);
994
995 /* Kill channels */
996 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
997 sk = chan->sk;
998 bh_lock_sock(sk);
999 l2cap_chan_del(chan, err);
1000 bh_unlock_sock(sk);
1001 chan->ops->close(chan->data);
1002 }
1003
1004 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1005 del_timer_sync(&conn->info_timer);
1006
d26a2345 1007 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->pend)) {
5d3de7df 1008 del_timer(&conn->security_timer);
8aab4757 1009 smp_chan_destroy(conn);
d26a2345 1010 }
5d3de7df
VCG		 1011
1012 hcon->l2cap_data = NULL;
1013 kfree(conn);
1014}
1015
1016static void security_timeout(unsigned long arg)
1017{
1018 struct l2cap_conn *conn = (void *) arg;
1019
1020 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1021}
1022
1da177e4
LT		 1023static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1024{
0139418c 1025 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 1026
0139418c 1027 if (conn || status)
1da177e4
LT		 1028 return conn;
1029
0139418c
MH		 1030 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
1031 if (!conn)
1da177e4 1032 return NULL;
1da177e4
LT		 1033
1034 hcon->l2cap_data = conn;
1035 conn->hcon = hcon;
1036
0139418c
MH		 1037 BT_DBG("hcon %p conn %p", hcon, conn);
1038
acd7d370
VT		 1039 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1040 conn->mtu = hcon->hdev->le_mtu;
1041 else
1042 conn->mtu = hcon->hdev->acl_mtu;
1043
1da177e4
LT		 1044 conn->src = &hcon->hdev->bdaddr;
1045 conn->dst = &hcon->dst;
1046
4e8402a3
MH		 1047 conn->feat_mask = 0;
1048
1da177e4 1049 spin_lock_init(&conn->lock);
baa7e1fa
GP		 1050 rwlock_init(&conn->chan_lock);
1051
1052 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1053
5d3de7df
VCG		 1054 if (hcon->type == LE_LINK)
1055 setup_timer(&conn->security_timer, security_timeout,
1056 (unsigned long) conn);
1057 else
b62f328b 1058 setup_timer(&conn->info_timer, l2cap_info_timeout,
45054dc1
DY		 1059 (unsigned long) conn);
1060
2950f21a
MH		 1061 conn->disc_reason = 0x13;
1062
1da177e4
LT		 1063 return conn;
1064}
1065
48454079 1066static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
1da177e4 1067{
baa7e1fa 1068 write_lock_bh(&conn->chan_lock);
48454079 1069 __l2cap_chan_add(conn, chan);
baa7e1fa 1070 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 1071}
1072
1da177e4 1073/* ---- Socket interface ---- */
1da177e4
LT		 1074
1075/* Find socket with psm and source bdaddr.
1076 * Returns closest match.
1077 */
23691d75 1078static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4 1079{
23691d75 1080 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1081
23691d75 1082 read_lock(&chan_list_lock);
e0f0cb56 1083
23691d75
GP		 1084 list_for_each_entry(c, &chan_list, global_l) {
1085 struct sock *sk = c->sk;
fe4128e0 1086
89bc500e 1087 if (state && c->state != state)
1da177e4
LT		 1088 continue;
1089
23691d75 1090 if (c->psm == psm) {
1da177e4 1091 /* Exact match. */
23691d75 1092 if (!bacmp(&bt_sk(sk)->src, src)) {
a7567b20 1093 read_unlock(&chan_list_lock);
23691d75
GP		 1094 return c;
1095 }
1da177e4
LT		 1096
1097 /* Closest match */
1098 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 1099 c1 = c;
1da177e4
LT		 1100 }
1101 }
1da177e4 1102
23691d75 1103 read_unlock(&chan_list_lock);
e0f0cb56 1104
23691d75 1105 return c1;
1da177e4
LT		 1106}
1107
77a74c7e 1108int l2cap_chan_connect(struct l2cap_chan *chan)
1da177e4 1109{
5d41ce1d 1110 struct sock *sk = chan->sk;
1da177e4
LT		 1111 bdaddr_t *src = &bt_sk(sk)->src;
1112 bdaddr_t *dst = &bt_sk(sk)->dst;
1113 struct l2cap_conn *conn;
1114 struct hci_conn *hcon;
1115 struct hci_dev *hdev;
09ab6f4c 1116 __u8 auth_type;
44d0e48e 1117 int err;
1da177e4 1118
f29972de 1119 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
fe4128e0 1120 chan->psm);
1da177e4 1121
af05b30b
GP		 1122 hdev = hci_get_route(dst, src);
1123 if (!hdev)
1da177e4
LT		 1124 return -EHOSTUNREACH;
1125
1126 hci_dev_lock_bh(hdev);
1127
4343478f 1128 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1129
fe4128e0 1130 if (chan->dcid == L2CAP_CID_LE_DATA)
acd7d370 1131 hcon = hci_connect(hdev, LE_LINK, dst,
4343478f 1132 chan->sec_level, auth_type);
acd7d370
VT		 1133 else
1134 hcon = hci_connect(hdev, ACL_LINK, dst,
4343478f 1135 chan->sec_level, auth_type);
acd7d370 1136
30e76272
VT		 1137 if (IS_ERR(hcon)) {
1138 err = PTR_ERR(hcon);
1da177e4 1139 goto done;
30e76272 1140 }
1da177e4
LT		 1141
1142 conn = l2cap_conn_add(hcon, 0);
1143 if (!conn) {
1144 hci_conn_put(hcon);
30e76272 1145 err = -ENOMEM;
1da177e4
LT		 1146 goto done;
1147 }
1148
1da177e4
LT		 1149 /* Update source addr of the socket */
1150 bacpy(src, conn->src);
1151
48454079
GP		 1152 l2cap_chan_add(conn, chan);
1153
89bc500e 1154 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1155 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1156
1157 if (hcon->state == BT_CONNECTED) {
715ec005 1158 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1159 __clear_chan_timer(chan);
4343478f 1160 if (l2cap_check_security(chan))
89bc500e 1161 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1162 } else
fc7f8a7e 1163 l2cap_do_start(chan);
1da177e4
LT		 1164 }
1165
30e76272
VT		 1166 err = 0;
1167
1da177e4
LT		 1168done:
1169 hci_dev_unlock_bh(hdev);
1170 hci_dev_put(hdev);
1171 return err;
1172}
1173
dcba0dba 1174int __l2cap_wait_ack(struct sock *sk)
6161c038 1175{
8c1d787b 1176 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1177 DECLARE_WAITQUEUE(wait, current);
1178 int err = 0;
1179 int timeo = HZ/5;
1180
2b0b05dd 1181 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1182 set_current_state(TASK_INTERRUPTIBLE);
1183 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1184 if (!timeo)
1185 timeo = HZ/5;
1186
1187 if (signal_pending(current)) {
1188 err = sock_intr_errno(timeo);
1189 break;
1190 }
1191
1192 release_sock(sk);
1193 timeo = schedule_timeout(timeo);
1194 lock_sock(sk);
a71a0cf4 1195 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1196
1197 err = sock_error(sk);
1198 if (err)
1199 break;
1200 }
1201 set_current_state(TASK_RUNNING);
2b0b05dd 1202 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1203 return err;
1204}
1205
e90bac06
GP		 1206static void l2cap_monitor_timeout(unsigned long arg)
1207{
525cd185
GP		 1208 struct l2cap_chan *chan = (void *) arg;
1209 struct sock *sk = chan->sk;
e90bac06 1210
525cd185 1211 BT_DBG("chan %p", chan);
0e98958d 1212
e686219a 1213 bh_lock_sock(sk);
2c03a7a4 1214 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1215 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
b13f5860 1216 bh_unlock_sock(sk);
e90bac06
GP		 1217 return;
1218 }
1219
6a026610 1220 chan->retry_count++;
1a09bcb9 1221 __set_monitor_timer(chan);
e90bac06 1222
525cd185 1223 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1224 bh_unlock_sock(sk);
e90bac06
GP		 1225}
1226
1227static void l2cap_retrans_timeout(unsigned long arg)
1228{
525cd185
GP		 1229 struct l2cap_chan *chan = (void *) arg;
1230 struct sock *sk = chan->sk;
e90bac06 1231
49208c9c 1232 BT_DBG("chan %p", chan);
0e98958d 1233
e686219a 1234 bh_lock_sock(sk);
6a026610 1235 chan->retry_count = 1;
1a09bcb9 1236 __set_monitor_timer(chan);
e90bac06 1237
e2ab4353 1238 set_bit(CONN_WAIT_F, &chan->conn_state);
e90bac06 1239
525cd185 1240 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1241 bh_unlock_sock(sk);
e90bac06
GP		 1242}
1243
42e5c802 1244static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1da177e4 1245{
1c2acffb 1246 struct sk_buff *skb;
1da177e4 1247
58d35f87 1248 while ((skb = skb_peek(&chan->tx_q)) &&
6a026610 1249 chan->unacked_frames) {
42e5c802 1250 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1c2acffb 1251 break;
1da177e4 1252
58d35f87 1253 skb = skb_dequeue(&chan->tx_q);
1c2acffb 1254 kfree_skb(skb);
1da177e4 1255
6a026610 1256 chan->unacked_frames--;
1c2acffb 1257 }
1da177e4 1258
6a026610 1259 if (!chan->unacked_frames)
1a09bcb9 1260 __clear_retrans_timer(chan);
1c2acffb 1261}
1da177e4 1262
67c9e840 1263static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
1c2acffb 1264{
8c1d787b 1265 struct hci_conn *hcon = chan->conn->hcon;
e702112f 1266 u16 flags;
1c2acffb 1267
4343478f 1268 BT_DBG("chan %p, skb %p len %d", chan, skb, skb->len);
1da177e4 1269
d57b0e8b
AE		 1270 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
1271 lmp_no_flush_capable(hcon->hdev))
e702112f
AE		 1272 flags = ACL_START_NO_FLUSH;
1273 else
1274 flags = ACL_START;
1275
15770b1a 1276 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
e702112f 1277 hci_send_acl(hcon, skb, flags);
1c2acffb
GP		 1278}
1279
67c9e840 1280static void l2cap_streaming_send(struct l2cap_chan *chan)
6840ed07 1281{
ccbb84af 1282 struct sk_buff *skb;
88843ab0
AE		 1283 u32 control;
1284 u16 fcs;
6840ed07 1285
58d35f87 1286 while ((skb = skb_dequeue(&chan->tx_q))) {
88843ab0 1287 control = __get_control(chan, skb->data + L2CAP_HDR_SIZE);
fb45de7d 1288 control |= __set_txseq(chan, chan->next_tx_seq);
88843ab0 1289 __put_control(chan, control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1290
47d1ec61 1291 if (chan->fcs == L2CAP_FCS_CRC16) {
ccbb84af
GP		 1292 fcs = crc16(0, (u8 *)skb->data, skb->len - 2);
1293 put_unaligned_le16(fcs, skb->data + skb->len - 2);
fcc203c3
GP		 1294 }
1295
4343478f 1296 l2cap_do_send(chan, skb);
6840ed07 1297
42e5c802 1298 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
6840ed07 1299 }
6840ed07
GP		 1300}
1301
fb45de7d 1302static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 1303{
8f17154f 1304 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1305 u16 fcs;
1306 u32 control;
8f17154f 1307
58d35f87 1308 skb = skb_peek(&chan->tx_q);
f11d676d
GP		 1309 if (!skb)
1310 return;
8f17154f 1311
f11d676d
GP		 1312 do {
1313 if (bt_cb(skb)->tx_seq == tx_seq)
8f17154f 1314 break;
8f17154f 1315
58d35f87 1316 if (skb_queue_is_last(&chan->tx_q, skb))
f11d676d 1317 return;
8f17154f 1318
58d35f87 1319 } while ((skb = skb_queue_next(&chan->tx_q, skb)));
8f17154f 1320
2c03a7a4
GP		 1321 if (chan->remote_max_tx &&
1322 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1323 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
f11d676d
GP		 1324 return;
1325 }
1326
1327 tx_skb = skb_clone(skb, GFP_ATOMIC);
1328 bt_cb(skb)->retries++;
88843ab0
AE		 1329
1330 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1331 control &= __get_sar_mask(chan);
3cb123d1 1332
e2ab4353 1333 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1334 control |= __set_ctrl_final(chan);
95ffa978 1335
0b209fae 1336 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1337 control |= __set_txseq(chan, tx_seq);
3cb123d1 1338
88843ab0 1339 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
f11d676d 1340
47d1ec61 1341 if (chan->fcs == L2CAP_FCS_CRC16) {
f11d676d
GP		 1342 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1343 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1344 }
1345
4343478f 1346 l2cap_do_send(chan, tx_skb);
8f17154f
GP		 1347}
1348
67c9e840 1349static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1350{
1351 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1352 u16 fcs;
1353 u32 control;
9a9c6a34 1354 int nsent = 0;
1c2acffb 1355
89bc500e 1356 if (chan->state != BT_CONNECTED)
c13ffa62 1357 return -ENOTCONN;
e90bac06 1358
58d35f87 1359 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1c2acffb 1360
2c03a7a4
GP		 1361 if (chan->remote_max_tx &&
1362 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1363 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
e90bac06
GP		 1364 break;
1365 }
1366
e420aba3
AE		 1367 tx_skb = skb_clone(skb, GFP_ATOMIC);
1368
e90bac06
GP		 1369 bt_cb(skb)->retries++;
1370
88843ab0 1371 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1372 control &= __get_sar_mask(chan);
95ffa978 1373
e2ab4353 1374 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1375 control |= __set_ctrl_final(chan);
e2ab4353 1376
0b209fae 1377 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1378 control |= __set_txseq(chan, chan->next_tx_seq);
1c2acffb 1379
88843ab0 1380 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
e90bac06 1381
47d1ec61 1382 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1383 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1384 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1385 }
1386
4343478f 1387 l2cap_do_send(chan, tx_skb);
9a9c6a34 1388
1a09bcb9 1389 __set_retrans_timer(chan);
1c2acffb 1390
42e5c802
GP		 1391 bt_cb(skb)->tx_seq = chan->next_tx_seq;
1392 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
1c2acffb 1393
23e9fde2 1394 if (bt_cb(skb)->retries == 1)
6a026610 1395 chan->unacked_frames++;
23e9fde2 1396
6a026610 1397 chan->frames_sent++;
1c2acffb 1398
58d35f87
GP		 1399 if (skb_queue_is_last(&chan->tx_q, skb))
1400 chan->tx_send_head = NULL;
1c2acffb 1401 else
58d35f87 1402 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
9e917af1
GP		 1403
1404 nsent++;
1c2acffb
GP		 1405 }
1406
9e917af1
GP		 1407 return nsent;
1408}
1409
525cd185 1410static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1411{
dfc909be
GP		 1412 int ret;
1413
58d35f87
GP		 1414 if (!skb_queue_empty(&chan->tx_q))
1415 chan->tx_send_head = chan->tx_q.next;
dfc909be 1416
42e5c802 1417 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1418 ret = l2cap_ertm_send(chan);
dfc909be
GP		 1419 return ret;
1420}
1421
525cd185 1422static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1423{
88843ab0 1424 u32 control = 0;
9e917af1 1425
0b209fae 1426 control |= __set_reqseq(chan, chan->buffer_seq);
9e917af1 1427
e2ab4353 1428 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 1429 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 1430 set_bit(CONN_RNR_SENT, &chan->conn_state);
525cd185 1431 l2cap_send_sframe(chan, control);
9a9c6a34 1432 return;
9e917af1 1433 }
dfc909be 1434
525cd185 1435 if (l2cap_ertm_send(chan) > 0)
dfc909be
GP		 1436 return;
1437
ab784b73 1438 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 1439 l2cap_send_sframe(chan, control);
1c2acffb
GP		 1440}
1441
525cd185 1442static void l2cap_send_srejtail(struct l2cap_chan *chan)
99b0d4b7
GP		 1443{
1444 struct srej_list *tail;
88843ab0 1445 u32 control;
99b0d4b7 1446
ab784b73 1447 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
03f6715d 1448 control |= __set_ctrl_final(chan);
99b0d4b7 1449
39d5a3ee 1450 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
0b209fae 1451 control |= __set_reqseq(chan, tail->tx_seq);
99b0d4b7 1452
525cd185 1453 l2cap_send_sframe(chan, control);
99b0d4b7
GP		 1454}
1455
1c2acffb
GP		 1456static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1457{
8c1d787b 1458 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1c2acffb
GP		 1459 struct sk_buff **frag;
1460 int err, sent = 0;
1da177e4 1461
59203a21 1462 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1463 return -EFAULT;
1da177e4
LT		 1464
1465 sent += count;
1466 len -= count;
1467
1468 /* Continuation fragments (no L2CAP header) */
1469 frag = &skb_shinfo(skb)->frag_list;
1470 while (len) {
1471 count = min_t(unsigned int, conn->mtu, len);
1472
1473 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1474 if (!*frag)
0175d629 1475 return err;
1c2acffb
GP		 1476 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1477 return -EFAULT;
1da177e4
LT		 1478
1479 sent += count;
1480 len -= count;
1481
1482 frag = &(*frag)->next;
1483 }
1da177e4
LT		 1484
1485 return sent;
1c2acffb 1486}
1da177e4 1487
67c9e840 1488static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1c2acffb 1489{
fe4128e0 1490 struct sock *sk = chan->sk;
8c1d787b 1491 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1492 struct sk_buff *skb;
1493 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1494 struct l2cap_hdr *lh;
1495
1496 BT_DBG("sk %p len %d", sk, (int)len);
1497
1498 count = min_t(unsigned int, (conn->mtu - hlen), len);
1499 skb = bt_skb_send_alloc(sk, count + hlen,
1500 msg->msg_flags & MSG_DONTWAIT, &err);
1501 if (!skb)
0175d629 1502 return ERR_PTR(err);
1c2acffb
GP		 1503
1504 /* Create L2CAP header */
1505 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1506 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1507 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
fe4128e0 1508 put_unaligned_le16(chan->psm, skb_put(skb, 2));
1c2acffb
GP		 1509
1510 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1511 if (unlikely(err < 0)) {
1512 kfree_skb(skb);
1513 return ERR_PTR(err);
1514 }
1515 return skb;
1516}
1517
67c9e840 1518static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1c2acffb 1519{
fe4128e0 1520 struct sock *sk = chan->sk;
8c1d787b 1521 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1522 struct sk_buff *skb;
1523 int err, count, hlen = L2CAP_HDR_SIZE;
1524 struct l2cap_hdr *lh;
1525
1526 BT_DBG("sk %p len %d", sk, (int)len);
1527
1528 count = min_t(unsigned int, (conn->mtu - hlen), len);
1529 skb = bt_skb_send_alloc(sk, count + hlen,
1530 msg->msg_flags & MSG_DONTWAIT, &err);
1531 if (!skb)
0175d629 1532 return ERR_PTR(err);
1c2acffb
GP		 1533
1534 /* Create L2CAP header */
1535 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1536 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1537 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1538
1539 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1540 if (unlikely(err < 0)) {
1541 kfree_skb(skb);
1542 return ERR_PTR(err);
1543 }
1544 return skb;
1545}
1546
ab0ff76d
LAD		 1547static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
1548 struct msghdr *msg, size_t len,
88843ab0 1549 u32 control, u16 sdulen)
1c2acffb 1550{
47d1ec61 1551 struct sock *sk = chan->sk;
8c1d787b 1552 struct l2cap_conn *conn = chan->conn;
1c2acffb 1553 struct sk_buff *skb;
e4ca6d98 1554 int err, count, hlen;
1c2acffb
GP		 1555 struct l2cap_hdr *lh;
1556
1557 BT_DBG("sk %p len %d", sk, (int)len);
1558
0ee0d208
GP		 1559 if (!conn)
1560 return ERR_PTR(-ENOTCONN);
1561
e4ca6d98
AE		 1562 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1563 hlen = L2CAP_EXT_HDR_SIZE;
1564 else
1565 hlen = L2CAP_ENH_HDR_SIZE;
1566
c74e560c
GP		 1567 if (sdulen)
1568 hlen += 2;
1569
47d1ec61 1570 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 1571 hlen += 2;
1572
1c2acffb
GP		 1573 count = min_t(unsigned int, (conn->mtu - hlen), len);
1574 skb = bt_skb_send_alloc(sk, count + hlen,
1575 msg->msg_flags & MSG_DONTWAIT, &err);
1576 if (!skb)
0175d629 1577 return ERR_PTR(err);
1c2acffb
GP		 1578
1579 /* Create L2CAP header */
1580 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1581 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1582 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0
AE		 1583
1584 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
1585
c74e560c
GP		 1586 if (sdulen)
1587 put_unaligned_le16(sdulen, skb_put(skb, 2));
1c2acffb
GP		 1588
1589 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1590 if (unlikely(err < 0)) {
1591 kfree_skb(skb);
1592 return ERR_PTR(err);
1593 }
e90bac06 1594
47d1ec61 1595 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 1596 put_unaligned_le16(0, skb_put(skb, 2));
1597
e90bac06 1598 bt_cb(skb)->retries = 0;
1c2acffb 1599 return skb;
1da177e4
LT		 1600}
1601
67c9e840 1602static int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
c74e560c 1603{
c74e560c
GP		 1604 struct sk_buff *skb;
1605 struct sk_buff_head sar_queue;
88843ab0 1606 u32 control;
c74e560c
GP		 1607 size_t size = 0;
1608
ff12fd64 1609 skb_queue_head_init(&sar_queue);
7e0ef6ee 1610 control = __set_ctrl_sar(chan, L2CAP_SAR_START);
47d1ec61 1611 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
c74e560c
GP		 1612 if (IS_ERR(skb))
1613 return PTR_ERR(skb);
1614
1615 __skb_queue_tail(&sar_queue, skb);
2c03a7a4
GP		 1616 len -= chan->remote_mps;
1617 size += chan->remote_mps;
c74e560c
GP		 1618
1619 while (len > 0) {
1620 size_t buflen;
1621
2c03a7a4 1622 if (len > chan->remote_mps) {
7e0ef6ee 1623 control = __set_ctrl_sar(chan, L2CAP_SAR_CONTINUE);
2c03a7a4 1624 buflen = chan->remote_mps;
c74e560c 1625 } else {
7e0ef6ee 1626 control = __set_ctrl_sar(chan, L2CAP_SAR_END);
c74e560c
GP		 1627 buflen = len;
1628 }
1629
47d1ec61 1630 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
c74e560c
GP		 1631 if (IS_ERR(skb)) {
1632 skb_queue_purge(&sar_queue);
1633 return PTR_ERR(skb);
1634 }
1635
1636 __skb_queue_tail(&sar_queue, skb);
1637 len -= buflen;
1638 size += buflen;
c74e560c 1639 }
58d35f87
GP		 1640 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
1641 if (chan->tx_send_head == NULL)
1642 chan->tx_send_head = sar_queue.next;
c74e560c
GP		 1643
1644 return size;
1645}
1646
9a91a04a
GP		 1647int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1648{
9a91a04a 1649 struct sk_buff *skb;
88843ab0 1650 u32 control;
9a91a04a
GP		 1651 int err;
1652
1653 /* Connectionless channel */
715ec005 1654 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
9a91a04a
GP		 1655 skb = l2cap_create_connless_pdu(chan, msg, len);
1656 if (IS_ERR(skb))
1657 return PTR_ERR(skb);
1658
1659 l2cap_do_send(chan, skb);
1660 return len;
1661 }
1662
1663 switch (chan->mode) {
1664 case L2CAP_MODE_BASIC:
1665 /* Check outgoing MTU */
1666 if (len > chan->omtu)
1667 return -EMSGSIZE;
1668
1669 /* Create a basic PDU */
1670 skb = l2cap_create_basic_pdu(chan, msg, len);
1671 if (IS_ERR(skb))
1672 return PTR_ERR(skb);
1673
1674 l2cap_do_send(chan, skb);
1675 err = len;
1676 break;
1677
1678 case L2CAP_MODE_ERTM:
1679 case L2CAP_MODE_STREAMING:
1680 /* Entire SDU fits into one PDU */
1681 if (len <= chan->remote_mps) {
7e0ef6ee 1682 control = __set_ctrl_sar(chan, L2CAP_SAR_UNSEGMENTED);
9a91a04a
GP		 1683 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
1684 0);
1685 if (IS_ERR(skb))
1686 return PTR_ERR(skb);
1687
1688 __skb_queue_tail(&chan->tx_q, skb);
1689
1690 if (chan->tx_send_head == NULL)
1691 chan->tx_send_head = skb;
1692
1693 } else {
1694 /* Segment SDU into multiples PDUs */
1695 err = l2cap_sar_segment_sdu(chan, msg, len);
1696 if (err < 0)
1697 return err;
1698 }
1699
1700 if (chan->mode == L2CAP_MODE_STREAMING) {
1701 l2cap_streaming_send(chan);
1702 err = len;
1703 break;
1704 }
1705
e2ab4353
GP		 1706 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
1707 test_bit(CONN_WAIT_F, &chan->conn_state)) {
9a91a04a
GP		 1708 err = len;
1709 break;
1710 }
1711
1712 err = l2cap_ertm_send(chan);
1713 if (err >= 0)
1714 err = len;
1715
1716 break;
1717
1718 default:
1719 BT_DBG("bad state %1.1x", chan->mode);
1720 err = -EBADFD;
1721 }
1722
1723 return err;
1724}
1725
1da177e4
LT		 1726/* Copy frame to all raw sockets on that connection */
1727static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1728{
1da177e4 1729 struct sk_buff *nskb;
48454079 1730 struct l2cap_chan *chan;
1da177e4
LT		 1731
1732 BT_DBG("conn %p", conn);
1733
baa7e1fa
GP		 1734 read_lock(&conn->chan_lock);
1735 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 1736 struct sock *sk = chan->sk;
715ec005 1737 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 1738 continue;
1739
1740 /* Don't send frame to the socket it came from */
1741 if (skb->sk == sk)
1742 continue;
af05b30b
GP		 1743 nskb = skb_clone(skb, GFP_ATOMIC);
1744 if (!nskb)
1da177e4
LT		 1745 continue;
1746
23070494 1747 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT		 1748 kfree_skb(nskb);
1749 }
baa7e1fa 1750 read_unlock(&conn->chan_lock);
1da177e4
LT		 1751}
1752
1753/* ---- L2CAP signalling commands ---- */
1754static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1755 u8 code, u8 ident, u16 dlen, void *data)
1756{
1757 struct sk_buff *skb, **frag;
1758 struct l2cap_cmd_hdr *cmd;
1759 struct l2cap_hdr *lh;
1760 int len, count;
1761
af05b30b
GP		 1762 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1763 conn, code, ident, dlen);
1da177e4
LT		 1764
1765 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1766 count = min_t(unsigned int, conn->mtu, len);
1767
1768 skb = bt_skb_alloc(count, GFP_ATOMIC);
1769 if (!skb)
1770 return NULL;
1771
1772 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 1773 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 1774
1775 if (conn->hcon->type == LE_LINK)
1776 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
1777 else
1778 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 1779
1780 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1781 cmd->code = code;
1782 cmd->ident = ident;
aca3192c 1783 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 1784
1785 if (dlen) {
1786 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1787 memcpy(skb_put(skb, count), data, count);
1788 data += count;
1789 }
1790
1791 len -= skb->len;
1792
1793 /* Continuation fragments (no L2CAP header) */
1794 frag = &skb_shinfo(skb)->frag_list;
1795 while (len) {
1796 count = min_t(unsigned int, conn->mtu, len);
1797
1798 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1799 if (!*frag)
1800 goto fail;
1801
1802 memcpy(skb_put(*frag, count), data, count);
1803
1804 len -= count;
1805 data += count;
1806
1807 frag = &(*frag)->next;
1808 }
1809
1810 return skb;
1811
1812fail:
1813 kfree_skb(skb);
1814 return NULL;
1815}
1816
1817static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1818{
1819 struct l2cap_conf_opt *opt = *ptr;
1820 int len;
1821
1822 len = L2CAP_CONF_OPT_SIZE + opt->len;
1823 *ptr += len;
1824
1825 *type = opt->type;
1826 *olen = opt->len;
1827
1828 switch (opt->len) {
1829 case 1:
1830 *val = *((u8 *) opt->val);
1831 break;
1832
1833 case 2:
bfaaeb3e 1834 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 1835 break;
1836
1837 case 4:
bfaaeb3e 1838 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 1839 break;
1840
1841 default:
1842 *val = (unsigned long) opt->val;
1843 break;
1844 }
1845
1846 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1847 return len;
1848}
1849
1da177e4
LT		 1850static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1851{
1852 struct l2cap_conf_opt *opt = *ptr;
1853
1854 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1855
1856 opt->type = type;
1857 opt->len = len;
1858
1859 switch (len) {
1860 case 1:
1861 *((u8 *) opt->val) = val;
1862 break;
1863
1864 case 2:
4f8b691c 1865 put_unaligned_le16(val, opt->val);
1da177e4
LT		 1866 break;
1867
1868 case 4:
4f8b691c 1869 put_unaligned_le32(val, opt->val);
1da177e4
LT		 1870 break;
1871
1872 default:
1873 memcpy(opt->val, (void *) val, len);
1874 break;
1875 }
1876
1877 *ptr += L2CAP_CONF_OPT_SIZE + len;
1878}
1879
f89cef09
AE		 1880static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
1881{
1882 struct l2cap_conf_efs efs;
1883
1884 switch(chan->mode) {
1885 case L2CAP_MODE_ERTM:
1886 efs.id = chan->local_id;
1887 efs.stype = chan->local_stype;
1888 efs.msdu = cpu_to_le16(chan->local_msdu);
1889 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
1890 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
1891 efs.flush_to = cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
1892 break;
1893
1894 case L2CAP_MODE_STREAMING:
1895 efs.id = 1;
1896 efs.stype = L2CAP_SERV_BESTEFFORT;
1897 efs.msdu = cpu_to_le16(chan->local_msdu);
1898 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
1899 efs.acc_lat = 0;
1900 efs.flush_to = 0;
1901 break;
1902
1903 default:
1904 return;
1905 }
1906
1907 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
1908 (unsigned long) &efs);
1909}
1910
c1b4f43b
GP		 1911static void l2cap_ack_timeout(unsigned long arg)
1912{
525cd185 1913 struct l2cap_chan *chan = (void *) arg;
c1b4f43b 1914
525cd185
GP		 1915 bh_lock_sock(chan->sk);
1916 l2cap_send_ack(chan);
1917 bh_unlock_sock(chan->sk);
c1b4f43b
GP		 1918}
1919
525cd185 1920static inline void l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 1921{
525cd185
GP		 1922 struct sock *sk = chan->sk;
1923
42e5c802 1924 chan->expected_ack_seq = 0;
6a026610 1925 chan->unacked_frames = 0;
42e5c802 1926 chan->buffer_seq = 0;
6a026610
GP		 1927 chan->num_acked = 0;
1928 chan->frames_sent = 0;
0565c1c2 1929
e92c8e70
GP		 1930 setup_timer(&chan->retrans_timer, l2cap_retrans_timeout,
1931 (unsigned long) chan);
1932 setup_timer(&chan->monitor_timer, l2cap_monitor_timeout,
1933 (unsigned long) chan);
1934 setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan);
0565c1c2 1935
f1c6775b 1936 skb_queue_head_init(&chan->srej_q);
1890d36b 1937
39d5a3ee
GP		 1938 INIT_LIST_HEAD(&chan->srej_l);
1939
218bb9df
GP		 1940
1941 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
0565c1c2
GP		 1942}
1943
f2fcfcd6
GP		 1944static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
1945{
1946 switch (mode) {
1947 case L2CAP_MODE_STREAMING:
1948 case L2CAP_MODE_ERTM:
1949 if (l2cap_mode_supported(mode, remote_feat_mask))
1950 return mode;
1951 /* fall through */
1952 default:
1953 return L2CAP_MODE_BASIC;
1954 }
1955}
1956
6327eb98
AE		 1957static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
1958{
1959 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
1960}
1961
f89cef09
AE		 1962static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
1963{
1964 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
1965}
1966
6327eb98
AE		 1967static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
1968{
1969 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
1970 __l2cap_ews_supported(chan))
1971 /* use extended control field */
1972 set_bit(FLAG_EXT_CTRL, &chan->flags);
1973 else
1974 chan->tx_win = min_t(u16, chan->tx_win,
1975 L2CAP_DEFAULT_TX_WINDOW);
1976}
1977
710f9b0a 1978static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 1979{
1da177e4 1980 struct l2cap_conf_req *req = data;
0c1bc5c6 1981 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4
LT		 1982 void *ptr = req->data;
1983
49208c9c 1984 BT_DBG("chan %p", chan);
1da177e4 1985
73ffa904 1986 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 1987 goto done;
1988
0c1bc5c6 1989 switch (chan->mode) {
f2fcfcd6
GP		 1990 case L2CAP_MODE_STREAMING:
1991 case L2CAP_MODE_ERTM:
c1360a1c 1992 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 1993 break;
85eb53c6 1994
f89cef09
AE		 1995 if (__l2cap_efs_supported(chan))
1996 set_bit(FLAG_EFS_ENABLE, &chan->flags);
1997
2ba13ed6 1998 /* fall through */
f2fcfcd6 1999 default:
8c1d787b 2000 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2001 break;
2002 }
2003
2004done:
0c1bc5c6
GP		 2005 if (chan->imtu != L2CAP_DEFAULT_MTU)
2006 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2007
0c1bc5c6 2008 switch (chan->mode) {
65c7c491 2009 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2010 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2011 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2012 break;
2013
62547752
GP		 2014 rfc.mode = L2CAP_MODE_BASIC;
2015 rfc.txwin_size = 0;
2016 rfc.max_transmit = 0;
2017 rfc.retrans_timeout = 0;
2018 rfc.monitor_timeout = 0;
2019 rfc.max_pdu_size = 0;
2020
63406504
GP		 2021 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2022 (unsigned long) &rfc);
65c7c491
MH		 2023 break;
2024
2025 case L2CAP_MODE_ERTM:
2026 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2027 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2028 rfc.retrans_timeout = 0;
2029 rfc.monitor_timeout = 0;
c74e560c 2030 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
8c1d787b
GP		 2031 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
2032 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
f2fcfcd6 2033
6327eb98
AE		 2034 l2cap_txwin_setup(chan);
2035
2036 rfc.txwin_size = min_t(u16, chan->tx_win,
2037 L2CAP_DEFAULT_TX_WINDOW);
2038
63406504
GP		 2039 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2040 (unsigned long) &rfc);
2041
f89cef09
AE		 2042 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2043 l2cap_add_opt_efs(&ptr, chan);
2044
8c1d787b 2045 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2046 break;
2047
47d1ec61 2048 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2049 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2050 chan->fcs = L2CAP_FCS_NONE;
2051 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2052 }
6327eb98
AE		 2053
2054 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2055 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2056 chan->tx_win);
f2fcfcd6
GP		 2057 break;
2058
2059 case L2CAP_MODE_STREAMING:
2060 rfc.mode = L2CAP_MODE_STREAMING;
2061 rfc.txwin_size = 0;
2062 rfc.max_transmit = 0;
2063 rfc.retrans_timeout = 0;
2064 rfc.monitor_timeout = 0;
c74e560c 2065 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
8c1d787b
GP		 2066 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
2067 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
65c7c491 2068
63406504
GP		 2069 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2070 (unsigned long) &rfc);
2071
f89cef09
AE		 2072 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2073 l2cap_add_opt_efs(&ptr, chan);
2074
8c1d787b 2075 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2076 break;
2077
47d1ec61 2078 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2079 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2080 chan->fcs = L2CAP_FCS_NONE;
2081 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2082 }
65c7c491
MH		 2083 break;
2084 }
1da177e4 2085
fe4128e0 2086 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 2087 req->flags = cpu_to_le16(0);
1da177e4
LT		 2088
2089 return ptr - data;
2090}
2091
73ffa904 2092static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2093{
5dee9e7c
MH		 2094 struct l2cap_conf_rsp *rsp = data;
2095 void *ptr = rsp->data;
73ffa904
GP		 2096 void *req = chan->conf_req;
2097 int len = chan->conf_len;
5dee9e7c
MH		 2098 int type, hint, olen;
2099 unsigned long val;
6464f35f 2100 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 2101 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2102 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 2103
73ffa904 2104 BT_DBG("chan %p", chan);
820ae1b8 2105
5dee9e7c
MH		 2106 while (len >= L2CAP_CONF_OPT_SIZE) {
2107 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2108
589d2746 2109 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2110 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2111
2112 switch (type) {
2113 case L2CAP_CONF_MTU:
861d6882 2114 mtu = val;
5dee9e7c
MH		 2115 break;
2116
2117 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2118 chan->flush_to = val;
5dee9e7c
MH		 2119 break;
2120
2121 case L2CAP_CONF_QOS:
2122 break;
2123
6464f35f
MH		 2124 case L2CAP_CONF_RFC:
2125 if (olen == sizeof(rfc))
2126 memcpy(&rfc, (void *) val, olen);
2127 break;
2128
fcc203c3
GP		 2129 case L2CAP_CONF_FCS:
2130 if (val == L2CAP_FCS_NONE)
c1360a1c 2131 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
fcc203c3
GP		 2132
2133 break;
2134
6327eb98
AE		 2135 case L2CAP_CONF_EWS:
2136 if (!enable_hs)
2137 return -ECONNREFUSED;
2138
2139 set_bit(FLAG_EXT_CTRL, &chan->flags);
2140 set_bit(CONF_EWS_RECV, &chan->conf_state);
2141 chan->remote_tx_win = val;
2142 break;
2143
5dee9e7c
MH		 2144 default:
2145 if (hint)
2146 break;
2147
2148 result = L2CAP_CONF_UNKNOWN;
2149 *((u8 *) ptr++) = type;
2150 break;
2151 }
2152 }
2153
73ffa904 2154 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2155 goto done;
2156
0c1bc5c6 2157 switch (chan->mode) {
f2fcfcd6
GP		 2158 case L2CAP_MODE_STREAMING:
2159 case L2CAP_MODE_ERTM:
c1360a1c 2160 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2161 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2162 chan->conn->feat_mask);
85eb53c6
GP		 2163 break;
2164 }
2165
0c1bc5c6 2166 if (chan->mode != rfc.mode)
f2fcfcd6 2167 return -ECONNREFUSED;
742e519b 2168
f2fcfcd6 2169 break;
f2fcfcd6
GP		 2170 }
2171
2172done:
0c1bc5c6 2173 if (chan->mode != rfc.mode) {
f2fcfcd6 2174 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2175 rfc.mode = chan->mode;
f2fcfcd6 2176
73ffa904 2177 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2178 return -ECONNREFUSED;
2179
2180 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2181 sizeof(rfc), (unsigned long) &rfc);
2182 }
2183
2184
5dee9e7c
MH		 2185 if (result == L2CAP_CONF_SUCCESS) {
2186 /* Configure output options and let the other side know
2187 * which ones we don't like. */
2188
f2fcfcd6
GP		 2189 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2190 result = L2CAP_CONF_UNACCEPT;
2191 else {
0c1bc5c6 2192 chan->omtu = mtu;
c1360a1c 2193 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 2194 }
0c1bc5c6 2195 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2196
f2fcfcd6
GP		 2197 switch (rfc.mode) {
2198 case L2CAP_MODE_BASIC:
47d1ec61 2199 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2200 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 2201 break;
2202
2203 case L2CAP_MODE_ERTM:
6327eb98
AE		 2204 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
2205 chan->remote_tx_win = rfc.txwin_size;
2206 else
2207 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
2208
2c03a7a4 2209 chan->remote_max_tx = rfc.max_transmit;
86b1b263 2210
8c1d787b
GP		 2211 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
2212 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1c762159 2213
2c03a7a4 2214 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2215
10467e9e
GP		 2216 rfc.retrans_timeout =
2217 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2218 rfc.monitor_timeout =
2219 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2220
c1360a1c 2221 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2222
2223 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2224 sizeof(rfc), (unsigned long) &rfc);
2225
f2fcfcd6
GP		 2226 break;
2227
2228 case L2CAP_MODE_STREAMING:
8c1d787b
GP		 2229 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
2230 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1c762159 2231
2c03a7a4 2232 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2233
c1360a1c 2234 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2235
2236 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2237 sizeof(rfc), (unsigned long) &rfc);
2238
f2fcfcd6
GP		 2239 break;
2240
2241 default:
5dee9e7c 2242 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2243
6464f35f 2244 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2245 rfc.mode = chan->mode;
f2fcfcd6 2246 }
6464f35f 2247
f2fcfcd6 2248 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 2249 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 2250 }
fe4128e0 2251 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2252 rsp->result = cpu_to_le16(result);
2253 rsp->flags = cpu_to_le16(0x0000);
2254
2255 return ptr - data;
1da177e4
LT		 2256}
2257
b4450035 2258static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2259{
f2fcfcd6
GP		 2260 struct l2cap_conf_req *req = data;
2261 void *ptr = req->data;
2262 int type, olen;
2263 unsigned long val;
2264 struct l2cap_conf_rfc rfc;
2265
fe4128e0 2266 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 2267
2268 while (len >= L2CAP_CONF_OPT_SIZE) {
2269 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2270
2271 switch (type) {
2272 case L2CAP_CONF_MTU:
2273 if (val < L2CAP_DEFAULT_MIN_MTU) {
2274 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2275 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2276 } else
0c1bc5c6
GP		 2277 chan->imtu = val;
2278 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 2279 break;
2280
2281 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2282 chan->flush_to = val;
f2fcfcd6 2283 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 2284 2, chan->flush_to);
f2fcfcd6
GP		 2285 break;
2286
2287 case L2CAP_CONF_RFC:
2288 if (olen == sizeof(rfc))
2289 memcpy(&rfc, (void *)val, olen);
2290
c1360a1c 2291 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 2292 rfc.mode != chan->mode)
f2fcfcd6
GP		 2293 return -ECONNREFUSED;
2294
47d1ec61 2295 chan->fcs = 0;
f2fcfcd6
GP		 2296
2297 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2298 sizeof(rfc), (unsigned long) &rfc);
2299 break;
6327eb98
AE		 2300
2301 case L2CAP_CONF_EWS:
2302 chan->tx_win = min_t(u16, val,
2303 L2CAP_DEFAULT_EXT_WINDOW);
2304 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS,
2305 2, chan->tx_win);
2306 break;
f2fcfcd6
GP		 2307 }
2308 }
2309
0c1bc5c6 2310 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 2311 return -ECONNREFUSED;
2312
0c1bc5c6 2313 chan->mode = rfc.mode;
6c2ea7a8 2314
f2fcfcd6
GP		 2315 if (*result == L2CAP_CONF_SUCCESS) {
2316 switch (rfc.mode) {
2317 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2318 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2319 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2320 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2321 break;
2322 case L2CAP_MODE_STREAMING:
47d1ec61 2323 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2324 }
2325 }
2326
fe4128e0 2327 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 2328 req->flags = cpu_to_le16(0x0000);
2329
2330 return ptr - data;
2331}
2332
fe4128e0 2333static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 2334{
2335 struct l2cap_conf_rsp *rsp = data;
2336 void *ptr = rsp->data;
1da177e4 2337
fe4128e0 2338 BT_DBG("chan %p", chan);
1da177e4 2339
fe4128e0 2340 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 2341 rsp->result = cpu_to_le16(result);
aca3192c 2342 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2343
2344 return ptr - data;
2345}
2346
8c1d787b 2347void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 2348{
2349 struct l2cap_conn_rsp rsp;
8c1d787b 2350 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 2351 u8 buf[128];
2352
fe4128e0
GP		 2353 rsp.scid = cpu_to_le16(chan->dcid);
2354 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 2355 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2356 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2357 l2cap_send_cmd(conn, chan->ident,
2358 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2359
c1360a1c 2360 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 2361 return;
2362
710f9b0a
GP		 2363 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2364 l2cap_build_conf_req(chan, buf), buf);
2365 chan->num_conf_req++;
2366}
2367
47d1ec61 2368static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 2369{
7b1c0049
GP		 2370 int type, olen;
2371 unsigned long val;
2372 struct l2cap_conf_rfc rfc;
2373
47d1ec61 2374 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 2375
0c1bc5c6 2376 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 2377 return;
2378
2379 while (len >= L2CAP_CONF_OPT_SIZE) {
2380 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2381
2382 switch (type) {
2383 case L2CAP_CONF_RFC:
2384 if (olen == sizeof(rfc))
2385 memcpy(&rfc, (void *)val, olen);
2386 goto done;
2387 }
2388 }
2389
2390done:
2391 switch (rfc.mode) {
2392 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2393 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2394 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2395 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2396 break;
2397 case L2CAP_MODE_STREAMING:
47d1ec61 2398 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2399 }
2400}
2401
4e8402a3
MH		 2402static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2403{
e2fd318e 2404 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 2405
e2fd318e 2406 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 2407 return 0;
2408
2409 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2410 cmd->ident == conn->info_ident) {
4e8402a3 2411 del_timer(&conn->info_timer);
984947dc
MH		 2412
2413 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2414 conn->info_ident = 0;
984947dc 2415
4e8402a3
MH		 2416 l2cap_conn_start(conn);
2417 }
2418
2419 return 0;
2420}
2421
1da177e4
LT		 2422static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2423{
1da177e4
LT		 2424 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2425 struct l2cap_conn_rsp rsp;
23691d75 2426 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 2427 struct sock *parent, *sk = NULL;
e7c29cb1 2428 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2429
2430 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2431 __le16 psm = req->psm;
1da177e4
LT		 2432
2433 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2434
2435 /* Check if we have socket listening on psm */
23691d75
GP		 2436 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
2437 if (!pchan) {
1da177e4
LT		 2438 result = L2CAP_CR_BAD_PSM;
2439 goto sendresp;
2440 }
2441
23691d75
GP		 2442 parent = pchan->sk;
2443
e0f0cb56
GP		 2444 bh_lock_sock(parent);
2445
e7c29cb1
MH		 2446 /* Check if the ACL is secure enough (if not SDP) */
2447 if (psm != cpu_to_le16(0x0001) &&
2448 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 2449 conn->disc_reason = 0x05;
e7c29cb1
MH		 2450 result = L2CAP_CR_SEC_BLOCK;
2451 goto response;
2452 }
2453
1da177e4
LT		 2454 result = L2CAP_CR_NO_MEM;
2455
2456 /* Check for backlog size */
2457 if (sk_acceptq_is_full(parent)) {
8e87d142 2458 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2459 goto response;
2460 }
2461
80808e43
GP		 2462 chan = pchan->ops->new_connection(pchan->data);
2463 if (!chan)
1da177e4
LT		 2464 goto response;
2465
80808e43
GP		 2466 sk = chan->sk;
2467
baa7e1fa 2468 write_lock_bh(&conn->chan_lock);
1da177e4
LT		 2469
2470 /* Check if we already have channel with that dcid */
baa7e1fa
GP		 2471 if (__l2cap_get_chan_by_dcid(conn, scid)) {
2472 write_unlock_bh(&conn->chan_lock);
1da177e4 2473 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 2474 chan->ops->close(chan->data);
1da177e4
LT		 2475 goto response;
2476 }
2477
2478 hci_conn_hold(conn->hcon);
2479
1da177e4
LT		 2480 bacpy(&bt_sk(sk)->src, conn->src);
2481 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 2482 chan->psm = psm;
2483 chan->dcid = scid;
1da177e4 2484
d1010240
GP		 2485 bt_accept_enqueue(parent, sk);
2486
48454079
GP		 2487 __l2cap_chan_add(conn, chan);
2488
fe4128e0 2489 dcid = chan->scid;
1da177e4 2490
c9b66675 2491 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 2492
fc7f8a7e 2493 chan->ident = cmd->ident;
1da177e4 2494
984947dc 2495 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
4343478f 2496 if (l2cap_check_security(chan)) {
f66dc81f 2497 if (bt_sk(sk)->defer_setup) {
89bc500e 2498 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 2499 result = L2CAP_CR_PEND;
2500 status = L2CAP_CS_AUTHOR_PEND;
2501 parent->sk_data_ready(parent, 0);
2502 } else {
89bc500e 2503 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 2504 result = L2CAP_CR_SUCCESS;
2505 status = L2CAP_CS_NO_INFO;
2506 }
79d554a6 2507 } else {
89bc500e 2508 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2509 result = L2CAP_CR_PEND;
2510 status = L2CAP_CS_AUTHEN_PEND;
2511 }
2512 } else {
89bc500e 2513 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2514 result = L2CAP_CR_PEND;
2515 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2516 }
2517
baa7e1fa 2518 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 2519
2520response:
2521 bh_unlock_sock(parent);
2522
2523sendresp:
aca3192c
YH		 2524 rsp.scid = cpu_to_le16(scid);
2525 rsp.dcid = cpu_to_le16(dcid);
2526 rsp.result = cpu_to_le16(result);
2527 rsp.status = cpu_to_le16(status);
1da177e4 2528 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2529
2530 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2531 struct l2cap_info_req info;
2532 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2533
2534 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2535 conn->info_ident = l2cap_get_ident(conn);
2536
2537 mod_timer(&conn->info_timer, jiffies +
2538 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2539
2540 l2cap_send_cmd(conn, conn->info_ident,
2541 L2CAP_INFO_REQ, sizeof(info), &info);
2542 }
2543
c1360a1c 2544 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 2545 result == L2CAP_CR_SUCCESS) {
2546 u8 buf[128];
c1360a1c 2547 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 2548 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2549 l2cap_build_conf_req(chan, buf), buf);
2550 chan->num_conf_req++;
e9aeb2dd
GP		 2551 }
2552
1da177e4
LT		 2553 return 0;
2554}
2555
2556static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2557{
2558 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2559 u16 scid, dcid, result, status;
48454079 2560 struct l2cap_chan *chan;
1da177e4
LT		 2561 struct sock *sk;
2562 u8 req[128];
2563
2564 scid = __le16_to_cpu(rsp->scid);
2565 dcid = __le16_to_cpu(rsp->dcid);
2566 result = __le16_to_cpu(rsp->result);
2567 status = __le16_to_cpu(rsp->status);
2568
2569 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2570
2571 if (scid) {
baa7e1fa 2572 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2573 if (!chan)
57d3b22b 2574 return -EFAULT;
1da177e4 2575 } else {
baa7e1fa 2576 chan = l2cap_get_chan_by_ident(conn, cmd->ident);
48454079 2577 if (!chan)
57d3b22b 2578 return -EFAULT;
1da177e4
LT		 2579 }
2580
48454079
GP		 2581 sk = chan->sk;
2582
1da177e4
LT		 2583 switch (result) {
2584 case L2CAP_CR_SUCCESS:
89bc500e 2585 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 2586 chan->ident = 0;
fe4128e0 2587 chan->dcid = dcid;
c1360a1c 2588 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 2589
c1360a1c 2590 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 2591 break;
2592
1da177e4 2593 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2594 l2cap_build_conf_req(chan, req), req);
2595 chan->num_conf_req++;
1da177e4
LT		 2596 break;
2597
2598 case L2CAP_CR_PEND:
c1360a1c 2599 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 2600 break;
2601
2602 default:
a49184c2
AE		 2603 /* don't delete l2cap channel if sk is owned by user */
2604 if (sock_owned_by_user(sk)) {
89bc500e 2605 l2cap_state_change(chan, BT_DISCONN);
c9b66675
GP		 2606 __clear_chan_timer(chan);
2607 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2608 break;
2609 }
2610
48454079 2611 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 2612 break;
2613 }
2614
2615 bh_unlock_sock(sk);
2616 return 0;
2617}
2618
47d1ec61 2619static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 2620{
2621 /* FCS is enabled only in ERTM or streaming mode, if one or both
2622 * sides request it.
2623 */
0c1bc5c6 2624 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 2625 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2626 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 2627 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 2628}
2629
88219a0f 2630static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2631{
2632 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2633 u16 dcid, flags;
2634 u8 rsp[64];
48454079 2635 struct l2cap_chan *chan;
1da177e4 2636 struct sock *sk;
5dee9e7c 2637 int len;
1da177e4
LT		 2638
2639 dcid = __le16_to_cpu(req->dcid);
2640 flags = __le16_to_cpu(req->flags);
2641
2642 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2643
baa7e1fa 2644 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2645 if (!chan)
1da177e4
LT		 2646 return -ENOENT;
2647
48454079
GP		 2648 sk = chan->sk;
2649
033b1142 2650 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 2651 struct l2cap_cmd_rej_cid rej;
2652
2653 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
2654 rej.scid = cpu_to_le16(chan->scid);
2655 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 2656
df6bd743
GP		 2657 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2658 sizeof(rej), &rej);
354f60a9 2659 goto unlock;
df6bd743 2660 }
354f60a9 2661
5dee9e7c 2662 /* Reject if config buffer is too small. */
88219a0f 2663 len = cmd_len - sizeof(*req);
7ac28817 2664 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 2665 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2666 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 2667 L2CAP_CONF_REJECT, flags), rsp);
2668 goto unlock;
2669 }
2670
2671 /* Store config. */
73ffa904
GP		 2672 memcpy(chan->conf_req + chan->conf_len, req->data, len);
2673 chan->conf_len += len;
1da177e4
LT		 2674
2675 if (flags & 0x0001) {
2676 /* Incomplete config. Send empty response. */
2677 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2678 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 2679 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2680 goto unlock;
2681 }
2682
2683 /* Complete config. */
73ffa904 2684 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 2685 if (len < 0) {
e92c8e70 2686 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 2687 goto unlock;
f2fcfcd6 2688 }
1da177e4 2689
5dee9e7c 2690 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 2691 chan->num_conf_rsp++;
5dee9e7c 2692
5dee9e7c 2693 /* Reset config buffer. */
73ffa904 2694 chan->conf_len = 0;
5dee9e7c 2695
c1360a1c 2696 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 2697 goto unlock;
2698
c1360a1c 2699 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 2700 set_default_fcs(chan);
fcc203c3 2701
89bc500e 2702 l2cap_state_change(chan, BT_CONNECTED);
e90bac06 2703
42e5c802
GP		 2704 chan->next_tx_seq = 0;
2705 chan->expected_tx_seq = 0;
58d35f87 2706 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2707 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2708 l2cap_ertm_init(chan);
0565c1c2 2709
1da177e4 2710 l2cap_chan_ready(sk);
876d9484
MH		 2711 goto unlock;
2712 }
2713
c1360a1c 2714 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 2715 u8 buf[64];
1da177e4 2716 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2717 l2cap_build_conf_req(chan, buf), buf);
2718 chan->num_conf_req++;
1da177e4
LT		 2719 }
2720
2721unlock:
2722 bh_unlock_sock(sk);
2723 return 0;
2724}
2725
2726static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2727{
2728 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2729 u16 scid, flags, result;
48454079 2730 struct l2cap_chan *chan;
1da177e4 2731 struct sock *sk;
7b1c0049 2732 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 2733
2734 scid = __le16_to_cpu(rsp->scid);
2735 flags = __le16_to_cpu(rsp->flags);
2736 result = __le16_to_cpu(rsp->result);
2737
af05b30b
GP		 2738 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2739 scid, flags, result);
1da177e4 2740
baa7e1fa 2741 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2742 if (!chan)
1da177e4
LT		 2743 return 0;
2744
48454079
GP		 2745 sk = chan->sk;
2746
1da177e4
LT		 2747 switch (result) {
2748 case L2CAP_CONF_SUCCESS:
47d1ec61 2749 l2cap_conf_rfc_get(chan, rsp->data, len);
1da177e4
LT		 2750 break;
2751
2752 case L2CAP_CONF_UNACCEPT:
73ffa904 2753 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 2754 char req[64];
2755
c2c77ec8 2756 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 2757 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 2758 goto done;
2759 }
2760
f2fcfcd6
GP		 2761 /* throw out any old stored conf requests */
2762 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 2763 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2764 req, &result);
f2fcfcd6 2765 if (len < 0) {
e92c8e70 2766 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 2767 goto done;
2768 }
2769
2770 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2771 L2CAP_CONF_REQ, len, req);
73ffa904 2772 chan->num_conf_req++;
f2fcfcd6
GP		 2773 if (result != L2CAP_CONF_SUCCESS)
2774 goto done;
2775 break;
1da177e4
LT		 2776 }
2777
8e87d142 2778 default:
b1235d79 2779 sk->sk_err = ECONNRESET;
c9b66675 2780 __set_chan_timer(chan, HZ * 5);
e92c8e70 2781 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 2782 goto done;
2783 }
2784
2785 if (flags & 0x01)
2786 goto done;
2787
c1360a1c 2788 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 2789
c1360a1c 2790 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 2791 set_default_fcs(chan);
fcc203c3 2792
89bc500e 2793 l2cap_state_change(chan, BT_CONNECTED);
42e5c802
GP		 2794 chan->next_tx_seq = 0;
2795 chan->expected_tx_seq = 0;
58d35f87 2796 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2797 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2798 l2cap_ertm_init(chan);
0565c1c2 2799
1da177e4
LT		 2800 l2cap_chan_ready(sk);
2801 }
2802
2803done:
2804 bh_unlock_sock(sk);
2805 return 0;
2806}
2807
2808static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2809{
2810 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2811 struct l2cap_disconn_rsp rsp;
2812 u16 dcid, scid;
48454079 2813 struct l2cap_chan *chan;
1da177e4
LT		 2814 struct sock *sk;
2815
2816 scid = __le16_to_cpu(req->scid);
2817 dcid = __le16_to_cpu(req->dcid);
2818
2819 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2820
baa7e1fa 2821 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2822 if (!chan)
1da177e4
LT		 2823 return 0;
2824
48454079
GP		 2825 sk = chan->sk;
2826
fe4128e0
GP		 2827 rsp.dcid = cpu_to_le16(chan->scid);
2828 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 2829 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2830
2831 sk->sk_shutdown = SHUTDOWN_MASK;
2832
a49184c2
AE		 2833 /* don't delete l2cap channel if sk is owned by user */
2834 if (sock_owned_by_user(sk)) {
89bc500e 2835 l2cap_state_change(chan, BT_DISCONN);
c9b66675
GP		 2836 __clear_chan_timer(chan);
2837 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2838 bh_unlock_sock(sk);
2839 return 0;
2840 }
2841
48454079 2842 l2cap_chan_del(chan, ECONNRESET);
1da177e4
LT		 2843 bh_unlock_sock(sk);
2844
ba3bd0ee 2845 chan->ops->close(chan->data);
1da177e4
LT		 2846 return 0;
2847}
2848
2849static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2850{
2851 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2852 u16 dcid, scid;
48454079 2853 struct l2cap_chan *chan;
1da177e4
LT		 2854 struct sock *sk;
2855
2856 scid = __le16_to_cpu(rsp->scid);
2857 dcid = __le16_to_cpu(rsp->dcid);
2858
2859 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2860
baa7e1fa 2861 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2862 if (!chan)
1da177e4
LT		 2863 return 0;
2864
48454079
GP		 2865 sk = chan->sk;
2866
a49184c2
AE		 2867 /* don't delete l2cap channel if sk is owned by user */
2868 if (sock_owned_by_user(sk)) {
89bc500e 2869 l2cap_state_change(chan,BT_DISCONN);
c9b66675
GP		 2870 __clear_chan_timer(chan);
2871 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2872 bh_unlock_sock(sk);
2873 return 0;
2874 }
2875
48454079 2876 l2cap_chan_del(chan, 0);
1da177e4
LT		 2877 bh_unlock_sock(sk);
2878
ba3bd0ee 2879 chan->ops->close(chan->data);
1da177e4
LT		 2880 return 0;
2881}
2882
2883static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2884{
2885 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 2886 u16 type;
2887
2888 type = __le16_to_cpu(req->type);
2889
2890 BT_DBG("type 0x%4.4x", type);
2891
f0709e03
MH		 2892 if (type == L2CAP_IT_FEAT_MASK) {
2893 u8 buf[8];
44dd46de 2894 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 2895 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2896 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2897 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 2898 if (!disable_ertm)
fcc203c3
GP		 2899 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2900 | L2CAP_FEAT_FCS;
a5fd6f30 2901 if (enable_hs)
6327eb98
AE		 2902 feat_mask |= L2CAP_FEAT_EXT_FLOW
2903 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 2904
1b7bf4ed 2905 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 2906 l2cap_send_cmd(conn, cmd->ident,
2907 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 2908 } else if (type == L2CAP_IT_FIXED_CHAN) {
2909 u8 buf[12];
2910 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2911 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2912 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2913 memcpy(buf + 4, l2cap_fixed_chan, 8);
2914 l2cap_send_cmd(conn, cmd->ident,
2915 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 2916 } else {
2917 struct l2cap_info_rsp rsp;
2918 rsp.type = cpu_to_le16(type);
2919 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2920 l2cap_send_cmd(conn, cmd->ident,
2921 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
2922 }
1da177e4
LT		 2923
2924 return 0;
2925}
2926
2927static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2928{
2929 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
2930 u16 type, result;
2931
2932 type = __le16_to_cpu(rsp->type);
2933 result = __le16_to_cpu(rsp->result);
2934
2935 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2936
e90165be
AE		 2937 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
2938 if (cmd->ident != conn->info_ident ||
2939 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
2940 return 0;
2941
4e8402a3
MH		 2942 del_timer(&conn->info_timer);
2943
adb08ede
VT		 2944 if (result != L2CAP_IR_SUCCESS) {
2945 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2946 conn->info_ident = 0;
2947
2948 l2cap_conn_start(conn);
2949
2950 return 0;
2951 }
2952
984947dc 2953 if (type == L2CAP_IT_FEAT_MASK) {
83985319 2954 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 2955
47ec1dcd 2956 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 2957 struct l2cap_info_req req;
2958 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2959
2960 conn->info_ident = l2cap_get_ident(conn);
2961
2962 l2cap_send_cmd(conn, conn->info_ident,
2963 L2CAP_INFO_REQ, sizeof(req), &req);
2964 } else {
2965 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2966 conn->info_ident = 0;
2967
2968 l2cap_conn_start(conn);
2969 }
2970 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 2971 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2972 conn->info_ident = 0;
984947dc
MH		 2973
2974 l2cap_conn_start(conn);
2975 }
4e8402a3 2976
1da177e4
LT		 2977 return 0;
2978}
2979
e2174ca4 2980static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 2981 u16 to_multiplier)
2982{
2983 u16 max_latency;
2984
2985 if (min > max || min < 6 || max > 3200)
2986 return -EINVAL;
2987
2988 if (to_multiplier < 10 || to_multiplier > 3200)
2989 return -EINVAL;
2990
2991 if (max >= to_multiplier * 8)
2992 return -EINVAL;
2993
2994 max_latency = (to_multiplier * 8 / max) - 1;
2995 if (latency > 499 || latency > max_latency)
2996 return -EINVAL;
2997
2998 return 0;
2999}
3000
3001static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
3002 struct l2cap_cmd_hdr *cmd, u8 *data)
3003{
3004 struct hci_conn *hcon = conn->hcon;
3005 struct l2cap_conn_param_update_req *req;
3006 struct l2cap_conn_param_update_rsp rsp;
3007 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 3008 int err;
de73115a
CT		 3009
3010 if (!(hcon->link_mode & HCI_LM_MASTER))
3011 return -EINVAL;
3012
3013 cmd_len = __le16_to_cpu(cmd->len);
3014 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
3015 return -EPROTO;
3016
3017 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 3018 min = __le16_to_cpu(req->min);
3019 max = __le16_to_cpu(req->max);
de73115a
CT		 3020 latency = __le16_to_cpu(req->latency);
3021 to_multiplier = __le16_to_cpu(req->to_multiplier);
3022
3023 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
3024 min, max, latency, to_multiplier);
3025
3026 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 3027
3028 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
3029 if (err)
de73115a
CT		 3030 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
3031 else
3032 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
3033
3034 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
3035 sizeof(rsp), &rsp);
3036
2ce603eb
CT		 3037 if (!err)
3038 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
3039
de73115a
CT		 3040 return 0;
3041}
3042
3300d9a9
CT		 3043static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
3044 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3045{
3046 int err = 0;
3047
3048 switch (cmd->code) {
3049 case L2CAP_COMMAND_REJ:
3050 l2cap_command_rej(conn, cmd, data);
3051 break;
3052
3053 case L2CAP_CONN_REQ:
3054 err = l2cap_connect_req(conn, cmd, data);
3055 break;
3056
3057 case L2CAP_CONN_RSP:
3058 err = l2cap_connect_rsp(conn, cmd, data);
3059 break;
3060
3061 case L2CAP_CONF_REQ:
3062 err = l2cap_config_req(conn, cmd, cmd_len, data);
3063 break;
3064
3065 case L2CAP_CONF_RSP:
3066 err = l2cap_config_rsp(conn, cmd, data);
3067 break;
3068
3069 case L2CAP_DISCONN_REQ:
3070 err = l2cap_disconnect_req(conn, cmd, data);
3071 break;
3072
3073 case L2CAP_DISCONN_RSP:
3074 err = l2cap_disconnect_rsp(conn, cmd, data);
3075 break;
3076
3077 case L2CAP_ECHO_REQ:
3078 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
3079 break;
3080
3081 case L2CAP_ECHO_RSP:
3082 break;
3083
3084 case L2CAP_INFO_REQ:
3085 err = l2cap_information_req(conn, cmd, data);
3086 break;
3087
3088 case L2CAP_INFO_RSP:
3089 err = l2cap_information_rsp(conn, cmd, data);
3090 break;
3091
3092 default:
3093 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
3094 err = -EINVAL;
3095 break;
3096 }
3097
3098 return err;
3099}
3100
3101static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
3102 struct l2cap_cmd_hdr *cmd, u8 *data)
3103{
3104 switch (cmd->code) {
3105 case L2CAP_COMMAND_REJ:
3106 return 0;
3107
3108 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 3109 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 3110
3111 case L2CAP_CONN_PARAM_UPDATE_RSP:
3112 return 0;
3113
3114 default:
3115 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
3116 return -EINVAL;
3117 }
3118}
3119
3120static inline void l2cap_sig_channel(struct l2cap_conn *conn,
3121 struct sk_buff *skb)
1da177e4
LT		 3122{
3123 u8 *data = skb->data;
3124 int len = skb->len;
3125 struct l2cap_cmd_hdr cmd;
3300d9a9 3126 int err;
1da177e4
LT		 3127
3128 l2cap_raw_recv(conn, skb);
3129
3130 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3131 u16 cmd_len;
1da177e4
LT		 3132 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3133 data += L2CAP_CMD_HDR_SIZE;
3134 len -= L2CAP_CMD_HDR_SIZE;
3135
88219a0f 3136 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3137
88219a0f 3138 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3139
88219a0f 3140 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3141 BT_DBG("corrupted command");
3142 break;
3143 }
3144
3300d9a9
CT		 3145 if (conn->hcon->type == LE_LINK)
3146 err = l2cap_le_sig_cmd(conn, &cmd, data);
3147 else
3148 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 3149
3150 if (err) {
e2fd318e 3151 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 3152
3153 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 3154
3155 /* FIXME: Map err to a valid reason */
e2fd318e 3156 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 3157 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3158 }
3159
88219a0f
AV		 3160 data += cmd_len;
3161 len -= cmd_len;
1da177e4
LT		 3162 }
3163
3164 kfree_skb(skb);
3165}
3166
47d1ec61 3167static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 3168{
3169 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 3170 int hdr_size;
3171
3172 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3173 hdr_size = L2CAP_EXT_HDR_SIZE;
3174 else
3175 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 3176
47d1ec61 3177 if (chan->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 3178 skb_trim(skb, skb->len - 2);
3179 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3180 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3181
3182 if (our_fcs != rcv_fcs)
7a560e5c 3183 return -EBADMSG;
fcc203c3
GP		 3184 }
3185 return 0;
3186}
3187
525cd185 3188static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 3189{
88843ab0 3190 u32 control = 0;
d5392c8f 3191
6a026610 3192 chan->frames_sent = 0;
d5392c8f 3193
0b209fae 3194 control |= __set_reqseq(chan, chan->buffer_seq);
d5392c8f 3195
e2ab4353 3196 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 3197 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
525cd185 3198 l2cap_send_sframe(chan, control);
e2ab4353 3199 set_bit(CONN_RNR_SENT, &chan->conn_state);
d5392c8f
GP		 3200 }
3201
e2ab4353 3202 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
525cd185 3203 l2cap_retransmit_frames(chan);
d5392c8f 3204
525cd185 3205 l2cap_ertm_send(chan);
d5392c8f 3206
e2ab4353 3207 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
6a026610 3208 chan->frames_sent == 0) {
ab784b73 3209 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 3210 l2cap_send_sframe(chan, control);
d5392c8f
GP		 3211 }
3212}
3213
fb45de7d 3214static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u16 tx_seq, u8 sar)
8f17154f
GP		 3215{
3216 struct sk_buff *next_skb;
bfbacc11 3217 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 3218
3219 bt_cb(skb)->tx_seq = tx_seq;
3220 bt_cb(skb)->sar = sar;
3221
f1c6775b 3222 next_skb = skb_peek(&chan->srej_q);
8f17154f 3223 if (!next_skb) {
f1c6775b 3224 __skb_queue_tail(&chan->srej_q, skb);
9b53350d 3225 return 0;
8f17154f
GP		 3226 }
3227
42e5c802 3228 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
bfbacc11
JPRV		 3229 if (tx_seq_offset < 0)
3230 tx_seq_offset += 64;
3231
8f17154f 3232 do {
9b53350d
JPRV		 3233 if (bt_cb(next_skb)->tx_seq == tx_seq)
3234 return -EINVAL;
3235
bfbacc11 3236 next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
42e5c802 3237 chan->buffer_seq) % 64;
bfbacc11
JPRV		 3238 if (next_tx_seq_offset < 0)
3239 next_tx_seq_offset += 64;
3240
3241 if (next_tx_seq_offset > tx_seq_offset) {
f1c6775b 3242 __skb_queue_before(&chan->srej_q, next_skb, skb);
9b53350d 3243 return 0;
8f17154f
GP		 3244 }
3245
f1c6775b 3246 if (skb_queue_is_last(&chan->srej_q, next_skb))
8f17154f
GP		 3247 break;
3248
f1c6775b 3249 } while ((next_skb = skb_queue_next(&chan->srej_q, next_skb)));
8f17154f 3250
f1c6775b 3251 __skb_queue_tail(&chan->srej_q, skb);
9b53350d
JPRV		 3252
3253 return 0;
8f17154f
GP		 3254}
3255
84084a31
MM		 3256static void append_skb_frag(struct sk_buff *skb,
3257 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 3258{
84084a31
MM		 3259 /* skb->len reflects data in skb as well as all fragments
3260 * skb->data_len reflects only data in fragments
3261 */
3262 if (!skb_has_frag_list(skb))
3263 skb_shinfo(skb)->frag_list = new_frag;
3264
3265 new_frag->next = NULL;
3266
3267 (*last_frag)->next = new_frag;
3268 *last_frag = new_frag;
3269
3270 skb->len += new_frag->len;
3271 skb->data_len += new_frag->len;
3272 skb->truesize += new_frag->truesize;
3273}
3274
88843ab0 3275static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u32 control)
84084a31
MM		 3276{
3277 int err = -EINVAL;
18778a63 3278
7e0ef6ee
AE		 3279 switch (__get_ctrl_sar(chan, control)) {
3280 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 3281 if (chan->sdu)
3282 break;
18778a63 3283
84084a31
MM		 3284 err = chan->ops->recv(chan->data, skb);
3285 break;
18778a63 3286
7e0ef6ee 3287 case L2CAP_SAR_START:
84084a31
MM		 3288 if (chan->sdu)
3289 break;
18778a63 3290
6f61fd47 3291 chan->sdu_len = get_unaligned_le16(skb->data);
84084a31 3292 skb_pull(skb, 2);
18778a63 3293
84084a31
MM		 3294 if (chan->sdu_len > chan->imtu) {
3295 err = -EMSGSIZE;
3296 break;
3297 }
1890d36b 3298
84084a31
MM		 3299 if (skb->len >= chan->sdu_len)
3300 break;
18778a63 3301
84084a31
MM		 3302 chan->sdu = skb;
3303 chan->sdu_last_frag = skb;
18778a63 3304
84084a31
MM		 3305 skb = NULL;
3306 err = 0;
18778a63
GP		 3307 break;
3308
7e0ef6ee 3309 case L2CAP_SAR_CONTINUE:
6f61fd47 3310 if (!chan->sdu)
84084a31 3311 break;
18778a63 3312
84084a31
MM		 3313 append_skb_frag(chan->sdu, skb,
3314 &chan->sdu_last_frag);
3315 skb = NULL;
18778a63 3316
84084a31
MM		 3317 if (chan->sdu->len >= chan->sdu_len)
3318 break;
4178ba46 3319
84084a31 3320 err = 0;
18778a63
GP		 3321 break;
3322
7e0ef6ee 3323 case L2CAP_SAR_END:
6f61fd47 3324 if (!chan->sdu)
84084a31 3325 break;
18778a63 3326
84084a31
MM		 3327 append_skb_frag(chan->sdu, skb,
3328 &chan->sdu_last_frag);
3329 skb = NULL;
4178ba46 3330
84084a31
MM		 3331 if (chan->sdu->len != chan->sdu_len)
3332 break;
18778a63 3333
84084a31 3334 err = chan->ops->recv(chan->data, chan->sdu);
1890d36b 3335
84084a31
MM		 3336 if (!err) {
3337 /* Reassembly complete */
3338 chan->sdu = NULL;
3339 chan->sdu_last_frag = NULL;
3340 chan->sdu_len = 0;
1890d36b 3341 }
18778a63
GP		 3342 break;
3343 }
3344
84084a31
MM		 3345 if (err) {
3346 kfree_skb(skb);
3347 kfree_skb(chan->sdu);
3348 chan->sdu = NULL;
3349 chan->sdu_last_frag = NULL;
3350 chan->sdu_len = 0;
3351 }
18778a63 3352
84084a31 3353 return err;
18778a63
GP		 3354}
3355
26f880d2 3356static void l2cap_ertm_enter_local_busy(struct l2cap_chan *chan)
712132eb 3357{
88843ab0 3358 u32 control;
712132eb 3359
26f880d2 3360 BT_DBG("chan %p, Enter local busy", chan);
712132eb 3361
26f880d2
MM		 3362 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3363
0b209fae 3364 control = __set_reqseq(chan, chan->buffer_seq);
ab784b73 3365 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
26f880d2
MM		 3366 l2cap_send_sframe(chan, control);
3367
3368 set_bit(CONN_RNR_SENT, &chan->conn_state);
3369
3370 __clear_ack_timer(chan);
3371}
3372
3373static void l2cap_ertm_exit_local_busy(struct l2cap_chan *chan)
3374{
88843ab0 3375 u32 control;
712132eb 3376
e2ab4353 3377 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
712132eb
GP		 3378 goto done;
3379
0b209fae 3380 control = __set_reqseq(chan, chan->buffer_seq);
e3781735 3381 control |= __set_ctrl_poll(chan);
ab784b73 3382 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 3383 l2cap_send_sframe(chan, control);
6a026610 3384 chan->retry_count = 1;
712132eb 3385
1a09bcb9
GP		 3386 __clear_retrans_timer(chan);
3387 __set_monitor_timer(chan);
712132eb 3388
e2ab4353 3389 set_bit(CONN_WAIT_F, &chan->conn_state);
712132eb
GP		 3390
3391done:
e2ab4353
GP		 3392 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3393 clear_bit(CONN_RNR_SENT, &chan->conn_state);
712132eb 3394
49208c9c 3395 BT_DBG("chan %p, Exit local busy", chan);
712132eb
GP		 3396}
3397
e328140f 3398void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
1890d36b 3399{
e328140f
MM		 3400 if (chan->mode == L2CAP_MODE_ERTM) {
3401 if (busy)
3402 l2cap_ertm_enter_local_busy(chan);
3403 else
3404 l2cap_ertm_exit_local_busy(chan);
1890d36b 3405 }
1890d36b
GP		 3406}
3407
fb45de7d 3408static void l2cap_check_srej_gap(struct l2cap_chan *chan, u16 tx_seq)
8f17154f
GP		 3409{
3410 struct sk_buff *skb;
88843ab0 3411 u32 control;
8f17154f 3412
e328140f
MM		 3413 while ((skb = skb_peek(&chan->srej_q)) &&
3414 !test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3415 int err;
3416
8f17154f
GP		 3417 if (bt_cb(skb)->tx_seq != tx_seq)
3418 break;
3419
f1c6775b 3420 skb = skb_dequeue(&chan->srej_q);
7e0ef6ee 3421 control = __set_ctrl_sar(chan, bt_cb(skb)->sar);
84084a31 3422 err = l2cap_reassemble_sdu(chan, skb, control);
e328140f
MM		 3423
3424 if (err < 0) {
3425 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3426 break;
3427 }
3428
42e5c802
GP		 3429 chan->buffer_seq_srej =
3430 (chan->buffer_seq_srej + 1) % 64;
8ff50ec0 3431 tx_seq = (tx_seq + 1) % 64;
8f17154f
GP		 3432 }
3433}
3434
fb45de7d 3435static void l2cap_resend_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 3436{
8f17154f 3437 struct srej_list *l, *tmp;
88843ab0 3438 u32 control;
8f17154f 3439
39d5a3ee 3440 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
8f17154f
GP		 3441 if (l->tx_seq == tx_seq) {
3442 list_del(&l->list);
3443 kfree(l);
3444 return;
3445 }
ab784b73 3446 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 3447 control |= __set_reqseq(chan, l->tx_seq);
525cd185 3448 l2cap_send_sframe(chan, control);
8f17154f 3449 list_del(&l->list);
39d5a3ee 3450 list_add_tail(&l->list, &chan->srej_l);
8f17154f
GP		 3451 }
3452}
3453
fb45de7d 3454static void l2cap_send_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 3455{
8f17154f 3456 struct srej_list *new;
88843ab0 3457 u32 control;
8f17154f 3458
42e5c802 3459 while (tx_seq != chan->expected_tx_seq) {
ab784b73 3460 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 3461 control |= __set_reqseq(chan, chan->expected_tx_seq);
525cd185 3462 l2cap_send_sframe(chan, control);
8f17154f
GP		 3463
3464 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
42e5c802
GP		 3465 new->tx_seq = chan->expected_tx_seq;
3466 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
39d5a3ee 3467 list_add_tail(&new->list, &chan->srej_l);
8f17154f 3468 }
42e5c802 3469 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
8f17154f
GP		 3470}
3471
88843ab0 3472static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
1c2acffb 3473{
fb45de7d 3474 u16 tx_seq = __get_txseq(chan, rx_control);
0b209fae 3475 u16 req_seq = __get_reqseq(chan, rx_control);
7e0ef6ee 3476 u8 sar = __get_ctrl_sar(chan, rx_control);
f6337c77 3477 int tx_seq_offset, expected_tx_seq_offset;
47d1ec61 3478 int num_to_ack = (chan->tx_win/6) + 1;
1c2acffb
GP		 3479 int err = 0;
3480
88843ab0 3481 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%8.8x", chan, skb->len,
525cd185 3482 tx_seq, rx_control);
1c2acffb 3483
03f6715d 3484 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 3485 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 3486 __clear_monitor_timer(chan);
6a026610 3487 if (chan->unacked_frames > 0)
1a09bcb9 3488 __set_retrans_timer(chan);
e2ab4353 3489 clear_bit(CONN_WAIT_F, &chan->conn_state);
1d8f5d16
GP		 3490 }
3491
42e5c802
GP		 3492 chan->expected_ack_seq = req_seq;
3493 l2cap_drop_acked_frames(chan);
9f121a5a 3494
42e5c802 3495 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
9b53350d
JPRV		 3496 if (tx_seq_offset < 0)
3497 tx_seq_offset += 64;
3498
3499 /* invalid tx_seq */
47d1ec61 3500 if (tx_seq_offset >= chan->tx_win) {
8c1d787b 3501 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
9b53350d
JPRV		 3502 goto drop;
3503 }
3504
e2ab4353 3505 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1890d36b
GP		 3506 goto drop;
3507
02f1b641
MM		 3508 if (tx_seq == chan->expected_tx_seq)
3509 goto expected;
3510
e2ab4353 3511 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
8f17154f 3512 struct srej_list *first;
30afb5b2 3513
39d5a3ee 3514 first = list_first_entry(&chan->srej_l,
8f17154f
GP		 3515 struct srej_list, list);
3516 if (tx_seq == first->tx_seq) {
42e5c802 3517 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
525cd185 3518 l2cap_check_srej_gap(chan, tx_seq);
8f17154f
GP		 3519
3520 list_del(&first->list);
3521 kfree(first);
3522
39d5a3ee 3523 if (list_empty(&chan->srej_l)) {
42e5c802 3524 chan->buffer_seq = chan->buffer_seq_srej;
e2ab4353 3525 clear_bit(CONN_SREJ_SENT, &chan->conn_state);
525cd185 3526 l2cap_send_ack(chan);
49208c9c 3527 BT_DBG("chan %p, Exit SREJ_SENT", chan);
8f17154f
GP		 3528 }
3529 } else {
3530 struct srej_list *l;
9b53350d
JPRV		 3531
3532 /* duplicated tx_seq */
42e5c802 3533 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
9b53350d 3534 goto drop;
8f17154f 3535
39d5a3ee 3536 list_for_each_entry(l, &chan->srej_l, list) {
8f17154f 3537 if (l->tx_seq == tx_seq) {
525cd185 3538 l2cap_resend_srejframe(chan, tx_seq);
8f17154f
GP		 3539 return 0;
3540 }
3541 }
525cd185 3542 l2cap_send_srejframe(chan, tx_seq);
30afb5b2
GP		 3543 }
3544 } else {
9b53350d 3545 expected_tx_seq_offset =
42e5c802 3546 (chan->expected_tx_seq - chan->buffer_seq) % 64;
9b53350d
JPRV		 3547 if (expected_tx_seq_offset < 0)
3548 expected_tx_seq_offset += 64;
3549
3550 /* duplicated tx_seq */
3551 if (tx_seq_offset < expected_tx_seq_offset)
3552 goto drop;
3553
e2ab4353 3554 set_bit(CONN_SREJ_SENT, &chan->conn_state);
1c2acffb 3555
49208c9c 3556 BT_DBG("chan %p, Enter SREJ", chan);
0e98958d 3557
39d5a3ee 3558 INIT_LIST_HEAD(&chan->srej_l);
42e5c802 3559 chan->buffer_seq_srej = chan->buffer_seq;
8f17154f 3560
f1c6775b 3561 __skb_queue_head_init(&chan->srej_q);
42e5c802 3562 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
8f17154f 3563
e2ab4353 3564 set_bit(CONN_SEND_PBIT, &chan->conn_state);
ef54fd93 3565
525cd185 3566 l2cap_send_srejframe(chan, tx_seq);
7fe9b298 3567
1a09bcb9 3568 __clear_ack_timer(chan);
1c2acffb 3569 }
30afb5b2
GP		 3570 return 0;
3571
8f17154f 3572expected:
42e5c802 3573 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
8f17154f 3574
e2ab4353 3575 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3b1a9f3f
GP		 3576 bt_cb(skb)->tx_seq = tx_seq;
3577 bt_cb(skb)->sar = sar;
f1c6775b 3578 __skb_queue_tail(&chan->srej_q, skb);
8f17154f
GP		 3579 return 0;
3580 }
3581
84084a31 3582 err = l2cap_reassemble_sdu(chan, skb, rx_control);
fadd192e 3583 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
e328140f
MM		 3584 if (err < 0) {
3585 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3586 return err;
3587 }
2ece3684 3588
03f6715d 3589 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3590 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3591 l2cap_retransmit_frames(chan);
4ec10d97
GP		 3592 }
3593
1a09bcb9 3594 __set_ack_timer(chan);
c1b4f43b 3595
6a026610
GP		 3596 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3597 if (chan->num_acked == num_to_ack - 1)
525cd185 3598 l2cap_send_ack(chan);
9e917af1 3599
8f17154f 3600 return 0;
9b53350d
JPRV		 3601
3602drop:
3603 kfree_skb(skb);
3604 return 0;
1c2acffb
GP		 3605}
3606
88843ab0 3607static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u32 rx_control)
1c2acffb 3608{
88843ab0 3609 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan,
0b209fae 3610 __get_reqseq(chan, rx_control), rx_control);
0e98958d 3611
0b209fae 3612 chan->expected_ack_seq = __get_reqseq(chan, rx_control);
42e5c802 3613 l2cap_drop_acked_frames(chan);
1c2acffb 3614
e3781735 3615 if (__is_ctrl_poll(chan, rx_control)) {
e2ab4353
GP		 3616 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3617 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3618 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 3619 (chan->unacked_frames > 0))
1a09bcb9 3620 __set_retrans_timer(chan);
05fbd89d 3621
e2ab4353 3622 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
525cd185 3623 l2cap_send_srejtail(chan);
05fbd89d 3624 } else {
525cd185 3625 l2cap_send_i_or_rr_or_rnr(chan);
05fbd89d 3626 }
1d8f5d16 3627
03f6715d 3628 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3629 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4ec10d97 3630
e2ab4353 3631 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3632 l2cap_retransmit_frames(chan);
2246b2f1 3633
e072745f 3634 } else {
e2ab4353 3635 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 3636 (chan->unacked_frames > 0))
1a09bcb9 3637 __set_retrans_timer(chan);
1c2acffb 3638
e2ab4353
GP		 3639 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3640 if (test_bit(CONN_SREJ_SENT, &chan->conn_state))
525cd185 3641 l2cap_send_ack(chan);
894718a6 3642 else
525cd185 3643 l2cap_ertm_send(chan);
e072745f
GP		 3644 }
3645}
2246b2f1 3646
88843ab0 3647static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 3648{
0b209fae 3649 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 3650
88843ab0 3651 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 3652
e2ab4353 3653 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
e072745f 3654
42e5c802
GP		 3655 chan->expected_ack_seq = tx_seq;
3656 l2cap_drop_acked_frames(chan);
e072745f 3657
03f6715d 3658 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3659 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3660 l2cap_retransmit_frames(chan);
e072745f 3661 } else {
525cd185 3662 l2cap_retransmit_frames(chan);
30afb5b2 3663
e2ab4353
GP		 3664 if (test_bit(CONN_WAIT_F, &chan->conn_state))
3665 set_bit(CONN_REJ_ACT, &chan->conn_state);
e072745f
GP		 3666 }
3667}
88843ab0 3668static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 3669{
0b209fae 3670 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 3671
88843ab0 3672 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 3673
e2ab4353 3674 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
2246b2f1 3675
e3781735 3676 if (__is_ctrl_poll(chan, rx_control)) {
42e5c802
GP		 3677 chan->expected_ack_seq = tx_seq;
3678 l2cap_drop_acked_frames(chan);
3cb123d1 3679
e2ab4353 3680 set_bit(CONN_SEND_FBIT, &chan->conn_state);
525cd185 3681 l2cap_retransmit_one_frame(chan, tx_seq);
dfc909be 3682
525cd185 3683 l2cap_ertm_send(chan);
dfc909be 3684
e2ab4353 3685 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 3686 chan->srej_save_reqseq = tx_seq;
e2ab4353 3687 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 3688 }
03f6715d 3689 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3690 if (test_bit(CONN_SREJ_ACT, &chan->conn_state) &&
6a026610 3691 chan->srej_save_reqseq == tx_seq)
e2ab4353 3692 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
e072745f 3693 else
525cd185 3694 l2cap_retransmit_one_frame(chan, tx_seq);
e072745f 3695 } else {
525cd185 3696 l2cap_retransmit_one_frame(chan, tx_seq);
e2ab4353 3697 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 3698 chan->srej_save_reqseq = tx_seq;
e2ab4353 3699 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 3700 }
e072745f
GP		 3701 }
3702}
3703
88843ab0 3704static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 3705{
0b209fae 3706 u16 tx_seq = __get_reqseq(chan, rx_control);
e072745f 3707
88843ab0 3708 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 3709
e2ab4353 3710 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
42e5c802
GP		 3711 chan->expected_ack_seq = tx_seq;
3712 l2cap_drop_acked_frames(chan);
e072745f 3713
e3781735 3714 if (__is_ctrl_poll(chan, rx_control))
e2ab4353 3715 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3cb123d1 3716
e2ab4353 3717 if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
1a09bcb9 3718 __clear_retrans_timer(chan);
e3781735 3719 if (__is_ctrl_poll(chan, rx_control))
525cd185 3720 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
99b0d4b7 3721 return;
e072745f 3722 }
99b0d4b7 3723
e3781735 3724 if (__is_ctrl_poll(chan, rx_control)) {
525cd185 3725 l2cap_send_srejtail(chan);
ab784b73
AE		 3726 } else {
3727 rx_control = __set_ctrl_super(chan, L2CAP_SUPER_RR);
3728 l2cap_send_sframe(chan, rx_control);
3729 }
e072745f
GP		 3730}
3731
88843ab0 3732static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
e072745f 3733{
88843ab0 3734 BT_DBG("chan %p rx_control 0x%8.8x len %d", chan, rx_control, skb->len);
e072745f 3735
03f6715d 3736 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 3737 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 3738 __clear_monitor_timer(chan);
6a026610 3739 if (chan->unacked_frames > 0)
1a09bcb9 3740 __set_retrans_timer(chan);
e2ab4353 3741 clear_bit(CONN_WAIT_F, &chan->conn_state);
e072745f
GP		 3742 }
3743
ab784b73
AE		 3744 switch (__get_ctrl_super(chan, rx_control)) {
3745 case L2CAP_SUPER_RR:
525cd185 3746 l2cap_data_channel_rrframe(chan, rx_control);
8f17154f
GP		 3747 break;
3748
ab784b73 3749 case L2CAP_SUPER_REJ:
525cd185 3750 l2cap_data_channel_rejframe(chan, rx_control);
e072745f 3751 break;
2246b2f1 3752
ab784b73 3753 case L2CAP_SUPER_SREJ:
525cd185 3754 l2cap_data_channel_srejframe(chan, rx_control);
e072745f
GP		 3755 break;
3756
ab784b73 3757 case L2CAP_SUPER_RNR:
525cd185 3758 l2cap_data_channel_rnrframe(chan, rx_control);
1c2acffb
GP		 3759 break;
3760 }
3761
faaebd19 3762 kfree_skb(skb);
1c2acffb
GP		 3763 return 0;
3764}
3765
218bb9df
GP		 3766static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
3767{
525cd185 3768 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
88843ab0 3769 u32 control;
0b209fae 3770 u16 req_seq;
218bb9df
GP		 3771 int len, next_tx_seq_offset, req_seq_offset;
3772
88843ab0
AE		 3773 control = __get_control(chan, skb->data);
3774 skb_pull(skb, __ctrl_size(chan));
218bb9df
GP		 3775 len = skb->len;
3776
3777 /*
3778 * We can just drop the corrupted I-frame here.
3779 * Receiver will miss it and start proper recovery
3780 * procedures and ask retransmission.
3781 */
47d1ec61 3782 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 3783 goto drop;
3784
793c2f1c 3785 if (__is_sar_start(chan, control) && !__is_sframe(chan, control))
218bb9df
GP		 3786 len -= 2;
3787
47d1ec61 3788 if (chan->fcs == L2CAP_FCS_CRC16)
218bb9df
GP		 3789 len -= 2;
3790
47d1ec61 3791 if (len > chan->mps) {
8c1d787b 3792 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3793 goto drop;
3794 }
3795
0b209fae 3796 req_seq = __get_reqseq(chan, control);
42e5c802 3797 req_seq_offset = (req_seq - chan->expected_ack_seq) % 64;
218bb9df
GP		 3798 if (req_seq_offset < 0)
3799 req_seq_offset += 64;
3800
3801 next_tx_seq_offset =
42e5c802 3802 (chan->next_tx_seq - chan->expected_ack_seq) % 64;
218bb9df
GP		 3803 if (next_tx_seq_offset < 0)
3804 next_tx_seq_offset += 64;
3805
3806 /* check for invalid req-seq */
3807 if (req_seq_offset > next_tx_seq_offset) {
8c1d787b 3808 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3809 goto drop;
3810 }
3811
793c2f1c 3812 if (!__is_sframe(chan, control)) {
218bb9df 3813 if (len < 0) {
8c1d787b 3814 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3815 goto drop;
3816 }
3817
525cd185 3818 l2cap_data_channel_iframe(chan, control, skb);
218bb9df
GP		 3819 } else {
3820 if (len != 0) {
3821 BT_ERR("%d", len);
8c1d787b 3822 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3823 goto drop;
3824 }
3825
525cd185 3826 l2cap_data_channel_sframe(chan, control, skb);
218bb9df
GP		 3827 }
3828
3829 return 0;
3830
3831drop:
3832 kfree_skb(skb);
3833 return 0;
3834}
3835
1da177e4
LT		 3836static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
3837{
48454079 3838 struct l2cap_chan *chan;
bf734843 3839 struct sock *sk = NULL;
88843ab0 3840 u32 control;
fb45de7d 3841 u16 tx_seq;
218bb9df 3842 int len;
1da177e4 3843
baa7e1fa 3844 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 3845 if (!chan) {
1da177e4
LT		 3846 BT_DBG("unknown cid 0x%4.4x", cid);
3847 goto drop;
3848 }
3849
48454079 3850 sk = chan->sk;
6840ed07 3851
49208c9c 3852 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 3853
89bc500e 3854 if (chan->state != BT_CONNECTED)
1da177e4
LT		 3855 goto drop;
3856
0c1bc5c6 3857 switch (chan->mode) {
1c2acffb
GP		 3858 case L2CAP_MODE_BASIC:
3859 /* If socket recv buffers overflows we drop data here
3860 * which is *bad* because L2CAP has to be reliable.
3861 * But we don't have any other choice. L2CAP doesn't
3862 * provide flow control mechanism. */
1da177e4 3863
0c1bc5c6 3864 if (chan->imtu < skb->len)
1c2acffb 3865 goto drop;
1da177e4 3866
23070494 3867 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP		 3868 goto done;
3869 break;
3870
3871 case L2CAP_MODE_ERTM:
218bb9df
GP		 3872 if (!sock_owned_by_user(sk)) {
3873 l2cap_ertm_data_rcv(sk, skb);
277ffbe3 3874 } else {
218bb9df 3875 if (sk_add_backlog(sk, skb))
277ffbe3 3876 goto drop;
277ffbe3 3877 }
1c2acffb 3878
fcafde2e 3879 goto done;
1c2acffb 3880
6840ed07 3881 case L2CAP_MODE_STREAMING:
88843ab0
AE		 3882 control = __get_control(chan, skb->data);
3883 skb_pull(skb, __ctrl_size(chan));
6840ed07
GP		 3884 len = skb->len;
3885
47d1ec61 3886 if (l2cap_check_fcs(chan, skb))
26000089
GP		 3887 goto drop;
3888
7e0ef6ee 3889 if (__is_sar_start(chan, control))
6840ed07
GP		 3890 len -= 2;
3891
47d1ec61 3892 if (chan->fcs == L2CAP_FCS_CRC16)
fcc203c3
GP		 3893 len -= 2;
3894
793c2f1c 3895 if (len > chan->mps || len < 0 || __is_sframe(chan, control))
6840ed07
GP		 3896 goto drop;
3897
fb45de7d 3898 tx_seq = __get_txseq(chan, control);
6840ed07 3899
84084a31
MM		 3900 if (chan->expected_tx_seq != tx_seq) {
3901 /* Frame(s) missing - must discard partial SDU */
3902 kfree_skb(chan->sdu);
3903 chan->sdu = NULL;
3904 chan->sdu_last_frag = NULL;
3905 chan->sdu_len = 0;
6840ed07 3906
84084a31
MM		 3907 /* TODO: Notify userland of missing data */
3908 }
3909
3910 chan->expected_tx_seq = (tx_seq + 1) % 64;
3911
3912 if (l2cap_reassemble_sdu(chan, skb, control) == -EMSGSIZE)
3913 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
6840ed07
GP		 3914
3915 goto done;
3916
1c2acffb 3917 default:
0c1bc5c6 3918 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 3919 break;
3920 }
1da177e4
LT		 3921
3922drop:
3923 kfree_skb(skb);
3924
3925done:
0139418c
MH		 3926 if (sk)
3927 bh_unlock_sock(sk);
3928
1da177e4
LT		 3929 return 0;
3930}
3931
8e036fc3 3932static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 3933{
6dcae1ea 3934 struct sock *sk = NULL;
23691d75 3935 struct l2cap_chan *chan;
1da177e4 3936
23691d75
GP		 3937 chan = l2cap_global_chan_by_psm(0, psm, conn->src);
3938 if (!chan)
1da177e4
LT		 3939 goto drop;
3940
23691d75
GP		 3941 sk = chan->sk;
3942
e0f0cb56
GP		 3943 bh_lock_sock(sk);
3944
1da177e4
LT		 3945 BT_DBG("sk %p, len %d", sk, skb->len);
3946
89bc500e 3947 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 3948 goto drop;
3949
e13e21dc 3950 if (chan->imtu < skb->len)
1da177e4
LT		 3951 goto drop;
3952
23070494 3953 if (!chan->ops->recv(chan->data, skb))
1da177e4
LT		 3954 goto done;
3955
3956drop:
3957 kfree_skb(skb);
3958
3959done:
af05b30b
GP		 3960 if (sk)
3961 bh_unlock_sock(sk);
1da177e4
LT		 3962 return 0;
3963}
3964
9f69bda6
GP		 3965static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
3966{
6dcae1ea 3967 struct sock *sk = NULL;
23691d75 3968 struct l2cap_chan *chan;
9f69bda6 3969
23691d75
GP		 3970 chan = l2cap_global_chan_by_scid(0, cid, conn->src);
3971 if (!chan)
9f69bda6
GP		 3972 goto drop;
3973
23691d75
GP		 3974 sk = chan->sk;
3975
9f69bda6
GP		 3976 bh_lock_sock(sk);
3977
3978 BT_DBG("sk %p, len %d", sk, skb->len);
3979
89bc500e 3980 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 3981 goto drop;
3982
e13e21dc 3983 if (chan->imtu < skb->len)
9f69bda6
GP		 3984 goto drop;
3985
23070494 3986 if (!chan->ops->recv(chan->data, skb))
9f69bda6
GP		 3987 goto done;
3988
3989drop:
3990 kfree_skb(skb);
3991
3992done:
3993 if (sk)
3994 bh_unlock_sock(sk);
3995 return 0;
3996}
3997
1da177e4
LT		 3998static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
3999{
4000 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4001 u16 cid, len;
4002 __le16 psm;
1da177e4
LT		 4003
4004 skb_pull(skb, L2CAP_HDR_SIZE);
4005 cid = __le16_to_cpu(lh->cid);
4006 len = __le16_to_cpu(lh->len);
4007
1c2acffb
GP		 4008 if (len != skb->len) {
4009 kfree_skb(skb);
4010 return;
4011 }
4012
1da177e4
LT		 4013 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4014
4015 switch (cid) {
3300d9a9 4016 case L2CAP_CID_LE_SIGNALING:
8db4dc46 4017 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4018 l2cap_sig_channel(conn, skb);
4019 break;
4020
8db4dc46 4021 case L2CAP_CID_CONN_LESS:
1b7bf4ed 4022 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 4023 skb_pull(skb, 2);
4024 l2cap_conless_channel(conn, psm, skb);
4025 break;
4026
9f69bda6
GP		 4027 case L2CAP_CID_LE_DATA:
4028 l2cap_att_channel(conn, cid, skb);
4029 break;
4030
b501d6a1
AB		 4031 case L2CAP_CID_SMP:
4032 if (smp_sig_channel(conn, skb))
4033 l2cap_conn_del(conn->hcon, EACCES);
4034 break;
4035
1da177e4
LT		 4036 default:
4037 l2cap_data_channel(conn, cid, skb);
4038 break;
4039 }
4040}
4041
4042/* ---- L2CAP interface with lower layer (HCI) ---- */
4043
4044static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4045{
4046 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 4047 struct l2cap_chan *c;
1da177e4
LT		 4048
4049 if (type != ACL_LINK)
963cf687 4050 return -EINVAL;
1da177e4
LT		 4051
4052 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4053
4054 /* Find listening sockets and check their link_mode */
23691d75
GP		 4055 read_lock(&chan_list_lock);
4056 list_for_each_entry(c, &chan_list, global_l) {
4057 struct sock *sk = c->sk;
4343478f 4058
89bc500e 4059 if (c->state != BT_LISTEN)
1da177e4
LT		 4060 continue;
4061
4062 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4063 lm1 |= HCI_LM_ACCEPT;
43bd0f32 4064 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 4065 lm1 |= HCI_LM_MASTER;
1da177e4 4066 exact++;
2af6b9d5
MH		 4067 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4068 lm2 |= HCI_LM_ACCEPT;
43bd0f32 4069 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 4070 lm2 |= HCI_LM_MASTER;
4071 }
1da177e4 4072 }
23691d75 4073 read_unlock(&chan_list_lock);
1da177e4
LT		 4074
4075 return exact ? lm1 : lm2;
4076}
4077
4078static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4079{
0139418c
MH		 4080 struct l2cap_conn *conn;
4081
1da177e4
LT		 4082 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4083
acd7d370 4084 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4085 return -EINVAL;
1da177e4
LT		 4086
4087 if (!status) {
1da177e4
LT		 4088 conn = l2cap_conn_add(hcon, status);
4089 if (conn)
4090 l2cap_conn_ready(conn);
0139418c 4091 } else
e175072f 4092 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 4093
4094 return 0;
4095}
4096
2950f21a
MH		 4097static int l2cap_disconn_ind(struct hci_conn *hcon)
4098{
4099 struct l2cap_conn *conn = hcon->l2cap_data;
4100
4101 BT_DBG("hcon %p", hcon);
4102
b5694506 4103 if ((hcon->type != ACL_LINK && hcon->type != LE_LINK) || !conn)
2950f21a
MH		 4104 return 0x13;
4105
4106 return conn->disc_reason;
4107}
4108
4109static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4110{
4111 BT_DBG("hcon %p reason %d", hcon, reason);
4112
acd7d370 4113 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4114 return -EINVAL;
1da177e4 4115
e175072f 4116 l2cap_conn_del(hcon, bt_to_errno(reason));
0139418c 4117
1da177e4
LT		 4118 return 0;
4119}
4120
4343478f 4121static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4122{
715ec005 4123 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 4124 return;
4125
f62e4323 4126 if (encrypt == 0x00) {
4343478f 4127 if (chan->sec_level == BT_SECURITY_MEDIUM) {
c9b66675
GP		 4128 __clear_chan_timer(chan);
4129 __set_chan_timer(chan, HZ * 5);
4343478f 4130 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 4131 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4132 } else {
4343478f 4133 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 4134 __clear_chan_timer(chan);
f62e4323
MH		 4135 }
4136}
4137
8c1b2355 4138static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4139{
0139418c 4140 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4141 struct l2cap_chan *chan;
1da177e4 4142
0139418c 4143 if (!conn)
1da177e4 4144 return 0;
0139418c 4145
1da177e4
LT		 4146 BT_DBG("conn %p", conn);
4147
160dc6ac
VCG		 4148 if (hcon->type == LE_LINK) {
4149 smp_distribute_keys(conn, 0);
4150 del_timer(&conn->security_timer);
4151 }
4152
baa7e1fa 4153 read_lock(&conn->chan_lock);
1da177e4 4154
baa7e1fa 4155 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 4156 struct sock *sk = chan->sk;
baa7e1fa 4157
1da177e4
LT		 4158 bh_lock_sock(sk);
4159
f1cb9af5
VCG		 4160 BT_DBG("chan->scid %d", chan->scid);
4161
4162 if (chan->scid == L2CAP_CID_LE_DATA) {
4163 if (!status && encrypt) {
4164 chan->sec_level = hcon->sec_level;
4165 l2cap_chan_ready(sk);
4166 }
4167
4168 bh_unlock_sock(sk);
4169 continue;
4170 }
4171
c1360a1c 4172 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6a8d3010
MH		 4173 bh_unlock_sock(sk);
4174 continue;
4175 }
4176
89bc500e
GP		 4177 if (!status && (chan->state == BT_CONNECTED ||
4178 chan->state == BT_CONFIG)) {
4343478f 4179 l2cap_check_encryption(chan, encrypt);
9719f8af
MH		 4180 bh_unlock_sock(sk);
4181 continue;
4182 }
4183
89bc500e 4184 if (chan->state == BT_CONNECT) {
b1235d79
MH		 4185 if (!status) {
4186 struct l2cap_conn_req req;
fe4128e0
GP		 4187 req.scid = cpu_to_le16(chan->scid);
4188 req.psm = chan->psm;
1da177e4 4189
fc7f8a7e 4190 chan->ident = l2cap_get_ident(conn);
c1360a1c 4191 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4 4192
fc7f8a7e 4193 l2cap_send_cmd(conn, chan->ident,
b1235d79
MH		 4194 L2CAP_CONN_REQ, sizeof(req), &req);
4195 } else {
c9b66675
GP		 4196 __clear_chan_timer(chan);
4197 __set_chan_timer(chan, HZ / 10);
b1235d79 4198 }
89bc500e 4199 } else if (chan->state == BT_CONNECT2) {
b1235d79 4200 struct l2cap_conn_rsp rsp;
df3c3931 4201 __u16 res, stat;
1da177e4 4202
b1235d79 4203 if (!status) {
df3c3931
JH		 4204 if (bt_sk(sk)->defer_setup) {
4205 struct sock *parent = bt_sk(sk)->parent;
4206 res = L2CAP_CR_PEND;
4207 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 4208 if (parent)
4209 parent->sk_data_ready(parent, 0);
df3c3931 4210 } else {
05558911 4211 l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 4212 res = L2CAP_CR_SUCCESS;
4213 stat = L2CAP_CS_NO_INFO;
4214 }
b1235d79 4215 } else {
89bc500e 4216 l2cap_state_change(chan, BT_DISCONN);
c9b66675 4217 __set_chan_timer(chan, HZ / 10);
df3c3931
JH		 4218 res = L2CAP_CR_SEC_BLOCK;
4219 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 4220 }
4221
fe4128e0
GP		 4222 rsp.scid = cpu_to_le16(chan->dcid);
4223 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 4224 rsp.result = cpu_to_le16(res);
4225 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 4226 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4227 sizeof(rsp), &rsp);
b1235d79 4228 }
1da177e4
LT		 4229
4230 bh_unlock_sock(sk);
4231 }
4232
baa7e1fa 4233 read_unlock(&conn->chan_lock);
b1235d79 4234
1da177e4
LT		 4235 return 0;
4236}
4237
4238static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4239{
4240 struct l2cap_conn *conn = hcon->l2cap_data;
4241
5a08ecce
AE		 4242 if (!conn)
4243 conn = l2cap_conn_add(hcon, 0);
4244
4245 if (!conn)
1da177e4
LT		 4246 goto drop;
4247
4248 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4249
e702112f 4250 if (!(flags & ACL_CONT)) {
1da177e4 4251 struct l2cap_hdr *hdr;
48454079 4252 struct l2cap_chan *chan;
89794813 4253 u16 cid;
1da177e4
LT		 4254 int len;
4255
4256 if (conn->rx_len) {
4257 BT_ERR("Unexpected start frame (len %d)", skb->len);
4258 kfree_skb(conn->rx_skb);
4259 conn->rx_skb = NULL;
4260 conn->rx_len = 0;
4261 l2cap_conn_unreliable(conn, ECOMM);
4262 }
4263
aae7fe22
AE		 4264 /* Start fragment always begin with Basic L2CAP header */
4265 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 4266 BT_ERR("Frame is too short (len %d)", skb->len);
4267 l2cap_conn_unreliable(conn, ECOMM);
4268 goto drop;
4269 }
4270
4271 hdr = (struct l2cap_hdr *) skb->data;
4272 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
89794813 4273 cid = __le16_to_cpu(hdr->cid);
1da177e4
LT		 4274
4275 if (len == skb->len) {
4276 /* Complete frame received */
4277 l2cap_recv_frame(conn, skb);
4278 return 0;
4279 }
4280
4281 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4282
4283 if (skb->len > len) {
4284 BT_ERR("Frame is too long (len %d, expected len %d)",
4285 skb->len, len);
4286 l2cap_conn_unreliable(conn, ECOMM);
4287 goto drop;
4288 }
4289
baa7e1fa 4290 chan = l2cap_get_chan_by_scid(conn, cid);
89794813 4291
48454079
GP		 4292 if (chan && chan->sk) {
4293 struct sock *sk = chan->sk;
89794813 4294
0c1bc5c6 4295 if (chan->imtu < len - L2CAP_HDR_SIZE) {
48454079
GP		 4296 BT_ERR("Frame exceeding recv MTU (len %d, "
4297 "MTU %d)", len,
0c1bc5c6 4298 chan->imtu);
48454079
GP		 4299 bh_unlock_sock(sk);
4300 l2cap_conn_unreliable(conn, ECOMM);
4301 goto drop;
4302 }
89794813 4303 bh_unlock_sock(sk);
48454079 4304 }
89794813 4305
1da177e4 4306 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4307 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4308 if (!conn->rx_skb)
1da177e4
LT		 4309 goto drop;
4310
d626f62b 4311 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4312 skb->len);
1da177e4
LT		 4313 conn->rx_len = len - skb->len;
4314 } else {
4315 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4316
4317 if (!conn->rx_len) {
4318 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4319 l2cap_conn_unreliable(conn, ECOMM);
4320 goto drop;
4321 }
4322
4323 if (skb->len > conn->rx_len) {
4324 BT_ERR("Fragment is too long (len %d, expected %d)",
4325 skb->len, conn->rx_len);
4326 kfree_skb(conn->rx_skb);
4327 conn->rx_skb = NULL;
4328 conn->rx_len = 0;
4329 l2cap_conn_unreliable(conn, ECOMM);
4330 goto drop;
4331 }
4332
d626f62b 4333 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4334 skb->len);
1da177e4
LT		 4335 conn->rx_len -= skb->len;
4336
4337 if (!conn->rx_len) {
4338 /* Complete frame received */
4339 l2cap_recv_frame(conn, conn->rx_skb);
4340 conn->rx_skb = NULL;
4341 }
4342 }
4343
4344drop:
4345 kfree_skb(skb);
4346 return 0;
4347}
4348
aef7d97c 4349static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 4350{
23691d75 4351 struct l2cap_chan *c;
1da177e4 4352
23691d75 4353 read_lock_bh(&chan_list_lock);
1da177e4 4354
23691d75
GP		 4355 list_for_each_entry(c, &chan_list, global_l) {
4356 struct sock *sk = c->sk;
101545f6 4357
903d343e 4358 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 4359 batostr(&bt_sk(sk)->src),
4360 batostr(&bt_sk(sk)->dst),
89bc500e 4361 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 4362 c->scid, c->dcid, c->imtu, c->omtu,
4363 c->sec_level, c->mode);
05558911 4364}
1da177e4 4365
23691d75 4366 read_unlock_bh(&chan_list_lock);
1da177e4 4367
aef7d97c 4368 return 0;
1da177e4
LT		 4369}
4370
aef7d97c
MH		 4371static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4372{
4373 return single_open(file, l2cap_debugfs_show, inode->i_private);
4374}
4375
4376static const struct file_operations l2cap_debugfs_fops = {
4377 .open = l2cap_debugfs_open,
4378 .read = seq_read,
4379 .llseek = seq_lseek,
4380 .release = single_release,
4381};
4382
4383static struct dentry *l2cap_debugfs;
1da177e4 4384
1da177e4
LT		 4385static struct hci_proto l2cap_hci_proto = {
4386 .name = "L2CAP",
4387 .id = HCI_PROTO_L2CAP,
4388 .connect_ind = l2cap_connect_ind,
4389 .connect_cfm = l2cap_connect_cfm,
4390 .disconn_ind = l2cap_disconn_ind,
2950f21a 4391 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 4392 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 4393 .recv_acldata = l2cap_recv_acldata
4394};
4395
64274518 4396int __init l2cap_init(void)
1da177e4
LT		 4397{
4398 int err;
be9d1227 4399
bb58f747 4400 err = l2cap_init_sockets();
1da177e4
LT		 4401 if (err < 0)
4402 return err;
4403
1da177e4
LT		 4404 err = hci_register_proto(&l2cap_hci_proto);
4405 if (err < 0) {
4406 BT_ERR("L2CAP protocol registration failed");
4407 bt_sock_unregister(BTPROTO_L2CAP);
4408 goto error;
4409 }
4410
aef7d97c
MH		 4411 if (bt_debugfs) {
4412 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4413 bt_debugfs, NULL, &l2cap_debugfs_fops);
4414 if (!l2cap_debugfs)
4415 BT_ERR("Failed to create L2CAP debug file");
4416 }
1da177e4 4417
1da177e4
LT		 4418 return 0;
4419
4420error:
bb58f747 4421 l2cap_cleanup_sockets();
1da177e4
LT		 4422 return err;
4423}
4424
64274518 4425void l2cap_exit(void)
1da177e4 4426{
aef7d97c 4427 debugfs_remove(l2cap_debugfs);
1da177e4 4428
1da177e4
LT		 4429 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4430 BT_ERR("L2CAP protocol unregistration failed");
4431
bb58f747 4432 l2cap_cleanup_sockets();
1da177e4
LT		 4433}
4434
d1c4a17d
GP		 4435module_param(disable_ertm, bool, 0644);
4436MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
a5fd6f30
AE		 4437
4438module_param(enable_hs, bool, 0644);
4439MODULE_PARM_DESC(enable_hs, "Enable High Speed");
kernel source for telekom puls (alcatel/mediatek)