projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Add l2cap_chan_lock
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
1da177e4
LT		 7
8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License version 2 as
12 published by the Free Software Foundation;
13
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22
8e87d142
YH		 23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 25 SOFTWARE IS DISCLAIMED.
26*/
27
bb58f747 28/* Bluetooth L2CAP core. */
1da177e4 29
1da177e4
LT		 30#include <linux/module.h>
31
32#include <linux/types.h>
4fc268d2 33#include <linux/capability.h>
1da177e4
LT		 34#include <linux/errno.h>
35#include <linux/kernel.h>
1da177e4
LT		 36#include <linux/sched.h>
37#include <linux/slab.h>
38#include <linux/poll.h>
39#include <linux/fcntl.h>
40#include <linux/init.h>
41#include <linux/interrupt.h>
42#include <linux/socket.h>
43#include <linux/skbuff.h>
1da177e4 44#include <linux/list.h>
be9d1227 45#include <linux/device.h>
aef7d97c
MH		 46#include <linux/debugfs.h>
47#include <linux/seq_file.h>
af05b30b 48#include <linux/uaccess.h>
fcc203c3 49#include <linux/crc16.h>
1da177e4
LT		 50#include <net/sock.h>
51
52#include <asm/system.h>
1da177e4
LT		 53#include <asm/unaligned.h>
54
55#include <net/bluetooth/bluetooth.h>
56#include <net/bluetooth/hci_core.h>
57#include <net/bluetooth/l2cap.h>
b501d6a1 58#include <net/bluetooth/smp.h>
1da177e4 59
eb939922 60bool disable_ertm;
f0709e03 61
47ec1dcd 62static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 63static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 64
b5ad8b7f
JB		 65static LIST_HEAD(chan_list);
66static DEFINE_RWLOCK(chan_list_lock);
1da177e4 67
1da177e4
LT		 68static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
69 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 70static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
71 void *data);
710f9b0a 72static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a
GP		 73static void l2cap_send_disconn_req(struct l2cap_conn *conn,
74 struct l2cap_chan *chan, int err);
1da177e4 75
0139418c 76/* ---- L2CAP channels ---- */
71ba0e56 77
baa7e1fa 78static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 79{
3df91ea2 80 struct l2cap_chan *c;
3d57dc68 81
3df91ea2
AE		 82 list_for_each_entry(c, &conn->chan_l, list) {
83 if (c->dcid == cid)
84 return c;
0139418c 85 }
3df91ea2 86 return NULL;
0139418c
MH		 87}
88
baa7e1fa 89static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 90{
3df91ea2 91 struct l2cap_chan *c;
3d57dc68 92
3df91ea2
AE		 93 list_for_each_entry(c, &conn->chan_l, list) {
94 if (c->scid == cid)
95 return c;
0139418c 96 }
3df91ea2 97 return NULL;
0139418c
MH		 98}
99
100/* Find channel with given SCID.
101 * Returns locked socket */
baa7e1fa 102static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 103{
48454079 104 struct l2cap_chan *c;
baa7e1fa 105
3df91ea2 106 mutex_lock(&conn->chan_lock);
baa7e1fa 107 c = __l2cap_get_chan_by_scid(conn, cid);
3df91ea2
AE		 108 mutex_unlock(&conn->chan_lock);
109
48454079 110 return c;
0139418c
MH		 111}
112
baa7e1fa 113static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 114{
3df91ea2 115 struct l2cap_chan *c;
3d57dc68 116
3df91ea2
AE		 117 list_for_each_entry(c, &conn->chan_l, list) {
118 if (c->ident == ident)
119 return c;
0139418c 120 }
3df91ea2 121 return NULL;
0139418c
MH		 122}
123
baa7e1fa 124static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 125{
48454079 126 struct l2cap_chan *c;
baa7e1fa 127
3df91ea2 128 mutex_lock(&conn->chan_lock);
baa7e1fa 129 c = __l2cap_get_chan_by_ident(conn, ident);
3df91ea2
AE		 130 mutex_unlock(&conn->chan_lock);
131
48454079 132 return c;
0139418c
MH		 133}
134
23691d75 135static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 136{
23691d75 137 struct l2cap_chan *c;
9e4425ff 138
23691d75
GP		 139 list_for_each_entry(c, &chan_list, global_l) {
140 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 141 return c;
9e4425ff 142 }
250938cb 143 return NULL;
9e4425ff
GP		 144}
145
146int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
147{
73b2ec18
GP		 148 int err;
149
333055f2 150 write_lock(&chan_list_lock);
9e4425ff 151
23691d75 152 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 153 err = -EADDRINUSE;
154 goto done;
9e4425ff
GP		 155 }
156
73b2ec18
GP		 157 if (psm) {
158 chan->psm = psm;
159 chan->sport = psm;
160 err = 0;
161 } else {
162 u16 p;
163
164 err = -EINVAL;
165 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 166 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 167 chan->psm = cpu_to_le16(p);
168 chan->sport = cpu_to_le16(p);
169 err = 0;
170 break;
171 }
172 }
9e4425ff 173
73b2ec18 174done:
333055f2 175 write_unlock(&chan_list_lock);
73b2ec18 176 return err;
9e4425ff
GP		 177}
178
179int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
180{
333055f2 181 write_lock(&chan_list_lock);
9e4425ff
GP		 182
183 chan->scid = scid;
184
333055f2 185 write_unlock(&chan_list_lock);
9e4425ff
GP		 186
187 return 0;
188}
189
baa7e1fa 190static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 191{
8db4dc46 192 u16 cid = L2CAP_CID_DYN_START;
0139418c 193
8db4dc46 194 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 195 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 196 return cid;
197 }
198
199 return 0;
200}
201
89bc500e
GP		 202static void l2cap_state_change(struct l2cap_chan *chan, int state)
203{
42d2d87c 204 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
badaaa00
GP		 205 state_to_string(state));
206
89bc500e
GP		 207 chan->state = state;
208 chan->ops->state_change(chan->data, state);
209}
210
721c4181 211static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 212{
721c4181
GP		 213 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
214 chan_timer.work);
3df91ea2 215 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 216 struct sock *sk = chan->sk;
217 int reason;
218
e05dcc32 219 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 220
3df91ea2 221 mutex_lock(&conn->chan_lock);
721c4181 222 lock_sock(sk);
ab07801d 223
89bc500e 224 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 225 reason = ECONNREFUSED;
89bc500e 226 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 227 chan->sec_level != BT_SECURITY_SDP)
228 reason = ECONNREFUSED;
229 else
230 reason = ETIMEDOUT;
231
0f852724 232 l2cap_chan_close(chan, reason);
ab07801d 233
721c4181 234 release_sock(sk);
ab07801d 235
ba3bd0ee 236 chan->ops->close(chan->data);
3df91ea2
AE		 237 mutex_unlock(&conn->chan_lock);
238
371fd835 239 l2cap_chan_put(chan);
ab07801d
GP		 240}
241
23691d75 242struct l2cap_chan *l2cap_chan_create(struct sock *sk)
48454079
GP		 243{
244 struct l2cap_chan *chan;
245
246 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
247 if (!chan)
248 return NULL;
249
c03b355e
AE		 250 mutex_init(&chan->lock);
251
48454079
GP		 252 chan->sk = sk;
253
333055f2 254 write_lock(&chan_list_lock);
23691d75 255 list_add(&chan->global_l, &chan_list);
333055f2 256 write_unlock(&chan_list_lock);
23691d75 257
721c4181 258 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 259
89bc500e
GP		 260 chan->state = BT_OPEN;
261
71ba0e56
GP		 262 atomic_set(&chan->refcnt, 1);
263
abc545b8
SJ		 264 BT_DBG("sk %p chan %p", sk, chan);
265
48454079
GP		 266 return chan;
267}
268
23691d75 269void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 270{
333055f2 271 write_lock(&chan_list_lock);
23691d75 272 list_del(&chan->global_l);
333055f2 273 write_unlock(&chan_list_lock);
23691d75 274
371fd835 275 l2cap_chan_put(chan);
6ff5abbf
GP		 276}
277
3d57dc68 278static void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 279{
af05b30b 280 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
fe4128e0 281 chan->psm, chan->dcid);
0139418c 282
9f5a0d7b 283 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 284
8c1d787b 285 chan->conn = conn;
0139418c 286
5491120e
AE		 287 switch (chan->chan_type) {
288 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 289 if (conn->hcon->type == LE_LINK) {
290 /* LE connection */
0c1bc5c6 291 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 292 chan->scid = L2CAP_CID_LE_DATA;
293 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 294 } else {
295 /* Alloc CID for connection-oriented socket */
fe4128e0 296 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 297 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 298 }
5491120e
AE		 299 break;
300
301 case L2CAP_CHAN_CONN_LESS:
0139418c 302 /* Connectionless socket */
fe4128e0
GP		 303 chan->scid = L2CAP_CID_CONN_LESS;
304 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 305 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 306 break;
307
308 default:
0139418c 309 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 310 chan->scid = L2CAP_CID_SIGNALING;
311 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 312 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 313 }
314
8f7975b1
AE		 315 chan->local_id = L2CAP_BESTEFFORT_ID;
316 chan->local_stype = L2CAP_SERV_BESTEFFORT;
317 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
318 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
319 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
320 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
321
371fd835 322 l2cap_chan_hold(chan);
baa7e1fa 323
3df91ea2
AE		 324 mutex_lock(&conn->chan_lock);
325 list_add(&chan->list, &conn->chan_l);
326 mutex_unlock(&conn->chan_lock);
0139418c
MH		 327}
328
8e87d142 329/* Delete channel.
0139418c 330 * Must be called on the locked socket. */
4519de9a 331static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 332{
48454079 333 struct sock *sk = chan->sk;
8c1d787b 334 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 335 struct sock *parent = bt_sk(sk)->parent;
336
c9b66675 337 __clear_chan_timer(chan);
0139418c 338
49208c9c 339 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 340
8e87d142 341 if (conn) {
baa7e1fa 342 /* Delete from channel list */
3df91ea2 343 list_del(&chan->list);
3d57dc68 344
371fd835 345 l2cap_chan_put(chan);
baa7e1fa 346
8c1d787b 347 chan->conn = NULL;
0139418c
MH		 348 hci_conn_put(conn->hcon);
349 }
350
89bc500e 351 l2cap_state_change(chan, BT_CLOSED);
0139418c
MH		 352 sock_set_flag(sk, SOCK_ZAPPED);
353
354 if (err)
355 sk->sk_err = err;
356
357 if (parent) {
358 bt_accept_unlink(sk);
359 parent->sk_data_ready(parent, 0);
360 } else
361 sk->sk_state_change(sk);
c13ffa62 362
c1360a1c
GP		 363 if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
364 test_bit(CONF_INPUT_DONE, &chan->conf_state)))
6ff5abbf 365 return;
2ead70b8 366
58d35f87 367 skb_queue_purge(&chan->tx_q);
c13ffa62 368
0c1bc5c6 369 if (chan->mode == L2CAP_MODE_ERTM) {
c13ffa62
GP		 370 struct srej_list *l, *tmp;
371
1a09bcb9
GP		 372 __clear_retrans_timer(chan);
373 __clear_monitor_timer(chan);
374 __clear_ack_timer(chan);
c13ffa62 375
f1c6775b 376 skb_queue_purge(&chan->srej_q);
c13ffa62 377
39d5a3ee 378 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
c13ffa62
GP		 379 list_del(&l->list);
380 kfree(l);
381 }
382 }
0139418c
MH		 383}
384
4519de9a
GP		 385static void l2cap_chan_cleanup_listen(struct sock *parent)
386{
387 struct sock *sk;
388
389 BT_DBG("parent %p", parent);
390
391 /* Close not yet accepted channels */
0f852724 392 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee 393 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
3df91ea2 394
c9b66675 395 __clear_chan_timer(chan);
0f852724 396 lock_sock(sk);
ba3bd0ee 397 l2cap_chan_close(chan, ECONNRESET);
0f852724 398 release_sock(sk);
3df91ea2 399
ba3bd0ee 400 chan->ops->close(chan->data);
0f852724 401 }
4519de9a
GP		 402}
403
0f852724 404void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 405{
406 struct l2cap_conn *conn = chan->conn;
407 struct sock *sk = chan->sk;
408
e05dcc32
AE		 409 BT_DBG("chan %p state %s sk %p", chan,
410 state_to_string(chan->state), sk);
4519de9a 411
89bc500e 412 switch (chan->state) {
4519de9a
GP		 413 case BT_LISTEN:
414 l2cap_chan_cleanup_listen(sk);
89bc500e
GP		 415
416 l2cap_state_change(chan, BT_CLOSED);
417 sock_set_flag(sk, SOCK_ZAPPED);
4519de9a
GP		 418 break;
419
420 case BT_CONNECTED:
421 case BT_CONFIG:
715ec005 422 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 423 conn->hcon->type == ACL_LINK) {
c9b66675
GP		 424 __clear_chan_timer(chan);
425 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 426 l2cap_send_disconn_req(conn, chan, reason);
427 } else
428 l2cap_chan_del(chan, reason);
429 break;
430
431 case BT_CONNECT2:
715ec005 432 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 433 conn->hcon->type == ACL_LINK) {
434 struct l2cap_conn_rsp rsp;
435 __u16 result;
436
437 if (bt_sk(sk)->defer_setup)
438 result = L2CAP_CR_SEC_BLOCK;
439 else
440 result = L2CAP_CR_BAD_PSM;
89bc500e 441 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 442
443 rsp.scid = cpu_to_le16(chan->dcid);
444 rsp.dcid = cpu_to_le16(chan->scid);
445 rsp.result = cpu_to_le16(result);
446 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
447 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
448 sizeof(rsp), &rsp);
449 }
450
451 l2cap_chan_del(chan, reason);
452 break;
453
454 case BT_CONNECT:
455 case BT_DISCONN:
456 l2cap_chan_del(chan, reason);
457 break;
458
459 default:
460 sock_set_flag(sk, SOCK_ZAPPED);
461 break;
462 }
463}
464
4343478f 465static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 466{
715ec005 467 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 468 switch (chan->sec_level) {
8556edd3
JH		 469 case BT_SECURITY_HIGH:
470 return HCI_AT_DEDICATED_BONDING_MITM;
471 case BT_SECURITY_MEDIUM:
472 return HCI_AT_DEDICATED_BONDING;
473 default:
474 return HCI_AT_NO_BONDING;
475 }
fe4128e0 476 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 477 if (chan->sec_level == BT_SECURITY_LOW)
478 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 479
4343478f 480 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 481 return HCI_AT_NO_BONDING_MITM;
00ae4af9 482 else
8556edd3 483 return HCI_AT_NO_BONDING;
00ae4af9 484 } else {
4343478f 485 switch (chan->sec_level) {
00ae4af9 486 case BT_SECURITY_HIGH:
8556edd3 487 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 488 case BT_SECURITY_MEDIUM:
8556edd3 489 return HCI_AT_GENERAL_BONDING;
00ae4af9 490 default:
8556edd3 491 return HCI_AT_NO_BONDING;
00ae4af9 492 }
0684e5f9 493 }
8556edd3
JH		 494}
495
496/* Service level security */
d45fc423 497int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 498{
8c1d787b 499 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 500 __u8 auth_type;
501
4343478f 502 auth_type = l2cap_get_auth_type(chan);
79d554a6 503
4343478f 504 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 505}
506
b5ad8b7f 507static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 508{
509 u8 id;
510
511 /* Get next available identificator.
512 * 1 - 128 are used by kernel.
513 * 129 - 199 are reserved.
514 * 200 - 254 are used by utilities like l2ping, etc.
515 */
516
333055f2 517 spin_lock(&conn->lock);
4e8402a3
MH		 518
519 if (++conn->tx_ident > 128)
520 conn->tx_ident = 1;
521
522 id = conn->tx_ident;
523
333055f2 524 spin_unlock(&conn->lock);
4e8402a3
MH		 525
526 return id;
527}
528
4519de9a 529static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 530{
531 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 532 u8 flags;
4e8402a3
MH		 533
534 BT_DBG("code 0x%2.2x", code);
535
536 if (!skb)
9a9c6a34 537 return;
4e8402a3 538
e702112f
AE		 539 if (lmp_no_flush_capable(conn->hcon->hdev))
540 flags = ACL_START_NO_FLUSH;
541 else
542 flags = ACL_START;
543
14b12d0b 544 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 545 skb->priority = HCI_PRIO_MAX;
14b12d0b 546
73d80deb
LAD		 547 hci_send_acl(conn->hchan, skb, flags);
548}
549
550static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
551{
552 struct hci_conn *hcon = chan->conn->hcon;
553 u16 flags;
554
555 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
556 skb->priority);
557
558 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
559 lmp_no_flush_capable(hcon->hdev))
560 flags = ACL_START_NO_FLUSH;
561 else
562 flags = ACL_START;
14b12d0b 563
73d80deb
LAD		 564 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
565 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 566}
567
88843ab0 568static inline void l2cap_send_sframe(struct l2cap_chan *chan, u32 control)
1c2acffb
GP		 569{
570 struct sk_buff *skb;
571 struct l2cap_hdr *lh;
8c1d787b 572 struct l2cap_conn *conn = chan->conn;
e4ca6d98 573 int count, hlen;
fcc203c3 574
89bc500e 575 if (chan->state != BT_CONNECTED)
c13ffa62
GP		 576 return;
577
e4ca6d98
AE		 578 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
579 hlen = L2CAP_EXT_HDR_SIZE;
580 else
581 hlen = L2CAP_ENH_HDR_SIZE;
582
47d1ec61 583 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 584 hlen += L2CAP_FCS_SIZE;
1c2acffb 585
88843ab0 586 BT_DBG("chan %p, control 0x%8.8x", chan, control);
1c2acffb 587
fcc203c3 588 count = min_t(unsigned int, conn->mtu, hlen);
793c2f1c
AE		 589
590 control |= __set_sframe(chan);
1c2acffb 591
e2ab4353 592 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 593 control |= __set_ctrl_final(chan);
9e917af1 594
e2ab4353 595 if (test_and_clear_bit(CONN_SEND_PBIT, &chan->conn_state))
e3781735 596 control |= __set_ctrl_poll(chan);
f0946ccf 597
1c2acffb
GP		 598 skb = bt_skb_alloc(count, GFP_ATOMIC);
599 if (!skb)
9a9c6a34 600 return;
1c2acffb
GP		 601
602 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 603 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
fe4128e0 604 lh->cid = cpu_to_le16(chan->dcid);
88843ab0
AE		 605
606 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
1c2acffb 607
47d1ec61 608 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 609 u16 fcs = crc16(0, (u8 *)lh, count - L2CAP_FCS_SIZE);
610 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 611 }
612
73d80deb
LAD		 613 skb->priority = HCI_PRIO_MAX;
614 l2cap_do_send(chan, skb);
1c2acffb
GP		 615}
616
88843ab0 617static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u32 control)
7e743090 618{
e2ab4353 619 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 620 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 621 set_bit(CONN_RNR_SENT, &chan->conn_state);
1890d36b 622 } else
ab784b73 623 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
7e743090 624
0b209fae 625 control |= __set_reqseq(chan, chan->buffer_seq);
2ab25cdd 626
525cd185 627 l2cap_send_sframe(chan, control);
7e743090
GP		 628}
629
b4450035 630static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 631{
c1360a1c 632 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 633}
634
fc7f8a7e 635static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 636{
8c1d787b 637 struct l2cap_conn *conn = chan->conn;
79d554a6
MH		 638
639 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 640 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
641 return;
642
d45fc423 643 if (l2cap_chan_check_security(chan) &&
4343478f 644 __l2cap_no_conn_pending(chan)) {
b1235d79 645 struct l2cap_conn_req req;
fe4128e0
GP		 646 req.scid = cpu_to_le16(chan->scid);
647 req.psm = chan->psm;
79d554a6 648
fc7f8a7e 649 chan->ident = l2cap_get_ident(conn);
c1360a1c 650 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
79d554a6 651
fc7f8a7e
GP		 652 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
653 sizeof(req), &req);
b1235d79 654 }
79d554a6
MH		 655 } else {
656 struct l2cap_info_req req;
657 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
658
659 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
660 conn->info_ident = l2cap_get_ident(conn);
661
030013d8 662 schedule_delayed_work(&conn->info_timer,
79d554a6
MH		 663 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
664
665 l2cap_send_cmd(conn, conn->info_ident,
666 L2CAP_INFO_REQ, sizeof(req), &req);
667 }
668}
669
cf6c2c0b
GP		 670static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
671{
672 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 673 if (!disable_ertm)
cf6c2c0b
GP		 674 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
675
676 switch (mode) {
677 case L2CAP_MODE_ERTM:
678 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
679 case L2CAP_MODE_STREAMING:
680 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
681 default:
682 return 0x00;
683 }
684}
685
4519de9a 686static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 687{
e92c8e70 688 struct sock *sk;
22121fc9
GP		 689 struct l2cap_disconn_req req;
690
c13ffa62
GP		 691 if (!conn)
692 return;
693
e92c8e70
GP		 694 sk = chan->sk;
695
0c1bc5c6 696 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 697 __clear_retrans_timer(chan);
698 __clear_monitor_timer(chan);
699 __clear_ack_timer(chan);
c13ffa62
GP		 700 }
701
fe4128e0
GP		 702 req.dcid = cpu_to_le16(chan->dcid);
703 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 704 l2cap_send_cmd(conn, l2cap_get_ident(conn),
705 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 706
89bc500e 707 l2cap_state_change(chan, BT_DISCONN);
9b108fc0 708 sk->sk_err = err;
22121fc9
GP		 709}
710
1da177e4 711/* ---- L2CAP connections ---- */
4e8402a3
MH		 712static void l2cap_conn_start(struct l2cap_conn *conn)
713{
3df91ea2 714 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 715
716 BT_DBG("conn %p", conn);
717
3df91ea2 718 mutex_lock(&conn->chan_lock);
4e8402a3 719
3df91ea2 720 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 721 struct sock *sk = chan->sk;
baa7e1fa 722
4e8402a3
MH		 723 bh_lock_sock(sk);
724
715ec005 725 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
79d554a6
MH		 726 bh_unlock_sock(sk);
727 continue;
728 }
729
89bc500e 730 if (chan->state == BT_CONNECT) {
47731de7 731 struct l2cap_conn_req req;
79d554a6 732
d45fc423 733 if (!l2cap_chan_check_security(chan) ||
b4450035 734 !__l2cap_no_conn_pending(chan)) {
47731de7
GP		 735 bh_unlock_sock(sk);
736 continue;
737 }
79d554a6 738
c1360a1c
GP		 739 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
740 && test_bit(CONF_STATE2_DEVICE,
741 &chan->conf_state)) {
0f852724 742 /* l2cap_chan_close() calls list_del(chan)
820ffdb3 743 * so release the lock */
89bc500e 744 l2cap_chan_close(chan, ECONNRESET);
47731de7
GP		 745 bh_unlock_sock(sk);
746 continue;
b1235d79 747 }
47731de7 748
fe4128e0
GP		 749 req.scid = cpu_to_le16(chan->scid);
750 req.psm = chan->psm;
47731de7 751
fc7f8a7e 752 chan->ident = l2cap_get_ident(conn);
c1360a1c 753 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
47731de7 754
fc7f8a7e
GP		 755 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
756 sizeof(req), &req);
47731de7 757
89bc500e 758 } else if (chan->state == BT_CONNECT2) {
79d554a6 759 struct l2cap_conn_rsp rsp;
e9aeb2dd 760 char buf[128];
fe4128e0
GP		 761 rsp.scid = cpu_to_le16(chan->dcid);
762 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 763
d45fc423 764 if (l2cap_chan_check_security(chan)) {
f66dc81f
MH		 765 if (bt_sk(sk)->defer_setup) {
766 struct sock *parent = bt_sk(sk)->parent;
767 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
768 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 769 if (parent)
770 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 771
772 } else {
89bc500e 773 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 774 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
775 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
776 }
79d554a6
MH		 777 } else {
778 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
779 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
780 }
781
fc7f8a7e
GP		 782 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
783 sizeof(rsp), &rsp);
e9aeb2dd 784
c1360a1c 785 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd
GP		 786 rsp.result != L2CAP_CR_SUCCESS) {
787 bh_unlock_sock(sk);
788 continue;
789 }
790
c1360a1c 791 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 792 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 793 l2cap_build_conf_req(chan, buf), buf);
794 chan->num_conf_req++;
4e8402a3
MH		 795 }
796
797 bh_unlock_sock(sk);
798 }
799
3df91ea2 800 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 801}
802
b62f328b
VT		 803/* Find socket with cid and source bdaddr.
804 * Returns closest match, locked.
805 */
23691d75 806static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
b62f328b 807{
23691d75 808 struct l2cap_chan *c, *c1 = NULL;
b62f328b 809
23691d75 810 read_lock(&chan_list_lock);
b62f328b 811
23691d75
GP		 812 list_for_each_entry(c, &chan_list, global_l) {
813 struct sock *sk = c->sk;
fe4128e0 814
89bc500e 815 if (state && c->state != state)
b62f328b
VT		 816 continue;
817
23691d75 818 if (c->scid == cid) {
b62f328b 819 /* Exact match. */
23691d75
GP		 820 if (!bacmp(&bt_sk(sk)->src, src)) {
821 read_unlock(&chan_list_lock);
822 return c;
823 }
b62f328b
VT		 824
825 /* Closest match */
826 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 827 c1 = c;
b62f328b
VT		 828 }
829 }
280f294f 830
23691d75 831 read_unlock(&chan_list_lock);
b62f328b 832
23691d75 833 return c1;
b62f328b
VT		 834}
835
836static void l2cap_le_conn_ready(struct l2cap_conn *conn)
837{
c916fbe4 838 struct sock *parent, *sk;
23691d75 839 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 840
841 BT_DBG("");
842
843 /* Check if we have socket listening on cid */
23691d75 844 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
b62f328b 845 conn->src);
23691d75 846 if (!pchan)
b62f328b
VT		 847 return;
848
23691d75
GP		 849 parent = pchan->sk;
850
aa2ac881 851 lock_sock(parent);
62f3a2cf 852
b62f328b
VT		 853 /* Check for backlog size */
854 if (sk_acceptq_is_full(parent)) {
855 BT_DBG("backlog full %d", parent->sk_ack_backlog);
856 goto clean;
857 }
858
80808e43
GP		 859 chan = pchan->ops->new_connection(pchan->data);
860 if (!chan)
b62f328b
VT		 861 goto clean;
862
80808e43 863 sk = chan->sk;
5d41ce1d 864
b62f328b
VT		 865 hci_conn_hold(conn->hcon);
866
b62f328b
VT		 867 bacpy(&bt_sk(sk)->src, conn->src);
868 bacpy(&bt_sk(sk)->dst, conn->dst);
869
d1010240
GP		 870 bt_accept_enqueue(parent, sk);
871
3d57dc68 872 l2cap_chan_add(conn, chan);
48454079 873
c9b66675 874 __set_chan_timer(chan, sk->sk_sndtimeo);
b62f328b 875
89bc500e 876 l2cap_state_change(chan, BT_CONNECTED);
b62f328b
VT		 877 parent->sk_data_ready(parent, 0);
878
b62f328b 879clean:
aa2ac881 880 release_sock(parent);
b62f328b
VT		 881}
882
cf4cd009 883static void l2cap_chan_ready(struct l2cap_chan *chan)
f1cb9af5 884{
cf4cd009 885 struct sock *sk = chan->sk;
f1cb9af5
VCG		 886 struct sock *parent = bt_sk(sk)->parent;
887
888 BT_DBG("sk %p, parent %p", sk, parent);
889
890 chan->conf_state = 0;
891 __clear_chan_timer(chan);
892
43f3dc41 893 l2cap_state_change(chan, BT_CONNECTED);
f1cb9af5
VCG		 894 sk->sk_state_change(sk);
895
896 if (parent)
897 parent->sk_data_ready(parent, 0);
898}
899
4e8402a3
MH		 900static void l2cap_conn_ready(struct l2cap_conn *conn)
901{
48454079 902 struct l2cap_chan *chan;
4e8402a3 903
79d554a6 904 BT_DBG("conn %p", conn);
4e8402a3 905
b62f328b
VT		 906 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
907 l2cap_le_conn_ready(conn);
908
160dc6ac
VCG		 909 if (conn->hcon->out && conn->hcon->type == LE_LINK)
910 smp_conn_security(conn, conn->hcon->pending_sec_level);
911
3df91ea2 912 mutex_lock(&conn->chan_lock);
4e8402a3 913
3df91ea2 914 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 915 struct sock *sk = chan->sk;
baa7e1fa 916
79d554a6 917 bh_lock_sock(sk);
4e8402a3 918
63128451 919 if (conn->hcon->type == LE_LINK) {
b501d6a1 920 if (smp_conn_security(conn, chan->sec_level))
cf4cd009 921 l2cap_chan_ready(chan);
acd7d370 922
63128451 923 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 924 __clear_chan_timer(chan);
89bc500e 925 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 926 sk->sk_state_change(sk);
b501d6a1 927
89bc500e 928 } else if (chan->state == BT_CONNECT)
fc7f8a7e 929 l2cap_do_start(chan);
4e8402a3 930
79d554a6 931 bh_unlock_sock(sk);
4e8402a3 932 }
79d554a6 933
3df91ea2 934 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 935}
936
937/* Notify sockets that we cannot guaranty reliability anymore */
938static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
939{
48454079 940 struct l2cap_chan *chan;
4e8402a3
MH		 941
942 BT_DBG("conn %p", conn);
943
3df91ea2 944 mutex_lock(&conn->chan_lock);
4e8402a3 945
3df91ea2 946 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 947 struct sock *sk = chan->sk;
baa7e1fa 948
ecf61bdb 949 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
4e8402a3
MH		 950 sk->sk_err = err;
951 }
952
3df91ea2 953 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 954}
955
f878fcad 956static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 957{
f878fcad 958 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
030013d8 959 info_timer.work);
4e8402a3 960
984947dc 961 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 962 conn->info_ident = 0;
984947dc 963
4e8402a3
MH		 964 l2cap_conn_start(conn);
965}
966
5d3de7df
VCG		 967static void l2cap_conn_del(struct hci_conn *hcon, int err)
968{
969 struct l2cap_conn *conn = hcon->l2cap_data;
970 struct l2cap_chan *chan, *l;
971 struct sock *sk;
972
973 if (!conn)
974 return;
975
976 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
977
978 kfree_skb(conn->rx_skb);
979
3df91ea2
AE		 980 mutex_lock(&conn->chan_lock);
981
5d3de7df
VCG		 982 /* Kill channels */
983 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
984 sk = chan->sk;
aa2ac881 985 lock_sock(sk);
5d3de7df 986 l2cap_chan_del(chan, err);
aa2ac881 987 release_sock(sk);
5d3de7df
VCG		 988 chan->ops->close(chan->data);
989 }
990
3df91ea2
AE		 991 mutex_unlock(&conn->chan_lock);
992
73d80deb
LAD		 993 hci_chan_del(conn->hchan);
994
5d3de7df 995 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 996 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 997
51a8efd7 998 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 999 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1000 smp_chan_destroy(conn);
d26a2345 1001 }
5d3de7df
VCG		 1002
1003 hcon->l2cap_data = NULL;
1004 kfree(conn);
1005}
1006
6c9d42a1 1007static void security_timeout(struct work_struct *work)
5d3de7df 1008{
6c9d42a1
GP		 1009 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1010 security_timer.work);
5d3de7df
VCG		 1011
1012 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1013}
1014
1da177e4
LT		 1015static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1016{
0139418c 1017 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1018 struct hci_chan *hchan;
1da177e4 1019
0139418c 1020 if (conn || status)
1da177e4
LT		 1021 return conn;
1022
73d80deb
LAD		 1023 hchan = hci_chan_create(hcon);
1024 if (!hchan)
1025 return NULL;
1026
0139418c 1027 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
73d80deb
LAD		 1028 if (!conn) {
1029 hci_chan_del(hchan);
1da177e4 1030 return NULL;
73d80deb 1031 }
1da177e4
LT		 1032
1033 hcon->l2cap_data = conn;
1034 conn->hcon = hcon;
73d80deb 1035 conn->hchan = hchan;
1da177e4 1036
73d80deb 1037 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1038
acd7d370
VT		 1039 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1040 conn->mtu = hcon->hdev->le_mtu;
1041 else
1042 conn->mtu = hcon->hdev->acl_mtu;
1043
1da177e4
LT		 1044 conn->src = &hcon->hdev->bdaddr;
1045 conn->dst = &hcon->dst;
1046
4e8402a3
MH		 1047 conn->feat_mask = 0;
1048
1da177e4 1049 spin_lock_init(&conn->lock);
3df91ea2 1050 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1051
1052 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1053
5d3de7df 1054 if (hcon->type == LE_LINK)
6c9d42a1 1055 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1056 else
030013d8 1057 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1058
9f5a0d7b 1059 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1060
1da177e4
LT		 1061 return conn;
1062}
1063
1da177e4 1064/* ---- Socket interface ---- */
1da177e4
LT		 1065
1066/* Find socket with psm and source bdaddr.
1067 * Returns closest match.
1068 */
23691d75 1069static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4 1070{
23691d75 1071 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1072
23691d75 1073 read_lock(&chan_list_lock);
e0f0cb56 1074
23691d75
GP		 1075 list_for_each_entry(c, &chan_list, global_l) {
1076 struct sock *sk = c->sk;
fe4128e0 1077
89bc500e 1078 if (state && c->state != state)
1da177e4
LT		 1079 continue;
1080
23691d75 1081 if (c->psm == psm) {
1da177e4 1082 /* Exact match. */
23691d75 1083 if (!bacmp(&bt_sk(sk)->src, src)) {
a7567b20 1084 read_unlock(&chan_list_lock);
23691d75
GP		 1085 return c;
1086 }
1da177e4
LT		 1087
1088 /* Closest match */
1089 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 1090 c1 = c;
1da177e4
LT		 1091 }
1092 }
1da177e4 1093
23691d75 1094 read_unlock(&chan_list_lock);
e0f0cb56 1095
23691d75 1096 return c1;
1da177e4
LT		 1097}
1098
cbe8fed4 1099int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid, bdaddr_t *dst)
1da177e4 1100{
5d41ce1d 1101 struct sock *sk = chan->sk;
1da177e4 1102 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1103 struct l2cap_conn *conn;
1104 struct hci_conn *hcon;
1105 struct hci_dev *hdev;
09ab6f4c 1106 __u8 auth_type;
44d0e48e 1107 int err;
1da177e4 1108
f29972de 1109 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
fe4128e0 1110 chan->psm);
1da177e4 1111
af05b30b
GP		 1112 hdev = hci_get_route(dst, src);
1113 if (!hdev)
1da177e4
LT		 1114 return -EHOSTUNREACH;
1115
09fd0de5 1116 hci_dev_lock(hdev);
1da177e4 1117
03a00194
GP		 1118 lock_sock(sk);
1119
1120 /* PSM must be odd and lsb of upper byte must be 0 */
1121 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1122 chan->chan_type != L2CAP_CHAN_RAW) {
1123 err = -EINVAL;
1124 goto done;
1125 }
1126
1127 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1128 err = -EINVAL;
1129 goto done;
1130 }
1131
1132 switch (chan->mode) {
1133 case L2CAP_MODE_BASIC:
1134 break;
1135 case L2CAP_MODE_ERTM:
1136 case L2CAP_MODE_STREAMING:
1137 if (!disable_ertm)
1138 break;
1139 /* fall through */
1140 default:
1141 err = -ENOTSUPP;
1142 goto done;
1143 }
1144
1145 switch (sk->sk_state) {
1146 case BT_CONNECT:
1147 case BT_CONNECT2:
1148 case BT_CONFIG:
1149 /* Already connecting */
1150 err = 0;
1151 goto done;
1152
1153 case BT_CONNECTED:
1154 /* Already connected */
1155 err = -EISCONN;
1156 goto done;
1157
1158 case BT_OPEN:
1159 case BT_BOUND:
1160 /* Can connect */
1161 break;
1162
1163 default:
1164 err = -EBADFD;
1165 goto done;
1166 }
1167
1168 /* Set destination address and psm */
9219b2a0 1169 bacpy(&bt_sk(sk)->dst, dst);
03a00194
GP		 1170 chan->psm = psm;
1171 chan->dcid = cid;
1da177e4 1172
4343478f 1173 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1174
fe4128e0 1175 if (chan->dcid == L2CAP_CID_LE_DATA)
acd7d370 1176 hcon = hci_connect(hdev, LE_LINK, dst,
4343478f 1177 chan->sec_level, auth_type);
acd7d370
VT		 1178 else
1179 hcon = hci_connect(hdev, ACL_LINK, dst,
4343478f 1180 chan->sec_level, auth_type);
acd7d370 1181
30e76272
VT		 1182 if (IS_ERR(hcon)) {
1183 err = PTR_ERR(hcon);
1da177e4 1184 goto done;
30e76272 1185 }
1da177e4
LT		 1186
1187 conn = l2cap_conn_add(hcon, 0);
1188 if (!conn) {
1189 hci_conn_put(hcon);
30e76272 1190 err = -ENOMEM;
1da177e4
LT		 1191 goto done;
1192 }
1193
1da177e4
LT		 1194 /* Update source addr of the socket */
1195 bacpy(src, conn->src);
1196
48454079
GP		 1197 l2cap_chan_add(conn, chan);
1198
89bc500e 1199 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1200 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1201
1202 if (hcon->state == BT_CONNECTED) {
715ec005 1203 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1204 __clear_chan_timer(chan);
d45fc423 1205 if (l2cap_chan_check_security(chan))
89bc500e 1206 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1207 } else
fc7f8a7e 1208 l2cap_do_start(chan);
1da177e4
LT		 1209 }
1210
30e76272
VT		 1211 err = 0;
1212
1da177e4 1213done:
09fd0de5 1214 hci_dev_unlock(hdev);
1da177e4
LT		 1215 hci_dev_put(hdev);
1216 return err;
1217}
1218
dcba0dba 1219int __l2cap_wait_ack(struct sock *sk)
6161c038 1220{
8c1d787b 1221 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1222 DECLARE_WAITQUEUE(wait, current);
1223 int err = 0;
1224 int timeo = HZ/5;
1225
2b0b05dd 1226 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1227 set_current_state(TASK_INTERRUPTIBLE);
1228 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1229 if (!timeo)
1230 timeo = HZ/5;
1231
1232 if (signal_pending(current)) {
1233 err = sock_intr_errno(timeo);
1234 break;
1235 }
1236
1237 release_sock(sk);
1238 timeo = schedule_timeout(timeo);
1239 lock_sock(sk);
a71a0cf4 1240 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1241
1242 err = sock_error(sk);
1243 if (err)
1244 break;
1245 }
1246 set_current_state(TASK_RUNNING);
2b0b05dd 1247 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1248 return err;
1249}
1250
721c4181 1251static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1252{
721c4181
GP		 1253 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1254 monitor_timer.work);
525cd185 1255 struct sock *sk = chan->sk;
e90bac06 1256
525cd185 1257 BT_DBG("chan %p", chan);
0e98958d 1258
721c4181 1259 lock_sock(sk);
2c03a7a4 1260 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1261 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
721c4181 1262 release_sock(sk);
e90bac06
GP		 1263 return;
1264 }
1265
6a026610 1266 chan->retry_count++;
1a09bcb9 1267 __set_monitor_timer(chan);
e90bac06 1268
525cd185 1269 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
721c4181 1270 release_sock(sk);
e90bac06
GP		 1271}
1272
721c4181 1273static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1274{
721c4181
GP		 1275 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1276 retrans_timer.work);
525cd185 1277 struct sock *sk = chan->sk;
e90bac06 1278
49208c9c 1279 BT_DBG("chan %p", chan);
0e98958d 1280
721c4181 1281 lock_sock(sk);
6a026610 1282 chan->retry_count = 1;
1a09bcb9 1283 __set_monitor_timer(chan);
e90bac06 1284
e2ab4353 1285 set_bit(CONN_WAIT_F, &chan->conn_state);
e90bac06 1286
525cd185 1287 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
721c4181 1288 release_sock(sk);
e90bac06
GP		 1289}
1290
42e5c802 1291static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1da177e4 1292{
1c2acffb 1293 struct sk_buff *skb;
1da177e4 1294
58d35f87 1295 while ((skb = skb_peek(&chan->tx_q)) &&
6a026610 1296 chan->unacked_frames) {
42e5c802 1297 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1c2acffb 1298 break;
1da177e4 1299
58d35f87 1300 skb = skb_dequeue(&chan->tx_q);
1c2acffb 1301 kfree_skb(skb);
1da177e4 1302
6a026610 1303 chan->unacked_frames--;
1c2acffb 1304 }
1da177e4 1305
6a026610 1306 if (!chan->unacked_frames)
1a09bcb9 1307 __clear_retrans_timer(chan);
1c2acffb 1308}
1da177e4 1309
67c9e840 1310static void l2cap_streaming_send(struct l2cap_chan *chan)
6840ed07 1311{
ccbb84af 1312 struct sk_buff *skb;
88843ab0
AE		 1313 u32 control;
1314 u16 fcs;
6840ed07 1315
58d35f87 1316 while ((skb = skb_dequeue(&chan->tx_q))) {
88843ab0 1317 control = __get_control(chan, skb->data + L2CAP_HDR_SIZE);
fb45de7d 1318 control |= __set_txseq(chan, chan->next_tx_seq);
88843ab0 1319 __put_control(chan, control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1320
47d1ec61 1321 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1322 fcs = crc16(0, (u8 *)skb->data,
1323 skb->len - L2CAP_FCS_SIZE);
1324 put_unaligned_le16(fcs,
1325 skb->data + skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 1326 }
1327
4343478f 1328 l2cap_do_send(chan, skb);
6840ed07 1329
836be934 1330 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
6840ed07 1331 }
6840ed07
GP		 1332}
1333
fb45de7d 1334static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 1335{
8f17154f 1336 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1337 u16 fcs;
1338 u32 control;
8f17154f 1339
58d35f87 1340 skb = skb_peek(&chan->tx_q);
f11d676d
GP		 1341 if (!skb)
1342 return;
8f17154f 1343
d1726b6d 1344 while (bt_cb(skb)->tx_seq != tx_seq) {
58d35f87 1345 if (skb_queue_is_last(&chan->tx_q, skb))
f11d676d 1346 return;
8f17154f 1347
d1726b6d
SJ		 1348 skb = skb_queue_next(&chan->tx_q, skb);
1349 }
8f17154f 1350
2c03a7a4
GP		 1351 if (chan->remote_max_tx &&
1352 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1353 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
f11d676d
GP		 1354 return;
1355 }
1356
1357 tx_skb = skb_clone(skb, GFP_ATOMIC);
1358 bt_cb(skb)->retries++;
88843ab0
AE		 1359
1360 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1361 control &= __get_sar_mask(chan);
3cb123d1 1362
e2ab4353 1363 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1364 control |= __set_ctrl_final(chan);
95ffa978 1365
0b209fae 1366 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1367 control |= __set_txseq(chan, tx_seq);
3cb123d1 1368
88843ab0 1369 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
f11d676d 1370
47d1ec61 1371 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1372 fcs = crc16(0, (u8 *)tx_skb->data,
1373 tx_skb->len - L2CAP_FCS_SIZE);
1374 put_unaligned_le16(fcs,
1375 tx_skb->data + tx_skb->len - L2CAP_FCS_SIZE);
f11d676d
GP		 1376 }
1377
4343478f 1378 l2cap_do_send(chan, tx_skb);
8f17154f
GP		 1379}
1380
67c9e840 1381static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1382{
1383 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1384 u16 fcs;
1385 u32 control;
9a9c6a34 1386 int nsent = 0;
1c2acffb 1387
89bc500e 1388 if (chan->state != BT_CONNECTED)
c13ffa62 1389 return -ENOTCONN;
e90bac06 1390
58d35f87 1391 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1c2acffb 1392
2c03a7a4
GP		 1393 if (chan->remote_max_tx &&
1394 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1395 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
e90bac06
GP		 1396 break;
1397 }
1398
e420aba3
AE		 1399 tx_skb = skb_clone(skb, GFP_ATOMIC);
1400
e90bac06
GP		 1401 bt_cb(skb)->retries++;
1402
88843ab0 1403 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1404 control &= __get_sar_mask(chan);
95ffa978 1405
e2ab4353 1406 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1407 control |= __set_ctrl_final(chan);
e2ab4353 1408
0b209fae 1409 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1410 control |= __set_txseq(chan, chan->next_tx_seq);
1c2acffb 1411
88843ab0 1412 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
e90bac06 1413
47d1ec61 1414 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1415 fcs = crc16(0, (u8 *)skb->data,
1416 tx_skb->len - L2CAP_FCS_SIZE);
1417 put_unaligned_le16(fcs, skb->data +
1418 tx_skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 1419 }
1420
4343478f 1421 l2cap_do_send(chan, tx_skb);
9a9c6a34 1422
1a09bcb9 1423 __set_retrans_timer(chan);
1c2acffb 1424
42e5c802 1425 bt_cb(skb)->tx_seq = chan->next_tx_seq;
836be934
AE		 1426
1427 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1c2acffb 1428
8ed7a0ae 1429 if (bt_cb(skb)->retries == 1) {
6a026610 1430 chan->unacked_frames++;
930fa4ae
SJ		 1431
1432 if (!nsent++)
1433 __clear_ack_timer(chan);
8ed7a0ae 1434 }
23e9fde2 1435
6a026610 1436 chan->frames_sent++;
1c2acffb 1437
58d35f87
GP		 1438 if (skb_queue_is_last(&chan->tx_q, skb))
1439 chan->tx_send_head = NULL;
1c2acffb 1440 else
58d35f87 1441 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1c2acffb
GP		 1442 }
1443
9e917af1
GP		 1444 return nsent;
1445}
1446
525cd185 1447static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1448{
dfc909be
GP		 1449 int ret;
1450
58d35f87
GP		 1451 if (!skb_queue_empty(&chan->tx_q))
1452 chan->tx_send_head = chan->tx_q.next;
dfc909be 1453
42e5c802 1454 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1455 ret = l2cap_ertm_send(chan);
dfc909be
GP		 1456 return ret;
1457}
1458
b17e73bb 1459static void __l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1460{
88843ab0 1461 u32 control = 0;
9e917af1 1462
0b209fae 1463 control |= __set_reqseq(chan, chan->buffer_seq);
9e917af1 1464
e2ab4353 1465 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 1466 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 1467 set_bit(CONN_RNR_SENT, &chan->conn_state);
525cd185 1468 l2cap_send_sframe(chan, control);
9a9c6a34 1469 return;
9e917af1 1470 }
dfc909be 1471
525cd185 1472 if (l2cap_ertm_send(chan) > 0)
dfc909be
GP		 1473 return;
1474
ab784b73 1475 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 1476 l2cap_send_sframe(chan, control);
1c2acffb
GP		 1477}
1478
b17e73bb
SJ		 1479static void l2cap_send_ack(struct l2cap_chan *chan)
1480{
1481 __clear_ack_timer(chan);
1482 __l2cap_send_ack(chan);
1483}
1484
525cd185 1485static void l2cap_send_srejtail(struct l2cap_chan *chan)
99b0d4b7
GP		 1486{
1487 struct srej_list *tail;
88843ab0 1488 u32 control;
99b0d4b7 1489
ab784b73 1490 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
03f6715d 1491 control |= __set_ctrl_final(chan);
99b0d4b7 1492
39d5a3ee 1493 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
0b209fae 1494 control |= __set_reqseq(chan, tail->tx_seq);
99b0d4b7 1495
525cd185 1496 l2cap_send_sframe(chan, control);
99b0d4b7
GP		 1497}
1498
0952a57a 1499static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1c2acffb 1500{
0952a57a 1501 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1502 struct sk_buff **frag;
1503 int err, sent = 0;
1da177e4 1504
59203a21 1505 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1506 return -EFAULT;
1da177e4
LT		 1507
1508 sent += count;
1509 len -= count;
1510
1511 /* Continuation fragments (no L2CAP header) */
1512 frag = &skb_shinfo(skb)->frag_list;
1513 while (len) {
1514 count = min_t(unsigned int, conn->mtu, len);
1515
2f7719ce
AE		 1516 *frag = chan->ops->alloc_skb(chan, count,
1517 msg->msg_flags & MSG_DONTWAIT, &err);
1518
1da177e4 1519 if (!*frag)
0175d629 1520 return err;
1c2acffb
GP		 1521 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1522 return -EFAULT;
1da177e4 1523
5e59b791
LAD		 1524 (*frag)->priority = skb->priority;
1525
1da177e4
LT		 1526 sent += count;
1527 len -= count;
1528
1529 frag = &(*frag)->next;
1530 }
1da177e4
LT		 1531
1532 return sent;
1c2acffb 1533}
1da177e4 1534
5e59b791
LAD		 1535static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
1536 struct msghdr *msg, size_t len,
1537 u32 priority)
1c2acffb 1538{
8c1d787b 1539 struct l2cap_conn *conn = chan->conn;
1c2acffb 1540 struct sk_buff *skb;
03a51213 1541 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 1542 struct l2cap_hdr *lh;
1543
6d5922b0 1544 BT_DBG("chan %p len %d priority %u", chan, (int)len, priority);
1c2acffb
GP		 1545
1546 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1547
1548 skb = chan->ops->alloc_skb(chan, count + hlen,
1549 msg->msg_flags & MSG_DONTWAIT, &err);
1550
1c2acffb 1551 if (!skb)
0175d629 1552 return ERR_PTR(err);
1c2acffb 1553
5e59b791
LAD		 1554 skb->priority = priority;
1555
1c2acffb
GP		 1556 /* Create L2CAP header */
1557 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1558 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1559 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
fe4128e0 1560 put_unaligned_le16(chan->psm, skb_put(skb, 2));
1c2acffb 1561
0952a57a 1562 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1563 if (unlikely(err < 0)) {
1564 kfree_skb(skb);
1565 return ERR_PTR(err);
1566 }
1567 return skb;
1568}
1569
5e59b791
LAD		 1570static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
1571 struct msghdr *msg, size_t len,
1572 u32 priority)
1c2acffb 1573{
8c1d787b 1574 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1575 struct sk_buff *skb;
1576 int err, count, hlen = L2CAP_HDR_SIZE;
1577 struct l2cap_hdr *lh;
1578
6d5922b0 1579 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb
GP		 1580
1581 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1582
1583 skb = chan->ops->alloc_skb(chan, count + hlen,
1584 msg->msg_flags & MSG_DONTWAIT, &err);
1585
1c2acffb 1586 if (!skb)
0175d629 1587 return ERR_PTR(err);
1c2acffb 1588
5e59b791
LAD		 1589 skb->priority = priority;
1590
1c2acffb
GP		 1591 /* Create L2CAP header */
1592 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1593 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1594 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1595
0952a57a 1596 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1597 if (unlikely(err < 0)) {
1598 kfree_skb(skb);
1599 return ERR_PTR(err);
1600 }
1601 return skb;
1602}
1603
ab0ff76d
LAD		 1604static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
1605 struct msghdr *msg, size_t len,
88843ab0 1606 u32 control, u16 sdulen)
1c2acffb 1607{
8c1d787b 1608 struct l2cap_conn *conn = chan->conn;
1c2acffb 1609 struct sk_buff *skb;
e4ca6d98 1610 int err, count, hlen;
1c2acffb
GP		 1611 struct l2cap_hdr *lh;
1612
6d5922b0 1613 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 1614
0ee0d208
GP		 1615 if (!conn)
1616 return ERR_PTR(-ENOTCONN);
1617
e4ca6d98
AE		 1618 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1619 hlen = L2CAP_EXT_HDR_SIZE;
1620 else
1621 hlen = L2CAP_ENH_HDR_SIZE;
1622
c74e560c 1623 if (sdulen)
03a51213 1624 hlen += L2CAP_SDULEN_SIZE;
c74e560c 1625
47d1ec61 1626 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1627 hlen += L2CAP_FCS_SIZE;
fcc203c3 1628
1c2acffb 1629 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1630
1631 skb = chan->ops->alloc_skb(chan, count + hlen,
1632 msg->msg_flags & MSG_DONTWAIT, &err);
1633
1c2acffb 1634 if (!skb)
0175d629 1635 return ERR_PTR(err);
1c2acffb
GP		 1636
1637 /* Create L2CAP header */
1638 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1639 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1640 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0
AE		 1641
1642 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
1643
c74e560c 1644 if (sdulen)
03a51213 1645 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 1646
0952a57a 1647 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1648 if (unlikely(err < 0)) {
1649 kfree_skb(skb);
1650 return ERR_PTR(err);
1651 }
e90bac06 1652
47d1ec61 1653 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1654 put_unaligned_le16(0, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3 1655
e90bac06 1656 bt_cb(skb)->retries = 0;
1c2acffb 1657 return skb;
1da177e4
LT		 1658}
1659
67c9e840 1660static int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
c74e560c 1661{
c74e560c
GP		 1662 struct sk_buff *skb;
1663 struct sk_buff_head sar_queue;
88843ab0 1664 u32 control;
c74e560c
GP		 1665 size_t size = 0;
1666
ff12fd64 1667 skb_queue_head_init(&sar_queue);
7e0ef6ee 1668 control = __set_ctrl_sar(chan, L2CAP_SAR_START);
47d1ec61 1669 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
c74e560c
GP		 1670 if (IS_ERR(skb))
1671 return PTR_ERR(skb);
1672
1673 __skb_queue_tail(&sar_queue, skb);
2c03a7a4
GP		 1674 len -= chan->remote_mps;
1675 size += chan->remote_mps;
c74e560c
GP		 1676
1677 while (len > 0) {
1678 size_t buflen;
1679
2c03a7a4 1680 if (len > chan->remote_mps) {
7e0ef6ee 1681 control = __set_ctrl_sar(chan, L2CAP_SAR_CONTINUE);
2c03a7a4 1682 buflen = chan->remote_mps;
c74e560c 1683 } else {
7e0ef6ee 1684 control = __set_ctrl_sar(chan, L2CAP_SAR_END);
c74e560c
GP		 1685 buflen = len;
1686 }
1687
47d1ec61 1688 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
c74e560c
GP		 1689 if (IS_ERR(skb)) {
1690 skb_queue_purge(&sar_queue);
1691 return PTR_ERR(skb);
1692 }
1693
1694 __skb_queue_tail(&sar_queue, skb);
1695 len -= buflen;
1696 size += buflen;
c74e560c 1697 }
58d35f87
GP		 1698 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
1699 if (chan->tx_send_head == NULL)
1700 chan->tx_send_head = sar_queue.next;
c74e560c
GP		 1701
1702 return size;
1703}
1704
5e59b791
LAD		 1705int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
1706 u32 priority)
9a91a04a 1707{
9a91a04a 1708 struct sk_buff *skb;
88843ab0 1709 u32 control;
9a91a04a
GP		 1710 int err;
1711
1712 /* Connectionless channel */
715ec005 1713 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 1714 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 1715 if (IS_ERR(skb))
1716 return PTR_ERR(skb);
1717
1718 l2cap_do_send(chan, skb);
1719 return len;
1720 }
1721
1722 switch (chan->mode) {
1723 case L2CAP_MODE_BASIC:
1724 /* Check outgoing MTU */
1725 if (len > chan->omtu)
1726 return -EMSGSIZE;
1727
1728 /* Create a basic PDU */
5e59b791 1729 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 1730 if (IS_ERR(skb))
1731 return PTR_ERR(skb);
1732
1733 l2cap_do_send(chan, skb);
1734 err = len;
1735 break;
1736
1737 case L2CAP_MODE_ERTM:
1738 case L2CAP_MODE_STREAMING:
1739 /* Entire SDU fits into one PDU */
1740 if (len <= chan->remote_mps) {
7e0ef6ee 1741 control = __set_ctrl_sar(chan, L2CAP_SAR_UNSEGMENTED);
9a91a04a
GP		 1742 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
1743 0);
1744 if (IS_ERR(skb))
1745 return PTR_ERR(skb);
1746
1747 __skb_queue_tail(&chan->tx_q, skb);
1748
1749 if (chan->tx_send_head == NULL)
1750 chan->tx_send_head = skb;
1751
1752 } else {
1753 /* Segment SDU into multiples PDUs */
1754 err = l2cap_sar_segment_sdu(chan, msg, len);
1755 if (err < 0)
1756 return err;
1757 }
1758
1759 if (chan->mode == L2CAP_MODE_STREAMING) {
1760 l2cap_streaming_send(chan);
1761 err = len;
1762 break;
1763 }
1764
e2ab4353
GP		 1765 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
1766 test_bit(CONN_WAIT_F, &chan->conn_state)) {
9a91a04a
GP		 1767 err = len;
1768 break;
1769 }
1770
1771 err = l2cap_ertm_send(chan);
1772 if (err >= 0)
1773 err = len;
1774
1775 break;
1776
1777 default:
1778 BT_DBG("bad state %1.1x", chan->mode);
1779 err = -EBADFD;
1780 }
1781
1782 return err;
1783}
1784
1da177e4
LT		 1785/* Copy frame to all raw sockets on that connection */
1786static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1787{
1da177e4 1788 struct sk_buff *nskb;
48454079 1789 struct l2cap_chan *chan;
1da177e4
LT		 1790
1791 BT_DBG("conn %p", conn);
1792
3df91ea2 1793 mutex_lock(&conn->chan_lock);
3d57dc68 1794
3df91ea2 1795 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 1796 struct sock *sk = chan->sk;
715ec005 1797 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 1798 continue;
1799
1800 /* Don't send frame to the socket it came from */
1801 if (skb->sk == sk)
1802 continue;
af05b30b
GP		 1803 nskb = skb_clone(skb, GFP_ATOMIC);
1804 if (!nskb)
1da177e4
LT		 1805 continue;
1806
23070494 1807 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT		 1808 kfree_skb(nskb);
1809 }
3d57dc68 1810
3df91ea2 1811 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 1812}
1813
1814/* ---- L2CAP signalling commands ---- */
1815static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1816 u8 code, u8 ident, u16 dlen, void *data)
1817{
1818 struct sk_buff *skb, **frag;
1819 struct l2cap_cmd_hdr *cmd;
1820 struct l2cap_hdr *lh;
1821 int len, count;
1822
af05b30b
GP		 1823 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1824 conn, code, ident, dlen);
1da177e4
LT		 1825
1826 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1827 count = min_t(unsigned int, conn->mtu, len);
1828
1829 skb = bt_skb_alloc(count, GFP_ATOMIC);
1830 if (!skb)
1831 return NULL;
1832
1833 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 1834 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 1835
1836 if (conn->hcon->type == LE_LINK)
1837 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
1838 else
1839 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 1840
1841 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1842 cmd->code = code;
1843 cmd->ident = ident;
aca3192c 1844 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 1845
1846 if (dlen) {
1847 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1848 memcpy(skb_put(skb, count), data, count);
1849 data += count;
1850 }
1851
1852 len -= skb->len;
1853
1854 /* Continuation fragments (no L2CAP header) */
1855 frag = &skb_shinfo(skb)->frag_list;
1856 while (len) {
1857 count = min_t(unsigned int, conn->mtu, len);
1858
1859 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1860 if (!*frag)
1861 goto fail;
1862
1863 memcpy(skb_put(*frag, count), data, count);
1864
1865 len -= count;
1866 data += count;
1867
1868 frag = &(*frag)->next;
1869 }
1870
1871 return skb;
1872
1873fail:
1874 kfree_skb(skb);
1875 return NULL;
1876}
1877
1878static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1879{
1880 struct l2cap_conf_opt *opt = *ptr;
1881 int len;
1882
1883 len = L2CAP_CONF_OPT_SIZE + opt->len;
1884 *ptr += len;
1885
1886 *type = opt->type;
1887 *olen = opt->len;
1888
1889 switch (opt->len) {
1890 case 1:
1891 *val = *((u8 *) opt->val);
1892 break;
1893
1894 case 2:
bfaaeb3e 1895 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 1896 break;
1897
1898 case 4:
bfaaeb3e 1899 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 1900 break;
1901
1902 default:
1903 *val = (unsigned long) opt->val;
1904 break;
1905 }
1906
1907 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1908 return len;
1909}
1910
1da177e4
LT		 1911static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1912{
1913 struct l2cap_conf_opt *opt = *ptr;
1914
1915 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1916
1917 opt->type = type;
1918 opt->len = len;
1919
1920 switch (len) {
1921 case 1:
1922 *((u8 *) opt->val) = val;
1923 break;
1924
1925 case 2:
4f8b691c 1926 put_unaligned_le16(val, opt->val);
1da177e4
LT		 1927 break;
1928
1929 case 4:
4f8b691c 1930 put_unaligned_le32(val, opt->val);
1da177e4
LT		 1931 break;
1932
1933 default:
1934 memcpy(opt->val, (void *) val, len);
1935 break;
1936 }
1937
1938 *ptr += L2CAP_CONF_OPT_SIZE + len;
1939}
1940
f89cef09
AE		 1941static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
1942{
1943 struct l2cap_conf_efs efs;
1944
1ec918ce 1945 switch (chan->mode) {
f89cef09
AE		 1946 case L2CAP_MODE_ERTM:
1947 efs.id = chan->local_id;
1948 efs.stype = chan->local_stype;
1949 efs.msdu = cpu_to_le16(chan->local_msdu);
1950 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
1951 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
1952 efs.flush_to = cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
1953 break;
1954
1955 case L2CAP_MODE_STREAMING:
1956 efs.id = 1;
1957 efs.stype = L2CAP_SERV_BESTEFFORT;
1958 efs.msdu = cpu_to_le16(chan->local_msdu);
1959 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
1960 efs.acc_lat = 0;
1961 efs.flush_to = 0;
1962 break;
1963
1964 default:
1965 return;
1966 }
1967
1968 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
1969 (unsigned long) &efs);
1970}
1971
721c4181 1972static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 1973{
721c4181
GP		 1974 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1975 ack_timer.work);
c1b4f43b 1976
2fb9b3d4
GP		 1977 BT_DBG("chan %p", chan);
1978
721c4181 1979 lock_sock(chan->sk);
b17e73bb 1980 __l2cap_send_ack(chan);
721c4181 1981 release_sock(chan->sk);
09bfb2ee
SJ		 1982
1983 l2cap_chan_put(chan);
c1b4f43b
GP		 1984}
1985
525cd185 1986static inline void l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 1987{
42e5c802 1988 chan->expected_ack_seq = 0;
6a026610 1989 chan->unacked_frames = 0;
42e5c802 1990 chan->buffer_seq = 0;
6a026610
GP		 1991 chan->num_acked = 0;
1992 chan->frames_sent = 0;
0565c1c2 1993
721c4181
GP		 1994 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
1995 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
1996 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 1997
f1c6775b 1998 skb_queue_head_init(&chan->srej_q);
1890d36b 1999
39d5a3ee 2000 INIT_LIST_HEAD(&chan->srej_l);
0565c1c2
GP		 2001}
2002
f2fcfcd6
GP		 2003static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2004{
2005 switch (mode) {
2006 case L2CAP_MODE_STREAMING:
2007 case L2CAP_MODE_ERTM:
2008 if (l2cap_mode_supported(mode, remote_feat_mask))
2009 return mode;
2010 /* fall through */
2011 default:
2012 return L2CAP_MODE_BASIC;
2013 }
2014}
2015
6327eb98
AE		 2016static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2017{
2018 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2019}
2020
f89cef09
AE		 2021static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2022{
2023 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2024}
2025
6327eb98
AE		 2026static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2027{
2028 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 2029 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2030 /* use extended control field */
2031 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2032 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2033 } else {
6327eb98
AE		 2034 chan->tx_win = min_t(u16, chan->tx_win,
2035 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2036 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2037 }
6327eb98
AE		 2038}
2039
710f9b0a 2040static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2041{
1da177e4 2042 struct l2cap_conf_req *req = data;
0c1bc5c6 2043 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2044 void *ptr = req->data;
c8f79162 2045 u16 size;
1da177e4 2046
49208c9c 2047 BT_DBG("chan %p", chan);
1da177e4 2048
73ffa904 2049 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2050 goto done;
2051
0c1bc5c6 2052 switch (chan->mode) {
f2fcfcd6
GP		 2053 case L2CAP_MODE_STREAMING:
2054 case L2CAP_MODE_ERTM:
c1360a1c 2055 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2056 break;
85eb53c6 2057
f89cef09
AE		 2058 if (__l2cap_efs_supported(chan))
2059 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2060
2ba13ed6 2061 /* fall through */
f2fcfcd6 2062 default:
8c1d787b 2063 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2064 break;
2065 }
2066
2067done:
0c1bc5c6
GP		 2068 if (chan->imtu != L2CAP_DEFAULT_MTU)
2069 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2070
0c1bc5c6 2071 switch (chan->mode) {
65c7c491 2072 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2073 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2074 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2075 break;
2076
62547752
GP		 2077 rfc.mode = L2CAP_MODE_BASIC;
2078 rfc.txwin_size = 0;
2079 rfc.max_transmit = 0;
2080 rfc.retrans_timeout = 0;
2081 rfc.monitor_timeout = 0;
2082 rfc.max_pdu_size = 0;
2083
63406504
GP		 2084 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2085 (unsigned long) &rfc);
65c7c491
MH		 2086 break;
2087
2088 case L2CAP_MODE_ERTM:
2089 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2090 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2091 rfc.retrans_timeout = 0;
2092 rfc.monitor_timeout = 0;
c8f79162
AE		 2093
2094 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2095 L2CAP_EXT_HDR_SIZE -
2096 L2CAP_SDULEN_SIZE -
2097 L2CAP_FCS_SIZE);
2098 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2099
6327eb98
AE		 2100 l2cap_txwin_setup(chan);
2101
2102 rfc.txwin_size = min_t(u16, chan->tx_win,
2103 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2104
63406504
GP		 2105 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2106 (unsigned long) &rfc);
2107
f89cef09
AE		 2108 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2109 l2cap_add_opt_efs(&ptr, chan);
2110
8c1d787b 2111 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2112 break;
2113
47d1ec61 2114 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2115 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2116 chan->fcs = L2CAP_FCS_NONE;
2117 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2118 }
6327eb98
AE		 2119
2120 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2121 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2122 chan->tx_win);
f2fcfcd6
GP		 2123 break;
2124
2125 case L2CAP_MODE_STREAMING:
2126 rfc.mode = L2CAP_MODE_STREAMING;
2127 rfc.txwin_size = 0;
2128 rfc.max_transmit = 0;
2129 rfc.retrans_timeout = 0;
2130 rfc.monitor_timeout = 0;
c8f79162
AE		 2131
2132 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2133 L2CAP_EXT_HDR_SIZE -
2134 L2CAP_SDULEN_SIZE -
2135 L2CAP_FCS_SIZE);
2136 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2137
63406504
GP		 2138 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2139 (unsigned long) &rfc);
2140
f89cef09
AE		 2141 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2142 l2cap_add_opt_efs(&ptr, chan);
2143
8c1d787b 2144 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2145 break;
2146
47d1ec61 2147 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2148 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2149 chan->fcs = L2CAP_FCS_NONE;
2150 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2151 }
65c7c491
MH		 2152 break;
2153 }
1da177e4 2154
fe4128e0 2155 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 2156 req->flags = cpu_to_le16(0);
1da177e4
LT		 2157
2158 return ptr - data;
2159}
2160
73ffa904 2161static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2162{
5dee9e7c
MH		 2163 struct l2cap_conf_rsp *rsp = data;
2164 void *ptr = rsp->data;
73ffa904
GP		 2165 void *req = chan->conf_req;
2166 int len = chan->conf_len;
5dee9e7c
MH		 2167 int type, hint, olen;
2168 unsigned long val;
6464f35f 2169 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2170 struct l2cap_conf_efs efs;
2171 u8 remote_efs = 0;
861d6882 2172 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2173 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2174 u16 size;
1da177e4 2175
73ffa904 2176 BT_DBG("chan %p", chan);
820ae1b8 2177
5dee9e7c
MH		 2178 while (len >= L2CAP_CONF_OPT_SIZE) {
2179 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2180
589d2746 2181 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2182 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2183
2184 switch (type) {
2185 case L2CAP_CONF_MTU:
861d6882 2186 mtu = val;
5dee9e7c
MH		 2187 break;
2188
2189 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2190 chan->flush_to = val;
5dee9e7c
MH		 2191 break;
2192
2193 case L2CAP_CONF_QOS:
2194 break;
2195
6464f35f
MH		 2196 case L2CAP_CONF_RFC:
2197 if (olen == sizeof(rfc))
2198 memcpy(&rfc, (void *) val, olen);
2199 break;
2200
fcc203c3
GP		 2201 case L2CAP_CONF_FCS:
2202 if (val == L2CAP_FCS_NONE)
c1360a1c 2203 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 2204 break;
fcc203c3 2205
42dceae2
AE		 2206 case L2CAP_CONF_EFS:
2207 remote_efs = 1;
2208 if (olen == sizeof(efs))
2209 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 2210 break;
2211
6327eb98
AE		 2212 case L2CAP_CONF_EWS:
2213 if (!enable_hs)
2214 return -ECONNREFUSED;
fcc203c3 2215
6327eb98
AE		 2216 set_bit(FLAG_EXT_CTRL, &chan->flags);
2217 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 2218 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 2219 chan->remote_tx_win = val;
fcc203c3
GP		 2220 break;
2221
5dee9e7c
MH		 2222 default:
2223 if (hint)
2224 break;
2225
2226 result = L2CAP_CONF_UNKNOWN;
2227 *((u8 *) ptr++) = type;
2228 break;
2229 }
2230 }
2231
73ffa904 2232 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2233 goto done;
2234
0c1bc5c6 2235 switch (chan->mode) {
f2fcfcd6
GP		 2236 case L2CAP_MODE_STREAMING:
2237 case L2CAP_MODE_ERTM:
c1360a1c 2238 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2239 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2240 chan->conn->feat_mask);
85eb53c6
GP		 2241 break;
2242 }
2243
42dceae2
AE		 2244 if (remote_efs) {
2245 if (__l2cap_efs_supported(chan))
2246 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2247 else
2248 return -ECONNREFUSED;
2249 }
2250
0c1bc5c6 2251 if (chan->mode != rfc.mode)
f2fcfcd6 2252 return -ECONNREFUSED;
742e519b 2253
f2fcfcd6 2254 break;
f2fcfcd6
GP		 2255 }
2256
2257done:
0c1bc5c6 2258 if (chan->mode != rfc.mode) {
f2fcfcd6 2259 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2260 rfc.mode = chan->mode;
f2fcfcd6 2261
73ffa904 2262 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2263 return -ECONNREFUSED;
2264
2265 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2266 sizeof(rfc), (unsigned long) &rfc);
2267 }
2268
5dee9e7c
MH		 2269 if (result == L2CAP_CONF_SUCCESS) {
2270 /* Configure output options and let the other side know
2271 * which ones we don't like. */
2272
f2fcfcd6
GP		 2273 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2274 result = L2CAP_CONF_UNACCEPT;
2275 else {
0c1bc5c6 2276 chan->omtu = mtu;
c1360a1c 2277 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 2278 }
0c1bc5c6 2279 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2280
42dceae2
AE		 2281 if (remote_efs) {
2282 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2283 efs.stype != L2CAP_SERV_NOTRAFIC &&
2284 efs.stype != chan->local_stype) {
2285
2286 result = L2CAP_CONF_UNACCEPT;
2287
2288 if (chan->num_conf_req >= 1)
2289 return -ECONNREFUSED;
2290
2291 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 2292 sizeof(efs),
42dceae2 2293 (unsigned long) &efs);
0e8b207e 2294 } else {
3e6b3b95 2295 /* Send PENDING Conf Rsp */
0e8b207e
AE		 2296 result = L2CAP_CONF_PENDING;
2297 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 2298 }
2299 }
2300
f2fcfcd6
GP		 2301 switch (rfc.mode) {
2302 case L2CAP_MODE_BASIC:
47d1ec61 2303 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2304 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 2305 break;
2306
2307 case L2CAP_MODE_ERTM:
6327eb98
AE		 2308 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
2309 chan->remote_tx_win = rfc.txwin_size;
2310 else
2311 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 2312
2c03a7a4 2313 chan->remote_max_tx = rfc.max_transmit;
1c762159 2314
c8f79162
AE		 2315 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2316 chan->conn->mtu -
2317 L2CAP_EXT_HDR_SIZE -
2318 L2CAP_SDULEN_SIZE -
2319 L2CAP_FCS_SIZE);
2320 rfc.max_pdu_size = cpu_to_le16(size);
2321 chan->remote_mps = size;
f2fcfcd6 2322
10467e9e
GP		 2323 rfc.retrans_timeout =
2324 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2325 rfc.monitor_timeout =
2326 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2327
c1360a1c 2328 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2329
2330 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2331 sizeof(rfc), (unsigned long) &rfc);
2332
42dceae2
AE		 2333 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2334 chan->remote_id = efs.id;
2335 chan->remote_stype = efs.stype;
2336 chan->remote_msdu = le16_to_cpu(efs.msdu);
2337 chan->remote_flush_to =
2338 le32_to_cpu(efs.flush_to);
2339 chan->remote_acc_lat =
2340 le32_to_cpu(efs.acc_lat);
2341 chan->remote_sdu_itime =
2342 le32_to_cpu(efs.sdu_itime);
2343 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2344 sizeof(efs), (unsigned long) &efs);
2345 }
f2fcfcd6
GP		 2346 break;
2347
2348 case L2CAP_MODE_STREAMING:
c8f79162
AE		 2349 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2350 chan->conn->mtu -
2351 L2CAP_EXT_HDR_SIZE -
2352 L2CAP_SDULEN_SIZE -
2353 L2CAP_FCS_SIZE);
2354 rfc.max_pdu_size = cpu_to_le16(size);
2355 chan->remote_mps = size;
f2fcfcd6 2356
c1360a1c 2357 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2358
2359 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2360 sizeof(rfc), (unsigned long) &rfc);
2361
f2fcfcd6
GP		 2362 break;
2363
2364 default:
5dee9e7c 2365 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2366
6464f35f 2367 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2368 rfc.mode = chan->mode;
f2fcfcd6 2369 }
6464f35f 2370
f2fcfcd6 2371 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 2372 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 2373 }
fe4128e0 2374 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2375 rsp->result = cpu_to_le16(result);
2376 rsp->flags = cpu_to_le16(0x0000);
2377
2378 return ptr - data;
1da177e4
LT		 2379}
2380
b4450035 2381static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2382{
f2fcfcd6
GP		 2383 struct l2cap_conf_req *req = data;
2384 void *ptr = req->data;
2385 int type, olen;
2386 unsigned long val;
36e999a8 2387 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 2388 struct l2cap_conf_efs efs;
f2fcfcd6 2389
fe4128e0 2390 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 2391
2392 while (len >= L2CAP_CONF_OPT_SIZE) {
2393 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2394
2395 switch (type) {
2396 case L2CAP_CONF_MTU:
2397 if (val < L2CAP_DEFAULT_MIN_MTU) {
2398 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2399 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2400 } else
0c1bc5c6
GP		 2401 chan->imtu = val;
2402 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 2403 break;
2404
2405 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2406 chan->flush_to = val;
f2fcfcd6 2407 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 2408 2, chan->flush_to);
f2fcfcd6
GP		 2409 break;
2410
2411 case L2CAP_CONF_RFC:
2412 if (olen == sizeof(rfc))
2413 memcpy(&rfc, (void *)val, olen);
2414
c1360a1c 2415 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 2416 rfc.mode != chan->mode)
f2fcfcd6
GP		 2417 return -ECONNREFUSED;
2418
47d1ec61 2419 chan->fcs = 0;
f2fcfcd6
GP		 2420
2421 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2422 sizeof(rfc), (unsigned long) &rfc);
2423 break;
6327eb98
AE		 2424
2425 case L2CAP_CONF_EWS:
2426 chan->tx_win = min_t(u16, val,
2427 L2CAP_DEFAULT_EXT_WINDOW);
3e6b3b95
GP		 2428 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2429 chan->tx_win);
6327eb98 2430 break;
66af7aaf
AE		 2431
2432 case L2CAP_CONF_EFS:
2433 if (olen == sizeof(efs))
2434 memcpy(&efs, (void *)val, olen);
2435
2436 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2437 efs.stype != L2CAP_SERV_NOTRAFIC &&
2438 efs.stype != chan->local_stype)
2439 return -ECONNREFUSED;
2440
2441 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2442 sizeof(efs), (unsigned long) &efs);
2443 break;
f2fcfcd6
GP		 2444 }
2445 }
2446
0c1bc5c6 2447 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 2448 return -ECONNREFUSED;
2449
0c1bc5c6 2450 chan->mode = rfc.mode;
6c2ea7a8 2451
0e8b207e 2452 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 2453 switch (rfc.mode) {
2454 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2455 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2456 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2457 chan->mps = le16_to_cpu(rfc.max_pdu_size);
66af7aaf
AE		 2458
2459 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2460 chan->local_msdu = le16_to_cpu(efs.msdu);
2461 chan->local_sdu_itime =
2462 le32_to_cpu(efs.sdu_itime);
2463 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
2464 chan->local_flush_to =
2465 le32_to_cpu(efs.flush_to);
2466 }
f2fcfcd6 2467 break;
66af7aaf 2468
f2fcfcd6 2469 case L2CAP_MODE_STREAMING:
47d1ec61 2470 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2471 }
2472 }
2473
fe4128e0 2474 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 2475 req->flags = cpu_to_le16(0x0000);
2476
2477 return ptr - data;
2478}
2479
fe4128e0 2480static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 2481{
2482 struct l2cap_conf_rsp *rsp = data;
2483 void *ptr = rsp->data;
1da177e4 2484
fe4128e0 2485 BT_DBG("chan %p", chan);
1da177e4 2486
fe4128e0 2487 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 2488 rsp->result = cpu_to_le16(result);
aca3192c 2489 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2490
2491 return ptr - data;
2492}
2493
8c1d787b 2494void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 2495{
2496 struct l2cap_conn_rsp rsp;
8c1d787b 2497 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 2498 u8 buf[128];
2499
fe4128e0
GP		 2500 rsp.scid = cpu_to_le16(chan->dcid);
2501 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 2502 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2503 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2504 l2cap_send_cmd(conn, chan->ident,
2505 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2506
c1360a1c 2507 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 2508 return;
2509
710f9b0a
GP		 2510 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2511 l2cap_build_conf_req(chan, buf), buf);
2512 chan->num_conf_req++;
2513}
2514
47d1ec61 2515static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 2516{
7b1c0049
GP		 2517 int type, olen;
2518 unsigned long val;
2519 struct l2cap_conf_rfc rfc;
2520
47d1ec61 2521 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 2522
0c1bc5c6 2523 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 2524 return;
2525
2526 while (len >= L2CAP_CONF_OPT_SIZE) {
2527 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2528
2529 switch (type) {
2530 case L2CAP_CONF_RFC:
2531 if (olen == sizeof(rfc))
2532 memcpy(&rfc, (void *)val, olen);
2533 goto done;
2534 }
2535 }
2536
36e999a8
MM		 2537 /* Use sane default values in case a misbehaving remote device
2538 * did not send an RFC option.
2539 */
2540 rfc.mode = chan->mode;
2541 rfc.retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
2542 rfc.monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
2543 rfc.max_pdu_size = cpu_to_le16(chan->imtu);
2544
2545 BT_ERR("Expected RFC option was not found, using defaults");
2546
7b1c0049
GP		 2547done:
2548 switch (rfc.mode) {
2549 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2550 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2551 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2552 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2553 break;
2554 case L2CAP_MODE_STREAMING:
47d1ec61 2555 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2556 }
2557}
2558
4e8402a3
MH		 2559static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2560{
e2fd318e 2561 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 2562
e2fd318e 2563 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 2564 return 0;
2565
2566 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2567 cmd->ident == conn->info_ident) {
17cd3f37 2568 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 2569
2570 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2571 conn->info_ident = 0;
984947dc 2572
4e8402a3
MH		 2573 l2cap_conn_start(conn);
2574 }
2575
2576 return 0;
2577}
2578
1da177e4
LT		 2579static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2580{
1da177e4
LT		 2581 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2582 struct l2cap_conn_rsp rsp;
23691d75 2583 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 2584 struct sock *parent, *sk = NULL;
e7c29cb1 2585 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2586
2587 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2588 __le16 psm = req->psm;
1da177e4
LT		 2589
2590 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2591
2592 /* Check if we have socket listening on psm */
23691d75
GP		 2593 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
2594 if (!pchan) {
1da177e4
LT		 2595 result = L2CAP_CR_BAD_PSM;
2596 goto sendresp;
2597 }
2598
23691d75
GP		 2599 parent = pchan->sk;
2600
3df91ea2 2601 mutex_lock(&conn->chan_lock);
aa2ac881 2602 lock_sock(parent);
e0f0cb56 2603
e7c29cb1
MH		 2604 /* Check if the ACL is secure enough (if not SDP) */
2605 if (psm != cpu_to_le16(0x0001) &&
2606 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 2607 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 2608 result = L2CAP_CR_SEC_BLOCK;
2609 goto response;
2610 }
2611
1da177e4
LT		 2612 result = L2CAP_CR_NO_MEM;
2613
2614 /* Check for backlog size */
2615 if (sk_acceptq_is_full(parent)) {
8e87d142 2616 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2617 goto response;
2618 }
2619
80808e43
GP		 2620 chan = pchan->ops->new_connection(pchan->data);
2621 if (!chan)
1da177e4
LT		 2622 goto response;
2623
80808e43
GP		 2624 sk = chan->sk;
2625
1da177e4 2626 /* Check if we already have channel with that dcid */
baa7e1fa 2627 if (__l2cap_get_chan_by_dcid(conn, scid)) {
1da177e4 2628 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 2629 chan->ops->close(chan->data);
1da177e4
LT		 2630 goto response;
2631 }
2632
2633 hci_conn_hold(conn->hcon);
2634
1da177e4
LT		 2635 bacpy(&bt_sk(sk)->src, conn->src);
2636 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 2637 chan->psm = psm;
2638 chan->dcid = scid;
1da177e4 2639
d1010240
GP		 2640 bt_accept_enqueue(parent, sk);
2641
3d57dc68 2642 l2cap_chan_add(conn, chan);
48454079 2643
fe4128e0 2644 dcid = chan->scid;
1da177e4 2645
c9b66675 2646 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 2647
fc7f8a7e 2648 chan->ident = cmd->ident;
1da177e4 2649
984947dc 2650 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 2651 if (l2cap_chan_check_security(chan)) {
f66dc81f 2652 if (bt_sk(sk)->defer_setup) {
89bc500e 2653 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 2654 result = L2CAP_CR_PEND;
2655 status = L2CAP_CS_AUTHOR_PEND;
2656 parent->sk_data_ready(parent, 0);
2657 } else {
89bc500e 2658 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 2659 result = L2CAP_CR_SUCCESS;
2660 status = L2CAP_CS_NO_INFO;
2661 }
79d554a6 2662 } else {
89bc500e 2663 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2664 result = L2CAP_CR_PEND;
2665 status = L2CAP_CS_AUTHEN_PEND;
2666 }
2667 } else {
89bc500e 2668 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2669 result = L2CAP_CR_PEND;
2670 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2671 }
2672
1da177e4 2673response:
aa2ac881 2674 release_sock(parent);
3df91ea2 2675 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2676
2677sendresp:
aca3192c
YH		 2678 rsp.scid = cpu_to_le16(scid);
2679 rsp.dcid = cpu_to_le16(dcid);
2680 rsp.result = cpu_to_le16(result);
2681 rsp.status = cpu_to_le16(status);
1da177e4 2682 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2683
2684 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2685 struct l2cap_info_req info;
2686 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2687
2688 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2689 conn->info_ident = l2cap_get_ident(conn);
2690
030013d8 2691 schedule_delayed_work(&conn->info_timer,
79d554a6
MH		 2692 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2693
2694 l2cap_send_cmd(conn, conn->info_ident,
2695 L2CAP_INFO_REQ, sizeof(info), &info);
2696 }
2697
c1360a1c 2698 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 2699 result == L2CAP_CR_SUCCESS) {
2700 u8 buf[128];
c1360a1c 2701 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 2702 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2703 l2cap_build_conf_req(chan, buf), buf);
2704 chan->num_conf_req++;
e9aeb2dd
GP		 2705 }
2706
1da177e4
LT		 2707 return 0;
2708}
2709
2710static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2711{
2712 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2713 u16 scid, dcid, result, status;
48454079 2714 struct l2cap_chan *chan;
1da177e4
LT		 2715 struct sock *sk;
2716 u8 req[128];
3df91ea2 2717 int err;
1da177e4
LT		 2718
2719 scid = __le16_to_cpu(rsp->scid);
2720 dcid = __le16_to_cpu(rsp->dcid);
2721 result = __le16_to_cpu(rsp->result);
2722 status = __le16_to_cpu(rsp->status);
2723
1b009c98
AE		 2724 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2725 dcid, scid, result, status);
1da177e4 2726
3df91ea2
AE		 2727 mutex_lock(&conn->chan_lock);
2728
1da177e4 2729 if (scid) {
3df91ea2
AE		 2730 chan = __l2cap_get_chan_by_scid(conn, scid);
2731 if (!chan) {
2732 err = -EFAULT;
2733 goto unlock;
2734 }
1da177e4 2735 } else {
3df91ea2
AE		 2736 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
2737 if (!chan) {
2738 err = -EFAULT;
2739 goto unlock;
2740 }
1da177e4
LT		 2741 }
2742
3df91ea2
AE		 2743 err = 0;
2744
48454079 2745 sk = chan->sk;
3df91ea2 2746 lock_sock(sk);
48454079 2747
1da177e4
LT		 2748 switch (result) {
2749 case L2CAP_CR_SUCCESS:
89bc500e 2750 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 2751 chan->ident = 0;
fe4128e0 2752 chan->dcid = dcid;
c1360a1c 2753 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 2754
c1360a1c 2755 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 2756 break;
2757
1da177e4 2758 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2759 l2cap_build_conf_req(chan, req), req);
2760 chan->num_conf_req++;
1da177e4
LT		 2761 break;
2762
2763 case L2CAP_CR_PEND:
c1360a1c 2764 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 2765 break;
2766
2767 default:
48454079 2768 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 2769 break;
2770 }
2771
aa2ac881 2772 release_sock(sk);
3df91ea2
AE		 2773
2774unlock:
2775 mutex_unlock(&conn->chan_lock);
2776
2777 return err;
1da177e4
LT		 2778}
2779
47d1ec61 2780static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 2781{
2782 /* FCS is enabled only in ERTM or streaming mode, if one or both
2783 * sides request it.
2784 */
0c1bc5c6 2785 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 2786 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2787 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 2788 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 2789}
2790
88219a0f 2791static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2792{
2793 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2794 u16 dcid, flags;
2795 u8 rsp[64];
48454079 2796 struct l2cap_chan *chan;
1da177e4 2797 struct sock *sk;
5dee9e7c 2798 int len;
1da177e4
LT		 2799
2800 dcid = __le16_to_cpu(req->dcid);
2801 flags = __le16_to_cpu(req->flags);
2802
2803 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2804
baa7e1fa 2805 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2806 if (!chan)
1da177e4
LT		 2807 return -ENOENT;
2808
48454079 2809 sk = chan->sk;
3df91ea2 2810 lock_sock(sk);
48454079 2811
033b1142 2812 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 2813 struct l2cap_cmd_rej_cid rej;
2814
2815 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
2816 rej.scid = cpu_to_le16(chan->scid);
2817 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 2818
df6bd743
GP		 2819 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2820 sizeof(rej), &rej);
354f60a9 2821 goto unlock;
df6bd743 2822 }
354f60a9 2823
5dee9e7c 2824 /* Reject if config buffer is too small. */
88219a0f 2825 len = cmd_len - sizeof(*req);
7ac28817 2826 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 2827 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2828 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 2829 L2CAP_CONF_REJECT, flags), rsp);
2830 goto unlock;
2831 }
2832
2833 /* Store config. */
73ffa904
GP		 2834 memcpy(chan->conf_req + chan->conf_len, req->data, len);
2835 chan->conf_len += len;
1da177e4
LT		 2836
2837 if (flags & 0x0001) {
2838 /* Incomplete config. Send empty response. */
2839 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2840 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 2841 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2842 goto unlock;
2843 }
2844
2845 /* Complete config. */
73ffa904 2846 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 2847 if (len < 0) {
e92c8e70 2848 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 2849 goto unlock;
f2fcfcd6 2850 }
1da177e4 2851
5dee9e7c 2852 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 2853 chan->num_conf_rsp++;
5dee9e7c 2854
5dee9e7c 2855 /* Reset config buffer. */
73ffa904 2856 chan->conf_len = 0;
5dee9e7c 2857
c1360a1c 2858 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 2859 goto unlock;
2860
c1360a1c 2861 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 2862 set_default_fcs(chan);
fcc203c3 2863
89bc500e 2864 l2cap_state_change(chan, BT_CONNECTED);
e90bac06 2865
42e5c802
GP		 2866 chan->next_tx_seq = 0;
2867 chan->expected_tx_seq = 0;
58d35f87 2868 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2869 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2870 l2cap_ertm_init(chan);
0565c1c2 2871
cf4cd009 2872 l2cap_chan_ready(chan);
876d9484
MH		 2873 goto unlock;
2874 }
2875
c1360a1c 2876 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 2877 u8 buf[64];
1da177e4 2878 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2879 l2cap_build_conf_req(chan, buf), buf);
2880 chan->num_conf_req++;
1da177e4
LT		 2881 }
2882
0e8b207e
AE		 2883 /* Got Conf Rsp PENDING from remote side and asume we sent
2884 Conf Rsp PENDING in the code above */
2885 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
2886 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
2887
2888 /* check compatibility */
2889
2890 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
2891 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
2892
2893 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 2894 l2cap_build_conf_rsp(chan, rsp,
0e8b207e
AE		 2895 L2CAP_CONF_SUCCESS, 0x0000), rsp);
2896 }
2897
1da177e4 2898unlock:
aa2ac881 2899 release_sock(sk);
1da177e4
LT		 2900 return 0;
2901}
2902
2903static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2904{
2905 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2906 u16 scid, flags, result;
48454079 2907 struct l2cap_chan *chan;
1da177e4 2908 struct sock *sk;
7b1c0049 2909 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 2910
2911 scid = __le16_to_cpu(rsp->scid);
2912 flags = __le16_to_cpu(rsp->flags);
2913 result = __le16_to_cpu(rsp->result);
2914
af05b30b
GP		 2915 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2916 scid, flags, result);
1da177e4 2917
baa7e1fa 2918 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2919 if (!chan)
1da177e4
LT		 2920 return 0;
2921
48454079 2922 sk = chan->sk;
3df91ea2 2923 lock_sock(sk);
48454079 2924
1da177e4
LT		 2925 switch (result) {
2926 case L2CAP_CONF_SUCCESS:
47d1ec61 2927 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 2928 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 2929 break;
2930
0e8b207e
AE		 2931 case L2CAP_CONF_PENDING:
2932 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
2933
2934 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
2935 char buf[64];
2936
2937 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2938 buf, &result);
2939 if (len < 0) {
2940 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2941 goto done;
2942 }
2943
2944 /* check compatibility */
2945
2946 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
2947 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
2948
2949 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 2950 l2cap_build_conf_rsp(chan, buf,
0e8b207e
AE		 2951 L2CAP_CONF_SUCCESS, 0x0000), buf);
2952 }
2953 goto done;
2954
1da177e4 2955 case L2CAP_CONF_UNACCEPT:
73ffa904 2956 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 2957 char req[64];
2958
c2c77ec8 2959 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 2960 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 2961 goto done;
2962 }
2963
f2fcfcd6
GP		 2964 /* throw out any old stored conf requests */
2965 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 2966 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2967 req, &result);
f2fcfcd6 2968 if (len < 0) {
e92c8e70 2969 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 2970 goto done;
2971 }
2972
2973 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2974 L2CAP_CONF_REQ, len, req);
73ffa904 2975 chan->num_conf_req++;
f2fcfcd6
GP		 2976 if (result != L2CAP_CONF_SUCCESS)
2977 goto done;
2978 break;
1da177e4
LT		 2979 }
2980
8e87d142 2981 default:
b1235d79 2982 sk->sk_err = ECONNRESET;
b83ddfe2
AK		 2983 __set_chan_timer(chan,
2984 msecs_to_jiffies(L2CAP_DISC_REJ_TIMEOUT));
e92c8e70 2985 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 2986 goto done;
2987 }
2988
2989 if (flags & 0x01)
2990 goto done;
2991
c1360a1c 2992 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 2993
c1360a1c 2994 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 2995 set_default_fcs(chan);
fcc203c3 2996
89bc500e 2997 l2cap_state_change(chan, BT_CONNECTED);
42e5c802
GP		 2998 chan->next_tx_seq = 0;
2999 chan->expected_tx_seq = 0;
58d35f87 3000 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 3001 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 3002 l2cap_ertm_init(chan);
0565c1c2 3003
cf4cd009 3004 l2cap_chan_ready(chan);
1da177e4
LT		 3005 }
3006
3007done:
aa2ac881 3008 release_sock(sk);
1da177e4
LT		 3009 return 0;
3010}
3011
3012static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3013{
3014 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3015 struct l2cap_disconn_rsp rsp;
3016 u16 dcid, scid;
48454079 3017 struct l2cap_chan *chan;
1da177e4
LT		 3018 struct sock *sk;
3019
3020 scid = __le16_to_cpu(req->scid);
3021 dcid = __le16_to_cpu(req->dcid);
3022
3023 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3024
3df91ea2
AE		 3025 mutex_lock(&conn->chan_lock);
3026
3027 chan = __l2cap_get_chan_by_scid(conn, dcid);
3028 if (!chan) {
3029 mutex_unlock(&conn->chan_lock);
1da177e4 3030 return 0;
3df91ea2 3031 }
1da177e4 3032
48454079 3033 sk = chan->sk;
3df91ea2 3034 lock_sock(sk);
48454079 3035
fe4128e0
GP		 3036 rsp.dcid = cpu_to_le16(chan->scid);
3037 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3038 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3039
3040 sk->sk_shutdown = SHUTDOWN_MASK;
3041
48454079 3042 l2cap_chan_del(chan, ECONNRESET);
aa2ac881 3043 release_sock(sk);
1da177e4 3044
ba3bd0ee 3045 chan->ops->close(chan->data);
3df91ea2
AE		 3046
3047 mutex_unlock(&conn->chan_lock);
3048
1da177e4
LT		 3049 return 0;
3050}
3051
3052static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3053{
3054 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3055 u16 dcid, scid;
48454079 3056 struct l2cap_chan *chan;
1da177e4
LT		 3057 struct sock *sk;
3058
3059 scid = __le16_to_cpu(rsp->scid);
3060 dcid = __le16_to_cpu(rsp->dcid);
3061
3062 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3063
3df91ea2
AE		 3064 mutex_lock(&conn->chan_lock);
3065
3066 chan = __l2cap_get_chan_by_scid(conn, scid);
3067 if (!chan) {
3068 mutex_unlock(&conn->chan_lock);
1da177e4 3069 return 0;
3df91ea2 3070 }
1da177e4 3071
48454079 3072 sk = chan->sk;
3df91ea2 3073 lock_sock(sk);
48454079 3074
48454079 3075 l2cap_chan_del(chan, 0);
aa2ac881 3076 release_sock(sk);
1da177e4 3077
ba3bd0ee 3078 chan->ops->close(chan->data);
3df91ea2
AE		 3079
3080 mutex_unlock(&conn->chan_lock);
3081
1da177e4
LT		 3082 return 0;
3083}
3084
3085static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3086{
3087 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3088 u16 type;
3089
3090 type = __le16_to_cpu(req->type);
3091
3092 BT_DBG("type 0x%4.4x", type);
3093
f0709e03
MH		 3094 if (type == L2CAP_IT_FEAT_MASK) {
3095 u8 buf[8];
44dd46de 3096 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 3097 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3098 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3099 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3100 if (!disable_ertm)
fcc203c3
GP		 3101 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3102 | L2CAP_FEAT_FCS;
a5fd6f30 3103 if (enable_hs)
6327eb98
AE		 3104 feat_mask |= L2CAP_FEAT_EXT_FLOW
3105 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3106
1b7bf4ed 3107 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3108 l2cap_send_cmd(conn, cmd->ident,
3109 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3110 } else if (type == L2CAP_IT_FIXED_CHAN) {
3111 u8 buf[12];
3112 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3113
3114 if (enable_hs)
3115 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3116 else
3117 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3118
e1027a7c
MH		 3119 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3120 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3121 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH		 3122 l2cap_send_cmd(conn, cmd->ident,
3123 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3124 } else {
3125 struct l2cap_info_rsp rsp;
3126 rsp.type = cpu_to_le16(type);
3127 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3128 l2cap_send_cmd(conn, cmd->ident,
3129 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3130 }
1da177e4
LT		 3131
3132 return 0;
3133}
3134
3135static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3136{
3137 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3138 u16 type, result;
3139
3140 type = __le16_to_cpu(rsp->type);
3141 result = __le16_to_cpu(rsp->result);
3142
3143 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3144
e90165be
AE		 3145 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3146 if (cmd->ident != conn->info_ident ||
3147 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3148 return 0;
3149
17cd3f37 3150 cancel_delayed_work(&conn->info_timer);
4e8402a3 3151
adb08ede
VT		 3152 if (result != L2CAP_IR_SUCCESS) {
3153 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3154 conn->info_ident = 0;
3155
3156 l2cap_conn_start(conn);
3157
3158 return 0;
3159 }
3160
984947dc 3161 if (type == L2CAP_IT_FEAT_MASK) {
83985319 3162 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3163
47ec1dcd 3164 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 3165 struct l2cap_info_req req;
3166 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3167
3168 conn->info_ident = l2cap_get_ident(conn);
3169
3170 l2cap_send_cmd(conn, conn->info_ident,
3171 L2CAP_INFO_REQ, sizeof(req), &req);
3172 } else {
3173 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3174 conn->info_ident = 0;
3175
3176 l2cap_conn_start(conn);
3177 }
3178 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 3179 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3180 conn->info_ident = 0;
984947dc
MH		 3181
3182 l2cap_conn_start(conn);
3183 }
4e8402a3 3184
1da177e4
LT		 3185 return 0;
3186}
3187
f94ff6ff
MM		 3188static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3189 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3190 void *data)
3191{
3192 struct l2cap_create_chan_req *req = data;
3193 struct l2cap_create_chan_rsp rsp;
3194 u16 psm, scid;
3195
3196 if (cmd_len != sizeof(*req))
3197 return -EPROTO;
3198
3199 if (!enable_hs)
3200 return -EINVAL;
3201
3202 psm = le16_to_cpu(req->psm);
3203 scid = le16_to_cpu(req->scid);
3204
3205 BT_DBG("psm %d, scid %d, amp_id %d", psm, scid, req->amp_id);
3206
3207 /* Placeholder: Always reject */
3208 rsp.dcid = 0;
3209 rsp.scid = cpu_to_le16(scid);
3210 rsp.result = L2CAP_CR_NO_MEM;
3211 rsp.status = L2CAP_CS_NO_INFO;
3212
3213 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
3214 sizeof(rsp), &rsp);
3215
3216 return 0;
3217}
3218
3219static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
3220 struct l2cap_cmd_hdr *cmd, void *data)
3221{
3222 BT_DBG("conn %p", conn);
3223
3224 return l2cap_connect_rsp(conn, cmd, data);
3225}
3226
8d5a04a1
MM		 3227static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
3228 u16 icid, u16 result)
3229{
3230 struct l2cap_move_chan_rsp rsp;
3231
3232 BT_DBG("icid %d, result %d", icid, result);
3233
3234 rsp.icid = cpu_to_le16(icid);
3235 rsp.result = cpu_to_le16(result);
3236
3237 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
3238}
3239
3240static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
3241 struct l2cap_chan *chan, u16 icid, u16 result)
3242{
3243 struct l2cap_move_chan_cfm cfm;
3244 u8 ident;
3245
3246 BT_DBG("icid %d, result %d", icid, result);
3247
3248 ident = l2cap_get_ident(conn);
3249 if (chan)
3250 chan->ident = ident;
3251
3252 cfm.icid = cpu_to_le16(icid);
3253 cfm.result = cpu_to_le16(result);
3254
3255 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
3256}
3257
3258static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
3259 u16 icid)
3260{
3261 struct l2cap_move_chan_cfm_rsp rsp;
3262
3263 BT_DBG("icid %d", icid);
3264
3265 rsp.icid = cpu_to_le16(icid);
3266 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
3267}
3268
3269static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
3270 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3271{
3272 struct l2cap_move_chan_req *req = data;
3273 u16 icid = 0;
3274 u16 result = L2CAP_MR_NOT_ALLOWED;
3275
3276 if (cmd_len != sizeof(*req))
3277 return -EPROTO;
3278
3279 icid = le16_to_cpu(req->icid);
3280
3281 BT_DBG("icid %d, dest_amp_id %d", icid, req->dest_amp_id);
3282
3283 if (!enable_hs)
3284 return -EINVAL;
3285
3286 /* Placeholder: Always refuse */
3287 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
3288
3289 return 0;
3290}
3291
3292static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
3293 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3294{
3295 struct l2cap_move_chan_rsp *rsp = data;
3296 u16 icid, result;
3297
3298 if (cmd_len != sizeof(*rsp))
3299 return -EPROTO;
3300
3301 icid = le16_to_cpu(rsp->icid);
3302 result = le16_to_cpu(rsp->result);
3303
3304 BT_DBG("icid %d, result %d", icid, result);
3305
3306 /* Placeholder: Always unconfirmed */
3307 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
3308
3309 return 0;
3310}
3311
3312static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
3313 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3314{
3315 struct l2cap_move_chan_cfm *cfm = data;
3316 u16 icid, result;
3317
3318 if (cmd_len != sizeof(*cfm))
3319 return -EPROTO;
3320
3321 icid = le16_to_cpu(cfm->icid);
3322 result = le16_to_cpu(cfm->result);
3323
3324 BT_DBG("icid %d, result %d", icid, result);
3325
3326 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
3327
3328 return 0;
3329}
3330
3331static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
3332 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3333{
3334 struct l2cap_move_chan_cfm_rsp *rsp = data;
3335 u16 icid;
3336
3337 if (cmd_len != sizeof(*rsp))
3338 return -EPROTO;
3339
3340 icid = le16_to_cpu(rsp->icid);
3341
3342 BT_DBG("icid %d", icid);
3343
3344 return 0;
3345}
3346
e2174ca4 3347static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 3348 u16 to_multiplier)
3349{
3350 u16 max_latency;
3351
3352 if (min > max || min < 6 || max > 3200)
3353 return -EINVAL;
3354
3355 if (to_multiplier < 10 || to_multiplier > 3200)
3356 return -EINVAL;
3357
3358 if (max >= to_multiplier * 8)
3359 return -EINVAL;
3360
3361 max_latency = (to_multiplier * 8 / max) - 1;
3362 if (latency > 499 || latency > max_latency)
3363 return -EINVAL;
3364
3365 return 0;
3366}
3367
3368static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
3369 struct l2cap_cmd_hdr *cmd, u8 *data)
3370{
3371 struct hci_conn *hcon = conn->hcon;
3372 struct l2cap_conn_param_update_req *req;
3373 struct l2cap_conn_param_update_rsp rsp;
3374 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 3375 int err;
de73115a
CT		 3376
3377 if (!(hcon->link_mode & HCI_LM_MASTER))
3378 return -EINVAL;
3379
3380 cmd_len = __le16_to_cpu(cmd->len);
3381 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
3382 return -EPROTO;
3383
3384 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 3385 min = __le16_to_cpu(req->min);
3386 max = __le16_to_cpu(req->max);
de73115a
CT		 3387 latency = __le16_to_cpu(req->latency);
3388 to_multiplier = __le16_to_cpu(req->to_multiplier);
3389
3390 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
3391 min, max, latency, to_multiplier);
3392
3393 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 3394
3395 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
3396 if (err)
de73115a
CT		 3397 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
3398 else
3399 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
3400
3401 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
3402 sizeof(rsp), &rsp);
3403
2ce603eb
CT		 3404 if (!err)
3405 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
3406
de73115a
CT		 3407 return 0;
3408}
3409
3300d9a9
CT		 3410static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
3411 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3412{
3413 int err = 0;
3414
3415 switch (cmd->code) {
3416 case L2CAP_COMMAND_REJ:
3417 l2cap_command_rej(conn, cmd, data);
3418 break;
3419
3420 case L2CAP_CONN_REQ:
3421 err = l2cap_connect_req(conn, cmd, data);
3422 break;
3423
3424 case L2CAP_CONN_RSP:
3425 err = l2cap_connect_rsp(conn, cmd, data);
3426 break;
3427
3428 case L2CAP_CONF_REQ:
3429 err = l2cap_config_req(conn, cmd, cmd_len, data);
3430 break;
3431
3432 case L2CAP_CONF_RSP:
3433 err = l2cap_config_rsp(conn, cmd, data);
3434 break;
3435
3436 case L2CAP_DISCONN_REQ:
3437 err = l2cap_disconnect_req(conn, cmd, data);
3438 break;
3439
3440 case L2CAP_DISCONN_RSP:
3441 err = l2cap_disconnect_rsp(conn, cmd, data);
3442 break;
3443
3444 case L2CAP_ECHO_REQ:
3445 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
3446 break;
3447
3448 case L2CAP_ECHO_RSP:
3449 break;
3450
3451 case L2CAP_INFO_REQ:
3452 err = l2cap_information_req(conn, cmd, data);
3453 break;
3454
3455 case L2CAP_INFO_RSP:
3456 err = l2cap_information_rsp(conn, cmd, data);
3457 break;
3458
f94ff6ff
MM		 3459 case L2CAP_CREATE_CHAN_REQ:
3460 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
3461 break;
3462
3463 case L2CAP_CREATE_CHAN_RSP:
3464 err = l2cap_create_channel_rsp(conn, cmd, data);
3465 break;
3466
8d5a04a1
MM		 3467 case L2CAP_MOVE_CHAN_REQ:
3468 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
3469 break;
3470
3471 case L2CAP_MOVE_CHAN_RSP:
3472 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
3473 break;
3474
3475 case L2CAP_MOVE_CHAN_CFM:
3476 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
3477 break;
3478
3479 case L2CAP_MOVE_CHAN_CFM_RSP:
3480 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
3481 break;
3482
3300d9a9
CT		 3483 default:
3484 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
3485 err = -EINVAL;
3486 break;
3487 }
3488
3489 return err;
3490}
3491
3492static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
3493 struct l2cap_cmd_hdr *cmd, u8 *data)
3494{
3495 switch (cmd->code) {
3496 case L2CAP_COMMAND_REJ:
3497 return 0;
3498
3499 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 3500 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 3501
3502 case L2CAP_CONN_PARAM_UPDATE_RSP:
3503 return 0;
3504
3505 default:
3506 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
3507 return -EINVAL;
3508 }
3509}
3510
3511static inline void l2cap_sig_channel(struct l2cap_conn *conn,
3512 struct sk_buff *skb)
1da177e4
LT		 3513{
3514 u8 *data = skb->data;
3515 int len = skb->len;
3516 struct l2cap_cmd_hdr cmd;
3300d9a9 3517 int err;
1da177e4
LT		 3518
3519 l2cap_raw_recv(conn, skb);
3520
3521 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3522 u16 cmd_len;
1da177e4
LT		 3523 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3524 data += L2CAP_CMD_HDR_SIZE;
3525 len -= L2CAP_CMD_HDR_SIZE;
3526
88219a0f 3527 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3528
88219a0f 3529 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3530
88219a0f 3531 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3532 BT_DBG("corrupted command");
3533 break;
3534 }
3535
3300d9a9
CT		 3536 if (conn->hcon->type == LE_LINK)
3537 err = l2cap_le_sig_cmd(conn, &cmd, data);
3538 else
3539 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 3540
3541 if (err) {
e2fd318e 3542 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 3543
3544 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 3545
3546 /* FIXME: Map err to a valid reason */
e2fd318e 3547 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 3548 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3549 }
3550
88219a0f
AV		 3551 data += cmd_len;
3552 len -= cmd_len;
1da177e4
LT		 3553 }
3554
3555 kfree_skb(skb);
3556}
3557
47d1ec61 3558static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 3559{
3560 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 3561 int hdr_size;
3562
3563 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3564 hdr_size = L2CAP_EXT_HDR_SIZE;
3565 else
3566 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 3567
47d1ec61 3568 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 3569 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 3570 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3571 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3572
3573 if (our_fcs != rcv_fcs)
7a560e5c 3574 return -EBADMSG;
fcc203c3
GP		 3575 }
3576 return 0;
3577}
3578
525cd185 3579static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 3580{
88843ab0 3581 u32 control = 0;
d5392c8f 3582
6a026610 3583 chan->frames_sent = 0;
d5392c8f 3584
0b209fae 3585 control |= __set_reqseq(chan, chan->buffer_seq);
d5392c8f 3586
e2ab4353 3587 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 3588 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
525cd185 3589 l2cap_send_sframe(chan, control);
e2ab4353 3590 set_bit(CONN_RNR_SENT, &chan->conn_state);
d5392c8f
GP		 3591 }
3592
e2ab4353 3593 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
525cd185 3594 l2cap_retransmit_frames(chan);
d5392c8f 3595
525cd185 3596 l2cap_ertm_send(chan);
d5392c8f 3597
e2ab4353 3598 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
6a026610 3599 chan->frames_sent == 0) {
ab784b73 3600 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 3601 l2cap_send_sframe(chan, control);
d5392c8f
GP		 3602 }
3603}
3604
fb45de7d 3605static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u16 tx_seq, u8 sar)
8f17154f
GP		 3606{
3607 struct sk_buff *next_skb;
bfbacc11 3608 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 3609
3610 bt_cb(skb)->tx_seq = tx_seq;
3611 bt_cb(skb)->sar = sar;
3612
f1c6775b 3613 next_skb = skb_peek(&chan->srej_q);
8f17154f 3614
836be934 3615 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
bfbacc11 3616
039d9572 3617 while (next_skb) {
9b53350d
JPRV		 3618 if (bt_cb(next_skb)->tx_seq == tx_seq)
3619 return -EINVAL;
3620
836be934
AE		 3621 next_tx_seq_offset = __seq_offset(chan,
3622 bt_cb(next_skb)->tx_seq, chan->buffer_seq);
bfbacc11
JPRV		 3623
3624 if (next_tx_seq_offset > tx_seq_offset) {
f1c6775b 3625 __skb_queue_before(&chan->srej_q, next_skb, skb);
9b53350d 3626 return 0;
8f17154f
GP		 3627 }
3628
f1c6775b 3629 if (skb_queue_is_last(&chan->srej_q, next_skb))
039d9572
SJ		 3630 next_skb = NULL;
3631 else
3632 next_skb = skb_queue_next(&chan->srej_q, next_skb);
3633 }
8f17154f 3634
f1c6775b 3635 __skb_queue_tail(&chan->srej_q, skb);
9b53350d
JPRV		 3636
3637 return 0;
8f17154f
GP		 3638}
3639
84084a31
MM		 3640static void append_skb_frag(struct sk_buff *skb,
3641 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 3642{
84084a31
MM		 3643 /* skb->len reflects data in skb as well as all fragments
3644 * skb->data_len reflects only data in fragments
3645 */
3646 if (!skb_has_frag_list(skb))
3647 skb_shinfo(skb)->frag_list = new_frag;
3648
3649 new_frag->next = NULL;
3650
3651 (*last_frag)->next = new_frag;
3652 *last_frag = new_frag;
3653
3654 skb->len += new_frag->len;
3655 skb->data_len += new_frag->len;
3656 skb->truesize += new_frag->truesize;
3657}
3658
88843ab0 3659static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u32 control)
84084a31
MM		 3660{
3661 int err = -EINVAL;
18778a63 3662
7e0ef6ee
AE		 3663 switch (__get_ctrl_sar(chan, control)) {
3664 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 3665 if (chan->sdu)
3666 break;
18778a63 3667
84084a31
MM		 3668 err = chan->ops->recv(chan->data, skb);
3669 break;
18778a63 3670
7e0ef6ee 3671 case L2CAP_SAR_START:
84084a31
MM		 3672 if (chan->sdu)
3673 break;
18778a63 3674
6f61fd47 3675 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 3676 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 3677
84084a31
MM		 3678 if (chan->sdu_len > chan->imtu) {
3679 err = -EMSGSIZE;
3680 break;
3681 }
1890d36b 3682
84084a31
MM		 3683 if (skb->len >= chan->sdu_len)
3684 break;
18778a63 3685
84084a31
MM		 3686 chan->sdu = skb;
3687 chan->sdu_last_frag = skb;
18778a63 3688
84084a31
MM		 3689 skb = NULL;
3690 err = 0;
18778a63
GP		 3691 break;
3692
7e0ef6ee 3693 case L2CAP_SAR_CONTINUE:
6f61fd47 3694 if (!chan->sdu)
84084a31 3695 break;
18778a63 3696
84084a31
MM		 3697 append_skb_frag(chan->sdu, skb,
3698 &chan->sdu_last_frag);
3699 skb = NULL;
18778a63 3700
84084a31
MM		 3701 if (chan->sdu->len >= chan->sdu_len)
3702 break;
4178ba46 3703
84084a31 3704 err = 0;
18778a63
GP		 3705 break;
3706
7e0ef6ee 3707 case L2CAP_SAR_END:
6f61fd47 3708 if (!chan->sdu)
84084a31 3709 break;
18778a63 3710
84084a31
MM		 3711 append_skb_frag(chan->sdu, skb,
3712 &chan->sdu_last_frag);
3713 skb = NULL;
4178ba46 3714
84084a31
MM		 3715 if (chan->sdu->len != chan->sdu_len)
3716 break;
18778a63 3717
84084a31 3718 err = chan->ops->recv(chan->data, chan->sdu);
1890d36b 3719
84084a31
MM		 3720 if (!err) {
3721 /* Reassembly complete */
3722 chan->sdu = NULL;
3723 chan->sdu_last_frag = NULL;
3724 chan->sdu_len = 0;
1890d36b 3725 }
18778a63
GP		 3726 break;
3727 }
3728
84084a31
MM		 3729 if (err) {
3730 kfree_skb(skb);
3731 kfree_skb(chan->sdu);
3732 chan->sdu = NULL;
3733 chan->sdu_last_frag = NULL;
3734 chan->sdu_len = 0;
3735 }
18778a63 3736
84084a31 3737 return err;
18778a63
GP		 3738}
3739
26f880d2 3740static void l2cap_ertm_enter_local_busy(struct l2cap_chan *chan)
712132eb 3741{
26f880d2 3742 BT_DBG("chan %p, Enter local busy", chan);
712132eb 3743
26f880d2
MM		 3744 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3745
77f918bc 3746 __set_ack_timer(chan);
26f880d2
MM		 3747}
3748
3749static void l2cap_ertm_exit_local_busy(struct l2cap_chan *chan)
3750{
88843ab0 3751 u32 control;
712132eb 3752
e2ab4353 3753 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
712132eb
GP		 3754 goto done;
3755
0b209fae 3756 control = __set_reqseq(chan, chan->buffer_seq);
e3781735 3757 control |= __set_ctrl_poll(chan);
ab784b73 3758 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 3759 l2cap_send_sframe(chan, control);
6a026610 3760 chan->retry_count = 1;
712132eb 3761
1a09bcb9
GP		 3762 __clear_retrans_timer(chan);
3763 __set_monitor_timer(chan);
712132eb 3764
e2ab4353 3765 set_bit(CONN_WAIT_F, &chan->conn_state);
712132eb
GP		 3766
3767done:
e2ab4353
GP		 3768 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3769 clear_bit(CONN_RNR_SENT, &chan->conn_state);
712132eb 3770
49208c9c 3771 BT_DBG("chan %p, Exit local busy", chan);
712132eb
GP		 3772}
3773
e328140f 3774void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
1890d36b 3775{
e328140f
MM		 3776 if (chan->mode == L2CAP_MODE_ERTM) {
3777 if (busy)
3778 l2cap_ertm_enter_local_busy(chan);
3779 else
3780 l2cap_ertm_exit_local_busy(chan);
1890d36b 3781 }
1890d36b
GP		 3782}
3783
fb45de7d 3784static void l2cap_check_srej_gap(struct l2cap_chan *chan, u16 tx_seq)
8f17154f
GP		 3785{
3786 struct sk_buff *skb;
88843ab0 3787 u32 control;
8f17154f 3788
e328140f
MM		 3789 while ((skb = skb_peek(&chan->srej_q)) &&
3790 !test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3791 int err;
3792
8f17154f
GP		 3793 if (bt_cb(skb)->tx_seq != tx_seq)
3794 break;
3795
f1c6775b 3796 skb = skb_dequeue(&chan->srej_q);
7e0ef6ee 3797 control = __set_ctrl_sar(chan, bt_cb(skb)->sar);
84084a31 3798 err = l2cap_reassemble_sdu(chan, skb, control);
e328140f
MM		 3799
3800 if (err < 0) {
3801 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3802 break;
3803 }
3804
836be934
AE		 3805 chan->buffer_seq_srej = __next_seq(chan, chan->buffer_seq_srej);
3806 tx_seq = __next_seq(chan, tx_seq);
8f17154f
GP		 3807 }
3808}
3809
fb45de7d 3810static void l2cap_resend_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 3811{
8f17154f 3812 struct srej_list *l, *tmp;
88843ab0 3813 u32 control;
8f17154f 3814
39d5a3ee 3815 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
8f17154f
GP		 3816 if (l->tx_seq == tx_seq) {
3817 list_del(&l->list);
3818 kfree(l);
3819 return;
3820 }
ab784b73 3821 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 3822 control |= __set_reqseq(chan, l->tx_seq);
525cd185 3823 l2cap_send_sframe(chan, control);
8f17154f 3824 list_del(&l->list);
39d5a3ee 3825 list_add_tail(&l->list, &chan->srej_l);
8f17154f
GP		 3826 }
3827}
3828
aef89f21 3829static int l2cap_send_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 3830{
8f17154f 3831 struct srej_list *new;
88843ab0 3832 u32 control;
8f17154f 3833
42e5c802 3834 while (tx_seq != chan->expected_tx_seq) {
ab784b73 3835 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 3836 control |= __set_reqseq(chan, chan->expected_tx_seq);
525cd185 3837 l2cap_send_sframe(chan, control);
8f17154f
GP		 3838
3839 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
aef89f21
SJ		 3840 if (!new)
3841 return -ENOMEM;
3842
42e5c802 3843 new->tx_seq = chan->expected_tx_seq;
836be934
AE		 3844
3845 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
3846
39d5a3ee 3847 list_add_tail(&new->list, &chan->srej_l);
8f17154f 3848 }
836be934
AE		 3849
3850 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
aef89f21
SJ		 3851
3852 return 0;
8f17154f
GP		 3853}
3854
88843ab0 3855static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
1c2acffb 3856{
fb45de7d 3857 u16 tx_seq = __get_txseq(chan, rx_control);
0b209fae 3858 u16 req_seq = __get_reqseq(chan, rx_control);
7e0ef6ee 3859 u8 sar = __get_ctrl_sar(chan, rx_control);
f6337c77 3860 int tx_seq_offset, expected_tx_seq_offset;
47d1ec61 3861 int num_to_ack = (chan->tx_win/6) + 1;
1c2acffb
GP		 3862 int err = 0;
3863
88843ab0 3864 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%8.8x", chan, skb->len,
525cd185 3865 tx_seq, rx_control);
1c2acffb 3866
03f6715d 3867 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 3868 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 3869 __clear_monitor_timer(chan);
6a026610 3870 if (chan->unacked_frames > 0)
1a09bcb9 3871 __set_retrans_timer(chan);
e2ab4353 3872 clear_bit(CONN_WAIT_F, &chan->conn_state);
1d8f5d16
GP		 3873 }
3874
42e5c802
GP		 3875 chan->expected_ack_seq = req_seq;
3876 l2cap_drop_acked_frames(chan);
9f121a5a 3877
836be934 3878 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
9b53350d
JPRV		 3879
3880 /* invalid tx_seq */
47d1ec61 3881 if (tx_seq_offset >= chan->tx_win) {
8c1d787b 3882 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
9b53350d
JPRV		 3883 goto drop;
3884 }
3885
77f918bc
SJ		 3886 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3887 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
3888 l2cap_send_ack(chan);
1890d36b 3889 goto drop;
77f918bc 3890 }
1890d36b 3891
02f1b641
MM		 3892 if (tx_seq == chan->expected_tx_seq)
3893 goto expected;
3894
e2ab4353 3895 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
8f17154f 3896 struct srej_list *first;
30afb5b2 3897
39d5a3ee 3898 first = list_first_entry(&chan->srej_l,
8f17154f
GP		 3899 struct srej_list, list);
3900 if (tx_seq == first->tx_seq) {
42e5c802 3901 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
525cd185 3902 l2cap_check_srej_gap(chan, tx_seq);
8f17154f
GP		 3903
3904 list_del(&first->list);
3905 kfree(first);
3906
39d5a3ee 3907 if (list_empty(&chan->srej_l)) {
42e5c802 3908 chan->buffer_seq = chan->buffer_seq_srej;
e2ab4353 3909 clear_bit(CONN_SREJ_SENT, &chan->conn_state);
525cd185 3910 l2cap_send_ack(chan);
49208c9c 3911 BT_DBG("chan %p, Exit SREJ_SENT", chan);
8f17154f
GP		 3912 }
3913 } else {
3914 struct srej_list *l;
9b53350d
JPRV		 3915
3916 /* duplicated tx_seq */
42e5c802 3917 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
9b53350d 3918 goto drop;
8f17154f 3919
39d5a3ee 3920 list_for_each_entry(l, &chan->srej_l, list) {
8f17154f 3921 if (l->tx_seq == tx_seq) {
525cd185 3922 l2cap_resend_srejframe(chan, tx_seq);
8f17154f
GP		 3923 return 0;
3924 }
3925 }
aef89f21
SJ		 3926
3927 err = l2cap_send_srejframe(chan, tx_seq);
3928 if (err < 0) {
3929 l2cap_send_disconn_req(chan->conn, chan, -err);
3930 return err;
3931 }
30afb5b2
GP		 3932 }
3933 } else {
836be934
AE		 3934 expected_tx_seq_offset = __seq_offset(chan,
3935 chan->expected_tx_seq, chan->buffer_seq);
9b53350d
JPRV		 3936
3937 /* duplicated tx_seq */
3938 if (tx_seq_offset < expected_tx_seq_offset)
3939 goto drop;
3940
e2ab4353 3941 set_bit(CONN_SREJ_SENT, &chan->conn_state);
1c2acffb 3942
49208c9c 3943 BT_DBG("chan %p, Enter SREJ", chan);
0e98958d 3944
39d5a3ee 3945 INIT_LIST_HEAD(&chan->srej_l);
42e5c802 3946 chan->buffer_seq_srej = chan->buffer_seq;
8f17154f 3947
f1c6775b 3948 __skb_queue_head_init(&chan->srej_q);
42e5c802 3949 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
8f17154f 3950
0ef3ef0f
SJ		 3951 /* Set P-bit only if there are some I-frames to ack. */
3952 if (__clear_ack_timer(chan))
3953 set_bit(CONN_SEND_PBIT, &chan->conn_state);
ef54fd93 3954
aef89f21
SJ		 3955 err = l2cap_send_srejframe(chan, tx_seq);
3956 if (err < 0) {
3957 l2cap_send_disconn_req(chan->conn, chan, -err);
3958 return err;
3959 }
1c2acffb 3960 }
30afb5b2
GP		 3961 return 0;
3962
8f17154f 3963expected:
836be934 3964 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
8f17154f 3965
e2ab4353 3966 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3b1a9f3f
GP		 3967 bt_cb(skb)->tx_seq = tx_seq;
3968 bt_cb(skb)->sar = sar;
f1c6775b 3969 __skb_queue_tail(&chan->srej_q, skb);
8f17154f
GP		 3970 return 0;
3971 }
3972
84084a31 3973 err = l2cap_reassemble_sdu(chan, skb, rx_control);
836be934
AE		 3974 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
3975
e328140f
MM		 3976 if (err < 0) {
3977 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3978 return err;
3979 }
2ece3684 3980
03f6715d 3981 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3982 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3983 l2cap_retransmit_frames(chan);
4ec10d97
GP		 3984 }
3985
c1b4f43b 3986
6a026610
GP		 3987 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3988 if (chan->num_acked == num_to_ack - 1)
525cd185 3989 l2cap_send_ack(chan);
4d611e4d
GP		 3990 else
3991 __set_ack_timer(chan);
9e917af1 3992
8f17154f 3993 return 0;
9b53350d
JPRV		 3994
3995drop:
3996 kfree_skb(skb);
3997 return 0;
1c2acffb
GP		 3998}
3999
88843ab0 4000static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u32 rx_control)
1c2acffb 4001{
88843ab0 4002 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan,
0b209fae 4003 __get_reqseq(chan, rx_control), rx_control);
0e98958d 4004
0b209fae 4005 chan->expected_ack_seq = __get_reqseq(chan, rx_control);
42e5c802 4006 l2cap_drop_acked_frames(chan);
1c2acffb 4007
e3781735 4008 if (__is_ctrl_poll(chan, rx_control)) {
e2ab4353
GP		 4009 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4010 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
4011 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 4012 (chan->unacked_frames > 0))
1a09bcb9 4013 __set_retrans_timer(chan);
05fbd89d 4014
e2ab4353 4015 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
525cd185 4016 l2cap_send_srejtail(chan);
05fbd89d 4017 } else {
525cd185 4018 l2cap_send_i_or_rr_or_rnr(chan);
05fbd89d 4019 }
1d8f5d16 4020
03f6715d 4021 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4022 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4ec10d97 4023
e2ab4353 4024 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 4025 l2cap_retransmit_frames(chan);
2246b2f1 4026
e072745f 4027 } else {
e2ab4353 4028 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 4029 (chan->unacked_frames > 0))
1a09bcb9 4030 __set_retrans_timer(chan);
1c2acffb 4031
e2ab4353
GP		 4032 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4033 if (test_bit(CONN_SREJ_SENT, &chan->conn_state))
525cd185 4034 l2cap_send_ack(chan);
894718a6 4035 else
525cd185 4036 l2cap_ertm_send(chan);
e072745f
GP		 4037 }
4038}
2246b2f1 4039
88843ab0 4040static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4041{
0b209fae 4042 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 4043
88843ab0 4044 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4045
e2ab4353 4046 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
e072745f 4047
42e5c802
GP		 4048 chan->expected_ack_seq = tx_seq;
4049 l2cap_drop_acked_frames(chan);
e072745f 4050
03f6715d 4051 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4052 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 4053 l2cap_retransmit_frames(chan);
e072745f 4054 } else {
525cd185 4055 l2cap_retransmit_frames(chan);
30afb5b2 4056
e2ab4353
GP		 4057 if (test_bit(CONN_WAIT_F, &chan->conn_state))
4058 set_bit(CONN_REJ_ACT, &chan->conn_state);
e072745f
GP		 4059 }
4060}
88843ab0 4061static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4062{
0b209fae 4063 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 4064
88843ab0 4065 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4066
e2ab4353 4067 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
2246b2f1 4068
e3781735 4069 if (__is_ctrl_poll(chan, rx_control)) {
42e5c802
GP		 4070 chan->expected_ack_seq = tx_seq;
4071 l2cap_drop_acked_frames(chan);
3cb123d1 4072
e2ab4353 4073 set_bit(CONN_SEND_FBIT, &chan->conn_state);
525cd185 4074 l2cap_retransmit_one_frame(chan, tx_seq);
dfc909be 4075
525cd185 4076 l2cap_ertm_send(chan);
dfc909be 4077
e2ab4353 4078 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 4079 chan->srej_save_reqseq = tx_seq;
e2ab4353 4080 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 4081 }
03f6715d 4082 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4083 if (test_bit(CONN_SREJ_ACT, &chan->conn_state) &&
6a026610 4084 chan->srej_save_reqseq == tx_seq)
e2ab4353 4085 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
e072745f 4086 else
525cd185 4087 l2cap_retransmit_one_frame(chan, tx_seq);
e072745f 4088 } else {
525cd185 4089 l2cap_retransmit_one_frame(chan, tx_seq);
e2ab4353 4090 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 4091 chan->srej_save_reqseq = tx_seq;
e2ab4353 4092 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 4093 }
e072745f
GP		 4094 }
4095}
4096
88843ab0 4097static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4098{
0b209fae 4099 u16 tx_seq = __get_reqseq(chan, rx_control);
e072745f 4100
88843ab0 4101 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4102
e2ab4353 4103 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
42e5c802
GP		 4104 chan->expected_ack_seq = tx_seq;
4105 l2cap_drop_acked_frames(chan);
e072745f 4106
e3781735 4107 if (__is_ctrl_poll(chan, rx_control))
e2ab4353 4108 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3cb123d1 4109
e2ab4353 4110 if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
1a09bcb9 4111 __clear_retrans_timer(chan);
e3781735 4112 if (__is_ctrl_poll(chan, rx_control))
525cd185 4113 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
99b0d4b7 4114 return;
e072745f 4115 }
99b0d4b7 4116
e3781735 4117 if (__is_ctrl_poll(chan, rx_control)) {
525cd185 4118 l2cap_send_srejtail(chan);
ab784b73
AE		 4119 } else {
4120 rx_control = __set_ctrl_super(chan, L2CAP_SUPER_RR);
4121 l2cap_send_sframe(chan, rx_control);
4122 }
e072745f
GP		 4123}
4124
88843ab0 4125static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
e072745f 4126{
88843ab0 4127 BT_DBG("chan %p rx_control 0x%8.8x len %d", chan, rx_control, skb->len);
e072745f 4128
03f6715d 4129 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 4130 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 4131 __clear_monitor_timer(chan);
6a026610 4132 if (chan->unacked_frames > 0)
1a09bcb9 4133 __set_retrans_timer(chan);
e2ab4353 4134 clear_bit(CONN_WAIT_F, &chan->conn_state);
e072745f
GP		 4135 }
4136
ab784b73
AE		 4137 switch (__get_ctrl_super(chan, rx_control)) {
4138 case L2CAP_SUPER_RR:
525cd185 4139 l2cap_data_channel_rrframe(chan, rx_control);
8f17154f
GP		 4140 break;
4141
ab784b73 4142 case L2CAP_SUPER_REJ:
525cd185 4143 l2cap_data_channel_rejframe(chan, rx_control);
e072745f 4144 break;
2246b2f1 4145
ab784b73 4146 case L2CAP_SUPER_SREJ:
525cd185 4147 l2cap_data_channel_srejframe(chan, rx_control);
e072745f
GP		 4148 break;
4149
ab784b73 4150 case L2CAP_SUPER_RNR:
525cd185 4151 l2cap_data_channel_rnrframe(chan, rx_control);
1c2acffb
GP		 4152 break;
4153 }
4154
faaebd19 4155 kfree_skb(skb);
1c2acffb
GP		 4156 return 0;
4157}
4158
cad8f1d0 4159static int l2cap_ertm_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
218bb9df 4160{
88843ab0 4161 u32 control;
0b209fae 4162 u16 req_seq;
218bb9df
GP		 4163 int len, next_tx_seq_offset, req_seq_offset;
4164
88843ab0
AE		 4165 control = __get_control(chan, skb->data);
4166 skb_pull(skb, __ctrl_size(chan));
218bb9df
GP		 4167 len = skb->len;
4168
4169 /*
4170 * We can just drop the corrupted I-frame here.
4171 * Receiver will miss it and start proper recovery
4172 * procedures and ask retransmission.
4173 */
47d1ec61 4174 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 4175 goto drop;
4176
793c2f1c 4177 if (__is_sar_start(chan, control) && !__is_sframe(chan, control))
03a51213 4178 len -= L2CAP_SDULEN_SIZE;
218bb9df 4179
47d1ec61 4180 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 4181 len -= L2CAP_FCS_SIZE;
218bb9df 4182
47d1ec61 4183 if (len > chan->mps) {
8c1d787b 4184 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4185 goto drop;
4186 }
4187
0b209fae 4188 req_seq = __get_reqseq(chan, control);
218bb9df 4189
836be934
AE		 4190 req_seq_offset = __seq_offset(chan, req_seq, chan->expected_ack_seq);
4191
4192 next_tx_seq_offset = __seq_offset(chan, chan->next_tx_seq,
4193 chan->expected_ack_seq);
218bb9df
GP		 4194
4195 /* check for invalid req-seq */
4196 if (req_seq_offset > next_tx_seq_offset) {
8c1d787b 4197 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4198 goto drop;
4199 }
4200
793c2f1c 4201 if (!__is_sframe(chan, control)) {
218bb9df 4202 if (len < 0) {
8c1d787b 4203 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4204 goto drop;
4205 }
4206
525cd185 4207 l2cap_data_channel_iframe(chan, control, skb);
218bb9df
GP		 4208 } else {
4209 if (len != 0) {
4210 BT_ERR("%d", len);
8c1d787b 4211 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4212 goto drop;
4213 }
4214
525cd185 4215 l2cap_data_channel_sframe(chan, control, skb);
218bb9df
GP		 4216 }
4217
4218 return 0;
4219
4220drop:
4221 kfree_skb(skb);
4222 return 0;
4223}
4224
1da177e4
LT		 4225static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
4226{
48454079 4227 struct l2cap_chan *chan;
bf734843 4228 struct sock *sk = NULL;
88843ab0 4229 u32 control;
fb45de7d 4230 u16 tx_seq;
218bb9df 4231 int len;
1da177e4 4232
baa7e1fa 4233 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 4234 if (!chan) {
1da177e4
LT		 4235 BT_DBG("unknown cid 0x%4.4x", cid);
4236 goto drop;
4237 }
4238
48454079 4239 sk = chan->sk;
3df91ea2 4240 lock_sock(sk);
6840ed07 4241
49208c9c 4242 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 4243
89bc500e 4244 if (chan->state != BT_CONNECTED)
1da177e4
LT		 4245 goto drop;
4246
0c1bc5c6 4247 switch (chan->mode) {
1c2acffb
GP		 4248 case L2CAP_MODE_BASIC:
4249 /* If socket recv buffers overflows we drop data here
4250 * which is *bad* because L2CAP has to be reliable.
4251 * But we don't have any other choice. L2CAP doesn't
4252 * provide flow control mechanism. */
1da177e4 4253
0c1bc5c6 4254 if (chan->imtu < skb->len)
1c2acffb 4255 goto drop;
1da177e4 4256
23070494 4257 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP		 4258 goto done;
4259 break;
4260
4261 case L2CAP_MODE_ERTM:
5ef8cb9e 4262 l2cap_ertm_data_rcv(chan, skb);
1c2acffb 4263
fcafde2e 4264 goto done;
1c2acffb 4265
6840ed07 4266 case L2CAP_MODE_STREAMING:
88843ab0
AE		 4267 control = __get_control(chan, skb->data);
4268 skb_pull(skb, __ctrl_size(chan));
6840ed07
GP		 4269 len = skb->len;
4270
47d1ec61 4271 if (l2cap_check_fcs(chan, skb))
26000089
GP		 4272 goto drop;
4273
7e0ef6ee 4274 if (__is_sar_start(chan, control))
03a51213 4275 len -= L2CAP_SDULEN_SIZE;
6840ed07 4276
47d1ec61 4277 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 4278 len -= L2CAP_FCS_SIZE;
fcc203c3 4279
793c2f1c 4280 if (len > chan->mps || len < 0 || __is_sframe(chan, control))
6840ed07
GP		 4281 goto drop;
4282
fb45de7d 4283 tx_seq = __get_txseq(chan, control);
6840ed07 4284
84084a31
MM		 4285 if (chan->expected_tx_seq != tx_seq) {
4286 /* Frame(s) missing - must discard partial SDU */
4287 kfree_skb(chan->sdu);
4288 chan->sdu = NULL;
4289 chan->sdu_last_frag = NULL;
4290 chan->sdu_len = 0;
6840ed07 4291
84084a31
MM		 4292 /* TODO: Notify userland of missing data */
4293 }
4294
836be934 4295 chan->expected_tx_seq = __next_seq(chan, tx_seq);
84084a31
MM		 4296
4297 if (l2cap_reassemble_sdu(chan, skb, control) == -EMSGSIZE)
4298 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
6840ed07
GP		 4299
4300 goto done;
4301
1c2acffb 4302 default:
0c1bc5c6 4303 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 4304 break;
4305 }
1da177e4
LT		 4306
4307drop:
4308 kfree_skb(skb);
4309
4310done:
0139418c 4311 if (sk)
aa2ac881 4312 release_sock(sk);
0139418c 4313
1da177e4
LT		 4314 return 0;
4315}
4316
8e036fc3 4317static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 4318{
6dcae1ea 4319 struct sock *sk = NULL;
23691d75 4320 struct l2cap_chan *chan;
1da177e4 4321
23691d75
GP		 4322 chan = l2cap_global_chan_by_psm(0, psm, conn->src);
4323 if (!chan)
1da177e4
LT		 4324 goto drop;
4325
23691d75
GP		 4326 sk = chan->sk;
4327
aa2ac881 4328 lock_sock(sk);
e0f0cb56 4329
1da177e4
LT		 4330 BT_DBG("sk %p, len %d", sk, skb->len);
4331
89bc500e 4332 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 4333 goto drop;
4334
e13e21dc 4335 if (chan->imtu < skb->len)
1da177e4
LT		 4336 goto drop;
4337
23070494 4338 if (!chan->ops->recv(chan->data, skb))
1da177e4
LT		 4339 goto done;
4340
4341drop:
4342 kfree_skb(skb);
4343
4344done:
af05b30b 4345 if (sk)
aa2ac881 4346 release_sock(sk);
1da177e4
LT		 4347 return 0;
4348}
4349
9f69bda6
GP		 4350static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
4351{
6dcae1ea 4352 struct sock *sk = NULL;
23691d75 4353 struct l2cap_chan *chan;
9f69bda6 4354
23691d75
GP		 4355 chan = l2cap_global_chan_by_scid(0, cid, conn->src);
4356 if (!chan)
9f69bda6
GP		 4357 goto drop;
4358
23691d75
GP		 4359 sk = chan->sk;
4360
aa2ac881 4361 lock_sock(sk);
9f69bda6
GP		 4362
4363 BT_DBG("sk %p, len %d", sk, skb->len);
4364
89bc500e 4365 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 4366 goto drop;
4367
e13e21dc 4368 if (chan->imtu < skb->len)
9f69bda6
GP		 4369 goto drop;
4370
23070494 4371 if (!chan->ops->recv(chan->data, skb))
9f69bda6
GP		 4372 goto done;
4373
4374drop:
4375 kfree_skb(skb);
4376
4377done:
4378 if (sk)
aa2ac881 4379 release_sock(sk);
9f69bda6
GP		 4380 return 0;
4381}
4382
1da177e4
LT		 4383static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4384{
4385 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4386 u16 cid, len;
4387 __le16 psm;
1da177e4
LT		 4388
4389 skb_pull(skb, L2CAP_HDR_SIZE);
4390 cid = __le16_to_cpu(lh->cid);
4391 len = __le16_to_cpu(lh->len);
4392
1c2acffb
GP		 4393 if (len != skb->len) {
4394 kfree_skb(skb);
4395 return;
4396 }
4397
1da177e4
LT		 4398 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4399
4400 switch (cid) {
3300d9a9 4401 case L2CAP_CID_LE_SIGNALING:
8db4dc46 4402 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4403 l2cap_sig_channel(conn, skb);
4404 break;
4405
8db4dc46 4406 case L2CAP_CID_CONN_LESS:
1b7bf4ed 4407 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 4408 skb_pull(skb, 2);
4409 l2cap_conless_channel(conn, psm, skb);
4410 break;
4411
9f69bda6
GP		 4412 case L2CAP_CID_LE_DATA:
4413 l2cap_att_channel(conn, cid, skb);
4414 break;
4415
b501d6a1
AB		 4416 case L2CAP_CID_SMP:
4417 if (smp_sig_channel(conn, skb))
4418 l2cap_conn_del(conn->hcon, EACCES);
4419 break;
4420
1da177e4
LT		 4421 default:
4422 l2cap_data_channel(conn, cid, skb);
4423 break;
4424 }
4425}
4426
4427/* ---- L2CAP interface with lower layer (HCI) ---- */
4428
686ebf28 4429int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 4430{
4431 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 4432 struct l2cap_chan *c;
1da177e4 4433
1da177e4
LT		 4434 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4435
4436 /* Find listening sockets and check their link_mode */
23691d75
GP		 4437 read_lock(&chan_list_lock);
4438 list_for_each_entry(c, &chan_list, global_l) {
4439 struct sock *sk = c->sk;
4343478f 4440
89bc500e 4441 if (c->state != BT_LISTEN)
1da177e4
LT		 4442 continue;
4443
4444 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4445 lm1 |= HCI_LM_ACCEPT;
43bd0f32 4446 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 4447 lm1 |= HCI_LM_MASTER;
1da177e4 4448 exact++;
2af6b9d5
MH		 4449 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4450 lm2 |= HCI_LM_ACCEPT;
43bd0f32 4451 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 4452 lm2 |= HCI_LM_MASTER;
4453 }
1da177e4 4454 }
23691d75 4455 read_unlock(&chan_list_lock);
1da177e4
LT		 4456
4457 return exact ? lm1 : lm2;
4458}
4459
686ebf28 4460int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 4461{
0139418c
MH		 4462 struct l2cap_conn *conn;
4463
1da177e4
LT		 4464 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4465
1da177e4 4466 if (!status) {
1da177e4
LT		 4467 conn = l2cap_conn_add(hcon, status);
4468 if (conn)
4469 l2cap_conn_ready(conn);
0139418c 4470 } else
e175072f 4471 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 4472
4473 return 0;
4474}
4475
686ebf28 4476int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 4477{
4478 struct l2cap_conn *conn = hcon->l2cap_data;
4479
4480 BT_DBG("hcon %p", hcon);
4481
686ebf28 4482 if (!conn)
9f5a0d7b 4483 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 4484 return conn->disc_reason;
4485}
4486
686ebf28 4487int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4488{
4489 BT_DBG("hcon %p reason %d", hcon, reason);
4490
e175072f 4491 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 4492 return 0;
4493}
4494
4343478f 4495static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4496{
715ec005 4497 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 4498 return;
4499
f62e4323 4500 if (encrypt == 0x00) {
4343478f 4501 if (chan->sec_level == BT_SECURITY_MEDIUM) {
c9b66675 4502 __clear_chan_timer(chan);
b83ddfe2
AK		 4503 __set_chan_timer(chan,
4504 msecs_to_jiffies(L2CAP_ENC_TIMEOUT));
4343478f 4505 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 4506 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4507 } else {
4343478f 4508 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 4509 __clear_chan_timer(chan);
f62e4323
MH		 4510 }
4511}
4512
686ebf28 4513int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4514{
0139418c 4515 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4516 struct l2cap_chan *chan;
1da177e4 4517
0139418c 4518 if (!conn)
1da177e4 4519 return 0;
0139418c 4520
1da177e4
LT		 4521 BT_DBG("conn %p", conn);
4522
160dc6ac
VCG		 4523 if (hcon->type == LE_LINK) {
4524 smp_distribute_keys(conn, 0);
17cd3f37 4525 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 4526 }
4527
3df91ea2 4528 mutex_lock(&conn->chan_lock);
1da177e4 4529
3df91ea2 4530 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 4531 struct sock *sk = chan->sk;
baa7e1fa 4532
1da177e4
LT		 4533 bh_lock_sock(sk);
4534
f1cb9af5
VCG		 4535 BT_DBG("chan->scid %d", chan->scid);
4536
4537 if (chan->scid == L2CAP_CID_LE_DATA) {
4538 if (!status && encrypt) {
4539 chan->sec_level = hcon->sec_level;
cf4cd009 4540 l2cap_chan_ready(chan);
f1cb9af5
VCG		 4541 }
4542
4543 bh_unlock_sock(sk);
4544 continue;
4545 }
4546
c1360a1c 4547 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6a8d3010
MH		 4548 bh_unlock_sock(sk);
4549 continue;
4550 }
4551
89bc500e
GP		 4552 if (!status && (chan->state == BT_CONNECTED ||
4553 chan->state == BT_CONFIG)) {
4343478f 4554 l2cap_check_encryption(chan, encrypt);
9719f8af
MH		 4555 bh_unlock_sock(sk);
4556 continue;
4557 }
4558
89bc500e 4559 if (chan->state == BT_CONNECT) {
b1235d79
MH		 4560 if (!status) {
4561 struct l2cap_conn_req req;
fe4128e0
GP		 4562 req.scid = cpu_to_le16(chan->scid);
4563 req.psm = chan->psm;
1da177e4 4564
fc7f8a7e 4565 chan->ident = l2cap_get_ident(conn);
c1360a1c 4566 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4 4567
fc7f8a7e 4568 l2cap_send_cmd(conn, chan->ident,
b1235d79
MH		 4569 L2CAP_CONN_REQ, sizeof(req), &req);
4570 } else {
c9b66675 4571 __clear_chan_timer(chan);
b83ddfe2
AK		 4572 __set_chan_timer(chan,
4573 msecs_to_jiffies(L2CAP_DISC_TIMEOUT));
b1235d79 4574 }
89bc500e 4575 } else if (chan->state == BT_CONNECT2) {
b1235d79 4576 struct l2cap_conn_rsp rsp;
df3c3931 4577 __u16 res, stat;
1da177e4 4578
b1235d79 4579 if (!status) {
df3c3931
JH		 4580 if (bt_sk(sk)->defer_setup) {
4581 struct sock *parent = bt_sk(sk)->parent;
4582 res = L2CAP_CR_PEND;
4583 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 4584 if (parent)
4585 parent->sk_data_ready(parent, 0);
df3c3931 4586 } else {
05558911 4587 l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 4588 res = L2CAP_CR_SUCCESS;
4589 stat = L2CAP_CS_NO_INFO;
4590 }
b1235d79 4591 } else {
89bc500e 4592 l2cap_state_change(chan, BT_DISCONN);
b83ddfe2
AK		 4593 __set_chan_timer(chan,
4594 msecs_to_jiffies(L2CAP_DISC_TIMEOUT));
df3c3931
JH		 4595 res = L2CAP_CR_SEC_BLOCK;
4596 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 4597 }
4598
fe4128e0
GP		 4599 rsp.scid = cpu_to_le16(chan->dcid);
4600 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 4601 rsp.result = cpu_to_le16(res);
4602 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 4603 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4604 sizeof(rsp), &rsp);
b1235d79 4605 }
1da177e4
LT		 4606
4607 bh_unlock_sock(sk);
4608 }
4609
3df91ea2 4610 mutex_unlock(&conn->chan_lock);
b1235d79 4611
1da177e4
LT		 4612 return 0;
4613}
4614
686ebf28 4615int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 4616{
4617 struct l2cap_conn *conn = hcon->l2cap_data;
4618
5a08ecce
AE		 4619 if (!conn)
4620 conn = l2cap_conn_add(hcon, 0);
4621
4622 if (!conn)
1da177e4
LT		 4623 goto drop;
4624
4625 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4626
e702112f 4627 if (!(flags & ACL_CONT)) {
1da177e4 4628 struct l2cap_hdr *hdr;
48454079 4629 struct l2cap_chan *chan;
89794813 4630 u16 cid;
1da177e4
LT		 4631 int len;
4632
4633 if (conn->rx_len) {
4634 BT_ERR("Unexpected start frame (len %d)", skb->len);
4635 kfree_skb(conn->rx_skb);
4636 conn->rx_skb = NULL;
4637 conn->rx_len = 0;
4638 l2cap_conn_unreliable(conn, ECOMM);
4639 }
4640
aae7fe22
AE		 4641 /* Start fragment always begin with Basic L2CAP header */
4642 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 4643 BT_ERR("Frame is too short (len %d)", skb->len);
4644 l2cap_conn_unreliable(conn, ECOMM);
4645 goto drop;
4646 }
4647
4648 hdr = (struct l2cap_hdr *) skb->data;
4649 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
89794813 4650 cid = __le16_to_cpu(hdr->cid);
1da177e4
LT		 4651
4652 if (len == skb->len) {
4653 /* Complete frame received */
4654 l2cap_recv_frame(conn, skb);
4655 return 0;
4656 }
4657
4658 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4659
4660 if (skb->len > len) {
4661 BT_ERR("Frame is too long (len %d, expected len %d)",
4662 skb->len, len);
4663 l2cap_conn_unreliable(conn, ECOMM);
4664 goto drop;
4665 }
4666
baa7e1fa 4667 chan = l2cap_get_chan_by_scid(conn, cid);
89794813 4668
48454079
GP		 4669 if (chan && chan->sk) {
4670 struct sock *sk = chan->sk;
3df91ea2 4671 lock_sock(sk);
89794813 4672
0c1bc5c6 4673 if (chan->imtu < len - L2CAP_HDR_SIZE) {
48454079
GP		 4674 BT_ERR("Frame exceeding recv MTU (len %d, "
4675 "MTU %d)", len,
0c1bc5c6 4676 chan->imtu);
aa2ac881 4677 release_sock(sk);
48454079
GP		 4678 l2cap_conn_unreliable(conn, ECOMM);
4679 goto drop;
4680 }
aa2ac881 4681 release_sock(sk);
48454079 4682 }
89794813 4683
1da177e4 4684 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4685 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4686 if (!conn->rx_skb)
1da177e4
LT		 4687 goto drop;
4688
d626f62b 4689 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4690 skb->len);
1da177e4
LT		 4691 conn->rx_len = len - skb->len;
4692 } else {
4693 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4694
4695 if (!conn->rx_len) {
4696 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4697 l2cap_conn_unreliable(conn, ECOMM);
4698 goto drop;
4699 }
4700
4701 if (skb->len > conn->rx_len) {
4702 BT_ERR("Fragment is too long (len %d, expected %d)",
4703 skb->len, conn->rx_len);
4704 kfree_skb(conn->rx_skb);
4705 conn->rx_skb = NULL;
4706 conn->rx_len = 0;
4707 l2cap_conn_unreliable(conn, ECOMM);
4708 goto drop;
4709 }
4710
d626f62b 4711 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4712 skb->len);
1da177e4
LT		 4713 conn->rx_len -= skb->len;
4714
4715 if (!conn->rx_len) {
4716 /* Complete frame received */
4717 l2cap_recv_frame(conn, conn->rx_skb);
4718 conn->rx_skb = NULL;
4719 }
4720 }
4721
4722drop:
4723 kfree_skb(skb);
4724 return 0;
4725}
4726
aef7d97c 4727static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 4728{
23691d75 4729 struct l2cap_chan *c;
1da177e4 4730
333055f2 4731 read_lock(&chan_list_lock);
1da177e4 4732
23691d75
GP		 4733 list_for_each_entry(c, &chan_list, global_l) {
4734 struct sock *sk = c->sk;
101545f6 4735
903d343e 4736 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 4737 batostr(&bt_sk(sk)->src),
4738 batostr(&bt_sk(sk)->dst),
89bc500e 4739 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 4740 c->scid, c->dcid, c->imtu, c->omtu,
4741 c->sec_level, c->mode);
61e1b4b7 4742 }
1da177e4 4743
333055f2 4744 read_unlock(&chan_list_lock);
1da177e4 4745
aef7d97c 4746 return 0;
1da177e4
LT		 4747}
4748
aef7d97c
MH		 4749static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4750{
4751 return single_open(file, l2cap_debugfs_show, inode->i_private);
4752}
4753
4754static const struct file_operations l2cap_debugfs_fops = {
4755 .open = l2cap_debugfs_open,
4756 .read = seq_read,
4757 .llseek = seq_lseek,
4758 .release = single_release,
4759};
4760
4761static struct dentry *l2cap_debugfs;
1da177e4 4762
64274518 4763int __init l2cap_init(void)
1da177e4
LT		 4764{
4765 int err;
be9d1227 4766
bb58f747 4767 err = l2cap_init_sockets();
1da177e4
LT		 4768 if (err < 0)
4769 return err;
4770
aef7d97c
MH		 4771 if (bt_debugfs) {
4772 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4773 bt_debugfs, NULL, &l2cap_debugfs_fops);
4774 if (!l2cap_debugfs)
4775 BT_ERR("Failed to create L2CAP debug file");
4776 }
1da177e4 4777
1da177e4 4778 return 0;
1da177e4
LT		 4779}
4780
64274518 4781void l2cap_exit(void)
1da177e4 4782{
aef7d97c 4783 debugfs_remove(l2cap_debugfs);
bb58f747 4784 l2cap_cleanup_sockets();
1da177e4
LT		 4785}
4786
d1c4a17d
GP		 4787module_param(disable_ertm, bool, 0644);
4788MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)