projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Search global l2cap channels by src/dst addresses
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
1da177e4
LT		 7
8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License version 2 as
12 published by the Free Software Foundation;
13
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22
8e87d142
YH		 23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 25 SOFTWARE IS DISCLAIMED.
26*/
27
bb58f747 28/* Bluetooth L2CAP core. */
1da177e4 29
1da177e4
LT		 30#include <linux/module.h>
31
32#include <linux/types.h>
4fc268d2 33#include <linux/capability.h>
1da177e4
LT		 34#include <linux/errno.h>
35#include <linux/kernel.h>
1da177e4
LT		 36#include <linux/sched.h>
37#include <linux/slab.h>
38#include <linux/poll.h>
39#include <linux/fcntl.h>
40#include <linux/init.h>
41#include <linux/interrupt.h>
42#include <linux/socket.h>
43#include <linux/skbuff.h>
1da177e4 44#include <linux/list.h>
be9d1227 45#include <linux/device.h>
aef7d97c
MH		 46#include <linux/debugfs.h>
47#include <linux/seq_file.h>
af05b30b 48#include <linux/uaccess.h>
fcc203c3 49#include <linux/crc16.h>
1da177e4
LT		 50#include <net/sock.h>
51
1da177e4
LT		 52#include <asm/unaligned.h>
53
54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h>
b501d6a1 57#include <net/bluetooth/smp.h>
1da177e4 58
eb939922 59bool disable_ertm;
f0709e03 60
47ec1dcd 61static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 62static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 63
b5ad8b7f
JB		 64static LIST_HEAD(chan_list);
65static DEFINE_RWLOCK(chan_list_lock);
1da177e4 66
1da177e4
LT		 67static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
68 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 69static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
70 void *data);
710f9b0a 71static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a
GP		 72static void l2cap_send_disconn_req(struct l2cap_conn *conn,
73 struct l2cap_chan *chan, int err);
1da177e4 74
0139418c 75/* ---- L2CAP channels ---- */
71ba0e56 76
baa7e1fa 77static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 78{
3df91ea2 79 struct l2cap_chan *c;
3d57dc68 80
3df91ea2
AE		 81 list_for_each_entry(c, &conn->chan_l, list) {
82 if (c->dcid == cid)
83 return c;
0139418c 84 }
3df91ea2 85 return NULL;
0139418c
MH		 86}
87
baa7e1fa 88static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 89{
3df91ea2 90 struct l2cap_chan *c;
3d57dc68 91
3df91ea2
AE		 92 list_for_each_entry(c, &conn->chan_l, list) {
93 if (c->scid == cid)
94 return c;
0139418c 95 }
3df91ea2 96 return NULL;
0139418c
MH		 97}
98
99/* Find channel with given SCID.
100 * Returns locked socket */
baa7e1fa 101static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 102{
48454079 103 struct l2cap_chan *c;
baa7e1fa 104
3df91ea2 105 mutex_lock(&conn->chan_lock);
baa7e1fa 106 c = __l2cap_get_chan_by_scid(conn, cid);
3df91ea2
AE		 107 mutex_unlock(&conn->chan_lock);
108
48454079 109 return c;
0139418c
MH		 110}
111
baa7e1fa 112static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 113{
3df91ea2 114 struct l2cap_chan *c;
3d57dc68 115
3df91ea2
AE		 116 list_for_each_entry(c, &conn->chan_l, list) {
117 if (c->ident == ident)
118 return c;
0139418c 119 }
3df91ea2 120 return NULL;
0139418c
MH		 121}
122
baa7e1fa 123static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 124{
48454079 125 struct l2cap_chan *c;
baa7e1fa 126
3df91ea2 127 mutex_lock(&conn->chan_lock);
baa7e1fa 128 c = __l2cap_get_chan_by_ident(conn, ident);
3df91ea2
AE		 129 mutex_unlock(&conn->chan_lock);
130
48454079 131 return c;
0139418c
MH		 132}
133
23691d75 134static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 135{
23691d75 136 struct l2cap_chan *c;
9e4425ff 137
23691d75
GP		 138 list_for_each_entry(c, &chan_list, global_l) {
139 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 140 return c;
9e4425ff 141 }
250938cb 142 return NULL;
9e4425ff
GP		 143}
144
145int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
146{
73b2ec18
GP		 147 int err;
148
333055f2 149 write_lock(&chan_list_lock);
9e4425ff 150
23691d75 151 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 152 err = -EADDRINUSE;
153 goto done;
9e4425ff
GP		 154 }
155
73b2ec18
GP		 156 if (psm) {
157 chan->psm = psm;
158 chan->sport = psm;
159 err = 0;
160 } else {
161 u16 p;
162
163 err = -EINVAL;
164 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 165 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 166 chan->psm = cpu_to_le16(p);
167 chan->sport = cpu_to_le16(p);
168 err = 0;
169 break;
170 }
171 }
9e4425ff 172
73b2ec18 173done:
333055f2 174 write_unlock(&chan_list_lock);
73b2ec18 175 return err;
9e4425ff
GP		 176}
177
178int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
179{
333055f2 180 write_lock(&chan_list_lock);
9e4425ff
GP		 181
182 chan->scid = scid;
183
333055f2 184 write_unlock(&chan_list_lock);
9e4425ff
GP		 185
186 return 0;
187}
188
baa7e1fa 189static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 190{
8db4dc46 191 u16 cid = L2CAP_CID_DYN_START;
0139418c 192
8db4dc46 193 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 194 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 195 return cid;
196 }
197
198 return 0;
199}
200
0e587be7 201static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 202{
42d2d87c 203 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
badaaa00
GP		 204 state_to_string(state));
205
89bc500e
GP		 206 chan->state = state;
207 chan->ops->state_change(chan->data, state);
208}
209
0e587be7
AE		 210static void l2cap_state_change(struct l2cap_chan *chan, int state)
211{
212 struct sock *sk = chan->sk;
213
214 lock_sock(sk);
215 __l2cap_state_change(chan, state);
216 release_sock(sk);
217}
218
2e0052e4
AE		 219static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
220{
221 struct sock *sk = chan->sk;
222
223 sk->sk_err = err;
224}
225
226static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
227{
228 struct sock *sk = chan->sk;
229
230 lock_sock(sk);
231 __l2cap_chan_set_err(chan, err);
232 release_sock(sk);
233}
234
3c588192
MM		 235/* ---- L2CAP sequence number lists ---- */
236
237/* For ERTM, ordered lists of sequence numbers must be tracked for
238 * SREJ requests that are received and for frames that are to be
239 * retransmitted. These seq_list functions implement a singly-linked
240 * list in an array, where membership in the list can also be checked
241 * in constant time. Items can also be added to the tail of the list
242 * and removed from the head in constant time, without further memory
243 * allocs or frees.
244 */
245
246static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
247{
248 size_t alloc_size, i;
249
250 /* Allocated size is a power of 2 to map sequence numbers
251 * (which may be up to 14 bits) in to a smaller array that is
252 * sized for the negotiated ERTM transmit windows.
253 */
254 alloc_size = roundup_pow_of_two(size);
255
256 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
257 if (!seq_list->list)
258 return -ENOMEM;
259
260 seq_list->mask = alloc_size - 1;
261 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
262 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
263 for (i = 0; i < alloc_size; i++)
264 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
265
266 return 0;
267}
268
269static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
270{
271 kfree(seq_list->list);
272}
273
274static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
275 u16 seq)
276{
277 /* Constant-time check for list membership */
278 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
279}
280
281static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
282{
283 u16 mask = seq_list->mask;
284
285 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
286 /* In case someone tries to pop the head of an empty list */
287 return L2CAP_SEQ_LIST_CLEAR;
288 } else if (seq_list->head == seq) {
289 /* Head can be removed in constant time */
290 seq_list->head = seq_list->list[seq & mask];
291 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
292
293 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
294 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
295 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
296 }
297 } else {
298 /* Walk the list to find the sequence number */
299 u16 prev = seq_list->head;
300 while (seq_list->list[prev & mask] != seq) {
301 prev = seq_list->list[prev & mask];
302 if (prev == L2CAP_SEQ_LIST_TAIL)
303 return L2CAP_SEQ_LIST_CLEAR;
304 }
305
306 /* Unlink the number from the list and clear it */
307 seq_list->list[prev & mask] = seq_list->list[seq & mask];
308 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
309 if (seq_list->tail == seq)
310 seq_list->tail = prev;
311 }
312 return seq;
313}
314
315static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
316{
317 /* Remove the head in constant time */
318 return l2cap_seq_list_remove(seq_list, seq_list->head);
319}
320
321static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
322{
323 if (seq_list->head != L2CAP_SEQ_LIST_CLEAR) {
324 u16 i;
325 for (i = 0; i <= seq_list->mask; i++)
326 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
327
328 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
329 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
330 }
331}
332
333static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
334{
335 u16 mask = seq_list->mask;
336
337 /* All appends happen in constant time */
338
339 if (seq_list->list[seq & mask] == L2CAP_SEQ_LIST_CLEAR) {
340 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
341 seq_list->head = seq;
342 else
343 seq_list->list[seq_list->tail & mask] = seq;
344
345 seq_list->tail = seq;
346 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
347 }
348}
349
721c4181 350static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 351{
721c4181
GP		 352 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
353 chan_timer.work);
3df91ea2 354 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 355 int reason;
356
e05dcc32 357 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 358
3df91ea2 359 mutex_lock(&conn->chan_lock);
6be36555 360 l2cap_chan_lock(chan);
ab07801d 361
89bc500e 362 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 363 reason = ECONNREFUSED;
89bc500e 364 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 365 chan->sec_level != BT_SECURITY_SDP)
366 reason = ECONNREFUSED;
367 else
368 reason = ETIMEDOUT;
369
0f852724 370 l2cap_chan_close(chan, reason);
ab07801d 371
6be36555 372 l2cap_chan_unlock(chan);
ab07801d 373
ba3bd0ee 374 chan->ops->close(chan->data);
3df91ea2
AE		 375 mutex_unlock(&conn->chan_lock);
376
371fd835 377 l2cap_chan_put(chan);
ab07801d
GP		 378}
379
eef1d9b6 380struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 381{
382 struct l2cap_chan *chan;
383
384 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
385 if (!chan)
386 return NULL;
387
c03b355e
AE		 388 mutex_init(&chan->lock);
389
333055f2 390 write_lock(&chan_list_lock);
23691d75 391 list_add(&chan->global_l, &chan_list);
333055f2 392 write_unlock(&chan_list_lock);
23691d75 393
721c4181 394 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 395
89bc500e
GP		 396 chan->state = BT_OPEN;
397
71ba0e56
GP		 398 atomic_set(&chan->refcnt, 1);
399
eef1d9b6 400 BT_DBG("chan %p", chan);
abc545b8 401
48454079
GP		 402 return chan;
403}
404
23691d75 405void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 406{
333055f2 407 write_lock(&chan_list_lock);
23691d75 408 list_del(&chan->global_l);
333055f2 409 write_unlock(&chan_list_lock);
23691d75 410
371fd835 411 l2cap_chan_put(chan);
6ff5abbf
GP		 412}
413
bd4b1653
AE		 414void l2cap_chan_set_defaults(struct l2cap_chan *chan)
415{
416 chan->fcs = L2CAP_FCS_CRC16;
417 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
418 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
419 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
420 chan->sec_level = BT_SECURITY_LOW;
421
422 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
423}
424
14a28491 425static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 426{
af05b30b 427 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 428 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 429
9f5a0d7b 430 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 431
8c1d787b 432 chan->conn = conn;
0139418c 433
5491120e
AE		 434 switch (chan->chan_type) {
435 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 436 if (conn->hcon->type == LE_LINK) {
437 /* LE connection */
0c1bc5c6 438 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 439 chan->scid = L2CAP_CID_LE_DATA;
440 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 441 } else {
442 /* Alloc CID for connection-oriented socket */
fe4128e0 443 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 444 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 445 }
5491120e
AE		 446 break;
447
448 case L2CAP_CHAN_CONN_LESS:
0139418c 449 /* Connectionless socket */
fe4128e0
GP		 450 chan->scid = L2CAP_CID_CONN_LESS;
451 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 452 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 453 break;
454
455 default:
0139418c 456 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 457 chan->scid = L2CAP_CID_SIGNALING;
458 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 459 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 460 }
461
8f7975b1
AE		 462 chan->local_id = L2CAP_BESTEFFORT_ID;
463 chan->local_stype = L2CAP_SERV_BESTEFFORT;
464 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
465 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
466 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
467 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
468
371fd835 469 l2cap_chan_hold(chan);
baa7e1fa 470
3df91ea2 471 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 472}
473
14a28491 474static void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 475{
476 mutex_lock(&conn->chan_lock);
477 __l2cap_chan_add(conn, chan);
3df91ea2 478 mutex_unlock(&conn->chan_lock);
0139418c
MH		 479}
480
4519de9a 481static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 482{
48454079 483 struct sock *sk = chan->sk;
8c1d787b 484 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 485 struct sock *parent = bt_sk(sk)->parent;
486
c9b66675 487 __clear_chan_timer(chan);
0139418c 488
49208c9c 489 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 490
8e87d142 491 if (conn) {
baa7e1fa 492 /* Delete from channel list */
3df91ea2 493 list_del(&chan->list);
3d57dc68 494
371fd835 495 l2cap_chan_put(chan);
baa7e1fa 496
8c1d787b 497 chan->conn = NULL;
0139418c
MH		 498 hci_conn_put(conn->hcon);
499 }
500
6be36555
AE		 501 lock_sock(sk);
502
0e587be7 503 __l2cap_state_change(chan, BT_CLOSED);
0139418c
MH		 504 sock_set_flag(sk, SOCK_ZAPPED);
505
506 if (err)
2e0052e4 507 __l2cap_chan_set_err(chan, err);
0139418c
MH		 508
509 if (parent) {
510 bt_accept_unlink(sk);
511 parent->sk_data_ready(parent, 0);
512 } else
513 sk->sk_state_change(sk);
c13ffa62 514
6be36555
AE		 515 release_sock(sk);
516
c1360a1c
GP		 517 if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
518 test_bit(CONF_INPUT_DONE, &chan->conf_state)))
6ff5abbf 519 return;
2ead70b8 520
58d35f87 521 skb_queue_purge(&chan->tx_q);
c13ffa62 522
0c1bc5c6 523 if (chan->mode == L2CAP_MODE_ERTM) {
c13ffa62
GP		 524 struct srej_list *l, *tmp;
525
1a09bcb9
GP		 526 __clear_retrans_timer(chan);
527 __clear_monitor_timer(chan);
528 __clear_ack_timer(chan);
c13ffa62 529
f1c6775b 530 skb_queue_purge(&chan->srej_q);
c13ffa62 531
3c588192
MM		 532 l2cap_seq_list_free(&chan->srej_list);
533 l2cap_seq_list_free(&chan->retrans_list);
39d5a3ee 534 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
c13ffa62
GP		 535 list_del(&l->list);
536 kfree(l);
537 }
538 }
0139418c
MH		 539}
540
4519de9a
GP		 541static void l2cap_chan_cleanup_listen(struct sock *parent)
542{
543 struct sock *sk;
544
545 BT_DBG("parent %p", parent);
546
547 /* Close not yet accepted channels */
0f852724 548 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee 549 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
3df91ea2 550
6be36555 551 l2cap_chan_lock(chan);
c9b66675 552 __clear_chan_timer(chan);
ba3bd0ee 553 l2cap_chan_close(chan, ECONNRESET);
6be36555 554 l2cap_chan_unlock(chan);
3df91ea2 555
ba3bd0ee 556 chan->ops->close(chan->data);
0f852724 557 }
4519de9a
GP		 558}
559
0f852724 560void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 561{
562 struct l2cap_conn *conn = chan->conn;
563 struct sock *sk = chan->sk;
564
e05dcc32
AE		 565 BT_DBG("chan %p state %s sk %p", chan,
566 state_to_string(chan->state), sk);
4519de9a 567
89bc500e 568 switch (chan->state) {
4519de9a 569 case BT_LISTEN:
6be36555 570 lock_sock(sk);
4519de9a 571 l2cap_chan_cleanup_listen(sk);
89bc500e 572
0e587be7 573 __l2cap_state_change(chan, BT_CLOSED);
89bc500e 574 sock_set_flag(sk, SOCK_ZAPPED);
6be36555 575 release_sock(sk);
4519de9a
GP		 576 break;
577
578 case BT_CONNECTED:
579 case BT_CONFIG:
715ec005 580 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 581 conn->hcon->type == ACL_LINK) {
c9b66675 582 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 583 l2cap_send_disconn_req(conn, chan, reason);
584 } else
585 l2cap_chan_del(chan, reason);
586 break;
587
588 case BT_CONNECT2:
715ec005 589 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 590 conn->hcon->type == ACL_LINK) {
591 struct l2cap_conn_rsp rsp;
592 __u16 result;
593
594 if (bt_sk(sk)->defer_setup)
595 result = L2CAP_CR_SEC_BLOCK;
596 else
597 result = L2CAP_CR_BAD_PSM;
89bc500e 598 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 599
600 rsp.scid = cpu_to_le16(chan->dcid);
601 rsp.dcid = cpu_to_le16(chan->scid);
602 rsp.result = cpu_to_le16(result);
603 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
604 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
605 sizeof(rsp), &rsp);
606 }
607
608 l2cap_chan_del(chan, reason);
609 break;
610
611 case BT_CONNECT:
612 case BT_DISCONN:
613 l2cap_chan_del(chan, reason);
614 break;
615
616 default:
6be36555 617 lock_sock(sk);
4519de9a 618 sock_set_flag(sk, SOCK_ZAPPED);
6be36555 619 release_sock(sk);
4519de9a
GP		 620 break;
621 }
622}
623
4343478f 624static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 625{
715ec005 626 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 627 switch (chan->sec_level) {
8556edd3
JH		 628 case BT_SECURITY_HIGH:
629 return HCI_AT_DEDICATED_BONDING_MITM;
630 case BT_SECURITY_MEDIUM:
631 return HCI_AT_DEDICATED_BONDING;
632 default:
633 return HCI_AT_NO_BONDING;
634 }
fe4128e0 635 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 636 if (chan->sec_level == BT_SECURITY_LOW)
637 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 638
4343478f 639 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 640 return HCI_AT_NO_BONDING_MITM;
00ae4af9 641 else
8556edd3 642 return HCI_AT_NO_BONDING;
00ae4af9 643 } else {
4343478f 644 switch (chan->sec_level) {
00ae4af9 645 case BT_SECURITY_HIGH:
8556edd3 646 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 647 case BT_SECURITY_MEDIUM:
8556edd3 648 return HCI_AT_GENERAL_BONDING;
00ae4af9 649 default:
8556edd3 650 return HCI_AT_NO_BONDING;
00ae4af9 651 }
0684e5f9 652 }
8556edd3
JH		 653}
654
655/* Service level security */
d45fc423 656int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 657{
8c1d787b 658 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 659 __u8 auth_type;
660
4343478f 661 auth_type = l2cap_get_auth_type(chan);
79d554a6 662
4343478f 663 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 664}
665
b5ad8b7f 666static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 667{
668 u8 id;
669
670 /* Get next available identificator.
671 * 1 - 128 are used by kernel.
672 * 129 - 199 are reserved.
673 * 200 - 254 are used by utilities like l2ping, etc.
674 */
675
333055f2 676 spin_lock(&conn->lock);
4e8402a3
MH		 677
678 if (++conn->tx_ident > 128)
679 conn->tx_ident = 1;
680
681 id = conn->tx_ident;
682
333055f2 683 spin_unlock(&conn->lock);
4e8402a3
MH		 684
685 return id;
686}
687
4519de9a 688static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 689{
690 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 691 u8 flags;
4e8402a3
MH		 692
693 BT_DBG("code 0x%2.2x", code);
694
695 if (!skb)
9a9c6a34 696 return;
4e8402a3 697
e702112f
AE		 698 if (lmp_no_flush_capable(conn->hcon->hdev))
699 flags = ACL_START_NO_FLUSH;
700 else
701 flags = ACL_START;
702
14b12d0b 703 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 704 skb->priority = HCI_PRIO_MAX;
14b12d0b 705
73d80deb
LAD		 706 hci_send_acl(conn->hchan, skb, flags);
707}
708
709static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
710{
711 struct hci_conn *hcon = chan->conn->hcon;
712 u16 flags;
713
714 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
715 skb->priority);
716
717 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
718 lmp_no_flush_capable(hcon->hdev))
719 flags = ACL_START_NO_FLUSH;
720 else
721 flags = ACL_START;
14b12d0b 722
73d80deb
LAD		 723 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
724 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 725}
726
88843ab0 727static inline void l2cap_send_sframe(struct l2cap_chan *chan, u32 control)
1c2acffb
GP		 728{
729 struct sk_buff *skb;
730 struct l2cap_hdr *lh;
8c1d787b 731 struct l2cap_conn *conn = chan->conn;
e4ca6d98 732 int count, hlen;
fcc203c3 733
89bc500e 734 if (chan->state != BT_CONNECTED)
c13ffa62
GP		 735 return;
736
e4ca6d98
AE		 737 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
738 hlen = L2CAP_EXT_HDR_SIZE;
739 else
740 hlen = L2CAP_ENH_HDR_SIZE;
741
47d1ec61 742 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 743 hlen += L2CAP_FCS_SIZE;
1c2acffb 744
88843ab0 745 BT_DBG("chan %p, control 0x%8.8x", chan, control);
1c2acffb 746
fcc203c3 747 count = min_t(unsigned int, conn->mtu, hlen);
793c2f1c
AE		 748
749 control |= __set_sframe(chan);
1c2acffb 750
e2ab4353 751 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 752 control |= __set_ctrl_final(chan);
9e917af1 753
e2ab4353 754 if (test_and_clear_bit(CONN_SEND_PBIT, &chan->conn_state))
e3781735 755 control |= __set_ctrl_poll(chan);
f0946ccf 756
1c2acffb
GP		 757 skb = bt_skb_alloc(count, GFP_ATOMIC);
758 if (!skb)
9a9c6a34 759 return;
1c2acffb
GP		 760
761 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 762 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
fe4128e0 763 lh->cid = cpu_to_le16(chan->dcid);
88843ab0
AE		 764
765 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
1c2acffb 766
47d1ec61 767 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 768 u16 fcs = crc16(0, (u8 *)lh, count - L2CAP_FCS_SIZE);
769 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 770 }
771
73d80deb
LAD		 772 skb->priority = HCI_PRIO_MAX;
773 l2cap_do_send(chan, skb);
1c2acffb
GP		 774}
775
88843ab0 776static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u32 control)
7e743090 777{
e2ab4353 778 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 779 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 780 set_bit(CONN_RNR_SENT, &chan->conn_state);
1890d36b 781 } else
ab784b73 782 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
7e743090 783
0b209fae 784 control |= __set_reqseq(chan, chan->buffer_seq);
2ab25cdd 785
525cd185 786 l2cap_send_sframe(chan, control);
7e743090
GP		 787}
788
b76bbd66
MM		 789static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
790{
791 u16 packed;
792
793 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
794 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
795
796 if (control->sframe) {
797 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
798 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
799 packed |= L2CAP_CTRL_FRAME_TYPE;
800 } else {
801 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
802 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
803 }
804
805 return packed;
806}
807
808static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
809{
810 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
811 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
812
813 if (enh & L2CAP_CTRL_FRAME_TYPE) {
814 /* S-Frame */
815 control->sframe = 1;
816 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
817 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
818
819 control->sar = 0;
820 control->txseq = 0;
821 } else {
822 /* I-Frame */
823 control->sframe = 0;
824 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
825 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
826
827 control->poll = 0;
828 control->super = 0;
829 }
830}
831
832static u32 __pack_extended_control(struct l2cap_ctrl *control)
833{
834 u32 packed;
835
836 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
837 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
838
839 if (control->sframe) {
840 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
841 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
842 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
843 } else {
844 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
845 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
846 }
847
848 return packed;
849}
850
851static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
852{
853 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
854 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
855
856 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
857 /* S-Frame */
858 control->sframe = 1;
859 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
860 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
861
862 control->sar = 0;
863 control->txseq = 0;
864 } else {
865 /* I-Frame */
866 control->sframe = 0;
867 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
868 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
869
870 control->poll = 0;
871 control->super = 0;
872 }
873}
874
875static inline void __unpack_control(struct l2cap_chan *chan,
876 struct sk_buff *skb)
877{
878 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
879 __unpack_extended_control(get_unaligned_le32(skb->data),
880 &bt_cb(skb)->control);
881 } else {
882 __unpack_enhanced_control(get_unaligned_le16(skb->data),
883 &bt_cb(skb)->control);
884 }
885}
886
887static inline void __pack_control(struct l2cap_chan *chan,
888 struct l2cap_ctrl *control,
889 struct sk_buff *skb)
890{
891 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
892 put_unaligned_le32(__pack_extended_control(control),
893 skb->data + L2CAP_HDR_SIZE);
894 } else {
895 put_unaligned_le16(__pack_enhanced_control(control),
896 skb->data + L2CAP_HDR_SIZE);
897 }
898}
899
b4450035 900static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 901{
c1360a1c 902 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 903}
904
9b27f350
AE		 905static void l2cap_send_conn_req(struct l2cap_chan *chan)
906{
907 struct l2cap_conn *conn = chan->conn;
908 struct l2cap_conn_req req;
909
910 req.scid = cpu_to_le16(chan->scid);
911 req.psm = chan->psm;
912
913 chan->ident = l2cap_get_ident(conn);
914
915 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
916
917 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
918}
919
fc7f8a7e 920static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 921{
8c1d787b 922 struct l2cap_conn *conn = chan->conn;
79d554a6
MH		 923
924 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 925 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
926 return;
927
d45fc423 928 if (l2cap_chan_check_security(chan) &&
9b27f350
AE		 929 __l2cap_no_conn_pending(chan))
930 l2cap_send_conn_req(chan);
79d554a6
MH		 931 } else {
932 struct l2cap_info_req req;
933 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
934
935 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
936 conn->info_ident = l2cap_get_ident(conn);
937
ba13ccd9 938 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 939
940 l2cap_send_cmd(conn, conn->info_ident,
941 L2CAP_INFO_REQ, sizeof(req), &req);
942 }
943}
944
cf6c2c0b
GP		 945static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
946{
947 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 948 if (!disable_ertm)
cf6c2c0b
GP		 949 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
950
951 switch (mode) {
952 case L2CAP_MODE_ERTM:
953 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
954 case L2CAP_MODE_STREAMING:
955 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
956 default:
957 return 0x00;
958 }
959}
960
4519de9a 961static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 962{
6be36555 963 struct sock *sk = chan->sk;
22121fc9
GP		 964 struct l2cap_disconn_req req;
965
c13ffa62
GP		 966 if (!conn)
967 return;
968
0c1bc5c6 969 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 970 __clear_retrans_timer(chan);
971 __clear_monitor_timer(chan);
972 __clear_ack_timer(chan);
c13ffa62
GP		 973 }
974
fe4128e0
GP		 975 req.dcid = cpu_to_le16(chan->dcid);
976 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 977 l2cap_send_cmd(conn, l2cap_get_ident(conn),
978 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 979
6be36555 980 lock_sock(sk);
0e587be7 981 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 982 __l2cap_chan_set_err(chan, err);
6be36555 983 release_sock(sk);
22121fc9
GP		 984}
985
1da177e4 986/* ---- L2CAP connections ---- */
4e8402a3
MH		 987static void l2cap_conn_start(struct l2cap_conn *conn)
988{
3df91ea2 989 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 990
991 BT_DBG("conn %p", conn);
992
3df91ea2 993 mutex_lock(&conn->chan_lock);
4e8402a3 994
3df91ea2 995 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 996 struct sock *sk = chan->sk;
baa7e1fa 997
6be36555 998 l2cap_chan_lock(chan);
4e8402a3 999
715ec005 1000 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1001 l2cap_chan_unlock(chan);
79d554a6
MH		 1002 continue;
1003 }
1004
89bc500e 1005 if (chan->state == BT_CONNECT) {
d45fc423 1006 if (!l2cap_chan_check_security(chan) ||
b4450035 1007 !__l2cap_no_conn_pending(chan)) {
6be36555 1008 l2cap_chan_unlock(chan);
47731de7
GP		 1009 continue;
1010 }
79d554a6 1011
c1360a1c
GP		 1012 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1013 && test_bit(CONF_STATE2_DEVICE,
1014 &chan->conf_state)) {
89bc500e 1015 l2cap_chan_close(chan, ECONNRESET);
6be36555 1016 l2cap_chan_unlock(chan);
47731de7 1017 continue;
b1235d79 1018 }
47731de7 1019
9b27f350 1020 l2cap_send_conn_req(chan);
47731de7 1021
89bc500e 1022 } else if (chan->state == BT_CONNECT2) {
79d554a6 1023 struct l2cap_conn_rsp rsp;
e9aeb2dd 1024 char buf[128];
fe4128e0
GP		 1025 rsp.scid = cpu_to_le16(chan->dcid);
1026 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1027
d45fc423 1028 if (l2cap_chan_check_security(chan)) {
6be36555 1029 lock_sock(sk);
f66dc81f
MH		 1030 if (bt_sk(sk)->defer_setup) {
1031 struct sock *parent = bt_sk(sk)->parent;
1032 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1033 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 1034 if (parent)
1035 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 1036
1037 } else {
0e587be7 1038 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 1039 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1040 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1041 }
6be36555 1042 release_sock(sk);
79d554a6
MH		 1043 } else {
1044 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1045 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1046 }
1047
fc7f8a7e
GP		 1048 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1049 sizeof(rsp), &rsp);
e9aeb2dd 1050
c1360a1c 1051 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd 1052 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1053 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1054 continue;
1055 }
1056
c1360a1c 1057 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1058 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 1059 l2cap_build_conf_req(chan, buf), buf);
1060 chan->num_conf_req++;
4e8402a3
MH		 1061 }
1062
6be36555 1063 l2cap_chan_unlock(chan);
4e8402a3
MH		 1064 }
1065
3df91ea2 1066 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1067}
1068
c2287681 1069/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1070 * Returns closest match, locked.
1071 */
d9b88702 1072static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1073 bdaddr_t *src,
1074 bdaddr_t *dst)
b62f328b 1075{
23691d75 1076 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1077
23691d75 1078 read_lock(&chan_list_lock);
b62f328b 1079
23691d75
GP		 1080 list_for_each_entry(c, &chan_list, global_l) {
1081 struct sock *sk = c->sk;
fe4128e0 1082
89bc500e 1083 if (state && c->state != state)
b62f328b
VT		 1084 continue;
1085
23691d75 1086 if (c->scid == cid) {
c2287681
IY		 1087 int src_match, dst_match;
1088 int src_any, dst_any;
1089
b62f328b 1090 /* Exact match. */
c2287681
IY		 1091 src_match = !bacmp(&bt_sk(sk)->src, src);
1092 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1093 if (src_match && dst_match) {
23691d75
GP		 1094 read_unlock(&chan_list_lock);
1095 return c;
1096 }
b62f328b
VT		 1097
1098 /* Closest match */
c2287681
IY		 1099 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1100 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1101 if ((src_match && dst_any) || (src_any && dst_match) ||
1102 (src_any && dst_any))
23691d75 1103 c1 = c;
b62f328b
VT		 1104 }
1105 }
280f294f 1106
23691d75 1107 read_unlock(&chan_list_lock);
b62f328b 1108
23691d75 1109 return c1;
b62f328b
VT		 1110}
1111
1112static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1113{
c916fbe4 1114 struct sock *parent, *sk;
23691d75 1115 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1116
1117 BT_DBG("");
1118
1119 /* Check if we have socket listening on cid */
23691d75 1120 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1121 conn->src, conn->dst);
23691d75 1122 if (!pchan)
b62f328b
VT		 1123 return;
1124
23691d75
GP		 1125 parent = pchan->sk;
1126
aa2ac881 1127 lock_sock(parent);
62f3a2cf 1128
b62f328b
VT		 1129 /* Check for backlog size */
1130 if (sk_acceptq_is_full(parent)) {
1131 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1132 goto clean;
1133 }
1134
80808e43
GP		 1135 chan = pchan->ops->new_connection(pchan->data);
1136 if (!chan)
b62f328b
VT		 1137 goto clean;
1138
80808e43 1139 sk = chan->sk;
5d41ce1d 1140
b62f328b
VT		 1141 hci_conn_hold(conn->hcon);
1142
b62f328b
VT		 1143 bacpy(&bt_sk(sk)->src, conn->src);
1144 bacpy(&bt_sk(sk)->dst, conn->dst);
1145
d1010240
GP		 1146 bt_accept_enqueue(parent, sk);
1147
3d57dc68 1148 l2cap_chan_add(conn, chan);
48454079 1149
c9b66675 1150 __set_chan_timer(chan, sk->sk_sndtimeo);
b62f328b 1151
0e587be7 1152 __l2cap_state_change(chan, BT_CONNECTED);
b62f328b
VT		 1153 parent->sk_data_ready(parent, 0);
1154
b62f328b 1155clean:
aa2ac881 1156 release_sock(parent);
b62f328b
VT		 1157}
1158
cf4cd009 1159static void l2cap_chan_ready(struct l2cap_chan *chan)
f1cb9af5 1160{
cf4cd009 1161 struct sock *sk = chan->sk;
6be36555
AE		 1162 struct sock *parent;
1163
1164 lock_sock(sk);
1165
1166 parent = bt_sk(sk)->parent;
f1cb9af5
VCG		 1167
1168 BT_DBG("sk %p, parent %p", sk, parent);
1169
1170 chan->conf_state = 0;
1171 __clear_chan_timer(chan);
1172
0e587be7 1173 __l2cap_state_change(chan, BT_CONNECTED);
f1cb9af5
VCG		 1174 sk->sk_state_change(sk);
1175
1176 if (parent)
1177 parent->sk_data_ready(parent, 0);
6be36555
AE		 1178
1179 release_sock(sk);
f1cb9af5
VCG		 1180}
1181
4e8402a3
MH		 1182static void l2cap_conn_ready(struct l2cap_conn *conn)
1183{
48454079 1184 struct l2cap_chan *chan;
4e8402a3 1185
79d554a6 1186 BT_DBG("conn %p", conn);
4e8402a3 1187
b62f328b
VT		 1188 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
1189 l2cap_le_conn_ready(conn);
1190
160dc6ac
VCG		 1191 if (conn->hcon->out && conn->hcon->type == LE_LINK)
1192 smp_conn_security(conn, conn->hcon->pending_sec_level);
1193
3df91ea2 1194 mutex_lock(&conn->chan_lock);
4e8402a3 1195
3df91ea2 1196 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1197
6be36555 1198 l2cap_chan_lock(chan);
4e8402a3 1199
63128451 1200 if (conn->hcon->type == LE_LINK) {
b501d6a1 1201 if (smp_conn_security(conn, chan->sec_level))
cf4cd009 1202 l2cap_chan_ready(chan);
acd7d370 1203
63128451 1204 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1205 struct sock *sk = chan->sk;
c9b66675 1206 __clear_chan_timer(chan);
6be36555 1207 lock_sock(sk);
0e587be7 1208 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1209 sk->sk_state_change(sk);
6be36555 1210 release_sock(sk);
b501d6a1 1211
89bc500e 1212 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1213 l2cap_do_start(chan);
4e8402a3 1214
6be36555 1215 l2cap_chan_unlock(chan);
4e8402a3 1216 }
79d554a6 1217
3df91ea2 1218 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1219}
1220
1221/* Notify sockets that we cannot guaranty reliability anymore */
1222static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1223{
48454079 1224 struct l2cap_chan *chan;
4e8402a3
MH		 1225
1226 BT_DBG("conn %p", conn);
1227
3df91ea2 1228 mutex_lock(&conn->chan_lock);
4e8402a3 1229
3df91ea2 1230 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1231 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
2e0052e4 1232 __l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1233 }
1234
3df91ea2 1235 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1236}
1237
f878fcad 1238static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1239{
f878fcad 1240 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
030013d8 1241 info_timer.work);
4e8402a3 1242
984947dc 1243 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1244 conn->info_ident = 0;
984947dc 1245
4e8402a3
MH		 1246 l2cap_conn_start(conn);
1247}
1248
5d3de7df
VCG		 1249static void l2cap_conn_del(struct hci_conn *hcon, int err)
1250{
1251 struct l2cap_conn *conn = hcon->l2cap_data;
1252 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1253
1254 if (!conn)
1255 return;
1256
1257 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1258
1259 kfree_skb(conn->rx_skb);
1260
3df91ea2
AE		 1261 mutex_lock(&conn->chan_lock);
1262
5d3de7df
VCG		 1263 /* Kill channels */
1264 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
6be36555
AE		 1265 l2cap_chan_lock(chan);
1266
5d3de7df 1267 l2cap_chan_del(chan, err);
6be36555
AE		 1268
1269 l2cap_chan_unlock(chan);
1270
5d3de7df
VCG		 1271 chan->ops->close(chan->data);
1272 }
1273
3df91ea2
AE		 1274 mutex_unlock(&conn->chan_lock);
1275
73d80deb
LAD		 1276 hci_chan_del(conn->hchan);
1277
5d3de7df 1278 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1279 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1280
51a8efd7 1281 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1282 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1283 smp_chan_destroy(conn);
d26a2345 1284 }
5d3de7df
VCG		 1285
1286 hcon->l2cap_data = NULL;
1287 kfree(conn);
1288}
1289
6c9d42a1 1290static void security_timeout(struct work_struct *work)
5d3de7df 1291{
6c9d42a1
GP		 1292 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1293 security_timer.work);
5d3de7df
VCG		 1294
1295 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1296}
1297
1da177e4
LT		 1298static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1299{
0139418c 1300 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1301 struct hci_chan *hchan;
1da177e4 1302
0139418c 1303 if (conn || status)
1da177e4
LT		 1304 return conn;
1305
73d80deb
LAD		 1306 hchan = hci_chan_create(hcon);
1307 if (!hchan)
1308 return NULL;
1309
0139418c 1310 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
73d80deb
LAD		 1311 if (!conn) {
1312 hci_chan_del(hchan);
1da177e4 1313 return NULL;
73d80deb 1314 }
1da177e4
LT		 1315
1316 hcon->l2cap_data = conn;
1317 conn->hcon = hcon;
73d80deb 1318 conn->hchan = hchan;
1da177e4 1319
73d80deb 1320 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1321
acd7d370
VT		 1322 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1323 conn->mtu = hcon->hdev->le_mtu;
1324 else
1325 conn->mtu = hcon->hdev->acl_mtu;
1326
1da177e4
LT		 1327 conn->src = &hcon->hdev->bdaddr;
1328 conn->dst = &hcon->dst;
1329
4e8402a3
MH		 1330 conn->feat_mask = 0;
1331
1da177e4 1332 spin_lock_init(&conn->lock);
3df91ea2 1333 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1334
1335 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1336
5d3de7df 1337 if (hcon->type == LE_LINK)
6c9d42a1 1338 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1339 else
030013d8 1340 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1341
9f5a0d7b 1342 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1343
1da177e4
LT		 1344 return conn;
1345}
1346
1da177e4 1347/* ---- Socket interface ---- */
1da177e4 1348
c2287681 1349/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1350 * Returns closest match.
1351 */
c2287681
IY		 1352static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1353 bdaddr_t *src,
1354 bdaddr_t *dst)
1da177e4 1355{
23691d75 1356 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1357
23691d75 1358 read_lock(&chan_list_lock);
e0f0cb56 1359
23691d75
GP		 1360 list_for_each_entry(c, &chan_list, global_l) {
1361 struct sock *sk = c->sk;
fe4128e0 1362
89bc500e 1363 if (state && c->state != state)
1da177e4
LT		 1364 continue;
1365
23691d75 1366 if (c->psm == psm) {
c2287681
IY		 1367 int src_match, dst_match;
1368 int src_any, dst_any;
1369
1da177e4 1370 /* Exact match. */
c2287681
IY		 1371 src_match = !bacmp(&bt_sk(sk)->src, src);
1372 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1373 if (src_match && dst_match) {
a7567b20 1374 read_unlock(&chan_list_lock);
23691d75
GP		 1375 return c;
1376 }
1da177e4
LT		 1377
1378 /* Closest match */
c2287681
IY		 1379 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1380 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1381 if ((src_match && dst_any) || (src_any && dst_match) ||
1382 (src_any && dst_any))
23691d75 1383 c1 = c;
1da177e4
LT		 1384 }
1385 }
1da177e4 1386
23691d75 1387 read_unlock(&chan_list_lock);
e0f0cb56 1388
23691d75 1389 return c1;
1da177e4
LT		 1390}
1391
cbe8fed4 1392int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid, bdaddr_t *dst)
1da177e4 1393{
5d41ce1d 1394 struct sock *sk = chan->sk;
1da177e4 1395 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1396 struct l2cap_conn *conn;
1397 struct hci_conn *hcon;
1398 struct hci_dev *hdev;
09ab6f4c 1399 __u8 auth_type;
44d0e48e 1400 int err;
1da177e4 1401
f29972de 1402 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
097db76c 1403 __le16_to_cpu(chan->psm));
1da177e4 1404
af05b30b
GP		 1405 hdev = hci_get_route(dst, src);
1406 if (!hdev)
1da177e4
LT		 1407 return -EHOSTUNREACH;
1408
09fd0de5 1409 hci_dev_lock(hdev);
1da177e4 1410
6be36555 1411 l2cap_chan_lock(chan);
03a00194
GP		 1412
1413 /* PSM must be odd and lsb of upper byte must be 0 */
1414 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1415 chan->chan_type != L2CAP_CHAN_RAW) {
1416 err = -EINVAL;
1417 goto done;
1418 }
1419
1420 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1421 err = -EINVAL;
1422 goto done;
1423 }
1424
1425 switch (chan->mode) {
1426 case L2CAP_MODE_BASIC:
1427 break;
1428 case L2CAP_MODE_ERTM:
1429 case L2CAP_MODE_STREAMING:
1430 if (!disable_ertm)
1431 break;
1432 /* fall through */
1433 default:
1434 err = -ENOTSUPP;
1435 goto done;
1436 }
1437
6be36555
AE		 1438 lock_sock(sk);
1439
03a00194
GP		 1440 switch (sk->sk_state) {
1441 case BT_CONNECT:
1442 case BT_CONNECT2:
1443 case BT_CONFIG:
1444 /* Already connecting */
1445 err = 0;
6be36555 1446 release_sock(sk);
03a00194
GP		 1447 goto done;
1448
1449 case BT_CONNECTED:
1450 /* Already connected */
1451 err = -EISCONN;
6be36555 1452 release_sock(sk);
03a00194
GP		 1453 goto done;
1454
1455 case BT_OPEN:
1456 case BT_BOUND:
1457 /* Can connect */
1458 break;
1459
1460 default:
1461 err = -EBADFD;
6be36555 1462 release_sock(sk);
03a00194
GP		 1463 goto done;
1464 }
1465
1466 /* Set destination address and psm */
9219b2a0 1467 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1468
1469 release_sock(sk);
1470
03a00194
GP		 1471 chan->psm = psm;
1472 chan->dcid = cid;
1da177e4 1473
4343478f 1474 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1475
fe4128e0 1476 if (chan->dcid == L2CAP_CID_LE_DATA)
acd7d370 1477 hcon = hci_connect(hdev, LE_LINK, dst,
4343478f 1478 chan->sec_level, auth_type);
acd7d370
VT		 1479 else
1480 hcon = hci_connect(hdev, ACL_LINK, dst,
4343478f 1481 chan->sec_level, auth_type);
acd7d370 1482
30e76272
VT		 1483 if (IS_ERR(hcon)) {
1484 err = PTR_ERR(hcon);
1da177e4 1485 goto done;
30e76272 1486 }
1da177e4
LT		 1487
1488 conn = l2cap_conn_add(hcon, 0);
1489 if (!conn) {
1490 hci_conn_put(hcon);
30e76272 1491 err = -ENOMEM;
1da177e4
LT		 1492 goto done;
1493 }
1494
1da177e4
LT		 1495 /* Update source addr of the socket */
1496 bacpy(src, conn->src);
1497
6be36555 1498 l2cap_chan_unlock(chan);
48454079 1499 l2cap_chan_add(conn, chan);
6be36555 1500 l2cap_chan_lock(chan);
48454079 1501
6be36555 1502 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1503 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1504
1505 if (hcon->state == BT_CONNECTED) {
715ec005 1506 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1507 __clear_chan_timer(chan);
d45fc423 1508 if (l2cap_chan_check_security(chan))
6be36555 1509 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1510 } else
fc7f8a7e 1511 l2cap_do_start(chan);
1da177e4
LT		 1512 }
1513
30e76272
VT		 1514 err = 0;
1515
1da177e4 1516done:
6be36555 1517 l2cap_chan_unlock(chan);
09fd0de5 1518 hci_dev_unlock(hdev);
1da177e4
LT		 1519 hci_dev_put(hdev);
1520 return err;
1521}
1522
dcba0dba 1523int __l2cap_wait_ack(struct sock *sk)
6161c038 1524{
8c1d787b 1525 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1526 DECLARE_WAITQUEUE(wait, current);
1527 int err = 0;
1528 int timeo = HZ/5;
1529
2b0b05dd 1530 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1531 set_current_state(TASK_INTERRUPTIBLE);
1532 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1533 if (!timeo)
1534 timeo = HZ/5;
1535
1536 if (signal_pending(current)) {
1537 err = sock_intr_errno(timeo);
1538 break;
1539 }
1540
1541 release_sock(sk);
1542 timeo = schedule_timeout(timeo);
1543 lock_sock(sk);
a71a0cf4 1544 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1545
1546 err = sock_error(sk);
1547 if (err)
1548 break;
1549 }
1550 set_current_state(TASK_RUNNING);
2b0b05dd 1551 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1552 return err;
1553}
1554
721c4181 1555static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1556{
721c4181
GP		 1557 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1558 monitor_timer.work);
e90bac06 1559
525cd185 1560 BT_DBG("chan %p", chan);
0e98958d 1561
6be36555
AE		 1562 l2cap_chan_lock(chan);
1563
2c03a7a4 1564 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1565 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
6be36555 1566 l2cap_chan_unlock(chan);
8d7e1c7f 1567 l2cap_chan_put(chan);
e90bac06
GP		 1568 return;
1569 }
1570
6a026610 1571 chan->retry_count++;
1a09bcb9 1572 __set_monitor_timer(chan);
e90bac06 1573
525cd185 1574 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
6be36555 1575 l2cap_chan_unlock(chan);
8d7e1c7f 1576 l2cap_chan_put(chan);
e90bac06
GP		 1577}
1578
721c4181 1579static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1580{
721c4181
GP		 1581 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1582 retrans_timer.work);
e90bac06 1583
49208c9c 1584 BT_DBG("chan %p", chan);
0e98958d 1585
6be36555
AE		 1586 l2cap_chan_lock(chan);
1587
6a026610 1588 chan->retry_count = 1;
1a09bcb9 1589 __set_monitor_timer(chan);
e90bac06 1590
e2ab4353 1591 set_bit(CONN_WAIT_F, &chan->conn_state);
e90bac06 1592
525cd185 1593 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
6be36555
AE		 1594
1595 l2cap_chan_unlock(chan);
8d7e1c7f 1596 l2cap_chan_put(chan);
e90bac06
GP		 1597}
1598
42e5c802 1599static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1da177e4 1600{
1c2acffb 1601 struct sk_buff *skb;
1da177e4 1602
58d35f87 1603 while ((skb = skb_peek(&chan->tx_q)) &&
6a026610 1604 chan->unacked_frames) {
42e5c802 1605 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1c2acffb 1606 break;
1da177e4 1607
58d35f87 1608 skb = skb_dequeue(&chan->tx_q);
1c2acffb 1609 kfree_skb(skb);
1da177e4 1610
6a026610 1611 chan->unacked_frames--;
1c2acffb 1612 }
1da177e4 1613
6a026610 1614 if (!chan->unacked_frames)
1a09bcb9 1615 __clear_retrans_timer(chan);
1c2acffb 1616}
1da177e4 1617
67c9e840 1618static void l2cap_streaming_send(struct l2cap_chan *chan)
6840ed07 1619{
ccbb84af 1620 struct sk_buff *skb;
88843ab0
AE		 1621 u32 control;
1622 u16 fcs;
6840ed07 1623
58d35f87 1624 while ((skb = skb_dequeue(&chan->tx_q))) {
88843ab0 1625 control = __get_control(chan, skb->data + L2CAP_HDR_SIZE);
fb45de7d 1626 control |= __set_txseq(chan, chan->next_tx_seq);
88843ab0 1627 __put_control(chan, control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1628
47d1ec61 1629 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1630 fcs = crc16(0, (u8 *)skb->data,
1631 skb->len - L2CAP_FCS_SIZE);
1632 put_unaligned_le16(fcs,
1633 skb->data + skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 1634 }
1635
4343478f 1636 l2cap_do_send(chan, skb);
6840ed07 1637
836be934 1638 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
6840ed07 1639 }
6840ed07
GP		 1640}
1641
fb45de7d 1642static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 1643{
8f17154f 1644 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1645 u16 fcs;
1646 u32 control;
8f17154f 1647
58d35f87 1648 skb = skb_peek(&chan->tx_q);
f11d676d
GP		 1649 if (!skb)
1650 return;
8f17154f 1651
d1726b6d 1652 while (bt_cb(skb)->tx_seq != tx_seq) {
58d35f87 1653 if (skb_queue_is_last(&chan->tx_q, skb))
f11d676d 1654 return;
8f17154f 1655
d1726b6d
SJ		 1656 skb = skb_queue_next(&chan->tx_q, skb);
1657 }
8f17154f 1658
2c03a7a4
GP		 1659 if (chan->remote_max_tx &&
1660 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1661 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
f11d676d
GP		 1662 return;
1663 }
1664
1665 tx_skb = skb_clone(skb, GFP_ATOMIC);
1666 bt_cb(skb)->retries++;
88843ab0
AE		 1667
1668 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1669 control &= __get_sar_mask(chan);
3cb123d1 1670
e2ab4353 1671 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1672 control |= __set_ctrl_final(chan);
95ffa978 1673
0b209fae 1674 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1675 control |= __set_txseq(chan, tx_seq);
3cb123d1 1676
88843ab0 1677 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
f11d676d 1678
47d1ec61 1679 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1680 fcs = crc16(0, (u8 *)tx_skb->data,
1681 tx_skb->len - L2CAP_FCS_SIZE);
1682 put_unaligned_le16(fcs,
1683 tx_skb->data + tx_skb->len - L2CAP_FCS_SIZE);
f11d676d
GP		 1684 }
1685
4343478f 1686 l2cap_do_send(chan, tx_skb);
8f17154f
GP		 1687}
1688
67c9e840 1689static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1690{
1691 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1692 u16 fcs;
1693 u32 control;
9a9c6a34 1694 int nsent = 0;
1c2acffb 1695
89bc500e 1696 if (chan->state != BT_CONNECTED)
c13ffa62 1697 return -ENOTCONN;
e90bac06 1698
58d35f87 1699 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1c2acffb 1700
2c03a7a4
GP		 1701 if (chan->remote_max_tx &&
1702 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1703 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
e90bac06
GP		 1704 break;
1705 }
1706
e420aba3
AE		 1707 tx_skb = skb_clone(skb, GFP_ATOMIC);
1708
e90bac06
GP		 1709 bt_cb(skb)->retries++;
1710
88843ab0 1711 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1712 control &= __get_sar_mask(chan);
95ffa978 1713
e2ab4353 1714 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1715 control |= __set_ctrl_final(chan);
e2ab4353 1716
0b209fae 1717 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1718 control |= __set_txseq(chan, chan->next_tx_seq);
1c2acffb 1719
88843ab0 1720 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
e90bac06 1721
47d1ec61 1722 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1723 fcs = crc16(0, (u8 *)skb->data,
1724 tx_skb->len - L2CAP_FCS_SIZE);
1725 put_unaligned_le16(fcs, skb->data +
1726 tx_skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 1727 }
1728
4343478f 1729 l2cap_do_send(chan, tx_skb);
9a9c6a34 1730
1a09bcb9 1731 __set_retrans_timer(chan);
1c2acffb 1732
42e5c802 1733 bt_cb(skb)->tx_seq = chan->next_tx_seq;
836be934
AE		 1734
1735 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1c2acffb 1736
8ed7a0ae 1737 if (bt_cb(skb)->retries == 1) {
6a026610 1738 chan->unacked_frames++;
930fa4ae
SJ		 1739
1740 if (!nsent++)
1741 __clear_ack_timer(chan);
8ed7a0ae 1742 }
23e9fde2 1743
6a026610 1744 chan->frames_sent++;
1c2acffb 1745
58d35f87
GP		 1746 if (skb_queue_is_last(&chan->tx_q, skb))
1747 chan->tx_send_head = NULL;
1c2acffb 1748 else
58d35f87 1749 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1c2acffb
GP		 1750 }
1751
9e917af1
GP		 1752 return nsent;
1753}
1754
525cd185 1755static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1756{
dfc909be
GP		 1757 int ret;
1758
58d35f87
GP		 1759 if (!skb_queue_empty(&chan->tx_q))
1760 chan->tx_send_head = chan->tx_q.next;
dfc909be 1761
42e5c802 1762 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1763 ret = l2cap_ertm_send(chan);
dfc909be
GP		 1764 return ret;
1765}
1766
b17e73bb 1767static void __l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1768{
88843ab0 1769 u32 control = 0;
9e917af1 1770
0b209fae 1771 control |= __set_reqseq(chan, chan->buffer_seq);
9e917af1 1772
e2ab4353 1773 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 1774 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 1775 set_bit(CONN_RNR_SENT, &chan->conn_state);
525cd185 1776 l2cap_send_sframe(chan, control);
9a9c6a34 1777 return;
9e917af1 1778 }
dfc909be 1779
525cd185 1780 if (l2cap_ertm_send(chan) > 0)
dfc909be
GP		 1781 return;
1782
ab784b73 1783 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 1784 l2cap_send_sframe(chan, control);
1c2acffb
GP		 1785}
1786
b17e73bb
SJ		 1787static void l2cap_send_ack(struct l2cap_chan *chan)
1788{
1789 __clear_ack_timer(chan);
1790 __l2cap_send_ack(chan);
1791}
1792
525cd185 1793static void l2cap_send_srejtail(struct l2cap_chan *chan)
99b0d4b7
GP		 1794{
1795 struct srej_list *tail;
88843ab0 1796 u32 control;
99b0d4b7 1797
ab784b73 1798 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
03f6715d 1799 control |= __set_ctrl_final(chan);
99b0d4b7 1800
39d5a3ee 1801 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
0b209fae 1802 control |= __set_reqseq(chan, tail->tx_seq);
99b0d4b7 1803
525cd185 1804 l2cap_send_sframe(chan, control);
99b0d4b7
GP		 1805}
1806
04124681
GP		 1807static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
1808 struct msghdr *msg, int len,
1809 int count, struct sk_buff *skb)
1c2acffb 1810{
0952a57a 1811 struct l2cap_conn *conn = chan->conn;
1c2acffb 1812 struct sk_buff **frag;
90338947 1813 int sent = 0;
1da177e4 1814
59203a21 1815 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1816 return -EFAULT;
1da177e4
LT		 1817
1818 sent += count;
1819 len -= count;
1820
1821 /* Continuation fragments (no L2CAP header) */
1822 frag = &skb_shinfo(skb)->frag_list;
1823 while (len) {
1824 count = min_t(unsigned int, conn->mtu, len);
1825
2f7719ce 1826 *frag = chan->ops->alloc_skb(chan, count,
90338947 1827 msg->msg_flags & MSG_DONTWAIT);
2f7719ce 1828
90338947
GP		 1829 if (IS_ERR(*frag))
1830 return PTR_ERR(*frag);
1c2acffb
GP		 1831 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1832 return -EFAULT;
1da177e4 1833
5e59b791
LAD		 1834 (*frag)->priority = skb->priority;
1835
1da177e4
LT		 1836 sent += count;
1837 len -= count;
1838
1839 frag = &(*frag)->next;
1840 }
1da177e4
LT		 1841
1842 return sent;
1c2acffb 1843}
1da177e4 1844
5e59b791
LAD		 1845static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
1846 struct msghdr *msg, size_t len,
1847 u32 priority)
1c2acffb 1848{
8c1d787b 1849 struct l2cap_conn *conn = chan->conn;
1c2acffb 1850 struct sk_buff *skb;
03a51213 1851 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 1852 struct l2cap_hdr *lh;
1853
6d5922b0 1854 BT_DBG("chan %p len %d priority %u", chan, (int)len, priority);
1c2acffb
GP		 1855
1856 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1857
1858 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 1859 msg->msg_flags & MSG_DONTWAIT);
1860 if (IS_ERR(skb))
1861 return skb;
1c2acffb 1862
5e59b791
LAD		 1863 skb->priority = priority;
1864
1c2acffb
GP		 1865 /* Create L2CAP header */
1866 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1867 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1868 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
097db76c 1869 put_unaligned(chan->psm, skb_put(skb, 2));
1c2acffb 1870
0952a57a 1871 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1872 if (unlikely(err < 0)) {
1873 kfree_skb(skb);
1874 return ERR_PTR(err);
1875 }
1876 return skb;
1877}
1878
5e59b791
LAD		 1879static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
1880 struct msghdr *msg, size_t len,
1881 u32 priority)
1c2acffb 1882{
8c1d787b 1883 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1884 struct sk_buff *skb;
1885 int err, count, hlen = L2CAP_HDR_SIZE;
1886 struct l2cap_hdr *lh;
1887
6d5922b0 1888 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb
GP		 1889
1890 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1891
1892 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 1893 msg->msg_flags & MSG_DONTWAIT);
1894 if (IS_ERR(skb))
1895 return skb;
1c2acffb 1896
5e59b791
LAD		 1897 skb->priority = priority;
1898
1c2acffb
GP		 1899 /* Create L2CAP header */
1900 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1901 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1902 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1903
0952a57a 1904 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1905 if (unlikely(err < 0)) {
1906 kfree_skb(skb);
1907 return ERR_PTR(err);
1908 }
1909 return skb;
1910}
1911
ab0ff76d
LAD		 1912static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
1913 struct msghdr *msg, size_t len,
88843ab0 1914 u32 control, u16 sdulen)
1c2acffb 1915{
8c1d787b 1916 struct l2cap_conn *conn = chan->conn;
1c2acffb 1917 struct sk_buff *skb;
e4ca6d98 1918 int err, count, hlen;
1c2acffb
GP		 1919 struct l2cap_hdr *lh;
1920
6d5922b0 1921 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 1922
0ee0d208
GP		 1923 if (!conn)
1924 return ERR_PTR(-ENOTCONN);
1925
e4ca6d98
AE		 1926 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1927 hlen = L2CAP_EXT_HDR_SIZE;
1928 else
1929 hlen = L2CAP_ENH_HDR_SIZE;
1930
c74e560c 1931 if (sdulen)
03a51213 1932 hlen += L2CAP_SDULEN_SIZE;
c74e560c 1933
47d1ec61 1934 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1935 hlen += L2CAP_FCS_SIZE;
fcc203c3 1936
1c2acffb 1937 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1938
1939 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 1940 msg->msg_flags & MSG_DONTWAIT);
1941 if (IS_ERR(skb))
1942 return skb;
1c2acffb
GP		 1943
1944 /* Create L2CAP header */
1945 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1946 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1947 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0
AE		 1948
1949 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
1950
c74e560c 1951 if (sdulen)
03a51213 1952 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 1953
0952a57a 1954 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1955 if (unlikely(err < 0)) {
1956 kfree_skb(skb);
1957 return ERR_PTR(err);
1958 }
e90bac06 1959
47d1ec61 1960 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1961 put_unaligned_le16(0, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3 1962
e90bac06 1963 bt_cb(skb)->retries = 0;
1c2acffb 1964 return skb;
1da177e4
LT		 1965}
1966
67c9e840 1967static int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
c74e560c 1968{
c74e560c
GP		 1969 struct sk_buff *skb;
1970 struct sk_buff_head sar_queue;
88843ab0 1971 u32 control;
c74e560c
GP		 1972 size_t size = 0;
1973
ff12fd64 1974 skb_queue_head_init(&sar_queue);
7e0ef6ee 1975 control = __set_ctrl_sar(chan, L2CAP_SAR_START);
47d1ec61 1976 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
c74e560c
GP		 1977 if (IS_ERR(skb))
1978 return PTR_ERR(skb);
1979
1980 __skb_queue_tail(&sar_queue, skb);
2c03a7a4
GP		 1981 len -= chan->remote_mps;
1982 size += chan->remote_mps;
c74e560c
GP		 1983
1984 while (len > 0) {
1985 size_t buflen;
1986
2c03a7a4 1987 if (len > chan->remote_mps) {
7e0ef6ee 1988 control = __set_ctrl_sar(chan, L2CAP_SAR_CONTINUE);
2c03a7a4 1989 buflen = chan->remote_mps;
c74e560c 1990 } else {
7e0ef6ee 1991 control = __set_ctrl_sar(chan, L2CAP_SAR_END);
c74e560c
GP		 1992 buflen = len;
1993 }
1994
47d1ec61 1995 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
c74e560c
GP		 1996 if (IS_ERR(skb)) {
1997 skb_queue_purge(&sar_queue);
1998 return PTR_ERR(skb);
1999 }
2000
2001 __skb_queue_tail(&sar_queue, skb);
2002 len -= buflen;
2003 size += buflen;
c74e560c 2004 }
58d35f87
GP		 2005 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
2006 if (chan->tx_send_head == NULL)
2007 chan->tx_send_head = sar_queue.next;
c74e560c
GP		 2008
2009 return size;
2010}
2011
5e59b791
LAD		 2012int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2013 u32 priority)
9a91a04a 2014{
9a91a04a 2015 struct sk_buff *skb;
88843ab0 2016 u32 control;
9a91a04a
GP		 2017 int err;
2018
2019 /* Connectionless channel */
715ec005 2020 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2021 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2022 if (IS_ERR(skb))
2023 return PTR_ERR(skb);
2024
2025 l2cap_do_send(chan, skb);
2026 return len;
2027 }
2028
2029 switch (chan->mode) {
2030 case L2CAP_MODE_BASIC:
2031 /* Check outgoing MTU */
2032 if (len > chan->omtu)
2033 return -EMSGSIZE;
2034
2035 /* Create a basic PDU */
5e59b791 2036 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2037 if (IS_ERR(skb))
2038 return PTR_ERR(skb);
2039
2040 l2cap_do_send(chan, skb);
2041 err = len;
2042 break;
2043
2044 case L2CAP_MODE_ERTM:
2045 case L2CAP_MODE_STREAMING:
2046 /* Entire SDU fits into one PDU */
2047 if (len <= chan->remote_mps) {
7e0ef6ee 2048 control = __set_ctrl_sar(chan, L2CAP_SAR_UNSEGMENTED);
9a91a04a
GP		 2049 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
2050 0);
2051 if (IS_ERR(skb))
2052 return PTR_ERR(skb);
2053
2054 __skb_queue_tail(&chan->tx_q, skb);
2055
2056 if (chan->tx_send_head == NULL)
2057 chan->tx_send_head = skb;
2058
2059 } else {
2060 /* Segment SDU into multiples PDUs */
2061 err = l2cap_sar_segment_sdu(chan, msg, len);
2062 if (err < 0)
2063 return err;
2064 }
2065
2066 if (chan->mode == L2CAP_MODE_STREAMING) {
2067 l2cap_streaming_send(chan);
2068 err = len;
2069 break;
2070 }
2071
e2ab4353
GP		 2072 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
2073 test_bit(CONN_WAIT_F, &chan->conn_state)) {
9a91a04a
GP		 2074 err = len;
2075 break;
2076 }
2077
2078 err = l2cap_ertm_send(chan);
2079 if (err >= 0)
2080 err = len;
2081
2082 break;
2083
2084 default:
2085 BT_DBG("bad state %1.1x", chan->mode);
2086 err = -EBADFD;
2087 }
2088
2089 return err;
2090}
2091
1da177e4
LT		 2092/* Copy frame to all raw sockets on that connection */
2093static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2094{
1da177e4 2095 struct sk_buff *nskb;
48454079 2096 struct l2cap_chan *chan;
1da177e4
LT		 2097
2098 BT_DBG("conn %p", conn);
2099
3df91ea2 2100 mutex_lock(&conn->chan_lock);
3d57dc68 2101
3df91ea2 2102 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2103 struct sock *sk = chan->sk;
715ec005 2104 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2105 continue;
2106
2107 /* Don't send frame to the socket it came from */
2108 if (skb->sk == sk)
2109 continue;
af05b30b
GP		 2110 nskb = skb_clone(skb, GFP_ATOMIC);
2111 if (!nskb)
1da177e4
LT		 2112 continue;
2113
23070494 2114 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT		 2115 kfree_skb(nskb);
2116 }
3d57dc68 2117
3df91ea2 2118 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2119}
2120
2121/* ---- L2CAP signalling commands ---- */
2122static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2123 u8 code, u8 ident, u16 dlen, void *data)
2124{
2125 struct sk_buff *skb, **frag;
2126 struct l2cap_cmd_hdr *cmd;
2127 struct l2cap_hdr *lh;
2128 int len, count;
2129
af05b30b
GP		 2130 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2131 conn, code, ident, dlen);
1da177e4
LT		 2132
2133 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2134 count = min_t(unsigned int, conn->mtu, len);
2135
2136 skb = bt_skb_alloc(count, GFP_ATOMIC);
2137 if (!skb)
2138 return NULL;
2139
2140 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2141 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2142
2143 if (conn->hcon->type == LE_LINK)
2144 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2145 else
2146 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2147
2148 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2149 cmd->code = code;
2150 cmd->ident = ident;
aca3192c 2151 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2152
2153 if (dlen) {
2154 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2155 memcpy(skb_put(skb, count), data, count);
2156 data += count;
2157 }
2158
2159 len -= skb->len;
2160
2161 /* Continuation fragments (no L2CAP header) */
2162 frag = &skb_shinfo(skb)->frag_list;
2163 while (len) {
2164 count = min_t(unsigned int, conn->mtu, len);
2165
2166 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2167 if (!*frag)
2168 goto fail;
2169
2170 memcpy(skb_put(*frag, count), data, count);
2171
2172 len -= count;
2173 data += count;
2174
2175 frag = &(*frag)->next;
2176 }
2177
2178 return skb;
2179
2180fail:
2181 kfree_skb(skb);
2182 return NULL;
2183}
2184
2185static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2186{
2187 struct l2cap_conf_opt *opt = *ptr;
2188 int len;
2189
2190 len = L2CAP_CONF_OPT_SIZE + opt->len;
2191 *ptr += len;
2192
2193 *type = opt->type;
2194 *olen = opt->len;
2195
2196 switch (opt->len) {
2197 case 1:
2198 *val = *((u8 *) opt->val);
2199 break;
2200
2201 case 2:
bfaaeb3e 2202 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2203 break;
2204
2205 case 4:
bfaaeb3e 2206 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2207 break;
2208
2209 default:
2210 *val = (unsigned long) opt->val;
2211 break;
2212 }
2213
2214 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2215 return len;
2216}
2217
1da177e4
LT		 2218static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2219{
2220 struct l2cap_conf_opt *opt = *ptr;
2221
2222 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2223
2224 opt->type = type;
2225 opt->len = len;
2226
2227 switch (len) {
2228 case 1:
2229 *((u8 *) opt->val) = val;
2230 break;
2231
2232 case 2:
4f8b691c 2233 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2234 break;
2235
2236 case 4:
4f8b691c 2237 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2238 break;
2239
2240 default:
2241 memcpy(opt->val, (void *) val, len);
2242 break;
2243 }
2244
2245 *ptr += L2CAP_CONF_OPT_SIZE + len;
2246}
2247
f89cef09
AE		 2248static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2249{
2250 struct l2cap_conf_efs efs;
2251
1ec918ce 2252 switch (chan->mode) {
f89cef09
AE		 2253 case L2CAP_MODE_ERTM:
2254 efs.id = chan->local_id;
2255 efs.stype = chan->local_stype;
2256 efs.msdu = cpu_to_le16(chan->local_msdu);
2257 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2258 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2259 efs.flush_to = cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
2260 break;
2261
2262 case L2CAP_MODE_STREAMING:
2263 efs.id = 1;
2264 efs.stype = L2CAP_SERV_BESTEFFORT;
2265 efs.msdu = cpu_to_le16(chan->local_msdu);
2266 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2267 efs.acc_lat = 0;
2268 efs.flush_to = 0;
2269 break;
2270
2271 default:
2272 return;
2273 }
2274
2275 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
2276 (unsigned long) &efs);
2277}
2278
721c4181 2279static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2280{
721c4181
GP		 2281 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2282 ack_timer.work);
c1b4f43b 2283
2fb9b3d4
GP		 2284 BT_DBG("chan %p", chan);
2285
6be36555
AE		 2286 l2cap_chan_lock(chan);
2287
b17e73bb 2288 __l2cap_send_ack(chan);
6be36555
AE		 2289
2290 l2cap_chan_unlock(chan);
09bfb2ee
SJ		 2291
2292 l2cap_chan_put(chan);
c1b4f43b
GP		 2293}
2294
3c588192 2295static inline int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2296{
3c588192
MM		 2297 int err;
2298
42e5c802 2299 chan->expected_ack_seq = 0;
6a026610 2300 chan->unacked_frames = 0;
42e5c802 2301 chan->buffer_seq = 0;
6a026610
GP		 2302 chan->num_acked = 0;
2303 chan->frames_sent = 0;
0565c1c2 2304
721c4181
GP		 2305 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2306 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2307 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2308
f1c6775b 2309 skb_queue_head_init(&chan->srej_q);
1890d36b 2310
39d5a3ee 2311 INIT_LIST_HEAD(&chan->srej_l);
3c588192
MM		 2312 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2313 if (err < 0)
2314 return err;
2315
2316 return l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
0565c1c2
GP		 2317}
2318
f2fcfcd6
GP		 2319static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2320{
2321 switch (mode) {
2322 case L2CAP_MODE_STREAMING:
2323 case L2CAP_MODE_ERTM:
2324 if (l2cap_mode_supported(mode, remote_feat_mask))
2325 return mode;
2326 /* fall through */
2327 default:
2328 return L2CAP_MODE_BASIC;
2329 }
2330}
2331
6327eb98
AE		 2332static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2333{
2334 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2335}
2336
f89cef09
AE		 2337static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2338{
2339 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2340}
2341
6327eb98
AE		 2342static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2343{
2344 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 2345 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2346 /* use extended control field */
2347 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2348 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2349 } else {
6327eb98
AE		 2350 chan->tx_win = min_t(u16, chan->tx_win,
2351 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2352 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2353 }
6327eb98
AE		 2354}
2355
710f9b0a 2356static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2357{
1da177e4 2358 struct l2cap_conf_req *req = data;
0c1bc5c6 2359 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2360 void *ptr = req->data;
c8f79162 2361 u16 size;
1da177e4 2362
49208c9c 2363 BT_DBG("chan %p", chan);
1da177e4 2364
73ffa904 2365 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2366 goto done;
2367
0c1bc5c6 2368 switch (chan->mode) {
f2fcfcd6
GP		 2369 case L2CAP_MODE_STREAMING:
2370 case L2CAP_MODE_ERTM:
c1360a1c 2371 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2372 break;
85eb53c6 2373
f89cef09
AE		 2374 if (__l2cap_efs_supported(chan))
2375 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2376
2ba13ed6 2377 /* fall through */
f2fcfcd6 2378 default:
8c1d787b 2379 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2380 break;
2381 }
2382
2383done:
0c1bc5c6
GP		 2384 if (chan->imtu != L2CAP_DEFAULT_MTU)
2385 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2386
0c1bc5c6 2387 switch (chan->mode) {
65c7c491 2388 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2389 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2390 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2391 break;
2392
62547752
GP		 2393 rfc.mode = L2CAP_MODE_BASIC;
2394 rfc.txwin_size = 0;
2395 rfc.max_transmit = 0;
2396 rfc.retrans_timeout = 0;
2397 rfc.monitor_timeout = 0;
2398 rfc.max_pdu_size = 0;
2399
63406504
GP		 2400 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2401 (unsigned long) &rfc);
65c7c491
MH		 2402 break;
2403
2404 case L2CAP_MODE_ERTM:
2405 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2406 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2407 rfc.retrans_timeout = 0;
2408 rfc.monitor_timeout = 0;
c8f79162
AE		 2409
2410 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2411 L2CAP_EXT_HDR_SIZE -
2412 L2CAP_SDULEN_SIZE -
2413 L2CAP_FCS_SIZE);
2414 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2415
6327eb98
AE		 2416 l2cap_txwin_setup(chan);
2417
2418 rfc.txwin_size = min_t(u16, chan->tx_win,
2419 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2420
63406504
GP		 2421 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2422 (unsigned long) &rfc);
2423
f89cef09
AE		 2424 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2425 l2cap_add_opt_efs(&ptr, chan);
2426
8c1d787b 2427 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2428 break;
2429
47d1ec61 2430 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2431 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2432 chan->fcs = L2CAP_FCS_NONE;
2433 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2434 }
6327eb98
AE		 2435
2436 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2437 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2438 chan->tx_win);
f2fcfcd6
GP		 2439 break;
2440
2441 case L2CAP_MODE_STREAMING:
2442 rfc.mode = L2CAP_MODE_STREAMING;
2443 rfc.txwin_size = 0;
2444 rfc.max_transmit = 0;
2445 rfc.retrans_timeout = 0;
2446 rfc.monitor_timeout = 0;
c8f79162
AE		 2447
2448 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2449 L2CAP_EXT_HDR_SIZE -
2450 L2CAP_SDULEN_SIZE -
2451 L2CAP_FCS_SIZE);
2452 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2453
63406504
GP		 2454 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2455 (unsigned long) &rfc);
2456
f89cef09
AE		 2457 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2458 l2cap_add_opt_efs(&ptr, chan);
2459
8c1d787b 2460 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2461 break;
2462
47d1ec61 2463 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2464 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2465 chan->fcs = L2CAP_FCS_NONE;
2466 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2467 }
65c7c491
MH		 2468 break;
2469 }
1da177e4 2470
fe4128e0 2471 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 2472 req->flags = cpu_to_le16(0);
1da177e4
LT		 2473
2474 return ptr - data;
2475}
2476
73ffa904 2477static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2478{
5dee9e7c
MH		 2479 struct l2cap_conf_rsp *rsp = data;
2480 void *ptr = rsp->data;
73ffa904
GP		 2481 void *req = chan->conf_req;
2482 int len = chan->conf_len;
5dee9e7c
MH		 2483 int type, hint, olen;
2484 unsigned long val;
6464f35f 2485 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2486 struct l2cap_conf_efs efs;
2487 u8 remote_efs = 0;
861d6882 2488 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2489 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2490 u16 size;
1da177e4 2491
73ffa904 2492 BT_DBG("chan %p", chan);
820ae1b8 2493
5dee9e7c
MH		 2494 while (len >= L2CAP_CONF_OPT_SIZE) {
2495 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2496
589d2746 2497 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2498 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2499
2500 switch (type) {
2501 case L2CAP_CONF_MTU:
861d6882 2502 mtu = val;
5dee9e7c
MH		 2503 break;
2504
2505 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2506 chan->flush_to = val;
5dee9e7c
MH		 2507 break;
2508
2509 case L2CAP_CONF_QOS:
2510 break;
2511
6464f35f
MH		 2512 case L2CAP_CONF_RFC:
2513 if (olen == sizeof(rfc))
2514 memcpy(&rfc, (void *) val, olen);
2515 break;
2516
fcc203c3
GP		 2517 case L2CAP_CONF_FCS:
2518 if (val == L2CAP_FCS_NONE)
c1360a1c 2519 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 2520 break;
fcc203c3 2521
42dceae2
AE		 2522 case L2CAP_CONF_EFS:
2523 remote_efs = 1;
2524 if (olen == sizeof(efs))
2525 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 2526 break;
2527
6327eb98
AE		 2528 case L2CAP_CONF_EWS:
2529 if (!enable_hs)
2530 return -ECONNREFUSED;
fcc203c3 2531
6327eb98
AE		 2532 set_bit(FLAG_EXT_CTRL, &chan->flags);
2533 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 2534 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 2535 chan->remote_tx_win = val;
fcc203c3
GP		 2536 break;
2537
5dee9e7c
MH		 2538 default:
2539 if (hint)
2540 break;
2541
2542 result = L2CAP_CONF_UNKNOWN;
2543 *((u8 *) ptr++) = type;
2544 break;
2545 }
2546 }
2547
73ffa904 2548 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2549 goto done;
2550
0c1bc5c6 2551 switch (chan->mode) {
f2fcfcd6
GP		 2552 case L2CAP_MODE_STREAMING:
2553 case L2CAP_MODE_ERTM:
c1360a1c 2554 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2555 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2556 chan->conn->feat_mask);
85eb53c6
GP		 2557 break;
2558 }
2559
42dceae2
AE		 2560 if (remote_efs) {
2561 if (__l2cap_efs_supported(chan))
2562 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2563 else
2564 return -ECONNREFUSED;
2565 }
2566
0c1bc5c6 2567 if (chan->mode != rfc.mode)
f2fcfcd6 2568 return -ECONNREFUSED;
742e519b 2569
f2fcfcd6 2570 break;
f2fcfcd6
GP		 2571 }
2572
2573done:
0c1bc5c6 2574 if (chan->mode != rfc.mode) {
f2fcfcd6 2575 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2576 rfc.mode = chan->mode;
f2fcfcd6 2577
73ffa904 2578 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2579 return -ECONNREFUSED;
2580
2581 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2582 sizeof(rfc), (unsigned long) &rfc);
2583 }
2584
5dee9e7c
MH		 2585 if (result == L2CAP_CONF_SUCCESS) {
2586 /* Configure output options and let the other side know
2587 * which ones we don't like. */
2588
f2fcfcd6
GP		 2589 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2590 result = L2CAP_CONF_UNACCEPT;
2591 else {
0c1bc5c6 2592 chan->omtu = mtu;
c1360a1c 2593 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 2594 }
0c1bc5c6 2595 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2596
42dceae2
AE		 2597 if (remote_efs) {
2598 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2599 efs.stype != L2CAP_SERV_NOTRAFIC &&
2600 efs.stype != chan->local_stype) {
2601
2602 result = L2CAP_CONF_UNACCEPT;
2603
2604 if (chan->num_conf_req >= 1)
2605 return -ECONNREFUSED;
2606
2607 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 2608 sizeof(efs),
42dceae2 2609 (unsigned long) &efs);
0e8b207e 2610 } else {
3e6b3b95 2611 /* Send PENDING Conf Rsp */
0e8b207e
AE		 2612 result = L2CAP_CONF_PENDING;
2613 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 2614 }
2615 }
2616
f2fcfcd6
GP		 2617 switch (rfc.mode) {
2618 case L2CAP_MODE_BASIC:
47d1ec61 2619 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2620 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 2621 break;
2622
2623 case L2CAP_MODE_ERTM:
6327eb98
AE		 2624 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
2625 chan->remote_tx_win = rfc.txwin_size;
2626 else
2627 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 2628
2c03a7a4 2629 chan->remote_max_tx = rfc.max_transmit;
1c762159 2630
c8f79162
AE		 2631 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2632 chan->conn->mtu -
2633 L2CAP_EXT_HDR_SIZE -
2634 L2CAP_SDULEN_SIZE -
2635 L2CAP_FCS_SIZE);
2636 rfc.max_pdu_size = cpu_to_le16(size);
2637 chan->remote_mps = size;
f2fcfcd6 2638
10467e9e 2639 rfc.retrans_timeout =
4fd21a88 2640 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
10467e9e 2641 rfc.monitor_timeout =
4fd21a88 2642 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2643
c1360a1c 2644 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2645
2646 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2647 sizeof(rfc), (unsigned long) &rfc);
2648
42dceae2
AE		 2649 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2650 chan->remote_id = efs.id;
2651 chan->remote_stype = efs.stype;
2652 chan->remote_msdu = le16_to_cpu(efs.msdu);
2653 chan->remote_flush_to =
2654 le32_to_cpu(efs.flush_to);
2655 chan->remote_acc_lat =
2656 le32_to_cpu(efs.acc_lat);
2657 chan->remote_sdu_itime =
2658 le32_to_cpu(efs.sdu_itime);
2659 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2660 sizeof(efs), (unsigned long) &efs);
2661 }
f2fcfcd6
GP		 2662 break;
2663
2664 case L2CAP_MODE_STREAMING:
c8f79162
AE		 2665 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2666 chan->conn->mtu -
2667 L2CAP_EXT_HDR_SIZE -
2668 L2CAP_SDULEN_SIZE -
2669 L2CAP_FCS_SIZE);
2670 rfc.max_pdu_size = cpu_to_le16(size);
2671 chan->remote_mps = size;
f2fcfcd6 2672
c1360a1c 2673 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2674
2675 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2676 sizeof(rfc), (unsigned long) &rfc);
2677
f2fcfcd6
GP		 2678 break;
2679
2680 default:
5dee9e7c 2681 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2682
6464f35f 2683 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2684 rfc.mode = chan->mode;
f2fcfcd6 2685 }
6464f35f 2686
f2fcfcd6 2687 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 2688 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 2689 }
fe4128e0 2690 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2691 rsp->result = cpu_to_le16(result);
2692 rsp->flags = cpu_to_le16(0x0000);
2693
2694 return ptr - data;
1da177e4
LT		 2695}
2696
b4450035 2697static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2698{
f2fcfcd6
GP		 2699 struct l2cap_conf_req *req = data;
2700 void *ptr = req->data;
2701 int type, olen;
2702 unsigned long val;
36e999a8 2703 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 2704 struct l2cap_conf_efs efs;
f2fcfcd6 2705
fe4128e0 2706 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 2707
2708 while (len >= L2CAP_CONF_OPT_SIZE) {
2709 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2710
2711 switch (type) {
2712 case L2CAP_CONF_MTU:
2713 if (val < L2CAP_DEFAULT_MIN_MTU) {
2714 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2715 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2716 } else
0c1bc5c6
GP		 2717 chan->imtu = val;
2718 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 2719 break;
2720
2721 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2722 chan->flush_to = val;
f2fcfcd6 2723 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 2724 2, chan->flush_to);
f2fcfcd6
GP		 2725 break;
2726
2727 case L2CAP_CONF_RFC:
2728 if (olen == sizeof(rfc))
2729 memcpy(&rfc, (void *)val, olen);
2730
c1360a1c 2731 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 2732 rfc.mode != chan->mode)
f2fcfcd6
GP		 2733 return -ECONNREFUSED;
2734
47d1ec61 2735 chan->fcs = 0;
f2fcfcd6
GP		 2736
2737 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2738 sizeof(rfc), (unsigned long) &rfc);
2739 break;
6327eb98
AE		 2740
2741 case L2CAP_CONF_EWS:
2742 chan->tx_win = min_t(u16, val,
2743 L2CAP_DEFAULT_EXT_WINDOW);
3e6b3b95
GP		 2744 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2745 chan->tx_win);
6327eb98 2746 break;
66af7aaf
AE		 2747
2748 case L2CAP_CONF_EFS:
2749 if (olen == sizeof(efs))
2750 memcpy(&efs, (void *)val, olen);
2751
2752 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2753 efs.stype != L2CAP_SERV_NOTRAFIC &&
2754 efs.stype != chan->local_stype)
2755 return -ECONNREFUSED;
2756
2757 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2758 sizeof(efs), (unsigned long) &efs);
2759 break;
f2fcfcd6
GP		 2760 }
2761 }
2762
0c1bc5c6 2763 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 2764 return -ECONNREFUSED;
2765
0c1bc5c6 2766 chan->mode = rfc.mode;
6c2ea7a8 2767
0e8b207e 2768 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 2769 switch (rfc.mode) {
2770 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2771 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2772 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2773 chan->mps = le16_to_cpu(rfc.max_pdu_size);
66af7aaf
AE		 2774
2775 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2776 chan->local_msdu = le16_to_cpu(efs.msdu);
2777 chan->local_sdu_itime =
2778 le32_to_cpu(efs.sdu_itime);
2779 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
2780 chan->local_flush_to =
2781 le32_to_cpu(efs.flush_to);
2782 }
f2fcfcd6 2783 break;
66af7aaf 2784
f2fcfcd6 2785 case L2CAP_MODE_STREAMING:
47d1ec61 2786 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2787 }
2788 }
2789
fe4128e0 2790 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 2791 req->flags = cpu_to_le16(0x0000);
2792
2793 return ptr - data;
2794}
2795
fe4128e0 2796static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 2797{
2798 struct l2cap_conf_rsp *rsp = data;
2799 void *ptr = rsp->data;
1da177e4 2800
fe4128e0 2801 BT_DBG("chan %p", chan);
1da177e4 2802
fe4128e0 2803 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 2804 rsp->result = cpu_to_le16(result);
aca3192c 2805 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2806
2807 return ptr - data;
2808}
2809
8c1d787b 2810void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 2811{
2812 struct l2cap_conn_rsp rsp;
8c1d787b 2813 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 2814 u8 buf[128];
2815
fe4128e0
GP		 2816 rsp.scid = cpu_to_le16(chan->dcid);
2817 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 2818 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2819 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2820 l2cap_send_cmd(conn, chan->ident,
2821 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2822
c1360a1c 2823 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 2824 return;
2825
710f9b0a
GP		 2826 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2827 l2cap_build_conf_req(chan, buf), buf);
2828 chan->num_conf_req++;
2829}
2830
47d1ec61 2831static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 2832{
7b1c0049
GP		 2833 int type, olen;
2834 unsigned long val;
2835 struct l2cap_conf_rfc rfc;
2836
47d1ec61 2837 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 2838
0c1bc5c6 2839 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 2840 return;
2841
2842 while (len >= L2CAP_CONF_OPT_SIZE) {
2843 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2844
2845 switch (type) {
2846 case L2CAP_CONF_RFC:
2847 if (olen == sizeof(rfc))
2848 memcpy(&rfc, (void *)val, olen);
2849 goto done;
2850 }
2851 }
2852
36e999a8
MM		 2853 /* Use sane default values in case a misbehaving remote device
2854 * did not send an RFC option.
2855 */
2856 rfc.mode = chan->mode;
2857 rfc.retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
2858 rfc.monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
2859 rfc.max_pdu_size = cpu_to_le16(chan->imtu);
2860
2861 BT_ERR("Expected RFC option was not found, using defaults");
2862
7b1c0049
GP		 2863done:
2864 switch (rfc.mode) {
2865 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2866 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2867 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2868 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2869 break;
2870 case L2CAP_MODE_STREAMING:
47d1ec61 2871 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2872 }
2873}
2874
4e8402a3
MH		 2875static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2876{
e2fd318e 2877 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 2878
e2fd318e 2879 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 2880 return 0;
2881
2882 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2883 cmd->ident == conn->info_ident) {
17cd3f37 2884 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 2885
2886 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2887 conn->info_ident = 0;
984947dc 2888
4e8402a3
MH		 2889 l2cap_conn_start(conn);
2890 }
2891
2892 return 0;
2893}
2894
1da177e4
LT		 2895static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2896{
1da177e4
LT		 2897 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2898 struct l2cap_conn_rsp rsp;
23691d75 2899 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 2900 struct sock *parent, *sk = NULL;
e7c29cb1 2901 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2902
2903 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2904 __le16 psm = req->psm;
1da177e4 2905
097db76c 2906 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 2907
2908 /* Check if we have socket listening on psm */
c2287681 2909 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 2910 if (!pchan) {
1da177e4
LT		 2911 result = L2CAP_CR_BAD_PSM;
2912 goto sendresp;
2913 }
2914
23691d75
GP		 2915 parent = pchan->sk;
2916
3df91ea2 2917 mutex_lock(&conn->chan_lock);
aa2ac881 2918 lock_sock(parent);
e0f0cb56 2919
e7c29cb1
MH		 2920 /* Check if the ACL is secure enough (if not SDP) */
2921 if (psm != cpu_to_le16(0x0001) &&
2922 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 2923 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 2924 result = L2CAP_CR_SEC_BLOCK;
2925 goto response;
2926 }
2927
1da177e4
LT		 2928 result = L2CAP_CR_NO_MEM;
2929
2930 /* Check for backlog size */
2931 if (sk_acceptq_is_full(parent)) {
8e87d142 2932 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2933 goto response;
2934 }
2935
80808e43
GP		 2936 chan = pchan->ops->new_connection(pchan->data);
2937 if (!chan)
1da177e4
LT		 2938 goto response;
2939
80808e43
GP		 2940 sk = chan->sk;
2941
1da177e4 2942 /* Check if we already have channel with that dcid */
baa7e1fa 2943 if (__l2cap_get_chan_by_dcid(conn, scid)) {
1da177e4 2944 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 2945 chan->ops->close(chan->data);
1da177e4
LT		 2946 goto response;
2947 }
2948
2949 hci_conn_hold(conn->hcon);
2950
1da177e4
LT		 2951 bacpy(&bt_sk(sk)->src, conn->src);
2952 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 2953 chan->psm = psm;
2954 chan->dcid = scid;
1da177e4 2955
d1010240
GP		 2956 bt_accept_enqueue(parent, sk);
2957
6be36555 2958 __l2cap_chan_add(conn, chan);
48454079 2959
fe4128e0 2960 dcid = chan->scid;
1da177e4 2961
c9b66675 2962 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 2963
fc7f8a7e 2964 chan->ident = cmd->ident;
1da177e4 2965
984947dc 2966 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 2967 if (l2cap_chan_check_security(chan)) {
f66dc81f 2968 if (bt_sk(sk)->defer_setup) {
0e587be7 2969 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 2970 result = L2CAP_CR_PEND;
2971 status = L2CAP_CS_AUTHOR_PEND;
2972 parent->sk_data_ready(parent, 0);
2973 } else {
0e587be7 2974 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 2975 result = L2CAP_CR_SUCCESS;
2976 status = L2CAP_CS_NO_INFO;
2977 }
79d554a6 2978 } else {
0e587be7 2979 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2980 result = L2CAP_CR_PEND;
2981 status = L2CAP_CS_AUTHEN_PEND;
2982 }
2983 } else {
0e587be7 2984 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2985 result = L2CAP_CR_PEND;
2986 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2987 }
2988
1da177e4 2989response:
aa2ac881 2990 release_sock(parent);
3df91ea2 2991 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2992
2993sendresp:
aca3192c
YH		 2994 rsp.scid = cpu_to_le16(scid);
2995 rsp.dcid = cpu_to_le16(dcid);
2996 rsp.result = cpu_to_le16(result);
2997 rsp.status = cpu_to_le16(status);
1da177e4 2998 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2999
3000 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3001 struct l2cap_info_req info;
3002 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3003
3004 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3005 conn->info_ident = l2cap_get_ident(conn);
3006
ba13ccd9 3007 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 3008
3009 l2cap_send_cmd(conn, conn->info_ident,
3010 L2CAP_INFO_REQ, sizeof(info), &info);
3011 }
3012
c1360a1c 3013 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 3014 result == L2CAP_CR_SUCCESS) {
3015 u8 buf[128];
c1360a1c 3016 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3017 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3018 l2cap_build_conf_req(chan, buf), buf);
3019 chan->num_conf_req++;
e9aeb2dd
GP		 3020 }
3021
1da177e4
LT		 3022 return 0;
3023}
3024
3025static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3026{
3027 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3028 u16 scid, dcid, result, status;
48454079 3029 struct l2cap_chan *chan;
1da177e4 3030 u8 req[128];
3df91ea2 3031 int err;
1da177e4
LT		 3032
3033 scid = __le16_to_cpu(rsp->scid);
3034 dcid = __le16_to_cpu(rsp->dcid);
3035 result = __le16_to_cpu(rsp->result);
3036 status = __le16_to_cpu(rsp->status);
3037
1b009c98
AE		 3038 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3039 dcid, scid, result, status);
1da177e4 3040
3df91ea2
AE		 3041 mutex_lock(&conn->chan_lock);
3042
1da177e4 3043 if (scid) {
3df91ea2
AE		 3044 chan = __l2cap_get_chan_by_scid(conn, scid);
3045 if (!chan) {
3046 err = -EFAULT;
3047 goto unlock;
3048 }
1da177e4 3049 } else {
3df91ea2
AE		 3050 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3051 if (!chan) {
3052 err = -EFAULT;
3053 goto unlock;
3054 }
1da177e4
LT		 3055 }
3056
3df91ea2
AE		 3057 err = 0;
3058
6be36555 3059 l2cap_chan_lock(chan);
48454079 3060
1da177e4
LT		 3061 switch (result) {
3062 case L2CAP_CR_SUCCESS:
89bc500e 3063 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3064 chan->ident = 0;
fe4128e0 3065 chan->dcid = dcid;
c1360a1c 3066 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3067
c1360a1c 3068 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3069 break;
3070
1da177e4 3071 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3072 l2cap_build_conf_req(chan, req), req);
3073 chan->num_conf_req++;
1da177e4
LT		 3074 break;
3075
3076 case L2CAP_CR_PEND:
c1360a1c 3077 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3078 break;
3079
3080 default:
48454079 3081 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3082 break;
3083 }
3084
6be36555 3085 l2cap_chan_unlock(chan);
3df91ea2
AE		 3086
3087unlock:
3088 mutex_unlock(&conn->chan_lock);
3089
3090 return err;
1da177e4
LT		 3091}
3092
47d1ec61 3093static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3094{
3095 /* FCS is enabled only in ERTM or streaming mode, if one or both
3096 * sides request it.
3097 */
0c1bc5c6 3098 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3099 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3100 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3101 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3102}
3103
88219a0f 3104static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 3105{
3106 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3107 u16 dcid, flags;
3108 u8 rsp[64];
48454079 3109 struct l2cap_chan *chan;
3c588192 3110 int len, err = 0;
1da177e4
LT		 3111
3112 dcid = __le16_to_cpu(req->dcid);
3113 flags = __le16_to_cpu(req->flags);
3114
3115 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3116
baa7e1fa 3117 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3118 if (!chan)
1da177e4
LT		 3119 return -ENOENT;
3120
6be36555 3121 l2cap_chan_lock(chan);
48454079 3122
033b1142 3123 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3124 struct l2cap_cmd_rej_cid rej;
3125
3126 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
3127 rej.scid = cpu_to_le16(chan->scid);
3128 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3129
df6bd743
GP		 3130 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
3131 sizeof(rej), &rej);
354f60a9 3132 goto unlock;
df6bd743 3133 }
354f60a9 3134
5dee9e7c 3135 /* Reject if config buffer is too small. */
88219a0f 3136 len = cmd_len - sizeof(*req);
7ac28817 3137 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3138 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3139 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 3140 L2CAP_CONF_REJECT, flags), rsp);
3141 goto unlock;
3142 }
3143
3144 /* Store config. */
73ffa904
GP		 3145 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3146 chan->conf_len += len;
1da177e4
LT		 3147
3148 if (flags & 0x0001) {
3149 /* Incomplete config. Send empty response. */
3150 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3151 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 3152 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 3153 goto unlock;
3154 }
3155
3156 /* Complete config. */
73ffa904 3157 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3158 if (len < 0) {
e92c8e70 3159 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 3160 goto unlock;
f2fcfcd6 3161 }
1da177e4 3162
5dee9e7c 3163 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3164 chan->num_conf_rsp++;
5dee9e7c 3165
5dee9e7c 3166 /* Reset config buffer. */
73ffa904 3167 chan->conf_len = 0;
5dee9e7c 3168
c1360a1c 3169 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3170 goto unlock;
3171
c1360a1c 3172 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3173 set_default_fcs(chan);
fcc203c3 3174
89bc500e 3175 l2cap_state_change(chan, BT_CONNECTED);
e90bac06 3176
42e5c802
GP		 3177 chan->next_tx_seq = 0;
3178 chan->expected_tx_seq = 0;
58d35f87 3179 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 3180 if (chan->mode == L2CAP_MODE_ERTM)
3c588192
MM		 3181 err = l2cap_ertm_init(chan);
3182
3183 if (err < 0)
3184 l2cap_send_disconn_req(chan->conn, chan, -err);
3185 else
3186 l2cap_chan_ready(chan);
0565c1c2 3187
876d9484
MH		 3188 goto unlock;
3189 }
3190
c1360a1c 3191 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3192 u8 buf[64];
1da177e4 3193 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3194 l2cap_build_conf_req(chan, buf), buf);
3195 chan->num_conf_req++;
1da177e4
LT		 3196 }
3197
0e8b207e
AE		 3198 /* Got Conf Rsp PENDING from remote side and asume we sent
3199 Conf Rsp PENDING in the code above */
3200 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
3201 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3202
3203 /* check compatibility */
3204
3205 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3206 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3207
3208 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3209 l2cap_build_conf_rsp(chan, rsp,
0e8b207e
AE		 3210 L2CAP_CONF_SUCCESS, 0x0000), rsp);
3211 }
3212
1da177e4 3213unlock:
6be36555 3214 l2cap_chan_unlock(chan);
3c588192 3215 return err;
1da177e4
LT		 3216}
3217
3218static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3219{
3220 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3221 u16 scid, flags, result;
48454079 3222 struct l2cap_chan *chan;
61386cba 3223 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3224 int err = 0;
1da177e4
LT		 3225
3226 scid = __le16_to_cpu(rsp->scid);
3227 flags = __le16_to_cpu(rsp->flags);
3228 result = __le16_to_cpu(rsp->result);
3229
61386cba
AE		 3230 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3231 result, len);
1da177e4 3232
baa7e1fa 3233 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3234 if (!chan)
1da177e4
LT		 3235 return 0;
3236
6be36555 3237 l2cap_chan_lock(chan);
48454079 3238
1da177e4
LT		 3239 switch (result) {
3240 case L2CAP_CONF_SUCCESS:
47d1ec61 3241 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3242 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3243 break;
3244
0e8b207e
AE		 3245 case L2CAP_CONF_PENDING:
3246 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3247
3248 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3249 char buf[64];
3250
3251 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3252 buf, &result);
3253 if (len < 0) {
3254 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3255 goto done;
3256 }
3257
3258 /* check compatibility */
3259
3260 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3261 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3262
3263 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3264 l2cap_build_conf_rsp(chan, buf,
0e8b207e
AE		 3265 L2CAP_CONF_SUCCESS, 0x0000), buf);
3266 }
3267 goto done;
3268
1da177e4 3269 case L2CAP_CONF_UNACCEPT:
73ffa904 3270 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3271 char req[64];
3272
c2c77ec8 3273 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 3274 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 3275 goto done;
3276 }
3277
f2fcfcd6
GP		 3278 /* throw out any old stored conf requests */
3279 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 3280 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3281 req, &result);
f2fcfcd6 3282 if (len < 0) {
e92c8e70 3283 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 3284 goto done;
3285 }
3286
3287 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3288 L2CAP_CONF_REQ, len, req);
73ffa904 3289 chan->num_conf_req++;
f2fcfcd6
GP		 3290 if (result != L2CAP_CONF_SUCCESS)
3291 goto done;
3292 break;
1da177e4
LT		 3293 }
3294
8e87d142 3295 default:
6be36555 3296 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 3297
ba13ccd9 3298 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 3299 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 3300 goto done;
3301 }
3302
3303 if (flags & 0x01)
3304 goto done;
3305
c1360a1c 3306 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 3307
c1360a1c 3308 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 3309 set_default_fcs(chan);
fcc203c3 3310
89bc500e 3311 l2cap_state_change(chan, BT_CONNECTED);
42e5c802
GP		 3312 chan->next_tx_seq = 0;
3313 chan->expected_tx_seq = 0;
58d35f87 3314 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 3315 if (chan->mode == L2CAP_MODE_ERTM)
3c588192 3316 err = l2cap_ertm_init(chan);
0565c1c2 3317
3c588192
MM		 3318 if (err < 0)
3319 l2cap_send_disconn_req(chan->conn, chan, -err);
3320 else
3321 l2cap_chan_ready(chan);
1da177e4
LT		 3322 }
3323
3324done:
6be36555 3325 l2cap_chan_unlock(chan);
3c588192 3326 return err;
1da177e4
LT		 3327}
3328
3329static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3330{
3331 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3332 struct l2cap_disconn_rsp rsp;
3333 u16 dcid, scid;
48454079 3334 struct l2cap_chan *chan;
1da177e4
LT		 3335 struct sock *sk;
3336
3337 scid = __le16_to_cpu(req->scid);
3338 dcid = __le16_to_cpu(req->dcid);
3339
3340 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3341
3df91ea2
AE		 3342 mutex_lock(&conn->chan_lock);
3343
3344 chan = __l2cap_get_chan_by_scid(conn, dcid);
3345 if (!chan) {
3346 mutex_unlock(&conn->chan_lock);
1da177e4 3347 return 0;
3df91ea2 3348 }
1da177e4 3349
6be36555
AE		 3350 l2cap_chan_lock(chan);
3351
48454079
GP		 3352 sk = chan->sk;
3353
fe4128e0
GP		 3354 rsp.dcid = cpu_to_le16(chan->scid);
3355 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3356 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3357
6be36555 3358 lock_sock(sk);
1da177e4 3359 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 3360 release_sock(sk);
1da177e4 3361
48454079 3362 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 3363
3364 l2cap_chan_unlock(chan);
1da177e4 3365
ba3bd0ee 3366 chan->ops->close(chan->data);
3df91ea2
AE		 3367
3368 mutex_unlock(&conn->chan_lock);
3369
1da177e4
LT		 3370 return 0;
3371}
3372
3373static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3374{
3375 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3376 u16 dcid, scid;
48454079 3377 struct l2cap_chan *chan;
1da177e4
LT		 3378
3379 scid = __le16_to_cpu(rsp->scid);
3380 dcid = __le16_to_cpu(rsp->dcid);
3381
3382 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3383
3df91ea2
AE		 3384 mutex_lock(&conn->chan_lock);
3385
3386 chan = __l2cap_get_chan_by_scid(conn, scid);
3387 if (!chan) {
3388 mutex_unlock(&conn->chan_lock);
1da177e4 3389 return 0;
3df91ea2 3390 }
1da177e4 3391
6be36555 3392 l2cap_chan_lock(chan);
48454079 3393
48454079 3394 l2cap_chan_del(chan, 0);
6be36555
AE		 3395
3396 l2cap_chan_unlock(chan);
1da177e4 3397
ba3bd0ee 3398 chan->ops->close(chan->data);
3df91ea2
AE		 3399
3400 mutex_unlock(&conn->chan_lock);
3401
1da177e4
LT		 3402 return 0;
3403}
3404
3405static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3406{
3407 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3408 u16 type;
3409
3410 type = __le16_to_cpu(req->type);
3411
3412 BT_DBG("type 0x%4.4x", type);
3413
f0709e03
MH		 3414 if (type == L2CAP_IT_FEAT_MASK) {
3415 u8 buf[8];
44dd46de 3416 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 3417 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3418 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3419 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3420 if (!disable_ertm)
fcc203c3
GP		 3421 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3422 | L2CAP_FEAT_FCS;
a5fd6f30 3423 if (enable_hs)
6327eb98
AE		 3424 feat_mask |= L2CAP_FEAT_EXT_FLOW
3425 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3426
1b7bf4ed 3427 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3428 l2cap_send_cmd(conn, cmd->ident,
3429 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3430 } else if (type == L2CAP_IT_FIXED_CHAN) {
3431 u8 buf[12];
3432 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3433
3434 if (enable_hs)
3435 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3436 else
3437 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3438
e1027a7c
MH		 3439 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3440 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3441 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH		 3442 l2cap_send_cmd(conn, cmd->ident,
3443 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3444 } else {
3445 struct l2cap_info_rsp rsp;
3446 rsp.type = cpu_to_le16(type);
3447 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3448 l2cap_send_cmd(conn, cmd->ident,
3449 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3450 }
1da177e4
LT		 3451
3452 return 0;
3453}
3454
3455static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3456{
3457 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3458 u16 type, result;
3459
3460 type = __le16_to_cpu(rsp->type);
3461 result = __le16_to_cpu(rsp->result);
3462
3463 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3464
e90165be
AE		 3465 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3466 if (cmd->ident != conn->info_ident ||
3467 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3468 return 0;
3469
17cd3f37 3470 cancel_delayed_work(&conn->info_timer);
4e8402a3 3471
adb08ede
VT		 3472 if (result != L2CAP_IR_SUCCESS) {
3473 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3474 conn->info_ident = 0;
3475
3476 l2cap_conn_start(conn);
3477
3478 return 0;
3479 }
3480
978c93b9
AE		 3481 switch (type) {
3482 case L2CAP_IT_FEAT_MASK:
83985319 3483 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3484
47ec1dcd 3485 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 3486 struct l2cap_info_req req;
3487 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3488
3489 conn->info_ident = l2cap_get_ident(conn);
3490
3491 l2cap_send_cmd(conn, conn->info_ident,
3492 L2CAP_INFO_REQ, sizeof(req), &req);
3493 } else {
3494 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3495 conn->info_ident = 0;
3496
3497 l2cap_conn_start(conn);
3498 }
978c93b9
AE		 3499 break;
3500
3501 case L2CAP_IT_FIXED_CHAN:
3502 conn->fixed_chan_mask = rsp->data[0];
984947dc 3503 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3504 conn->info_ident = 0;
984947dc
MH		 3505
3506 l2cap_conn_start(conn);
978c93b9 3507 break;
984947dc 3508 }
4e8402a3 3509
1da177e4
LT		 3510 return 0;
3511}
3512
f94ff6ff
MM		 3513static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3514 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3515 void *data)
3516{
3517 struct l2cap_create_chan_req *req = data;
3518 struct l2cap_create_chan_rsp rsp;
3519 u16 psm, scid;
3520
3521 if (cmd_len != sizeof(*req))
3522 return -EPROTO;
3523
3524 if (!enable_hs)
3525 return -EINVAL;
3526
3527 psm = le16_to_cpu(req->psm);
3528 scid = le16_to_cpu(req->scid);
3529
3530 BT_DBG("psm %d, scid %d, amp_id %d", psm, scid, req->amp_id);
3531
3532 /* Placeholder: Always reject */
3533 rsp.dcid = 0;
3534 rsp.scid = cpu_to_le16(scid);
8ce0c498
AE		 3535 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
3536 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f94ff6ff
MM		 3537
3538 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
3539 sizeof(rsp), &rsp);
3540
3541 return 0;
3542}
3543
3544static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
3545 struct l2cap_cmd_hdr *cmd, void *data)
3546{
3547 BT_DBG("conn %p", conn);
3548
3549 return l2cap_connect_rsp(conn, cmd, data);
3550}
3551
8d5a04a1
MM		 3552static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
3553 u16 icid, u16 result)
3554{
3555 struct l2cap_move_chan_rsp rsp;
3556
3557 BT_DBG("icid %d, result %d", icid, result);
3558
3559 rsp.icid = cpu_to_le16(icid);
3560 rsp.result = cpu_to_le16(result);
3561
3562 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
3563}
3564
3565static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
3566 struct l2cap_chan *chan, u16 icid, u16 result)
3567{
3568 struct l2cap_move_chan_cfm cfm;
3569 u8 ident;
3570
3571 BT_DBG("icid %d, result %d", icid, result);
3572
3573 ident = l2cap_get_ident(conn);
3574 if (chan)
3575 chan->ident = ident;
3576
3577 cfm.icid = cpu_to_le16(icid);
3578 cfm.result = cpu_to_le16(result);
3579
3580 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
3581}
3582
3583static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
3584 u16 icid)
3585{
3586 struct l2cap_move_chan_cfm_rsp rsp;
3587
3588 BT_DBG("icid %d", icid);
3589
3590 rsp.icid = cpu_to_le16(icid);
3591 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
3592}
3593
3594static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
3595 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3596{
3597 struct l2cap_move_chan_req *req = data;
3598 u16 icid = 0;
3599 u16 result = L2CAP_MR_NOT_ALLOWED;
3600
3601 if (cmd_len != sizeof(*req))
3602 return -EPROTO;
3603
3604 icid = le16_to_cpu(req->icid);
3605
3606 BT_DBG("icid %d, dest_amp_id %d", icid, req->dest_amp_id);
3607
3608 if (!enable_hs)
3609 return -EINVAL;
3610
3611 /* Placeholder: Always refuse */
3612 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
3613
3614 return 0;
3615}
3616
3617static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
3618 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3619{
3620 struct l2cap_move_chan_rsp *rsp = data;
3621 u16 icid, result;
3622
3623 if (cmd_len != sizeof(*rsp))
3624 return -EPROTO;
3625
3626 icid = le16_to_cpu(rsp->icid);
3627 result = le16_to_cpu(rsp->result);
3628
3629 BT_DBG("icid %d, result %d", icid, result);
3630
3631 /* Placeholder: Always unconfirmed */
3632 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
3633
3634 return 0;
3635}
3636
3637static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
3638 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3639{
3640 struct l2cap_move_chan_cfm *cfm = data;
3641 u16 icid, result;
3642
3643 if (cmd_len != sizeof(*cfm))
3644 return -EPROTO;
3645
3646 icid = le16_to_cpu(cfm->icid);
3647 result = le16_to_cpu(cfm->result);
3648
3649 BT_DBG("icid %d, result %d", icid, result);
3650
3651 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
3652
3653 return 0;
3654}
3655
3656static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
3657 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3658{
3659 struct l2cap_move_chan_cfm_rsp *rsp = data;
3660 u16 icid;
3661
3662 if (cmd_len != sizeof(*rsp))
3663 return -EPROTO;
3664
3665 icid = le16_to_cpu(rsp->icid);
3666
3667 BT_DBG("icid %d", icid);
3668
3669 return 0;
3670}
3671
e2174ca4 3672static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 3673 u16 to_multiplier)
3674{
3675 u16 max_latency;
3676
3677 if (min > max || min < 6 || max > 3200)
3678 return -EINVAL;
3679
3680 if (to_multiplier < 10 || to_multiplier > 3200)
3681 return -EINVAL;
3682
3683 if (max >= to_multiplier * 8)
3684 return -EINVAL;
3685
3686 max_latency = (to_multiplier * 8 / max) - 1;
3687 if (latency > 499 || latency > max_latency)
3688 return -EINVAL;
3689
3690 return 0;
3691}
3692
3693static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
3694 struct l2cap_cmd_hdr *cmd, u8 *data)
3695{
3696 struct hci_conn *hcon = conn->hcon;
3697 struct l2cap_conn_param_update_req *req;
3698 struct l2cap_conn_param_update_rsp rsp;
3699 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 3700 int err;
de73115a
CT		 3701
3702 if (!(hcon->link_mode & HCI_LM_MASTER))
3703 return -EINVAL;
3704
3705 cmd_len = __le16_to_cpu(cmd->len);
3706 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
3707 return -EPROTO;
3708
3709 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 3710 min = __le16_to_cpu(req->min);
3711 max = __le16_to_cpu(req->max);
de73115a
CT		 3712 latency = __le16_to_cpu(req->latency);
3713 to_multiplier = __le16_to_cpu(req->to_multiplier);
3714
3715 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
3716 min, max, latency, to_multiplier);
3717
3718 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 3719
3720 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
3721 if (err)
de73115a
CT		 3722 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
3723 else
3724 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
3725
3726 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
3727 sizeof(rsp), &rsp);
3728
2ce603eb
CT		 3729 if (!err)
3730 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
3731
de73115a
CT		 3732 return 0;
3733}
3734
3300d9a9
CT		 3735static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
3736 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3737{
3738 int err = 0;
3739
3740 switch (cmd->code) {
3741 case L2CAP_COMMAND_REJ:
3742 l2cap_command_rej(conn, cmd, data);
3743 break;
3744
3745 case L2CAP_CONN_REQ:
3746 err = l2cap_connect_req(conn, cmd, data);
3747 break;
3748
3749 case L2CAP_CONN_RSP:
3750 err = l2cap_connect_rsp(conn, cmd, data);
3751 break;
3752
3753 case L2CAP_CONF_REQ:
3754 err = l2cap_config_req(conn, cmd, cmd_len, data);
3755 break;
3756
3757 case L2CAP_CONF_RSP:
3758 err = l2cap_config_rsp(conn, cmd, data);
3759 break;
3760
3761 case L2CAP_DISCONN_REQ:
3762 err = l2cap_disconnect_req(conn, cmd, data);
3763 break;
3764
3765 case L2CAP_DISCONN_RSP:
3766 err = l2cap_disconnect_rsp(conn, cmd, data);
3767 break;
3768
3769 case L2CAP_ECHO_REQ:
3770 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
3771 break;
3772
3773 case L2CAP_ECHO_RSP:
3774 break;
3775
3776 case L2CAP_INFO_REQ:
3777 err = l2cap_information_req(conn, cmd, data);
3778 break;
3779
3780 case L2CAP_INFO_RSP:
3781 err = l2cap_information_rsp(conn, cmd, data);
3782 break;
3783
f94ff6ff
MM		 3784 case L2CAP_CREATE_CHAN_REQ:
3785 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
3786 break;
3787
3788 case L2CAP_CREATE_CHAN_RSP:
3789 err = l2cap_create_channel_rsp(conn, cmd, data);
3790 break;
3791
8d5a04a1
MM		 3792 case L2CAP_MOVE_CHAN_REQ:
3793 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
3794 break;
3795
3796 case L2CAP_MOVE_CHAN_RSP:
3797 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
3798 break;
3799
3800 case L2CAP_MOVE_CHAN_CFM:
3801 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
3802 break;
3803
3804 case L2CAP_MOVE_CHAN_CFM_RSP:
3805 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
3806 break;
3807
3300d9a9
CT		 3808 default:
3809 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
3810 err = -EINVAL;
3811 break;
3812 }
3813
3814 return err;
3815}
3816
3817static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
3818 struct l2cap_cmd_hdr *cmd, u8 *data)
3819{
3820 switch (cmd->code) {
3821 case L2CAP_COMMAND_REJ:
3822 return 0;
3823
3824 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 3825 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 3826
3827 case L2CAP_CONN_PARAM_UPDATE_RSP:
3828 return 0;
3829
3830 default:
3831 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
3832 return -EINVAL;
3833 }
3834}
3835
3836static inline void l2cap_sig_channel(struct l2cap_conn *conn,
3837 struct sk_buff *skb)
1da177e4
LT		 3838{
3839 u8 *data = skb->data;
3840 int len = skb->len;
3841 struct l2cap_cmd_hdr cmd;
3300d9a9 3842 int err;
1da177e4
LT		 3843
3844 l2cap_raw_recv(conn, skb);
3845
3846 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3847 u16 cmd_len;
1da177e4
LT		 3848 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3849 data += L2CAP_CMD_HDR_SIZE;
3850 len -= L2CAP_CMD_HDR_SIZE;
3851
88219a0f 3852 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3853
88219a0f 3854 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3855
88219a0f 3856 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3857 BT_DBG("corrupted command");
3858 break;
3859 }
3860
3300d9a9
CT		 3861 if (conn->hcon->type == LE_LINK)
3862 err = l2cap_le_sig_cmd(conn, &cmd, data);
3863 else
3864 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 3865
3866 if (err) {
e2fd318e 3867 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 3868
3869 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 3870
3871 /* FIXME: Map err to a valid reason */
e2fd318e 3872 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 3873 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3874 }
3875
88219a0f
AV		 3876 data += cmd_len;
3877 len -= cmd_len;
1da177e4
LT		 3878 }
3879
3880 kfree_skb(skb);
3881}
3882
47d1ec61 3883static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 3884{
3885 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 3886 int hdr_size;
3887
3888 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3889 hdr_size = L2CAP_EXT_HDR_SIZE;
3890 else
3891 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 3892
47d1ec61 3893 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 3894 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 3895 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3896 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3897
3898 if (our_fcs != rcv_fcs)
7a560e5c 3899 return -EBADMSG;
fcc203c3
GP		 3900 }
3901 return 0;
3902}
3903
525cd185 3904static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 3905{
88843ab0 3906 u32 control = 0;
d5392c8f 3907
6a026610 3908 chan->frames_sent = 0;
d5392c8f 3909
0b209fae 3910 control |= __set_reqseq(chan, chan->buffer_seq);
d5392c8f 3911
e2ab4353 3912 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 3913 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
525cd185 3914 l2cap_send_sframe(chan, control);
e2ab4353 3915 set_bit(CONN_RNR_SENT, &chan->conn_state);
d5392c8f
GP		 3916 }
3917
e2ab4353 3918 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
525cd185 3919 l2cap_retransmit_frames(chan);
d5392c8f 3920
525cd185 3921 l2cap_ertm_send(chan);
d5392c8f 3922
e2ab4353 3923 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
6a026610 3924 chan->frames_sent == 0) {
ab784b73 3925 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 3926 l2cap_send_sframe(chan, control);
d5392c8f
GP		 3927 }
3928}
3929
fb45de7d 3930static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u16 tx_seq, u8 sar)
8f17154f
GP		 3931{
3932 struct sk_buff *next_skb;
bfbacc11 3933 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 3934
3935 bt_cb(skb)->tx_seq = tx_seq;
3936 bt_cb(skb)->sar = sar;
3937
f1c6775b 3938 next_skb = skb_peek(&chan->srej_q);
8f17154f 3939
836be934 3940 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
bfbacc11 3941
039d9572 3942 while (next_skb) {
9b53350d
JPRV		 3943 if (bt_cb(next_skb)->tx_seq == tx_seq)
3944 return -EINVAL;
3945
836be934
AE		 3946 next_tx_seq_offset = __seq_offset(chan,
3947 bt_cb(next_skb)->tx_seq, chan->buffer_seq);
bfbacc11
JPRV		 3948
3949 if (next_tx_seq_offset > tx_seq_offset) {
f1c6775b 3950 __skb_queue_before(&chan->srej_q, next_skb, skb);
9b53350d 3951 return 0;
8f17154f
GP		 3952 }
3953
f1c6775b 3954 if (skb_queue_is_last(&chan->srej_q, next_skb))
039d9572
SJ		 3955 next_skb = NULL;
3956 else
3957 next_skb = skb_queue_next(&chan->srej_q, next_skb);
3958 }
8f17154f 3959
f1c6775b 3960 __skb_queue_tail(&chan->srej_q, skb);
9b53350d
JPRV		 3961
3962 return 0;
8f17154f
GP		 3963}
3964
84084a31
MM		 3965static void append_skb_frag(struct sk_buff *skb,
3966 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 3967{
84084a31
MM		 3968 /* skb->len reflects data in skb as well as all fragments
3969 * skb->data_len reflects only data in fragments
3970 */
3971 if (!skb_has_frag_list(skb))
3972 skb_shinfo(skb)->frag_list = new_frag;
3973
3974 new_frag->next = NULL;
3975
3976 (*last_frag)->next = new_frag;
3977 *last_frag = new_frag;
3978
3979 skb->len += new_frag->len;
3980 skb->data_len += new_frag->len;
3981 skb->truesize += new_frag->truesize;
3982}
3983
88843ab0 3984static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u32 control)
84084a31
MM		 3985{
3986 int err = -EINVAL;
18778a63 3987
7e0ef6ee
AE		 3988 switch (__get_ctrl_sar(chan, control)) {
3989 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 3990 if (chan->sdu)
3991 break;
18778a63 3992
84084a31
MM		 3993 err = chan->ops->recv(chan->data, skb);
3994 break;
18778a63 3995
7e0ef6ee 3996 case L2CAP_SAR_START:
84084a31
MM		 3997 if (chan->sdu)
3998 break;
18778a63 3999
6f61fd47 4000 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 4001 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 4002
84084a31
MM		 4003 if (chan->sdu_len > chan->imtu) {
4004 err = -EMSGSIZE;
4005 break;
4006 }
1890d36b 4007
84084a31
MM		 4008 if (skb->len >= chan->sdu_len)
4009 break;
18778a63 4010
84084a31
MM		 4011 chan->sdu = skb;
4012 chan->sdu_last_frag = skb;
18778a63 4013
84084a31
MM		 4014 skb = NULL;
4015 err = 0;
18778a63
GP		 4016 break;
4017
7e0ef6ee 4018 case L2CAP_SAR_CONTINUE:
6f61fd47 4019 if (!chan->sdu)
84084a31 4020 break;
18778a63 4021
84084a31
MM		 4022 append_skb_frag(chan->sdu, skb,
4023 &chan->sdu_last_frag);
4024 skb = NULL;
18778a63 4025
84084a31
MM		 4026 if (chan->sdu->len >= chan->sdu_len)
4027 break;
4178ba46 4028
84084a31 4029 err = 0;
18778a63
GP		 4030 break;
4031
7e0ef6ee 4032 case L2CAP_SAR_END:
6f61fd47 4033 if (!chan->sdu)
84084a31 4034 break;
18778a63 4035
84084a31
MM		 4036 append_skb_frag(chan->sdu, skb,
4037 &chan->sdu_last_frag);
4038 skb = NULL;
4178ba46 4039
84084a31
MM		 4040 if (chan->sdu->len != chan->sdu_len)
4041 break;
18778a63 4042
84084a31 4043 err = chan->ops->recv(chan->data, chan->sdu);
1890d36b 4044
84084a31
MM		 4045 if (!err) {
4046 /* Reassembly complete */
4047 chan->sdu = NULL;
4048 chan->sdu_last_frag = NULL;
4049 chan->sdu_len = 0;
1890d36b 4050 }
18778a63
GP		 4051 break;
4052 }
4053
84084a31
MM		 4054 if (err) {
4055 kfree_skb(skb);
4056 kfree_skb(chan->sdu);
4057 chan->sdu = NULL;
4058 chan->sdu_last_frag = NULL;
4059 chan->sdu_len = 0;
4060 }
18778a63 4061
84084a31 4062 return err;
18778a63
GP		 4063}
4064
26f880d2 4065static void l2cap_ertm_enter_local_busy(struct l2cap_chan *chan)
712132eb 4066{
26f880d2 4067 BT_DBG("chan %p, Enter local busy", chan);
712132eb 4068
26f880d2 4069 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3c588192 4070 l2cap_seq_list_clear(&chan->srej_list);
26f880d2 4071
77f918bc 4072 __set_ack_timer(chan);
26f880d2
MM		 4073}
4074
4075static void l2cap_ertm_exit_local_busy(struct l2cap_chan *chan)
4076{
88843ab0 4077 u32 control;
712132eb 4078
e2ab4353 4079 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
712132eb
GP		 4080 goto done;
4081
0b209fae 4082 control = __set_reqseq(chan, chan->buffer_seq);
e3781735 4083 control |= __set_ctrl_poll(chan);
ab784b73 4084 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 4085 l2cap_send_sframe(chan, control);
6a026610 4086 chan->retry_count = 1;
712132eb 4087
1a09bcb9
GP		 4088 __clear_retrans_timer(chan);
4089 __set_monitor_timer(chan);
712132eb 4090
e2ab4353 4091 set_bit(CONN_WAIT_F, &chan->conn_state);
712132eb
GP		 4092
4093done:
e2ab4353
GP		 4094 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
4095 clear_bit(CONN_RNR_SENT, &chan->conn_state);
712132eb 4096
49208c9c 4097 BT_DBG("chan %p, Exit local busy", chan);
712132eb
GP		 4098}
4099
e328140f 4100void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
1890d36b 4101{
e328140f
MM		 4102 if (chan->mode == L2CAP_MODE_ERTM) {
4103 if (busy)
4104 l2cap_ertm_enter_local_busy(chan);
4105 else
4106 l2cap_ertm_exit_local_busy(chan);
1890d36b 4107 }
1890d36b
GP		 4108}
4109
fb45de7d 4110static void l2cap_check_srej_gap(struct l2cap_chan *chan, u16 tx_seq)
8f17154f
GP		 4111{
4112 struct sk_buff *skb;
88843ab0 4113 u32 control;
8f17154f 4114
e328140f
MM		 4115 while ((skb = skb_peek(&chan->srej_q)) &&
4116 !test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4117 int err;
4118
8f17154f
GP		 4119 if (bt_cb(skb)->tx_seq != tx_seq)
4120 break;
4121
f1c6775b 4122 skb = skb_dequeue(&chan->srej_q);
7e0ef6ee 4123 control = __set_ctrl_sar(chan, bt_cb(skb)->sar);
84084a31 4124 err = l2cap_reassemble_sdu(chan, skb, control);
e328140f
MM		 4125
4126 if (err < 0) {
4127 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4128 break;
4129 }
4130
836be934
AE		 4131 chan->buffer_seq_srej = __next_seq(chan, chan->buffer_seq_srej);
4132 tx_seq = __next_seq(chan, tx_seq);
8f17154f
GP		 4133 }
4134}
4135
fb45de7d 4136static void l2cap_resend_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 4137{
8f17154f 4138 struct srej_list *l, *tmp;
88843ab0 4139 u32 control;
8f17154f 4140
39d5a3ee 4141 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
8f17154f
GP		 4142 if (l->tx_seq == tx_seq) {
4143 list_del(&l->list);
4144 kfree(l);
4145 return;
4146 }
ab784b73 4147 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 4148 control |= __set_reqseq(chan, l->tx_seq);
525cd185 4149 l2cap_send_sframe(chan, control);
8f17154f 4150 list_del(&l->list);
39d5a3ee 4151 list_add_tail(&l->list, &chan->srej_l);
8f17154f
GP		 4152 }
4153}
4154
aef89f21 4155static int l2cap_send_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 4156{
8f17154f 4157 struct srej_list *new;
88843ab0 4158 u32 control;
8f17154f 4159
42e5c802 4160 while (tx_seq != chan->expected_tx_seq) {
ab784b73 4161 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 4162 control |= __set_reqseq(chan, chan->expected_tx_seq);
3c588192 4163 l2cap_seq_list_append(&chan->srej_list, chan->expected_tx_seq);
525cd185 4164 l2cap_send_sframe(chan, control);
8f17154f
GP		 4165
4166 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
aef89f21
SJ		 4167 if (!new)
4168 return -ENOMEM;
4169
42e5c802 4170 new->tx_seq = chan->expected_tx_seq;
836be934
AE		 4171
4172 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
4173
39d5a3ee 4174 list_add_tail(&new->list, &chan->srej_l);
8f17154f 4175 }
836be934
AE		 4176
4177 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
aef89f21
SJ		 4178
4179 return 0;
8f17154f
GP		 4180}
4181
88843ab0 4182static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
1c2acffb 4183{
fb45de7d 4184 u16 tx_seq = __get_txseq(chan, rx_control);
0b209fae 4185 u16 req_seq = __get_reqseq(chan, rx_control);
7e0ef6ee 4186 u8 sar = __get_ctrl_sar(chan, rx_control);
f6337c77 4187 int tx_seq_offset, expected_tx_seq_offset;
47d1ec61 4188 int num_to_ack = (chan->tx_win/6) + 1;
1c2acffb
GP		 4189 int err = 0;
4190
88843ab0 4191 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%8.8x", chan, skb->len,
525cd185 4192 tx_seq, rx_control);
1c2acffb 4193
03f6715d 4194 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 4195 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 4196 __clear_monitor_timer(chan);
6a026610 4197 if (chan->unacked_frames > 0)
1a09bcb9 4198 __set_retrans_timer(chan);
e2ab4353 4199 clear_bit(CONN_WAIT_F, &chan->conn_state);
1d8f5d16
GP		 4200 }
4201
42e5c802
GP		 4202 chan->expected_ack_seq = req_seq;
4203 l2cap_drop_acked_frames(chan);
9f121a5a 4204
836be934 4205 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
9b53350d
JPRV		 4206
4207 /* invalid tx_seq */
47d1ec61 4208 if (tx_seq_offset >= chan->tx_win) {
8c1d787b 4209 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
9b53350d
JPRV		 4210 goto drop;
4211 }
4212
77f918bc
SJ		 4213 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4214 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
4215 l2cap_send_ack(chan);
1890d36b 4216 goto drop;
77f918bc 4217 }
1890d36b 4218
02f1b641
MM		 4219 if (tx_seq == chan->expected_tx_seq)
4220 goto expected;
4221
e2ab4353 4222 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
8f17154f 4223 struct srej_list *first;
30afb5b2 4224
39d5a3ee 4225 first = list_first_entry(&chan->srej_l,
8f17154f
GP		 4226 struct srej_list, list);
4227 if (tx_seq == first->tx_seq) {
42e5c802 4228 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
525cd185 4229 l2cap_check_srej_gap(chan, tx_seq);
8f17154f
GP		 4230
4231 list_del(&first->list);
4232 kfree(first);
4233
39d5a3ee 4234 if (list_empty(&chan->srej_l)) {
42e5c802 4235 chan->buffer_seq = chan->buffer_seq_srej;
e2ab4353 4236 clear_bit(CONN_SREJ_SENT, &chan->conn_state);
525cd185 4237 l2cap_send_ack(chan);
49208c9c 4238 BT_DBG("chan %p, Exit SREJ_SENT", chan);
8f17154f
GP		 4239 }
4240 } else {
4241 struct srej_list *l;
9b53350d
JPRV		 4242
4243 /* duplicated tx_seq */
42e5c802 4244 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
9b53350d 4245 goto drop;
8f17154f 4246
39d5a3ee 4247 list_for_each_entry(l, &chan->srej_l, list) {
8f17154f 4248 if (l->tx_seq == tx_seq) {
525cd185 4249 l2cap_resend_srejframe(chan, tx_seq);
8f17154f
GP		 4250 return 0;
4251 }
4252 }
aef89f21
SJ		 4253
4254 err = l2cap_send_srejframe(chan, tx_seq);
4255 if (err < 0) {
4256 l2cap_send_disconn_req(chan->conn, chan, -err);
4257 return err;
4258 }
30afb5b2
GP		 4259 }
4260 } else {
836be934
AE		 4261 expected_tx_seq_offset = __seq_offset(chan,
4262 chan->expected_tx_seq, chan->buffer_seq);
9b53350d
JPRV		 4263
4264 /* duplicated tx_seq */
4265 if (tx_seq_offset < expected_tx_seq_offset)
4266 goto drop;
4267
e2ab4353 4268 set_bit(CONN_SREJ_SENT, &chan->conn_state);
1c2acffb 4269
49208c9c 4270 BT_DBG("chan %p, Enter SREJ", chan);
0e98958d 4271
39d5a3ee 4272 INIT_LIST_HEAD(&chan->srej_l);
42e5c802 4273 chan->buffer_seq_srej = chan->buffer_seq;
8f17154f 4274
f1c6775b 4275 __skb_queue_head_init(&chan->srej_q);
42e5c802 4276 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
8f17154f 4277
0ef3ef0f
SJ		 4278 /* Set P-bit only if there are some I-frames to ack. */
4279 if (__clear_ack_timer(chan))
4280 set_bit(CONN_SEND_PBIT, &chan->conn_state);
ef54fd93 4281
aef89f21
SJ		 4282 err = l2cap_send_srejframe(chan, tx_seq);
4283 if (err < 0) {
4284 l2cap_send_disconn_req(chan->conn, chan, -err);
4285 return err;
4286 }
1c2acffb 4287 }
30afb5b2
GP		 4288 return 0;
4289
8f17154f 4290expected:
836be934 4291 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
8f17154f 4292
e2ab4353 4293 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3b1a9f3f
GP		 4294 bt_cb(skb)->tx_seq = tx_seq;
4295 bt_cb(skb)->sar = sar;
f1c6775b 4296 __skb_queue_tail(&chan->srej_q, skb);
8f17154f
GP		 4297 return 0;
4298 }
4299
84084a31 4300 err = l2cap_reassemble_sdu(chan, skb, rx_control);
836be934
AE		 4301 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
4302
e328140f
MM		 4303 if (err < 0) {
4304 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4305 return err;
4306 }
2ece3684 4307
03f6715d 4308 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4309 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 4310 l2cap_retransmit_frames(chan);
4ec10d97
GP		 4311 }
4312
c1b4f43b 4313
6a026610
GP		 4314 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
4315 if (chan->num_acked == num_to_ack - 1)
525cd185 4316 l2cap_send_ack(chan);
4d611e4d
GP		 4317 else
4318 __set_ack_timer(chan);
9e917af1 4319
8f17154f 4320 return 0;
9b53350d
JPRV		 4321
4322drop:
4323 kfree_skb(skb);
4324 return 0;
1c2acffb
GP		 4325}
4326
88843ab0 4327static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u32 rx_control)
1c2acffb 4328{
88843ab0 4329 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan,
0b209fae 4330 __get_reqseq(chan, rx_control), rx_control);
0e98958d 4331
0b209fae 4332 chan->expected_ack_seq = __get_reqseq(chan, rx_control);
42e5c802 4333 l2cap_drop_acked_frames(chan);
1c2acffb 4334
e3781735 4335 if (__is_ctrl_poll(chan, rx_control)) {
e2ab4353
GP		 4336 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4337 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
4338 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 4339 (chan->unacked_frames > 0))
1a09bcb9 4340 __set_retrans_timer(chan);
05fbd89d 4341
e2ab4353 4342 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
525cd185 4343 l2cap_send_srejtail(chan);
05fbd89d 4344 } else {
525cd185 4345 l2cap_send_i_or_rr_or_rnr(chan);
05fbd89d 4346 }
1d8f5d16 4347
03f6715d 4348 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4349 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4ec10d97 4350
e2ab4353 4351 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 4352 l2cap_retransmit_frames(chan);
2246b2f1 4353
e072745f 4354 } else {
e2ab4353 4355 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 4356 (chan->unacked_frames > 0))
1a09bcb9 4357 __set_retrans_timer(chan);
1c2acffb 4358
e2ab4353
GP		 4359 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4360 if (test_bit(CONN_SREJ_SENT, &chan->conn_state))
525cd185 4361 l2cap_send_ack(chan);
894718a6 4362 else
525cd185 4363 l2cap_ertm_send(chan);
e072745f
GP		 4364 }
4365}
2246b2f1 4366
88843ab0 4367static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4368{
0b209fae 4369 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 4370
88843ab0 4371 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4372
e2ab4353 4373 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
e072745f 4374
42e5c802
GP		 4375 chan->expected_ack_seq = tx_seq;
4376 l2cap_drop_acked_frames(chan);
e072745f 4377
03f6715d 4378 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4379 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 4380 l2cap_retransmit_frames(chan);
e072745f 4381 } else {
525cd185 4382 l2cap_retransmit_frames(chan);
30afb5b2 4383
e2ab4353
GP		 4384 if (test_bit(CONN_WAIT_F, &chan->conn_state))
4385 set_bit(CONN_REJ_ACT, &chan->conn_state);
e072745f
GP		 4386 }
4387}
88843ab0 4388static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4389{
0b209fae 4390 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 4391
88843ab0 4392 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4393
e2ab4353 4394 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
2246b2f1 4395
e3781735 4396 if (__is_ctrl_poll(chan, rx_control)) {
42e5c802
GP		 4397 chan->expected_ack_seq = tx_seq;
4398 l2cap_drop_acked_frames(chan);
3cb123d1 4399
e2ab4353 4400 set_bit(CONN_SEND_FBIT, &chan->conn_state);
525cd185 4401 l2cap_retransmit_one_frame(chan, tx_seq);
dfc909be 4402
525cd185 4403 l2cap_ertm_send(chan);
dfc909be 4404
e2ab4353 4405 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 4406 chan->srej_save_reqseq = tx_seq;
e2ab4353 4407 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 4408 }
03f6715d 4409 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4410 if (test_bit(CONN_SREJ_ACT, &chan->conn_state) &&
6a026610 4411 chan->srej_save_reqseq == tx_seq)
e2ab4353 4412 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
e072745f 4413 else
525cd185 4414 l2cap_retransmit_one_frame(chan, tx_seq);
e072745f 4415 } else {
525cd185 4416 l2cap_retransmit_one_frame(chan, tx_seq);
e2ab4353 4417 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 4418 chan->srej_save_reqseq = tx_seq;
e2ab4353 4419 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 4420 }
e072745f
GP		 4421 }
4422}
4423
88843ab0 4424static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4425{
0b209fae 4426 u16 tx_seq = __get_reqseq(chan, rx_control);
e072745f 4427
88843ab0 4428 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4429
e2ab4353 4430 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
42e5c802
GP		 4431 chan->expected_ack_seq = tx_seq;
4432 l2cap_drop_acked_frames(chan);
e072745f 4433
e3781735 4434 if (__is_ctrl_poll(chan, rx_control))
e2ab4353 4435 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3cb123d1 4436
e2ab4353 4437 if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
1a09bcb9 4438 __clear_retrans_timer(chan);
e3781735 4439 if (__is_ctrl_poll(chan, rx_control))
525cd185 4440 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
99b0d4b7 4441 return;
e072745f 4442 }
99b0d4b7 4443
e3781735 4444 if (__is_ctrl_poll(chan, rx_control)) {
525cd185 4445 l2cap_send_srejtail(chan);
ab784b73
AE		 4446 } else {
4447 rx_control = __set_ctrl_super(chan, L2CAP_SUPER_RR);
4448 l2cap_send_sframe(chan, rx_control);
4449 }
e072745f
GP		 4450}
4451
88843ab0 4452static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
e072745f 4453{
88843ab0 4454 BT_DBG("chan %p rx_control 0x%8.8x len %d", chan, rx_control, skb->len);
e072745f 4455
03f6715d 4456 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 4457 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 4458 __clear_monitor_timer(chan);
6a026610 4459 if (chan->unacked_frames > 0)
1a09bcb9 4460 __set_retrans_timer(chan);
e2ab4353 4461 clear_bit(CONN_WAIT_F, &chan->conn_state);
e072745f
GP		 4462 }
4463
ab784b73
AE		 4464 switch (__get_ctrl_super(chan, rx_control)) {
4465 case L2CAP_SUPER_RR:
525cd185 4466 l2cap_data_channel_rrframe(chan, rx_control);
8f17154f
GP		 4467 break;
4468
ab784b73 4469 case L2CAP_SUPER_REJ:
525cd185 4470 l2cap_data_channel_rejframe(chan, rx_control);
e072745f 4471 break;
2246b2f1 4472
ab784b73 4473 case L2CAP_SUPER_SREJ:
525cd185 4474 l2cap_data_channel_srejframe(chan, rx_control);
e072745f
GP		 4475 break;
4476
ab784b73 4477 case L2CAP_SUPER_RNR:
525cd185 4478 l2cap_data_channel_rnrframe(chan, rx_control);
1c2acffb
GP		 4479 break;
4480 }
4481
faaebd19 4482 kfree_skb(skb);
1c2acffb
GP		 4483 return 0;
4484}
4485
cad8f1d0 4486static int l2cap_ertm_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
218bb9df 4487{
88843ab0 4488 u32 control;
0b209fae 4489 u16 req_seq;
218bb9df
GP		 4490 int len, next_tx_seq_offset, req_seq_offset;
4491
b76bbd66
MM		 4492 __unpack_control(chan, skb);
4493
88843ab0
AE		 4494 control = __get_control(chan, skb->data);
4495 skb_pull(skb, __ctrl_size(chan));
218bb9df
GP		 4496 len = skb->len;
4497
4498 /*
4499 * We can just drop the corrupted I-frame here.
4500 * Receiver will miss it and start proper recovery
4501 * procedures and ask retransmission.
4502 */
47d1ec61 4503 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 4504 goto drop;
4505
793c2f1c 4506 if (__is_sar_start(chan, control) && !__is_sframe(chan, control))
03a51213 4507 len -= L2CAP_SDULEN_SIZE;
218bb9df 4508
47d1ec61 4509 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 4510 len -= L2CAP_FCS_SIZE;
218bb9df 4511
47d1ec61 4512 if (len > chan->mps) {
8c1d787b 4513 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4514 goto drop;
4515 }
4516
0b209fae 4517 req_seq = __get_reqseq(chan, control);
218bb9df 4518
836be934
AE		 4519 req_seq_offset = __seq_offset(chan, req_seq, chan->expected_ack_seq);
4520
4521 next_tx_seq_offset = __seq_offset(chan, chan->next_tx_seq,
4522 chan->expected_ack_seq);
218bb9df
GP		 4523
4524 /* check for invalid req-seq */
4525 if (req_seq_offset > next_tx_seq_offset) {
8c1d787b 4526 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4527 goto drop;
4528 }
4529
793c2f1c 4530 if (!__is_sframe(chan, control)) {
218bb9df 4531 if (len < 0) {
8c1d787b 4532 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4533 goto drop;
4534 }
4535
525cd185 4536 l2cap_data_channel_iframe(chan, control, skb);
218bb9df
GP		 4537 } else {
4538 if (len != 0) {
4539 BT_ERR("%d", len);
8c1d787b 4540 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4541 goto drop;
4542 }
4543
525cd185 4544 l2cap_data_channel_sframe(chan, control, skb);
218bb9df
GP		 4545 }
4546
4547 return 0;
4548
4549drop:
4550 kfree_skb(skb);
4551 return 0;
4552}
4553
1da177e4
LT		 4554static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
4555{
48454079 4556 struct l2cap_chan *chan;
88843ab0 4557 u32 control;
fb45de7d 4558 u16 tx_seq;
218bb9df 4559 int len;
1da177e4 4560
baa7e1fa 4561 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 4562 if (!chan) {
1da177e4 4563 BT_DBG("unknown cid 0x%4.4x", cid);
6be36555 4564 /* Drop packet and return */
3379013b 4565 kfree_skb(skb);
6be36555 4566 return 0;
1da177e4
LT		 4567 }
4568
6be36555 4569 l2cap_chan_lock(chan);
6840ed07 4570
49208c9c 4571 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 4572
89bc500e 4573 if (chan->state != BT_CONNECTED)
1da177e4
LT		 4574 goto drop;
4575
0c1bc5c6 4576 switch (chan->mode) {
1c2acffb
GP		 4577 case L2CAP_MODE_BASIC:
4578 /* If socket recv buffers overflows we drop data here
4579 * which is *bad* because L2CAP has to be reliable.
4580 * But we don't have any other choice. L2CAP doesn't
4581 * provide flow control mechanism. */
1da177e4 4582
0c1bc5c6 4583 if (chan->imtu < skb->len)
1c2acffb 4584 goto drop;
1da177e4 4585
23070494 4586 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP		 4587 goto done;
4588 break;
4589
4590 case L2CAP_MODE_ERTM:
5ef8cb9e 4591 l2cap_ertm_data_rcv(chan, skb);
1c2acffb 4592
fcafde2e 4593 goto done;
1c2acffb 4594
6840ed07 4595 case L2CAP_MODE_STREAMING:
88843ab0
AE		 4596 control = __get_control(chan, skb->data);
4597 skb_pull(skb, __ctrl_size(chan));
6840ed07
GP		 4598 len = skb->len;
4599
47d1ec61 4600 if (l2cap_check_fcs(chan, skb))
26000089
GP		 4601 goto drop;
4602
7e0ef6ee 4603 if (__is_sar_start(chan, control))
03a51213 4604 len -= L2CAP_SDULEN_SIZE;
6840ed07 4605
47d1ec61 4606 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 4607 len -= L2CAP_FCS_SIZE;
fcc203c3 4608
793c2f1c 4609 if (len > chan->mps || len < 0 || __is_sframe(chan, control))
6840ed07
GP		 4610 goto drop;
4611
fb45de7d 4612 tx_seq = __get_txseq(chan, control);
6840ed07 4613
84084a31
MM		 4614 if (chan->expected_tx_seq != tx_seq) {
4615 /* Frame(s) missing - must discard partial SDU */
4616 kfree_skb(chan->sdu);
4617 chan->sdu = NULL;
4618 chan->sdu_last_frag = NULL;
4619 chan->sdu_len = 0;
6840ed07 4620
84084a31
MM		 4621 /* TODO: Notify userland of missing data */
4622 }
4623
836be934 4624 chan->expected_tx_seq = __next_seq(chan, tx_seq);
84084a31
MM		 4625
4626 if (l2cap_reassemble_sdu(chan, skb, control) == -EMSGSIZE)
4627 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
6840ed07
GP		 4628
4629 goto done;
4630
1c2acffb 4631 default:
0c1bc5c6 4632 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 4633 break;
4634 }
1da177e4
LT		 4635
4636drop:
4637 kfree_skb(skb);
4638
4639done:
6be36555 4640 l2cap_chan_unlock(chan);
0139418c 4641
1da177e4
LT		 4642 return 0;
4643}
4644
8e036fc3 4645static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 4646{
23691d75 4647 struct l2cap_chan *chan;
1da177e4 4648
c2287681 4649 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 4650 if (!chan)
1da177e4
LT		 4651 goto drop;
4652
5b4cedaa 4653 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 4654
89bc500e 4655 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 4656 goto drop;
4657
e13e21dc 4658 if (chan->imtu < skb->len)
1da177e4
LT		 4659 goto drop;
4660
23070494 4661 if (!chan->ops->recv(chan->data, skb))
5b4cedaa 4662 return 0;
1da177e4
LT		 4663
4664drop:
4665 kfree_skb(skb);
4666
1da177e4
LT		 4667 return 0;
4668}
4669
d9b88702
AE		 4670static inline int l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
4671 struct sk_buff *skb)
9f69bda6 4672{
23691d75 4673 struct l2cap_chan *chan;
9f69bda6 4674
c2287681 4675 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 4676 if (!chan)
9f69bda6
GP		 4677 goto drop;
4678
5b4cedaa 4679 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 4680
89bc500e 4681 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 4682 goto drop;
4683
e13e21dc 4684 if (chan->imtu < skb->len)
9f69bda6
GP		 4685 goto drop;
4686
23070494 4687 if (!chan->ops->recv(chan->data, skb))
5b4cedaa 4688 return 0;
9f69bda6
GP		 4689
4690drop:
4691 kfree_skb(skb);
4692
9f69bda6
GP		 4693 return 0;
4694}
4695
1da177e4
LT		 4696static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4697{
4698 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4699 u16 cid, len;
4700 __le16 psm;
1da177e4
LT		 4701
4702 skb_pull(skb, L2CAP_HDR_SIZE);
4703 cid = __le16_to_cpu(lh->cid);
4704 len = __le16_to_cpu(lh->len);
4705
1c2acffb
GP		 4706 if (len != skb->len) {
4707 kfree_skb(skb);
4708 return;
4709 }
4710
1da177e4
LT		 4711 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4712
4713 switch (cid) {
3300d9a9 4714 case L2CAP_CID_LE_SIGNALING:
8db4dc46 4715 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4716 l2cap_sig_channel(conn, skb);
4717 break;
4718
8db4dc46 4719 case L2CAP_CID_CONN_LESS:
097db76c 4720 psm = get_unaligned((__le16 *) skb->data);
1da177e4
LT		 4721 skb_pull(skb, 2);
4722 l2cap_conless_channel(conn, psm, skb);
4723 break;
4724
9f69bda6
GP		 4725 case L2CAP_CID_LE_DATA:
4726 l2cap_att_channel(conn, cid, skb);
4727 break;
4728
b501d6a1
AB		 4729 case L2CAP_CID_SMP:
4730 if (smp_sig_channel(conn, skb))
4731 l2cap_conn_del(conn->hcon, EACCES);
4732 break;
4733
1da177e4
LT		 4734 default:
4735 l2cap_data_channel(conn, cid, skb);
4736 break;
4737 }
4738}
4739
4740/* ---- L2CAP interface with lower layer (HCI) ---- */
4741
686ebf28 4742int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 4743{
4744 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 4745 struct l2cap_chan *c;
1da177e4 4746
1da177e4
LT		 4747 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4748
4749 /* Find listening sockets and check their link_mode */
23691d75
GP		 4750 read_lock(&chan_list_lock);
4751 list_for_each_entry(c, &chan_list, global_l) {
4752 struct sock *sk = c->sk;
4343478f 4753
89bc500e 4754 if (c->state != BT_LISTEN)
1da177e4
LT		 4755 continue;
4756
4757 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4758 lm1 |= HCI_LM_ACCEPT;
43bd0f32 4759 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 4760 lm1 |= HCI_LM_MASTER;
1da177e4 4761 exact++;
2af6b9d5
MH		 4762 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4763 lm2 |= HCI_LM_ACCEPT;
43bd0f32 4764 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 4765 lm2 |= HCI_LM_MASTER;
4766 }
1da177e4 4767 }
23691d75 4768 read_unlock(&chan_list_lock);
1da177e4
LT		 4769
4770 return exact ? lm1 : lm2;
4771}
4772
686ebf28 4773int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 4774{
0139418c
MH		 4775 struct l2cap_conn *conn;
4776
1da177e4
LT		 4777 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4778
1da177e4 4779 if (!status) {
1da177e4
LT		 4780 conn = l2cap_conn_add(hcon, status);
4781 if (conn)
4782 l2cap_conn_ready(conn);
0139418c 4783 } else
e175072f 4784 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 4785
4786 return 0;
4787}
4788
686ebf28 4789int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 4790{
4791 struct l2cap_conn *conn = hcon->l2cap_data;
4792
4793 BT_DBG("hcon %p", hcon);
4794
686ebf28 4795 if (!conn)
9f5a0d7b 4796 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 4797 return conn->disc_reason;
4798}
4799
686ebf28 4800int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4801{
4802 BT_DBG("hcon %p reason %d", hcon, reason);
4803
e175072f 4804 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 4805 return 0;
4806}
4807
4343478f 4808static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4809{
715ec005 4810 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 4811 return;
4812
f62e4323 4813 if (encrypt == 0x00) {
4343478f 4814 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 4815 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 4816 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 4817 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4818 } else {
4343478f 4819 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 4820 __clear_chan_timer(chan);
f62e4323
MH		 4821 }
4822}
4823
686ebf28 4824int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4825{
0139418c 4826 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4827 struct l2cap_chan *chan;
1da177e4 4828
0139418c 4829 if (!conn)
1da177e4 4830 return 0;
0139418c 4831
1da177e4
LT		 4832 BT_DBG("conn %p", conn);
4833
160dc6ac 4834 if (hcon->type == LE_LINK) {
35d4adcc
HG		 4835 if (!status && encrypt)
4836 smp_distribute_keys(conn, 0);
17cd3f37 4837 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 4838 }
4839
3df91ea2 4840 mutex_lock(&conn->chan_lock);
1da177e4 4841
3df91ea2 4842 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 4843 l2cap_chan_lock(chan);
1da177e4 4844
f1cb9af5
VCG		 4845 BT_DBG("chan->scid %d", chan->scid);
4846
4847 if (chan->scid == L2CAP_CID_LE_DATA) {
4848 if (!status && encrypt) {
4849 chan->sec_level = hcon->sec_level;
cf4cd009 4850 l2cap_chan_ready(chan);
f1cb9af5
VCG		 4851 }
4852
6be36555 4853 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 4854 continue;
4855 }
4856
c1360a1c 4857 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6be36555 4858 l2cap_chan_unlock(chan);
6a8d3010
MH		 4859 continue;
4860 }
4861
89bc500e
GP		 4862 if (!status && (chan->state == BT_CONNECTED ||
4863 chan->state == BT_CONFIG)) {
4343478f 4864 l2cap_check_encryption(chan, encrypt);
6be36555 4865 l2cap_chan_unlock(chan);
9719f8af
MH		 4866 continue;
4867 }
4868
89bc500e 4869 if (chan->state == BT_CONNECT) {
b1235d79 4870 if (!status) {
9b27f350 4871 l2cap_send_conn_req(chan);
b1235d79 4872 } else {
ba13ccd9 4873 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 4874 }
89bc500e 4875 } else if (chan->state == BT_CONNECT2) {
6be36555 4876 struct sock *sk = chan->sk;
b1235d79 4877 struct l2cap_conn_rsp rsp;
df3c3931 4878 __u16 res, stat;
1da177e4 4879
6be36555
AE		 4880 lock_sock(sk);
4881
b1235d79 4882 if (!status) {
df3c3931
JH		 4883 if (bt_sk(sk)->defer_setup) {
4884 struct sock *parent = bt_sk(sk)->parent;
4885 res = L2CAP_CR_PEND;
4886 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 4887 if (parent)
4888 parent->sk_data_ready(parent, 0);
df3c3931 4889 } else {
0e587be7 4890 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 4891 res = L2CAP_CR_SUCCESS;
4892 stat = L2CAP_CS_NO_INFO;
4893 }
b1235d79 4894 } else {
0e587be7 4895 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 4896 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 4897 res = L2CAP_CR_SEC_BLOCK;
4898 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 4899 }
4900
6be36555
AE		 4901 release_sock(sk);
4902
fe4128e0
GP		 4903 rsp.scid = cpu_to_le16(chan->dcid);
4904 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 4905 rsp.result = cpu_to_le16(res);
4906 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 4907 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4908 sizeof(rsp), &rsp);
b1235d79 4909 }
1da177e4 4910
6be36555 4911 l2cap_chan_unlock(chan);
1da177e4
LT		 4912 }
4913
3df91ea2 4914 mutex_unlock(&conn->chan_lock);
b1235d79 4915
1da177e4
LT		 4916 return 0;
4917}
4918
686ebf28 4919int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 4920{
4921 struct l2cap_conn *conn = hcon->l2cap_data;
4922
5a08ecce
AE		 4923 if (!conn)
4924 conn = l2cap_conn_add(hcon, 0);
4925
4926 if (!conn)
1da177e4
LT		 4927 goto drop;
4928
4929 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4930
e702112f 4931 if (!(flags & ACL_CONT)) {
1da177e4 4932 struct l2cap_hdr *hdr;
48454079 4933 struct l2cap_chan *chan;
89794813 4934 u16 cid;
1da177e4
LT		 4935 int len;
4936
4937 if (conn->rx_len) {
4938 BT_ERR("Unexpected start frame (len %d)", skb->len);
4939 kfree_skb(conn->rx_skb);
4940 conn->rx_skb = NULL;
4941 conn->rx_len = 0;
4942 l2cap_conn_unreliable(conn, ECOMM);
4943 }
4944
aae7fe22
AE		 4945 /* Start fragment always begin with Basic L2CAP header */
4946 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 4947 BT_ERR("Frame is too short (len %d)", skb->len);
4948 l2cap_conn_unreliable(conn, ECOMM);
4949 goto drop;
4950 }
4951
4952 hdr = (struct l2cap_hdr *) skb->data;
4953 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
89794813 4954 cid = __le16_to_cpu(hdr->cid);
1da177e4
LT		 4955
4956 if (len == skb->len) {
4957 /* Complete frame received */
4958 l2cap_recv_frame(conn, skb);
4959 return 0;
4960 }
4961
4962 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4963
4964 if (skb->len > len) {
4965 BT_ERR("Frame is too long (len %d, expected len %d)",
4966 skb->len, len);
4967 l2cap_conn_unreliable(conn, ECOMM);
4968 goto drop;
4969 }
4970
baa7e1fa 4971 chan = l2cap_get_chan_by_scid(conn, cid);
89794813 4972
48454079
GP		 4973 if (chan && chan->sk) {
4974 struct sock *sk = chan->sk;
3df91ea2 4975 lock_sock(sk);
89794813 4976
0c1bc5c6 4977 if (chan->imtu < len - L2CAP_HDR_SIZE) {
48454079
GP		 4978 BT_ERR("Frame exceeding recv MTU (len %d, "
4979 "MTU %d)", len,
0c1bc5c6 4980 chan->imtu);
aa2ac881 4981 release_sock(sk);
48454079
GP		 4982 l2cap_conn_unreliable(conn, ECOMM);
4983 goto drop;
4984 }
aa2ac881 4985 release_sock(sk);
48454079 4986 }
89794813 4987
1da177e4 4988 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4989 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4990 if (!conn->rx_skb)
1da177e4
LT		 4991 goto drop;
4992
d626f62b 4993 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4994 skb->len);
1da177e4
LT		 4995 conn->rx_len = len - skb->len;
4996 } else {
4997 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4998
4999 if (!conn->rx_len) {
5000 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
5001 l2cap_conn_unreliable(conn, ECOMM);
5002 goto drop;
5003 }
5004
5005 if (skb->len > conn->rx_len) {
5006 BT_ERR("Fragment is too long (len %d, expected %d)",
5007 skb->len, conn->rx_len);
5008 kfree_skb(conn->rx_skb);
5009 conn->rx_skb = NULL;
5010 conn->rx_len = 0;
5011 l2cap_conn_unreliable(conn, ECOMM);
5012 goto drop;
5013 }
5014
d626f62b 5015 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5016 skb->len);
1da177e4
LT		 5017 conn->rx_len -= skb->len;
5018
5019 if (!conn->rx_len) {
5020 /* Complete frame received */
5021 l2cap_recv_frame(conn, conn->rx_skb);
5022 conn->rx_skb = NULL;
5023 }
5024 }
5025
5026drop:
5027 kfree_skb(skb);
5028 return 0;
5029}
5030
aef7d97c 5031static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 5032{
23691d75 5033 struct l2cap_chan *c;
1da177e4 5034
333055f2 5035 read_lock(&chan_list_lock);
1da177e4 5036
23691d75
GP		 5037 list_for_each_entry(c, &chan_list, global_l) {
5038 struct sock *sk = c->sk;
101545f6 5039
903d343e 5040 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 5041 batostr(&bt_sk(sk)->src),
5042 batostr(&bt_sk(sk)->dst),
89bc500e 5043 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 5044 c->scid, c->dcid, c->imtu, c->omtu,
5045 c->sec_level, c->mode);
61e1b4b7 5046 }
1da177e4 5047
333055f2 5048 read_unlock(&chan_list_lock);
1da177e4 5049
aef7d97c 5050 return 0;
1da177e4
LT		 5051}
5052
aef7d97c
MH		 5053static int l2cap_debugfs_open(struct inode *inode, struct file *file)
5054{
5055 return single_open(file, l2cap_debugfs_show, inode->i_private);
5056}
5057
5058static const struct file_operations l2cap_debugfs_fops = {
5059 .open = l2cap_debugfs_open,
5060 .read = seq_read,
5061 .llseek = seq_lseek,
5062 .release = single_release,
5063};
5064
5065static struct dentry *l2cap_debugfs;
1da177e4 5066
64274518 5067int __init l2cap_init(void)
1da177e4
LT		 5068{
5069 int err;
be9d1227 5070
bb58f747 5071 err = l2cap_init_sockets();
1da177e4
LT		 5072 if (err < 0)
5073 return err;
5074
aef7d97c
MH		 5075 if (bt_debugfs) {
5076 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
5077 bt_debugfs, NULL, &l2cap_debugfs_fops);
5078 if (!l2cap_debugfs)
5079 BT_ERR("Failed to create L2CAP debug file");
5080 }
1da177e4 5081
1da177e4 5082 return 0;
1da177e4
LT		 5083}
5084
64274518 5085void l2cap_exit(void)
1da177e4 5086{
aef7d97c 5087 debugfs_remove(l2cap_debugfs);
bb58f747 5088 l2cap_cleanup_sockets();
1da177e4
LT		 5089}
5090
d1c4a17d
GP		 5091module_param(disable_ertm, bool, 0644);
5092MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)