Bluetooth: Fix mgmt response when adapter goes down or is removed
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
1da177e4
LT
6
7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License version 2 as
11 published by the Free Software Foundation;
12
13 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
14 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
16 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH
17 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
18 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
19 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT
20 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21
8e87d142
YH
22 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
23 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT
24 SOFTWARE IS DISCLAIMED.
25*/
26
bb58f747 27/* Bluetooth L2CAP core. */
1da177e4 28
1da177e4
LT
29#include <linux/module.h>
30
31#include <linux/types.h>
4fc268d2 32#include <linux/capability.h>
1da177e4
LT
33#include <linux/errno.h>
34#include <linux/kernel.h>
1da177e4
LT
35#include <linux/sched.h>
36#include <linux/slab.h>
37#include <linux/poll.h>
38#include <linux/fcntl.h>
39#include <linux/init.h>
40#include <linux/interrupt.h>
41#include <linux/socket.h>
42#include <linux/skbuff.h>
1da177e4 43#include <linux/list.h>
be9d1227 44#include <linux/device.h>
aef7d97c
MH
45#include <linux/debugfs.h>
46#include <linux/seq_file.h>
af05b30b 47#include <linux/uaccess.h>
fcc203c3 48#include <linux/crc16.h>
1da177e4
LT
49#include <net/sock.h>
50
51#include <asm/system.h>
1da177e4
LT
52#include <asm/unaligned.h>
53
54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h>
b501d6a1 57#include <net/bluetooth/smp.h>
1da177e4 58
bb58f747 59int disable_ertm;
a5fd6f30 60int enable_hs;
f0709e03 61
47ec1dcd 62static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 63static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 64
b5ad8b7f
JB
65static LIST_HEAD(chan_list);
66static DEFINE_RWLOCK(chan_list_lock);
1da177e4 67
1da177e4
LT
68static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
69 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP
70static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
71 void *data);
710f9b0a 72static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a
GP
73static void l2cap_send_disconn_req(struct l2cap_conn *conn,
74 struct l2cap_chan *chan, int err);
1da177e4 75
218bb9df
GP
76static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
77
0139418c 78/* ---- L2CAP channels ---- */
71ba0e56
GP
79
80static inline void chan_hold(struct l2cap_chan *c)
81{
82 atomic_inc(&c->refcnt);
83}
84
85static inline void chan_put(struct l2cap_chan *c)
86{
87 if (atomic_dec_and_test(&c->refcnt))
88 kfree(c);
89}
90
baa7e1fa 91static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 92{
48454079 93 struct l2cap_chan *c;
baa7e1fa
GP
94
95 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 96 if (c->dcid == cid)
baa7e1fa 97 return c;
0139418c 98 }
baa7e1fa
GP
99 return NULL;
100
0139418c
MH
101}
102
baa7e1fa 103static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 104{
48454079 105 struct l2cap_chan *c;
baa7e1fa
GP
106
107 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 108 if (c->scid == cid)
baa7e1fa 109 return c;
0139418c 110 }
baa7e1fa 111 return NULL;
0139418c
MH
112}
113
114/* Find channel with given SCID.
115 * Returns locked socket */
baa7e1fa 116static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 117{
48454079 118 struct l2cap_chan *c;
baa7e1fa
GP
119
120 read_lock(&conn->chan_lock);
121 c = __l2cap_get_chan_by_scid(conn, cid);
48454079
GP
122 if (c)
123 bh_lock_sock(c->sk);
baa7e1fa 124 read_unlock(&conn->chan_lock);
48454079 125 return c;
0139418c
MH
126}
127
baa7e1fa 128static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 129{
48454079 130 struct l2cap_chan *c;
baa7e1fa
GP
131
132 list_for_each_entry(c, &conn->chan_l, list) {
fc7f8a7e 133 if (c->ident == ident)
baa7e1fa 134 return c;
0139418c 135 }
baa7e1fa 136 return NULL;
0139418c
MH
137}
138
baa7e1fa 139static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 140{
48454079 141 struct l2cap_chan *c;
baa7e1fa
GP
142
143 read_lock(&conn->chan_lock);
144 c = __l2cap_get_chan_by_ident(conn, ident);
48454079
GP
145 if (c)
146 bh_lock_sock(c->sk);
baa7e1fa 147 read_unlock(&conn->chan_lock);
48454079 148 return c;
0139418c
MH
149}
150
23691d75 151static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 152{
23691d75 153 struct l2cap_chan *c;
9e4425ff 154
23691d75
GP
155 list_for_each_entry(c, &chan_list, global_l) {
156 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
9e4425ff
GP
157 goto found;
158 }
159
23691d75 160 c = NULL;
9e4425ff 161found:
23691d75 162 return c;
9e4425ff
GP
163}
164
165int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
166{
73b2ec18
GP
167 int err;
168
23691d75 169 write_lock_bh(&chan_list_lock);
9e4425ff 170
23691d75 171 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP
172 err = -EADDRINUSE;
173 goto done;
9e4425ff
GP
174 }
175
73b2ec18
GP
176 if (psm) {
177 chan->psm = psm;
178 chan->sport = psm;
179 err = 0;
180 } else {
181 u16 p;
182
183 err = -EINVAL;
184 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 185 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP
186 chan->psm = cpu_to_le16(p);
187 chan->sport = cpu_to_le16(p);
188 err = 0;
189 break;
190 }
191 }
9e4425ff 192
73b2ec18 193done:
23691d75 194 write_unlock_bh(&chan_list_lock);
73b2ec18 195 return err;
9e4425ff
GP
196}
197
198int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
199{
23691d75 200 write_lock_bh(&chan_list_lock);
9e4425ff
GP
201
202 chan->scid = scid;
203
23691d75 204 write_unlock_bh(&chan_list_lock);
9e4425ff
GP
205
206 return 0;
207}
208
baa7e1fa 209static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 210{
8db4dc46 211 u16 cid = L2CAP_CID_DYN_START;
0139418c 212
8db4dc46 213 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 214 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH
215 return cid;
216 }
217
218 return 0;
219}
220
c9b66675 221static void l2cap_set_timer(struct l2cap_chan *chan, struct timer_list *timer, long timeout)
ab07801d 222{
457f4850 223 BT_DBG("chan %p state %d timeout %ld", chan, chan->state, timeout);
89bc500e 224
942ecc9c 225 if (!mod_timer(timer, jiffies + msecs_to_jiffies(timeout)))
774e5651 226 chan_hold(chan);
ab07801d
GP
227}
228
c9b66675 229static void l2cap_clear_timer(struct l2cap_chan *chan, struct timer_list *timer)
ab07801d 230{
774e5651 231 BT_DBG("chan %p state %d", chan, chan->state);
ab07801d 232
774e5651
MM
233 if (timer_pending(timer) && del_timer(timer))
234 chan_put(chan);
ab07801d
GP
235}
236
89bc500e
GP
237static void l2cap_state_change(struct l2cap_chan *chan, int state)
238{
239 chan->state = state;
240 chan->ops->state_change(chan->data, state);
241}
242
ab07801d
GP
243static void l2cap_chan_timeout(unsigned long arg)
244{
245 struct l2cap_chan *chan = (struct l2cap_chan *) arg;
246 struct sock *sk = chan->sk;
247 int reason;
248
89bc500e 249 BT_DBG("chan %p state %d", chan, chan->state);
ab07801d
GP
250
251 bh_lock_sock(sk);
252
253 if (sock_owned_by_user(sk)) {
254 /* sk is owned by user. Try again later */
c9b66675 255 __set_chan_timer(chan, HZ / 5);
ab07801d 256 bh_unlock_sock(sk);
71ba0e56 257 chan_put(chan);
ab07801d
GP
258 return;
259 }
260
89bc500e 261 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 262 reason = ECONNREFUSED;
89bc500e 263 else if (chan->state == BT_CONNECT &&
ab07801d
GP
264 chan->sec_level != BT_SECURITY_SDP)
265 reason = ECONNREFUSED;
266 else
267 reason = ETIMEDOUT;
268
0f852724 269 l2cap_chan_close(chan, reason);
ab07801d
GP
270
271 bh_unlock_sock(sk);
272
ba3bd0ee 273 chan->ops->close(chan->data);
71ba0e56 274 chan_put(chan);
ab07801d
GP
275}
276
23691d75 277struct l2cap_chan *l2cap_chan_create(struct sock *sk)
48454079
GP
278{
279 struct l2cap_chan *chan;
280
281 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
282 if (!chan)
283 return NULL;
284
285 chan->sk = sk;
286
23691d75
GP
287 write_lock_bh(&chan_list_lock);
288 list_add(&chan->global_l, &chan_list);
289 write_unlock_bh(&chan_list_lock);
290
ab07801d
GP
291 setup_timer(&chan->chan_timer, l2cap_chan_timeout, (unsigned long) chan);
292
89bc500e
GP
293 chan->state = BT_OPEN;
294
71ba0e56
GP
295 atomic_set(&chan->refcnt, 1);
296
48454079
GP
297 return chan;
298}
299
23691d75 300void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 301{
23691d75
GP
302 write_lock_bh(&chan_list_lock);
303 list_del(&chan->global_l);
304 write_unlock_bh(&chan_list_lock);
305
71ba0e56 306 chan_put(chan);
6ff5abbf
GP
307}
308
48454079 309static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 310{
af05b30b 311 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
fe4128e0 312 chan->psm, chan->dcid);
0139418c 313
2950f21a
MH
314 conn->disc_reason = 0x13;
315
8c1d787b 316 chan->conn = conn;
0139418c 317
715ec005 318 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
b62f328b
VT
319 if (conn->hcon->type == LE_LINK) {
320 /* LE connection */
0c1bc5c6 321 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP
322 chan->scid = L2CAP_CID_LE_DATA;
323 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT
324 } else {
325 /* Alloc CID for connection-oriented socket */
fe4128e0 326 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 327 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 328 }
715ec005 329 } else if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
0139418c 330 /* Connectionless socket */
fe4128e0
GP
331 chan->scid = L2CAP_CID_CONN_LESS;
332 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 333 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH
334 } else {
335 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP
336 chan->scid = L2CAP_CID_SIGNALING;
337 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 338 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH
339 }
340
8f7975b1
AE
341 chan->local_id = L2CAP_BESTEFFORT_ID;
342 chan->local_stype = L2CAP_SERV_BESTEFFORT;
343 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
344 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
345 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
346 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
347
71ba0e56 348 chan_hold(chan);
baa7e1fa
GP
349
350 list_add(&chan->list, &conn->chan_l);
0139418c
MH
351}
352
8e87d142 353/* Delete channel.
0139418c 354 * Must be called on the locked socket. */
4519de9a 355static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 356{
48454079 357 struct sock *sk = chan->sk;
8c1d787b 358 struct l2cap_conn *conn = chan->conn;
0139418c
MH
359 struct sock *parent = bt_sk(sk)->parent;
360
c9b66675 361 __clear_chan_timer(chan);
0139418c 362
49208c9c 363 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 364
8e87d142 365 if (conn) {
baa7e1fa
GP
366 /* Delete from channel list */
367 write_lock_bh(&conn->chan_lock);
368 list_del(&chan->list);
369 write_unlock_bh(&conn->chan_lock);
71ba0e56 370 chan_put(chan);
baa7e1fa 371
8c1d787b 372 chan->conn = NULL;
0139418c
MH
373 hci_conn_put(conn->hcon);
374 }
375
89bc500e 376 l2cap_state_change(chan, BT_CLOSED);
0139418c
MH
377 sock_set_flag(sk, SOCK_ZAPPED);
378
379 if (err)
380 sk->sk_err = err;
381
382 if (parent) {
383 bt_accept_unlink(sk);
384 parent->sk_data_ready(parent, 0);
385 } else
386 sk->sk_state_change(sk);
c13ffa62 387
c1360a1c
GP
388 if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
389 test_bit(CONF_INPUT_DONE, &chan->conf_state)))
6ff5abbf 390 return;
2ead70b8 391
58d35f87 392 skb_queue_purge(&chan->tx_q);
c13ffa62 393
0c1bc5c6 394 if (chan->mode == L2CAP_MODE_ERTM) {
c13ffa62
GP
395 struct srej_list *l, *tmp;
396
1a09bcb9
GP
397 __clear_retrans_timer(chan);
398 __clear_monitor_timer(chan);
399 __clear_ack_timer(chan);
c13ffa62 400
f1c6775b 401 skb_queue_purge(&chan->srej_q);
c13ffa62 402
39d5a3ee 403 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
c13ffa62
GP
404 list_del(&l->list);
405 kfree(l);
406 }
407 }
0139418c
MH
408}
409
4519de9a
GP
410static void l2cap_chan_cleanup_listen(struct sock *parent)
411{
412 struct sock *sk;
413
414 BT_DBG("parent %p", parent);
415
416 /* Close not yet accepted channels */
0f852724 417 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee 418 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
c9b66675 419 __clear_chan_timer(chan);
0f852724 420 lock_sock(sk);
ba3bd0ee 421 l2cap_chan_close(chan, ECONNRESET);
0f852724 422 release_sock(sk);
ba3bd0ee 423 chan->ops->close(chan->data);
0f852724 424 }
4519de9a
GP
425}
426
0f852724 427void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP
428{
429 struct l2cap_conn *conn = chan->conn;
430 struct sock *sk = chan->sk;
431
89bc500e 432 BT_DBG("chan %p state %d socket %p", chan, chan->state, sk->sk_socket);
4519de9a 433
89bc500e 434 switch (chan->state) {
4519de9a
GP
435 case BT_LISTEN:
436 l2cap_chan_cleanup_listen(sk);
89bc500e
GP
437
438 l2cap_state_change(chan, BT_CLOSED);
439 sock_set_flag(sk, SOCK_ZAPPED);
4519de9a
GP
440 break;
441
442 case BT_CONNECTED:
443 case BT_CONFIG:
715ec005 444 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 445 conn->hcon->type == ACL_LINK) {
c9b66675
GP
446 __clear_chan_timer(chan);
447 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP
448 l2cap_send_disconn_req(conn, chan, reason);
449 } else
450 l2cap_chan_del(chan, reason);
451 break;
452
453 case BT_CONNECT2:
715ec005 454 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP
455 conn->hcon->type == ACL_LINK) {
456 struct l2cap_conn_rsp rsp;
457 __u16 result;
458
459 if (bt_sk(sk)->defer_setup)
460 result = L2CAP_CR_SEC_BLOCK;
461 else
462 result = L2CAP_CR_BAD_PSM;
89bc500e 463 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP
464
465 rsp.scid = cpu_to_le16(chan->dcid);
466 rsp.dcid = cpu_to_le16(chan->scid);
467 rsp.result = cpu_to_le16(result);
468 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
469 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
470 sizeof(rsp), &rsp);
471 }
472
473 l2cap_chan_del(chan, reason);
474 break;
475
476 case BT_CONNECT:
477 case BT_DISCONN:
478 l2cap_chan_del(chan, reason);
479 break;
480
481 default:
482 sock_set_flag(sk, SOCK_ZAPPED);
483 break;
484 }
485}
486
4343478f 487static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 488{
715ec005 489 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 490 switch (chan->sec_level) {
8556edd3
JH
491 case BT_SECURITY_HIGH:
492 return HCI_AT_DEDICATED_BONDING_MITM;
493 case BT_SECURITY_MEDIUM:
494 return HCI_AT_DEDICATED_BONDING;
495 default:
496 return HCI_AT_NO_BONDING;
497 }
fe4128e0 498 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP
499 if (chan->sec_level == BT_SECURITY_LOW)
500 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 501
4343478f 502 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 503 return HCI_AT_NO_BONDING_MITM;
00ae4af9 504 else
8556edd3 505 return HCI_AT_NO_BONDING;
00ae4af9 506 } else {
4343478f 507 switch (chan->sec_level) {
00ae4af9 508 case BT_SECURITY_HIGH:
8556edd3 509 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 510 case BT_SECURITY_MEDIUM:
8556edd3 511 return HCI_AT_GENERAL_BONDING;
00ae4af9 512 default:
8556edd3 513 return HCI_AT_NO_BONDING;
00ae4af9 514 }
0684e5f9 515 }
8556edd3
JH
516}
517
518/* Service level security */
4343478f 519static inline int l2cap_check_security(struct l2cap_chan *chan)
8556edd3 520{
8c1d787b 521 struct l2cap_conn *conn = chan->conn;
8556edd3
JH
522 __u8 auth_type;
523
4343478f 524 auth_type = l2cap_get_auth_type(chan);
79d554a6 525
4343478f 526 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH
527}
528
b5ad8b7f 529static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH
530{
531 u8 id;
532
533 /* Get next available identificator.
534 * 1 - 128 are used by kernel.
535 * 129 - 199 are reserved.
536 * 200 - 254 are used by utilities like l2ping, etc.
537 */
538
539 spin_lock_bh(&conn->lock);
540
541 if (++conn->tx_ident > 128)
542 conn->tx_ident = 1;
543
544 id = conn->tx_ident;
545
546 spin_unlock_bh(&conn->lock);
547
548 return id;
549}
550
4519de9a 551static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH
552{
553 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 554 u8 flags;
4e8402a3
MH
555
556 BT_DBG("code 0x%2.2x", code);
557
558 if (!skb)
9a9c6a34 559 return;
4e8402a3 560
e702112f
AE
561 if (lmp_no_flush_capable(conn->hcon->hdev))
562 flags = ACL_START_NO_FLUSH;
563 else
564 flags = ACL_START;
565
14b12d0b 566 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 567 skb->priority = HCI_PRIO_MAX;
14b12d0b 568
73d80deb
LAD
569 hci_send_acl(conn->hchan, skb, flags);
570}
571
572static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
573{
574 struct hci_conn *hcon = chan->conn->hcon;
575 u16 flags;
576
577 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
578 skb->priority);
579
580 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
581 lmp_no_flush_capable(hcon->hdev))
582 flags = ACL_START_NO_FLUSH;
583 else
584 flags = ACL_START;
585
586 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
587 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH
588}
589
88843ab0 590static inline void l2cap_send_sframe(struct l2cap_chan *chan, u32 control)
1c2acffb
GP
591{
592 struct sk_buff *skb;
593 struct l2cap_hdr *lh;
8c1d787b 594 struct l2cap_conn *conn = chan->conn;
e4ca6d98 595 int count, hlen;
fcc203c3 596
89bc500e 597 if (chan->state != BT_CONNECTED)
c13ffa62
GP
598 return;
599
e4ca6d98
AE
600 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
601 hlen = L2CAP_EXT_HDR_SIZE;
602 else
603 hlen = L2CAP_ENH_HDR_SIZE;
604
47d1ec61 605 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 606 hlen += L2CAP_FCS_SIZE;
1c2acffb 607
88843ab0 608 BT_DBG("chan %p, control 0x%8.8x", chan, control);
1c2acffb 609
fcc203c3 610 count = min_t(unsigned int, conn->mtu, hlen);
793c2f1c
AE
611
612 control |= __set_sframe(chan);
1c2acffb 613
e2ab4353 614 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 615 control |= __set_ctrl_final(chan);
9e917af1 616
e2ab4353 617 if (test_and_clear_bit(CONN_SEND_PBIT, &chan->conn_state))
e3781735 618 control |= __set_ctrl_poll(chan);
f0946ccf 619
1c2acffb
GP
620 skb = bt_skb_alloc(count, GFP_ATOMIC);
621 if (!skb)
9a9c6a34 622 return;
1c2acffb
GP
623
624 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 625 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
fe4128e0 626 lh->cid = cpu_to_le16(chan->dcid);
88843ab0
AE
627
628 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
1c2acffb 629
47d1ec61 630 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE
631 u16 fcs = crc16(0, (u8 *)lh, count - L2CAP_FCS_SIZE);
632 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP
633 }
634
73d80deb
LAD
635 skb->priority = HCI_PRIO_MAX;
636 l2cap_do_send(chan, skb);
1c2acffb
GP
637}
638
88843ab0 639static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u32 control)
7e743090 640{
e2ab4353 641 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 642 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 643 set_bit(CONN_RNR_SENT, &chan->conn_state);
1890d36b 644 } else
ab784b73 645 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
7e743090 646
0b209fae 647 control |= __set_reqseq(chan, chan->buffer_seq);
2ab25cdd 648
525cd185 649 l2cap_send_sframe(chan, control);
7e743090
GP
650}
651
b4450035 652static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 653{
c1360a1c 654 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE
655}
656
fc7f8a7e 657static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 658{
8c1d787b 659 struct l2cap_conn *conn = chan->conn;
79d554a6
MH
660
661 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH
662 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
663 return;
664
4343478f
GP
665 if (l2cap_check_security(chan) &&
666 __l2cap_no_conn_pending(chan)) {
b1235d79 667 struct l2cap_conn_req req;
fe4128e0
GP
668 req.scid = cpu_to_le16(chan->scid);
669 req.psm = chan->psm;
79d554a6 670
fc7f8a7e 671 chan->ident = l2cap_get_ident(conn);
c1360a1c 672 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
79d554a6 673
fc7f8a7e
GP
674 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
675 sizeof(req), &req);
b1235d79 676 }
79d554a6
MH
677 } else {
678 struct l2cap_info_req req;
679 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
680
681 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
682 conn->info_ident = l2cap_get_ident(conn);
683
684 mod_timer(&conn->info_timer, jiffies +
685 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
686
687 l2cap_send_cmd(conn, conn->info_ident,
688 L2CAP_INFO_REQ, sizeof(req), &req);
689 }
690}
691
cf6c2c0b
GP
692static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
693{
694 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 695 if (!disable_ertm)
cf6c2c0b
GP
696 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
697
698 switch (mode) {
699 case L2CAP_MODE_ERTM:
700 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
701 case L2CAP_MODE_STREAMING:
702 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
703 default:
704 return 0x00;
705 }
706}
707
4519de9a 708static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 709{
e92c8e70 710 struct sock *sk;
22121fc9
GP
711 struct l2cap_disconn_req req;
712
c13ffa62
GP
713 if (!conn)
714 return;
715
e92c8e70
GP
716 sk = chan->sk;
717
0c1bc5c6 718 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP
719 __clear_retrans_timer(chan);
720 __clear_monitor_timer(chan);
721 __clear_ack_timer(chan);
c13ffa62
GP
722 }
723
fe4128e0
GP
724 req.dcid = cpu_to_le16(chan->dcid);
725 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP
726 l2cap_send_cmd(conn, l2cap_get_ident(conn),
727 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 728
89bc500e 729 l2cap_state_change(chan, BT_DISCONN);
9b108fc0 730 sk->sk_err = err;
22121fc9
GP
731}
732
1da177e4 733/* ---- L2CAP connections ---- */
4e8402a3
MH
734static void l2cap_conn_start(struct l2cap_conn *conn)
735{
820ffdb3 736 struct l2cap_chan *chan, *tmp;
4e8402a3
MH
737
738 BT_DBG("conn %p", conn);
739
baa7e1fa 740 read_lock(&conn->chan_lock);
4e8402a3 741
820ffdb3 742 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 743 struct sock *sk = chan->sk;
baa7e1fa 744
4e8402a3
MH
745 bh_lock_sock(sk);
746
715ec005 747 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
79d554a6
MH
748 bh_unlock_sock(sk);
749 continue;
750 }
751
89bc500e 752 if (chan->state == BT_CONNECT) {
47731de7 753 struct l2cap_conn_req req;
79d554a6 754
4343478f 755 if (!l2cap_check_security(chan) ||
b4450035 756 !__l2cap_no_conn_pending(chan)) {
47731de7
GP
757 bh_unlock_sock(sk);
758 continue;
759 }
79d554a6 760
c1360a1c
GP
761 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
762 && test_bit(CONF_STATE2_DEVICE,
763 &chan->conf_state)) {
0f852724 764 /* l2cap_chan_close() calls list_del(chan)
820ffdb3 765 * so release the lock */
2461daac 766 read_unlock(&conn->chan_lock);
89bc500e 767 l2cap_chan_close(chan, ECONNRESET);
2461daac 768 read_lock(&conn->chan_lock);
47731de7
GP
769 bh_unlock_sock(sk);
770 continue;
b1235d79 771 }
47731de7 772
fe4128e0
GP
773 req.scid = cpu_to_le16(chan->scid);
774 req.psm = chan->psm;
47731de7 775
fc7f8a7e 776 chan->ident = l2cap_get_ident(conn);
c1360a1c 777 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
47731de7 778
fc7f8a7e
GP
779 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
780 sizeof(req), &req);
47731de7 781
89bc500e 782 } else if (chan->state == BT_CONNECT2) {
79d554a6 783 struct l2cap_conn_rsp rsp;
e9aeb2dd 784 char buf[128];
fe4128e0
GP
785 rsp.scid = cpu_to_le16(chan->dcid);
786 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 787
4343478f 788 if (l2cap_check_security(chan)) {
f66dc81f
MH
789 if (bt_sk(sk)->defer_setup) {
790 struct sock *parent = bt_sk(sk)->parent;
791 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
792 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK
793 if (parent)
794 parent->sk_data_ready(parent, 0);
f66dc81f
MH
795
796 } else {
89bc500e 797 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH
798 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
799 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
800 }
79d554a6
MH
801 } else {
802 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
803 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
804 }
805
fc7f8a7e
GP
806 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
807 sizeof(rsp), &rsp);
e9aeb2dd 808
c1360a1c 809 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd
GP
810 rsp.result != L2CAP_CR_SUCCESS) {
811 bh_unlock_sock(sk);
812 continue;
813 }
814
c1360a1c 815 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 816 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP
817 l2cap_build_conf_req(chan, buf), buf);
818 chan->num_conf_req++;
4e8402a3
MH
819 }
820
821 bh_unlock_sock(sk);
822 }
823
baa7e1fa 824 read_unlock(&conn->chan_lock);
4e8402a3
MH
825}
826
b62f328b
VT
827/* Find socket with cid and source bdaddr.
828 * Returns closest match, locked.
829 */
23691d75 830static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
b62f328b 831{
23691d75 832 struct l2cap_chan *c, *c1 = NULL;
b62f328b 833
23691d75 834 read_lock(&chan_list_lock);
b62f328b 835
23691d75
GP
836 list_for_each_entry(c, &chan_list, global_l) {
837 struct sock *sk = c->sk;
fe4128e0 838
89bc500e 839 if (state && c->state != state)
b62f328b
VT
840 continue;
841
23691d75 842 if (c->scid == cid) {
b62f328b 843 /* Exact match. */
23691d75
GP
844 if (!bacmp(&bt_sk(sk)->src, src)) {
845 read_unlock(&chan_list_lock);
846 return c;
847 }
b62f328b
VT
848
849 /* Closest match */
850 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 851 c1 = c;
b62f328b
VT
852 }
853 }
280f294f 854
23691d75 855 read_unlock(&chan_list_lock);
b62f328b 856
23691d75 857 return c1;
b62f328b
VT
858}
859
860static void l2cap_le_conn_ready(struct l2cap_conn *conn)
861{
c916fbe4 862 struct sock *parent, *sk;
23691d75 863 struct l2cap_chan *chan, *pchan;
b62f328b
VT
864
865 BT_DBG("");
866
867 /* Check if we have socket listening on cid */
23691d75 868 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
b62f328b 869 conn->src);
23691d75 870 if (!pchan)
b62f328b
VT
871 return;
872
23691d75
GP
873 parent = pchan->sk;
874
62f3a2cf
GP
875 bh_lock_sock(parent);
876
b62f328b
VT
877 /* Check for backlog size */
878 if (sk_acceptq_is_full(parent)) {
879 BT_DBG("backlog full %d", parent->sk_ack_backlog);
880 goto clean;
881 }
882
80808e43
GP
883 chan = pchan->ops->new_connection(pchan->data);
884 if (!chan)
b62f328b
VT
885 goto clean;
886
80808e43 887 sk = chan->sk;
5d41ce1d 888
baa7e1fa 889 write_lock_bh(&conn->chan_lock);
b62f328b
VT
890
891 hci_conn_hold(conn->hcon);
892
b62f328b
VT
893 bacpy(&bt_sk(sk)->src, conn->src);
894 bacpy(&bt_sk(sk)->dst, conn->dst);
895
d1010240
GP
896 bt_accept_enqueue(parent, sk);
897
48454079
GP
898 __l2cap_chan_add(conn, chan);
899
c9b66675 900 __set_chan_timer(chan, sk->sk_sndtimeo);
b62f328b 901
89bc500e 902 l2cap_state_change(chan, BT_CONNECTED);
b62f328b
VT
903 parent->sk_data_ready(parent, 0);
904
baa7e1fa 905 write_unlock_bh(&conn->chan_lock);
b62f328b
VT
906
907clean:
908 bh_unlock_sock(parent);
909}
910
f1cb9af5
VCG
911static void l2cap_chan_ready(struct sock *sk)
912{
913 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
914 struct sock *parent = bt_sk(sk)->parent;
915
916 BT_DBG("sk %p, parent %p", sk, parent);
917
918 chan->conf_state = 0;
919 __clear_chan_timer(chan);
920
43f3dc41 921 l2cap_state_change(chan, BT_CONNECTED);
f1cb9af5
VCG
922 sk->sk_state_change(sk);
923
924 if (parent)
925 parent->sk_data_ready(parent, 0);
926}
927
4e8402a3
MH
928static void l2cap_conn_ready(struct l2cap_conn *conn)
929{
48454079 930 struct l2cap_chan *chan;
4e8402a3 931
79d554a6 932 BT_DBG("conn %p", conn);
4e8402a3 933
b62f328b
VT
934 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
935 l2cap_le_conn_ready(conn);
936
160dc6ac
VCG
937 if (conn->hcon->out && conn->hcon->type == LE_LINK)
938 smp_conn_security(conn, conn->hcon->pending_sec_level);
939
baa7e1fa 940 read_lock(&conn->chan_lock);
4e8402a3 941
baa7e1fa 942 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 943 struct sock *sk = chan->sk;
baa7e1fa 944
79d554a6 945 bh_lock_sock(sk);
4e8402a3 946
63128451 947 if (conn->hcon->type == LE_LINK) {
b501d6a1 948 if (smp_conn_security(conn, chan->sec_level))
f1cb9af5 949 l2cap_chan_ready(sk);
acd7d370 950
63128451 951 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 952 __clear_chan_timer(chan);
89bc500e 953 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 954 sk->sk_state_change(sk);
b501d6a1 955
89bc500e 956 } else if (chan->state == BT_CONNECT)
fc7f8a7e 957 l2cap_do_start(chan);
4e8402a3 958
79d554a6 959 bh_unlock_sock(sk);
4e8402a3 960 }
79d554a6 961
baa7e1fa 962 read_unlock(&conn->chan_lock);
4e8402a3
MH
963}
964
965/* Notify sockets that we cannot guaranty reliability anymore */
966static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
967{
48454079 968 struct l2cap_chan *chan;
4e8402a3
MH
969
970 BT_DBG("conn %p", conn);
971
baa7e1fa 972 read_lock(&conn->chan_lock);
4e8402a3 973
baa7e1fa 974 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 975 struct sock *sk = chan->sk;
baa7e1fa 976
ecf61bdb 977 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
4e8402a3
MH
978 sk->sk_err = err;
979 }
980
baa7e1fa 981 read_unlock(&conn->chan_lock);
4e8402a3
MH
982}
983
984static void l2cap_info_timeout(unsigned long arg)
985{
986 struct l2cap_conn *conn = (void *) arg;
987
984947dc 988 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 989 conn->info_ident = 0;
984947dc 990
4e8402a3
MH
991 l2cap_conn_start(conn);
992}
993
5d3de7df
VCG
994static void l2cap_conn_del(struct hci_conn *hcon, int err)
995{
996 struct l2cap_conn *conn = hcon->l2cap_data;
997 struct l2cap_chan *chan, *l;
998 struct sock *sk;
999
1000 if (!conn)
1001 return;
1002
1003 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1004
1005 kfree_skb(conn->rx_skb);
1006
1007 /* Kill channels */
1008 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1009 sk = chan->sk;
1010 bh_lock_sock(sk);
1011 l2cap_chan_del(chan, err);
1012 bh_unlock_sock(sk);
1013 chan->ops->close(chan->data);
1014 }
1015
73d80deb
LAD
1016 hci_chan_del(conn->hchan);
1017
5d3de7df
VCG
1018 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1019 del_timer_sync(&conn->info_timer);
1020
d26a2345 1021 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->pend)) {
5d3de7df 1022 del_timer(&conn->security_timer);
8aab4757 1023 smp_chan_destroy(conn);
d26a2345 1024 }
5d3de7df
VCG
1025
1026 hcon->l2cap_data = NULL;
1027 kfree(conn);
1028}
1029
1030static void security_timeout(unsigned long arg)
1031{
1032 struct l2cap_conn *conn = (void *) arg;
1033
1034 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1035}
1036
1da177e4
LT
1037static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1038{
0139418c 1039 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1040 struct hci_chan *hchan;
1da177e4 1041
0139418c 1042 if (conn || status)
1da177e4
LT
1043 return conn;
1044
73d80deb
LAD
1045 hchan = hci_chan_create(hcon);
1046 if (!hchan)
1047 return NULL;
1048
0139418c 1049 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
73d80deb
LAD
1050 if (!conn) {
1051 hci_chan_del(hchan);
1da177e4 1052 return NULL;
73d80deb 1053 }
1da177e4
LT
1054
1055 hcon->l2cap_data = conn;
1056 conn->hcon = hcon;
73d80deb 1057 conn->hchan = hchan;
1da177e4 1058
73d80deb 1059 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1060
acd7d370
VT
1061 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1062 conn->mtu = hcon->hdev->le_mtu;
1063 else
1064 conn->mtu = hcon->hdev->acl_mtu;
1065
1da177e4
LT
1066 conn->src = &hcon->hdev->bdaddr;
1067 conn->dst = &hcon->dst;
1068
4e8402a3
MH
1069 conn->feat_mask = 0;
1070
1da177e4 1071 spin_lock_init(&conn->lock);
baa7e1fa
GP
1072 rwlock_init(&conn->chan_lock);
1073
1074 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1075
5d3de7df
VCG
1076 if (hcon->type == LE_LINK)
1077 setup_timer(&conn->security_timer, security_timeout,
1078 (unsigned long) conn);
1079 else
b62f328b 1080 setup_timer(&conn->info_timer, l2cap_info_timeout,
45054dc1
DY
1081 (unsigned long) conn);
1082
2950f21a
MH
1083 conn->disc_reason = 0x13;
1084
1da177e4
LT
1085 return conn;
1086}
1087
48454079 1088static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
1da177e4 1089{
baa7e1fa 1090 write_lock_bh(&conn->chan_lock);
48454079 1091 __l2cap_chan_add(conn, chan);
baa7e1fa 1092 write_unlock_bh(&conn->chan_lock);
1da177e4
LT
1093}
1094
1da177e4 1095/* ---- Socket interface ---- */
1da177e4
LT
1096
1097/* Find socket with psm and source bdaddr.
1098 * Returns closest match.
1099 */
23691d75 1100static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4 1101{
23691d75 1102 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1103
23691d75 1104 read_lock(&chan_list_lock);
e0f0cb56 1105
23691d75
GP
1106 list_for_each_entry(c, &chan_list, global_l) {
1107 struct sock *sk = c->sk;
fe4128e0 1108
89bc500e 1109 if (state && c->state != state)
1da177e4
LT
1110 continue;
1111
23691d75 1112 if (c->psm == psm) {
1da177e4 1113 /* Exact match. */
23691d75 1114 if (!bacmp(&bt_sk(sk)->src, src)) {
a7567b20 1115 read_unlock(&chan_list_lock);
23691d75
GP
1116 return c;
1117 }
1da177e4
LT
1118
1119 /* Closest match */
1120 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 1121 c1 = c;
1da177e4
LT
1122 }
1123 }
1da177e4 1124
23691d75 1125 read_unlock(&chan_list_lock);
e0f0cb56 1126
23691d75 1127 return c1;
1da177e4
LT
1128}
1129
77a74c7e 1130int l2cap_chan_connect(struct l2cap_chan *chan)
1da177e4 1131{
5d41ce1d 1132 struct sock *sk = chan->sk;
1da177e4
LT
1133 bdaddr_t *src = &bt_sk(sk)->src;
1134 bdaddr_t *dst = &bt_sk(sk)->dst;
1135 struct l2cap_conn *conn;
1136 struct hci_conn *hcon;
1137 struct hci_dev *hdev;
09ab6f4c 1138 __u8 auth_type;
44d0e48e 1139 int err;
1da177e4 1140
f29972de 1141 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
fe4128e0 1142 chan->psm);
1da177e4 1143
af05b30b
GP
1144 hdev = hci_get_route(dst, src);
1145 if (!hdev)
1da177e4
LT
1146 return -EHOSTUNREACH;
1147
1148 hci_dev_lock_bh(hdev);
1149
4343478f 1150 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1151
fe4128e0 1152 if (chan->dcid == L2CAP_CID_LE_DATA)
acd7d370 1153 hcon = hci_connect(hdev, LE_LINK, dst,
4343478f 1154 chan->sec_level, auth_type);
acd7d370
VT
1155 else
1156 hcon = hci_connect(hdev, ACL_LINK, dst,
4343478f 1157 chan->sec_level, auth_type);
acd7d370 1158
30e76272
VT
1159 if (IS_ERR(hcon)) {
1160 err = PTR_ERR(hcon);
1da177e4 1161 goto done;
30e76272 1162 }
1da177e4
LT
1163
1164 conn = l2cap_conn_add(hcon, 0);
1165 if (!conn) {
1166 hci_conn_put(hcon);
30e76272 1167 err = -ENOMEM;
1da177e4
LT
1168 goto done;
1169 }
1170
1da177e4
LT
1171 /* Update source addr of the socket */
1172 bacpy(src, conn->src);
1173
48454079
GP
1174 l2cap_chan_add(conn, chan);
1175
89bc500e 1176 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1177 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT
1178
1179 if (hcon->state == BT_CONNECTED) {
715ec005 1180 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1181 __clear_chan_timer(chan);
4343478f 1182 if (l2cap_check_security(chan))
89bc500e 1183 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1184 } else
fc7f8a7e 1185 l2cap_do_start(chan);
1da177e4
LT
1186 }
1187
30e76272
VT
1188 err = 0;
1189
1da177e4
LT
1190done:
1191 hci_dev_unlock_bh(hdev);
1192 hci_dev_put(hdev);
1193 return err;
1194}
1195
dcba0dba 1196int __l2cap_wait_ack(struct sock *sk)
6161c038 1197{
8c1d787b 1198 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP
1199 DECLARE_WAITQUEUE(wait, current);
1200 int err = 0;
1201 int timeo = HZ/5;
1202
2b0b05dd 1203 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH
1204 set_current_state(TASK_INTERRUPTIBLE);
1205 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP
1206 if (!timeo)
1207 timeo = HZ/5;
1208
1209 if (signal_pending(current)) {
1210 err = sock_intr_errno(timeo);
1211 break;
1212 }
1213
1214 release_sock(sk);
1215 timeo = schedule_timeout(timeo);
1216 lock_sock(sk);
a71a0cf4 1217 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP
1218
1219 err = sock_error(sk);
1220 if (err)
1221 break;
1222 }
1223 set_current_state(TASK_RUNNING);
2b0b05dd 1224 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP
1225 return err;
1226}
1227
e90bac06
GP
1228static void l2cap_monitor_timeout(unsigned long arg)
1229{
525cd185
GP
1230 struct l2cap_chan *chan = (void *) arg;
1231 struct sock *sk = chan->sk;
e90bac06 1232
525cd185 1233 BT_DBG("chan %p", chan);
0e98958d 1234
e686219a 1235 bh_lock_sock(sk);
2c03a7a4 1236 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1237 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
b13f5860 1238 bh_unlock_sock(sk);
e90bac06
GP
1239 return;
1240 }
1241
6a026610 1242 chan->retry_count++;
1a09bcb9 1243 __set_monitor_timer(chan);
e90bac06 1244
525cd185 1245 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1246 bh_unlock_sock(sk);
e90bac06
GP
1247}
1248
1249static void l2cap_retrans_timeout(unsigned long arg)
1250{
525cd185
GP
1251 struct l2cap_chan *chan = (void *) arg;
1252 struct sock *sk = chan->sk;
e90bac06 1253
49208c9c 1254 BT_DBG("chan %p", chan);
0e98958d 1255
e686219a 1256 bh_lock_sock(sk);
6a026610 1257 chan->retry_count = 1;
1a09bcb9 1258 __set_monitor_timer(chan);
e90bac06 1259
e2ab4353 1260 set_bit(CONN_WAIT_F, &chan->conn_state);
e90bac06 1261
525cd185 1262 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1263 bh_unlock_sock(sk);
e90bac06
GP
1264}
1265
42e5c802 1266static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1da177e4 1267{
1c2acffb 1268 struct sk_buff *skb;
1da177e4 1269
58d35f87 1270 while ((skb = skb_peek(&chan->tx_q)) &&
6a026610 1271 chan->unacked_frames) {
42e5c802 1272 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1c2acffb 1273 break;
1da177e4 1274
58d35f87 1275 skb = skb_dequeue(&chan->tx_q);
1c2acffb 1276 kfree_skb(skb);
1da177e4 1277
6a026610 1278 chan->unacked_frames--;
1c2acffb 1279 }
1da177e4 1280
6a026610 1281 if (!chan->unacked_frames)
1a09bcb9 1282 __clear_retrans_timer(chan);
1c2acffb 1283}
1da177e4 1284
67c9e840 1285static void l2cap_streaming_send(struct l2cap_chan *chan)
6840ed07 1286{
ccbb84af 1287 struct sk_buff *skb;
88843ab0
AE
1288 u32 control;
1289 u16 fcs;
6840ed07 1290
58d35f87 1291 while ((skb = skb_dequeue(&chan->tx_q))) {
88843ab0 1292 control = __get_control(chan, skb->data + L2CAP_HDR_SIZE);
fb45de7d 1293 control |= __set_txseq(chan, chan->next_tx_seq);
88843ab0 1294 __put_control(chan, control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1295
47d1ec61 1296 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE
1297 fcs = crc16(0, (u8 *)skb->data,
1298 skb->len - L2CAP_FCS_SIZE);
1299 put_unaligned_le16(fcs,
1300 skb->data + skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP
1301 }
1302
4343478f 1303 l2cap_do_send(chan, skb);
6840ed07 1304
836be934 1305 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
6840ed07 1306 }
6840ed07
GP
1307}
1308
fb45de7d 1309static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 1310{
8f17154f 1311 struct sk_buff *skb, *tx_skb;
88843ab0
AE
1312 u16 fcs;
1313 u32 control;
8f17154f 1314
58d35f87 1315 skb = skb_peek(&chan->tx_q);
f11d676d
GP
1316 if (!skb)
1317 return;
8f17154f 1318
f11d676d
GP
1319 do {
1320 if (bt_cb(skb)->tx_seq == tx_seq)
8f17154f 1321 break;
8f17154f 1322
58d35f87 1323 if (skb_queue_is_last(&chan->tx_q, skb))
f11d676d 1324 return;
8f17154f 1325
58d35f87 1326 } while ((skb = skb_queue_next(&chan->tx_q, skb)));
8f17154f 1327
2c03a7a4
GP
1328 if (chan->remote_max_tx &&
1329 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1330 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
f11d676d
GP
1331 return;
1332 }
1333
1334 tx_skb = skb_clone(skb, GFP_ATOMIC);
1335 bt_cb(skb)->retries++;
88843ab0
AE
1336
1337 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1338 control &= __get_sar_mask(chan);
3cb123d1 1339
e2ab4353 1340 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1341 control |= __set_ctrl_final(chan);
95ffa978 1342
0b209fae 1343 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1344 control |= __set_txseq(chan, tx_seq);
3cb123d1 1345
88843ab0 1346 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
f11d676d 1347
47d1ec61 1348 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE
1349 fcs = crc16(0, (u8 *)tx_skb->data,
1350 tx_skb->len - L2CAP_FCS_SIZE);
1351 put_unaligned_le16(fcs,
1352 tx_skb->data + tx_skb->len - L2CAP_FCS_SIZE);
f11d676d
GP
1353 }
1354
4343478f 1355 l2cap_do_send(chan, tx_skb);
8f17154f
GP
1356}
1357
67c9e840 1358static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP
1359{
1360 struct sk_buff *skb, *tx_skb;
88843ab0
AE
1361 u16 fcs;
1362 u32 control;
9a9c6a34 1363 int nsent = 0;
1c2acffb 1364
89bc500e 1365 if (chan->state != BT_CONNECTED)
c13ffa62 1366 return -ENOTCONN;
e90bac06 1367
58d35f87 1368 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1c2acffb 1369
2c03a7a4
GP
1370 if (chan->remote_max_tx &&
1371 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1372 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
e90bac06
GP
1373 break;
1374 }
1375
e420aba3
AE
1376 tx_skb = skb_clone(skb, GFP_ATOMIC);
1377
e90bac06
GP
1378 bt_cb(skb)->retries++;
1379
88843ab0 1380 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1381 control &= __get_sar_mask(chan);
95ffa978 1382
e2ab4353 1383 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1384 control |= __set_ctrl_final(chan);
e2ab4353 1385
0b209fae 1386 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1387 control |= __set_txseq(chan, chan->next_tx_seq);
1c2acffb 1388
88843ab0 1389 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
e90bac06 1390
47d1ec61 1391 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE
1392 fcs = crc16(0, (u8 *)skb->data,
1393 tx_skb->len - L2CAP_FCS_SIZE);
1394 put_unaligned_le16(fcs, skb->data +
1395 tx_skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP
1396 }
1397
4343478f 1398 l2cap_do_send(chan, tx_skb);
9a9c6a34 1399
1a09bcb9 1400 __set_retrans_timer(chan);
1c2acffb 1401
42e5c802 1402 bt_cb(skb)->tx_seq = chan->next_tx_seq;
836be934
AE
1403
1404 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1c2acffb 1405
23e9fde2 1406 if (bt_cb(skb)->retries == 1)
6a026610 1407 chan->unacked_frames++;
23e9fde2 1408
6a026610 1409 chan->frames_sent++;
1c2acffb 1410
58d35f87
GP
1411 if (skb_queue_is_last(&chan->tx_q, skb))
1412 chan->tx_send_head = NULL;
1c2acffb 1413 else
58d35f87 1414 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
9e917af1
GP
1415
1416 nsent++;
1c2acffb
GP
1417 }
1418
9e917af1
GP
1419 return nsent;
1420}
1421
525cd185 1422static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1423{
dfc909be
GP
1424 int ret;
1425
58d35f87
GP
1426 if (!skb_queue_empty(&chan->tx_q))
1427 chan->tx_send_head = chan->tx_q.next;
dfc909be 1428
42e5c802 1429 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1430 ret = l2cap_ertm_send(chan);
dfc909be
GP
1431 return ret;
1432}
1433
525cd185 1434static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1435{
88843ab0 1436 u32 control = 0;
9e917af1 1437
0b209fae 1438 control |= __set_reqseq(chan, chan->buffer_seq);
9e917af1 1439
e2ab4353 1440 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 1441 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 1442 set_bit(CONN_RNR_SENT, &chan->conn_state);
525cd185 1443 l2cap_send_sframe(chan, control);
9a9c6a34 1444 return;
9e917af1 1445 }
dfc909be 1446
525cd185 1447 if (l2cap_ertm_send(chan) > 0)
dfc909be
GP
1448 return;
1449
ab784b73 1450 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 1451 l2cap_send_sframe(chan, control);
1c2acffb
GP
1452}
1453
525cd185 1454static void l2cap_send_srejtail(struct l2cap_chan *chan)
99b0d4b7
GP
1455{
1456 struct srej_list *tail;
88843ab0 1457 u32 control;
99b0d4b7 1458
ab784b73 1459 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
03f6715d 1460 control |= __set_ctrl_final(chan);
99b0d4b7 1461
39d5a3ee 1462 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
0b209fae 1463 control |= __set_reqseq(chan, tail->tx_seq);
99b0d4b7 1464
525cd185 1465 l2cap_send_sframe(chan, control);
99b0d4b7
GP
1466}
1467
1c2acffb
GP
1468static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1469{
8c1d787b 1470 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1c2acffb
GP
1471 struct sk_buff **frag;
1472 int err, sent = 0;
1da177e4 1473
59203a21 1474 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1475 return -EFAULT;
1da177e4
LT
1476
1477 sent += count;
1478 len -= count;
1479
1480 /* Continuation fragments (no L2CAP header) */
1481 frag = &skb_shinfo(skb)->frag_list;
1482 while (len) {
1483 count = min_t(unsigned int, conn->mtu, len);
1484
1485 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1486 if (!*frag)
0175d629 1487 return err;
1c2acffb
GP
1488 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1489 return -EFAULT;
1da177e4 1490
5e59b791
LAD
1491 (*frag)->priority = skb->priority;
1492
1da177e4
LT
1493 sent += count;
1494 len -= count;
1495
1496 frag = &(*frag)->next;
1497 }
1da177e4
LT
1498
1499 return sent;
1c2acffb 1500}
1da177e4 1501
5e59b791
LAD
1502static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
1503 struct msghdr *msg, size_t len,
1504 u32 priority)
1c2acffb 1505{
fe4128e0 1506 struct sock *sk = chan->sk;
8c1d787b 1507 struct l2cap_conn *conn = chan->conn;
1c2acffb 1508 struct sk_buff *skb;
03a51213 1509 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP
1510 struct l2cap_hdr *lh;
1511
5e59b791 1512 BT_DBG("sk %p len %d priority %u", sk, (int)len, priority);
1c2acffb
GP
1513
1514 count = min_t(unsigned int, (conn->mtu - hlen), len);
1515 skb = bt_skb_send_alloc(sk, count + hlen,
1516 msg->msg_flags & MSG_DONTWAIT, &err);
1517 if (!skb)
0175d629 1518 return ERR_PTR(err);
1c2acffb 1519
5e59b791
LAD
1520 skb->priority = priority;
1521
1c2acffb
GP
1522 /* Create L2CAP header */
1523 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1524 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1525 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
fe4128e0 1526 put_unaligned_le16(chan->psm, skb_put(skb, 2));
1c2acffb
GP
1527
1528 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1529 if (unlikely(err < 0)) {
1530 kfree_skb(skb);
1531 return ERR_PTR(err);
1532 }
1533 return skb;
1534}
1535
5e59b791
LAD
1536static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
1537 struct msghdr *msg, size_t len,
1538 u32 priority)
1c2acffb 1539{
fe4128e0 1540 struct sock *sk = chan->sk;
8c1d787b 1541 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP
1542 struct sk_buff *skb;
1543 int err, count, hlen = L2CAP_HDR_SIZE;
1544 struct l2cap_hdr *lh;
1545
1546 BT_DBG("sk %p len %d", sk, (int)len);
1547
1548 count = min_t(unsigned int, (conn->mtu - hlen), len);
1549 skb = bt_skb_send_alloc(sk, count + hlen,
1550 msg->msg_flags & MSG_DONTWAIT, &err);
1551 if (!skb)
0175d629 1552 return ERR_PTR(err);
1c2acffb 1553
5e59b791
LAD
1554 skb->priority = priority;
1555
1c2acffb
GP
1556 /* Create L2CAP header */
1557 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1558 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP
1559 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1560
1561 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1562 if (unlikely(err < 0)) {
1563 kfree_skb(skb);
1564 return ERR_PTR(err);
1565 }
1566 return skb;
1567}
1568
ab0ff76d
LAD
1569static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
1570 struct msghdr *msg, size_t len,
88843ab0 1571 u32 control, u16 sdulen)
1c2acffb 1572{
47d1ec61 1573 struct sock *sk = chan->sk;
8c1d787b 1574 struct l2cap_conn *conn = chan->conn;
1c2acffb 1575 struct sk_buff *skb;
e4ca6d98 1576 int err, count, hlen;
1c2acffb
GP
1577 struct l2cap_hdr *lh;
1578
1579 BT_DBG("sk %p len %d", sk, (int)len);
1580
0ee0d208
GP
1581 if (!conn)
1582 return ERR_PTR(-ENOTCONN);
1583
e4ca6d98
AE
1584 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1585 hlen = L2CAP_EXT_HDR_SIZE;
1586 else
1587 hlen = L2CAP_ENH_HDR_SIZE;
1588
c74e560c 1589 if (sdulen)
03a51213 1590 hlen += L2CAP_SDULEN_SIZE;
c74e560c 1591
47d1ec61 1592 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1593 hlen += L2CAP_FCS_SIZE;
fcc203c3 1594
1c2acffb
GP
1595 count = min_t(unsigned int, (conn->mtu - hlen), len);
1596 skb = bt_skb_send_alloc(sk, count + hlen,
1597 msg->msg_flags & MSG_DONTWAIT, &err);
1598 if (!skb)
0175d629 1599 return ERR_PTR(err);
1c2acffb
GP
1600
1601 /* Create L2CAP header */
1602 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1603 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1604 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0
AE
1605
1606 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
1607
c74e560c 1608 if (sdulen)
03a51213 1609 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb
GP
1610
1611 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1612 if (unlikely(err < 0)) {
1613 kfree_skb(skb);
1614 return ERR_PTR(err);
1615 }
e90bac06 1616
47d1ec61 1617 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1618 put_unaligned_le16(0, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3 1619
e90bac06 1620 bt_cb(skb)->retries = 0;
1c2acffb 1621 return skb;
1da177e4
LT
1622}
1623
67c9e840 1624static int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
c74e560c 1625{
c74e560c
GP
1626 struct sk_buff *skb;
1627 struct sk_buff_head sar_queue;
88843ab0 1628 u32 control;
c74e560c
GP
1629 size_t size = 0;
1630
ff12fd64 1631 skb_queue_head_init(&sar_queue);
7e0ef6ee 1632 control = __set_ctrl_sar(chan, L2CAP_SAR_START);
47d1ec61 1633 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
c74e560c
GP
1634 if (IS_ERR(skb))
1635 return PTR_ERR(skb);
1636
1637 __skb_queue_tail(&sar_queue, skb);
2c03a7a4
GP
1638 len -= chan->remote_mps;
1639 size += chan->remote_mps;
c74e560c
GP
1640
1641 while (len > 0) {
1642 size_t buflen;
1643
2c03a7a4 1644 if (len > chan->remote_mps) {
7e0ef6ee 1645 control = __set_ctrl_sar(chan, L2CAP_SAR_CONTINUE);
2c03a7a4 1646 buflen = chan->remote_mps;
c74e560c 1647 } else {
7e0ef6ee 1648 control = __set_ctrl_sar(chan, L2CAP_SAR_END);
c74e560c
GP
1649 buflen = len;
1650 }
1651
47d1ec61 1652 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
c74e560c
GP
1653 if (IS_ERR(skb)) {
1654 skb_queue_purge(&sar_queue);
1655 return PTR_ERR(skb);
1656 }
1657
1658 __skb_queue_tail(&sar_queue, skb);
1659 len -= buflen;
1660 size += buflen;
c74e560c 1661 }
58d35f87
GP
1662 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
1663 if (chan->tx_send_head == NULL)
1664 chan->tx_send_head = sar_queue.next;
c74e560c
GP
1665
1666 return size;
1667}
1668
5e59b791
LAD
1669int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
1670 u32 priority)
9a91a04a 1671{
9a91a04a 1672 struct sk_buff *skb;
88843ab0 1673 u32 control;
9a91a04a
GP
1674 int err;
1675
1676 /* Connectionless channel */
715ec005 1677 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 1678 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP
1679 if (IS_ERR(skb))
1680 return PTR_ERR(skb);
1681
1682 l2cap_do_send(chan, skb);
1683 return len;
1684 }
1685
1686 switch (chan->mode) {
1687 case L2CAP_MODE_BASIC:
1688 /* Check outgoing MTU */
1689 if (len > chan->omtu)
1690 return -EMSGSIZE;
1691
1692 /* Create a basic PDU */
5e59b791 1693 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP
1694 if (IS_ERR(skb))
1695 return PTR_ERR(skb);
1696
1697 l2cap_do_send(chan, skb);
1698 err = len;
1699 break;
1700
1701 case L2CAP_MODE_ERTM:
1702 case L2CAP_MODE_STREAMING:
1703 /* Entire SDU fits into one PDU */
1704 if (len <= chan->remote_mps) {
7e0ef6ee 1705 control = __set_ctrl_sar(chan, L2CAP_SAR_UNSEGMENTED);
9a91a04a
GP
1706 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
1707 0);
1708 if (IS_ERR(skb))
1709 return PTR_ERR(skb);
1710
1711 __skb_queue_tail(&chan->tx_q, skb);
1712
1713 if (chan->tx_send_head == NULL)
1714 chan->tx_send_head = skb;
1715
1716 } else {
1717 /* Segment SDU into multiples PDUs */
1718 err = l2cap_sar_segment_sdu(chan, msg, len);
1719 if (err < 0)
1720 return err;
1721 }
1722
1723 if (chan->mode == L2CAP_MODE_STREAMING) {
1724 l2cap_streaming_send(chan);
1725 err = len;
1726 break;
1727 }
1728
e2ab4353
GP
1729 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
1730 test_bit(CONN_WAIT_F, &chan->conn_state)) {
9a91a04a
GP
1731 err = len;
1732 break;
1733 }
1734
1735 err = l2cap_ertm_send(chan);
1736 if (err >= 0)
1737 err = len;
1738
1739 break;
1740
1741 default:
1742 BT_DBG("bad state %1.1x", chan->mode);
1743 err = -EBADFD;
1744 }
1745
1746 return err;
1747}
1748
1da177e4
LT
1749/* Copy frame to all raw sockets on that connection */
1750static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1751{
1da177e4 1752 struct sk_buff *nskb;
48454079 1753 struct l2cap_chan *chan;
1da177e4
LT
1754
1755 BT_DBG("conn %p", conn);
1756
baa7e1fa
GP
1757 read_lock(&conn->chan_lock);
1758 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 1759 struct sock *sk = chan->sk;
715ec005 1760 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT
1761 continue;
1762
1763 /* Don't send frame to the socket it came from */
1764 if (skb->sk == sk)
1765 continue;
af05b30b
GP
1766 nskb = skb_clone(skb, GFP_ATOMIC);
1767 if (!nskb)
1da177e4
LT
1768 continue;
1769
23070494 1770 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT
1771 kfree_skb(nskb);
1772 }
baa7e1fa 1773 read_unlock(&conn->chan_lock);
1da177e4
LT
1774}
1775
1776/* ---- L2CAP signalling commands ---- */
1777static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1778 u8 code, u8 ident, u16 dlen, void *data)
1779{
1780 struct sk_buff *skb, **frag;
1781 struct l2cap_cmd_hdr *cmd;
1782 struct l2cap_hdr *lh;
1783 int len, count;
1784
af05b30b
GP
1785 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1786 conn, code, ident, dlen);
1da177e4
LT
1787
1788 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1789 count = min_t(unsigned int, conn->mtu, len);
1790
1791 skb = bt_skb_alloc(count, GFP_ATOMIC);
1792 if (!skb)
1793 return NULL;
1794
1795 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 1796 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT
1797
1798 if (conn->hcon->type == LE_LINK)
1799 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
1800 else
1801 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT
1802
1803 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1804 cmd->code = code;
1805 cmd->ident = ident;
aca3192c 1806 cmd->len = cpu_to_le16(dlen);
1da177e4
LT
1807
1808 if (dlen) {
1809 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1810 memcpy(skb_put(skb, count), data, count);
1811 data += count;
1812 }
1813
1814 len -= skb->len;
1815
1816 /* Continuation fragments (no L2CAP header) */
1817 frag = &skb_shinfo(skb)->frag_list;
1818 while (len) {
1819 count = min_t(unsigned int, conn->mtu, len);
1820
1821 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1822 if (!*frag)
1823 goto fail;
1824
1825 memcpy(skb_put(*frag, count), data, count);
1826
1827 len -= count;
1828 data += count;
1829
1830 frag = &(*frag)->next;
1831 }
1832
1833 return skb;
1834
1835fail:
1836 kfree_skb(skb);
1837 return NULL;
1838}
1839
1840static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1841{
1842 struct l2cap_conf_opt *opt = *ptr;
1843 int len;
1844
1845 len = L2CAP_CONF_OPT_SIZE + opt->len;
1846 *ptr += len;
1847
1848 *type = opt->type;
1849 *olen = opt->len;
1850
1851 switch (opt->len) {
1852 case 1:
1853 *val = *((u8 *) opt->val);
1854 break;
1855
1856 case 2:
bfaaeb3e 1857 *val = get_unaligned_le16(opt->val);
1da177e4
LT
1858 break;
1859
1860 case 4:
bfaaeb3e 1861 *val = get_unaligned_le32(opt->val);
1da177e4
LT
1862 break;
1863
1864 default:
1865 *val = (unsigned long) opt->val;
1866 break;
1867 }
1868
1869 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1870 return len;
1871}
1872
1da177e4
LT
1873static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1874{
1875 struct l2cap_conf_opt *opt = *ptr;
1876
1877 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1878
1879 opt->type = type;
1880 opt->len = len;
1881
1882 switch (len) {
1883 case 1:
1884 *((u8 *) opt->val) = val;
1885 break;
1886
1887 case 2:
4f8b691c 1888 put_unaligned_le16(val, opt->val);
1da177e4
LT
1889 break;
1890
1891 case 4:
4f8b691c 1892 put_unaligned_le32(val, opt->val);
1da177e4
LT
1893 break;
1894
1895 default:
1896 memcpy(opt->val, (void *) val, len);
1897 break;
1898 }
1899
1900 *ptr += L2CAP_CONF_OPT_SIZE + len;
1901}
1902
f89cef09
AE
1903static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
1904{
1905 struct l2cap_conf_efs efs;
1906
1907 switch(chan->mode) {
1908 case L2CAP_MODE_ERTM:
1909 efs.id = chan->local_id;
1910 efs.stype = chan->local_stype;
1911 efs.msdu = cpu_to_le16(chan->local_msdu);
1912 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
1913 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
1914 efs.flush_to = cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
1915 break;
1916
1917 case L2CAP_MODE_STREAMING:
1918 efs.id = 1;
1919 efs.stype = L2CAP_SERV_BESTEFFORT;
1920 efs.msdu = cpu_to_le16(chan->local_msdu);
1921 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
1922 efs.acc_lat = 0;
1923 efs.flush_to = 0;
1924 break;
1925
1926 default:
1927 return;
1928 }
1929
1930 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
1931 (unsigned long) &efs);
1932}
1933
c1b4f43b
GP
1934static void l2cap_ack_timeout(unsigned long arg)
1935{
525cd185 1936 struct l2cap_chan *chan = (void *) arg;
c1b4f43b 1937
525cd185
GP
1938 bh_lock_sock(chan->sk);
1939 l2cap_send_ack(chan);
1940 bh_unlock_sock(chan->sk);
c1b4f43b
GP
1941}
1942
525cd185 1943static inline void l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 1944{
525cd185
GP
1945 struct sock *sk = chan->sk;
1946
42e5c802 1947 chan->expected_ack_seq = 0;
6a026610 1948 chan->unacked_frames = 0;
42e5c802 1949 chan->buffer_seq = 0;
6a026610
GP
1950 chan->num_acked = 0;
1951 chan->frames_sent = 0;
0565c1c2 1952
e92c8e70
GP
1953 setup_timer(&chan->retrans_timer, l2cap_retrans_timeout,
1954 (unsigned long) chan);
1955 setup_timer(&chan->monitor_timer, l2cap_monitor_timeout,
1956 (unsigned long) chan);
1957 setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan);
0565c1c2 1958
f1c6775b 1959 skb_queue_head_init(&chan->srej_q);
1890d36b 1960
39d5a3ee
GP
1961 INIT_LIST_HEAD(&chan->srej_l);
1962
218bb9df
GP
1963
1964 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
0565c1c2
GP
1965}
1966
f2fcfcd6
GP
1967static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
1968{
1969 switch (mode) {
1970 case L2CAP_MODE_STREAMING:
1971 case L2CAP_MODE_ERTM:
1972 if (l2cap_mode_supported(mode, remote_feat_mask))
1973 return mode;
1974 /* fall through */
1975 default:
1976 return L2CAP_MODE_BASIC;
1977 }
1978}
1979
6327eb98
AE
1980static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
1981{
1982 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
1983}
1984
f89cef09
AE
1985static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
1986{
1987 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
1988}
1989
6327eb98
AE
1990static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
1991{
1992 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 1993 __l2cap_ews_supported(chan)) {
6327eb98
AE
1994 /* use extended control field */
1995 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE
1996 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
1997 } else {
6327eb98
AE
1998 chan->tx_win = min_t(u16, chan->tx_win,
1999 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE
2000 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2001 }
6327eb98
AE
2002}
2003
710f9b0a 2004static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2005{
1da177e4 2006 struct l2cap_conf_req *req = data;
0c1bc5c6 2007 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2008 void *ptr = req->data;
c8f79162 2009 u16 size;
1da177e4 2010
49208c9c 2011 BT_DBG("chan %p", chan);
1da177e4 2012
73ffa904 2013 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP
2014 goto done;
2015
0c1bc5c6 2016 switch (chan->mode) {
f2fcfcd6
GP
2017 case L2CAP_MODE_STREAMING:
2018 case L2CAP_MODE_ERTM:
c1360a1c 2019 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2020 break;
85eb53c6 2021
f89cef09
AE
2022 if (__l2cap_efs_supported(chan))
2023 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2024
2ba13ed6 2025 /* fall through */
f2fcfcd6 2026 default:
8c1d787b 2027 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP
2028 break;
2029 }
2030
2031done:
0c1bc5c6
GP
2032 if (chan->imtu != L2CAP_DEFAULT_MTU)
2033 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2034
0c1bc5c6 2035 switch (chan->mode) {
65c7c491 2036 case L2CAP_MODE_BASIC:
8c1d787b
GP
2037 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2038 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP
2039 break;
2040
62547752
GP
2041 rfc.mode = L2CAP_MODE_BASIC;
2042 rfc.txwin_size = 0;
2043 rfc.max_transmit = 0;
2044 rfc.retrans_timeout = 0;
2045 rfc.monitor_timeout = 0;
2046 rfc.max_pdu_size = 0;
2047
63406504
GP
2048 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2049 (unsigned long) &rfc);
65c7c491
MH
2050 break;
2051
2052 case L2CAP_MODE_ERTM:
2053 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2054 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP
2055 rfc.retrans_timeout = 0;
2056 rfc.monitor_timeout = 0;
c8f79162
AE
2057
2058 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2059 L2CAP_EXT_HDR_SIZE -
2060 L2CAP_SDULEN_SIZE -
2061 L2CAP_FCS_SIZE);
2062 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2063
6327eb98
AE
2064 l2cap_txwin_setup(chan);
2065
2066 rfc.txwin_size = min_t(u16, chan->tx_win,
2067 L2CAP_DEFAULT_TX_WINDOW);
2068
63406504
GP
2069 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2070 (unsigned long) &rfc);
2071
f89cef09
AE
2072 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2073 l2cap_add_opt_efs(&ptr, chan);
2074
8c1d787b 2075 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP
2076 break;
2077
47d1ec61 2078 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2079 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP
2080 chan->fcs = L2CAP_FCS_NONE;
2081 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2082 }
6327eb98
AE
2083
2084 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2085 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2086 chan->tx_win);
f2fcfcd6
GP
2087 break;
2088
2089 case L2CAP_MODE_STREAMING:
2090 rfc.mode = L2CAP_MODE_STREAMING;
2091 rfc.txwin_size = 0;
2092 rfc.max_transmit = 0;
2093 rfc.retrans_timeout = 0;
2094 rfc.monitor_timeout = 0;
c8f79162
AE
2095
2096 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2097 L2CAP_EXT_HDR_SIZE -
2098 L2CAP_SDULEN_SIZE -
2099 L2CAP_FCS_SIZE);
2100 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2101
63406504
GP
2102 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2103 (unsigned long) &rfc);
2104
f89cef09
AE
2105 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2106 l2cap_add_opt_efs(&ptr, chan);
2107
8c1d787b 2108 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP
2109 break;
2110
47d1ec61 2111 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2112 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP
2113 chan->fcs = L2CAP_FCS_NONE;
2114 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2115 }
65c7c491
MH
2116 break;
2117 }
1da177e4 2118
fe4128e0 2119 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 2120 req->flags = cpu_to_le16(0);
1da177e4
LT
2121
2122 return ptr - data;
2123}
2124
73ffa904 2125static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2126{
5dee9e7c
MH
2127 struct l2cap_conf_rsp *rsp = data;
2128 void *ptr = rsp->data;
73ffa904
GP
2129 void *req = chan->conf_req;
2130 int len = chan->conf_len;
5dee9e7c
MH
2131 int type, hint, olen;
2132 unsigned long val;
6464f35f 2133 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE
2134 struct l2cap_conf_efs efs;
2135 u8 remote_efs = 0;
861d6882 2136 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2137 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2138 u16 size;
1da177e4 2139
73ffa904 2140 BT_DBG("chan %p", chan);
820ae1b8 2141
5dee9e7c
MH
2142 while (len >= L2CAP_CONF_OPT_SIZE) {
2143 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2144
589d2746 2145 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2146 type &= L2CAP_CONF_MASK;
5dee9e7c
MH
2147
2148 switch (type) {
2149 case L2CAP_CONF_MTU:
861d6882 2150 mtu = val;
5dee9e7c
MH
2151 break;
2152
2153 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2154 chan->flush_to = val;
5dee9e7c
MH
2155 break;
2156
2157 case L2CAP_CONF_QOS:
2158 break;
2159
6464f35f
MH
2160 case L2CAP_CONF_RFC:
2161 if (olen == sizeof(rfc))
2162 memcpy(&rfc, (void *) val, olen);
2163 break;
2164
fcc203c3
GP
2165 case L2CAP_CONF_FCS:
2166 if (val == L2CAP_FCS_NONE)
c1360a1c 2167 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 2168 break;
fcc203c3 2169
42dceae2
AE
2170 case L2CAP_CONF_EFS:
2171 remote_efs = 1;
2172 if (olen == sizeof(efs))
2173 memcpy(&efs, (void *) val, olen);
fcc203c3
GP
2174 break;
2175
6327eb98
AE
2176 case L2CAP_CONF_EWS:
2177 if (!enable_hs)
2178 return -ECONNREFUSED;
2179
2180 set_bit(FLAG_EXT_CTRL, &chan->flags);
2181 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 2182 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98
AE
2183 chan->remote_tx_win = val;
2184 break;
2185
5dee9e7c
MH
2186 default:
2187 if (hint)
2188 break;
2189
2190 result = L2CAP_CONF_UNKNOWN;
2191 *((u8 *) ptr++) = type;
2192 break;
2193 }
2194 }
2195
73ffa904 2196 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP
2197 goto done;
2198
0c1bc5c6 2199 switch (chan->mode) {
f2fcfcd6
GP
2200 case L2CAP_MODE_STREAMING:
2201 case L2CAP_MODE_ERTM:
c1360a1c 2202 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2203 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2204 chan->conn->feat_mask);
85eb53c6
GP
2205 break;
2206 }
2207
42dceae2
AE
2208 if (remote_efs) {
2209 if (__l2cap_efs_supported(chan))
2210 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2211 else
2212 return -ECONNREFUSED;
2213 }
2214
0c1bc5c6 2215 if (chan->mode != rfc.mode)
f2fcfcd6 2216 return -ECONNREFUSED;
742e519b 2217
f2fcfcd6 2218 break;
f2fcfcd6
GP
2219 }
2220
2221done:
0c1bc5c6 2222 if (chan->mode != rfc.mode) {
f2fcfcd6 2223 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2224 rfc.mode = chan->mode;
f2fcfcd6 2225
73ffa904 2226 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP
2227 return -ECONNREFUSED;
2228
2229 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2230 sizeof(rfc), (unsigned long) &rfc);
2231 }
2232
5dee9e7c
MH
2233 if (result == L2CAP_CONF_SUCCESS) {
2234 /* Configure output options and let the other side know
2235 * which ones we don't like. */
2236
f2fcfcd6
GP
2237 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2238 result = L2CAP_CONF_UNACCEPT;
2239 else {
0c1bc5c6 2240 chan->omtu = mtu;
c1360a1c 2241 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 2242 }
0c1bc5c6 2243 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2244
42dceae2
AE
2245 if (remote_efs) {
2246 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2247 efs.stype != L2CAP_SERV_NOTRAFIC &&
2248 efs.stype != chan->local_stype) {
2249
2250 result = L2CAP_CONF_UNACCEPT;
2251
2252 if (chan->num_conf_req >= 1)
2253 return -ECONNREFUSED;
2254
2255 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 2256 sizeof(efs),
42dceae2 2257 (unsigned long) &efs);
0e8b207e 2258 } else {
3e6b3b95 2259 /* Send PENDING Conf Rsp */
0e8b207e
AE
2260 result = L2CAP_CONF_PENDING;
2261 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE
2262 }
2263 }
2264
f2fcfcd6
GP
2265 switch (rfc.mode) {
2266 case L2CAP_MODE_BASIC:
47d1ec61 2267 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2268 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP
2269 break;
2270
2271 case L2CAP_MODE_ERTM:
6327eb98
AE
2272 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
2273 chan->remote_tx_win = rfc.txwin_size;
2274 else
2275 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
2276
2c03a7a4 2277 chan->remote_max_tx = rfc.max_transmit;
86b1b263 2278
c8f79162
AE
2279 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2280 chan->conn->mtu -
2281 L2CAP_EXT_HDR_SIZE -
2282 L2CAP_SDULEN_SIZE -
2283 L2CAP_FCS_SIZE);
2284 rfc.max_pdu_size = cpu_to_le16(size);
2285 chan->remote_mps = size;
f2fcfcd6 2286
10467e9e
GP
2287 rfc.retrans_timeout =
2288 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2289 rfc.monitor_timeout =
2290 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2291
c1360a1c 2292 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP
2293
2294 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2295 sizeof(rfc), (unsigned long) &rfc);
2296
42dceae2
AE
2297 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2298 chan->remote_id = efs.id;
2299 chan->remote_stype = efs.stype;
2300 chan->remote_msdu = le16_to_cpu(efs.msdu);
2301 chan->remote_flush_to =
2302 le32_to_cpu(efs.flush_to);
2303 chan->remote_acc_lat =
2304 le32_to_cpu(efs.acc_lat);
2305 chan->remote_sdu_itime =
2306 le32_to_cpu(efs.sdu_itime);
2307 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2308 sizeof(efs), (unsigned long) &efs);
2309 }
f2fcfcd6
GP
2310 break;
2311
2312 case L2CAP_MODE_STREAMING:
c8f79162
AE
2313 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2314 chan->conn->mtu -
2315 L2CAP_EXT_HDR_SIZE -
2316 L2CAP_SDULEN_SIZE -
2317 L2CAP_FCS_SIZE);
2318 rfc.max_pdu_size = cpu_to_le16(size);
2319 chan->remote_mps = size;
f2fcfcd6 2320
c1360a1c 2321 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP
2322
2323 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2324 sizeof(rfc), (unsigned long) &rfc);
2325
f2fcfcd6
GP
2326 break;
2327
2328 default:
5dee9e7c 2329 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2330
6464f35f 2331 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2332 rfc.mode = chan->mode;
f2fcfcd6 2333 }
6464f35f 2334
f2fcfcd6 2335 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 2336 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 2337 }
fe4128e0 2338 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH
2339 rsp->result = cpu_to_le16(result);
2340 rsp->flags = cpu_to_le16(0x0000);
2341
2342 return ptr - data;
1da177e4
LT
2343}
2344
b4450035 2345static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2346{
f2fcfcd6
GP
2347 struct l2cap_conf_req *req = data;
2348 void *ptr = req->data;
2349 int type, olen;
2350 unsigned long val;
2351 struct l2cap_conf_rfc rfc;
2352
fe4128e0 2353 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP
2354
2355 while (len >= L2CAP_CONF_OPT_SIZE) {
2356 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2357
2358 switch (type) {
2359 case L2CAP_CONF_MTU:
2360 if (val < L2CAP_DEFAULT_MIN_MTU) {
2361 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2362 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2363 } else
0c1bc5c6
GP
2364 chan->imtu = val;
2365 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP
2366 break;
2367
2368 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2369 chan->flush_to = val;
f2fcfcd6 2370 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 2371 2, chan->flush_to);
f2fcfcd6
GP
2372 break;
2373
2374 case L2CAP_CONF_RFC:
2375 if (olen == sizeof(rfc))
2376 memcpy(&rfc, (void *)val, olen);
2377
c1360a1c 2378 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 2379 rfc.mode != chan->mode)
f2fcfcd6
GP
2380 return -ECONNREFUSED;
2381
47d1ec61 2382 chan->fcs = 0;
f2fcfcd6
GP
2383
2384 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2385 sizeof(rfc), (unsigned long) &rfc);
2386 break;
6327eb98
AE
2387
2388 case L2CAP_CONF_EWS:
2389 chan->tx_win = min_t(u16, val,
2390 L2CAP_DEFAULT_EXT_WINDOW);
3e6b3b95
GP
2391 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2392 chan->tx_win);
6327eb98 2393 break;
f2fcfcd6
GP
2394 }
2395 }
2396
0c1bc5c6 2397 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP
2398 return -ECONNREFUSED;
2399
0c1bc5c6 2400 chan->mode = rfc.mode;
6c2ea7a8 2401
0e8b207e 2402 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP
2403 switch (rfc.mode) {
2404 case L2CAP_MODE_ERTM:
47d1ec61
GP
2405 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2406 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2407 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP
2408 break;
2409 case L2CAP_MODE_STREAMING:
47d1ec61 2410 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP
2411 }
2412 }
2413
fe4128e0 2414 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP
2415 req->flags = cpu_to_le16(0x0000);
2416
2417 return ptr - data;
2418}
2419
fe4128e0 2420static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT
2421{
2422 struct l2cap_conf_rsp *rsp = data;
2423 void *ptr = rsp->data;
1da177e4 2424
fe4128e0 2425 BT_DBG("chan %p", chan);
1da177e4 2426
fe4128e0 2427 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 2428 rsp->result = cpu_to_le16(result);
aca3192c 2429 rsp->flags = cpu_to_le16(flags);
1da177e4
LT
2430
2431 return ptr - data;
2432}
2433
8c1d787b 2434void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP
2435{
2436 struct l2cap_conn_rsp rsp;
8c1d787b 2437 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP
2438 u8 buf[128];
2439
fe4128e0
GP
2440 rsp.scid = cpu_to_le16(chan->dcid);
2441 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP
2442 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2443 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2444 l2cap_send_cmd(conn, chan->ident,
2445 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2446
c1360a1c 2447 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP
2448 return;
2449
710f9b0a
GP
2450 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2451 l2cap_build_conf_req(chan, buf), buf);
2452 chan->num_conf_req++;
2453}
2454
47d1ec61 2455static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 2456{
7b1c0049
GP
2457 int type, olen;
2458 unsigned long val;
2459 struct l2cap_conf_rfc rfc;
2460
47d1ec61 2461 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 2462
0c1bc5c6 2463 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP
2464 return;
2465
2466 while (len >= L2CAP_CONF_OPT_SIZE) {
2467 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2468
2469 switch (type) {
2470 case L2CAP_CONF_RFC:
2471 if (olen == sizeof(rfc))
2472 memcpy(&rfc, (void *)val, olen);
2473 goto done;
2474 }
2475 }
2476
2477done:
2478 switch (rfc.mode) {
2479 case L2CAP_MODE_ERTM:
47d1ec61
GP
2480 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2481 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2482 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP
2483 break;
2484 case L2CAP_MODE_STREAMING:
47d1ec61 2485 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP
2486 }
2487}
2488
4e8402a3
MH
2489static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2490{
e2fd318e 2491 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 2492
e2fd318e 2493 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH
2494 return 0;
2495
2496 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2497 cmd->ident == conn->info_ident) {
4e8402a3 2498 del_timer(&conn->info_timer);
984947dc
MH
2499
2500 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2501 conn->info_ident = 0;
984947dc 2502
4e8402a3
MH
2503 l2cap_conn_start(conn);
2504 }
2505
2506 return 0;
2507}
2508
1da177e4
LT
2509static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2510{
1da177e4
LT
2511 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2512 struct l2cap_conn_rsp rsp;
23691d75 2513 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 2514 struct sock *parent, *sk = NULL;
e7c29cb1 2515 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT
2516
2517 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2518 __le16 psm = req->psm;
1da177e4
LT
2519
2520 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2521
2522 /* Check if we have socket listening on psm */
23691d75
GP
2523 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
2524 if (!pchan) {
1da177e4
LT
2525 result = L2CAP_CR_BAD_PSM;
2526 goto sendresp;
2527 }
2528
23691d75
GP
2529 parent = pchan->sk;
2530
e0f0cb56
GP
2531 bh_lock_sock(parent);
2532
e7c29cb1
MH
2533 /* Check if the ACL is secure enough (if not SDP) */
2534 if (psm != cpu_to_le16(0x0001) &&
2535 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 2536 conn->disc_reason = 0x05;
e7c29cb1
MH
2537 result = L2CAP_CR_SEC_BLOCK;
2538 goto response;
2539 }
2540
1da177e4
LT
2541 result = L2CAP_CR_NO_MEM;
2542
2543 /* Check for backlog size */
2544 if (sk_acceptq_is_full(parent)) {
8e87d142 2545 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT
2546 goto response;
2547 }
2548
80808e43
GP
2549 chan = pchan->ops->new_connection(pchan->data);
2550 if (!chan)
1da177e4
LT
2551 goto response;
2552
80808e43
GP
2553 sk = chan->sk;
2554
baa7e1fa 2555 write_lock_bh(&conn->chan_lock);
1da177e4
LT
2556
2557 /* Check if we already have channel with that dcid */
baa7e1fa
GP
2558 if (__l2cap_get_chan_by_dcid(conn, scid)) {
2559 write_unlock_bh(&conn->chan_lock);
1da177e4 2560 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 2561 chan->ops->close(chan->data);
1da177e4
LT
2562 goto response;
2563 }
2564
2565 hci_conn_hold(conn->hcon);
2566
1da177e4
LT
2567 bacpy(&bt_sk(sk)->src, conn->src);
2568 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP
2569 chan->psm = psm;
2570 chan->dcid = scid;
1da177e4 2571
d1010240
GP
2572 bt_accept_enqueue(parent, sk);
2573
48454079
GP
2574 __l2cap_chan_add(conn, chan);
2575
fe4128e0 2576 dcid = chan->scid;
1da177e4 2577
c9b66675 2578 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 2579
fc7f8a7e 2580 chan->ident = cmd->ident;
1da177e4 2581
984947dc 2582 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
4343478f 2583 if (l2cap_check_security(chan)) {
f66dc81f 2584 if (bt_sk(sk)->defer_setup) {
89bc500e 2585 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH
2586 result = L2CAP_CR_PEND;
2587 status = L2CAP_CS_AUTHOR_PEND;
2588 parent->sk_data_ready(parent, 0);
2589 } else {
89bc500e 2590 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH
2591 result = L2CAP_CR_SUCCESS;
2592 status = L2CAP_CS_NO_INFO;
2593 }
79d554a6 2594 } else {
89bc500e 2595 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH
2596 result = L2CAP_CR_PEND;
2597 status = L2CAP_CS_AUTHEN_PEND;
2598 }
2599 } else {
89bc500e 2600 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH
2601 result = L2CAP_CR_PEND;
2602 status = L2CAP_CS_NO_INFO;
1da177e4
LT
2603 }
2604
baa7e1fa 2605 write_unlock_bh(&conn->chan_lock);
1da177e4
LT
2606
2607response:
2608 bh_unlock_sock(parent);
2609
2610sendresp:
aca3192c
YH
2611 rsp.scid = cpu_to_le16(scid);
2612 rsp.dcid = cpu_to_le16(dcid);
2613 rsp.result = cpu_to_le16(result);
2614 rsp.status = cpu_to_le16(status);
1da177e4 2615 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH
2616
2617 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2618 struct l2cap_info_req info;
2619 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2620
2621 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2622 conn->info_ident = l2cap_get_ident(conn);
2623
2624 mod_timer(&conn->info_timer, jiffies +
2625 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2626
2627 l2cap_send_cmd(conn, conn->info_ident,
2628 L2CAP_INFO_REQ, sizeof(info), &info);
2629 }
2630
c1360a1c 2631 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP
2632 result == L2CAP_CR_SUCCESS) {
2633 u8 buf[128];
c1360a1c 2634 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 2635 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP
2636 l2cap_build_conf_req(chan, buf), buf);
2637 chan->num_conf_req++;
e9aeb2dd
GP
2638 }
2639
1da177e4
LT
2640 return 0;
2641}
2642
2643static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2644{
2645 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2646 u16 scid, dcid, result, status;
48454079 2647 struct l2cap_chan *chan;
1da177e4
LT
2648 struct sock *sk;
2649 u8 req[128];
2650
2651 scid = __le16_to_cpu(rsp->scid);
2652 dcid = __le16_to_cpu(rsp->dcid);
2653 result = __le16_to_cpu(rsp->result);
2654 status = __le16_to_cpu(rsp->status);
2655
2656 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2657
2658 if (scid) {
baa7e1fa 2659 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2660 if (!chan)
57d3b22b 2661 return -EFAULT;
1da177e4 2662 } else {
baa7e1fa 2663 chan = l2cap_get_chan_by_ident(conn, cmd->ident);
48454079 2664 if (!chan)
57d3b22b 2665 return -EFAULT;
1da177e4
LT
2666 }
2667
48454079
GP
2668 sk = chan->sk;
2669
1da177e4
LT
2670 switch (result) {
2671 case L2CAP_CR_SUCCESS:
89bc500e 2672 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 2673 chan->ident = 0;
fe4128e0 2674 chan->dcid = dcid;
c1360a1c 2675 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 2676
c1360a1c 2677 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP
2678 break;
2679
1da177e4 2680 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP
2681 l2cap_build_conf_req(chan, req), req);
2682 chan->num_conf_req++;
1da177e4
LT
2683 break;
2684
2685 case L2CAP_CR_PEND:
c1360a1c 2686 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT
2687 break;
2688
2689 default:
a49184c2
AE
2690 /* don't delete l2cap channel if sk is owned by user */
2691 if (sock_owned_by_user(sk)) {
89bc500e 2692 l2cap_state_change(chan, BT_DISCONN);
c9b66675
GP
2693 __clear_chan_timer(chan);
2694 __set_chan_timer(chan, HZ / 5);
a49184c2
AE
2695 break;
2696 }
2697
48454079 2698 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT
2699 break;
2700 }
2701
2702 bh_unlock_sock(sk);
2703 return 0;
2704}
2705
47d1ec61 2706static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM
2707{
2708 /* FCS is enabled only in ERTM or streaming mode, if one or both
2709 * sides request it.
2710 */
0c1bc5c6 2711 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 2712 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2713 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 2714 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM
2715}
2716
88219a0f 2717static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT
2718{
2719 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2720 u16 dcid, flags;
2721 u8 rsp[64];
48454079 2722 struct l2cap_chan *chan;
1da177e4 2723 struct sock *sk;
5dee9e7c 2724 int len;
1da177e4
LT
2725
2726 dcid = __le16_to_cpu(req->dcid);
2727 flags = __le16_to_cpu(req->flags);
2728
2729 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2730
baa7e1fa 2731 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2732 if (!chan)
1da177e4
LT
2733 return -ENOENT;
2734
48454079
GP
2735 sk = chan->sk;
2736
033b1142 2737 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK
2738 struct l2cap_cmd_rej_cid rej;
2739
2740 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
2741 rej.scid = cpu_to_le16(chan->scid);
2742 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 2743
df6bd743
GP
2744 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2745 sizeof(rej), &rej);
354f60a9 2746 goto unlock;
df6bd743 2747 }
354f60a9 2748
5dee9e7c 2749 /* Reject if config buffer is too small. */
88219a0f 2750 len = cmd_len - sizeof(*req);
7ac28817 2751 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 2752 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2753 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH
2754 L2CAP_CONF_REJECT, flags), rsp);
2755 goto unlock;
2756 }
2757
2758 /* Store config. */
73ffa904
GP
2759 memcpy(chan->conf_req + chan->conf_len, req->data, len);
2760 chan->conf_len += len;
1da177e4
LT
2761
2762 if (flags & 0x0001) {
2763 /* Incomplete config. Send empty response. */
2764 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2765 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 2766 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT
2767 goto unlock;
2768 }
2769
2770 /* Complete config. */
73ffa904 2771 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 2772 if (len < 0) {
e92c8e70 2773 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 2774 goto unlock;
f2fcfcd6 2775 }
1da177e4 2776
5dee9e7c 2777 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 2778 chan->num_conf_rsp++;
5dee9e7c 2779
5dee9e7c 2780 /* Reset config buffer. */
73ffa904 2781 chan->conf_len = 0;
5dee9e7c 2782
c1360a1c 2783 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH
2784 goto unlock;
2785
c1360a1c 2786 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 2787 set_default_fcs(chan);
fcc203c3 2788
89bc500e 2789 l2cap_state_change(chan, BT_CONNECTED);
e90bac06 2790
42e5c802
GP
2791 chan->next_tx_seq = 0;
2792 chan->expected_tx_seq = 0;
58d35f87 2793 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2794 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2795 l2cap_ertm_init(chan);
0565c1c2 2796
1da177e4 2797 l2cap_chan_ready(sk);
876d9484
MH
2798 goto unlock;
2799 }
2800
c1360a1c 2801 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 2802 u8 buf[64];
1da177e4 2803 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP
2804 l2cap_build_conf_req(chan, buf), buf);
2805 chan->num_conf_req++;
1da177e4
LT
2806 }
2807
0e8b207e
AE
2808 /* Got Conf Rsp PENDING from remote side and asume we sent
2809 Conf Rsp PENDING in the code above */
2810 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
2811 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
2812
2813 /* check compatibility */
2814
2815 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
2816 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
2817
2818 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 2819 l2cap_build_conf_rsp(chan, rsp,
0e8b207e
AE
2820 L2CAP_CONF_SUCCESS, 0x0000), rsp);
2821 }
2822
1da177e4
LT
2823unlock:
2824 bh_unlock_sock(sk);
2825 return 0;
2826}
2827
2828static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2829{
2830 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2831 u16 scid, flags, result;
48454079 2832 struct l2cap_chan *chan;
1da177e4 2833 struct sock *sk;
7b1c0049 2834 int len = cmd->len - sizeof(*rsp);
1da177e4
LT
2835
2836 scid = __le16_to_cpu(rsp->scid);
2837 flags = __le16_to_cpu(rsp->flags);
2838 result = __le16_to_cpu(rsp->result);
2839
af05b30b
GP
2840 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2841 scid, flags, result);
1da177e4 2842
baa7e1fa 2843 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2844 if (!chan)
1da177e4
LT
2845 return 0;
2846
48454079
GP
2847 sk = chan->sk;
2848
1da177e4
LT
2849 switch (result) {
2850 case L2CAP_CONF_SUCCESS:
47d1ec61 2851 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 2852 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT
2853 break;
2854
0e8b207e
AE
2855 case L2CAP_CONF_PENDING:
2856 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
2857
2858 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
2859 char buf[64];
2860
2861 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2862 buf, &result);
2863 if (len < 0) {
2864 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2865 goto done;
2866 }
2867
2868 /* check compatibility */
2869
2870 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
2871 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
2872
2873 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 2874 l2cap_build_conf_rsp(chan, buf,
0e8b207e
AE
2875 L2CAP_CONF_SUCCESS, 0x0000), buf);
2876 }
2877 goto done;
2878
1da177e4 2879 case L2CAP_CONF_UNACCEPT:
73ffa904 2880 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP
2881 char req[64];
2882
c2c77ec8 2883 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 2884 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE
2885 goto done;
2886 }
2887
f2fcfcd6
GP
2888 /* throw out any old stored conf requests */
2889 result = L2CAP_CONF_SUCCESS;
b4450035
GP
2890 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2891 req, &result);
f2fcfcd6 2892 if (len < 0) {
e92c8e70 2893 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP
2894 goto done;
2895 }
2896
2897 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2898 L2CAP_CONF_REQ, len, req);
73ffa904 2899 chan->num_conf_req++;
f2fcfcd6
GP
2900 if (result != L2CAP_CONF_SUCCESS)
2901 goto done;
2902 break;
1da177e4
LT
2903 }
2904
8e87d142 2905 default:
b1235d79 2906 sk->sk_err = ECONNRESET;
c9b66675 2907 __set_chan_timer(chan, HZ * 5);
e92c8e70 2908 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT
2909 goto done;
2910 }
2911
2912 if (flags & 0x01)
2913 goto done;
2914
c1360a1c 2915 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 2916
c1360a1c 2917 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 2918 set_default_fcs(chan);
fcc203c3 2919
89bc500e 2920 l2cap_state_change(chan, BT_CONNECTED);
42e5c802
GP
2921 chan->next_tx_seq = 0;
2922 chan->expected_tx_seq = 0;
58d35f87 2923 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2924 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2925 l2cap_ertm_init(chan);
0565c1c2 2926
1da177e4
LT
2927 l2cap_chan_ready(sk);
2928 }
2929
2930done:
2931 bh_unlock_sock(sk);
2932 return 0;
2933}
2934
2935static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2936{
2937 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2938 struct l2cap_disconn_rsp rsp;
2939 u16 dcid, scid;
48454079 2940 struct l2cap_chan *chan;
1da177e4
LT
2941 struct sock *sk;
2942
2943 scid = __le16_to_cpu(req->scid);
2944 dcid = __le16_to_cpu(req->dcid);
2945
2946 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2947
baa7e1fa 2948 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2949 if (!chan)
1da177e4
LT
2950 return 0;
2951
48454079
GP
2952 sk = chan->sk;
2953
fe4128e0
GP
2954 rsp.dcid = cpu_to_le16(chan->scid);
2955 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT
2956 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2957
2958 sk->sk_shutdown = SHUTDOWN_MASK;
2959
a49184c2
AE
2960 /* don't delete l2cap channel if sk is owned by user */
2961 if (sock_owned_by_user(sk)) {
89bc500e 2962 l2cap_state_change(chan, BT_DISCONN);
c9b66675
GP
2963 __clear_chan_timer(chan);
2964 __set_chan_timer(chan, HZ / 5);
a49184c2
AE
2965 bh_unlock_sock(sk);
2966 return 0;
2967 }
2968
48454079 2969 l2cap_chan_del(chan, ECONNRESET);
1da177e4
LT
2970 bh_unlock_sock(sk);
2971
ba3bd0ee 2972 chan->ops->close(chan->data);
1da177e4
LT
2973 return 0;
2974}
2975
2976static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2977{
2978 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2979 u16 dcid, scid;
48454079 2980 struct l2cap_chan *chan;
1da177e4
LT
2981 struct sock *sk;
2982
2983 scid = __le16_to_cpu(rsp->scid);
2984 dcid = __le16_to_cpu(rsp->dcid);
2985
2986 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2987
baa7e1fa 2988 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2989 if (!chan)
1da177e4
LT
2990 return 0;
2991
48454079
GP
2992 sk = chan->sk;
2993
a49184c2
AE
2994 /* don't delete l2cap channel if sk is owned by user */
2995 if (sock_owned_by_user(sk)) {
89bc500e 2996 l2cap_state_change(chan,BT_DISCONN);
c9b66675
GP
2997 __clear_chan_timer(chan);
2998 __set_chan_timer(chan, HZ / 5);
a49184c2
AE
2999 bh_unlock_sock(sk);
3000 return 0;
3001 }
3002
48454079 3003 l2cap_chan_del(chan, 0);
1da177e4
LT
3004 bh_unlock_sock(sk);
3005
ba3bd0ee 3006 chan->ops->close(chan->data);
1da177e4
LT
3007 return 0;
3008}
3009
3010static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3011{
3012 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT
3013 u16 type;
3014
3015 type = __le16_to_cpu(req->type);
3016
3017 BT_DBG("type 0x%4.4x", type);
3018
f0709e03
MH
3019 if (type == L2CAP_IT_FEAT_MASK) {
3020 u8 buf[8];
44dd46de 3021 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH
3022 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3023 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3024 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3025 if (!disable_ertm)
fcc203c3
GP
3026 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3027 | L2CAP_FEAT_FCS;
a5fd6f30 3028 if (enable_hs)
6327eb98
AE
3029 feat_mask |= L2CAP_FEAT_EXT_FLOW
3030 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3031
1b7bf4ed 3032 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH
3033 l2cap_send_cmd(conn, cmd->ident,
3034 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH
3035 } else if (type == L2CAP_IT_FIXED_CHAN) {
3036 u8 buf[12];
3037 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM
3038
3039 if (enable_hs)
3040 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3041 else
3042 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3043
e1027a7c
MH
3044 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3045 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3046 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH
3047 l2cap_send_cmd(conn, cmd->ident,
3048 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH
3049 } else {
3050 struct l2cap_info_rsp rsp;
3051 rsp.type = cpu_to_le16(type);
3052 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3053 l2cap_send_cmd(conn, cmd->ident,
3054 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3055 }
1da177e4
LT
3056
3057 return 0;
3058}
3059
3060static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3061{
3062 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3063 u16 type, result;
3064
3065 type = __le16_to_cpu(rsp->type);
3066 result = __le16_to_cpu(rsp->result);
3067
3068 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3069
e90165be
AE
3070 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3071 if (cmd->ident != conn->info_ident ||
3072 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3073 return 0;
3074
4e8402a3
MH
3075 del_timer(&conn->info_timer);
3076
adb08ede
VT
3077 if (result != L2CAP_IR_SUCCESS) {
3078 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3079 conn->info_ident = 0;
3080
3081 l2cap_conn_start(conn);
3082
3083 return 0;
3084 }
3085
984947dc 3086 if (type == L2CAP_IT_FEAT_MASK) {
83985319 3087 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3088
47ec1dcd 3089 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH
3090 struct l2cap_info_req req;
3091 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3092
3093 conn->info_ident = l2cap_get_ident(conn);
3094
3095 l2cap_send_cmd(conn, conn->info_ident,
3096 L2CAP_INFO_REQ, sizeof(req), &req);
3097 } else {
3098 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3099 conn->info_ident = 0;
3100
3101 l2cap_conn_start(conn);
3102 }
3103 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 3104 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3105 conn->info_ident = 0;
984947dc
MH
3106
3107 l2cap_conn_start(conn);
3108 }
4e8402a3 3109
1da177e4
LT
3110 return 0;
3111}
3112
f94ff6ff
MM
3113static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3114 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3115 void *data)
3116{
3117 struct l2cap_create_chan_req *req = data;
3118 struct l2cap_create_chan_rsp rsp;
3119 u16 psm, scid;
3120
3121 if (cmd_len != sizeof(*req))
3122 return -EPROTO;
3123
3124 if (!enable_hs)
3125 return -EINVAL;
3126
3127 psm = le16_to_cpu(req->psm);
3128 scid = le16_to_cpu(req->scid);
3129
3130 BT_DBG("psm %d, scid %d, amp_id %d", psm, scid, req->amp_id);
3131
3132 /* Placeholder: Always reject */
3133 rsp.dcid = 0;
3134 rsp.scid = cpu_to_le16(scid);
3135 rsp.result = L2CAP_CR_NO_MEM;
3136 rsp.status = L2CAP_CS_NO_INFO;
3137
3138 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
3139 sizeof(rsp), &rsp);
3140
3141 return 0;
3142}
3143
3144static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
3145 struct l2cap_cmd_hdr *cmd, void *data)
3146{
3147 BT_DBG("conn %p", conn);
3148
3149 return l2cap_connect_rsp(conn, cmd, data);
3150}
3151
8d5a04a1
MM
3152static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
3153 u16 icid, u16 result)
3154{
3155 struct l2cap_move_chan_rsp rsp;
3156
3157 BT_DBG("icid %d, result %d", icid, result);
3158
3159 rsp.icid = cpu_to_le16(icid);
3160 rsp.result = cpu_to_le16(result);
3161
3162 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
3163}
3164
3165static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
3166 struct l2cap_chan *chan, u16 icid, u16 result)
3167{
3168 struct l2cap_move_chan_cfm cfm;
3169 u8 ident;
3170
3171 BT_DBG("icid %d, result %d", icid, result);
3172
3173 ident = l2cap_get_ident(conn);
3174 if (chan)
3175 chan->ident = ident;
3176
3177 cfm.icid = cpu_to_le16(icid);
3178 cfm.result = cpu_to_le16(result);
3179
3180 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
3181}
3182
3183static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
3184 u16 icid)
3185{
3186 struct l2cap_move_chan_cfm_rsp rsp;
3187
3188 BT_DBG("icid %d", icid);
3189
3190 rsp.icid = cpu_to_le16(icid);
3191 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
3192}
3193
3194static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
3195 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3196{
3197 struct l2cap_move_chan_req *req = data;
3198 u16 icid = 0;
3199 u16 result = L2CAP_MR_NOT_ALLOWED;
3200
3201 if (cmd_len != sizeof(*req))
3202 return -EPROTO;
3203
3204 icid = le16_to_cpu(req->icid);
3205
3206 BT_DBG("icid %d, dest_amp_id %d", icid, req->dest_amp_id);
3207
3208 if (!enable_hs)
3209 return -EINVAL;
3210
3211 /* Placeholder: Always refuse */
3212 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
3213
3214 return 0;
3215}
3216
3217static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
3218 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3219{
3220 struct l2cap_move_chan_rsp *rsp = data;
3221 u16 icid, result;
3222
3223 if (cmd_len != sizeof(*rsp))
3224 return -EPROTO;
3225
3226 icid = le16_to_cpu(rsp->icid);
3227 result = le16_to_cpu(rsp->result);
3228
3229 BT_DBG("icid %d, result %d", icid, result);
3230
3231 /* Placeholder: Always unconfirmed */
3232 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
3233
3234 return 0;
3235}
3236
3237static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
3238 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3239{
3240 struct l2cap_move_chan_cfm *cfm = data;
3241 u16 icid, result;
3242
3243 if (cmd_len != sizeof(*cfm))
3244 return -EPROTO;
3245
3246 icid = le16_to_cpu(cfm->icid);
3247 result = le16_to_cpu(cfm->result);
3248
3249 BT_DBG("icid %d, result %d", icid, result);
3250
3251 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
3252
3253 return 0;
3254}
3255
3256static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
3257 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3258{
3259 struct l2cap_move_chan_cfm_rsp *rsp = data;
3260 u16 icid;
3261
3262 if (cmd_len != sizeof(*rsp))
3263 return -EPROTO;
3264
3265 icid = le16_to_cpu(rsp->icid);
3266
3267 BT_DBG("icid %d", icid);
3268
3269 return 0;
3270}
3271
e2174ca4 3272static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT
3273 u16 to_multiplier)
3274{
3275 u16 max_latency;
3276
3277 if (min > max || min < 6 || max > 3200)
3278 return -EINVAL;
3279
3280 if (to_multiplier < 10 || to_multiplier > 3200)
3281 return -EINVAL;
3282
3283 if (max >= to_multiplier * 8)
3284 return -EINVAL;
3285
3286 max_latency = (to_multiplier * 8 / max) - 1;
3287 if (latency > 499 || latency > max_latency)
3288 return -EINVAL;
3289
3290 return 0;
3291}
3292
3293static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
3294 struct l2cap_cmd_hdr *cmd, u8 *data)
3295{
3296 struct hci_conn *hcon = conn->hcon;
3297 struct l2cap_conn_param_update_req *req;
3298 struct l2cap_conn_param_update_rsp rsp;
3299 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 3300 int err;
de73115a
CT
3301
3302 if (!(hcon->link_mode & HCI_LM_MASTER))
3303 return -EINVAL;
3304
3305 cmd_len = __le16_to_cpu(cmd->len);
3306 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
3307 return -EPROTO;
3308
3309 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP
3310 min = __le16_to_cpu(req->min);
3311 max = __le16_to_cpu(req->max);
de73115a
CT
3312 latency = __le16_to_cpu(req->latency);
3313 to_multiplier = __le16_to_cpu(req->to_multiplier);
3314
3315 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
3316 min, max, latency, to_multiplier);
3317
3318 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT
3319
3320 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
3321 if (err)
de73115a
CT
3322 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
3323 else
3324 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
3325
3326 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
3327 sizeof(rsp), &rsp);
3328
2ce603eb
CT
3329 if (!err)
3330 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
3331
de73115a
CT
3332 return 0;
3333}
3334
3300d9a9
CT
3335static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
3336 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3337{
3338 int err = 0;
3339
3340 switch (cmd->code) {
3341 case L2CAP_COMMAND_REJ:
3342 l2cap_command_rej(conn, cmd, data);
3343 break;
3344
3345 case L2CAP_CONN_REQ:
3346 err = l2cap_connect_req(conn, cmd, data);
3347 break;
3348
3349 case L2CAP_CONN_RSP:
3350 err = l2cap_connect_rsp(conn, cmd, data);
3351 break;
3352
3353 case L2CAP_CONF_REQ:
3354 err = l2cap_config_req(conn, cmd, cmd_len, data);
3355 break;
3356
3357 case L2CAP_CONF_RSP:
3358 err = l2cap_config_rsp(conn, cmd, data);
3359 break;
3360
3361 case L2CAP_DISCONN_REQ:
3362 err = l2cap_disconnect_req(conn, cmd, data);
3363 break;
3364
3365 case L2CAP_DISCONN_RSP:
3366 err = l2cap_disconnect_rsp(conn, cmd, data);
3367 break;
3368
3369 case L2CAP_ECHO_REQ:
3370 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
3371 break;
3372
3373 case L2CAP_ECHO_RSP:
3374 break;
3375
3376 case L2CAP_INFO_REQ:
3377 err = l2cap_information_req(conn, cmd, data);
3378 break;
3379
3380 case L2CAP_INFO_RSP:
3381 err = l2cap_information_rsp(conn, cmd, data);
3382 break;
3383
f94ff6ff
MM
3384 case L2CAP_CREATE_CHAN_REQ:
3385 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
3386 break;
3387
3388 case L2CAP_CREATE_CHAN_RSP:
3389 err = l2cap_create_channel_rsp(conn, cmd, data);
3390 break;
3391
8d5a04a1
MM
3392 case L2CAP_MOVE_CHAN_REQ:
3393 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
3394 break;
3395
3396 case L2CAP_MOVE_CHAN_RSP:
3397 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
3398 break;
3399
3400 case L2CAP_MOVE_CHAN_CFM:
3401 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
3402 break;
3403
3404 case L2CAP_MOVE_CHAN_CFM_RSP:
3405 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
3406 break;
3407
3300d9a9
CT
3408 default:
3409 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
3410 err = -EINVAL;
3411 break;
3412 }
3413
3414 return err;
3415}
3416
3417static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
3418 struct l2cap_cmd_hdr *cmd, u8 *data)
3419{
3420 switch (cmd->code) {
3421 case L2CAP_COMMAND_REJ:
3422 return 0;
3423
3424 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 3425 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT
3426
3427 case L2CAP_CONN_PARAM_UPDATE_RSP:
3428 return 0;
3429
3430 default:
3431 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
3432 return -EINVAL;
3433 }
3434}
3435
3436static inline void l2cap_sig_channel(struct l2cap_conn *conn,
3437 struct sk_buff *skb)
1da177e4
LT
3438{
3439 u8 *data = skb->data;
3440 int len = skb->len;
3441 struct l2cap_cmd_hdr cmd;
3300d9a9 3442 int err;
1da177e4
LT
3443
3444 l2cap_raw_recv(conn, skb);
3445
3446 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3447 u16 cmd_len;
1da177e4
LT
3448 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3449 data += L2CAP_CMD_HDR_SIZE;
3450 len -= L2CAP_CMD_HDR_SIZE;
3451
88219a0f 3452 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3453
88219a0f 3454 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3455
88219a0f 3456 if (cmd_len > len || !cmd.ident) {
1da177e4
LT
3457 BT_DBG("corrupted command");
3458 break;
3459 }
3460
3300d9a9
CT
3461 if (conn->hcon->type == LE_LINK)
3462 err = l2cap_le_sig_cmd(conn, &cmd, data);
3463 else
3464 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT
3465
3466 if (err) {
e2fd318e 3467 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP
3468
3469 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT
3470
3471 /* FIXME: Map err to a valid reason */
e2fd318e 3472 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT
3473 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3474 }
3475
88219a0f
AV
3476 data += cmd_len;
3477 len -= cmd_len;
1da177e4
LT
3478 }
3479
3480 kfree_skb(skb);
3481}
3482
47d1ec61 3483static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP
3484{
3485 u16 our_fcs, rcv_fcs;
e4ca6d98
AE
3486 int hdr_size;
3487
3488 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3489 hdr_size = L2CAP_EXT_HDR_SIZE;
3490 else
3491 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 3492
47d1ec61 3493 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 3494 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP
3495 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3496 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3497
3498 if (our_fcs != rcv_fcs)
7a560e5c 3499 return -EBADMSG;
fcc203c3
GP
3500 }
3501 return 0;
3502}
3503
525cd185 3504static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 3505{
88843ab0 3506 u32 control = 0;
d5392c8f 3507
6a026610 3508 chan->frames_sent = 0;
d5392c8f 3509
0b209fae 3510 control |= __set_reqseq(chan, chan->buffer_seq);
d5392c8f 3511
e2ab4353 3512 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 3513 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
525cd185 3514 l2cap_send_sframe(chan, control);
e2ab4353 3515 set_bit(CONN_RNR_SENT, &chan->conn_state);
d5392c8f
GP
3516 }
3517
e2ab4353 3518 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
525cd185 3519 l2cap_retransmit_frames(chan);
d5392c8f 3520
525cd185 3521 l2cap_ertm_send(chan);
d5392c8f 3522
e2ab4353 3523 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
6a026610 3524 chan->frames_sent == 0) {
ab784b73 3525 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 3526 l2cap_send_sframe(chan, control);
d5392c8f
GP
3527 }
3528}
3529
fb45de7d 3530static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u16 tx_seq, u8 sar)
8f17154f
GP
3531{
3532 struct sk_buff *next_skb;
bfbacc11 3533 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP
3534
3535 bt_cb(skb)->tx_seq = tx_seq;
3536 bt_cb(skb)->sar = sar;
3537
f1c6775b 3538 next_skb = skb_peek(&chan->srej_q);
8f17154f 3539 if (!next_skb) {
f1c6775b 3540 __skb_queue_tail(&chan->srej_q, skb);
9b53350d 3541 return 0;
8f17154f
GP
3542 }
3543
836be934 3544 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
bfbacc11 3545
8f17154f 3546 do {
9b53350d
JPRV
3547 if (bt_cb(next_skb)->tx_seq == tx_seq)
3548 return -EINVAL;
3549
836be934
AE
3550 next_tx_seq_offset = __seq_offset(chan,
3551 bt_cb(next_skb)->tx_seq, chan->buffer_seq);
bfbacc11
JPRV
3552
3553 if (next_tx_seq_offset > tx_seq_offset) {
f1c6775b 3554 __skb_queue_before(&chan->srej_q, next_skb, skb);
9b53350d 3555 return 0;
8f17154f
GP
3556 }
3557
f1c6775b 3558 if (skb_queue_is_last(&chan->srej_q, next_skb))
8f17154f
GP
3559 break;
3560
f1c6775b 3561 } while ((next_skb = skb_queue_next(&chan->srej_q, next_skb)));
8f17154f 3562
f1c6775b 3563 __skb_queue_tail(&chan->srej_q, skb);
9b53350d
JPRV
3564
3565 return 0;
8f17154f
GP
3566}
3567
84084a31
MM
3568static void append_skb_frag(struct sk_buff *skb,
3569 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 3570{
84084a31
MM
3571 /* skb->len reflects data in skb as well as all fragments
3572 * skb->data_len reflects only data in fragments
3573 */
3574 if (!skb_has_frag_list(skb))
3575 skb_shinfo(skb)->frag_list = new_frag;
3576
3577 new_frag->next = NULL;
3578
3579 (*last_frag)->next = new_frag;
3580 *last_frag = new_frag;
3581
3582 skb->len += new_frag->len;
3583 skb->data_len += new_frag->len;
3584 skb->truesize += new_frag->truesize;
3585}
3586
88843ab0 3587static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u32 control)
84084a31
MM
3588{
3589 int err = -EINVAL;
18778a63 3590
7e0ef6ee
AE
3591 switch (__get_ctrl_sar(chan, control)) {
3592 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM
3593 if (chan->sdu)
3594 break;
18778a63 3595
84084a31
MM
3596 err = chan->ops->recv(chan->data, skb);
3597 break;
18778a63 3598
7e0ef6ee 3599 case L2CAP_SAR_START:
84084a31
MM
3600 if (chan->sdu)
3601 break;
18778a63 3602
6f61fd47 3603 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 3604 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 3605
84084a31
MM
3606 if (chan->sdu_len > chan->imtu) {
3607 err = -EMSGSIZE;
3608 break;
3609 }
1890d36b 3610
84084a31
MM
3611 if (skb->len >= chan->sdu_len)
3612 break;
18778a63 3613
84084a31
MM
3614 chan->sdu = skb;
3615 chan->sdu_last_frag = skb;
18778a63 3616
84084a31
MM
3617 skb = NULL;
3618 err = 0;
18778a63
GP
3619 break;
3620
7e0ef6ee 3621 case L2CAP_SAR_CONTINUE:
6f61fd47 3622 if (!chan->sdu)
84084a31 3623 break;
18778a63 3624
84084a31
MM
3625 append_skb_frag(chan->sdu, skb,
3626 &chan->sdu_last_frag);
3627 skb = NULL;
18778a63 3628
84084a31
MM
3629 if (chan->sdu->len >= chan->sdu_len)
3630 break;
4178ba46 3631
84084a31 3632 err = 0;
18778a63
GP
3633 break;
3634
7e0ef6ee 3635 case L2CAP_SAR_END:
6f61fd47 3636 if (!chan->sdu)
84084a31 3637 break;
18778a63 3638
84084a31
MM
3639 append_skb_frag(chan->sdu, skb,
3640 &chan->sdu_last_frag);
3641 skb = NULL;
4178ba46 3642
84084a31
MM
3643 if (chan->sdu->len != chan->sdu_len)
3644 break;
18778a63 3645
84084a31 3646 err = chan->ops->recv(chan->data, chan->sdu);
1890d36b 3647
84084a31
MM
3648 if (!err) {
3649 /* Reassembly complete */
3650 chan->sdu = NULL;
3651 chan->sdu_last_frag = NULL;
3652 chan->sdu_len = 0;
1890d36b 3653 }
18778a63
GP
3654 break;
3655 }
3656
84084a31
MM
3657 if (err) {
3658 kfree_skb(skb);
3659 kfree_skb(chan->sdu);
3660 chan->sdu = NULL;
3661 chan->sdu_last_frag = NULL;
3662 chan->sdu_len = 0;
3663 }
18778a63 3664
84084a31 3665 return err;
18778a63
GP
3666}
3667
26f880d2 3668static void l2cap_ertm_enter_local_busy(struct l2cap_chan *chan)
712132eb 3669{
88843ab0 3670 u32 control;
712132eb 3671
26f880d2 3672 BT_DBG("chan %p, Enter local busy", chan);
712132eb 3673
26f880d2
MM
3674 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3675
0b209fae 3676 control = __set_reqseq(chan, chan->buffer_seq);
ab784b73 3677 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
26f880d2
MM
3678 l2cap_send_sframe(chan, control);
3679
3680 set_bit(CONN_RNR_SENT, &chan->conn_state);
3681
3682 __clear_ack_timer(chan);
3683}
3684
3685static void l2cap_ertm_exit_local_busy(struct l2cap_chan *chan)
3686{
88843ab0 3687 u32 control;
712132eb 3688
e2ab4353 3689 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
712132eb
GP
3690 goto done;
3691
0b209fae 3692 control = __set_reqseq(chan, chan->buffer_seq);
e3781735 3693 control |= __set_ctrl_poll(chan);
ab784b73 3694 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 3695 l2cap_send_sframe(chan, control);
6a026610 3696 chan->retry_count = 1;
712132eb 3697
1a09bcb9
GP
3698 __clear_retrans_timer(chan);
3699 __set_monitor_timer(chan);
712132eb 3700
e2ab4353 3701 set_bit(CONN_WAIT_F, &chan->conn_state);
712132eb
GP
3702
3703done:
e2ab4353
GP
3704 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3705 clear_bit(CONN_RNR_SENT, &chan->conn_state);
712132eb 3706
49208c9c 3707 BT_DBG("chan %p, Exit local busy", chan);
712132eb
GP
3708}
3709
e328140f 3710void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
1890d36b 3711{
e328140f
MM
3712 if (chan->mode == L2CAP_MODE_ERTM) {
3713 if (busy)
3714 l2cap_ertm_enter_local_busy(chan);
3715 else
3716 l2cap_ertm_exit_local_busy(chan);
1890d36b 3717 }
1890d36b
GP
3718}
3719
fb45de7d 3720static void l2cap_check_srej_gap(struct l2cap_chan *chan, u16 tx_seq)
8f17154f
GP
3721{
3722 struct sk_buff *skb;
88843ab0 3723 u32 control;
8f17154f 3724
e328140f
MM
3725 while ((skb = skb_peek(&chan->srej_q)) &&
3726 !test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3727 int err;
3728
8f17154f
GP
3729 if (bt_cb(skb)->tx_seq != tx_seq)
3730 break;
3731
f1c6775b 3732 skb = skb_dequeue(&chan->srej_q);
7e0ef6ee 3733 control = __set_ctrl_sar(chan, bt_cb(skb)->sar);
84084a31 3734 err = l2cap_reassemble_sdu(chan, skb, control);
e328140f
MM
3735
3736 if (err < 0) {
3737 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3738 break;
3739 }
3740
836be934
AE
3741 chan->buffer_seq_srej = __next_seq(chan, chan->buffer_seq_srej);
3742 tx_seq = __next_seq(chan, tx_seq);
8f17154f
GP
3743 }
3744}
3745
fb45de7d 3746static void l2cap_resend_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 3747{
8f17154f 3748 struct srej_list *l, *tmp;
88843ab0 3749 u32 control;
8f17154f 3750
39d5a3ee 3751 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
8f17154f
GP
3752 if (l->tx_seq == tx_seq) {
3753 list_del(&l->list);
3754 kfree(l);
3755 return;
3756 }
ab784b73 3757 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 3758 control |= __set_reqseq(chan, l->tx_seq);
525cd185 3759 l2cap_send_sframe(chan, control);
8f17154f 3760 list_del(&l->list);
39d5a3ee 3761 list_add_tail(&l->list, &chan->srej_l);
8f17154f
GP
3762 }
3763}
3764
fb45de7d 3765static void l2cap_send_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 3766{
8f17154f 3767 struct srej_list *new;
88843ab0 3768 u32 control;
8f17154f 3769
42e5c802 3770 while (tx_seq != chan->expected_tx_seq) {
ab784b73 3771 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 3772 control |= __set_reqseq(chan, chan->expected_tx_seq);
525cd185 3773 l2cap_send_sframe(chan, control);
8f17154f
GP
3774
3775 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
42e5c802 3776 new->tx_seq = chan->expected_tx_seq;
836be934
AE
3777
3778 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
3779
39d5a3ee 3780 list_add_tail(&new->list, &chan->srej_l);
8f17154f 3781 }
836be934
AE
3782
3783 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
8f17154f
GP
3784}
3785
88843ab0 3786static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
1c2acffb 3787{
fb45de7d 3788 u16 tx_seq = __get_txseq(chan, rx_control);
0b209fae 3789 u16 req_seq = __get_reqseq(chan, rx_control);
7e0ef6ee 3790 u8 sar = __get_ctrl_sar(chan, rx_control);
f6337c77 3791 int tx_seq_offset, expected_tx_seq_offset;
47d1ec61 3792 int num_to_ack = (chan->tx_win/6) + 1;
1c2acffb
GP
3793 int err = 0;
3794
88843ab0 3795 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%8.8x", chan, skb->len,
525cd185 3796 tx_seq, rx_control);
1c2acffb 3797
03f6715d 3798 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 3799 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 3800 __clear_monitor_timer(chan);
6a026610 3801 if (chan->unacked_frames > 0)
1a09bcb9 3802 __set_retrans_timer(chan);
e2ab4353 3803 clear_bit(CONN_WAIT_F, &chan->conn_state);
1d8f5d16
GP
3804 }
3805
42e5c802
GP
3806 chan->expected_ack_seq = req_seq;
3807 l2cap_drop_acked_frames(chan);
9f121a5a 3808
836be934 3809 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
9b53350d
JPRV
3810
3811 /* invalid tx_seq */
47d1ec61 3812 if (tx_seq_offset >= chan->tx_win) {
8c1d787b 3813 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
9b53350d
JPRV
3814 goto drop;
3815 }
3816
e2ab4353 3817 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1890d36b
GP
3818 goto drop;
3819
02f1b641
MM
3820 if (tx_seq == chan->expected_tx_seq)
3821 goto expected;
3822
e2ab4353 3823 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
8f17154f 3824 struct srej_list *first;
30afb5b2 3825
39d5a3ee 3826 first = list_first_entry(&chan->srej_l,
8f17154f
GP
3827 struct srej_list, list);
3828 if (tx_seq == first->tx_seq) {
42e5c802 3829 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
525cd185 3830 l2cap_check_srej_gap(chan, tx_seq);
8f17154f
GP
3831
3832 list_del(&first->list);
3833 kfree(first);
3834
39d5a3ee 3835 if (list_empty(&chan->srej_l)) {
42e5c802 3836 chan->buffer_seq = chan->buffer_seq_srej;
e2ab4353 3837 clear_bit(CONN_SREJ_SENT, &chan->conn_state);
525cd185 3838 l2cap_send_ack(chan);
49208c9c 3839 BT_DBG("chan %p, Exit SREJ_SENT", chan);
8f17154f
GP
3840 }
3841 } else {
3842 struct srej_list *l;
9b53350d
JPRV
3843
3844 /* duplicated tx_seq */
42e5c802 3845 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
9b53350d 3846 goto drop;
8f17154f 3847
39d5a3ee 3848 list_for_each_entry(l, &chan->srej_l, list) {
8f17154f 3849 if (l->tx_seq == tx_seq) {
525cd185 3850 l2cap_resend_srejframe(chan, tx_seq);
8f17154f
GP
3851 return 0;
3852 }
3853 }
525cd185 3854 l2cap_send_srejframe(chan, tx_seq);
30afb5b2
GP
3855 }
3856 } else {
836be934
AE
3857 expected_tx_seq_offset = __seq_offset(chan,
3858 chan->expected_tx_seq, chan->buffer_seq);
9b53350d
JPRV
3859
3860 /* duplicated tx_seq */
3861 if (tx_seq_offset < expected_tx_seq_offset)
3862 goto drop;
3863
e2ab4353 3864 set_bit(CONN_SREJ_SENT, &chan->conn_state);
1c2acffb 3865
49208c9c 3866 BT_DBG("chan %p, Enter SREJ", chan);
0e98958d 3867
39d5a3ee 3868 INIT_LIST_HEAD(&chan->srej_l);
42e5c802 3869 chan->buffer_seq_srej = chan->buffer_seq;
8f17154f 3870
f1c6775b 3871 __skb_queue_head_init(&chan->srej_q);
42e5c802 3872 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
8f17154f 3873
e2ab4353 3874 set_bit(CONN_SEND_PBIT, &chan->conn_state);
ef54fd93 3875
525cd185 3876 l2cap_send_srejframe(chan, tx_seq);
7fe9b298 3877
1a09bcb9 3878 __clear_ack_timer(chan);
1c2acffb 3879 }
30afb5b2
GP
3880 return 0;
3881
8f17154f 3882expected:
836be934 3883 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
8f17154f 3884
e2ab4353 3885 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3b1a9f3f
GP
3886 bt_cb(skb)->tx_seq = tx_seq;
3887 bt_cb(skb)->sar = sar;
f1c6775b 3888 __skb_queue_tail(&chan->srej_q, skb);
8f17154f
GP
3889 return 0;
3890 }
3891
84084a31 3892 err = l2cap_reassemble_sdu(chan, skb, rx_control);
836be934
AE
3893 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
3894
e328140f
MM
3895 if (err < 0) {
3896 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3897 return err;
3898 }
2ece3684 3899
03f6715d 3900 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3901 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3902 l2cap_retransmit_frames(chan);
4ec10d97
GP
3903 }
3904
1a09bcb9 3905 __set_ack_timer(chan);
c1b4f43b 3906
6a026610
GP
3907 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3908 if (chan->num_acked == num_to_ack - 1)
525cd185 3909 l2cap_send_ack(chan);
9e917af1 3910
8f17154f 3911 return 0;
9b53350d
JPRV
3912
3913drop:
3914 kfree_skb(skb);
3915 return 0;
1c2acffb
GP
3916}
3917
88843ab0 3918static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u32 rx_control)
1c2acffb 3919{
88843ab0 3920 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan,
0b209fae 3921 __get_reqseq(chan, rx_control), rx_control);
0e98958d 3922
0b209fae 3923 chan->expected_ack_seq = __get_reqseq(chan, rx_control);
42e5c802 3924 l2cap_drop_acked_frames(chan);
1c2acffb 3925
e3781735 3926 if (__is_ctrl_poll(chan, rx_control)) {
e2ab4353
GP
3927 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3928 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3929 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 3930 (chan->unacked_frames > 0))
1a09bcb9 3931 __set_retrans_timer(chan);
05fbd89d 3932
e2ab4353 3933 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
525cd185 3934 l2cap_send_srejtail(chan);
05fbd89d 3935 } else {
525cd185 3936 l2cap_send_i_or_rr_or_rnr(chan);
05fbd89d 3937 }
1d8f5d16 3938
03f6715d 3939 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3940 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4ec10d97 3941
e2ab4353 3942 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3943 l2cap_retransmit_frames(chan);
2246b2f1 3944
e072745f 3945 } else {
e2ab4353 3946 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 3947 (chan->unacked_frames > 0))
1a09bcb9 3948 __set_retrans_timer(chan);
1c2acffb 3949
e2ab4353
GP
3950 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3951 if (test_bit(CONN_SREJ_SENT, &chan->conn_state))
525cd185 3952 l2cap_send_ack(chan);
894718a6 3953 else
525cd185 3954 l2cap_ertm_send(chan);
e072745f
GP
3955 }
3956}
2246b2f1 3957
88843ab0 3958static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 3959{
0b209fae 3960 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 3961
88843ab0 3962 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 3963
e2ab4353 3964 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
e072745f 3965
42e5c802
GP
3966 chan->expected_ack_seq = tx_seq;
3967 l2cap_drop_acked_frames(chan);
e072745f 3968
03f6715d 3969 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3970 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3971 l2cap_retransmit_frames(chan);
e072745f 3972 } else {
525cd185 3973 l2cap_retransmit_frames(chan);
30afb5b2 3974
e2ab4353
GP
3975 if (test_bit(CONN_WAIT_F, &chan->conn_state))
3976 set_bit(CONN_REJ_ACT, &chan->conn_state);
e072745f
GP
3977 }
3978}
88843ab0 3979static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 3980{
0b209fae 3981 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 3982
88843ab0 3983 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 3984
e2ab4353 3985 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
2246b2f1 3986
e3781735 3987 if (__is_ctrl_poll(chan, rx_control)) {
42e5c802
GP
3988 chan->expected_ack_seq = tx_seq;
3989 l2cap_drop_acked_frames(chan);
3cb123d1 3990
e2ab4353 3991 set_bit(CONN_SEND_FBIT, &chan->conn_state);
525cd185 3992 l2cap_retransmit_one_frame(chan, tx_seq);
dfc909be 3993
525cd185 3994 l2cap_ertm_send(chan);
dfc909be 3995
e2ab4353 3996 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 3997 chan->srej_save_reqseq = tx_seq;
e2ab4353 3998 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 3999 }
03f6715d 4000 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4001 if (test_bit(CONN_SREJ_ACT, &chan->conn_state) &&
6a026610 4002 chan->srej_save_reqseq == tx_seq)
e2ab4353 4003 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
e072745f 4004 else
525cd185 4005 l2cap_retransmit_one_frame(chan, tx_seq);
e072745f 4006 } else {
525cd185 4007 l2cap_retransmit_one_frame(chan, tx_seq);
e2ab4353 4008 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 4009 chan->srej_save_reqseq = tx_seq;
e2ab4353 4010 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 4011 }
e072745f
GP
4012 }
4013}
4014
88843ab0 4015static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4016{
0b209fae 4017 u16 tx_seq = __get_reqseq(chan, rx_control);
e072745f 4018
88843ab0 4019 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4020
e2ab4353 4021 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
42e5c802
GP
4022 chan->expected_ack_seq = tx_seq;
4023 l2cap_drop_acked_frames(chan);
e072745f 4024
e3781735 4025 if (__is_ctrl_poll(chan, rx_control))
e2ab4353 4026 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3cb123d1 4027
e2ab4353 4028 if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
1a09bcb9 4029 __clear_retrans_timer(chan);
e3781735 4030 if (__is_ctrl_poll(chan, rx_control))
525cd185 4031 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
99b0d4b7 4032 return;
e072745f 4033 }
99b0d4b7 4034
e3781735 4035 if (__is_ctrl_poll(chan, rx_control)) {
525cd185 4036 l2cap_send_srejtail(chan);
ab784b73
AE
4037 } else {
4038 rx_control = __set_ctrl_super(chan, L2CAP_SUPER_RR);
4039 l2cap_send_sframe(chan, rx_control);
4040 }
e072745f
GP
4041}
4042
88843ab0 4043static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
e072745f 4044{
88843ab0 4045 BT_DBG("chan %p rx_control 0x%8.8x len %d", chan, rx_control, skb->len);
e072745f 4046
03f6715d 4047 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 4048 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 4049 __clear_monitor_timer(chan);
6a026610 4050 if (chan->unacked_frames > 0)
1a09bcb9 4051 __set_retrans_timer(chan);
e2ab4353 4052 clear_bit(CONN_WAIT_F, &chan->conn_state);
e072745f
GP
4053 }
4054
ab784b73
AE
4055 switch (__get_ctrl_super(chan, rx_control)) {
4056 case L2CAP_SUPER_RR:
525cd185 4057 l2cap_data_channel_rrframe(chan, rx_control);
8f17154f
GP
4058 break;
4059
ab784b73 4060 case L2CAP_SUPER_REJ:
525cd185 4061 l2cap_data_channel_rejframe(chan, rx_control);
e072745f 4062 break;
2246b2f1 4063
ab784b73 4064 case L2CAP_SUPER_SREJ:
525cd185 4065 l2cap_data_channel_srejframe(chan, rx_control);
e072745f
GP
4066 break;
4067
ab784b73 4068 case L2CAP_SUPER_RNR:
525cd185 4069 l2cap_data_channel_rnrframe(chan, rx_control);
1c2acffb
GP
4070 break;
4071 }
4072
faaebd19 4073 kfree_skb(skb);
1c2acffb
GP
4074 return 0;
4075}
4076
218bb9df
GP
4077static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
4078{
525cd185 4079 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
88843ab0 4080 u32 control;
0b209fae 4081 u16 req_seq;
218bb9df
GP
4082 int len, next_tx_seq_offset, req_seq_offset;
4083
88843ab0
AE
4084 control = __get_control(chan, skb->data);
4085 skb_pull(skb, __ctrl_size(chan));
218bb9df
GP
4086 len = skb->len;
4087
4088 /*
4089 * We can just drop the corrupted I-frame here.
4090 * Receiver will miss it and start proper recovery
4091 * procedures and ask retransmission.
4092 */
47d1ec61 4093 if (l2cap_check_fcs(chan, skb))
218bb9df
GP
4094 goto drop;
4095
793c2f1c 4096 if (__is_sar_start(chan, control) && !__is_sframe(chan, control))
03a51213 4097 len -= L2CAP_SDULEN_SIZE;
218bb9df 4098
47d1ec61 4099 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 4100 len -= L2CAP_FCS_SIZE;
218bb9df 4101
47d1ec61 4102 if (len > chan->mps) {
8c1d787b 4103 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP
4104 goto drop;
4105 }
4106
0b209fae 4107 req_seq = __get_reqseq(chan, control);
218bb9df 4108
836be934
AE
4109 req_seq_offset = __seq_offset(chan, req_seq, chan->expected_ack_seq);
4110
4111 next_tx_seq_offset = __seq_offset(chan, chan->next_tx_seq,
4112 chan->expected_ack_seq);
218bb9df
GP
4113
4114 /* check for invalid req-seq */
4115 if (req_seq_offset > next_tx_seq_offset) {
8c1d787b 4116 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP
4117 goto drop;
4118 }
4119
793c2f1c 4120 if (!__is_sframe(chan, control)) {
218bb9df 4121 if (len < 0) {
8c1d787b 4122 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP
4123 goto drop;
4124 }
4125
525cd185 4126 l2cap_data_channel_iframe(chan, control, skb);
218bb9df
GP
4127 } else {
4128 if (len != 0) {
4129 BT_ERR("%d", len);
8c1d787b 4130 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP
4131 goto drop;
4132 }
4133
525cd185 4134 l2cap_data_channel_sframe(chan, control, skb);
218bb9df
GP
4135 }
4136
4137 return 0;
4138
4139drop:
4140 kfree_skb(skb);
4141 return 0;
4142}
4143
1da177e4
LT
4144static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
4145{
48454079 4146 struct l2cap_chan *chan;
bf734843 4147 struct sock *sk = NULL;
88843ab0 4148 u32 control;
fb45de7d 4149 u16 tx_seq;
218bb9df 4150 int len;
1da177e4 4151
baa7e1fa 4152 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 4153 if (!chan) {
1da177e4
LT
4154 BT_DBG("unknown cid 0x%4.4x", cid);
4155 goto drop;
4156 }
4157
48454079 4158 sk = chan->sk;
6840ed07 4159
49208c9c 4160 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 4161
89bc500e 4162 if (chan->state != BT_CONNECTED)
1da177e4
LT
4163 goto drop;
4164
0c1bc5c6 4165 switch (chan->mode) {
1c2acffb
GP
4166 case L2CAP_MODE_BASIC:
4167 /* If socket recv buffers overflows we drop data here
4168 * which is *bad* because L2CAP has to be reliable.
4169 * But we don't have any other choice. L2CAP doesn't
4170 * provide flow control mechanism. */
1da177e4 4171
0c1bc5c6 4172 if (chan->imtu < skb->len)
1c2acffb 4173 goto drop;
1da177e4 4174
23070494 4175 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP
4176 goto done;
4177 break;
4178
4179 case L2CAP_MODE_ERTM:
218bb9df
GP
4180 if (!sock_owned_by_user(sk)) {
4181 l2cap_ertm_data_rcv(sk, skb);
277ffbe3 4182 } else {
218bb9df 4183 if (sk_add_backlog(sk, skb))
277ffbe3 4184 goto drop;
277ffbe3 4185 }
1c2acffb 4186
fcafde2e 4187 goto done;
1c2acffb 4188
6840ed07 4189 case L2CAP_MODE_STREAMING:
88843ab0
AE
4190 control = __get_control(chan, skb->data);
4191 skb_pull(skb, __ctrl_size(chan));
6840ed07
GP
4192 len = skb->len;
4193
47d1ec61 4194 if (l2cap_check_fcs(chan, skb))
26000089
GP
4195 goto drop;
4196
7e0ef6ee 4197 if (__is_sar_start(chan, control))
03a51213 4198 len -= L2CAP_SDULEN_SIZE;
6840ed07 4199
47d1ec61 4200 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 4201 len -= L2CAP_FCS_SIZE;
fcc203c3 4202
793c2f1c 4203 if (len > chan->mps || len < 0 || __is_sframe(chan, control))
6840ed07
GP
4204 goto drop;
4205
fb45de7d 4206 tx_seq = __get_txseq(chan, control);
6840ed07 4207
84084a31
MM
4208 if (chan->expected_tx_seq != tx_seq) {
4209 /* Frame(s) missing - must discard partial SDU */
4210 kfree_skb(chan->sdu);
4211 chan->sdu = NULL;
4212 chan->sdu_last_frag = NULL;
4213 chan->sdu_len = 0;
6840ed07 4214
84084a31
MM
4215 /* TODO: Notify userland of missing data */
4216 }
4217
836be934 4218 chan->expected_tx_seq = __next_seq(chan, tx_seq);
84084a31
MM
4219
4220 if (l2cap_reassemble_sdu(chan, skb, control) == -EMSGSIZE)
4221 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
6840ed07
GP
4222
4223 goto done;
4224
1c2acffb 4225 default:
0c1bc5c6 4226 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP
4227 break;
4228 }
1da177e4
LT
4229
4230drop:
4231 kfree_skb(skb);
4232
4233done:
0139418c
MH
4234 if (sk)
4235 bh_unlock_sock(sk);
4236
1da177e4
LT
4237 return 0;
4238}
4239
8e036fc3 4240static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 4241{
6dcae1ea 4242 struct sock *sk = NULL;
23691d75 4243 struct l2cap_chan *chan;
1da177e4 4244
23691d75
GP
4245 chan = l2cap_global_chan_by_psm(0, psm, conn->src);
4246 if (!chan)
1da177e4
LT
4247 goto drop;
4248
23691d75
GP
4249 sk = chan->sk;
4250
e0f0cb56
GP
4251 bh_lock_sock(sk);
4252
1da177e4
LT
4253 BT_DBG("sk %p, len %d", sk, skb->len);
4254
89bc500e 4255 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT
4256 goto drop;
4257
e13e21dc 4258 if (chan->imtu < skb->len)
1da177e4
LT
4259 goto drop;
4260
23070494 4261 if (!chan->ops->recv(chan->data, skb))
1da177e4
LT
4262 goto done;
4263
4264drop:
4265 kfree_skb(skb);
4266
4267done:
af05b30b
GP
4268 if (sk)
4269 bh_unlock_sock(sk);
1da177e4
LT
4270 return 0;
4271}
4272
9f69bda6
GP
4273static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
4274{
6dcae1ea 4275 struct sock *sk = NULL;
23691d75 4276 struct l2cap_chan *chan;
9f69bda6 4277
23691d75
GP
4278 chan = l2cap_global_chan_by_scid(0, cid, conn->src);
4279 if (!chan)
9f69bda6
GP
4280 goto drop;
4281
23691d75
GP
4282 sk = chan->sk;
4283
9f69bda6
GP
4284 bh_lock_sock(sk);
4285
4286 BT_DBG("sk %p, len %d", sk, skb->len);
4287
89bc500e 4288 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP
4289 goto drop;
4290
e13e21dc 4291 if (chan->imtu < skb->len)
9f69bda6
GP
4292 goto drop;
4293
23070494 4294 if (!chan->ops->recv(chan->data, skb))
9f69bda6
GP
4295 goto done;
4296
4297drop:
4298 kfree_skb(skb);
4299
4300done:
4301 if (sk)
4302 bh_unlock_sock(sk);
4303 return 0;
4304}
4305
1da177e4
LT
4306static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4307{
4308 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV
4309 u16 cid, len;
4310 __le16 psm;
1da177e4
LT
4311
4312 skb_pull(skb, L2CAP_HDR_SIZE);
4313 cid = __le16_to_cpu(lh->cid);
4314 len = __le16_to_cpu(lh->len);
4315
1c2acffb
GP
4316 if (len != skb->len) {
4317 kfree_skb(skb);
4318 return;
4319 }
4320
1da177e4
LT
4321 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4322
4323 switch (cid) {
3300d9a9 4324 case L2CAP_CID_LE_SIGNALING:
8db4dc46 4325 case L2CAP_CID_SIGNALING:
1da177e4
LT
4326 l2cap_sig_channel(conn, skb);
4327 break;
4328
8db4dc46 4329 case L2CAP_CID_CONN_LESS:
1b7bf4ed 4330 psm = get_unaligned_le16(skb->data);
1da177e4
LT
4331 skb_pull(skb, 2);
4332 l2cap_conless_channel(conn, psm, skb);
4333 break;
4334
9f69bda6
GP
4335 case L2CAP_CID_LE_DATA:
4336 l2cap_att_channel(conn, cid, skb);
4337 break;
4338
b501d6a1
AB
4339 case L2CAP_CID_SMP:
4340 if (smp_sig_channel(conn, skb))
4341 l2cap_conn_del(conn->hcon, EACCES);
4342 break;
4343
1da177e4
LT
4344 default:
4345 l2cap_data_channel(conn, cid, skb);
4346 break;
4347 }
4348}
4349
4350/* ---- L2CAP interface with lower layer (HCI) ---- */
4351
4352static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4353{
4354 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 4355 struct l2cap_chan *c;
1da177e4
LT
4356
4357 if (type != ACL_LINK)
963cf687 4358 return -EINVAL;
1da177e4
LT
4359
4360 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4361
4362 /* Find listening sockets and check their link_mode */
23691d75
GP
4363 read_lock(&chan_list_lock);
4364 list_for_each_entry(c, &chan_list, global_l) {
4365 struct sock *sk = c->sk;
4343478f 4366
89bc500e 4367 if (c->state != BT_LISTEN)
1da177e4
LT
4368 continue;
4369
4370 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4371 lm1 |= HCI_LM_ACCEPT;
43bd0f32 4372 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 4373 lm1 |= HCI_LM_MASTER;
1da177e4 4374 exact++;
2af6b9d5
MH
4375 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4376 lm2 |= HCI_LM_ACCEPT;
43bd0f32 4377 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH
4378 lm2 |= HCI_LM_MASTER;
4379 }
1da177e4 4380 }
23691d75 4381 read_unlock(&chan_list_lock);
1da177e4
LT
4382
4383 return exact ? lm1 : lm2;
4384}
4385
4386static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4387{
0139418c
MH
4388 struct l2cap_conn *conn;
4389
1da177e4
LT
4390 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4391
acd7d370 4392 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4393 return -EINVAL;
1da177e4
LT
4394
4395 if (!status) {
1da177e4
LT
4396 conn = l2cap_conn_add(hcon, status);
4397 if (conn)
4398 l2cap_conn_ready(conn);
0139418c 4399 } else
e175072f 4400 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT
4401
4402 return 0;
4403}
4404
2950f21a
MH
4405static int l2cap_disconn_ind(struct hci_conn *hcon)
4406{
4407 struct l2cap_conn *conn = hcon->l2cap_data;
4408
4409 BT_DBG("hcon %p", hcon);
4410
b5694506 4411 if ((hcon->type != ACL_LINK && hcon->type != LE_LINK) || !conn)
2950f21a
MH
4412 return 0x13;
4413
4414 return conn->disc_reason;
4415}
4416
4417static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT
4418{
4419 BT_DBG("hcon %p reason %d", hcon, reason);
4420
acd7d370 4421 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4422 return -EINVAL;
1da177e4 4423
e175072f 4424 l2cap_conn_del(hcon, bt_to_errno(reason));
0139418c 4425
1da177e4
LT
4426 return 0;
4427}
4428
4343478f 4429static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4430{
715ec005 4431 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH
4432 return;
4433
f62e4323 4434 if (encrypt == 0x00) {
4343478f 4435 if (chan->sec_level == BT_SECURITY_MEDIUM) {
c9b66675
GP
4436 __clear_chan_timer(chan);
4437 __set_chan_timer(chan, HZ * 5);
4343478f 4438 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 4439 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4440 } else {
4343478f 4441 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 4442 __clear_chan_timer(chan);
f62e4323
MH
4443 }
4444}
4445
8c1b2355 4446static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4447{
0139418c 4448 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4449 struct l2cap_chan *chan;
1da177e4 4450
0139418c 4451 if (!conn)
1da177e4 4452 return 0;
0139418c 4453
1da177e4
LT
4454 BT_DBG("conn %p", conn);
4455
160dc6ac
VCG
4456 if (hcon->type == LE_LINK) {
4457 smp_distribute_keys(conn, 0);
4458 del_timer(&conn->security_timer);
4459 }
4460
baa7e1fa 4461 read_lock(&conn->chan_lock);
1da177e4 4462
baa7e1fa 4463 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 4464 struct sock *sk = chan->sk;
baa7e1fa 4465
1da177e4
LT
4466 bh_lock_sock(sk);
4467
f1cb9af5
VCG
4468 BT_DBG("chan->scid %d", chan->scid);
4469
4470 if (chan->scid == L2CAP_CID_LE_DATA) {
4471 if (!status && encrypt) {
4472 chan->sec_level = hcon->sec_level;
4473 l2cap_chan_ready(sk);
4474 }
4475
4476 bh_unlock_sock(sk);
4477 continue;
4478 }
4479
c1360a1c 4480 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6a8d3010
MH
4481 bh_unlock_sock(sk);
4482 continue;
4483 }
4484
89bc500e
GP
4485 if (!status && (chan->state == BT_CONNECTED ||
4486 chan->state == BT_CONFIG)) {
4343478f 4487 l2cap_check_encryption(chan, encrypt);
9719f8af
MH
4488 bh_unlock_sock(sk);
4489 continue;
4490 }
4491
89bc500e 4492 if (chan->state == BT_CONNECT) {
b1235d79
MH
4493 if (!status) {
4494 struct l2cap_conn_req req;
fe4128e0
GP
4495 req.scid = cpu_to_le16(chan->scid);
4496 req.psm = chan->psm;
1da177e4 4497
fc7f8a7e 4498 chan->ident = l2cap_get_ident(conn);
c1360a1c 4499 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4 4500
fc7f8a7e 4501 l2cap_send_cmd(conn, chan->ident,
b1235d79
MH
4502 L2CAP_CONN_REQ, sizeof(req), &req);
4503 } else {
c9b66675
GP
4504 __clear_chan_timer(chan);
4505 __set_chan_timer(chan, HZ / 10);
b1235d79 4506 }
89bc500e 4507 } else if (chan->state == BT_CONNECT2) {
b1235d79 4508 struct l2cap_conn_rsp rsp;
df3c3931 4509 __u16 res, stat;
1da177e4 4510
b1235d79 4511 if (!status) {
df3c3931
JH
4512 if (bt_sk(sk)->defer_setup) {
4513 struct sock *parent = bt_sk(sk)->parent;
4514 res = L2CAP_CR_PEND;
4515 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK
4516 if (parent)
4517 parent->sk_data_ready(parent, 0);
df3c3931 4518 } else {
05558911 4519 l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH
4520 res = L2CAP_CR_SUCCESS;
4521 stat = L2CAP_CS_NO_INFO;
4522 }
b1235d79 4523 } else {
89bc500e 4524 l2cap_state_change(chan, BT_DISCONN);
c9b66675 4525 __set_chan_timer(chan, HZ / 10);
df3c3931
JH
4526 res = L2CAP_CR_SEC_BLOCK;
4527 stat = L2CAP_CS_NO_INFO;
b1235d79
MH
4528 }
4529
fe4128e0
GP
4530 rsp.scid = cpu_to_le16(chan->dcid);
4531 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH
4532 rsp.result = cpu_to_le16(res);
4533 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP
4534 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4535 sizeof(rsp), &rsp);
b1235d79 4536 }
1da177e4
LT
4537
4538 bh_unlock_sock(sk);
4539 }
4540
baa7e1fa 4541 read_unlock(&conn->chan_lock);
b1235d79 4542
1da177e4
LT
4543 return 0;
4544}
4545
4546static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4547{
4548 struct l2cap_conn *conn = hcon->l2cap_data;
4549
5a08ecce
AE
4550 if (!conn)
4551 conn = l2cap_conn_add(hcon, 0);
4552
4553 if (!conn)
1da177e4
LT
4554 goto drop;
4555
4556 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4557
e702112f 4558 if (!(flags & ACL_CONT)) {
1da177e4 4559 struct l2cap_hdr *hdr;
48454079 4560 struct l2cap_chan *chan;
89794813 4561 u16 cid;
1da177e4
LT
4562 int len;
4563
4564 if (conn->rx_len) {
4565 BT_ERR("Unexpected start frame (len %d)", skb->len);
4566 kfree_skb(conn->rx_skb);
4567 conn->rx_skb = NULL;
4568 conn->rx_len = 0;
4569 l2cap_conn_unreliable(conn, ECOMM);
4570 }
4571
aae7fe22
AE
4572 /* Start fragment always begin with Basic L2CAP header */
4573 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT
4574 BT_ERR("Frame is too short (len %d)", skb->len);
4575 l2cap_conn_unreliable(conn, ECOMM);
4576 goto drop;
4577 }
4578
4579 hdr = (struct l2cap_hdr *) skb->data;
4580 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
89794813 4581 cid = __le16_to_cpu(hdr->cid);
1da177e4
LT
4582
4583 if (len == skb->len) {
4584 /* Complete frame received */
4585 l2cap_recv_frame(conn, skb);
4586 return 0;
4587 }
4588
4589 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4590
4591 if (skb->len > len) {
4592 BT_ERR("Frame is too long (len %d, expected len %d)",
4593 skb->len, len);
4594 l2cap_conn_unreliable(conn, ECOMM);
4595 goto drop;
4596 }
4597
baa7e1fa 4598 chan = l2cap_get_chan_by_scid(conn, cid);
89794813 4599
48454079
GP
4600 if (chan && chan->sk) {
4601 struct sock *sk = chan->sk;
89794813 4602
0c1bc5c6 4603 if (chan->imtu < len - L2CAP_HDR_SIZE) {
48454079
GP
4604 BT_ERR("Frame exceeding recv MTU (len %d, "
4605 "MTU %d)", len,
0c1bc5c6 4606 chan->imtu);
48454079
GP
4607 bh_unlock_sock(sk);
4608 l2cap_conn_unreliable(conn, ECOMM);
4609 goto drop;
4610 }
89794813 4611 bh_unlock_sock(sk);
48454079 4612 }
89794813 4613
1da177e4 4614 /* Allocate skb for the complete frame (with header) */
af05b30b
GP
4615 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4616 if (!conn->rx_skb)
1da177e4
LT
4617 goto drop;
4618
d626f62b 4619 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4620 skb->len);
1da177e4
LT
4621 conn->rx_len = len - skb->len;
4622 } else {
4623 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4624
4625 if (!conn->rx_len) {
4626 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4627 l2cap_conn_unreliable(conn, ECOMM);
4628 goto drop;
4629 }
4630
4631 if (skb->len > conn->rx_len) {
4632 BT_ERR("Fragment is too long (len %d, expected %d)",
4633 skb->len, conn->rx_len);
4634 kfree_skb(conn->rx_skb);
4635 conn->rx_skb = NULL;
4636 conn->rx_len = 0;
4637 l2cap_conn_unreliable(conn, ECOMM);
4638 goto drop;
4639 }
4640
d626f62b 4641 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4642 skb->len);
1da177e4
LT
4643 conn->rx_len -= skb->len;
4644
4645 if (!conn->rx_len) {
4646 /* Complete frame received */
4647 l2cap_recv_frame(conn, conn->rx_skb);
4648 conn->rx_skb = NULL;
4649 }
4650 }
4651
4652drop:
4653 kfree_skb(skb);
4654 return 0;
4655}
4656
aef7d97c 4657static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 4658{
23691d75 4659 struct l2cap_chan *c;
1da177e4 4660
23691d75 4661 read_lock_bh(&chan_list_lock);
1da177e4 4662
23691d75
GP
4663 list_for_each_entry(c, &chan_list, global_l) {
4664 struct sock *sk = c->sk;
101545f6 4665
903d343e 4666 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH
4667 batostr(&bt_sk(sk)->src),
4668 batostr(&bt_sk(sk)->dst),
89bc500e 4669 c->state, __le16_to_cpu(c->psm),
23691d75
GP
4670 c->scid, c->dcid, c->imtu, c->omtu,
4671 c->sec_level, c->mode);
05558911 4672}
1da177e4 4673
23691d75 4674 read_unlock_bh(&chan_list_lock);
1da177e4 4675
aef7d97c 4676 return 0;
1da177e4
LT
4677}
4678
aef7d97c
MH
4679static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4680{
4681 return single_open(file, l2cap_debugfs_show, inode->i_private);
4682}
4683
4684static const struct file_operations l2cap_debugfs_fops = {
4685 .open = l2cap_debugfs_open,
4686 .read = seq_read,
4687 .llseek = seq_lseek,
4688 .release = single_release,
4689};
4690
4691static struct dentry *l2cap_debugfs;
1da177e4 4692
1da177e4
LT
4693static struct hci_proto l2cap_hci_proto = {
4694 .name = "L2CAP",
4695 .id = HCI_PROTO_L2CAP,
4696 .connect_ind = l2cap_connect_ind,
4697 .connect_cfm = l2cap_connect_cfm,
4698 .disconn_ind = l2cap_disconn_ind,
2950f21a 4699 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 4700 .security_cfm = l2cap_security_cfm,
1da177e4
LT
4701 .recv_acldata = l2cap_recv_acldata
4702};
4703
64274518 4704int __init l2cap_init(void)
1da177e4
LT
4705{
4706 int err;
be9d1227 4707
bb58f747 4708 err = l2cap_init_sockets();
1da177e4
LT
4709 if (err < 0)
4710 return err;
4711
1da177e4
LT
4712 err = hci_register_proto(&l2cap_hci_proto);
4713 if (err < 0) {
4714 BT_ERR("L2CAP protocol registration failed");
4715 bt_sock_unregister(BTPROTO_L2CAP);
4716 goto error;
4717 }
4718
aef7d97c
MH
4719 if (bt_debugfs) {
4720 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4721 bt_debugfs, NULL, &l2cap_debugfs_fops);
4722 if (!l2cap_debugfs)
4723 BT_ERR("Failed to create L2CAP debug file");
4724 }
1da177e4 4725
1da177e4
LT
4726 return 0;
4727
4728error:
bb58f747 4729 l2cap_cleanup_sockets();
1da177e4
LT
4730 return err;
4731}
4732
64274518 4733void l2cap_exit(void)
1da177e4 4734{
aef7d97c 4735 debugfs_remove(l2cap_debugfs);
1da177e4 4736
1da177e4
LT
4737 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4738 BT_ERR("L2CAP protocol unregistration failed");
4739
bb58f747 4740 l2cap_cleanup_sockets();
1da177e4
LT
4741}
4742
d1c4a17d
GP
4743module_param(disable_ertm, bool, 0644);
4744MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
a5fd6f30
AE
4745
4746module_param(enable_hs, bool, 0644);
4747MODULE_PARM_DESC(enable_hs, "Enable High Speed");