projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: ath3k: output firmware filename when request_firmware failed
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
1da177e4
LT		 6
7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License version 2 as
11 published by the Free Software Foundation;
12
13 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
14 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
16 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 17 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
18 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
19 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 20 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21
8e87d142
YH		 22 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
23 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 24 SOFTWARE IS DISCLAIMED.
25*/
26
bb58f747 27/* Bluetooth L2CAP core. */
1da177e4 28
1da177e4
LT		 29#include <linux/module.h>
30
31#include <linux/types.h>
4fc268d2 32#include <linux/capability.h>
1da177e4
LT		 33#include <linux/errno.h>
34#include <linux/kernel.h>
1da177e4
LT		 35#include <linux/sched.h>
36#include <linux/slab.h>
37#include <linux/poll.h>
38#include <linux/fcntl.h>
39#include <linux/init.h>
40#include <linux/interrupt.h>
41#include <linux/socket.h>
42#include <linux/skbuff.h>
1da177e4 43#include <linux/list.h>
be9d1227 44#include <linux/device.h>
aef7d97c
MH		 45#include <linux/debugfs.h>
46#include <linux/seq_file.h>
af05b30b 47#include <linux/uaccess.h>
fcc203c3 48#include <linux/crc16.h>
1da177e4
LT		 49#include <net/sock.h>
50
51#include <asm/system.h>
1da177e4
LT		 52#include <asm/unaligned.h>
53
54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h>
b501d6a1 57#include <net/bluetooth/smp.h>
1da177e4 58
bb58f747 59int disable_ertm;
a5fd6f30 60int enable_hs;
f0709e03 61
47ec1dcd 62static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
e1027a7c 63static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 64
b5ad8b7f
JB		 65static LIST_HEAD(chan_list);
66static DEFINE_RWLOCK(chan_list_lock);
1da177e4 67
1da177e4
LT		 68static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
69 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 70static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
71 void *data);
710f9b0a 72static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a
GP		 73static void l2cap_send_disconn_req(struct l2cap_conn *conn,
74 struct l2cap_chan *chan, int err);
1da177e4 75
218bb9df
GP		 76static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
77
0139418c 78/* ---- L2CAP channels ---- */
71ba0e56
GP		 79
80static inline void chan_hold(struct l2cap_chan *c)
81{
82 atomic_inc(&c->refcnt);
83}
84
85static inline void chan_put(struct l2cap_chan *c)
86{
87 if (atomic_dec_and_test(&c->refcnt))
88 kfree(c);
89}
90
baa7e1fa 91static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 92{
48454079 93 struct l2cap_chan *c;
baa7e1fa
GP		 94
95 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 96 if (c->dcid == cid)
baa7e1fa 97 return c;
0139418c 98 }
baa7e1fa
GP		 99 return NULL;
100
0139418c
MH		 101}
102
baa7e1fa 103static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 104{
48454079 105 struct l2cap_chan *c;
baa7e1fa
GP		 106
107 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 108 if (c->scid == cid)
baa7e1fa 109 return c;
0139418c 110 }
baa7e1fa 111 return NULL;
0139418c
MH		 112}
113
114/* Find channel with given SCID.
115 * Returns locked socket */
baa7e1fa 116static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 117{
48454079 118 struct l2cap_chan *c;
baa7e1fa
GP		 119
120 read_lock(&conn->chan_lock);
121 c = __l2cap_get_chan_by_scid(conn, cid);
48454079
GP		 122 if (c)
123 bh_lock_sock(c->sk);
baa7e1fa 124 read_unlock(&conn->chan_lock);
48454079 125 return c;
0139418c
MH		 126}
127
baa7e1fa 128static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 129{
48454079 130 struct l2cap_chan *c;
baa7e1fa
GP		 131
132 list_for_each_entry(c, &conn->chan_l, list) {
fc7f8a7e 133 if (c->ident == ident)
baa7e1fa 134 return c;
0139418c 135 }
baa7e1fa 136 return NULL;
0139418c
MH		 137}
138
baa7e1fa 139static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 140{
48454079 141 struct l2cap_chan *c;
baa7e1fa
GP		 142
143 read_lock(&conn->chan_lock);
144 c = __l2cap_get_chan_by_ident(conn, ident);
48454079
GP		 145 if (c)
146 bh_lock_sock(c->sk);
baa7e1fa 147 read_unlock(&conn->chan_lock);
48454079 148 return c;
0139418c
MH		 149}
150
23691d75 151static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 152{
23691d75 153 struct l2cap_chan *c;
9e4425ff 154
23691d75
GP		 155 list_for_each_entry(c, &chan_list, global_l) {
156 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
9e4425ff
GP		 157 goto found;
158 }
159
23691d75 160 c = NULL;
9e4425ff 161found:
23691d75 162 return c;
9e4425ff
GP		 163}
164
165int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
166{
73b2ec18
GP		 167 int err;
168
23691d75 169 write_lock_bh(&chan_list_lock);
9e4425ff 170
23691d75 171 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 172 err = -EADDRINUSE;
173 goto done;
9e4425ff
GP		 174 }
175
73b2ec18
GP		 176 if (psm) {
177 chan->psm = psm;
178 chan->sport = psm;
179 err = 0;
180 } else {
181 u16 p;
182
183 err = -EINVAL;
184 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 185 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 186 chan->psm = cpu_to_le16(p);
187 chan->sport = cpu_to_le16(p);
188 err = 0;
189 break;
190 }
191 }
9e4425ff 192
73b2ec18 193done:
23691d75 194 write_unlock_bh(&chan_list_lock);
73b2ec18 195 return err;
9e4425ff
GP		 196}
197
198int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
199{
23691d75 200 write_lock_bh(&chan_list_lock);
9e4425ff
GP		 201
202 chan->scid = scid;
203
23691d75 204 write_unlock_bh(&chan_list_lock);
9e4425ff
GP		 205
206 return 0;
207}
208
baa7e1fa 209static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 210{
8db4dc46 211 u16 cid = L2CAP_CID_DYN_START;
0139418c 212
8db4dc46 213 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 214 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 215 return cid;
216 }
217
218 return 0;
219}
220
c9b66675 221static void l2cap_set_timer(struct l2cap_chan *chan, struct timer_list *timer, long timeout)
ab07801d 222{
774e5651 223 BT_DBG("chan %p state %d timeout %ld", chan->sk, chan->state, timeout);
89bc500e 224
942ecc9c 225 if (!mod_timer(timer, jiffies + msecs_to_jiffies(timeout)))
774e5651 226 chan_hold(chan);
ab07801d
GP		 227}
228
c9b66675 229static void l2cap_clear_timer(struct l2cap_chan *chan, struct timer_list *timer)
ab07801d 230{
774e5651 231 BT_DBG("chan %p state %d", chan, chan->state);
ab07801d 232
774e5651
MM		 233 if (timer_pending(timer) && del_timer(timer))
234 chan_put(chan);
ab07801d
GP		 235}
236
89bc500e
GP		 237static void l2cap_state_change(struct l2cap_chan *chan, int state)
238{
239 chan->state = state;
240 chan->ops->state_change(chan->data, state);
241}
242
ab07801d
GP		 243static void l2cap_chan_timeout(unsigned long arg)
244{
245 struct l2cap_chan *chan = (struct l2cap_chan *) arg;
246 struct sock *sk = chan->sk;
247 int reason;
248
89bc500e 249 BT_DBG("chan %p state %d", chan, chan->state);
ab07801d
GP		 250
251 bh_lock_sock(sk);
252
253 if (sock_owned_by_user(sk)) {
254 /* sk is owned by user. Try again later */
c9b66675 255 __set_chan_timer(chan, HZ / 5);
ab07801d 256 bh_unlock_sock(sk);
71ba0e56 257 chan_put(chan);
ab07801d
GP		 258 return;
259 }
260
89bc500e 261 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 262 reason = ECONNREFUSED;
89bc500e 263 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 264 chan->sec_level != BT_SECURITY_SDP)
265 reason = ECONNREFUSED;
266 else
267 reason = ETIMEDOUT;
268
0f852724 269 l2cap_chan_close(chan, reason);
ab07801d
GP		 270
271 bh_unlock_sock(sk);
272
ba3bd0ee 273 chan->ops->close(chan->data);
71ba0e56 274 chan_put(chan);
ab07801d
GP		 275}
276
23691d75 277struct l2cap_chan *l2cap_chan_create(struct sock *sk)
48454079
GP		 278{
279 struct l2cap_chan *chan;
280
281 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
282 if (!chan)
283 return NULL;
284
285 chan->sk = sk;
286
23691d75
GP		 287 write_lock_bh(&chan_list_lock);
288 list_add(&chan->global_l, &chan_list);
289 write_unlock_bh(&chan_list_lock);
290
ab07801d
GP		 291 setup_timer(&chan->chan_timer, l2cap_chan_timeout, (unsigned long) chan);
292
89bc500e
GP		 293 chan->state = BT_OPEN;
294
71ba0e56
GP		 295 atomic_set(&chan->refcnt, 1);
296
48454079
GP		 297 return chan;
298}
299
23691d75 300void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 301{
23691d75
GP		 302 write_lock_bh(&chan_list_lock);
303 list_del(&chan->global_l);
304 write_unlock_bh(&chan_list_lock);
305
71ba0e56 306 chan_put(chan);
6ff5abbf
GP		 307}
308
48454079 309static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 310{
af05b30b 311 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
fe4128e0 312 chan->psm, chan->dcid);
0139418c 313
2950f21a
MH		 314 conn->disc_reason = 0x13;
315
8c1d787b 316 chan->conn = conn;
0139418c 317
715ec005 318 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
b62f328b
VT		 319 if (conn->hcon->type == LE_LINK) {
320 /* LE connection */
0c1bc5c6 321 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 322 chan->scid = L2CAP_CID_LE_DATA;
323 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 324 } else {
325 /* Alloc CID for connection-oriented socket */
fe4128e0 326 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 327 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 328 }
715ec005 329 } else if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
0139418c 330 /* Connectionless socket */
fe4128e0
GP		 331 chan->scid = L2CAP_CID_CONN_LESS;
332 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 333 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 334 } else {
335 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 336 chan->scid = L2CAP_CID_SIGNALING;
337 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 338 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 339 }
340
8f7975b1
AE		 341 chan->local_id = L2CAP_BESTEFFORT_ID;
342 chan->local_stype = L2CAP_SERV_BESTEFFORT;
343 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
344 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
345 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
346 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
347
71ba0e56 348 chan_hold(chan);
baa7e1fa
GP		 349
350 list_add(&chan->list, &conn->chan_l);
0139418c
MH		 351}
352
8e87d142 353/* Delete channel.
0139418c 354 * Must be called on the locked socket. */
4519de9a 355static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 356{
48454079 357 struct sock *sk = chan->sk;
8c1d787b 358 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 359 struct sock *parent = bt_sk(sk)->parent;
360
c9b66675 361 __clear_chan_timer(chan);
0139418c 362
49208c9c 363 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 364
8e87d142 365 if (conn) {
baa7e1fa
GP		 366 /* Delete from channel list */
367 write_lock_bh(&conn->chan_lock);
368 list_del(&chan->list);
369 write_unlock_bh(&conn->chan_lock);
71ba0e56 370 chan_put(chan);
baa7e1fa 371
8c1d787b 372 chan->conn = NULL;
0139418c
MH		 373 hci_conn_put(conn->hcon);
374 }
375
89bc500e 376 l2cap_state_change(chan, BT_CLOSED);
0139418c
MH		 377 sock_set_flag(sk, SOCK_ZAPPED);
378
379 if (err)
380 sk->sk_err = err;
381
382 if (parent) {
383 bt_accept_unlink(sk);
384 parent->sk_data_ready(parent, 0);
385 } else
386 sk->sk_state_change(sk);
c13ffa62 387
c1360a1c
GP		 388 if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
389 test_bit(CONF_INPUT_DONE, &chan->conf_state)))
6ff5abbf 390 return;
2ead70b8 391
58d35f87 392 skb_queue_purge(&chan->tx_q);
c13ffa62 393
0c1bc5c6 394 if (chan->mode == L2CAP_MODE_ERTM) {
c13ffa62
GP		 395 struct srej_list *l, *tmp;
396
1a09bcb9
GP		 397 __clear_retrans_timer(chan);
398 __clear_monitor_timer(chan);
399 __clear_ack_timer(chan);
c13ffa62 400
f1c6775b 401 skb_queue_purge(&chan->srej_q);
c13ffa62 402
39d5a3ee 403 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
c13ffa62
GP		 404 list_del(&l->list);
405 kfree(l);
406 }
407 }
0139418c
MH		 408}
409
4519de9a
GP		 410static void l2cap_chan_cleanup_listen(struct sock *parent)
411{
412 struct sock *sk;
413
414 BT_DBG("parent %p", parent);
415
416 /* Close not yet accepted channels */
0f852724 417 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee 418 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
c9b66675 419 __clear_chan_timer(chan);
0f852724 420 lock_sock(sk);
ba3bd0ee 421 l2cap_chan_close(chan, ECONNRESET);
0f852724 422 release_sock(sk);
ba3bd0ee 423 chan->ops->close(chan->data);
0f852724 424 }
4519de9a
GP		 425}
426
0f852724 427void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 428{
429 struct l2cap_conn *conn = chan->conn;
430 struct sock *sk = chan->sk;
431
89bc500e 432 BT_DBG("chan %p state %d socket %p", chan, chan->state, sk->sk_socket);
4519de9a 433
89bc500e 434 switch (chan->state) {
4519de9a
GP		 435 case BT_LISTEN:
436 l2cap_chan_cleanup_listen(sk);
89bc500e
GP		 437
438 l2cap_state_change(chan, BT_CLOSED);
439 sock_set_flag(sk, SOCK_ZAPPED);
4519de9a
GP		 440 break;
441
442 case BT_CONNECTED:
443 case BT_CONFIG:
715ec005 444 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 445 conn->hcon->type == ACL_LINK) {
c9b66675
GP		 446 __clear_chan_timer(chan);
447 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 448 l2cap_send_disconn_req(conn, chan, reason);
449 } else
450 l2cap_chan_del(chan, reason);
451 break;
452
453 case BT_CONNECT2:
715ec005 454 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 455 conn->hcon->type == ACL_LINK) {
456 struct l2cap_conn_rsp rsp;
457 __u16 result;
458
459 if (bt_sk(sk)->defer_setup)
460 result = L2CAP_CR_SEC_BLOCK;
461 else
462 result = L2CAP_CR_BAD_PSM;
89bc500e 463 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 464
465 rsp.scid = cpu_to_le16(chan->dcid);
466 rsp.dcid = cpu_to_le16(chan->scid);
467 rsp.result = cpu_to_le16(result);
468 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
469 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
470 sizeof(rsp), &rsp);
471 }
472
473 l2cap_chan_del(chan, reason);
474 break;
475
476 case BT_CONNECT:
477 case BT_DISCONN:
478 l2cap_chan_del(chan, reason);
479 break;
480
481 default:
482 sock_set_flag(sk, SOCK_ZAPPED);
483 break;
484 }
485}
486
4343478f 487static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 488{
715ec005 489 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 490 switch (chan->sec_level) {
8556edd3
JH		 491 case BT_SECURITY_HIGH:
492 return HCI_AT_DEDICATED_BONDING_MITM;
493 case BT_SECURITY_MEDIUM:
494 return HCI_AT_DEDICATED_BONDING;
495 default:
496 return HCI_AT_NO_BONDING;
497 }
fe4128e0 498 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 499 if (chan->sec_level == BT_SECURITY_LOW)
500 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 501
4343478f 502 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 503 return HCI_AT_NO_BONDING_MITM;
00ae4af9 504 else
8556edd3 505 return HCI_AT_NO_BONDING;
00ae4af9 506 } else {
4343478f 507 switch (chan->sec_level) {
00ae4af9 508 case BT_SECURITY_HIGH:
8556edd3 509 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 510 case BT_SECURITY_MEDIUM:
8556edd3 511 return HCI_AT_GENERAL_BONDING;
00ae4af9 512 default:
8556edd3 513 return HCI_AT_NO_BONDING;
00ae4af9 514 }
0684e5f9 515 }
8556edd3
JH		 516}
517
518/* Service level security */
4343478f 519static inline int l2cap_check_security(struct l2cap_chan *chan)
8556edd3 520{
8c1d787b 521 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 522 __u8 auth_type;
523
4343478f 524 auth_type = l2cap_get_auth_type(chan);
79d554a6 525
4343478f 526 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 527}
528
b5ad8b7f 529static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 530{
531 u8 id;
532
533 /* Get next available identificator.
534 * 1 - 128 are used by kernel.
535 * 129 - 199 are reserved.
536 * 200 - 254 are used by utilities like l2ping, etc.
537 */
538
539 spin_lock_bh(&conn->lock);
540
541 if (++conn->tx_ident > 128)
542 conn->tx_ident = 1;
543
544 id = conn->tx_ident;
545
546 spin_unlock_bh(&conn->lock);
547
548 return id;
549}
550
4519de9a 551static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 552{
553 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 554 u8 flags;
4e8402a3
MH		 555
556 BT_DBG("code 0x%2.2x", code);
557
558 if (!skb)
9a9c6a34 559 return;
4e8402a3 560
e702112f
AE		 561 if (lmp_no_flush_capable(conn->hcon->hdev))
562 flags = ACL_START_NO_FLUSH;
563 else
564 flags = ACL_START;
565
14b12d0b
JG		 566 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
567
e702112f 568 hci_send_acl(conn->hcon, skb, flags);
4e8402a3
MH		 569}
570
88843ab0 571static inline void l2cap_send_sframe(struct l2cap_chan *chan, u32 control)
1c2acffb
GP		 572{
573 struct sk_buff *skb;
574 struct l2cap_hdr *lh;
8c1d787b 575 struct l2cap_conn *conn = chan->conn;
e4ca6d98 576 int count, hlen;
e702112f 577 u8 flags;
fcc203c3 578
89bc500e 579 if (chan->state != BT_CONNECTED)
c13ffa62
GP		 580 return;
581
e4ca6d98
AE		 582 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
583 hlen = L2CAP_EXT_HDR_SIZE;
584 else
585 hlen = L2CAP_ENH_HDR_SIZE;
586
47d1ec61 587 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 588 hlen += L2CAP_FCS_SIZE;
1c2acffb 589
88843ab0 590 BT_DBG("chan %p, control 0x%8.8x", chan, control);
1c2acffb 591
fcc203c3 592 count = min_t(unsigned int, conn->mtu, hlen);
793c2f1c
AE		 593
594 control |= __set_sframe(chan);
1c2acffb 595
e2ab4353 596 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 597 control |= __set_ctrl_final(chan);
9e917af1 598
e2ab4353 599 if (test_and_clear_bit(CONN_SEND_PBIT, &chan->conn_state))
e3781735 600 control |= __set_ctrl_poll(chan);
f0946ccf 601
1c2acffb
GP		 602 skb = bt_skb_alloc(count, GFP_ATOMIC);
603 if (!skb)
9a9c6a34 604 return;
1c2acffb
GP		 605
606 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 607 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
fe4128e0 608 lh->cid = cpu_to_le16(chan->dcid);
88843ab0
AE		 609
610 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
1c2acffb 611
47d1ec61 612 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 613 u16 fcs = crc16(0, (u8 *)lh, count - L2CAP_FCS_SIZE);
614 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 615 }
616
e702112f
AE		 617 if (lmp_no_flush_capable(conn->hcon->hdev))
618 flags = ACL_START_NO_FLUSH;
619 else
620 flags = ACL_START;
621
15770b1a 622 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
14b12d0b 623
8c1d787b 624 hci_send_acl(chan->conn->hcon, skb, flags);
1c2acffb
GP		 625}
626
88843ab0 627static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u32 control)
7e743090 628{
e2ab4353 629 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 630 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 631 set_bit(CONN_RNR_SENT, &chan->conn_state);
1890d36b 632 } else
ab784b73 633 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
7e743090 634
0b209fae 635 control |= __set_reqseq(chan, chan->buffer_seq);
2ab25cdd 636
525cd185 637 l2cap_send_sframe(chan, control);
7e743090
GP		 638}
639
b4450035 640static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 641{
c1360a1c 642 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 643}
644
fc7f8a7e 645static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 646{
8c1d787b 647 struct l2cap_conn *conn = chan->conn;
79d554a6
MH		 648
649 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 650 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
651 return;
652
4343478f
GP		 653 if (l2cap_check_security(chan) &&
654 __l2cap_no_conn_pending(chan)) {
b1235d79 655 struct l2cap_conn_req req;
fe4128e0
GP		 656 req.scid = cpu_to_le16(chan->scid);
657 req.psm = chan->psm;
79d554a6 658
fc7f8a7e 659 chan->ident = l2cap_get_ident(conn);
c1360a1c 660 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
79d554a6 661
fc7f8a7e
GP		 662 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
663 sizeof(req), &req);
b1235d79 664 }
79d554a6
MH		 665 } else {
666 struct l2cap_info_req req;
667 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
668
669 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
670 conn->info_ident = l2cap_get_ident(conn);
671
672 mod_timer(&conn->info_timer, jiffies +
673 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
674
675 l2cap_send_cmd(conn, conn->info_ident,
676 L2CAP_INFO_REQ, sizeof(req), &req);
677 }
678}
679
cf6c2c0b
GP		 680static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
681{
682 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 683 if (!disable_ertm)
cf6c2c0b
GP		 684 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
685
686 switch (mode) {
687 case L2CAP_MODE_ERTM:
688 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
689 case L2CAP_MODE_STREAMING:
690 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
691 default:
692 return 0x00;
693 }
694}
695
4519de9a 696static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 697{
e92c8e70 698 struct sock *sk;
22121fc9
GP		 699 struct l2cap_disconn_req req;
700
c13ffa62
GP		 701 if (!conn)
702 return;
703
e92c8e70
GP		 704 sk = chan->sk;
705
0c1bc5c6 706 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 707 __clear_retrans_timer(chan);
708 __clear_monitor_timer(chan);
709 __clear_ack_timer(chan);
c13ffa62
GP		 710 }
711
fe4128e0
GP		 712 req.dcid = cpu_to_le16(chan->dcid);
713 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 714 l2cap_send_cmd(conn, l2cap_get_ident(conn),
715 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 716
89bc500e 717 l2cap_state_change(chan, BT_DISCONN);
9b108fc0 718 sk->sk_err = err;
22121fc9
GP		 719}
720
1da177e4 721/* ---- L2CAP connections ---- */
4e8402a3
MH		 722static void l2cap_conn_start(struct l2cap_conn *conn)
723{
820ffdb3 724 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 725
726 BT_DBG("conn %p", conn);
727
baa7e1fa 728 read_lock(&conn->chan_lock);
4e8402a3 729
820ffdb3 730 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 731 struct sock *sk = chan->sk;
baa7e1fa 732
4e8402a3
MH		 733 bh_lock_sock(sk);
734
715ec005 735 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
79d554a6
MH		 736 bh_unlock_sock(sk);
737 continue;
738 }
739
89bc500e 740 if (chan->state == BT_CONNECT) {
47731de7 741 struct l2cap_conn_req req;
79d554a6 742
4343478f 743 if (!l2cap_check_security(chan) ||
b4450035 744 !__l2cap_no_conn_pending(chan)) {
47731de7
GP		 745 bh_unlock_sock(sk);
746 continue;
747 }
79d554a6 748
c1360a1c
GP		 749 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
750 && test_bit(CONF_STATE2_DEVICE,
751 &chan->conf_state)) {
0f852724 752 /* l2cap_chan_close() calls list_del(chan)
820ffdb3 753 * so release the lock */
2461daac 754 read_unlock(&conn->chan_lock);
89bc500e 755 l2cap_chan_close(chan, ECONNRESET);
2461daac 756 read_lock(&conn->chan_lock);
47731de7
GP		 757 bh_unlock_sock(sk);
758 continue;
b1235d79 759 }
47731de7 760
fe4128e0
GP		 761 req.scid = cpu_to_le16(chan->scid);
762 req.psm = chan->psm;
47731de7 763
fc7f8a7e 764 chan->ident = l2cap_get_ident(conn);
c1360a1c 765 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
47731de7 766
fc7f8a7e
GP		 767 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
768 sizeof(req), &req);
47731de7 769
89bc500e 770 } else if (chan->state == BT_CONNECT2) {
79d554a6 771 struct l2cap_conn_rsp rsp;
e9aeb2dd 772 char buf[128];
fe4128e0
GP		 773 rsp.scid = cpu_to_le16(chan->dcid);
774 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 775
4343478f 776 if (l2cap_check_security(chan)) {
f66dc81f
MH		 777 if (bt_sk(sk)->defer_setup) {
778 struct sock *parent = bt_sk(sk)->parent;
779 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
780 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 781 if (parent)
782 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 783
784 } else {
89bc500e 785 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 786 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
787 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
788 }
79d554a6
MH		 789 } else {
790 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
791 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
792 }
793
fc7f8a7e
GP		 794 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
795 sizeof(rsp), &rsp);
e9aeb2dd 796
c1360a1c 797 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd
GP		 798 rsp.result != L2CAP_CR_SUCCESS) {
799 bh_unlock_sock(sk);
800 continue;
801 }
802
c1360a1c 803 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 804 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 805 l2cap_build_conf_req(chan, buf), buf);
806 chan->num_conf_req++;
4e8402a3
MH		 807 }
808
809 bh_unlock_sock(sk);
810 }
811
baa7e1fa 812 read_unlock(&conn->chan_lock);
4e8402a3
MH		 813}
814
b62f328b
VT		 815/* Find socket with cid and source bdaddr.
816 * Returns closest match, locked.
817 */
23691d75 818static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
b62f328b 819{
23691d75 820 struct l2cap_chan *c, *c1 = NULL;
b62f328b 821
23691d75 822 read_lock(&chan_list_lock);
b62f328b 823
23691d75
GP		 824 list_for_each_entry(c, &chan_list, global_l) {
825 struct sock *sk = c->sk;
fe4128e0 826
89bc500e 827 if (state && c->state != state)
b62f328b
VT		 828 continue;
829
23691d75 830 if (c->scid == cid) {
b62f328b 831 /* Exact match. */
23691d75
GP		 832 if (!bacmp(&bt_sk(sk)->src, src)) {
833 read_unlock(&chan_list_lock);
834 return c;
835 }
b62f328b
VT		 836
837 /* Closest match */
838 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 839 c1 = c;
b62f328b
VT		 840 }
841 }
280f294f 842
23691d75 843 read_unlock(&chan_list_lock);
b62f328b 844
23691d75 845 return c1;
b62f328b
VT		 846}
847
848static void l2cap_le_conn_ready(struct l2cap_conn *conn)
849{
c916fbe4 850 struct sock *parent, *sk;
23691d75 851 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 852
853 BT_DBG("");
854
855 /* Check if we have socket listening on cid */
23691d75 856 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
b62f328b 857 conn->src);
23691d75 858 if (!pchan)
b62f328b
VT		 859 return;
860
23691d75
GP		 861 parent = pchan->sk;
862
62f3a2cf
GP		 863 bh_lock_sock(parent);
864
b62f328b
VT		 865 /* Check for backlog size */
866 if (sk_acceptq_is_full(parent)) {
867 BT_DBG("backlog full %d", parent->sk_ack_backlog);
868 goto clean;
869 }
870
80808e43
GP		 871 chan = pchan->ops->new_connection(pchan->data);
872 if (!chan)
b62f328b
VT		 873 goto clean;
874
80808e43 875 sk = chan->sk;
5d41ce1d 876
baa7e1fa 877 write_lock_bh(&conn->chan_lock);
b62f328b
VT		 878
879 hci_conn_hold(conn->hcon);
880
b62f328b
VT		 881 bacpy(&bt_sk(sk)->src, conn->src);
882 bacpy(&bt_sk(sk)->dst, conn->dst);
883
d1010240
GP		 884 bt_accept_enqueue(parent, sk);
885
48454079
GP		 886 __l2cap_chan_add(conn, chan);
887
c9b66675 888 __set_chan_timer(chan, sk->sk_sndtimeo);
b62f328b 889
89bc500e 890 l2cap_state_change(chan, BT_CONNECTED);
b62f328b
VT		 891 parent->sk_data_ready(parent, 0);
892
baa7e1fa 893 write_unlock_bh(&conn->chan_lock);
b62f328b
VT		 894
895clean:
896 bh_unlock_sock(parent);
897}
898
f1cb9af5
VCG		 899static void l2cap_chan_ready(struct sock *sk)
900{
901 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
902 struct sock *parent = bt_sk(sk)->parent;
903
904 BT_DBG("sk %p, parent %p", sk, parent);
905
906 chan->conf_state = 0;
907 __clear_chan_timer(chan);
908
43f3dc41 909 l2cap_state_change(chan, BT_CONNECTED);
f1cb9af5
VCG		 910 sk->sk_state_change(sk);
911
912 if (parent)
913 parent->sk_data_ready(parent, 0);
914}
915
4e8402a3
MH		 916static void l2cap_conn_ready(struct l2cap_conn *conn)
917{
48454079 918 struct l2cap_chan *chan;
4e8402a3 919
79d554a6 920 BT_DBG("conn %p", conn);
4e8402a3 921
b62f328b
VT		 922 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
923 l2cap_le_conn_ready(conn);
924
160dc6ac
VCG		 925 if (conn->hcon->out && conn->hcon->type == LE_LINK)
926 smp_conn_security(conn, conn->hcon->pending_sec_level);
927
baa7e1fa 928 read_lock(&conn->chan_lock);
4e8402a3 929
baa7e1fa 930 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 931 struct sock *sk = chan->sk;
baa7e1fa 932
79d554a6 933 bh_lock_sock(sk);
4e8402a3 934
63128451 935 if (conn->hcon->type == LE_LINK) {
b501d6a1 936 if (smp_conn_security(conn, chan->sec_level))
f1cb9af5 937 l2cap_chan_ready(sk);
acd7d370 938
63128451 939 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 940 __clear_chan_timer(chan);
89bc500e 941 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 942 sk->sk_state_change(sk);
b501d6a1 943
89bc500e 944 } else if (chan->state == BT_CONNECT)
fc7f8a7e 945 l2cap_do_start(chan);
4e8402a3 946
79d554a6 947 bh_unlock_sock(sk);
4e8402a3 948 }
79d554a6 949
baa7e1fa 950 read_unlock(&conn->chan_lock);
4e8402a3
MH		 951}
952
953/* Notify sockets that we cannot guaranty reliability anymore */
954static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
955{
48454079 956 struct l2cap_chan *chan;
4e8402a3
MH		 957
958 BT_DBG("conn %p", conn);
959
baa7e1fa 960 read_lock(&conn->chan_lock);
4e8402a3 961
baa7e1fa 962 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 963 struct sock *sk = chan->sk;
baa7e1fa 964
ecf61bdb 965 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
4e8402a3
MH		 966 sk->sk_err = err;
967 }
968
baa7e1fa 969 read_unlock(&conn->chan_lock);
4e8402a3
MH		 970}
971
972static void l2cap_info_timeout(unsigned long arg)
973{
974 struct l2cap_conn *conn = (void *) arg;
975
984947dc 976 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 977 conn->info_ident = 0;
984947dc 978
4e8402a3
MH		 979 l2cap_conn_start(conn);
980}
981
5d3de7df
VCG		 982static void l2cap_conn_del(struct hci_conn *hcon, int err)
983{
984 struct l2cap_conn *conn = hcon->l2cap_data;
985 struct l2cap_chan *chan, *l;
986 struct sock *sk;
987
988 if (!conn)
989 return;
990
991 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
992
993 kfree_skb(conn->rx_skb);
994
995 /* Kill channels */
996 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
997 sk = chan->sk;
998 bh_lock_sock(sk);
999 l2cap_chan_del(chan, err);
1000 bh_unlock_sock(sk);
1001 chan->ops->close(chan->data);
1002 }
1003
1004 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1005 del_timer_sync(&conn->info_timer);
1006
d26a2345 1007 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->pend)) {
5d3de7df 1008 del_timer(&conn->security_timer);
8aab4757 1009 smp_chan_destroy(conn);
d26a2345 1010 }
5d3de7df
VCG		 1011
1012 hcon->l2cap_data = NULL;
1013 kfree(conn);
1014}
1015
1016static void security_timeout(unsigned long arg)
1017{
1018 struct l2cap_conn *conn = (void *) arg;
1019
1020 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1021}
1022
1da177e4
LT		 1023static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1024{
0139418c 1025 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 1026
0139418c 1027 if (conn || status)
1da177e4
LT		 1028 return conn;
1029
0139418c
MH		 1030 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
1031 if (!conn)
1da177e4 1032 return NULL;
1da177e4
LT		 1033
1034 hcon->l2cap_data = conn;
1035 conn->hcon = hcon;
1036
0139418c
MH		 1037 BT_DBG("hcon %p conn %p", hcon, conn);
1038
acd7d370
VT		 1039 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1040 conn->mtu = hcon->hdev->le_mtu;
1041 else
1042 conn->mtu = hcon->hdev->acl_mtu;
1043
1da177e4
LT		 1044 conn->src = &hcon->hdev->bdaddr;
1045 conn->dst = &hcon->dst;
1046
4e8402a3
MH		 1047 conn->feat_mask = 0;
1048
1da177e4 1049 spin_lock_init(&conn->lock);
baa7e1fa
GP		 1050 rwlock_init(&conn->chan_lock);
1051
1052 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1053
5d3de7df
VCG		 1054 if (hcon->type == LE_LINK)
1055 setup_timer(&conn->security_timer, security_timeout,
1056 (unsigned long) conn);
1057 else
b62f328b 1058 setup_timer(&conn->info_timer, l2cap_info_timeout,
45054dc1
DY		 1059 (unsigned long) conn);
1060
2950f21a
MH		 1061 conn->disc_reason = 0x13;
1062
1da177e4
LT		 1063 return conn;
1064}
1065
48454079 1066static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
1da177e4 1067{
baa7e1fa 1068 write_lock_bh(&conn->chan_lock);
48454079 1069 __l2cap_chan_add(conn, chan);
baa7e1fa 1070 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 1071}
1072
1da177e4 1073/* ---- Socket interface ---- */
1da177e4
LT		 1074
1075/* Find socket with psm and source bdaddr.
1076 * Returns closest match.
1077 */
23691d75 1078static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4 1079{
23691d75 1080 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1081
23691d75 1082 read_lock(&chan_list_lock);
e0f0cb56 1083
23691d75
GP		 1084 list_for_each_entry(c, &chan_list, global_l) {
1085 struct sock *sk = c->sk;
fe4128e0 1086
89bc500e 1087 if (state && c->state != state)
1da177e4
LT		 1088 continue;
1089
23691d75 1090 if (c->psm == psm) {
1da177e4 1091 /* Exact match. */
23691d75 1092 if (!bacmp(&bt_sk(sk)->src, src)) {
a7567b20 1093 read_unlock(&chan_list_lock);
23691d75
GP		 1094 return c;
1095 }
1da177e4
LT		 1096
1097 /* Closest match */
1098 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 1099 c1 = c;
1da177e4
LT		 1100 }
1101 }
1da177e4 1102
23691d75 1103 read_unlock(&chan_list_lock);
e0f0cb56 1104
23691d75 1105 return c1;
1da177e4
LT		 1106}
1107
77a74c7e 1108int l2cap_chan_connect(struct l2cap_chan *chan)
1da177e4 1109{
5d41ce1d 1110 struct sock *sk = chan->sk;
1da177e4
LT		 1111 bdaddr_t *src = &bt_sk(sk)->src;
1112 bdaddr_t *dst = &bt_sk(sk)->dst;
1113 struct l2cap_conn *conn;
1114 struct hci_conn *hcon;
1115 struct hci_dev *hdev;
09ab6f4c 1116 __u8 auth_type;
44d0e48e 1117 int err;
1da177e4 1118
f29972de 1119 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
fe4128e0 1120 chan->psm);
1da177e4 1121
af05b30b
GP		 1122 hdev = hci_get_route(dst, src);
1123 if (!hdev)
1da177e4
LT		 1124 return -EHOSTUNREACH;
1125
1126 hci_dev_lock_bh(hdev);
1127
4343478f 1128 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1129
fe4128e0 1130 if (chan->dcid == L2CAP_CID_LE_DATA)
acd7d370 1131 hcon = hci_connect(hdev, LE_LINK, dst,
4343478f 1132 chan->sec_level, auth_type);
acd7d370
VT		 1133 else
1134 hcon = hci_connect(hdev, ACL_LINK, dst,
4343478f 1135 chan->sec_level, auth_type);
acd7d370 1136
30e76272
VT		 1137 if (IS_ERR(hcon)) {
1138 err = PTR_ERR(hcon);
1da177e4 1139 goto done;
30e76272 1140 }
1da177e4
LT		 1141
1142 conn = l2cap_conn_add(hcon, 0);
1143 if (!conn) {
1144 hci_conn_put(hcon);
30e76272 1145 err = -ENOMEM;
1da177e4
LT		 1146 goto done;
1147 }
1148
1da177e4
LT		 1149 /* Update source addr of the socket */
1150 bacpy(src, conn->src);
1151
48454079
GP		 1152 l2cap_chan_add(conn, chan);
1153
89bc500e 1154 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1155 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1156
1157 if (hcon->state == BT_CONNECTED) {
715ec005 1158 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1159 __clear_chan_timer(chan);
4343478f 1160 if (l2cap_check_security(chan))
89bc500e 1161 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1162 } else
fc7f8a7e 1163 l2cap_do_start(chan);
1da177e4
LT		 1164 }
1165
30e76272
VT		 1166 err = 0;
1167
1da177e4
LT		 1168done:
1169 hci_dev_unlock_bh(hdev);
1170 hci_dev_put(hdev);
1171 return err;
1172}
1173
dcba0dba 1174int __l2cap_wait_ack(struct sock *sk)
6161c038 1175{
8c1d787b 1176 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1177 DECLARE_WAITQUEUE(wait, current);
1178 int err = 0;
1179 int timeo = HZ/5;
1180
2b0b05dd 1181 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1182 set_current_state(TASK_INTERRUPTIBLE);
1183 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1184 if (!timeo)
1185 timeo = HZ/5;
1186
1187 if (signal_pending(current)) {
1188 err = sock_intr_errno(timeo);
1189 break;
1190 }
1191
1192 release_sock(sk);
1193 timeo = schedule_timeout(timeo);
1194 lock_sock(sk);
a71a0cf4 1195 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1196
1197 err = sock_error(sk);
1198 if (err)
1199 break;
1200 }
1201 set_current_state(TASK_RUNNING);
2b0b05dd 1202 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1203 return err;
1204}
1205
e90bac06
GP		 1206static void l2cap_monitor_timeout(unsigned long arg)
1207{
525cd185
GP		 1208 struct l2cap_chan *chan = (void *) arg;
1209 struct sock *sk = chan->sk;
e90bac06 1210
525cd185 1211 BT_DBG("chan %p", chan);
0e98958d 1212
e686219a 1213 bh_lock_sock(sk);
2c03a7a4 1214 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1215 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
b13f5860 1216 bh_unlock_sock(sk);
e90bac06
GP		 1217 return;
1218 }
1219
6a026610 1220 chan->retry_count++;
1a09bcb9 1221 __set_monitor_timer(chan);
e90bac06 1222
525cd185 1223 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1224 bh_unlock_sock(sk);
e90bac06
GP		 1225}
1226
1227static void l2cap_retrans_timeout(unsigned long arg)
1228{
525cd185
GP		 1229 struct l2cap_chan *chan = (void *) arg;
1230 struct sock *sk = chan->sk;
e90bac06 1231
49208c9c 1232 BT_DBG("chan %p", chan);
0e98958d 1233
e686219a 1234 bh_lock_sock(sk);
6a026610 1235 chan->retry_count = 1;
1a09bcb9 1236 __set_monitor_timer(chan);
e90bac06 1237
e2ab4353 1238 set_bit(CONN_WAIT_F, &chan->conn_state);
e90bac06 1239
525cd185 1240 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1241 bh_unlock_sock(sk);
e90bac06
GP		 1242}
1243
42e5c802 1244static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1da177e4 1245{
1c2acffb 1246 struct sk_buff *skb;
1da177e4 1247
58d35f87 1248 while ((skb = skb_peek(&chan->tx_q)) &&
6a026610 1249 chan->unacked_frames) {
42e5c802 1250 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1c2acffb 1251 break;
1da177e4 1252
58d35f87 1253 skb = skb_dequeue(&chan->tx_q);
1c2acffb 1254 kfree_skb(skb);
1da177e4 1255
6a026610 1256 chan->unacked_frames--;
1c2acffb 1257 }
1da177e4 1258
6a026610 1259 if (!chan->unacked_frames)
1a09bcb9 1260 __clear_retrans_timer(chan);
1c2acffb 1261}
1da177e4 1262
67c9e840 1263static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
1c2acffb 1264{
8c1d787b 1265 struct hci_conn *hcon = chan->conn->hcon;
e702112f 1266 u16 flags;
1c2acffb 1267
4343478f 1268 BT_DBG("chan %p, skb %p len %d", chan, skb, skb->len);
1da177e4 1269
d57b0e8b
AE		 1270 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
1271 lmp_no_flush_capable(hcon->hdev))
e702112f
AE		 1272 flags = ACL_START_NO_FLUSH;
1273 else
1274 flags = ACL_START;
1275
15770b1a 1276 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
e702112f 1277 hci_send_acl(hcon, skb, flags);
1c2acffb
GP		 1278}
1279
67c9e840 1280static void l2cap_streaming_send(struct l2cap_chan *chan)
6840ed07 1281{
ccbb84af 1282 struct sk_buff *skb;
88843ab0
AE		 1283 u32 control;
1284 u16 fcs;
6840ed07 1285
58d35f87 1286 while ((skb = skb_dequeue(&chan->tx_q))) {
88843ab0 1287 control = __get_control(chan, skb->data + L2CAP_HDR_SIZE);
fb45de7d 1288 control |= __set_txseq(chan, chan->next_tx_seq);
88843ab0 1289 __put_control(chan, control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1290
47d1ec61 1291 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1292 fcs = crc16(0, (u8 *)skb->data,
1293 skb->len - L2CAP_FCS_SIZE);
1294 put_unaligned_le16(fcs,
1295 skb->data + skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 1296 }
1297
4343478f 1298 l2cap_do_send(chan, skb);
6840ed07 1299
836be934 1300 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
6840ed07 1301 }
6840ed07
GP		 1302}
1303
fb45de7d 1304static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 1305{
8f17154f 1306 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1307 u16 fcs;
1308 u32 control;
8f17154f 1309
58d35f87 1310 skb = skb_peek(&chan->tx_q);
f11d676d
GP		 1311 if (!skb)
1312 return;
8f17154f 1313
f11d676d
GP		 1314 do {
1315 if (bt_cb(skb)->tx_seq == tx_seq)
8f17154f 1316 break;
8f17154f 1317
58d35f87 1318 if (skb_queue_is_last(&chan->tx_q, skb))
f11d676d 1319 return;
8f17154f 1320
58d35f87 1321 } while ((skb = skb_queue_next(&chan->tx_q, skb)));
8f17154f 1322
2c03a7a4
GP		 1323 if (chan->remote_max_tx &&
1324 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1325 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
f11d676d
GP		 1326 return;
1327 }
1328
1329 tx_skb = skb_clone(skb, GFP_ATOMIC);
1330 bt_cb(skb)->retries++;
88843ab0
AE		 1331
1332 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1333 control &= __get_sar_mask(chan);
3cb123d1 1334
e2ab4353 1335 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1336 control |= __set_ctrl_final(chan);
95ffa978 1337
0b209fae 1338 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1339 control |= __set_txseq(chan, tx_seq);
3cb123d1 1340
88843ab0 1341 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
f11d676d 1342
47d1ec61 1343 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1344 fcs = crc16(0, (u8 *)tx_skb->data,
1345 tx_skb->len - L2CAP_FCS_SIZE);
1346 put_unaligned_le16(fcs,
1347 tx_skb->data + tx_skb->len - L2CAP_FCS_SIZE);
f11d676d
GP		 1348 }
1349
4343478f 1350 l2cap_do_send(chan, tx_skb);
8f17154f
GP		 1351}
1352
67c9e840 1353static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1354{
1355 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1356 u16 fcs;
1357 u32 control;
9a9c6a34 1358 int nsent = 0;
1c2acffb 1359
89bc500e 1360 if (chan->state != BT_CONNECTED)
c13ffa62 1361 return -ENOTCONN;
e90bac06 1362
58d35f87 1363 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1c2acffb 1364
2c03a7a4
GP		 1365 if (chan->remote_max_tx &&
1366 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1367 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
e90bac06
GP		 1368 break;
1369 }
1370
e420aba3
AE		 1371 tx_skb = skb_clone(skb, GFP_ATOMIC);
1372
e90bac06
GP		 1373 bt_cb(skb)->retries++;
1374
88843ab0 1375 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1376 control &= __get_sar_mask(chan);
95ffa978 1377
e2ab4353 1378 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1379 control |= __set_ctrl_final(chan);
e2ab4353 1380
0b209fae 1381 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1382 control |= __set_txseq(chan, chan->next_tx_seq);
1c2acffb 1383
88843ab0 1384 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
e90bac06 1385
47d1ec61 1386 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1387 fcs = crc16(0, (u8 *)skb->data,
1388 tx_skb->len - L2CAP_FCS_SIZE);
1389 put_unaligned_le16(fcs, skb->data +
1390 tx_skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 1391 }
1392
4343478f 1393 l2cap_do_send(chan, tx_skb);
9a9c6a34 1394
1a09bcb9 1395 __set_retrans_timer(chan);
1c2acffb 1396
42e5c802 1397 bt_cb(skb)->tx_seq = chan->next_tx_seq;
836be934
AE		 1398
1399 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1c2acffb 1400
23e9fde2 1401 if (bt_cb(skb)->retries == 1)
6a026610 1402 chan->unacked_frames++;
23e9fde2 1403
6a026610 1404 chan->frames_sent++;
1c2acffb 1405
58d35f87
GP		 1406 if (skb_queue_is_last(&chan->tx_q, skb))
1407 chan->tx_send_head = NULL;
1c2acffb 1408 else
58d35f87 1409 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
9e917af1
GP		 1410
1411 nsent++;
1c2acffb
GP		 1412 }
1413
9e917af1
GP		 1414 return nsent;
1415}
1416
525cd185 1417static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1418{
dfc909be
GP		 1419 int ret;
1420
58d35f87
GP		 1421 if (!skb_queue_empty(&chan->tx_q))
1422 chan->tx_send_head = chan->tx_q.next;
dfc909be 1423
42e5c802 1424 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1425 ret = l2cap_ertm_send(chan);
dfc909be
GP		 1426 return ret;
1427}
1428
525cd185 1429static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1430{
88843ab0 1431 u32 control = 0;
9e917af1 1432
0b209fae 1433 control |= __set_reqseq(chan, chan->buffer_seq);
9e917af1 1434
e2ab4353 1435 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 1436 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 1437 set_bit(CONN_RNR_SENT, &chan->conn_state);
525cd185 1438 l2cap_send_sframe(chan, control);
9a9c6a34 1439 return;
9e917af1 1440 }
dfc909be 1441
525cd185 1442 if (l2cap_ertm_send(chan) > 0)
dfc909be
GP		 1443 return;
1444
ab784b73 1445 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 1446 l2cap_send_sframe(chan, control);
1c2acffb
GP		 1447}
1448
525cd185 1449static void l2cap_send_srejtail(struct l2cap_chan *chan)
99b0d4b7
GP		 1450{
1451 struct srej_list *tail;
88843ab0 1452 u32 control;
99b0d4b7 1453
ab784b73 1454 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
03f6715d 1455 control |= __set_ctrl_final(chan);
99b0d4b7 1456
39d5a3ee 1457 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
0b209fae 1458 control |= __set_reqseq(chan, tail->tx_seq);
99b0d4b7 1459
525cd185 1460 l2cap_send_sframe(chan, control);
99b0d4b7
GP		 1461}
1462
1c2acffb
GP		 1463static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1464{
8c1d787b 1465 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1c2acffb
GP		 1466 struct sk_buff **frag;
1467 int err, sent = 0;
1da177e4 1468
59203a21 1469 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1470 return -EFAULT;
1da177e4
LT		 1471
1472 sent += count;
1473 len -= count;
1474
1475 /* Continuation fragments (no L2CAP header) */
1476 frag = &skb_shinfo(skb)->frag_list;
1477 while (len) {
1478 count = min_t(unsigned int, conn->mtu, len);
1479
1480 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1481 if (!*frag)
0175d629 1482 return err;
1c2acffb
GP		 1483 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1484 return -EFAULT;
1da177e4
LT		 1485
1486 sent += count;
1487 len -= count;
1488
1489 frag = &(*frag)->next;
1490 }
1da177e4
LT		 1491
1492 return sent;
1c2acffb 1493}
1da177e4 1494
67c9e840 1495static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1c2acffb 1496{
fe4128e0 1497 struct sock *sk = chan->sk;
8c1d787b 1498 struct l2cap_conn *conn = chan->conn;
1c2acffb 1499 struct sk_buff *skb;
03a51213 1500 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 1501 struct l2cap_hdr *lh;
1502
1503 BT_DBG("sk %p len %d", sk, (int)len);
1504
1505 count = min_t(unsigned int, (conn->mtu - hlen), len);
1506 skb = bt_skb_send_alloc(sk, count + hlen,
1507 msg->msg_flags & MSG_DONTWAIT, &err);
1508 if (!skb)
0175d629 1509 return ERR_PTR(err);
1c2acffb
GP		 1510
1511 /* Create L2CAP header */
1512 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1513 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1514 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
fe4128e0 1515 put_unaligned_le16(chan->psm, skb_put(skb, 2));
1c2acffb
GP		 1516
1517 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1518 if (unlikely(err < 0)) {
1519 kfree_skb(skb);
1520 return ERR_PTR(err);
1521 }
1522 return skb;
1523}
1524
67c9e840 1525static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1c2acffb 1526{
fe4128e0 1527 struct sock *sk = chan->sk;
8c1d787b 1528 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1529 struct sk_buff *skb;
1530 int err, count, hlen = L2CAP_HDR_SIZE;
1531 struct l2cap_hdr *lh;
1532
1533 BT_DBG("sk %p len %d", sk, (int)len);
1534
1535 count = min_t(unsigned int, (conn->mtu - hlen), len);
1536 skb = bt_skb_send_alloc(sk, count + hlen,
1537 msg->msg_flags & MSG_DONTWAIT, &err);
1538 if (!skb)
0175d629 1539 return ERR_PTR(err);
1c2acffb
GP		 1540
1541 /* Create L2CAP header */
1542 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1543 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1544 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1545
1546 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1547 if (unlikely(err < 0)) {
1548 kfree_skb(skb);
1549 return ERR_PTR(err);
1550 }
1551 return skb;
1552}
1553
ab0ff76d
LAD		 1554static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
1555 struct msghdr *msg, size_t len,
88843ab0 1556 u32 control, u16 sdulen)
1c2acffb 1557{
47d1ec61 1558 struct sock *sk = chan->sk;
8c1d787b 1559 struct l2cap_conn *conn = chan->conn;
1c2acffb 1560 struct sk_buff *skb;
e4ca6d98 1561 int err, count, hlen;
1c2acffb
GP		 1562 struct l2cap_hdr *lh;
1563
1564 BT_DBG("sk %p len %d", sk, (int)len);
1565
0ee0d208
GP		 1566 if (!conn)
1567 return ERR_PTR(-ENOTCONN);
1568
e4ca6d98
AE		 1569 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1570 hlen = L2CAP_EXT_HDR_SIZE;
1571 else
1572 hlen = L2CAP_ENH_HDR_SIZE;
1573
c74e560c 1574 if (sdulen)
03a51213 1575 hlen += L2CAP_SDULEN_SIZE;
c74e560c 1576
47d1ec61 1577 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1578 hlen += L2CAP_FCS_SIZE;
fcc203c3 1579
1c2acffb
GP		 1580 count = min_t(unsigned int, (conn->mtu - hlen), len);
1581 skb = bt_skb_send_alloc(sk, count + hlen,
1582 msg->msg_flags & MSG_DONTWAIT, &err);
1583 if (!skb)
0175d629 1584 return ERR_PTR(err);
1c2acffb
GP		 1585
1586 /* Create L2CAP header */
1587 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1588 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1589 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0
AE		 1590
1591 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
1592
c74e560c 1593 if (sdulen)
03a51213 1594 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb
GP		 1595
1596 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1597 if (unlikely(err < 0)) {
1598 kfree_skb(skb);
1599 return ERR_PTR(err);
1600 }
e90bac06 1601
47d1ec61 1602 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1603 put_unaligned_le16(0, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3 1604
e90bac06 1605 bt_cb(skb)->retries = 0;
1c2acffb 1606 return skb;
1da177e4
LT		 1607}
1608
67c9e840 1609static int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
c74e560c 1610{
c74e560c
GP		 1611 struct sk_buff *skb;
1612 struct sk_buff_head sar_queue;
88843ab0 1613 u32 control;
c74e560c
GP		 1614 size_t size = 0;
1615
ff12fd64 1616 skb_queue_head_init(&sar_queue);
7e0ef6ee 1617 control = __set_ctrl_sar(chan, L2CAP_SAR_START);
47d1ec61 1618 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
c74e560c
GP		 1619 if (IS_ERR(skb))
1620 return PTR_ERR(skb);
1621
1622 __skb_queue_tail(&sar_queue, skb);
2c03a7a4
GP		 1623 len -= chan->remote_mps;
1624 size += chan->remote_mps;
c74e560c
GP		 1625
1626 while (len > 0) {
1627 size_t buflen;
1628
2c03a7a4 1629 if (len > chan->remote_mps) {
7e0ef6ee 1630 control = __set_ctrl_sar(chan, L2CAP_SAR_CONTINUE);
2c03a7a4 1631 buflen = chan->remote_mps;
c74e560c 1632 } else {
7e0ef6ee 1633 control = __set_ctrl_sar(chan, L2CAP_SAR_END);
c74e560c
GP		 1634 buflen = len;
1635 }
1636
47d1ec61 1637 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
c74e560c
GP		 1638 if (IS_ERR(skb)) {
1639 skb_queue_purge(&sar_queue);
1640 return PTR_ERR(skb);
1641 }
1642
1643 __skb_queue_tail(&sar_queue, skb);
1644 len -= buflen;
1645 size += buflen;
c74e560c 1646 }
58d35f87
GP		 1647 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
1648 if (chan->tx_send_head == NULL)
1649 chan->tx_send_head = sar_queue.next;
c74e560c
GP		 1650
1651 return size;
1652}
1653
9a91a04a
GP		 1654int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1655{
9a91a04a 1656 struct sk_buff *skb;
88843ab0 1657 u32 control;
9a91a04a
GP		 1658 int err;
1659
1660 /* Connectionless channel */
715ec005 1661 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
9a91a04a
GP		 1662 skb = l2cap_create_connless_pdu(chan, msg, len);
1663 if (IS_ERR(skb))
1664 return PTR_ERR(skb);
1665
1666 l2cap_do_send(chan, skb);
1667 return len;
1668 }
1669
1670 switch (chan->mode) {
1671 case L2CAP_MODE_BASIC:
1672 /* Check outgoing MTU */
1673 if (len > chan->omtu)
1674 return -EMSGSIZE;
1675
1676 /* Create a basic PDU */
1677 skb = l2cap_create_basic_pdu(chan, msg, len);
1678 if (IS_ERR(skb))
1679 return PTR_ERR(skb);
1680
1681 l2cap_do_send(chan, skb);
1682 err = len;
1683 break;
1684
1685 case L2CAP_MODE_ERTM:
1686 case L2CAP_MODE_STREAMING:
1687 /* Entire SDU fits into one PDU */
1688 if (len <= chan->remote_mps) {
7e0ef6ee 1689 control = __set_ctrl_sar(chan, L2CAP_SAR_UNSEGMENTED);
9a91a04a
GP		 1690 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
1691 0);
1692 if (IS_ERR(skb))
1693 return PTR_ERR(skb);
1694
1695 __skb_queue_tail(&chan->tx_q, skb);
1696
1697 if (chan->tx_send_head == NULL)
1698 chan->tx_send_head = skb;
1699
1700 } else {
1701 /* Segment SDU into multiples PDUs */
1702 err = l2cap_sar_segment_sdu(chan, msg, len);
1703 if (err < 0)
1704 return err;
1705 }
1706
1707 if (chan->mode == L2CAP_MODE_STREAMING) {
1708 l2cap_streaming_send(chan);
1709 err = len;
1710 break;
1711 }
1712
e2ab4353
GP		 1713 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
1714 test_bit(CONN_WAIT_F, &chan->conn_state)) {
9a91a04a
GP		 1715 err = len;
1716 break;
1717 }
1718
1719 err = l2cap_ertm_send(chan);
1720 if (err >= 0)
1721 err = len;
1722
1723 break;
1724
1725 default:
1726 BT_DBG("bad state %1.1x", chan->mode);
1727 err = -EBADFD;
1728 }
1729
1730 return err;
1731}
1732
1da177e4
LT		 1733/* Copy frame to all raw sockets on that connection */
1734static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1735{
1da177e4 1736 struct sk_buff *nskb;
48454079 1737 struct l2cap_chan *chan;
1da177e4
LT		 1738
1739 BT_DBG("conn %p", conn);
1740
baa7e1fa
GP		 1741 read_lock(&conn->chan_lock);
1742 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 1743 struct sock *sk = chan->sk;
715ec005 1744 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 1745 continue;
1746
1747 /* Don't send frame to the socket it came from */
1748 if (skb->sk == sk)
1749 continue;
af05b30b
GP		 1750 nskb = skb_clone(skb, GFP_ATOMIC);
1751 if (!nskb)
1da177e4
LT		 1752 continue;
1753
23070494 1754 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT		 1755 kfree_skb(nskb);
1756 }
baa7e1fa 1757 read_unlock(&conn->chan_lock);
1da177e4
LT		 1758}
1759
1760/* ---- L2CAP signalling commands ---- */
1761static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1762 u8 code, u8 ident, u16 dlen, void *data)
1763{
1764 struct sk_buff *skb, **frag;
1765 struct l2cap_cmd_hdr *cmd;
1766 struct l2cap_hdr *lh;
1767 int len, count;
1768
af05b30b
GP		 1769 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1770 conn, code, ident, dlen);
1da177e4
LT		 1771
1772 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1773 count = min_t(unsigned int, conn->mtu, len);
1774
1775 skb = bt_skb_alloc(count, GFP_ATOMIC);
1776 if (!skb)
1777 return NULL;
1778
1779 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 1780 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 1781
1782 if (conn->hcon->type == LE_LINK)
1783 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
1784 else
1785 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 1786
1787 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1788 cmd->code = code;
1789 cmd->ident = ident;
aca3192c 1790 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 1791
1792 if (dlen) {
1793 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1794 memcpy(skb_put(skb, count), data, count);
1795 data += count;
1796 }
1797
1798 len -= skb->len;
1799
1800 /* Continuation fragments (no L2CAP header) */
1801 frag = &skb_shinfo(skb)->frag_list;
1802 while (len) {
1803 count = min_t(unsigned int, conn->mtu, len);
1804
1805 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1806 if (!*frag)
1807 goto fail;
1808
1809 memcpy(skb_put(*frag, count), data, count);
1810
1811 len -= count;
1812 data += count;
1813
1814 frag = &(*frag)->next;
1815 }
1816
1817 return skb;
1818
1819fail:
1820 kfree_skb(skb);
1821 return NULL;
1822}
1823
1824static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1825{
1826 struct l2cap_conf_opt *opt = *ptr;
1827 int len;
1828
1829 len = L2CAP_CONF_OPT_SIZE + opt->len;
1830 *ptr += len;
1831
1832 *type = opt->type;
1833 *olen = opt->len;
1834
1835 switch (opt->len) {
1836 case 1:
1837 *val = *((u8 *) opt->val);
1838 break;
1839
1840 case 2:
bfaaeb3e 1841 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 1842 break;
1843
1844 case 4:
bfaaeb3e 1845 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 1846 break;
1847
1848 default:
1849 *val = (unsigned long) opt->val;
1850 break;
1851 }
1852
1853 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1854 return len;
1855}
1856
1da177e4
LT		 1857static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1858{
1859 struct l2cap_conf_opt *opt = *ptr;
1860
1861 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1862
1863 opt->type = type;
1864 opt->len = len;
1865
1866 switch (len) {
1867 case 1:
1868 *((u8 *) opt->val) = val;
1869 break;
1870
1871 case 2:
4f8b691c 1872 put_unaligned_le16(val, opt->val);
1da177e4
LT		 1873 break;
1874
1875 case 4:
4f8b691c 1876 put_unaligned_le32(val, opt->val);
1da177e4
LT		 1877 break;
1878
1879 default:
1880 memcpy(opt->val, (void *) val, len);
1881 break;
1882 }
1883
1884 *ptr += L2CAP_CONF_OPT_SIZE + len;
1885}
1886
f89cef09
AE		 1887static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
1888{
1889 struct l2cap_conf_efs efs;
1890
1891 switch(chan->mode) {
1892 case L2CAP_MODE_ERTM:
1893 efs.id = chan->local_id;
1894 efs.stype = chan->local_stype;
1895 efs.msdu = cpu_to_le16(chan->local_msdu);
1896 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
1897 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
1898 efs.flush_to = cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
1899 break;
1900
1901 case L2CAP_MODE_STREAMING:
1902 efs.id = 1;
1903 efs.stype = L2CAP_SERV_BESTEFFORT;
1904 efs.msdu = cpu_to_le16(chan->local_msdu);
1905 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
1906 efs.acc_lat = 0;
1907 efs.flush_to = 0;
1908 break;
1909
1910 default:
1911 return;
1912 }
1913
1914 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
1915 (unsigned long) &efs);
1916}
1917
c1b4f43b
GP		 1918static void l2cap_ack_timeout(unsigned long arg)
1919{
525cd185 1920 struct l2cap_chan *chan = (void *) arg;
c1b4f43b 1921
525cd185
GP		 1922 bh_lock_sock(chan->sk);
1923 l2cap_send_ack(chan);
1924 bh_unlock_sock(chan->sk);
c1b4f43b
GP		 1925}
1926
525cd185 1927static inline void l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 1928{
525cd185
GP		 1929 struct sock *sk = chan->sk;
1930
42e5c802 1931 chan->expected_ack_seq = 0;
6a026610 1932 chan->unacked_frames = 0;
42e5c802 1933 chan->buffer_seq = 0;
6a026610
GP		 1934 chan->num_acked = 0;
1935 chan->frames_sent = 0;
0565c1c2 1936
e92c8e70
GP		 1937 setup_timer(&chan->retrans_timer, l2cap_retrans_timeout,
1938 (unsigned long) chan);
1939 setup_timer(&chan->monitor_timer, l2cap_monitor_timeout,
1940 (unsigned long) chan);
1941 setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan);
0565c1c2 1942
f1c6775b 1943 skb_queue_head_init(&chan->srej_q);
1890d36b 1944
39d5a3ee
GP		 1945 INIT_LIST_HEAD(&chan->srej_l);
1946
218bb9df
GP		 1947
1948 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
0565c1c2
GP		 1949}
1950
f2fcfcd6
GP		 1951static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
1952{
1953 switch (mode) {
1954 case L2CAP_MODE_STREAMING:
1955 case L2CAP_MODE_ERTM:
1956 if (l2cap_mode_supported(mode, remote_feat_mask))
1957 return mode;
1958 /* fall through */
1959 default:
1960 return L2CAP_MODE_BASIC;
1961 }
1962}
1963
6327eb98
AE		 1964static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
1965{
1966 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
1967}
1968
f89cef09
AE		 1969static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
1970{
1971 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
1972}
1973
6327eb98
AE		 1974static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
1975{
1976 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 1977 __l2cap_ews_supported(chan)) {
6327eb98
AE		 1978 /* use extended control field */
1979 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 1980 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
1981 } else {
6327eb98
AE		 1982 chan->tx_win = min_t(u16, chan->tx_win,
1983 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 1984 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
1985 }
6327eb98
AE		 1986}
1987
710f9b0a 1988static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 1989{
1da177e4 1990 struct l2cap_conf_req *req = data;
0c1bc5c6 1991 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 1992 void *ptr = req->data;
c8f79162 1993 u16 size;
1da177e4 1994
49208c9c 1995 BT_DBG("chan %p", chan);
1da177e4 1996
73ffa904 1997 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 1998 goto done;
1999
0c1bc5c6 2000 switch (chan->mode) {
f2fcfcd6
GP		 2001 case L2CAP_MODE_STREAMING:
2002 case L2CAP_MODE_ERTM:
c1360a1c 2003 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2004 break;
85eb53c6 2005
f89cef09
AE		 2006 if (__l2cap_efs_supported(chan))
2007 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2008
2ba13ed6 2009 /* fall through */
f2fcfcd6 2010 default:
8c1d787b 2011 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2012 break;
2013 }
2014
2015done:
0c1bc5c6
GP		 2016 if (chan->imtu != L2CAP_DEFAULT_MTU)
2017 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2018
0c1bc5c6 2019 switch (chan->mode) {
65c7c491 2020 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2021 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2022 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2023 break;
2024
62547752
GP		 2025 rfc.mode = L2CAP_MODE_BASIC;
2026 rfc.txwin_size = 0;
2027 rfc.max_transmit = 0;
2028 rfc.retrans_timeout = 0;
2029 rfc.monitor_timeout = 0;
2030 rfc.max_pdu_size = 0;
2031
63406504
GP		 2032 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2033 (unsigned long) &rfc);
65c7c491
MH		 2034 break;
2035
2036 case L2CAP_MODE_ERTM:
2037 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2038 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2039 rfc.retrans_timeout = 0;
2040 rfc.monitor_timeout = 0;
c8f79162
AE		 2041
2042 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2043 L2CAP_EXT_HDR_SIZE -
2044 L2CAP_SDULEN_SIZE -
2045 L2CAP_FCS_SIZE);
2046 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2047
6327eb98
AE		 2048 l2cap_txwin_setup(chan);
2049
2050 rfc.txwin_size = min_t(u16, chan->tx_win,
2051 L2CAP_DEFAULT_TX_WINDOW);
2052
63406504
GP		 2053 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2054 (unsigned long) &rfc);
2055
f89cef09
AE		 2056 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2057 l2cap_add_opt_efs(&ptr, chan);
2058
8c1d787b 2059 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2060 break;
2061
47d1ec61 2062 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2063 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2064 chan->fcs = L2CAP_FCS_NONE;
2065 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2066 }
6327eb98
AE		 2067
2068 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2069 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2070 chan->tx_win);
f2fcfcd6
GP		 2071 break;
2072
2073 case L2CAP_MODE_STREAMING:
2074 rfc.mode = L2CAP_MODE_STREAMING;
2075 rfc.txwin_size = 0;
2076 rfc.max_transmit = 0;
2077 rfc.retrans_timeout = 0;
2078 rfc.monitor_timeout = 0;
c8f79162
AE		 2079
2080 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2081 L2CAP_EXT_HDR_SIZE -
2082 L2CAP_SDULEN_SIZE -
2083 L2CAP_FCS_SIZE);
2084 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2085
63406504
GP		 2086 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2087 (unsigned long) &rfc);
2088
f89cef09
AE		 2089 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2090 l2cap_add_opt_efs(&ptr, chan);
2091
8c1d787b 2092 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2093 break;
2094
47d1ec61 2095 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2096 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2097 chan->fcs = L2CAP_FCS_NONE;
2098 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2099 }
65c7c491
MH		 2100 break;
2101 }
1da177e4 2102
fe4128e0 2103 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 2104 req->flags = cpu_to_le16(0);
1da177e4
LT		 2105
2106 return ptr - data;
2107}
2108
73ffa904 2109static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2110{
5dee9e7c
MH		 2111 struct l2cap_conf_rsp *rsp = data;
2112 void *ptr = rsp->data;
73ffa904
GP		 2113 void *req = chan->conf_req;
2114 int len = chan->conf_len;
5dee9e7c
MH		 2115 int type, hint, olen;
2116 unsigned long val;
6464f35f 2117 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2118 struct l2cap_conf_efs efs;
2119 u8 remote_efs = 0;
861d6882 2120 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2121 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2122 u16 size;
1da177e4 2123
73ffa904 2124 BT_DBG("chan %p", chan);
820ae1b8 2125
5dee9e7c
MH		 2126 while (len >= L2CAP_CONF_OPT_SIZE) {
2127 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2128
589d2746 2129 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2130 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2131
2132 switch (type) {
2133 case L2CAP_CONF_MTU:
861d6882 2134 mtu = val;
5dee9e7c
MH		 2135 break;
2136
2137 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2138 chan->flush_to = val;
5dee9e7c
MH		 2139 break;
2140
2141 case L2CAP_CONF_QOS:
2142 break;
2143
6464f35f
MH		 2144 case L2CAP_CONF_RFC:
2145 if (olen == sizeof(rfc))
2146 memcpy(&rfc, (void *) val, olen);
2147 break;
2148
fcc203c3
GP		 2149 case L2CAP_CONF_FCS:
2150 if (val == L2CAP_FCS_NONE)
c1360a1c 2151 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 2152 break;
fcc203c3 2153
42dceae2
AE		 2154 case L2CAP_CONF_EFS:
2155 remote_efs = 1;
2156 if (olen == sizeof(efs))
2157 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 2158 break;
2159
6327eb98
AE		 2160 case L2CAP_CONF_EWS:
2161 if (!enable_hs)
2162 return -ECONNREFUSED;
2163
2164 set_bit(FLAG_EXT_CTRL, &chan->flags);
2165 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 2166 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98
AE		 2167 chan->remote_tx_win = val;
2168 break;
2169
5dee9e7c
MH		 2170 default:
2171 if (hint)
2172 break;
2173
2174 result = L2CAP_CONF_UNKNOWN;
2175 *((u8 *) ptr++) = type;
2176 break;
2177 }
2178 }
2179
73ffa904 2180 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2181 goto done;
2182
0c1bc5c6 2183 switch (chan->mode) {
f2fcfcd6
GP		 2184 case L2CAP_MODE_STREAMING:
2185 case L2CAP_MODE_ERTM:
c1360a1c 2186 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2187 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2188 chan->conn->feat_mask);
85eb53c6
GP		 2189 break;
2190 }
2191
42dceae2
AE		 2192 if (remote_efs) {
2193 if (__l2cap_efs_supported(chan))
2194 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2195 else
2196 return -ECONNREFUSED;
2197 }
2198
0c1bc5c6 2199 if (chan->mode != rfc.mode)
f2fcfcd6 2200 return -ECONNREFUSED;
742e519b 2201
f2fcfcd6 2202 break;
f2fcfcd6
GP		 2203 }
2204
2205done:
0c1bc5c6 2206 if (chan->mode != rfc.mode) {
f2fcfcd6 2207 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2208 rfc.mode = chan->mode;
f2fcfcd6 2209
73ffa904 2210 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2211 return -ECONNREFUSED;
2212
2213 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2214 sizeof(rfc), (unsigned long) &rfc);
2215 }
2216
5dee9e7c
MH		 2217 if (result == L2CAP_CONF_SUCCESS) {
2218 /* Configure output options and let the other side know
2219 * which ones we don't like. */
2220
f2fcfcd6
GP		 2221 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2222 result = L2CAP_CONF_UNACCEPT;
2223 else {
0c1bc5c6 2224 chan->omtu = mtu;
c1360a1c 2225 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 2226 }
0c1bc5c6 2227 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2228
42dceae2
AE		 2229 if (remote_efs) {
2230 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2231 efs.stype != L2CAP_SERV_NOTRAFIC &&
2232 efs.stype != chan->local_stype) {
2233
2234 result = L2CAP_CONF_UNACCEPT;
2235
2236 if (chan->num_conf_req >= 1)
2237 return -ECONNREFUSED;
2238
2239 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2240 sizeof(efs),
2241 (unsigned long) &efs);
2242 }
2243 }
2244
f2fcfcd6
GP		 2245 switch (rfc.mode) {
2246 case L2CAP_MODE_BASIC:
47d1ec61 2247 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2248 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 2249 break;
2250
2251 case L2CAP_MODE_ERTM:
6327eb98
AE		 2252 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
2253 chan->remote_tx_win = rfc.txwin_size;
2254 else
2255 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
2256
2c03a7a4 2257 chan->remote_max_tx = rfc.max_transmit;
86b1b263 2258
c8f79162
AE		 2259 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2260 chan->conn->mtu -
2261 L2CAP_EXT_HDR_SIZE -
2262 L2CAP_SDULEN_SIZE -
2263 L2CAP_FCS_SIZE);
2264 rfc.max_pdu_size = cpu_to_le16(size);
2265 chan->remote_mps = size;
f2fcfcd6 2266
10467e9e
GP		 2267 rfc.retrans_timeout =
2268 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2269 rfc.monitor_timeout =
2270 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2271
c1360a1c 2272 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2273
2274 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2275 sizeof(rfc), (unsigned long) &rfc);
2276
42dceae2
AE		 2277 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2278 chan->remote_id = efs.id;
2279 chan->remote_stype = efs.stype;
2280 chan->remote_msdu = le16_to_cpu(efs.msdu);
2281 chan->remote_flush_to =
2282 le32_to_cpu(efs.flush_to);
2283 chan->remote_acc_lat =
2284 le32_to_cpu(efs.acc_lat);
2285 chan->remote_sdu_itime =
2286 le32_to_cpu(efs.sdu_itime);
2287 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2288 sizeof(efs), (unsigned long) &efs);
2289 }
f2fcfcd6
GP		 2290 break;
2291
2292 case L2CAP_MODE_STREAMING:
c8f79162
AE		 2293 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2294 chan->conn->mtu -
2295 L2CAP_EXT_HDR_SIZE -
2296 L2CAP_SDULEN_SIZE -
2297 L2CAP_FCS_SIZE);
2298 rfc.max_pdu_size = cpu_to_le16(size);
2299 chan->remote_mps = size;
f2fcfcd6 2300
c1360a1c 2301 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2302
2303 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2304 sizeof(rfc), (unsigned long) &rfc);
2305
f2fcfcd6
GP		 2306 break;
2307
2308 default:
5dee9e7c 2309 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2310
6464f35f 2311 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2312 rfc.mode = chan->mode;
f2fcfcd6 2313 }
6464f35f 2314
f2fcfcd6 2315 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 2316 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 2317 }
fe4128e0 2318 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2319 rsp->result = cpu_to_le16(result);
2320 rsp->flags = cpu_to_le16(0x0000);
2321
2322 return ptr - data;
1da177e4
LT		 2323}
2324
b4450035 2325static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2326{
f2fcfcd6
GP		 2327 struct l2cap_conf_req *req = data;
2328 void *ptr = req->data;
2329 int type, olen;
2330 unsigned long val;
2331 struct l2cap_conf_rfc rfc;
2332
fe4128e0 2333 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 2334
2335 while (len >= L2CAP_CONF_OPT_SIZE) {
2336 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2337
2338 switch (type) {
2339 case L2CAP_CONF_MTU:
2340 if (val < L2CAP_DEFAULT_MIN_MTU) {
2341 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2342 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2343 } else
0c1bc5c6
GP		 2344 chan->imtu = val;
2345 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 2346 break;
2347
2348 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2349 chan->flush_to = val;
f2fcfcd6 2350 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 2351 2, chan->flush_to);
f2fcfcd6
GP		 2352 break;
2353
2354 case L2CAP_CONF_RFC:
2355 if (olen == sizeof(rfc))
2356 memcpy(&rfc, (void *)val, olen);
2357
c1360a1c 2358 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 2359 rfc.mode != chan->mode)
f2fcfcd6
GP		 2360 return -ECONNREFUSED;
2361
47d1ec61 2362 chan->fcs = 0;
f2fcfcd6
GP		 2363
2364 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2365 sizeof(rfc), (unsigned long) &rfc);
2366 break;
6327eb98
AE		 2367
2368 case L2CAP_CONF_EWS:
2369 chan->tx_win = min_t(u16, val,
2370 L2CAP_DEFAULT_EXT_WINDOW);
2371 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS,
2372 2, chan->tx_win);
2373 break;
f2fcfcd6
GP		 2374 }
2375 }
2376
0c1bc5c6 2377 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 2378 return -ECONNREFUSED;
2379
0c1bc5c6 2380 chan->mode = rfc.mode;
6c2ea7a8 2381
f2fcfcd6
GP		 2382 if (*result == L2CAP_CONF_SUCCESS) {
2383 switch (rfc.mode) {
2384 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2385 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2386 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2387 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2388 break;
2389 case L2CAP_MODE_STREAMING:
47d1ec61 2390 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2391 }
2392 }
2393
fe4128e0 2394 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 2395 req->flags = cpu_to_le16(0x0000);
2396
2397 return ptr - data;
2398}
2399
fe4128e0 2400static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 2401{
2402 struct l2cap_conf_rsp *rsp = data;
2403 void *ptr = rsp->data;
1da177e4 2404
fe4128e0 2405 BT_DBG("chan %p", chan);
1da177e4 2406
fe4128e0 2407 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 2408 rsp->result = cpu_to_le16(result);
aca3192c 2409 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2410
2411 return ptr - data;
2412}
2413
8c1d787b 2414void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 2415{
2416 struct l2cap_conn_rsp rsp;
8c1d787b 2417 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 2418 u8 buf[128];
2419
fe4128e0
GP		 2420 rsp.scid = cpu_to_le16(chan->dcid);
2421 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 2422 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2423 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2424 l2cap_send_cmd(conn, chan->ident,
2425 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2426
c1360a1c 2427 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 2428 return;
2429
710f9b0a
GP		 2430 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2431 l2cap_build_conf_req(chan, buf), buf);
2432 chan->num_conf_req++;
2433}
2434
47d1ec61 2435static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 2436{
7b1c0049
GP		 2437 int type, olen;
2438 unsigned long val;
2439 struct l2cap_conf_rfc rfc;
2440
47d1ec61 2441 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 2442
0c1bc5c6 2443 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 2444 return;
2445
2446 while (len >= L2CAP_CONF_OPT_SIZE) {
2447 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2448
2449 switch (type) {
2450 case L2CAP_CONF_RFC:
2451 if (olen == sizeof(rfc))
2452 memcpy(&rfc, (void *)val, olen);
2453 goto done;
2454 }
2455 }
2456
2457done:
2458 switch (rfc.mode) {
2459 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2460 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2461 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2462 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2463 break;
2464 case L2CAP_MODE_STREAMING:
47d1ec61 2465 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2466 }
2467}
2468
4e8402a3
MH		 2469static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2470{
e2fd318e 2471 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 2472
e2fd318e 2473 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 2474 return 0;
2475
2476 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2477 cmd->ident == conn->info_ident) {
4e8402a3 2478 del_timer(&conn->info_timer);
984947dc
MH		 2479
2480 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2481 conn->info_ident = 0;
984947dc 2482
4e8402a3
MH		 2483 l2cap_conn_start(conn);
2484 }
2485
2486 return 0;
2487}
2488
1da177e4
LT		 2489static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2490{
1da177e4
LT		 2491 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2492 struct l2cap_conn_rsp rsp;
23691d75 2493 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 2494 struct sock *parent, *sk = NULL;
e7c29cb1 2495 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2496
2497 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2498 __le16 psm = req->psm;
1da177e4
LT		 2499
2500 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2501
2502 /* Check if we have socket listening on psm */
23691d75
GP		 2503 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
2504 if (!pchan) {
1da177e4
LT		 2505 result = L2CAP_CR_BAD_PSM;
2506 goto sendresp;
2507 }
2508
23691d75
GP		 2509 parent = pchan->sk;
2510
e0f0cb56
GP		 2511 bh_lock_sock(parent);
2512
e7c29cb1
MH		 2513 /* Check if the ACL is secure enough (if not SDP) */
2514 if (psm != cpu_to_le16(0x0001) &&
2515 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 2516 conn->disc_reason = 0x05;
e7c29cb1
MH		 2517 result = L2CAP_CR_SEC_BLOCK;
2518 goto response;
2519 }
2520
1da177e4
LT		 2521 result = L2CAP_CR_NO_MEM;
2522
2523 /* Check for backlog size */
2524 if (sk_acceptq_is_full(parent)) {
8e87d142 2525 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2526 goto response;
2527 }
2528
80808e43
GP		 2529 chan = pchan->ops->new_connection(pchan->data);
2530 if (!chan)
1da177e4
LT		 2531 goto response;
2532
80808e43
GP		 2533 sk = chan->sk;
2534
baa7e1fa 2535 write_lock_bh(&conn->chan_lock);
1da177e4
LT		 2536
2537 /* Check if we already have channel with that dcid */
baa7e1fa
GP		 2538 if (__l2cap_get_chan_by_dcid(conn, scid)) {
2539 write_unlock_bh(&conn->chan_lock);
1da177e4 2540 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 2541 chan->ops->close(chan->data);
1da177e4
LT		 2542 goto response;
2543 }
2544
2545 hci_conn_hold(conn->hcon);
2546
1da177e4
LT		 2547 bacpy(&bt_sk(sk)->src, conn->src);
2548 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 2549 chan->psm = psm;
2550 chan->dcid = scid;
1da177e4 2551
d1010240
GP		 2552 bt_accept_enqueue(parent, sk);
2553
48454079
GP		 2554 __l2cap_chan_add(conn, chan);
2555
fe4128e0 2556 dcid = chan->scid;
1da177e4 2557
c9b66675 2558 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 2559
fc7f8a7e 2560 chan->ident = cmd->ident;
1da177e4 2561
984947dc 2562 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
4343478f 2563 if (l2cap_check_security(chan)) {
f66dc81f 2564 if (bt_sk(sk)->defer_setup) {
89bc500e 2565 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 2566 result = L2CAP_CR_PEND;
2567 status = L2CAP_CS_AUTHOR_PEND;
2568 parent->sk_data_ready(parent, 0);
2569 } else {
89bc500e 2570 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 2571 result = L2CAP_CR_SUCCESS;
2572 status = L2CAP_CS_NO_INFO;
2573 }
79d554a6 2574 } else {
89bc500e 2575 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2576 result = L2CAP_CR_PEND;
2577 status = L2CAP_CS_AUTHEN_PEND;
2578 }
2579 } else {
89bc500e 2580 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2581 result = L2CAP_CR_PEND;
2582 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2583 }
2584
baa7e1fa 2585 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 2586
2587response:
2588 bh_unlock_sock(parent);
2589
2590sendresp:
aca3192c
YH		 2591 rsp.scid = cpu_to_le16(scid);
2592 rsp.dcid = cpu_to_le16(dcid);
2593 rsp.result = cpu_to_le16(result);
2594 rsp.status = cpu_to_le16(status);
1da177e4 2595 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2596
2597 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2598 struct l2cap_info_req info;
2599 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2600
2601 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2602 conn->info_ident = l2cap_get_ident(conn);
2603
2604 mod_timer(&conn->info_timer, jiffies +
2605 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2606
2607 l2cap_send_cmd(conn, conn->info_ident,
2608 L2CAP_INFO_REQ, sizeof(info), &info);
2609 }
2610
c1360a1c 2611 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 2612 result == L2CAP_CR_SUCCESS) {
2613 u8 buf[128];
c1360a1c 2614 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 2615 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2616 l2cap_build_conf_req(chan, buf), buf);
2617 chan->num_conf_req++;
e9aeb2dd
GP		 2618 }
2619
1da177e4
LT		 2620 return 0;
2621}
2622
2623static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2624{
2625 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2626 u16 scid, dcid, result, status;
48454079 2627 struct l2cap_chan *chan;
1da177e4
LT		 2628 struct sock *sk;
2629 u8 req[128];
2630
2631 scid = __le16_to_cpu(rsp->scid);
2632 dcid = __le16_to_cpu(rsp->dcid);
2633 result = __le16_to_cpu(rsp->result);
2634 status = __le16_to_cpu(rsp->status);
2635
2636 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2637
2638 if (scid) {
baa7e1fa 2639 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2640 if (!chan)
57d3b22b 2641 return -EFAULT;
1da177e4 2642 } else {
baa7e1fa 2643 chan = l2cap_get_chan_by_ident(conn, cmd->ident);
48454079 2644 if (!chan)
57d3b22b 2645 return -EFAULT;
1da177e4
LT		 2646 }
2647
48454079
GP		 2648 sk = chan->sk;
2649
1da177e4
LT		 2650 switch (result) {
2651 case L2CAP_CR_SUCCESS:
89bc500e 2652 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 2653 chan->ident = 0;
fe4128e0 2654 chan->dcid = dcid;
c1360a1c 2655 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 2656
c1360a1c 2657 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 2658 break;
2659
1da177e4 2660 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2661 l2cap_build_conf_req(chan, req), req);
2662 chan->num_conf_req++;
1da177e4
LT		 2663 break;
2664
2665 case L2CAP_CR_PEND:
c1360a1c 2666 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 2667 break;
2668
2669 default:
a49184c2
AE		 2670 /* don't delete l2cap channel if sk is owned by user */
2671 if (sock_owned_by_user(sk)) {
89bc500e 2672 l2cap_state_change(chan, BT_DISCONN);
c9b66675
GP		 2673 __clear_chan_timer(chan);
2674 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2675 break;
2676 }
2677
48454079 2678 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 2679 break;
2680 }
2681
2682 bh_unlock_sock(sk);
2683 return 0;
2684}
2685
47d1ec61 2686static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 2687{
2688 /* FCS is enabled only in ERTM or streaming mode, if one or both
2689 * sides request it.
2690 */
0c1bc5c6 2691 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 2692 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2693 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 2694 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 2695}
2696
88219a0f 2697static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2698{
2699 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2700 u16 dcid, flags;
2701 u8 rsp[64];
48454079 2702 struct l2cap_chan *chan;
1da177e4 2703 struct sock *sk;
5dee9e7c 2704 int len;
1da177e4
LT		 2705
2706 dcid = __le16_to_cpu(req->dcid);
2707 flags = __le16_to_cpu(req->flags);
2708
2709 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2710
baa7e1fa 2711 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2712 if (!chan)
1da177e4
LT		 2713 return -ENOENT;
2714
48454079
GP		 2715 sk = chan->sk;
2716
033b1142 2717 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 2718 struct l2cap_cmd_rej_cid rej;
2719
2720 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
2721 rej.scid = cpu_to_le16(chan->scid);
2722 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 2723
df6bd743
GP		 2724 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2725 sizeof(rej), &rej);
354f60a9 2726 goto unlock;
df6bd743 2727 }
354f60a9 2728
5dee9e7c 2729 /* Reject if config buffer is too small. */
88219a0f 2730 len = cmd_len - sizeof(*req);
7ac28817 2731 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 2732 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2733 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 2734 L2CAP_CONF_REJECT, flags), rsp);
2735 goto unlock;
2736 }
2737
2738 /* Store config. */
73ffa904
GP		 2739 memcpy(chan->conf_req + chan->conf_len, req->data, len);
2740 chan->conf_len += len;
1da177e4
LT		 2741
2742 if (flags & 0x0001) {
2743 /* Incomplete config. Send empty response. */
2744 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2745 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 2746 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2747 goto unlock;
2748 }
2749
2750 /* Complete config. */
73ffa904 2751 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 2752 if (len < 0) {
e92c8e70 2753 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 2754 goto unlock;
f2fcfcd6 2755 }
1da177e4 2756
5dee9e7c 2757 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 2758 chan->num_conf_rsp++;
5dee9e7c 2759
5dee9e7c 2760 /* Reset config buffer. */
73ffa904 2761 chan->conf_len = 0;
5dee9e7c 2762
c1360a1c 2763 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 2764 goto unlock;
2765
c1360a1c 2766 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 2767 set_default_fcs(chan);
fcc203c3 2768
89bc500e 2769 l2cap_state_change(chan, BT_CONNECTED);
e90bac06 2770
42e5c802
GP		 2771 chan->next_tx_seq = 0;
2772 chan->expected_tx_seq = 0;
58d35f87 2773 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2774 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2775 l2cap_ertm_init(chan);
0565c1c2 2776
1da177e4 2777 l2cap_chan_ready(sk);
876d9484
MH		 2778 goto unlock;
2779 }
2780
c1360a1c 2781 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 2782 u8 buf[64];
1da177e4 2783 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2784 l2cap_build_conf_req(chan, buf), buf);
2785 chan->num_conf_req++;
1da177e4
LT		 2786 }
2787
2788unlock:
2789 bh_unlock_sock(sk);
2790 return 0;
2791}
2792
2793static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2794{
2795 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2796 u16 scid, flags, result;
48454079 2797 struct l2cap_chan *chan;
1da177e4 2798 struct sock *sk;
7b1c0049 2799 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 2800
2801 scid = __le16_to_cpu(rsp->scid);
2802 flags = __le16_to_cpu(rsp->flags);
2803 result = __le16_to_cpu(rsp->result);
2804
af05b30b
GP		 2805 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2806 scid, flags, result);
1da177e4 2807
baa7e1fa 2808 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2809 if (!chan)
1da177e4
LT		 2810 return 0;
2811
48454079
GP		 2812 sk = chan->sk;
2813
1da177e4
LT		 2814 switch (result) {
2815 case L2CAP_CONF_SUCCESS:
47d1ec61 2816 l2cap_conf_rfc_get(chan, rsp->data, len);
1da177e4
LT		 2817 break;
2818
2819 case L2CAP_CONF_UNACCEPT:
73ffa904 2820 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 2821 char req[64];
2822
c2c77ec8 2823 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 2824 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 2825 goto done;
2826 }
2827
f2fcfcd6
GP		 2828 /* throw out any old stored conf requests */
2829 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 2830 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2831 req, &result);
f2fcfcd6 2832 if (len < 0) {
e92c8e70 2833 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 2834 goto done;
2835 }
2836
2837 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2838 L2CAP_CONF_REQ, len, req);
73ffa904 2839 chan->num_conf_req++;
f2fcfcd6
GP		 2840 if (result != L2CAP_CONF_SUCCESS)
2841 goto done;
2842 break;
1da177e4
LT		 2843 }
2844
8e87d142 2845 default:
b1235d79 2846 sk->sk_err = ECONNRESET;
c9b66675 2847 __set_chan_timer(chan, HZ * 5);
e92c8e70 2848 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 2849 goto done;
2850 }
2851
2852 if (flags & 0x01)
2853 goto done;
2854
c1360a1c 2855 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 2856
c1360a1c 2857 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 2858 set_default_fcs(chan);
fcc203c3 2859
89bc500e 2860 l2cap_state_change(chan, BT_CONNECTED);
42e5c802
GP		 2861 chan->next_tx_seq = 0;
2862 chan->expected_tx_seq = 0;
58d35f87 2863 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2864 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2865 l2cap_ertm_init(chan);
0565c1c2 2866
1da177e4
LT		 2867 l2cap_chan_ready(sk);
2868 }
2869
2870done:
2871 bh_unlock_sock(sk);
2872 return 0;
2873}
2874
2875static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2876{
2877 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2878 struct l2cap_disconn_rsp rsp;
2879 u16 dcid, scid;
48454079 2880 struct l2cap_chan *chan;
1da177e4
LT		 2881 struct sock *sk;
2882
2883 scid = __le16_to_cpu(req->scid);
2884 dcid = __le16_to_cpu(req->dcid);
2885
2886 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2887
baa7e1fa 2888 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2889 if (!chan)
1da177e4
LT		 2890 return 0;
2891
48454079
GP		 2892 sk = chan->sk;
2893
fe4128e0
GP		 2894 rsp.dcid = cpu_to_le16(chan->scid);
2895 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 2896 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2897
2898 sk->sk_shutdown = SHUTDOWN_MASK;
2899
a49184c2
AE		 2900 /* don't delete l2cap channel if sk is owned by user */
2901 if (sock_owned_by_user(sk)) {
89bc500e 2902 l2cap_state_change(chan, BT_DISCONN);
c9b66675
GP		 2903 __clear_chan_timer(chan);
2904 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2905 bh_unlock_sock(sk);
2906 return 0;
2907 }
2908
48454079 2909 l2cap_chan_del(chan, ECONNRESET);
1da177e4
LT		 2910 bh_unlock_sock(sk);
2911
ba3bd0ee 2912 chan->ops->close(chan->data);
1da177e4
LT		 2913 return 0;
2914}
2915
2916static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2917{
2918 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2919 u16 dcid, scid;
48454079 2920 struct l2cap_chan *chan;
1da177e4
LT		 2921 struct sock *sk;
2922
2923 scid = __le16_to_cpu(rsp->scid);
2924 dcid = __le16_to_cpu(rsp->dcid);
2925
2926 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2927
baa7e1fa 2928 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2929 if (!chan)
1da177e4
LT		 2930 return 0;
2931
48454079
GP		 2932 sk = chan->sk;
2933
a49184c2
AE		 2934 /* don't delete l2cap channel if sk is owned by user */
2935 if (sock_owned_by_user(sk)) {
89bc500e 2936 l2cap_state_change(chan,BT_DISCONN);
c9b66675
GP		 2937 __clear_chan_timer(chan);
2938 __set_chan_timer(chan, HZ / 5);
a49184c2
AE		 2939 bh_unlock_sock(sk);
2940 return 0;
2941 }
2942
48454079 2943 l2cap_chan_del(chan, 0);
1da177e4
LT		 2944 bh_unlock_sock(sk);
2945
ba3bd0ee 2946 chan->ops->close(chan->data);
1da177e4
LT		 2947 return 0;
2948}
2949
2950static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2951{
2952 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 2953 u16 type;
2954
2955 type = __le16_to_cpu(req->type);
2956
2957 BT_DBG("type 0x%4.4x", type);
2958
f0709e03
MH		 2959 if (type == L2CAP_IT_FEAT_MASK) {
2960 u8 buf[8];
44dd46de 2961 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 2962 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2963 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2964 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 2965 if (!disable_ertm)
fcc203c3
GP		 2966 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2967 | L2CAP_FEAT_FCS;
a5fd6f30 2968 if (enable_hs)
6327eb98
AE		 2969 feat_mask |= L2CAP_FEAT_EXT_FLOW
2970 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 2971
1b7bf4ed 2972 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 2973 l2cap_send_cmd(conn, cmd->ident,
2974 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 2975 } else if (type == L2CAP_IT_FIXED_CHAN) {
2976 u8 buf[12];
2977 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2978 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2979 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2980 memcpy(buf + 4, l2cap_fixed_chan, 8);
2981 l2cap_send_cmd(conn, cmd->ident,
2982 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 2983 } else {
2984 struct l2cap_info_rsp rsp;
2985 rsp.type = cpu_to_le16(type);
2986 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2987 l2cap_send_cmd(conn, cmd->ident,
2988 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
2989 }
1da177e4
LT		 2990
2991 return 0;
2992}
2993
2994static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2995{
2996 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
2997 u16 type, result;
2998
2999 type = __le16_to_cpu(rsp->type);
3000 result = __le16_to_cpu(rsp->result);
3001
3002 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3003
e90165be
AE		 3004 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3005 if (cmd->ident != conn->info_ident ||
3006 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3007 return 0;
3008
4e8402a3
MH		 3009 del_timer(&conn->info_timer);
3010
adb08ede
VT		 3011 if (result != L2CAP_IR_SUCCESS) {
3012 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3013 conn->info_ident = 0;
3014
3015 l2cap_conn_start(conn);
3016
3017 return 0;
3018 }
3019
984947dc 3020 if (type == L2CAP_IT_FEAT_MASK) {
83985319 3021 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3022
47ec1dcd 3023 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 3024 struct l2cap_info_req req;
3025 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3026
3027 conn->info_ident = l2cap_get_ident(conn);
3028
3029 l2cap_send_cmd(conn, conn->info_ident,
3030 L2CAP_INFO_REQ, sizeof(req), &req);
3031 } else {
3032 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3033 conn->info_ident = 0;
3034
3035 l2cap_conn_start(conn);
3036 }
3037 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 3038 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3039 conn->info_ident = 0;
984947dc
MH		 3040
3041 l2cap_conn_start(conn);
3042 }
4e8402a3 3043
1da177e4
LT		 3044 return 0;
3045}
3046
e2174ca4 3047static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 3048 u16 to_multiplier)
3049{
3050 u16 max_latency;
3051
3052 if (min > max || min < 6 || max > 3200)
3053 return -EINVAL;
3054
3055 if (to_multiplier < 10 || to_multiplier > 3200)
3056 return -EINVAL;
3057
3058 if (max >= to_multiplier * 8)
3059 return -EINVAL;
3060
3061 max_latency = (to_multiplier * 8 / max) - 1;
3062 if (latency > 499 || latency > max_latency)
3063 return -EINVAL;
3064
3065 return 0;
3066}
3067
3068static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
3069 struct l2cap_cmd_hdr *cmd, u8 *data)
3070{
3071 struct hci_conn *hcon = conn->hcon;
3072 struct l2cap_conn_param_update_req *req;
3073 struct l2cap_conn_param_update_rsp rsp;
3074 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 3075 int err;
de73115a
CT		 3076
3077 if (!(hcon->link_mode & HCI_LM_MASTER))
3078 return -EINVAL;
3079
3080 cmd_len = __le16_to_cpu(cmd->len);
3081 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
3082 return -EPROTO;
3083
3084 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 3085 min = __le16_to_cpu(req->min);
3086 max = __le16_to_cpu(req->max);
de73115a
CT		 3087 latency = __le16_to_cpu(req->latency);
3088 to_multiplier = __le16_to_cpu(req->to_multiplier);
3089
3090 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
3091 min, max, latency, to_multiplier);
3092
3093 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 3094
3095 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
3096 if (err)
de73115a
CT		 3097 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
3098 else
3099 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
3100
3101 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
3102 sizeof(rsp), &rsp);
3103
2ce603eb
CT		 3104 if (!err)
3105 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
3106
de73115a
CT		 3107 return 0;
3108}
3109
3300d9a9
CT		 3110static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
3111 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3112{
3113 int err = 0;
3114
3115 switch (cmd->code) {
3116 case L2CAP_COMMAND_REJ:
3117 l2cap_command_rej(conn, cmd, data);
3118 break;
3119
3120 case L2CAP_CONN_REQ:
3121 err = l2cap_connect_req(conn, cmd, data);
3122 break;
3123
3124 case L2CAP_CONN_RSP:
3125 err = l2cap_connect_rsp(conn, cmd, data);
3126 break;
3127
3128 case L2CAP_CONF_REQ:
3129 err = l2cap_config_req(conn, cmd, cmd_len, data);
3130 break;
3131
3132 case L2CAP_CONF_RSP:
3133 err = l2cap_config_rsp(conn, cmd, data);
3134 break;
3135
3136 case L2CAP_DISCONN_REQ:
3137 err = l2cap_disconnect_req(conn, cmd, data);
3138 break;
3139
3140 case L2CAP_DISCONN_RSP:
3141 err = l2cap_disconnect_rsp(conn, cmd, data);
3142 break;
3143
3144 case L2CAP_ECHO_REQ:
3145 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
3146 break;
3147
3148 case L2CAP_ECHO_RSP:
3149 break;
3150
3151 case L2CAP_INFO_REQ:
3152 err = l2cap_information_req(conn, cmd, data);
3153 break;
3154
3155 case L2CAP_INFO_RSP:
3156 err = l2cap_information_rsp(conn, cmd, data);
3157 break;
3158
3159 default:
3160 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
3161 err = -EINVAL;
3162 break;
3163 }
3164
3165 return err;
3166}
3167
3168static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
3169 struct l2cap_cmd_hdr *cmd, u8 *data)
3170{
3171 switch (cmd->code) {
3172 case L2CAP_COMMAND_REJ:
3173 return 0;
3174
3175 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 3176 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 3177
3178 case L2CAP_CONN_PARAM_UPDATE_RSP:
3179 return 0;
3180
3181 default:
3182 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
3183 return -EINVAL;
3184 }
3185}
3186
3187static inline void l2cap_sig_channel(struct l2cap_conn *conn,
3188 struct sk_buff *skb)
1da177e4
LT		 3189{
3190 u8 *data = skb->data;
3191 int len = skb->len;
3192 struct l2cap_cmd_hdr cmd;
3300d9a9 3193 int err;
1da177e4
LT		 3194
3195 l2cap_raw_recv(conn, skb);
3196
3197 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3198 u16 cmd_len;
1da177e4
LT		 3199 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3200 data += L2CAP_CMD_HDR_SIZE;
3201 len -= L2CAP_CMD_HDR_SIZE;
3202
88219a0f 3203 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3204
88219a0f 3205 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3206
88219a0f 3207 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3208 BT_DBG("corrupted command");
3209 break;
3210 }
3211
3300d9a9
CT		 3212 if (conn->hcon->type == LE_LINK)
3213 err = l2cap_le_sig_cmd(conn, &cmd, data);
3214 else
3215 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 3216
3217 if (err) {
e2fd318e 3218 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 3219
3220 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 3221
3222 /* FIXME: Map err to a valid reason */
e2fd318e 3223 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 3224 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3225 }
3226
88219a0f
AV		 3227 data += cmd_len;
3228 len -= cmd_len;
1da177e4
LT		 3229 }
3230
3231 kfree_skb(skb);
3232}
3233
47d1ec61 3234static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 3235{
3236 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 3237 int hdr_size;
3238
3239 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3240 hdr_size = L2CAP_EXT_HDR_SIZE;
3241 else
3242 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 3243
47d1ec61 3244 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 3245 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 3246 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3247 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3248
3249 if (our_fcs != rcv_fcs)
7a560e5c 3250 return -EBADMSG;
fcc203c3
GP		 3251 }
3252 return 0;
3253}
3254
525cd185 3255static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 3256{
88843ab0 3257 u32 control = 0;
d5392c8f 3258
6a026610 3259 chan->frames_sent = 0;
d5392c8f 3260
0b209fae 3261 control |= __set_reqseq(chan, chan->buffer_seq);
d5392c8f 3262
e2ab4353 3263 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 3264 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
525cd185 3265 l2cap_send_sframe(chan, control);
e2ab4353 3266 set_bit(CONN_RNR_SENT, &chan->conn_state);
d5392c8f
GP		 3267 }
3268
e2ab4353 3269 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
525cd185 3270 l2cap_retransmit_frames(chan);
d5392c8f 3271
525cd185 3272 l2cap_ertm_send(chan);
d5392c8f 3273
e2ab4353 3274 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
6a026610 3275 chan->frames_sent == 0) {
ab784b73 3276 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 3277 l2cap_send_sframe(chan, control);
d5392c8f
GP		 3278 }
3279}
3280
fb45de7d 3281static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u16 tx_seq, u8 sar)
8f17154f
GP		 3282{
3283 struct sk_buff *next_skb;
bfbacc11 3284 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 3285
3286 bt_cb(skb)->tx_seq = tx_seq;
3287 bt_cb(skb)->sar = sar;
3288
f1c6775b 3289 next_skb = skb_peek(&chan->srej_q);
8f17154f 3290 if (!next_skb) {
f1c6775b 3291 __skb_queue_tail(&chan->srej_q, skb);
9b53350d 3292 return 0;
8f17154f
GP		 3293 }
3294
836be934 3295 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
bfbacc11 3296
8f17154f 3297 do {
9b53350d
JPRV		 3298 if (bt_cb(next_skb)->tx_seq == tx_seq)
3299 return -EINVAL;
3300
836be934
AE		 3301 next_tx_seq_offset = __seq_offset(chan,
3302 bt_cb(next_skb)->tx_seq, chan->buffer_seq);
bfbacc11
JPRV		 3303
3304 if (next_tx_seq_offset > tx_seq_offset) {
f1c6775b 3305 __skb_queue_before(&chan->srej_q, next_skb, skb);
9b53350d 3306 return 0;
8f17154f
GP		 3307 }
3308
f1c6775b 3309 if (skb_queue_is_last(&chan->srej_q, next_skb))
8f17154f
GP		 3310 break;
3311
f1c6775b 3312 } while ((next_skb = skb_queue_next(&chan->srej_q, next_skb)));
8f17154f 3313
f1c6775b 3314 __skb_queue_tail(&chan->srej_q, skb);
9b53350d
JPRV		 3315
3316 return 0;
8f17154f
GP		 3317}
3318
84084a31
MM		 3319static void append_skb_frag(struct sk_buff *skb,
3320 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 3321{
84084a31
MM		 3322 /* skb->len reflects data in skb as well as all fragments
3323 * skb->data_len reflects only data in fragments
3324 */
3325 if (!skb_has_frag_list(skb))
3326 skb_shinfo(skb)->frag_list = new_frag;
3327
3328 new_frag->next = NULL;
3329
3330 (*last_frag)->next = new_frag;
3331 *last_frag = new_frag;
3332
3333 skb->len += new_frag->len;
3334 skb->data_len += new_frag->len;
3335 skb->truesize += new_frag->truesize;
3336}
3337
88843ab0 3338static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u32 control)
84084a31
MM		 3339{
3340 int err = -EINVAL;
18778a63 3341
7e0ef6ee
AE		 3342 switch (__get_ctrl_sar(chan, control)) {
3343 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 3344 if (chan->sdu)
3345 break;
18778a63 3346
84084a31
MM		 3347 err = chan->ops->recv(chan->data, skb);
3348 break;
18778a63 3349
7e0ef6ee 3350 case L2CAP_SAR_START:
84084a31
MM		 3351 if (chan->sdu)
3352 break;
18778a63 3353
6f61fd47 3354 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 3355 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 3356
84084a31
MM		 3357 if (chan->sdu_len > chan->imtu) {
3358 err = -EMSGSIZE;
3359 break;
3360 }
1890d36b 3361
84084a31
MM		 3362 if (skb->len >= chan->sdu_len)
3363 break;
18778a63 3364
84084a31
MM		 3365 chan->sdu = skb;
3366 chan->sdu_last_frag = skb;
18778a63 3367
84084a31
MM		 3368 skb = NULL;
3369 err = 0;
18778a63
GP		 3370 break;
3371
7e0ef6ee 3372 case L2CAP_SAR_CONTINUE:
6f61fd47 3373 if (!chan->sdu)
84084a31 3374 break;
18778a63 3375
84084a31
MM		 3376 append_skb_frag(chan->sdu, skb,
3377 &chan->sdu_last_frag);
3378 skb = NULL;
18778a63 3379
84084a31
MM		 3380 if (chan->sdu->len >= chan->sdu_len)
3381 break;
4178ba46 3382
84084a31 3383 err = 0;
18778a63
GP		 3384 break;
3385
7e0ef6ee 3386 case L2CAP_SAR_END:
6f61fd47 3387 if (!chan->sdu)
84084a31 3388 break;
18778a63 3389
84084a31
MM		 3390 append_skb_frag(chan->sdu, skb,
3391 &chan->sdu_last_frag);
3392 skb = NULL;
4178ba46 3393
84084a31
MM		 3394 if (chan->sdu->len != chan->sdu_len)
3395 break;
18778a63 3396
84084a31 3397 err = chan->ops->recv(chan->data, chan->sdu);
1890d36b 3398
84084a31
MM		 3399 if (!err) {
3400 /* Reassembly complete */
3401 chan->sdu = NULL;
3402 chan->sdu_last_frag = NULL;
3403 chan->sdu_len = 0;
1890d36b 3404 }
18778a63
GP		 3405 break;
3406 }
3407
84084a31
MM		 3408 if (err) {
3409 kfree_skb(skb);
3410 kfree_skb(chan->sdu);
3411 chan->sdu = NULL;
3412 chan->sdu_last_frag = NULL;
3413 chan->sdu_len = 0;
3414 }
18778a63 3415
84084a31 3416 return err;
18778a63
GP		 3417}
3418
26f880d2 3419static void l2cap_ertm_enter_local_busy(struct l2cap_chan *chan)
712132eb 3420{
88843ab0 3421 u32 control;
712132eb 3422
26f880d2 3423 BT_DBG("chan %p, Enter local busy", chan);
712132eb 3424
26f880d2
MM		 3425 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3426
0b209fae 3427 control = __set_reqseq(chan, chan->buffer_seq);
ab784b73 3428 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
26f880d2
MM		 3429 l2cap_send_sframe(chan, control);
3430
3431 set_bit(CONN_RNR_SENT, &chan->conn_state);
3432
3433 __clear_ack_timer(chan);
3434}
3435
3436static void l2cap_ertm_exit_local_busy(struct l2cap_chan *chan)
3437{
88843ab0 3438 u32 control;
712132eb 3439
e2ab4353 3440 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
712132eb
GP		 3441 goto done;
3442
0b209fae 3443 control = __set_reqseq(chan, chan->buffer_seq);
e3781735 3444 control |= __set_ctrl_poll(chan);
ab784b73 3445 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 3446 l2cap_send_sframe(chan, control);
6a026610 3447 chan->retry_count = 1;
712132eb 3448
1a09bcb9
GP		 3449 __clear_retrans_timer(chan);
3450 __set_monitor_timer(chan);
712132eb 3451
e2ab4353 3452 set_bit(CONN_WAIT_F, &chan->conn_state);
712132eb
GP		 3453
3454done:
e2ab4353
GP		 3455 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3456 clear_bit(CONN_RNR_SENT, &chan->conn_state);
712132eb 3457
49208c9c 3458 BT_DBG("chan %p, Exit local busy", chan);
712132eb
GP		 3459}
3460
e328140f 3461void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
1890d36b 3462{
e328140f
MM		 3463 if (chan->mode == L2CAP_MODE_ERTM) {
3464 if (busy)
3465 l2cap_ertm_enter_local_busy(chan);
3466 else
3467 l2cap_ertm_exit_local_busy(chan);
1890d36b 3468 }
1890d36b
GP		 3469}
3470
fb45de7d 3471static void l2cap_check_srej_gap(struct l2cap_chan *chan, u16 tx_seq)
8f17154f
GP		 3472{
3473 struct sk_buff *skb;
88843ab0 3474 u32 control;
8f17154f 3475
e328140f
MM		 3476 while ((skb = skb_peek(&chan->srej_q)) &&
3477 !test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3478 int err;
3479
8f17154f
GP		 3480 if (bt_cb(skb)->tx_seq != tx_seq)
3481 break;
3482
f1c6775b 3483 skb = skb_dequeue(&chan->srej_q);
7e0ef6ee 3484 control = __set_ctrl_sar(chan, bt_cb(skb)->sar);
84084a31 3485 err = l2cap_reassemble_sdu(chan, skb, control);
e328140f
MM		 3486
3487 if (err < 0) {
3488 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3489 break;
3490 }
3491
836be934
AE		 3492 chan->buffer_seq_srej = __next_seq(chan, chan->buffer_seq_srej);
3493 tx_seq = __next_seq(chan, tx_seq);
8f17154f
GP		 3494 }
3495}
3496
fb45de7d 3497static void l2cap_resend_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 3498{
8f17154f 3499 struct srej_list *l, *tmp;
88843ab0 3500 u32 control;
8f17154f 3501
39d5a3ee 3502 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
8f17154f
GP		 3503 if (l->tx_seq == tx_seq) {
3504 list_del(&l->list);
3505 kfree(l);
3506 return;
3507 }
ab784b73 3508 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 3509 control |= __set_reqseq(chan, l->tx_seq);
525cd185 3510 l2cap_send_sframe(chan, control);
8f17154f 3511 list_del(&l->list);
39d5a3ee 3512 list_add_tail(&l->list, &chan->srej_l);
8f17154f
GP		 3513 }
3514}
3515
fb45de7d 3516static void l2cap_send_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 3517{
8f17154f 3518 struct srej_list *new;
88843ab0 3519 u32 control;
8f17154f 3520
42e5c802 3521 while (tx_seq != chan->expected_tx_seq) {
ab784b73 3522 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 3523 control |= __set_reqseq(chan, chan->expected_tx_seq);
525cd185 3524 l2cap_send_sframe(chan, control);
8f17154f
GP		 3525
3526 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
42e5c802 3527 new->tx_seq = chan->expected_tx_seq;
836be934
AE		 3528
3529 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
3530
39d5a3ee 3531 list_add_tail(&new->list, &chan->srej_l);
8f17154f 3532 }
836be934
AE		 3533
3534 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
8f17154f
GP		 3535}
3536
88843ab0 3537static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
1c2acffb 3538{
fb45de7d 3539 u16 tx_seq = __get_txseq(chan, rx_control);
0b209fae 3540 u16 req_seq = __get_reqseq(chan, rx_control);
7e0ef6ee 3541 u8 sar = __get_ctrl_sar(chan, rx_control);
f6337c77 3542 int tx_seq_offset, expected_tx_seq_offset;
47d1ec61 3543 int num_to_ack = (chan->tx_win/6) + 1;
1c2acffb
GP		 3544 int err = 0;
3545
88843ab0 3546 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%8.8x", chan, skb->len,
525cd185 3547 tx_seq, rx_control);
1c2acffb 3548
03f6715d 3549 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 3550 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 3551 __clear_monitor_timer(chan);
6a026610 3552 if (chan->unacked_frames > 0)
1a09bcb9 3553 __set_retrans_timer(chan);
e2ab4353 3554 clear_bit(CONN_WAIT_F, &chan->conn_state);
1d8f5d16
GP		 3555 }
3556
42e5c802
GP		 3557 chan->expected_ack_seq = req_seq;
3558 l2cap_drop_acked_frames(chan);
9f121a5a 3559
836be934 3560 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
9b53350d
JPRV		 3561
3562 /* invalid tx_seq */
47d1ec61 3563 if (tx_seq_offset >= chan->tx_win) {
8c1d787b 3564 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
9b53350d
JPRV		 3565 goto drop;
3566 }
3567
e2ab4353 3568 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1890d36b
GP		 3569 goto drop;
3570
02f1b641
MM		 3571 if (tx_seq == chan->expected_tx_seq)
3572 goto expected;
3573
e2ab4353 3574 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
8f17154f 3575 struct srej_list *first;
30afb5b2 3576
39d5a3ee 3577 first = list_first_entry(&chan->srej_l,
8f17154f
GP		 3578 struct srej_list, list);
3579 if (tx_seq == first->tx_seq) {
42e5c802 3580 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
525cd185 3581 l2cap_check_srej_gap(chan, tx_seq);
8f17154f
GP		 3582
3583 list_del(&first->list);
3584 kfree(first);
3585
39d5a3ee 3586 if (list_empty(&chan->srej_l)) {
42e5c802 3587 chan->buffer_seq = chan->buffer_seq_srej;
e2ab4353 3588 clear_bit(CONN_SREJ_SENT, &chan->conn_state);
525cd185 3589 l2cap_send_ack(chan);
49208c9c 3590 BT_DBG("chan %p, Exit SREJ_SENT", chan);
8f17154f
GP		 3591 }
3592 } else {
3593 struct srej_list *l;
9b53350d
JPRV		 3594
3595 /* duplicated tx_seq */
42e5c802 3596 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
9b53350d 3597 goto drop;
8f17154f 3598
39d5a3ee 3599 list_for_each_entry(l, &chan->srej_l, list) {
8f17154f 3600 if (l->tx_seq == tx_seq) {
525cd185 3601 l2cap_resend_srejframe(chan, tx_seq);
8f17154f
GP		 3602 return 0;
3603 }
3604 }
525cd185 3605 l2cap_send_srejframe(chan, tx_seq);
30afb5b2
GP		 3606 }
3607 } else {
836be934
AE		 3608 expected_tx_seq_offset = __seq_offset(chan,
3609 chan->expected_tx_seq, chan->buffer_seq);
9b53350d
JPRV		 3610
3611 /* duplicated tx_seq */
3612 if (tx_seq_offset < expected_tx_seq_offset)
3613 goto drop;
3614
e2ab4353 3615 set_bit(CONN_SREJ_SENT, &chan->conn_state);
1c2acffb 3616
49208c9c 3617 BT_DBG("chan %p, Enter SREJ", chan);
0e98958d 3618
39d5a3ee 3619 INIT_LIST_HEAD(&chan->srej_l);
42e5c802 3620 chan->buffer_seq_srej = chan->buffer_seq;
8f17154f 3621
f1c6775b 3622 __skb_queue_head_init(&chan->srej_q);
42e5c802 3623 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
8f17154f 3624
e2ab4353 3625 set_bit(CONN_SEND_PBIT, &chan->conn_state);
ef54fd93 3626
525cd185 3627 l2cap_send_srejframe(chan, tx_seq);
7fe9b298 3628
1a09bcb9 3629 __clear_ack_timer(chan);
1c2acffb 3630 }
30afb5b2
GP		 3631 return 0;
3632
8f17154f 3633expected:
836be934 3634 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
8f17154f 3635
e2ab4353 3636 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3b1a9f3f
GP		 3637 bt_cb(skb)->tx_seq = tx_seq;
3638 bt_cb(skb)->sar = sar;
f1c6775b 3639 __skb_queue_tail(&chan->srej_q, skb);
8f17154f
GP		 3640 return 0;
3641 }
3642
84084a31 3643 err = l2cap_reassemble_sdu(chan, skb, rx_control);
836be934
AE		 3644 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
3645
e328140f
MM		 3646 if (err < 0) {
3647 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3648 return err;
3649 }
2ece3684 3650
03f6715d 3651 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3652 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3653 l2cap_retransmit_frames(chan);
4ec10d97
GP		 3654 }
3655
1a09bcb9 3656 __set_ack_timer(chan);
c1b4f43b 3657
6a026610
GP		 3658 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3659 if (chan->num_acked == num_to_ack - 1)
525cd185 3660 l2cap_send_ack(chan);
9e917af1 3661
8f17154f 3662 return 0;
9b53350d
JPRV		 3663
3664drop:
3665 kfree_skb(skb);
3666 return 0;
1c2acffb
GP		 3667}
3668
88843ab0 3669static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u32 rx_control)
1c2acffb 3670{
88843ab0 3671 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan,
0b209fae 3672 __get_reqseq(chan, rx_control), rx_control);
0e98958d 3673
0b209fae 3674 chan->expected_ack_seq = __get_reqseq(chan, rx_control);
42e5c802 3675 l2cap_drop_acked_frames(chan);
1c2acffb 3676
e3781735 3677 if (__is_ctrl_poll(chan, rx_control)) {
e2ab4353
GP		 3678 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3679 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3680 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 3681 (chan->unacked_frames > 0))
1a09bcb9 3682 __set_retrans_timer(chan);
05fbd89d 3683
e2ab4353 3684 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
525cd185 3685 l2cap_send_srejtail(chan);
05fbd89d 3686 } else {
525cd185 3687 l2cap_send_i_or_rr_or_rnr(chan);
05fbd89d 3688 }
1d8f5d16 3689
03f6715d 3690 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3691 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4ec10d97 3692
e2ab4353 3693 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3694 l2cap_retransmit_frames(chan);
2246b2f1 3695
e072745f 3696 } else {
e2ab4353 3697 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 3698 (chan->unacked_frames > 0))
1a09bcb9 3699 __set_retrans_timer(chan);
1c2acffb 3700
e2ab4353
GP		 3701 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3702 if (test_bit(CONN_SREJ_SENT, &chan->conn_state))
525cd185 3703 l2cap_send_ack(chan);
894718a6 3704 else
525cd185 3705 l2cap_ertm_send(chan);
e072745f
GP		 3706 }
3707}
2246b2f1 3708
88843ab0 3709static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 3710{
0b209fae 3711 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 3712
88843ab0 3713 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 3714
e2ab4353 3715 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
e072745f 3716
42e5c802
GP		 3717 chan->expected_ack_seq = tx_seq;
3718 l2cap_drop_acked_frames(chan);
e072745f 3719
03f6715d 3720 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3721 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3722 l2cap_retransmit_frames(chan);
e072745f 3723 } else {
525cd185 3724 l2cap_retransmit_frames(chan);
30afb5b2 3725
e2ab4353
GP		 3726 if (test_bit(CONN_WAIT_F, &chan->conn_state))
3727 set_bit(CONN_REJ_ACT, &chan->conn_state);
e072745f
GP		 3728 }
3729}
88843ab0 3730static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 3731{
0b209fae 3732 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 3733
88843ab0 3734 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 3735
e2ab4353 3736 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
2246b2f1 3737
e3781735 3738 if (__is_ctrl_poll(chan, rx_control)) {
42e5c802
GP		 3739 chan->expected_ack_seq = tx_seq;
3740 l2cap_drop_acked_frames(chan);
3cb123d1 3741
e2ab4353 3742 set_bit(CONN_SEND_FBIT, &chan->conn_state);
525cd185 3743 l2cap_retransmit_one_frame(chan, tx_seq);
dfc909be 3744
525cd185 3745 l2cap_ertm_send(chan);
dfc909be 3746
e2ab4353 3747 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 3748 chan->srej_save_reqseq = tx_seq;
e2ab4353 3749 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 3750 }
03f6715d 3751 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3752 if (test_bit(CONN_SREJ_ACT, &chan->conn_state) &&
6a026610 3753 chan->srej_save_reqseq == tx_seq)
e2ab4353 3754 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
e072745f 3755 else
525cd185 3756 l2cap_retransmit_one_frame(chan, tx_seq);
e072745f 3757 } else {
525cd185 3758 l2cap_retransmit_one_frame(chan, tx_seq);
e2ab4353 3759 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 3760 chan->srej_save_reqseq = tx_seq;
e2ab4353 3761 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 3762 }
e072745f
GP		 3763 }
3764}
3765
88843ab0 3766static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 3767{
0b209fae 3768 u16 tx_seq = __get_reqseq(chan, rx_control);
e072745f 3769
88843ab0 3770 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 3771
e2ab4353 3772 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
42e5c802
GP		 3773 chan->expected_ack_seq = tx_seq;
3774 l2cap_drop_acked_frames(chan);
e072745f 3775
e3781735 3776 if (__is_ctrl_poll(chan, rx_control))
e2ab4353 3777 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3cb123d1 3778
e2ab4353 3779 if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
1a09bcb9 3780 __clear_retrans_timer(chan);
e3781735 3781 if (__is_ctrl_poll(chan, rx_control))
525cd185 3782 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
99b0d4b7 3783 return;
e072745f 3784 }
99b0d4b7 3785
e3781735 3786 if (__is_ctrl_poll(chan, rx_control)) {
525cd185 3787 l2cap_send_srejtail(chan);
ab784b73
AE		 3788 } else {
3789 rx_control = __set_ctrl_super(chan, L2CAP_SUPER_RR);
3790 l2cap_send_sframe(chan, rx_control);
3791 }
e072745f
GP		 3792}
3793
88843ab0 3794static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
e072745f 3795{
88843ab0 3796 BT_DBG("chan %p rx_control 0x%8.8x len %d", chan, rx_control, skb->len);
e072745f 3797
03f6715d 3798 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 3799 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 3800 __clear_monitor_timer(chan);
6a026610 3801 if (chan->unacked_frames > 0)
1a09bcb9 3802 __set_retrans_timer(chan);
e2ab4353 3803 clear_bit(CONN_WAIT_F, &chan->conn_state);
e072745f
GP		 3804 }
3805
ab784b73
AE		 3806 switch (__get_ctrl_super(chan, rx_control)) {
3807 case L2CAP_SUPER_RR:
525cd185 3808 l2cap_data_channel_rrframe(chan, rx_control);
8f17154f
GP		 3809 break;
3810
ab784b73 3811 case L2CAP_SUPER_REJ:
525cd185 3812 l2cap_data_channel_rejframe(chan, rx_control);
e072745f 3813 break;
2246b2f1 3814
ab784b73 3815 case L2CAP_SUPER_SREJ:
525cd185 3816 l2cap_data_channel_srejframe(chan, rx_control);
e072745f
GP		 3817 break;
3818
ab784b73 3819 case L2CAP_SUPER_RNR:
525cd185 3820 l2cap_data_channel_rnrframe(chan, rx_control);
1c2acffb
GP		 3821 break;
3822 }
3823
faaebd19 3824 kfree_skb(skb);
1c2acffb
GP		 3825 return 0;
3826}
3827
218bb9df
GP		 3828static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
3829{
525cd185 3830 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
88843ab0 3831 u32 control;
0b209fae 3832 u16 req_seq;
218bb9df
GP		 3833 int len, next_tx_seq_offset, req_seq_offset;
3834
88843ab0
AE		 3835 control = __get_control(chan, skb->data);
3836 skb_pull(skb, __ctrl_size(chan));
218bb9df
GP		 3837 len = skb->len;
3838
3839 /*
3840 * We can just drop the corrupted I-frame here.
3841 * Receiver will miss it and start proper recovery
3842 * procedures and ask retransmission.
3843 */
47d1ec61 3844 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 3845 goto drop;
3846
793c2f1c 3847 if (__is_sar_start(chan, control) && !__is_sframe(chan, control))
03a51213 3848 len -= L2CAP_SDULEN_SIZE;
218bb9df 3849
47d1ec61 3850 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 3851 len -= L2CAP_FCS_SIZE;
218bb9df 3852
47d1ec61 3853 if (len > chan->mps) {
8c1d787b 3854 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3855 goto drop;
3856 }
3857
0b209fae 3858 req_seq = __get_reqseq(chan, control);
218bb9df 3859
836be934
AE		 3860 req_seq_offset = __seq_offset(chan, req_seq, chan->expected_ack_seq);
3861
3862 next_tx_seq_offset = __seq_offset(chan, chan->next_tx_seq,
3863 chan->expected_ack_seq);
218bb9df
GP		 3864
3865 /* check for invalid req-seq */
3866 if (req_seq_offset > next_tx_seq_offset) {
8c1d787b 3867 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3868 goto drop;
3869 }
3870
793c2f1c 3871 if (!__is_sframe(chan, control)) {
218bb9df 3872 if (len < 0) {
8c1d787b 3873 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3874 goto drop;
3875 }
3876
525cd185 3877 l2cap_data_channel_iframe(chan, control, skb);
218bb9df
GP		 3878 } else {
3879 if (len != 0) {
3880 BT_ERR("%d", len);
8c1d787b 3881 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 3882 goto drop;
3883 }
3884
525cd185 3885 l2cap_data_channel_sframe(chan, control, skb);
218bb9df
GP		 3886 }
3887
3888 return 0;
3889
3890drop:
3891 kfree_skb(skb);
3892 return 0;
3893}
3894
1da177e4
LT		 3895static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
3896{
48454079 3897 struct l2cap_chan *chan;
bf734843 3898 struct sock *sk = NULL;
88843ab0 3899 u32 control;
fb45de7d 3900 u16 tx_seq;
218bb9df 3901 int len;
1da177e4 3902
baa7e1fa 3903 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 3904 if (!chan) {
1da177e4
LT		 3905 BT_DBG("unknown cid 0x%4.4x", cid);
3906 goto drop;
3907 }
3908
48454079 3909 sk = chan->sk;
6840ed07 3910
49208c9c 3911 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 3912
89bc500e 3913 if (chan->state != BT_CONNECTED)
1da177e4
LT		 3914 goto drop;
3915
0c1bc5c6 3916 switch (chan->mode) {
1c2acffb
GP		 3917 case L2CAP_MODE_BASIC:
3918 /* If socket recv buffers overflows we drop data here
3919 * which is *bad* because L2CAP has to be reliable.
3920 * But we don't have any other choice. L2CAP doesn't
3921 * provide flow control mechanism. */
1da177e4 3922
0c1bc5c6 3923 if (chan->imtu < skb->len)
1c2acffb 3924 goto drop;
1da177e4 3925
23070494 3926 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP		 3927 goto done;
3928 break;
3929
3930 case L2CAP_MODE_ERTM:
218bb9df
GP		 3931 if (!sock_owned_by_user(sk)) {
3932 l2cap_ertm_data_rcv(sk, skb);
277ffbe3 3933 } else {
218bb9df 3934 if (sk_add_backlog(sk, skb))
277ffbe3 3935 goto drop;
277ffbe3 3936 }
1c2acffb 3937
fcafde2e 3938 goto done;
1c2acffb 3939
6840ed07 3940 case L2CAP_MODE_STREAMING:
88843ab0
AE		 3941 control = __get_control(chan, skb->data);
3942 skb_pull(skb, __ctrl_size(chan));
6840ed07
GP		 3943 len = skb->len;
3944
47d1ec61 3945 if (l2cap_check_fcs(chan, skb))
26000089
GP		 3946 goto drop;
3947
7e0ef6ee 3948 if (__is_sar_start(chan, control))
03a51213 3949 len -= L2CAP_SDULEN_SIZE;
6840ed07 3950
47d1ec61 3951 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 3952 len -= L2CAP_FCS_SIZE;
fcc203c3 3953
793c2f1c 3954 if (len > chan->mps || len < 0 || __is_sframe(chan, control))
6840ed07
GP		 3955 goto drop;
3956
fb45de7d 3957 tx_seq = __get_txseq(chan, control);
6840ed07 3958
84084a31
MM		 3959 if (chan->expected_tx_seq != tx_seq) {
3960 /* Frame(s) missing - must discard partial SDU */
3961 kfree_skb(chan->sdu);
3962 chan->sdu = NULL;
3963 chan->sdu_last_frag = NULL;
3964 chan->sdu_len = 0;
6840ed07 3965
84084a31
MM		 3966 /* TODO: Notify userland of missing data */
3967 }
3968
836be934 3969 chan->expected_tx_seq = __next_seq(chan, tx_seq);
84084a31
MM		 3970
3971 if (l2cap_reassemble_sdu(chan, skb, control) == -EMSGSIZE)
3972 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
6840ed07
GP		 3973
3974 goto done;
3975
1c2acffb 3976 default:
0c1bc5c6 3977 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 3978 break;
3979 }
1da177e4
LT		 3980
3981drop:
3982 kfree_skb(skb);
3983
3984done:
0139418c
MH		 3985 if (sk)
3986 bh_unlock_sock(sk);
3987
1da177e4
LT		 3988 return 0;
3989}
3990
8e036fc3 3991static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 3992{
6dcae1ea 3993 struct sock *sk = NULL;
23691d75 3994 struct l2cap_chan *chan;
1da177e4 3995
23691d75
GP		 3996 chan = l2cap_global_chan_by_psm(0, psm, conn->src);
3997 if (!chan)
1da177e4
LT		 3998 goto drop;
3999
23691d75
GP		 4000 sk = chan->sk;
4001
e0f0cb56
GP		 4002 bh_lock_sock(sk);
4003
1da177e4
LT		 4004 BT_DBG("sk %p, len %d", sk, skb->len);
4005
89bc500e 4006 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 4007 goto drop;
4008
e13e21dc 4009 if (chan->imtu < skb->len)
1da177e4
LT		 4010 goto drop;
4011
23070494 4012 if (!chan->ops->recv(chan->data, skb))
1da177e4
LT		 4013 goto done;
4014
4015drop:
4016 kfree_skb(skb);
4017
4018done:
af05b30b
GP		 4019 if (sk)
4020 bh_unlock_sock(sk);
1da177e4
LT		 4021 return 0;
4022}
4023
9f69bda6
GP		 4024static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
4025{
6dcae1ea 4026 struct sock *sk = NULL;
23691d75 4027 struct l2cap_chan *chan;
9f69bda6 4028
23691d75
GP		 4029 chan = l2cap_global_chan_by_scid(0, cid, conn->src);
4030 if (!chan)
9f69bda6
GP		 4031 goto drop;
4032
23691d75
GP		 4033 sk = chan->sk;
4034
9f69bda6
GP		 4035 bh_lock_sock(sk);
4036
4037 BT_DBG("sk %p, len %d", sk, skb->len);
4038
89bc500e 4039 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 4040 goto drop;
4041
e13e21dc 4042 if (chan->imtu < skb->len)
9f69bda6
GP		 4043 goto drop;
4044
23070494 4045 if (!chan->ops->recv(chan->data, skb))
9f69bda6
GP		 4046 goto done;
4047
4048drop:
4049 kfree_skb(skb);
4050
4051done:
4052 if (sk)
4053 bh_unlock_sock(sk);
4054 return 0;
4055}
4056
1da177e4
LT		 4057static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4058{
4059 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4060 u16 cid, len;
4061 __le16 psm;
1da177e4
LT		 4062
4063 skb_pull(skb, L2CAP_HDR_SIZE);
4064 cid = __le16_to_cpu(lh->cid);
4065 len = __le16_to_cpu(lh->len);
4066
1c2acffb
GP		 4067 if (len != skb->len) {
4068 kfree_skb(skb);
4069 return;
4070 }
4071
1da177e4
LT		 4072 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4073
4074 switch (cid) {
3300d9a9 4075 case L2CAP_CID_LE_SIGNALING:
8db4dc46 4076 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4077 l2cap_sig_channel(conn, skb);
4078 break;
4079
8db4dc46 4080 case L2CAP_CID_CONN_LESS:
1b7bf4ed 4081 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 4082 skb_pull(skb, 2);
4083 l2cap_conless_channel(conn, psm, skb);
4084 break;
4085
9f69bda6
GP		 4086 case L2CAP_CID_LE_DATA:
4087 l2cap_att_channel(conn, cid, skb);
4088 break;
4089
b501d6a1
AB		 4090 case L2CAP_CID_SMP:
4091 if (smp_sig_channel(conn, skb))
4092 l2cap_conn_del(conn->hcon, EACCES);
4093 break;
4094
1da177e4
LT		 4095 default:
4096 l2cap_data_channel(conn, cid, skb);
4097 break;
4098 }
4099}
4100
4101/* ---- L2CAP interface with lower layer (HCI) ---- */
4102
4103static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4104{
4105 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 4106 struct l2cap_chan *c;
1da177e4
LT		 4107
4108 if (type != ACL_LINK)
963cf687 4109 return -EINVAL;
1da177e4
LT		 4110
4111 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4112
4113 /* Find listening sockets and check their link_mode */
23691d75
GP		 4114 read_lock(&chan_list_lock);
4115 list_for_each_entry(c, &chan_list, global_l) {
4116 struct sock *sk = c->sk;
4343478f 4117
89bc500e 4118 if (c->state != BT_LISTEN)
1da177e4
LT		 4119 continue;
4120
4121 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4122 lm1 |= HCI_LM_ACCEPT;
43bd0f32 4123 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 4124 lm1 |= HCI_LM_MASTER;
1da177e4 4125 exact++;
2af6b9d5
MH		 4126 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4127 lm2 |= HCI_LM_ACCEPT;
43bd0f32 4128 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 4129 lm2 |= HCI_LM_MASTER;
4130 }
1da177e4 4131 }
23691d75 4132 read_unlock(&chan_list_lock);
1da177e4
LT		 4133
4134 return exact ? lm1 : lm2;
4135}
4136
4137static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4138{
0139418c
MH		 4139 struct l2cap_conn *conn;
4140
1da177e4
LT		 4141 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4142
acd7d370 4143 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4144 return -EINVAL;
1da177e4
LT		 4145
4146 if (!status) {
1da177e4
LT		 4147 conn = l2cap_conn_add(hcon, status);
4148 if (conn)
4149 l2cap_conn_ready(conn);
0139418c 4150 } else
e175072f 4151 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 4152
4153 return 0;
4154}
4155
2950f21a
MH		 4156static int l2cap_disconn_ind(struct hci_conn *hcon)
4157{
4158 struct l2cap_conn *conn = hcon->l2cap_data;
4159
4160 BT_DBG("hcon %p", hcon);
4161
b5694506 4162 if ((hcon->type != ACL_LINK && hcon->type != LE_LINK) || !conn)
2950f21a
MH		 4163 return 0x13;
4164
4165 return conn->disc_reason;
4166}
4167
4168static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4169{
4170 BT_DBG("hcon %p reason %d", hcon, reason);
4171
acd7d370 4172 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4173 return -EINVAL;
1da177e4 4174
e175072f 4175 l2cap_conn_del(hcon, bt_to_errno(reason));
0139418c 4176
1da177e4
LT		 4177 return 0;
4178}
4179
4343478f 4180static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4181{
715ec005 4182 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 4183 return;
4184
f62e4323 4185 if (encrypt == 0x00) {
4343478f 4186 if (chan->sec_level == BT_SECURITY_MEDIUM) {
c9b66675
GP		 4187 __clear_chan_timer(chan);
4188 __set_chan_timer(chan, HZ * 5);
4343478f 4189 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 4190 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4191 } else {
4343478f 4192 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 4193 __clear_chan_timer(chan);
f62e4323
MH		 4194 }
4195}
4196
8c1b2355 4197static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4198{
0139418c 4199 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4200 struct l2cap_chan *chan;
1da177e4 4201
0139418c 4202 if (!conn)
1da177e4 4203 return 0;
0139418c 4204
1da177e4
LT		 4205 BT_DBG("conn %p", conn);
4206
160dc6ac
VCG		 4207 if (hcon->type == LE_LINK) {
4208 smp_distribute_keys(conn, 0);
4209 del_timer(&conn->security_timer);
4210 }
4211
baa7e1fa 4212 read_lock(&conn->chan_lock);
1da177e4 4213
baa7e1fa 4214 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 4215 struct sock *sk = chan->sk;
baa7e1fa 4216
1da177e4
LT		 4217 bh_lock_sock(sk);
4218
f1cb9af5
VCG		 4219 BT_DBG("chan->scid %d", chan->scid);
4220
4221 if (chan->scid == L2CAP_CID_LE_DATA) {
4222 if (!status && encrypt) {
4223 chan->sec_level = hcon->sec_level;
4224 l2cap_chan_ready(sk);
4225 }
4226
4227 bh_unlock_sock(sk);
4228 continue;
4229 }
4230
c1360a1c 4231 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6a8d3010
MH		 4232 bh_unlock_sock(sk);
4233 continue;
4234 }
4235
89bc500e
GP		 4236 if (!status && (chan->state == BT_CONNECTED ||
4237 chan->state == BT_CONFIG)) {
4343478f 4238 l2cap_check_encryption(chan, encrypt);
9719f8af
MH		 4239 bh_unlock_sock(sk);
4240 continue;
4241 }
4242
89bc500e 4243 if (chan->state == BT_CONNECT) {
b1235d79
MH		 4244 if (!status) {
4245 struct l2cap_conn_req req;
fe4128e0
GP		 4246 req.scid = cpu_to_le16(chan->scid);
4247 req.psm = chan->psm;
1da177e4 4248
fc7f8a7e 4249 chan->ident = l2cap_get_ident(conn);
c1360a1c 4250 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4 4251
fc7f8a7e 4252 l2cap_send_cmd(conn, chan->ident,
b1235d79
MH		 4253 L2CAP_CONN_REQ, sizeof(req), &req);
4254 } else {
c9b66675
GP		 4255 __clear_chan_timer(chan);
4256 __set_chan_timer(chan, HZ / 10);
b1235d79 4257 }
89bc500e 4258 } else if (chan->state == BT_CONNECT2) {
b1235d79 4259 struct l2cap_conn_rsp rsp;
df3c3931 4260 __u16 res, stat;
1da177e4 4261
b1235d79 4262 if (!status) {
df3c3931
JH		 4263 if (bt_sk(sk)->defer_setup) {
4264 struct sock *parent = bt_sk(sk)->parent;
4265 res = L2CAP_CR_PEND;
4266 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 4267 if (parent)
4268 parent->sk_data_ready(parent, 0);
df3c3931 4269 } else {
05558911 4270 l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 4271 res = L2CAP_CR_SUCCESS;
4272 stat = L2CAP_CS_NO_INFO;
4273 }
b1235d79 4274 } else {
89bc500e 4275 l2cap_state_change(chan, BT_DISCONN);
c9b66675 4276 __set_chan_timer(chan, HZ / 10);
df3c3931
JH		 4277 res = L2CAP_CR_SEC_BLOCK;
4278 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 4279 }
4280
fe4128e0
GP		 4281 rsp.scid = cpu_to_le16(chan->dcid);
4282 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 4283 rsp.result = cpu_to_le16(res);
4284 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 4285 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4286 sizeof(rsp), &rsp);
b1235d79 4287 }
1da177e4
LT		 4288
4289 bh_unlock_sock(sk);
4290 }
4291
baa7e1fa 4292 read_unlock(&conn->chan_lock);
b1235d79 4293
1da177e4
LT		 4294 return 0;
4295}
4296
4297static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4298{
4299 struct l2cap_conn *conn = hcon->l2cap_data;
4300
5a08ecce
AE		 4301 if (!conn)
4302 conn = l2cap_conn_add(hcon, 0);
4303
4304 if (!conn)
1da177e4
LT		 4305 goto drop;
4306
4307 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4308
e702112f 4309 if (!(flags & ACL_CONT)) {
1da177e4 4310 struct l2cap_hdr *hdr;
48454079 4311 struct l2cap_chan *chan;
89794813 4312 u16 cid;
1da177e4
LT		 4313 int len;
4314
4315 if (conn->rx_len) {
4316 BT_ERR("Unexpected start frame (len %d)", skb->len);
4317 kfree_skb(conn->rx_skb);
4318 conn->rx_skb = NULL;
4319 conn->rx_len = 0;
4320 l2cap_conn_unreliable(conn, ECOMM);
4321 }
4322
aae7fe22
AE		 4323 /* Start fragment always begin with Basic L2CAP header */
4324 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 4325 BT_ERR("Frame is too short (len %d)", skb->len);
4326 l2cap_conn_unreliable(conn, ECOMM);
4327 goto drop;
4328 }
4329
4330 hdr = (struct l2cap_hdr *) skb->data;
4331 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
89794813 4332 cid = __le16_to_cpu(hdr->cid);
1da177e4
LT		 4333
4334 if (len == skb->len) {
4335 /* Complete frame received */
4336 l2cap_recv_frame(conn, skb);
4337 return 0;
4338 }
4339
4340 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4341
4342 if (skb->len > len) {
4343 BT_ERR("Frame is too long (len %d, expected len %d)",
4344 skb->len, len);
4345 l2cap_conn_unreliable(conn, ECOMM);
4346 goto drop;
4347 }
4348
baa7e1fa 4349 chan = l2cap_get_chan_by_scid(conn, cid);
89794813 4350
48454079
GP		 4351 if (chan && chan->sk) {
4352 struct sock *sk = chan->sk;
89794813 4353
0c1bc5c6 4354 if (chan->imtu < len - L2CAP_HDR_SIZE) {
48454079
GP		 4355 BT_ERR("Frame exceeding recv MTU (len %d, "
4356 "MTU %d)", len,
0c1bc5c6 4357 chan->imtu);
48454079
GP		 4358 bh_unlock_sock(sk);
4359 l2cap_conn_unreliable(conn, ECOMM);
4360 goto drop;
4361 }
89794813 4362 bh_unlock_sock(sk);
48454079 4363 }
89794813 4364
1da177e4 4365 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4366 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4367 if (!conn->rx_skb)
1da177e4
LT		 4368 goto drop;
4369
d626f62b 4370 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4371 skb->len);
1da177e4
LT		 4372 conn->rx_len = len - skb->len;
4373 } else {
4374 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4375
4376 if (!conn->rx_len) {
4377 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4378 l2cap_conn_unreliable(conn, ECOMM);
4379 goto drop;
4380 }
4381
4382 if (skb->len > conn->rx_len) {
4383 BT_ERR("Fragment is too long (len %d, expected %d)",
4384 skb->len, conn->rx_len);
4385 kfree_skb(conn->rx_skb);
4386 conn->rx_skb = NULL;
4387 conn->rx_len = 0;
4388 l2cap_conn_unreliable(conn, ECOMM);
4389 goto drop;
4390 }
4391
d626f62b 4392 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4393 skb->len);
1da177e4
LT		 4394 conn->rx_len -= skb->len;
4395
4396 if (!conn->rx_len) {
4397 /* Complete frame received */
4398 l2cap_recv_frame(conn, conn->rx_skb);
4399 conn->rx_skb = NULL;
4400 }
4401 }
4402
4403drop:
4404 kfree_skb(skb);
4405 return 0;
4406}
4407
aef7d97c 4408static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 4409{
23691d75 4410 struct l2cap_chan *c;
1da177e4 4411
23691d75 4412 read_lock_bh(&chan_list_lock);
1da177e4 4413
23691d75
GP		 4414 list_for_each_entry(c, &chan_list, global_l) {
4415 struct sock *sk = c->sk;
101545f6 4416
903d343e 4417 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 4418 batostr(&bt_sk(sk)->src),
4419 batostr(&bt_sk(sk)->dst),
89bc500e 4420 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 4421 c->scid, c->dcid, c->imtu, c->omtu,
4422 c->sec_level, c->mode);
05558911 4423}
1da177e4 4424
23691d75 4425 read_unlock_bh(&chan_list_lock);
1da177e4 4426
aef7d97c 4427 return 0;
1da177e4
LT		 4428}
4429
aef7d97c
MH		 4430static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4431{
4432 return single_open(file, l2cap_debugfs_show, inode->i_private);
4433}
4434
4435static const struct file_operations l2cap_debugfs_fops = {
4436 .open = l2cap_debugfs_open,
4437 .read = seq_read,
4438 .llseek = seq_lseek,
4439 .release = single_release,
4440};
4441
4442static struct dentry *l2cap_debugfs;
1da177e4 4443
1da177e4
LT		 4444static struct hci_proto l2cap_hci_proto = {
4445 .name = "L2CAP",
4446 .id = HCI_PROTO_L2CAP,
4447 .connect_ind = l2cap_connect_ind,
4448 .connect_cfm = l2cap_connect_cfm,
4449 .disconn_ind = l2cap_disconn_ind,
2950f21a 4450 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 4451 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 4452 .recv_acldata = l2cap_recv_acldata
4453};
4454
64274518 4455int __init l2cap_init(void)
1da177e4
LT		 4456{
4457 int err;
be9d1227 4458
bb58f747 4459 err = l2cap_init_sockets();
1da177e4
LT		 4460 if (err < 0)
4461 return err;
4462
1da177e4
LT		 4463 err = hci_register_proto(&l2cap_hci_proto);
4464 if (err < 0) {
4465 BT_ERR("L2CAP protocol registration failed");
4466 bt_sock_unregister(BTPROTO_L2CAP);
4467 goto error;
4468 }
4469
aef7d97c
MH		 4470 if (bt_debugfs) {
4471 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4472 bt_debugfs, NULL, &l2cap_debugfs_fops);
4473 if (!l2cap_debugfs)
4474 BT_ERR("Failed to create L2CAP debug file");
4475 }
1da177e4 4476
1da177e4
LT		 4477 return 0;
4478
4479error:
bb58f747 4480 l2cap_cleanup_sockets();
1da177e4
LT		 4481 return err;
4482}
4483
64274518 4484void l2cap_exit(void)
1da177e4 4485{
aef7d97c 4486 debugfs_remove(l2cap_debugfs);
1da177e4 4487
1da177e4
LT		 4488 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4489 BT_ERR("L2CAP protocol unregistration failed");
4490
bb58f747 4491 l2cap_cleanup_sockets();
1da177e4
LT		 4492}
4493
d1c4a17d
GP		 4494module_param(disable_ertm, bool, 0644);
4495MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
a5fd6f30
AE		 4496
4497module_param(enable_hs, bool, 0644);
4498MODULE_PARM_DESC(enable_hs, "Enable High Speed");
kernel source for telekom puls (alcatel/mediatek)