projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: report the right security level in getsockopt
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
33#include <linux/types.h>
4fc268d2 34#include <linux/capability.h>
1da177e4
LT		 35#include <linux/errno.h>
36#include <linux/kernel.h>
1da177e4
LT		 37#include <linux/sched.h>
38#include <linux/slab.h>
39#include <linux/poll.h>
40#include <linux/fcntl.h>
41#include <linux/init.h>
42#include <linux/interrupt.h>
43#include <linux/socket.h>
44#include <linux/skbuff.h>
1da177e4 45#include <linux/list.h>
be9d1227 46#include <linux/device.h>
aef7d97c
MH		 47#include <linux/debugfs.h>
48#include <linux/seq_file.h>
af05b30b 49#include <linux/uaccess.h>
fcc203c3 50#include <linux/crc16.h>
1da177e4
LT		 51#include <net/sock.h>
52
1da177e4
LT		 53#include <asm/unaligned.h>
54
55#include <net/bluetooth/bluetooth.h>
56#include <net/bluetooth/hci_core.h>
57#include <net/bluetooth/l2cap.h>
b501d6a1 58#include <net/bluetooth/smp.h>
1da177e4 59
eb939922 60bool disable_ertm;
f0709e03 61
47ec1dcd 62static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 63static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 64
b5ad8b7f
JB		 65static LIST_HEAD(chan_list);
66static DEFINE_RWLOCK(chan_list_lock);
1da177e4 67
1da177e4
LT		 68static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
69 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 70static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
71 void *data);
710f9b0a 72static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a
GP		 73static void l2cap_send_disconn_req(struct l2cap_conn *conn,
74 struct l2cap_chan *chan, int err);
1da177e4 75
0139418c 76/* ---- L2CAP channels ---- */
71ba0e56 77
baa7e1fa 78static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 79{
3df91ea2 80 struct l2cap_chan *c;
3d57dc68 81
3df91ea2
AE		 82 list_for_each_entry(c, &conn->chan_l, list) {
83 if (c->dcid == cid)
84 return c;
0139418c 85 }
3df91ea2 86 return NULL;
0139418c
MH		 87}
88
baa7e1fa 89static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 90{
3df91ea2 91 struct l2cap_chan *c;
3d57dc68 92
3df91ea2
AE		 93 list_for_each_entry(c, &conn->chan_l, list) {
94 if (c->scid == cid)
95 return c;
0139418c 96 }
3df91ea2 97 return NULL;
0139418c
MH		 98}
99
100/* Find channel with given SCID.
ef191ade 101 * Returns locked channel. */
baa7e1fa 102static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 103{
48454079 104 struct l2cap_chan *c;
baa7e1fa 105
3df91ea2 106 mutex_lock(&conn->chan_lock);
baa7e1fa 107 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 108 if (c)
109 l2cap_chan_lock(c);
3df91ea2
AE		 110 mutex_unlock(&conn->chan_lock);
111
48454079 112 return c;
0139418c
MH		 113}
114
baa7e1fa 115static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 116{
3df91ea2 117 struct l2cap_chan *c;
3d57dc68 118
3df91ea2
AE		 119 list_for_each_entry(c, &conn->chan_l, list) {
120 if (c->ident == ident)
121 return c;
0139418c 122 }
3df91ea2 123 return NULL;
0139418c
MH		 124}
125
23691d75 126static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 127{
23691d75 128 struct l2cap_chan *c;
9e4425ff 129
23691d75
GP		 130 list_for_each_entry(c, &chan_list, global_l) {
131 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 132 return c;
9e4425ff 133 }
250938cb 134 return NULL;
9e4425ff
GP		 135}
136
137int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
138{
73b2ec18
GP		 139 int err;
140
333055f2 141 write_lock(&chan_list_lock);
9e4425ff 142
23691d75 143 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 144 err = -EADDRINUSE;
145 goto done;
9e4425ff
GP		 146 }
147
73b2ec18
GP		 148 if (psm) {
149 chan->psm = psm;
150 chan->sport = psm;
151 err = 0;
152 } else {
153 u16 p;
154
155 err = -EINVAL;
156 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 157 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 158 chan->psm = cpu_to_le16(p);
159 chan->sport = cpu_to_le16(p);
160 err = 0;
161 break;
162 }
163 }
9e4425ff 164
73b2ec18 165done:
333055f2 166 write_unlock(&chan_list_lock);
73b2ec18 167 return err;
9e4425ff
GP		 168}
169
170int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
171{
333055f2 172 write_lock(&chan_list_lock);
9e4425ff
GP		 173
174 chan->scid = scid;
175
333055f2 176 write_unlock(&chan_list_lock);
9e4425ff
GP		 177
178 return 0;
179}
180
baa7e1fa 181static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 182{
8db4dc46 183 u16 cid = L2CAP_CID_DYN_START;
0139418c 184
8db4dc46 185 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 186 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 187 return cid;
188 }
189
190 return 0;
191}
192
0e587be7 193static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 194{
42d2d87c 195 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
badaaa00
GP		 196 state_to_string(state));
197
89bc500e
GP		 198 chan->state = state;
199 chan->ops->state_change(chan->data, state);
200}
201
0e587be7
AE		 202static void l2cap_state_change(struct l2cap_chan *chan, int state)
203{
204 struct sock *sk = chan->sk;
205
206 lock_sock(sk);
207 __l2cap_state_change(chan, state);
208 release_sock(sk);
209}
210
2e0052e4
AE		 211static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
212{
213 struct sock *sk = chan->sk;
214
215 sk->sk_err = err;
216}
217
218static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
219{
220 struct sock *sk = chan->sk;
221
222 lock_sock(sk);
223 __l2cap_chan_set_err(chan, err);
224 release_sock(sk);
225}
226
3c588192
MM		 227/* ---- L2CAP sequence number lists ---- */
228
229/* For ERTM, ordered lists of sequence numbers must be tracked for
230 * SREJ requests that are received and for frames that are to be
231 * retransmitted. These seq_list functions implement a singly-linked
232 * list in an array, where membership in the list can also be checked
233 * in constant time. Items can also be added to the tail of the list
234 * and removed from the head in constant time, without further memory
235 * allocs or frees.
236 */
237
238static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
239{
240 size_t alloc_size, i;
241
242 /* Allocated size is a power of 2 to map sequence numbers
243 * (which may be up to 14 bits) in to a smaller array that is
244 * sized for the negotiated ERTM transmit windows.
245 */
246 alloc_size = roundup_pow_of_two(size);
247
248 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
249 if (!seq_list->list)
250 return -ENOMEM;
251
252 seq_list->mask = alloc_size - 1;
253 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
254 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
255 for (i = 0; i < alloc_size; i++)
256 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
257
258 return 0;
259}
260
261static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
262{
263 kfree(seq_list->list);
264}
265
266static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
267 u16 seq)
268{
269 /* Constant-time check for list membership */
270 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
271}
272
273static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
274{
275 u16 mask = seq_list->mask;
276
277 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
278 /* In case someone tries to pop the head of an empty list */
279 return L2CAP_SEQ_LIST_CLEAR;
280 } else if (seq_list->head == seq) {
281 /* Head can be removed in constant time */
282 seq_list->head = seq_list->list[seq & mask];
283 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
284
285 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
286 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
287 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
288 }
289 } else {
290 /* Walk the list to find the sequence number */
291 u16 prev = seq_list->head;
292 while (seq_list->list[prev & mask] != seq) {
293 prev = seq_list->list[prev & mask];
294 if (prev == L2CAP_SEQ_LIST_TAIL)
295 return L2CAP_SEQ_LIST_CLEAR;
296 }
297
298 /* Unlink the number from the list and clear it */
299 seq_list->list[prev & mask] = seq_list->list[seq & mask];
300 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
301 if (seq_list->tail == seq)
302 seq_list->tail = prev;
303 }
304 return seq;
305}
306
307static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
308{
309 /* Remove the head in constant time */
310 return l2cap_seq_list_remove(seq_list, seq_list->head);
311}
312
313static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
314{
f522ae36 315 u16 i;
3c588192 316
f522ae36
GP		 317 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
318 return;
319
320 for (i = 0; i <= seq_list->mask; i++)
321 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
322
323 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
324 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 325}
326
327static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
328{
329 u16 mask = seq_list->mask;
330
331 /* All appends happen in constant time */
332
f522ae36
GP		 333 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
334 return;
3c588192 335
f522ae36
GP		 336 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
337 seq_list->head = seq;
338 else
339 seq_list->list[seq_list->tail & mask] = seq;
340
341 seq_list->tail = seq;
342 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 343}
344
721c4181 345static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 346{
721c4181
GP		 347 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
348 chan_timer.work);
3df91ea2 349 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 350 int reason;
351
e05dcc32 352 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 353
3df91ea2 354 mutex_lock(&conn->chan_lock);
6be36555 355 l2cap_chan_lock(chan);
ab07801d 356
89bc500e 357 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 358 reason = ECONNREFUSED;
89bc500e 359 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 360 chan->sec_level != BT_SECURITY_SDP)
361 reason = ECONNREFUSED;
362 else
363 reason = ETIMEDOUT;
364
0f852724 365 l2cap_chan_close(chan, reason);
ab07801d 366
6be36555 367 l2cap_chan_unlock(chan);
ab07801d 368
ba3bd0ee 369 chan->ops->close(chan->data);
3df91ea2
AE		 370 mutex_unlock(&conn->chan_lock);
371
371fd835 372 l2cap_chan_put(chan);
ab07801d
GP		 373}
374
eef1d9b6 375struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 376{
377 struct l2cap_chan *chan;
378
379 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
380 if (!chan)
381 return NULL;
382
c03b355e
AE		 383 mutex_init(&chan->lock);
384
333055f2 385 write_lock(&chan_list_lock);
23691d75 386 list_add(&chan->global_l, &chan_list);
333055f2 387 write_unlock(&chan_list_lock);
23691d75 388
721c4181 389 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 390
89bc500e
GP		 391 chan->state = BT_OPEN;
392
71ba0e56
GP		 393 atomic_set(&chan->refcnt, 1);
394
eef1d9b6 395 BT_DBG("chan %p", chan);
abc545b8 396
48454079
GP		 397 return chan;
398}
399
23691d75 400void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 401{
333055f2 402 write_lock(&chan_list_lock);
23691d75 403 list_del(&chan->global_l);
333055f2 404 write_unlock(&chan_list_lock);
23691d75 405
371fd835 406 l2cap_chan_put(chan);
6ff5abbf
GP		 407}
408
bd4b1653
AE		 409void l2cap_chan_set_defaults(struct l2cap_chan *chan)
410{
411 chan->fcs = L2CAP_FCS_CRC16;
412 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
413 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
414 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
415 chan->sec_level = BT_SECURITY_LOW;
416
417 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
418}
419
14a28491 420static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 421{
af05b30b 422 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 423 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 424
9f5a0d7b 425 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 426
8c1d787b 427 chan->conn = conn;
0139418c 428
5491120e
AE		 429 switch (chan->chan_type) {
430 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 431 if (conn->hcon->type == LE_LINK) {
432 /* LE connection */
0c1bc5c6 433 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 434 chan->scid = L2CAP_CID_LE_DATA;
435 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 436 } else {
437 /* Alloc CID for connection-oriented socket */
fe4128e0 438 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 439 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 440 }
5491120e
AE		 441 break;
442
443 case L2CAP_CHAN_CONN_LESS:
0139418c 444 /* Connectionless socket */
fe4128e0
GP		 445 chan->scid = L2CAP_CID_CONN_LESS;
446 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 447 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 448 break;
449
450 default:
0139418c 451 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 452 chan->scid = L2CAP_CID_SIGNALING;
453 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 454 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 455 }
456
8f7975b1
AE		 457 chan->local_id = L2CAP_BESTEFFORT_ID;
458 chan->local_stype = L2CAP_SERV_BESTEFFORT;
459 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
460 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
461 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
462 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
463
371fd835 464 l2cap_chan_hold(chan);
baa7e1fa 465
3df91ea2 466 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 467}
468
14a28491 469static void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 470{
471 mutex_lock(&conn->chan_lock);
472 __l2cap_chan_add(conn, chan);
3df91ea2 473 mutex_unlock(&conn->chan_lock);
0139418c
MH		 474}
475
4519de9a 476static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 477{
48454079 478 struct sock *sk = chan->sk;
8c1d787b 479 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 480 struct sock *parent = bt_sk(sk)->parent;
481
c9b66675 482 __clear_chan_timer(chan);
0139418c 483
49208c9c 484 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 485
8e87d142 486 if (conn) {
baa7e1fa 487 /* Delete from channel list */
3df91ea2 488 list_del(&chan->list);
3d57dc68 489
371fd835 490 l2cap_chan_put(chan);
baa7e1fa 491
8c1d787b 492 chan->conn = NULL;
0139418c
MH		 493 hci_conn_put(conn->hcon);
494 }
495
6be36555
AE		 496 lock_sock(sk);
497
0e587be7 498 __l2cap_state_change(chan, BT_CLOSED);
0139418c
MH		 499 sock_set_flag(sk, SOCK_ZAPPED);
500
501 if (err)
2e0052e4 502 __l2cap_chan_set_err(chan, err);
0139418c
MH		 503
504 if (parent) {
505 bt_accept_unlink(sk);
506 parent->sk_data_ready(parent, 0);
507 } else
508 sk->sk_state_change(sk);
c13ffa62 509
6be36555
AE		 510 release_sock(sk);
511
c1360a1c
GP		 512 if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
513 test_bit(CONF_INPUT_DONE, &chan->conf_state)))
6ff5abbf 514 return;
2ead70b8 515
58d35f87 516 skb_queue_purge(&chan->tx_q);
c13ffa62 517
0c1bc5c6 518 if (chan->mode == L2CAP_MODE_ERTM) {
c13ffa62
GP		 519 struct srej_list *l, *tmp;
520
1a09bcb9
GP		 521 __clear_retrans_timer(chan);
522 __clear_monitor_timer(chan);
523 __clear_ack_timer(chan);
c13ffa62 524
f1c6775b 525 skb_queue_purge(&chan->srej_q);
c13ffa62 526
3c588192
MM		 527 l2cap_seq_list_free(&chan->srej_list);
528 l2cap_seq_list_free(&chan->retrans_list);
39d5a3ee 529 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
c13ffa62
GP		 530 list_del(&l->list);
531 kfree(l);
532 }
533 }
0139418c
MH		 534}
535
4519de9a
GP		 536static void l2cap_chan_cleanup_listen(struct sock *parent)
537{
538 struct sock *sk;
539
540 BT_DBG("parent %p", parent);
541
542 /* Close not yet accepted channels */
0f852724 543 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee 544 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
3df91ea2 545
6be36555 546 l2cap_chan_lock(chan);
c9b66675 547 __clear_chan_timer(chan);
ba3bd0ee 548 l2cap_chan_close(chan, ECONNRESET);
6be36555 549 l2cap_chan_unlock(chan);
3df91ea2 550
ba3bd0ee 551 chan->ops->close(chan->data);
0f852724 552 }
4519de9a
GP		 553}
554
0f852724 555void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 556{
557 struct l2cap_conn *conn = chan->conn;
558 struct sock *sk = chan->sk;
559
e05dcc32
AE		 560 BT_DBG("chan %p state %s sk %p", chan,
561 state_to_string(chan->state), sk);
4519de9a 562
89bc500e 563 switch (chan->state) {
4519de9a 564 case BT_LISTEN:
6be36555 565 lock_sock(sk);
4519de9a 566 l2cap_chan_cleanup_listen(sk);
89bc500e 567
0e587be7 568 __l2cap_state_change(chan, BT_CLOSED);
89bc500e 569 sock_set_flag(sk, SOCK_ZAPPED);
6be36555 570 release_sock(sk);
4519de9a
GP		 571 break;
572
573 case BT_CONNECTED:
574 case BT_CONFIG:
715ec005 575 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 576 conn->hcon->type == ACL_LINK) {
c9b66675 577 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 578 l2cap_send_disconn_req(conn, chan, reason);
579 } else
580 l2cap_chan_del(chan, reason);
581 break;
582
583 case BT_CONNECT2:
715ec005 584 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 585 conn->hcon->type == ACL_LINK) {
586 struct l2cap_conn_rsp rsp;
587 __u16 result;
588
589 if (bt_sk(sk)->defer_setup)
590 result = L2CAP_CR_SEC_BLOCK;
591 else
592 result = L2CAP_CR_BAD_PSM;
89bc500e 593 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 594
595 rsp.scid = cpu_to_le16(chan->dcid);
596 rsp.dcid = cpu_to_le16(chan->scid);
597 rsp.result = cpu_to_le16(result);
598 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
599 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
600 sizeof(rsp), &rsp);
601 }
602
603 l2cap_chan_del(chan, reason);
604 break;
605
606 case BT_CONNECT:
607 case BT_DISCONN:
608 l2cap_chan_del(chan, reason);
609 break;
610
611 default:
6be36555 612 lock_sock(sk);
4519de9a 613 sock_set_flag(sk, SOCK_ZAPPED);
6be36555 614 release_sock(sk);
4519de9a
GP		 615 break;
616 }
617}
618
4343478f 619static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 620{
715ec005 621 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 622 switch (chan->sec_level) {
8556edd3
JH		 623 case BT_SECURITY_HIGH:
624 return HCI_AT_DEDICATED_BONDING_MITM;
625 case BT_SECURITY_MEDIUM:
626 return HCI_AT_DEDICATED_BONDING;
627 default:
628 return HCI_AT_NO_BONDING;
629 }
fe4128e0 630 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 631 if (chan->sec_level == BT_SECURITY_LOW)
632 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 633
4343478f 634 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 635 return HCI_AT_NO_BONDING_MITM;
00ae4af9 636 else
8556edd3 637 return HCI_AT_NO_BONDING;
00ae4af9 638 } else {
4343478f 639 switch (chan->sec_level) {
00ae4af9 640 case BT_SECURITY_HIGH:
8556edd3 641 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 642 case BT_SECURITY_MEDIUM:
8556edd3 643 return HCI_AT_GENERAL_BONDING;
00ae4af9 644 default:
8556edd3 645 return HCI_AT_NO_BONDING;
00ae4af9 646 }
0684e5f9 647 }
8556edd3
JH		 648}
649
650/* Service level security */
d45fc423 651int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 652{
8c1d787b 653 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 654 __u8 auth_type;
655
4343478f 656 auth_type = l2cap_get_auth_type(chan);
79d554a6 657
4343478f 658 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 659}
660
b5ad8b7f 661static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 662{
663 u8 id;
664
665 /* Get next available identificator.
666 * 1 - 128 are used by kernel.
667 * 129 - 199 are reserved.
668 * 200 - 254 are used by utilities like l2ping, etc.
669 */
670
333055f2 671 spin_lock(&conn->lock);
4e8402a3
MH		 672
673 if (++conn->tx_ident > 128)
674 conn->tx_ident = 1;
675
676 id = conn->tx_ident;
677
333055f2 678 spin_unlock(&conn->lock);
4e8402a3
MH		 679
680 return id;
681}
682
4519de9a 683static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 684{
685 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 686 u8 flags;
4e8402a3
MH		 687
688 BT_DBG("code 0x%2.2x", code);
689
690 if (!skb)
9a9c6a34 691 return;
4e8402a3 692
e702112f
AE		 693 if (lmp_no_flush_capable(conn->hcon->hdev))
694 flags = ACL_START_NO_FLUSH;
695 else
696 flags = ACL_START;
697
14b12d0b 698 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 699 skb->priority = HCI_PRIO_MAX;
14b12d0b 700
73d80deb
LAD		 701 hci_send_acl(conn->hchan, skb, flags);
702}
703
704static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
705{
706 struct hci_conn *hcon = chan->conn->hcon;
707 u16 flags;
708
709 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
710 skb->priority);
711
712 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
713 lmp_no_flush_capable(hcon->hdev))
714 flags = ACL_START_NO_FLUSH;
715 else
716 flags = ACL_START;
14b12d0b 717
73d80deb
LAD		 718 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
719 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 720}
721
b76bbd66
MM		 722static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
723{
724 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
725 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
726
727 if (enh & L2CAP_CTRL_FRAME_TYPE) {
728 /* S-Frame */
729 control->sframe = 1;
730 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
731 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
732
733 control->sar = 0;
734 control->txseq = 0;
735 } else {
736 /* I-Frame */
737 control->sframe = 0;
738 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
739 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
740
741 control->poll = 0;
742 control->super = 0;
743 }
744}
745
b76bbd66
MM		 746static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
747{
748 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
749 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
750
751 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
752 /* S-Frame */
753 control->sframe = 1;
754 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
755 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
756
757 control->sar = 0;
758 control->txseq = 0;
759 } else {
760 /* I-Frame */
761 control->sframe = 0;
762 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
763 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
764
765 control->poll = 0;
766 control->super = 0;
767 }
768}
769
770static inline void __unpack_control(struct l2cap_chan *chan,
771 struct sk_buff *skb)
772{
773 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
774 __unpack_extended_control(get_unaligned_le32(skb->data),
775 &bt_cb(skb)->control);
776 } else {
777 __unpack_enhanced_control(get_unaligned_le16(skb->data),
778 &bt_cb(skb)->control);
779 }
780}
781
b5c6aaed
MM		 782static u32 __pack_extended_control(struct l2cap_ctrl *control)
783{
784 u32 packed;
785
786 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
787 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
788
789 if (control->sframe) {
790 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
791 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
792 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
793 } else {
794 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
795 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
796 }
797
798 return packed;
799}
800
801static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
802{
803 u16 packed;
804
805 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
806 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
807
808 if (control->sframe) {
809 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
810 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
811 packed |= L2CAP_CTRL_FRAME_TYPE;
812 } else {
813 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
814 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
815 }
816
817 return packed;
818}
819
b76bbd66
MM		 820static inline void __pack_control(struct l2cap_chan *chan,
821 struct l2cap_ctrl *control,
822 struct sk_buff *skb)
823{
824 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
825 put_unaligned_le32(__pack_extended_control(control),
826 skb->data + L2CAP_HDR_SIZE);
827 } else {
828 put_unaligned_le16(__pack_enhanced_control(control),
829 skb->data + L2CAP_HDR_SIZE);
830 }
831}
832
b5c6aaed
MM		 833static inline void l2cap_send_sframe(struct l2cap_chan *chan, u32 control)
834{
835 struct sk_buff *skb;
836 struct l2cap_hdr *lh;
837 struct l2cap_conn *conn = chan->conn;
838 int count, hlen;
839
840 if (chan->state != BT_CONNECTED)
841 return;
842
843 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
844 hlen = L2CAP_EXT_HDR_SIZE;
845 else
846 hlen = L2CAP_ENH_HDR_SIZE;
847
848 if (chan->fcs == L2CAP_FCS_CRC16)
849 hlen += L2CAP_FCS_SIZE;
850
851 BT_DBG("chan %p, control 0x%8.8x", chan, control);
852
853 count = min_t(unsigned int, conn->mtu, hlen);
854
855 control |= __set_sframe(chan);
856
857 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
858 control |= __set_ctrl_final(chan);
859
860 if (test_and_clear_bit(CONN_SEND_PBIT, &chan->conn_state))
861 control |= __set_ctrl_poll(chan);
862
863 skb = bt_skb_alloc(count, GFP_ATOMIC);
864 if (!skb)
865 return;
866
867 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
868 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
869 lh->cid = cpu_to_le16(chan->dcid);
870
871 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
872
873 if (chan->fcs == L2CAP_FCS_CRC16) {
874 u16 fcs = crc16(0, (u8 *)lh, count - L2CAP_FCS_SIZE);
875 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
876 }
877
878 skb->priority = HCI_PRIO_MAX;
879 l2cap_do_send(chan, skb);
880}
881
882static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u32 control)
883{
884 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
885 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
886 set_bit(CONN_RNR_SENT, &chan->conn_state);
887 } else
888 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
889
890 control |= __set_reqseq(chan, chan->buffer_seq);
891
892 l2cap_send_sframe(chan, control);
893}
894
b4450035 895static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 896{
c1360a1c 897 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 898}
899
9b27f350
AE		 900static void l2cap_send_conn_req(struct l2cap_chan *chan)
901{
902 struct l2cap_conn *conn = chan->conn;
903 struct l2cap_conn_req req;
904
905 req.scid = cpu_to_le16(chan->scid);
906 req.psm = chan->psm;
907
908 chan->ident = l2cap_get_ident(conn);
909
910 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
911
912 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
913}
914
9f0caeb1
VCG		 915static void l2cap_chan_ready(struct l2cap_chan *chan)
916{
917 struct sock *sk = chan->sk;
918 struct sock *parent;
919
920 lock_sock(sk);
921
922 parent = bt_sk(sk)->parent;
923
924 BT_DBG("sk %p, parent %p", sk, parent);
925
926 chan->conf_state = 0;
927 __clear_chan_timer(chan);
928
929 __l2cap_state_change(chan, BT_CONNECTED);
930 sk->sk_state_change(sk);
931
932 if (parent)
933 parent->sk_data_ready(parent, 0);
934
935 release_sock(sk);
936}
937
fc7f8a7e 938static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 939{
8c1d787b 940 struct l2cap_conn *conn = chan->conn;
79d554a6 941
9f0caeb1
VCG		 942 if (conn->hcon->type == LE_LINK) {
943 l2cap_chan_ready(chan);
944 return;
945 }
946
79d554a6 947 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 948 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
949 return;
950
d45fc423 951 if (l2cap_chan_check_security(chan) &&
9b27f350
AE		 952 __l2cap_no_conn_pending(chan))
953 l2cap_send_conn_req(chan);
79d554a6
MH		 954 } else {
955 struct l2cap_info_req req;
956 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
957
958 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
959 conn->info_ident = l2cap_get_ident(conn);
960
ba13ccd9 961 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 962
963 l2cap_send_cmd(conn, conn->info_ident,
964 L2CAP_INFO_REQ, sizeof(req), &req);
965 }
966}
967
cf6c2c0b
GP		 968static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
969{
970 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 971 if (!disable_ertm)
cf6c2c0b
GP		 972 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
973
974 switch (mode) {
975 case L2CAP_MODE_ERTM:
976 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
977 case L2CAP_MODE_STREAMING:
978 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
979 default:
980 return 0x00;
981 }
982}
983
4519de9a 984static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 985{
6be36555 986 struct sock *sk = chan->sk;
22121fc9
GP		 987 struct l2cap_disconn_req req;
988
c13ffa62
GP		 989 if (!conn)
990 return;
991
0c1bc5c6 992 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 993 __clear_retrans_timer(chan);
994 __clear_monitor_timer(chan);
995 __clear_ack_timer(chan);
c13ffa62
GP		 996 }
997
fe4128e0
GP		 998 req.dcid = cpu_to_le16(chan->dcid);
999 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 1000 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1001 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 1002
6be36555 1003 lock_sock(sk);
0e587be7 1004 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1005 __l2cap_chan_set_err(chan, err);
6be36555 1006 release_sock(sk);
22121fc9
GP		 1007}
1008
1da177e4 1009/* ---- L2CAP connections ---- */
4e8402a3
MH		 1010static void l2cap_conn_start(struct l2cap_conn *conn)
1011{
3df91ea2 1012 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1013
1014 BT_DBG("conn %p", conn);
1015
3df91ea2 1016 mutex_lock(&conn->chan_lock);
4e8402a3 1017
3df91ea2 1018 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1019 struct sock *sk = chan->sk;
baa7e1fa 1020
6be36555 1021 l2cap_chan_lock(chan);
4e8402a3 1022
715ec005 1023 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1024 l2cap_chan_unlock(chan);
79d554a6
MH		 1025 continue;
1026 }
1027
89bc500e 1028 if (chan->state == BT_CONNECT) {
d45fc423 1029 if (!l2cap_chan_check_security(chan) ||
b4450035 1030 !__l2cap_no_conn_pending(chan)) {
6be36555 1031 l2cap_chan_unlock(chan);
47731de7
GP		 1032 continue;
1033 }
79d554a6 1034
c1360a1c
GP		 1035 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1036 && test_bit(CONF_STATE2_DEVICE,
1037 &chan->conf_state)) {
89bc500e 1038 l2cap_chan_close(chan, ECONNRESET);
6be36555 1039 l2cap_chan_unlock(chan);
47731de7 1040 continue;
b1235d79 1041 }
47731de7 1042
9b27f350 1043 l2cap_send_conn_req(chan);
47731de7 1044
89bc500e 1045 } else if (chan->state == BT_CONNECT2) {
79d554a6 1046 struct l2cap_conn_rsp rsp;
e9aeb2dd 1047 char buf[128];
fe4128e0
GP		 1048 rsp.scid = cpu_to_le16(chan->dcid);
1049 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1050
d45fc423 1051 if (l2cap_chan_check_security(chan)) {
6be36555 1052 lock_sock(sk);
f66dc81f
MH		 1053 if (bt_sk(sk)->defer_setup) {
1054 struct sock *parent = bt_sk(sk)->parent;
1055 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1056 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 1057 if (parent)
1058 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 1059
1060 } else {
0e587be7 1061 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 1062 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1063 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1064 }
6be36555 1065 release_sock(sk);
79d554a6
MH		 1066 } else {
1067 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1068 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1069 }
1070
fc7f8a7e
GP		 1071 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1072 sizeof(rsp), &rsp);
e9aeb2dd 1073
c1360a1c 1074 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd 1075 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1076 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1077 continue;
1078 }
1079
c1360a1c 1080 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1081 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 1082 l2cap_build_conf_req(chan, buf), buf);
1083 chan->num_conf_req++;
4e8402a3
MH		 1084 }
1085
6be36555 1086 l2cap_chan_unlock(chan);
4e8402a3
MH		 1087 }
1088
3df91ea2 1089 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1090}
1091
c2287681 1092/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1093 * Returns closest match, locked.
1094 */
d9b88702 1095static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1096 bdaddr_t *src,
1097 bdaddr_t *dst)
b62f328b 1098{
23691d75 1099 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1100
23691d75 1101 read_lock(&chan_list_lock);
b62f328b 1102
23691d75
GP		 1103 list_for_each_entry(c, &chan_list, global_l) {
1104 struct sock *sk = c->sk;
fe4128e0 1105
89bc500e 1106 if (state && c->state != state)
b62f328b
VT		 1107 continue;
1108
23691d75 1109 if (c->scid == cid) {
c2287681
IY		 1110 int src_match, dst_match;
1111 int src_any, dst_any;
1112
b62f328b 1113 /* Exact match. */
c2287681
IY		 1114 src_match = !bacmp(&bt_sk(sk)->src, src);
1115 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1116 if (src_match && dst_match) {
23691d75
GP		 1117 read_unlock(&chan_list_lock);
1118 return c;
1119 }
b62f328b
VT		 1120
1121 /* Closest match */
c2287681
IY		 1122 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1123 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1124 if ((src_match && dst_any) || (src_any && dst_match) ||
1125 (src_any && dst_any))
23691d75 1126 c1 = c;
b62f328b
VT		 1127 }
1128 }
280f294f 1129
23691d75 1130 read_unlock(&chan_list_lock);
b62f328b 1131
23691d75 1132 return c1;
b62f328b
VT		 1133}
1134
1135static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1136{
c916fbe4 1137 struct sock *parent, *sk;
23691d75 1138 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1139
1140 BT_DBG("");
1141
1142 /* Check if we have socket listening on cid */
23691d75 1143 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1144 conn->src, conn->dst);
23691d75 1145 if (!pchan)
b62f328b
VT		 1146 return;
1147
23691d75
GP		 1148 parent = pchan->sk;
1149
aa2ac881 1150 lock_sock(parent);
62f3a2cf 1151
b62f328b
VT		 1152 /* Check for backlog size */
1153 if (sk_acceptq_is_full(parent)) {
1154 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1155 goto clean;
1156 }
1157
80808e43
GP		 1158 chan = pchan->ops->new_connection(pchan->data);
1159 if (!chan)
b62f328b
VT		 1160 goto clean;
1161
80808e43 1162 sk = chan->sk;
5d41ce1d 1163
b62f328b
VT		 1164 hci_conn_hold(conn->hcon);
1165
b62f328b
VT		 1166 bacpy(&bt_sk(sk)->src, conn->src);
1167 bacpy(&bt_sk(sk)->dst, conn->dst);
1168
d1010240
GP		 1169 bt_accept_enqueue(parent, sk);
1170
3d57dc68 1171 l2cap_chan_add(conn, chan);
48454079 1172
c9b66675 1173 __set_chan_timer(chan, sk->sk_sndtimeo);
b62f328b 1174
0e587be7 1175 __l2cap_state_change(chan, BT_CONNECTED);
b62f328b
VT		 1176 parent->sk_data_ready(parent, 0);
1177
b62f328b 1178clean:
aa2ac881 1179 release_sock(parent);
b62f328b
VT		 1180}
1181
4e8402a3
MH		 1182static void l2cap_conn_ready(struct l2cap_conn *conn)
1183{
48454079 1184 struct l2cap_chan *chan;
4e8402a3 1185
79d554a6 1186 BT_DBG("conn %p", conn);
4e8402a3 1187
b62f328b
VT		 1188 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
1189 l2cap_le_conn_ready(conn);
1190
160dc6ac
VCG		 1191 if (conn->hcon->out && conn->hcon->type == LE_LINK)
1192 smp_conn_security(conn, conn->hcon->pending_sec_level);
1193
3df91ea2 1194 mutex_lock(&conn->chan_lock);
4e8402a3 1195
3df91ea2 1196 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1197
6be36555 1198 l2cap_chan_lock(chan);
4e8402a3 1199
63128451 1200 if (conn->hcon->type == LE_LINK) {
b501d6a1 1201 if (smp_conn_security(conn, chan->sec_level))
cf4cd009 1202 l2cap_chan_ready(chan);
acd7d370 1203
63128451 1204 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1205 struct sock *sk = chan->sk;
c9b66675 1206 __clear_chan_timer(chan);
6be36555 1207 lock_sock(sk);
0e587be7 1208 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1209 sk->sk_state_change(sk);
6be36555 1210 release_sock(sk);
b501d6a1 1211
89bc500e 1212 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1213 l2cap_do_start(chan);
4e8402a3 1214
6be36555 1215 l2cap_chan_unlock(chan);
4e8402a3 1216 }
79d554a6 1217
3df91ea2 1218 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1219}
1220
1221/* Notify sockets that we cannot guaranty reliability anymore */
1222static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1223{
48454079 1224 struct l2cap_chan *chan;
4e8402a3
MH		 1225
1226 BT_DBG("conn %p", conn);
1227
3df91ea2 1228 mutex_lock(&conn->chan_lock);
4e8402a3 1229
3df91ea2 1230 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1231 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
2e0052e4 1232 __l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1233 }
1234
3df91ea2 1235 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1236}
1237
f878fcad 1238static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1239{
f878fcad 1240 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
030013d8 1241 info_timer.work);
4e8402a3 1242
984947dc 1243 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1244 conn->info_ident = 0;
984947dc 1245
4e8402a3
MH		 1246 l2cap_conn_start(conn);
1247}
1248
5d3de7df
VCG		 1249static void l2cap_conn_del(struct hci_conn *hcon, int err)
1250{
1251 struct l2cap_conn *conn = hcon->l2cap_data;
1252 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1253
1254 if (!conn)
1255 return;
1256
1257 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1258
1259 kfree_skb(conn->rx_skb);
1260
3df91ea2
AE		 1261 mutex_lock(&conn->chan_lock);
1262
5d3de7df
VCG		 1263 /* Kill channels */
1264 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1265 l2cap_chan_hold(chan);
6be36555
AE		 1266 l2cap_chan_lock(chan);
1267
5d3de7df 1268 l2cap_chan_del(chan, err);
6be36555
AE		 1269
1270 l2cap_chan_unlock(chan);
1271
5d3de7df 1272 chan->ops->close(chan->data);
61d6ef3e 1273 l2cap_chan_put(chan);
5d3de7df
VCG		 1274 }
1275
3df91ea2
AE		 1276 mutex_unlock(&conn->chan_lock);
1277
73d80deb
LAD		 1278 hci_chan_del(conn->hchan);
1279
5d3de7df 1280 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1281 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1282
51a8efd7 1283 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1284 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1285 smp_chan_destroy(conn);
d26a2345 1286 }
5d3de7df
VCG		 1287
1288 hcon->l2cap_data = NULL;
1289 kfree(conn);
1290}
1291
6c9d42a1 1292static void security_timeout(struct work_struct *work)
5d3de7df 1293{
6c9d42a1
GP		 1294 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1295 security_timer.work);
5d3de7df
VCG		 1296
1297 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1298}
1299
1da177e4
LT		 1300static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1301{
0139418c 1302 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1303 struct hci_chan *hchan;
1da177e4 1304
0139418c 1305 if (conn || status)
1da177e4
LT		 1306 return conn;
1307
73d80deb
LAD		 1308 hchan = hci_chan_create(hcon);
1309 if (!hchan)
1310 return NULL;
1311
0139418c 1312 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
73d80deb
LAD		 1313 if (!conn) {
1314 hci_chan_del(hchan);
1da177e4 1315 return NULL;
73d80deb 1316 }
1da177e4
LT		 1317
1318 hcon->l2cap_data = conn;
1319 conn->hcon = hcon;
73d80deb 1320 conn->hchan = hchan;
1da177e4 1321
73d80deb 1322 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1323
acd7d370
VT		 1324 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1325 conn->mtu = hcon->hdev->le_mtu;
1326 else
1327 conn->mtu = hcon->hdev->acl_mtu;
1328
1da177e4
LT		 1329 conn->src = &hcon->hdev->bdaddr;
1330 conn->dst = &hcon->dst;
1331
4e8402a3
MH		 1332 conn->feat_mask = 0;
1333
1da177e4 1334 spin_lock_init(&conn->lock);
3df91ea2 1335 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1336
1337 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1338
5d3de7df 1339 if (hcon->type == LE_LINK)
6c9d42a1 1340 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1341 else
030013d8 1342 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1343
9f5a0d7b 1344 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1345
1da177e4
LT		 1346 return conn;
1347}
1348
1da177e4 1349/* ---- Socket interface ---- */
1da177e4 1350
c2287681 1351/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1352 * Returns closest match.
1353 */
c2287681
IY		 1354static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1355 bdaddr_t *src,
1356 bdaddr_t *dst)
1da177e4 1357{
23691d75 1358 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1359
23691d75 1360 read_lock(&chan_list_lock);
e0f0cb56 1361
23691d75
GP		 1362 list_for_each_entry(c, &chan_list, global_l) {
1363 struct sock *sk = c->sk;
fe4128e0 1364
89bc500e 1365 if (state && c->state != state)
1da177e4
LT		 1366 continue;
1367
23691d75 1368 if (c->psm == psm) {
c2287681
IY		 1369 int src_match, dst_match;
1370 int src_any, dst_any;
1371
1da177e4 1372 /* Exact match. */
c2287681
IY		 1373 src_match = !bacmp(&bt_sk(sk)->src, src);
1374 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1375 if (src_match && dst_match) {
a7567b20 1376 read_unlock(&chan_list_lock);
23691d75
GP		 1377 return c;
1378 }
1da177e4
LT		 1379
1380 /* Closest match */
c2287681
IY		 1381 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1382 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1383 if ((src_match && dst_any) || (src_any && dst_match) ||
1384 (src_any && dst_any))
23691d75 1385 c1 = c;
1da177e4
LT		 1386 }
1387 }
1da177e4 1388
23691d75 1389 read_unlock(&chan_list_lock);
e0f0cb56 1390
23691d75 1391 return c1;
1da177e4
LT		 1392}
1393
8e9f9892
AG		 1394int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1395 bdaddr_t *dst, u8 dst_type)
1da177e4 1396{
5d41ce1d 1397 struct sock *sk = chan->sk;
1da177e4 1398 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1399 struct l2cap_conn *conn;
1400 struct hci_conn *hcon;
1401 struct hci_dev *hdev;
09ab6f4c 1402 __u8 auth_type;
44d0e48e 1403 int err;
1da177e4 1404
8e9f9892
AG		 1405 BT_DBG("%s -> %s (type %u) psm 0x%2.2x", batostr(src), batostr(dst),
1406 dst_type, __le16_to_cpu(chan->psm));
1da177e4 1407
af05b30b
GP		 1408 hdev = hci_get_route(dst, src);
1409 if (!hdev)
1da177e4
LT		 1410 return -EHOSTUNREACH;
1411
09fd0de5 1412 hci_dev_lock(hdev);
1da177e4 1413
6be36555 1414 l2cap_chan_lock(chan);
03a00194
GP		 1415
1416 /* PSM must be odd and lsb of upper byte must be 0 */
1417 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1418 chan->chan_type != L2CAP_CHAN_RAW) {
1419 err = -EINVAL;
1420 goto done;
1421 }
1422
1423 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1424 err = -EINVAL;
1425 goto done;
1426 }
1427
1428 switch (chan->mode) {
1429 case L2CAP_MODE_BASIC:
1430 break;
1431 case L2CAP_MODE_ERTM:
1432 case L2CAP_MODE_STREAMING:
1433 if (!disable_ertm)
1434 break;
1435 /* fall through */
1436 default:
1437 err = -ENOTSUPP;
1438 goto done;
1439 }
1440
6be36555
AE		 1441 lock_sock(sk);
1442
03a00194
GP		 1443 switch (sk->sk_state) {
1444 case BT_CONNECT:
1445 case BT_CONNECT2:
1446 case BT_CONFIG:
1447 /* Already connecting */
1448 err = 0;
6be36555 1449 release_sock(sk);
03a00194
GP		 1450 goto done;
1451
1452 case BT_CONNECTED:
1453 /* Already connected */
1454 err = -EISCONN;
6be36555 1455 release_sock(sk);
03a00194
GP		 1456 goto done;
1457
1458 case BT_OPEN:
1459 case BT_BOUND:
1460 /* Can connect */
1461 break;
1462
1463 default:
1464 err = -EBADFD;
6be36555 1465 release_sock(sk);
03a00194
GP		 1466 goto done;
1467 }
1468
1469 /* Set destination address and psm */
9219b2a0 1470 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1471
1472 release_sock(sk);
1473
03a00194
GP		 1474 chan->psm = psm;
1475 chan->dcid = cid;
1da177e4 1476
4343478f 1477 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1478
fe4128e0 1479 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1480 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1481 chan->sec_level, auth_type);
acd7d370 1482 else
8e9f9892 1483 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1484 chan->sec_level, auth_type);
acd7d370 1485
30e76272
VT		 1486 if (IS_ERR(hcon)) {
1487 err = PTR_ERR(hcon);
1da177e4 1488 goto done;
30e76272 1489 }
1da177e4
LT		 1490
1491 conn = l2cap_conn_add(hcon, 0);
1492 if (!conn) {
1493 hci_conn_put(hcon);
30e76272 1494 err = -ENOMEM;
1da177e4
LT		 1495 goto done;
1496 }
1497
9f0caeb1
VCG		 1498 if (hcon->type == LE_LINK) {
1499 err = 0;
1500
1501 if (!list_empty(&conn->chan_l)) {
1502 err = -EBUSY;
1503 hci_conn_put(hcon);
1504 }
1505
1506 if (err)
1507 goto done;
1508 }
1509
1da177e4
LT		 1510 /* Update source addr of the socket */
1511 bacpy(src, conn->src);
1512
6be36555 1513 l2cap_chan_unlock(chan);
48454079 1514 l2cap_chan_add(conn, chan);
6be36555 1515 l2cap_chan_lock(chan);
48454079 1516
6be36555 1517 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1518 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1519
1520 if (hcon->state == BT_CONNECTED) {
715ec005 1521 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1522 __clear_chan_timer(chan);
d45fc423 1523 if (l2cap_chan_check_security(chan))
6be36555 1524 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1525 } else
fc7f8a7e 1526 l2cap_do_start(chan);
1da177e4
LT		 1527 }
1528
30e76272
VT		 1529 err = 0;
1530
1da177e4 1531done:
6be36555 1532 l2cap_chan_unlock(chan);
09fd0de5 1533 hci_dev_unlock(hdev);
1da177e4
LT		 1534 hci_dev_put(hdev);
1535 return err;
1536}
1537
dcba0dba 1538int __l2cap_wait_ack(struct sock *sk)
6161c038 1539{
8c1d787b 1540 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1541 DECLARE_WAITQUEUE(wait, current);
1542 int err = 0;
1543 int timeo = HZ/5;
1544
2b0b05dd 1545 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1546 set_current_state(TASK_INTERRUPTIBLE);
1547 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1548 if (!timeo)
1549 timeo = HZ/5;
1550
1551 if (signal_pending(current)) {
1552 err = sock_intr_errno(timeo);
1553 break;
1554 }
1555
1556 release_sock(sk);
1557 timeo = schedule_timeout(timeo);
1558 lock_sock(sk);
a71a0cf4 1559 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1560
1561 err = sock_error(sk);
1562 if (err)
1563 break;
1564 }
1565 set_current_state(TASK_RUNNING);
2b0b05dd 1566 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1567 return err;
1568}
1569
721c4181 1570static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1571{
721c4181
GP		 1572 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1573 monitor_timer.work);
e90bac06 1574
525cd185 1575 BT_DBG("chan %p", chan);
0e98958d 1576
6be36555
AE		 1577 l2cap_chan_lock(chan);
1578
2c03a7a4 1579 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1580 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
6be36555 1581 l2cap_chan_unlock(chan);
8d7e1c7f 1582 l2cap_chan_put(chan);
e90bac06
GP		 1583 return;
1584 }
1585
6a026610 1586 chan->retry_count++;
1a09bcb9 1587 __set_monitor_timer(chan);
e90bac06 1588
525cd185 1589 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
6be36555 1590 l2cap_chan_unlock(chan);
8d7e1c7f 1591 l2cap_chan_put(chan);
e90bac06
GP		 1592}
1593
721c4181 1594static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1595{
721c4181
GP		 1596 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1597 retrans_timer.work);
e90bac06 1598
49208c9c 1599 BT_DBG("chan %p", chan);
0e98958d 1600
6be36555
AE		 1601 l2cap_chan_lock(chan);
1602
6a026610 1603 chan->retry_count = 1;
1a09bcb9 1604 __set_monitor_timer(chan);
e90bac06 1605
e2ab4353 1606 set_bit(CONN_WAIT_F, &chan->conn_state);
e90bac06 1607
525cd185 1608 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
6be36555
AE		 1609
1610 l2cap_chan_unlock(chan);
8d7e1c7f 1611 l2cap_chan_put(chan);
e90bac06
GP		 1612}
1613
42e5c802 1614static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1da177e4 1615{
1c2acffb 1616 struct sk_buff *skb;
1da177e4 1617
58d35f87 1618 while ((skb = skb_peek(&chan->tx_q)) &&
6a026610 1619 chan->unacked_frames) {
3ce3514f 1620 if (bt_cb(skb)->control.txseq == chan->expected_ack_seq)
1c2acffb 1621 break;
1da177e4 1622
58d35f87 1623 skb = skb_dequeue(&chan->tx_q);
1c2acffb 1624 kfree_skb(skb);
1da177e4 1625
6a026610 1626 chan->unacked_frames--;
1c2acffb 1627 }
1da177e4 1628
6a026610 1629 if (!chan->unacked_frames)
1a09bcb9 1630 __clear_retrans_timer(chan);
1c2acffb 1631}
1da177e4 1632
67c9e840 1633static void l2cap_streaming_send(struct l2cap_chan *chan)
6840ed07 1634{
ccbb84af 1635 struct sk_buff *skb;
88843ab0
AE		 1636 u32 control;
1637 u16 fcs;
6840ed07 1638
58d35f87 1639 while ((skb = skb_dequeue(&chan->tx_q))) {
88843ab0 1640 control = __get_control(chan, skb->data + L2CAP_HDR_SIZE);
fb45de7d 1641 control |= __set_txseq(chan, chan->next_tx_seq);
94122bbe 1642 control |= __set_ctrl_sar(chan, bt_cb(skb)->control.sar);
88843ab0 1643 __put_control(chan, control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1644
47d1ec61 1645 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1646 fcs = crc16(0, (u8 *)skb->data,
1647 skb->len - L2CAP_FCS_SIZE);
1648 put_unaligned_le16(fcs,
1649 skb->data + skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 1650 }
1651
4343478f 1652 l2cap_do_send(chan, skb);
6840ed07 1653
836be934 1654 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
6840ed07 1655 }
6840ed07
GP		 1656}
1657
fb45de7d 1658static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 1659{
8f17154f 1660 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1661 u16 fcs;
1662 u32 control;
8f17154f 1663
58d35f87 1664 skb = skb_peek(&chan->tx_q);
f11d676d
GP		 1665 if (!skb)
1666 return;
8f17154f 1667
3ce3514f 1668 while (bt_cb(skb)->control.txseq != tx_seq) {
58d35f87 1669 if (skb_queue_is_last(&chan->tx_q, skb))
f11d676d 1670 return;
8f17154f 1671
d1726b6d
SJ		 1672 skb = skb_queue_next(&chan->tx_q, skb);
1673 }
8f17154f 1674
3ce3514f
MM		 1675 if (bt_cb(skb)->control.retries == chan->remote_max_tx &&
1676 chan->remote_max_tx) {
8c1d787b 1677 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
f11d676d
GP		 1678 return;
1679 }
1680
1681 tx_skb = skb_clone(skb, GFP_ATOMIC);
3ce3514f 1682 bt_cb(skb)->control.retries++;
88843ab0
AE		 1683
1684 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1685 control &= __get_sar_mask(chan);
3cb123d1 1686
e2ab4353 1687 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1688 control |= __set_ctrl_final(chan);
95ffa978 1689
0b209fae 1690 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1691 control |= __set_txseq(chan, tx_seq);
3cb123d1 1692
88843ab0 1693 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
f11d676d 1694
47d1ec61 1695 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1696 fcs = crc16(0, (u8 *)tx_skb->data,
1697 tx_skb->len - L2CAP_FCS_SIZE);
1698 put_unaligned_le16(fcs,
1699 tx_skb->data + tx_skb->len - L2CAP_FCS_SIZE);
f11d676d
GP		 1700 }
1701
4343478f 1702 l2cap_do_send(chan, tx_skb);
8f17154f
GP		 1703}
1704
67c9e840 1705static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1706{
1707 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1708 u16 fcs;
1709 u32 control;
9a9c6a34 1710 int nsent = 0;
1c2acffb 1711
89bc500e 1712 if (chan->state != BT_CONNECTED)
c13ffa62 1713 return -ENOTCONN;
e90bac06 1714
94122bbe
MM		 1715 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1716 return 0;
1717
58d35f87 1718 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1c2acffb 1719
3ce3514f
MM		 1720 if (bt_cb(skb)->control.retries == chan->remote_max_tx &&
1721 chan->remote_max_tx) {
8c1d787b 1722 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
e90bac06
GP		 1723 break;
1724 }
1725
e420aba3
AE		 1726 tx_skb = skb_clone(skb, GFP_ATOMIC);
1727
3ce3514f 1728 bt_cb(skb)->control.retries++;
e90bac06 1729
88843ab0 1730 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1731 control &= __get_sar_mask(chan);
95ffa978 1732
e2ab4353 1733 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1734 control |= __set_ctrl_final(chan);
e2ab4353 1735
0b209fae 1736 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1737 control |= __set_txseq(chan, chan->next_tx_seq);
94122bbe 1738 control |= __set_ctrl_sar(chan, bt_cb(skb)->control.sar);
1c2acffb 1739
88843ab0 1740 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
e90bac06 1741
47d1ec61 1742 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1743 fcs = crc16(0, (u8 *)skb->data,
1744 tx_skb->len - L2CAP_FCS_SIZE);
1745 put_unaligned_le16(fcs, skb->data +
1746 tx_skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 1747 }
1748
4343478f 1749 l2cap_do_send(chan, tx_skb);
9a9c6a34 1750
1a09bcb9 1751 __set_retrans_timer(chan);
1c2acffb 1752
3ce3514f 1753 bt_cb(skb)->control.txseq = chan->next_tx_seq;
836be934
AE		 1754
1755 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1c2acffb 1756
3ce3514f 1757 if (bt_cb(skb)->control.retries == 1) {
6a026610 1758 chan->unacked_frames++;
930fa4ae
SJ		 1759
1760 if (!nsent++)
1761 __clear_ack_timer(chan);
8ed7a0ae 1762 }
23e9fde2 1763
6a026610 1764 chan->frames_sent++;
1c2acffb 1765
58d35f87
GP		 1766 if (skb_queue_is_last(&chan->tx_q, skb))
1767 chan->tx_send_head = NULL;
1c2acffb 1768 else
58d35f87 1769 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1c2acffb
GP		 1770 }
1771
9e917af1
GP		 1772 return nsent;
1773}
1774
525cd185 1775static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1776{
dfc909be
GP		 1777 int ret;
1778
58d35f87
GP		 1779 if (!skb_queue_empty(&chan->tx_q))
1780 chan->tx_send_head = chan->tx_q.next;
dfc909be 1781
42e5c802 1782 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1783 ret = l2cap_ertm_send(chan);
dfc909be
GP		 1784 return ret;
1785}
1786
b17e73bb 1787static void __l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1788{
88843ab0 1789 u32 control = 0;
9e917af1 1790
0b209fae 1791 control |= __set_reqseq(chan, chan->buffer_seq);
9e917af1 1792
e2ab4353 1793 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 1794 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 1795 set_bit(CONN_RNR_SENT, &chan->conn_state);
525cd185 1796 l2cap_send_sframe(chan, control);
9a9c6a34 1797 return;
9e917af1 1798 }
dfc909be 1799
525cd185 1800 if (l2cap_ertm_send(chan) > 0)
dfc909be
GP		 1801 return;
1802
ab784b73 1803 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 1804 l2cap_send_sframe(chan, control);
1c2acffb
GP		 1805}
1806
b17e73bb
SJ		 1807static void l2cap_send_ack(struct l2cap_chan *chan)
1808{
1809 __clear_ack_timer(chan);
1810 __l2cap_send_ack(chan);
1811}
1812
525cd185 1813static void l2cap_send_srejtail(struct l2cap_chan *chan)
99b0d4b7
GP		 1814{
1815 struct srej_list *tail;
88843ab0 1816 u32 control;
99b0d4b7 1817
ab784b73 1818 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
03f6715d 1819 control |= __set_ctrl_final(chan);
99b0d4b7 1820
39d5a3ee 1821 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
0b209fae 1822 control |= __set_reqseq(chan, tail->tx_seq);
99b0d4b7 1823
525cd185 1824 l2cap_send_sframe(chan, control);
99b0d4b7
GP		 1825}
1826
04124681
GP		 1827static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
1828 struct msghdr *msg, int len,
1829 int count, struct sk_buff *skb)
1c2acffb 1830{
0952a57a 1831 struct l2cap_conn *conn = chan->conn;
1c2acffb 1832 struct sk_buff **frag;
90338947 1833 int sent = 0;
1da177e4 1834
59203a21 1835 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1836 return -EFAULT;
1da177e4
LT		 1837
1838 sent += count;
1839 len -= count;
1840
1841 /* Continuation fragments (no L2CAP header) */
1842 frag = &skb_shinfo(skb)->frag_list;
1843 while (len) {
fbe00700
GP		 1844 struct sk_buff *tmp;
1845
1da177e4
LT		 1846 count = min_t(unsigned int, conn->mtu, len);
1847
fbe00700
GP		 1848 tmp = chan->ops->alloc_skb(chan, count,
1849 msg->msg_flags & MSG_DONTWAIT);
1850 if (IS_ERR(tmp))
1851 return PTR_ERR(tmp);
1852
1853 *frag = tmp;
2f7719ce 1854
1c2acffb
GP		 1855 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1856 return -EFAULT;
1da177e4 1857
5e59b791
LAD		 1858 (*frag)->priority = skb->priority;
1859
1da177e4
LT		 1860 sent += count;
1861 len -= count;
1862
2d0ed3d5
GP		 1863 skb->len += (*frag)->len;
1864 skb->data_len += (*frag)->len;
1865
1da177e4
LT		 1866 frag = &(*frag)->next;
1867 }
1da177e4
LT		 1868
1869 return sent;
1c2acffb 1870}
1da177e4 1871
5e59b791
LAD		 1872static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
1873 struct msghdr *msg, size_t len,
1874 u32 priority)
1c2acffb 1875{
8c1d787b 1876 struct l2cap_conn *conn = chan->conn;
1c2acffb 1877 struct sk_buff *skb;
03a51213 1878 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 1879 struct l2cap_hdr *lh;
1880
6d5922b0 1881 BT_DBG("chan %p len %d priority %u", chan, (int)len, priority);
1c2acffb
GP		 1882
1883 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1884
1885 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 1886 msg->msg_flags & MSG_DONTWAIT);
1887 if (IS_ERR(skb))
1888 return skb;
1c2acffb 1889
5e59b791
LAD		 1890 skb->priority = priority;
1891
1c2acffb
GP		 1892 /* Create L2CAP header */
1893 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1894 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 1895 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
1896 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 1897
0952a57a 1898 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1899 if (unlikely(err < 0)) {
1900 kfree_skb(skb);
1901 return ERR_PTR(err);
1902 }
1903 return skb;
1904}
1905
5e59b791
LAD		 1906static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
1907 struct msghdr *msg, size_t len,
1908 u32 priority)
1c2acffb 1909{
8c1d787b 1910 struct l2cap_conn *conn = chan->conn;
1c2acffb 1911 struct sk_buff *skb;
f2ba7fae 1912 int err, count;
1c2acffb
GP		 1913 struct l2cap_hdr *lh;
1914
6d5922b0 1915 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 1916
f2ba7fae 1917 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 1918
f2ba7fae 1919 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 1920 msg->msg_flags & MSG_DONTWAIT);
1921 if (IS_ERR(skb))
1922 return skb;
1c2acffb 1923
5e59b791
LAD		 1924 skb->priority = priority;
1925
1c2acffb
GP		 1926 /* Create L2CAP header */
1927 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1928 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 1929 lh->len = cpu_to_le16(len);
1c2acffb 1930
0952a57a 1931 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1932 if (unlikely(err < 0)) {
1933 kfree_skb(skb);
1934 return ERR_PTR(err);
1935 }
1936 return skb;
1937}
1938
ab0ff76d
LAD		 1939static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
1940 struct msghdr *msg, size_t len,
94122bbe 1941 u16 sdulen)
1c2acffb 1942{
8c1d787b 1943 struct l2cap_conn *conn = chan->conn;
1c2acffb 1944 struct sk_buff *skb;
e4ca6d98 1945 int err, count, hlen;
1c2acffb
GP		 1946 struct l2cap_hdr *lh;
1947
6d5922b0 1948 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 1949
0ee0d208
GP		 1950 if (!conn)
1951 return ERR_PTR(-ENOTCONN);
1952
e4ca6d98
AE		 1953 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1954 hlen = L2CAP_EXT_HDR_SIZE;
1955 else
1956 hlen = L2CAP_ENH_HDR_SIZE;
1957
c74e560c 1958 if (sdulen)
03a51213 1959 hlen += L2CAP_SDULEN_SIZE;
c74e560c 1960
47d1ec61 1961 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1962 hlen += L2CAP_FCS_SIZE;
fcc203c3 1963
1c2acffb 1964 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1965
1966 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 1967 msg->msg_flags & MSG_DONTWAIT);
1968 if (IS_ERR(skb))
1969 return skb;
1c2acffb
GP		 1970
1971 /* Create L2CAP header */
1972 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1973 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1974 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 1975
94122bbe 1976 __put_control(chan, 0, skb_put(skb, __ctrl_size(chan)));
88843ab0 1977
c74e560c 1978 if (sdulen)
03a51213 1979 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 1980
0952a57a 1981 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1982 if (unlikely(err < 0)) {
1983 kfree_skb(skb);
1984 return ERR_PTR(err);
1985 }
e90bac06 1986
47d1ec61 1987 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1988 put_unaligned_le16(0, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3 1989
3ce3514f 1990 bt_cb(skb)->control.retries = 0;
1c2acffb 1991 return skb;
1da177e4
LT		 1992}
1993
94122bbe
MM		 1994static int l2cap_segment_sdu(struct l2cap_chan *chan,
1995 struct sk_buff_head *seg_queue,
1996 struct msghdr *msg, size_t len)
c74e560c 1997{
c74e560c 1998 struct sk_buff *skb;
94122bbe
MM		 1999 u16 sdu_len;
2000 size_t pdu_len;
2001 int err = 0;
2002 u8 sar;
c74e560c 2003
94122bbe 2004 BT_DBG("chan %p, msg %p, len %d", chan, msg, (int)len);
c74e560c 2005
94122bbe
MM		 2006 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2007 * so fragmented skbs are not used. The HCI layer's handling
2008 * of fragmented skbs is not compatible with ERTM's queueing.
2009 */
c74e560c 2010
94122bbe
MM		 2011 /* PDU size is derived from the HCI MTU */
2012 pdu_len = chan->conn->mtu;
c74e560c 2013
94122bbe
MM		 2014 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2015
2016 /* Adjust for largest possible L2CAP overhead. */
2017 pdu_len -= L2CAP_EXT_HDR_SIZE + L2CAP_FCS_SIZE;
2018
2019 /* Remote device may have requested smaller PDUs */
2020 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2021
2022 if (len <= pdu_len) {
2023 sar = L2CAP_SAR_UNSEGMENTED;
2024 sdu_len = 0;
2025 pdu_len = len;
2026 } else {
2027 sar = L2CAP_SAR_START;
2028 sdu_len = len;
2029 pdu_len -= L2CAP_SDULEN_SIZE;
2030 }
2031
2032 while (len > 0) {
2033 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2034
c74e560c 2035 if (IS_ERR(skb)) {
94122bbe 2036 __skb_queue_purge(seg_queue);
c74e560c
GP		 2037 return PTR_ERR(skb);
2038 }
2039
94122bbe
MM		 2040 bt_cb(skb)->control.sar = sar;
2041 __skb_queue_tail(seg_queue, skb);
2042
2043 len -= pdu_len;
2044 if (sdu_len) {
2045 sdu_len = 0;
2046 pdu_len += L2CAP_SDULEN_SIZE;
2047 }
2048
2049 if (len <= pdu_len) {
2050 sar = L2CAP_SAR_END;
2051 pdu_len = len;
2052 } else {
2053 sar = L2CAP_SAR_CONTINUE;
2054 }
c74e560c 2055 }
c74e560c 2056
94122bbe 2057 return err;
c74e560c
GP		 2058}
2059
5e59b791
LAD		 2060int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2061 u32 priority)
9a91a04a 2062{
9a91a04a 2063 struct sk_buff *skb;
9a91a04a 2064 int err;
94122bbe 2065 struct sk_buff_head seg_queue;
9a91a04a
GP		 2066
2067 /* Connectionless channel */
715ec005 2068 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2069 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2070 if (IS_ERR(skb))
2071 return PTR_ERR(skb);
2072
2073 l2cap_do_send(chan, skb);
2074 return len;
2075 }
2076
2077 switch (chan->mode) {
2078 case L2CAP_MODE_BASIC:
2079 /* Check outgoing MTU */
2080 if (len > chan->omtu)
2081 return -EMSGSIZE;
2082
2083 /* Create a basic PDU */
5e59b791 2084 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2085 if (IS_ERR(skb))
2086 return PTR_ERR(skb);
2087
2088 l2cap_do_send(chan, skb);
2089 err = len;
2090 break;
2091
2092 case L2CAP_MODE_ERTM:
2093 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2094 /* Check outgoing MTU */
2095 if (len > chan->omtu) {
2096 err = -EMSGSIZE;
2097 break;
2098 }
9a91a04a 2099
94122bbe 2100 __skb_queue_head_init(&seg_queue);
9a91a04a 2101
94122bbe
MM		 2102 /* Do segmentation before calling in to the state machine,
2103 * since it's possible to block while waiting for memory
2104 * allocation.
2105 */
2106 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2107
94122bbe
MM		 2108 /* The channel could have been closed while segmenting,
2109 * check that it is still connected.
2110 */
2111 if (chan->state != BT_CONNECTED) {
2112 __skb_queue_purge(&seg_queue);
2113 err = -ENOTCONN;
9a91a04a
GP		 2114 }
2115
94122bbe 2116 if (err)
9a91a04a 2117 break;
9a91a04a 2118
577cfaeb
MM		 2119 if (chan->mode == L2CAP_MODE_ERTM && chan->tx_send_head == NULL)
2120 chan->tx_send_head = seg_queue.next;
94122bbe 2121 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
577cfaeb 2122
94122bbe
MM		 2123 if (chan->mode == L2CAP_MODE_ERTM)
2124 err = l2cap_ertm_send(chan);
2125 else
2126 l2cap_streaming_send(chan);
9a91a04a 2127
9a91a04a
GP		 2128 if (err >= 0)
2129 err = len;
2130
94122bbe
MM		 2131 /* If the skbs were not queued for sending, they'll still be in
2132 * seg_queue and need to be purged.
2133 */
2134 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2135 break;
2136
2137 default:
2138 BT_DBG("bad state %1.1x", chan->mode);
2139 err = -EBADFD;
2140 }
2141
2142 return err;
2143}
2144
1da177e4
LT		 2145/* Copy frame to all raw sockets on that connection */
2146static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2147{
1da177e4 2148 struct sk_buff *nskb;
48454079 2149 struct l2cap_chan *chan;
1da177e4
LT		 2150
2151 BT_DBG("conn %p", conn);
2152
3df91ea2 2153 mutex_lock(&conn->chan_lock);
3d57dc68 2154
3df91ea2 2155 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2156 struct sock *sk = chan->sk;
715ec005 2157 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2158 continue;
2159
2160 /* Don't send frame to the socket it came from */
2161 if (skb->sk == sk)
2162 continue;
af05b30b
GP		 2163 nskb = skb_clone(skb, GFP_ATOMIC);
2164 if (!nskb)
1da177e4
LT		 2165 continue;
2166
23070494 2167 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT		 2168 kfree_skb(nskb);
2169 }
3d57dc68 2170
3df91ea2 2171 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2172}
2173
2174/* ---- L2CAP signalling commands ---- */
2175static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2176 u8 code, u8 ident, u16 dlen, void *data)
2177{
2178 struct sk_buff *skb, **frag;
2179 struct l2cap_cmd_hdr *cmd;
2180 struct l2cap_hdr *lh;
2181 int len, count;
2182
af05b30b
GP		 2183 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2184 conn, code, ident, dlen);
1da177e4
LT		 2185
2186 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2187 count = min_t(unsigned int, conn->mtu, len);
2188
2189 skb = bt_skb_alloc(count, GFP_ATOMIC);
2190 if (!skb)
2191 return NULL;
2192
2193 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2194 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2195
2196 if (conn->hcon->type == LE_LINK)
2197 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2198 else
2199 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2200
2201 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2202 cmd->code = code;
2203 cmd->ident = ident;
aca3192c 2204 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2205
2206 if (dlen) {
2207 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2208 memcpy(skb_put(skb, count), data, count);
2209 data += count;
2210 }
2211
2212 len -= skb->len;
2213
2214 /* Continuation fragments (no L2CAP header) */
2215 frag = &skb_shinfo(skb)->frag_list;
2216 while (len) {
2217 count = min_t(unsigned int, conn->mtu, len);
2218
2219 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2220 if (!*frag)
2221 goto fail;
2222
2223 memcpy(skb_put(*frag, count), data, count);
2224
2225 len -= count;
2226 data += count;
2227
2228 frag = &(*frag)->next;
2229 }
2230
2231 return skb;
2232
2233fail:
2234 kfree_skb(skb);
2235 return NULL;
2236}
2237
2238static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2239{
2240 struct l2cap_conf_opt *opt = *ptr;
2241 int len;
2242
2243 len = L2CAP_CONF_OPT_SIZE + opt->len;
2244 *ptr += len;
2245
2246 *type = opt->type;
2247 *olen = opt->len;
2248
2249 switch (opt->len) {
2250 case 1:
2251 *val = *((u8 *) opt->val);
2252 break;
2253
2254 case 2:
bfaaeb3e 2255 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2256 break;
2257
2258 case 4:
bfaaeb3e 2259 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2260 break;
2261
2262 default:
2263 *val = (unsigned long) opt->val;
2264 break;
2265 }
2266
2267 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2268 return len;
2269}
2270
1da177e4
LT		 2271static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2272{
2273 struct l2cap_conf_opt *opt = *ptr;
2274
2275 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2276
2277 opt->type = type;
2278 opt->len = len;
2279
2280 switch (len) {
2281 case 1:
2282 *((u8 *) opt->val) = val;
2283 break;
2284
2285 case 2:
4f8b691c 2286 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2287 break;
2288
2289 case 4:
4f8b691c 2290 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2291 break;
2292
2293 default:
2294 memcpy(opt->val, (void *) val, len);
2295 break;
2296 }
2297
2298 *ptr += L2CAP_CONF_OPT_SIZE + len;
2299}
2300
f89cef09
AE		 2301static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2302{
2303 struct l2cap_conf_efs efs;
2304
1ec918ce 2305 switch (chan->mode) {
f89cef09
AE		 2306 case L2CAP_MODE_ERTM:
2307 efs.id = chan->local_id;
2308 efs.stype = chan->local_stype;
2309 efs.msdu = cpu_to_le16(chan->local_msdu);
2310 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2311 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2312 efs.flush_to = cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
2313 break;
2314
2315 case L2CAP_MODE_STREAMING:
2316 efs.id = 1;
2317 efs.stype = L2CAP_SERV_BESTEFFORT;
2318 efs.msdu = cpu_to_le16(chan->local_msdu);
2319 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2320 efs.acc_lat = 0;
2321 efs.flush_to = 0;
2322 break;
2323
2324 default:
2325 return;
2326 }
2327
2328 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
2329 (unsigned long) &efs);
2330}
2331
721c4181 2332static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2333{
721c4181
GP		 2334 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2335 ack_timer.work);
c1b4f43b 2336
2fb9b3d4
GP		 2337 BT_DBG("chan %p", chan);
2338
6be36555
AE		 2339 l2cap_chan_lock(chan);
2340
b17e73bb 2341 __l2cap_send_ack(chan);
6be36555
AE		 2342
2343 l2cap_chan_unlock(chan);
09bfb2ee
SJ		 2344
2345 l2cap_chan_put(chan);
c1b4f43b
GP		 2346}
2347
3c588192 2348static inline int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2349{
3c588192
MM		 2350 int err;
2351
105bdf9e
MM		 2352 chan->next_tx_seq = 0;
2353 chan->expected_tx_seq = 0;
42e5c802 2354 chan->expected_ack_seq = 0;
6a026610 2355 chan->unacked_frames = 0;
42e5c802 2356 chan->buffer_seq = 0;
6a026610
GP		 2357 chan->num_acked = 0;
2358 chan->frames_sent = 0;
105bdf9e
MM		 2359 chan->last_acked_seq = 0;
2360 chan->sdu = NULL;
2361 chan->sdu_last_frag = NULL;
2362 chan->sdu_len = 0;
2363
d34c34fb
MM		 2364 skb_queue_head_init(&chan->tx_q);
2365
105bdf9e
MM		 2366 if (chan->mode != L2CAP_MODE_ERTM)
2367 return 0;
2368
2369 chan->rx_state = L2CAP_RX_STATE_RECV;
2370 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2371
721c4181
GP		 2372 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2373 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2374 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2375
f1c6775b 2376 skb_queue_head_init(&chan->srej_q);
1890d36b 2377
39d5a3ee 2378 INIT_LIST_HEAD(&chan->srej_l);
3c588192
MM		 2379 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2380 if (err < 0)
2381 return err;
2382
2383 return l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
0565c1c2
GP		 2384}
2385
f2fcfcd6
GP		 2386static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2387{
2388 switch (mode) {
2389 case L2CAP_MODE_STREAMING:
2390 case L2CAP_MODE_ERTM:
2391 if (l2cap_mode_supported(mode, remote_feat_mask))
2392 return mode;
2393 /* fall through */
2394 default:
2395 return L2CAP_MODE_BASIC;
2396 }
2397}
2398
6327eb98
AE		 2399static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2400{
2401 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2402}
2403
f89cef09
AE		 2404static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2405{
2406 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2407}
2408
6327eb98
AE		 2409static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2410{
2411 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 2412 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2413 /* use extended control field */
2414 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2415 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2416 } else {
6327eb98
AE		 2417 chan->tx_win = min_t(u16, chan->tx_win,
2418 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2419 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2420 }
6327eb98
AE		 2421}
2422
710f9b0a 2423static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2424{
1da177e4 2425 struct l2cap_conf_req *req = data;
0c1bc5c6 2426 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2427 void *ptr = req->data;
c8f79162 2428 u16 size;
1da177e4 2429
49208c9c 2430 BT_DBG("chan %p", chan);
1da177e4 2431
73ffa904 2432 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2433 goto done;
2434
0c1bc5c6 2435 switch (chan->mode) {
f2fcfcd6
GP		 2436 case L2CAP_MODE_STREAMING:
2437 case L2CAP_MODE_ERTM:
c1360a1c 2438 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2439 break;
85eb53c6 2440
f89cef09
AE		 2441 if (__l2cap_efs_supported(chan))
2442 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2443
2ba13ed6 2444 /* fall through */
f2fcfcd6 2445 default:
8c1d787b 2446 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2447 break;
2448 }
2449
2450done:
0c1bc5c6
GP		 2451 if (chan->imtu != L2CAP_DEFAULT_MTU)
2452 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2453
0c1bc5c6 2454 switch (chan->mode) {
65c7c491 2455 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2456 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2457 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2458 break;
2459
62547752
GP		 2460 rfc.mode = L2CAP_MODE_BASIC;
2461 rfc.txwin_size = 0;
2462 rfc.max_transmit = 0;
2463 rfc.retrans_timeout = 0;
2464 rfc.monitor_timeout = 0;
2465 rfc.max_pdu_size = 0;
2466
63406504
GP		 2467 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2468 (unsigned long) &rfc);
65c7c491
MH		 2469 break;
2470
2471 case L2CAP_MODE_ERTM:
2472 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2473 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2474 rfc.retrans_timeout = 0;
2475 rfc.monitor_timeout = 0;
c8f79162
AE		 2476
2477 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2478 L2CAP_EXT_HDR_SIZE -
2479 L2CAP_SDULEN_SIZE -
2480 L2CAP_FCS_SIZE);
2481 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2482
6327eb98
AE		 2483 l2cap_txwin_setup(chan);
2484
2485 rfc.txwin_size = min_t(u16, chan->tx_win,
2486 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2487
63406504
GP		 2488 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2489 (unsigned long) &rfc);
2490
f89cef09
AE		 2491 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2492 l2cap_add_opt_efs(&ptr, chan);
2493
8c1d787b 2494 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2495 break;
2496
47d1ec61 2497 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2498 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2499 chan->fcs = L2CAP_FCS_NONE;
2500 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2501 }
6327eb98
AE		 2502
2503 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2504 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2505 chan->tx_win);
f2fcfcd6
GP		 2506 break;
2507
2508 case L2CAP_MODE_STREAMING:
2509 rfc.mode = L2CAP_MODE_STREAMING;
2510 rfc.txwin_size = 0;
2511 rfc.max_transmit = 0;
2512 rfc.retrans_timeout = 0;
2513 rfc.monitor_timeout = 0;
c8f79162
AE		 2514
2515 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2516 L2CAP_EXT_HDR_SIZE -
2517 L2CAP_SDULEN_SIZE -
2518 L2CAP_FCS_SIZE);
2519 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2520
63406504
GP		 2521 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2522 (unsigned long) &rfc);
2523
f89cef09
AE		 2524 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2525 l2cap_add_opt_efs(&ptr, chan);
2526
8c1d787b 2527 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2528 break;
2529
47d1ec61 2530 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2531 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2532 chan->fcs = L2CAP_FCS_NONE;
2533 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2534 }
65c7c491
MH		 2535 break;
2536 }
1da177e4 2537
fe4128e0 2538 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 2539 req->flags = cpu_to_le16(0);
1da177e4
LT		 2540
2541 return ptr - data;
2542}
2543
73ffa904 2544static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2545{
5dee9e7c
MH		 2546 struct l2cap_conf_rsp *rsp = data;
2547 void *ptr = rsp->data;
73ffa904
GP		 2548 void *req = chan->conf_req;
2549 int len = chan->conf_len;
5dee9e7c
MH		 2550 int type, hint, olen;
2551 unsigned long val;
6464f35f 2552 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2553 struct l2cap_conf_efs efs;
2554 u8 remote_efs = 0;
861d6882 2555 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2556 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2557 u16 size;
1da177e4 2558
73ffa904 2559 BT_DBG("chan %p", chan);
820ae1b8 2560
5dee9e7c
MH		 2561 while (len >= L2CAP_CONF_OPT_SIZE) {
2562 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2563
589d2746 2564 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2565 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2566
2567 switch (type) {
2568 case L2CAP_CONF_MTU:
861d6882 2569 mtu = val;
5dee9e7c
MH		 2570 break;
2571
2572 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2573 chan->flush_to = val;
5dee9e7c
MH		 2574 break;
2575
2576 case L2CAP_CONF_QOS:
2577 break;
2578
6464f35f
MH		 2579 case L2CAP_CONF_RFC:
2580 if (olen == sizeof(rfc))
2581 memcpy(&rfc, (void *) val, olen);
2582 break;
2583
fcc203c3
GP		 2584 case L2CAP_CONF_FCS:
2585 if (val == L2CAP_FCS_NONE)
c1360a1c 2586 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 2587 break;
fcc203c3 2588
42dceae2
AE		 2589 case L2CAP_CONF_EFS:
2590 remote_efs = 1;
2591 if (olen == sizeof(efs))
2592 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 2593 break;
2594
6327eb98
AE		 2595 case L2CAP_CONF_EWS:
2596 if (!enable_hs)
2597 return -ECONNREFUSED;
fcc203c3 2598
6327eb98
AE		 2599 set_bit(FLAG_EXT_CTRL, &chan->flags);
2600 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 2601 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 2602 chan->remote_tx_win = val;
fcc203c3
GP		 2603 break;
2604
5dee9e7c
MH		 2605 default:
2606 if (hint)
2607 break;
2608
2609 result = L2CAP_CONF_UNKNOWN;
2610 *((u8 *) ptr++) = type;
2611 break;
2612 }
2613 }
2614
73ffa904 2615 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2616 goto done;
2617
0c1bc5c6 2618 switch (chan->mode) {
f2fcfcd6
GP		 2619 case L2CAP_MODE_STREAMING:
2620 case L2CAP_MODE_ERTM:
c1360a1c 2621 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2622 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2623 chan->conn->feat_mask);
85eb53c6
GP		 2624 break;
2625 }
2626
42dceae2
AE		 2627 if (remote_efs) {
2628 if (__l2cap_efs_supported(chan))
2629 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2630 else
2631 return -ECONNREFUSED;
2632 }
2633
0c1bc5c6 2634 if (chan->mode != rfc.mode)
f2fcfcd6 2635 return -ECONNREFUSED;
742e519b 2636
f2fcfcd6 2637 break;
f2fcfcd6
GP		 2638 }
2639
2640done:
0c1bc5c6 2641 if (chan->mode != rfc.mode) {
f2fcfcd6 2642 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2643 rfc.mode = chan->mode;
f2fcfcd6 2644
73ffa904 2645 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2646 return -ECONNREFUSED;
2647
2648 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2649 sizeof(rfc), (unsigned long) &rfc);
2650 }
2651
5dee9e7c
MH		 2652 if (result == L2CAP_CONF_SUCCESS) {
2653 /* Configure output options and let the other side know
2654 * which ones we don't like. */
2655
f2fcfcd6
GP		 2656 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2657 result = L2CAP_CONF_UNACCEPT;
2658 else {
0c1bc5c6 2659 chan->omtu = mtu;
c1360a1c 2660 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 2661 }
0c1bc5c6 2662 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2663
42dceae2
AE		 2664 if (remote_efs) {
2665 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2666 efs.stype != L2CAP_SERV_NOTRAFIC &&
2667 efs.stype != chan->local_stype) {
2668
2669 result = L2CAP_CONF_UNACCEPT;
2670
2671 if (chan->num_conf_req >= 1)
2672 return -ECONNREFUSED;
2673
2674 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 2675 sizeof(efs),
42dceae2 2676 (unsigned long) &efs);
0e8b207e 2677 } else {
3e6b3b95 2678 /* Send PENDING Conf Rsp */
0e8b207e
AE		 2679 result = L2CAP_CONF_PENDING;
2680 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 2681 }
2682 }
2683
f2fcfcd6
GP		 2684 switch (rfc.mode) {
2685 case L2CAP_MODE_BASIC:
47d1ec61 2686 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2687 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 2688 break;
2689
2690 case L2CAP_MODE_ERTM:
6327eb98
AE		 2691 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
2692 chan->remote_tx_win = rfc.txwin_size;
2693 else
2694 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 2695
2c03a7a4 2696 chan->remote_max_tx = rfc.max_transmit;
1c762159 2697
c8f79162
AE		 2698 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2699 chan->conn->mtu -
2700 L2CAP_EXT_HDR_SIZE -
2701 L2CAP_SDULEN_SIZE -
2702 L2CAP_FCS_SIZE);
2703 rfc.max_pdu_size = cpu_to_le16(size);
2704 chan->remote_mps = size;
f2fcfcd6 2705
10467e9e 2706 rfc.retrans_timeout =
4fd21a88 2707 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
10467e9e 2708 rfc.monitor_timeout =
4fd21a88 2709 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2710
c1360a1c 2711 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2712
2713 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2714 sizeof(rfc), (unsigned long) &rfc);
2715
42dceae2
AE		 2716 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2717 chan->remote_id = efs.id;
2718 chan->remote_stype = efs.stype;
2719 chan->remote_msdu = le16_to_cpu(efs.msdu);
2720 chan->remote_flush_to =
2721 le32_to_cpu(efs.flush_to);
2722 chan->remote_acc_lat =
2723 le32_to_cpu(efs.acc_lat);
2724 chan->remote_sdu_itime =
2725 le32_to_cpu(efs.sdu_itime);
2726 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2727 sizeof(efs), (unsigned long) &efs);
2728 }
f2fcfcd6
GP		 2729 break;
2730
2731 case L2CAP_MODE_STREAMING:
c8f79162
AE		 2732 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2733 chan->conn->mtu -
2734 L2CAP_EXT_HDR_SIZE -
2735 L2CAP_SDULEN_SIZE -
2736 L2CAP_FCS_SIZE);
2737 rfc.max_pdu_size = cpu_to_le16(size);
2738 chan->remote_mps = size;
f2fcfcd6 2739
c1360a1c 2740 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2741
2742 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2743 sizeof(rfc), (unsigned long) &rfc);
2744
f2fcfcd6
GP		 2745 break;
2746
2747 default:
5dee9e7c 2748 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2749
6464f35f 2750 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2751 rfc.mode = chan->mode;
f2fcfcd6 2752 }
6464f35f 2753
f2fcfcd6 2754 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 2755 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 2756 }
fe4128e0 2757 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2758 rsp->result = cpu_to_le16(result);
2759 rsp->flags = cpu_to_le16(0x0000);
2760
2761 return ptr - data;
1da177e4
LT		 2762}
2763
b4450035 2764static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2765{
f2fcfcd6
GP		 2766 struct l2cap_conf_req *req = data;
2767 void *ptr = req->data;
2768 int type, olen;
2769 unsigned long val;
36e999a8 2770 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 2771 struct l2cap_conf_efs efs;
f2fcfcd6 2772
fe4128e0 2773 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 2774
2775 while (len >= L2CAP_CONF_OPT_SIZE) {
2776 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2777
2778 switch (type) {
2779 case L2CAP_CONF_MTU:
2780 if (val < L2CAP_DEFAULT_MIN_MTU) {
2781 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2782 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2783 } else
0c1bc5c6
GP		 2784 chan->imtu = val;
2785 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 2786 break;
2787
2788 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2789 chan->flush_to = val;
f2fcfcd6 2790 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 2791 2, chan->flush_to);
f2fcfcd6
GP		 2792 break;
2793
2794 case L2CAP_CONF_RFC:
2795 if (olen == sizeof(rfc))
2796 memcpy(&rfc, (void *)val, olen);
2797
c1360a1c 2798 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 2799 rfc.mode != chan->mode)
f2fcfcd6
GP		 2800 return -ECONNREFUSED;
2801
47d1ec61 2802 chan->fcs = 0;
f2fcfcd6
GP		 2803
2804 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2805 sizeof(rfc), (unsigned long) &rfc);
2806 break;
6327eb98
AE		 2807
2808 case L2CAP_CONF_EWS:
2809 chan->tx_win = min_t(u16, val,
2810 L2CAP_DEFAULT_EXT_WINDOW);
3e6b3b95
GP		 2811 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2812 chan->tx_win);
6327eb98 2813 break;
66af7aaf
AE		 2814
2815 case L2CAP_CONF_EFS:
2816 if (olen == sizeof(efs))
2817 memcpy(&efs, (void *)val, olen);
2818
2819 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2820 efs.stype != L2CAP_SERV_NOTRAFIC &&
2821 efs.stype != chan->local_stype)
2822 return -ECONNREFUSED;
2823
2824 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2825 sizeof(efs), (unsigned long) &efs);
2826 break;
f2fcfcd6
GP		 2827 }
2828 }
2829
0c1bc5c6 2830 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 2831 return -ECONNREFUSED;
2832
0c1bc5c6 2833 chan->mode = rfc.mode;
6c2ea7a8 2834
0e8b207e 2835 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 2836 switch (rfc.mode) {
2837 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2838 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2839 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2840 chan->mps = le16_to_cpu(rfc.max_pdu_size);
66af7aaf
AE		 2841
2842 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2843 chan->local_msdu = le16_to_cpu(efs.msdu);
2844 chan->local_sdu_itime =
2845 le32_to_cpu(efs.sdu_itime);
2846 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
2847 chan->local_flush_to =
2848 le32_to_cpu(efs.flush_to);
2849 }
f2fcfcd6 2850 break;
66af7aaf 2851
f2fcfcd6 2852 case L2CAP_MODE_STREAMING:
47d1ec61 2853 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2854 }
2855 }
2856
fe4128e0 2857 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 2858 req->flags = cpu_to_le16(0x0000);
2859
2860 return ptr - data;
2861}
2862
fe4128e0 2863static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 2864{
2865 struct l2cap_conf_rsp *rsp = data;
2866 void *ptr = rsp->data;
1da177e4 2867
fe4128e0 2868 BT_DBG("chan %p", chan);
1da177e4 2869
fe4128e0 2870 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 2871 rsp->result = cpu_to_le16(result);
aca3192c 2872 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2873
2874 return ptr - data;
2875}
2876
8c1d787b 2877void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 2878{
2879 struct l2cap_conn_rsp rsp;
8c1d787b 2880 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 2881 u8 buf[128];
2882
fe4128e0
GP		 2883 rsp.scid = cpu_to_le16(chan->dcid);
2884 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 2885 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2886 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2887 l2cap_send_cmd(conn, chan->ident,
2888 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2889
c1360a1c 2890 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 2891 return;
2892
710f9b0a
GP		 2893 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2894 l2cap_build_conf_req(chan, buf), buf);
2895 chan->num_conf_req++;
2896}
2897
47d1ec61 2898static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 2899{
7b1c0049
GP		 2900 int type, olen;
2901 unsigned long val;
2902 struct l2cap_conf_rfc rfc;
2903
47d1ec61 2904 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 2905
0c1bc5c6 2906 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 2907 return;
2908
2909 while (len >= L2CAP_CONF_OPT_SIZE) {
2910 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2911
2912 switch (type) {
2913 case L2CAP_CONF_RFC:
2914 if (olen == sizeof(rfc))
2915 memcpy(&rfc, (void *)val, olen);
2916 goto done;
2917 }
2918 }
2919
36e999a8
MM		 2920 /* Use sane default values in case a misbehaving remote device
2921 * did not send an RFC option.
2922 */
2923 rfc.mode = chan->mode;
2924 rfc.retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
2925 rfc.monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
2926 rfc.max_pdu_size = cpu_to_le16(chan->imtu);
2927
2928 BT_ERR("Expected RFC option was not found, using defaults");
2929
7b1c0049
GP		 2930done:
2931 switch (rfc.mode) {
2932 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2933 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2934 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2935 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2936 break;
2937 case L2CAP_MODE_STREAMING:
47d1ec61 2938 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2939 }
2940}
2941
4e8402a3
MH		 2942static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2943{
e2fd318e 2944 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 2945
e2fd318e 2946 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 2947 return 0;
2948
2949 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2950 cmd->ident == conn->info_ident) {
17cd3f37 2951 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 2952
2953 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2954 conn->info_ident = 0;
984947dc 2955
4e8402a3
MH		 2956 l2cap_conn_start(conn);
2957 }
2958
2959 return 0;
2960}
2961
1da177e4
LT		 2962static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2963{
1da177e4
LT		 2964 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2965 struct l2cap_conn_rsp rsp;
23691d75 2966 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 2967 struct sock *parent, *sk = NULL;
e7c29cb1 2968 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2969
2970 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2971 __le16 psm = req->psm;
1da177e4 2972
097db76c 2973 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 2974
2975 /* Check if we have socket listening on psm */
c2287681 2976 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 2977 if (!pchan) {
1da177e4
LT		 2978 result = L2CAP_CR_BAD_PSM;
2979 goto sendresp;
2980 }
2981
23691d75
GP		 2982 parent = pchan->sk;
2983
3df91ea2 2984 mutex_lock(&conn->chan_lock);
aa2ac881 2985 lock_sock(parent);
e0f0cb56 2986
e7c29cb1
MH		 2987 /* Check if the ACL is secure enough (if not SDP) */
2988 if (psm != cpu_to_le16(0x0001) &&
2989 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 2990 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 2991 result = L2CAP_CR_SEC_BLOCK;
2992 goto response;
2993 }
2994
1da177e4
LT		 2995 result = L2CAP_CR_NO_MEM;
2996
2997 /* Check for backlog size */
2998 if (sk_acceptq_is_full(parent)) {
8e87d142 2999 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 3000 goto response;
3001 }
3002
80808e43
GP		 3003 chan = pchan->ops->new_connection(pchan->data);
3004 if (!chan)
1da177e4
LT		 3005 goto response;
3006
80808e43
GP		 3007 sk = chan->sk;
3008
1da177e4 3009 /* Check if we already have channel with that dcid */
baa7e1fa 3010 if (__l2cap_get_chan_by_dcid(conn, scid)) {
1da177e4 3011 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 3012 chan->ops->close(chan->data);
1da177e4
LT		 3013 goto response;
3014 }
3015
3016 hci_conn_hold(conn->hcon);
3017
1da177e4
LT		 3018 bacpy(&bt_sk(sk)->src, conn->src);
3019 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3020 chan->psm = psm;
3021 chan->dcid = scid;
1da177e4 3022
d1010240
GP		 3023 bt_accept_enqueue(parent, sk);
3024
6be36555 3025 __l2cap_chan_add(conn, chan);
48454079 3026
fe4128e0 3027 dcid = chan->scid;
1da177e4 3028
c9b66675 3029 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3030
fc7f8a7e 3031 chan->ident = cmd->ident;
1da177e4 3032
984947dc 3033 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3034 if (l2cap_chan_check_security(chan)) {
f66dc81f 3035 if (bt_sk(sk)->defer_setup) {
0e587be7 3036 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3037 result = L2CAP_CR_PEND;
3038 status = L2CAP_CS_AUTHOR_PEND;
3039 parent->sk_data_ready(parent, 0);
3040 } else {
0e587be7 3041 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 3042 result = L2CAP_CR_SUCCESS;
3043 status = L2CAP_CS_NO_INFO;
3044 }
79d554a6 3045 } else {
0e587be7 3046 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3047 result = L2CAP_CR_PEND;
3048 status = L2CAP_CS_AUTHEN_PEND;
3049 }
3050 } else {
0e587be7 3051 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3052 result = L2CAP_CR_PEND;
3053 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3054 }
3055
1da177e4 3056response:
aa2ac881 3057 release_sock(parent);
3df91ea2 3058 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3059
3060sendresp:
aca3192c
YH		 3061 rsp.scid = cpu_to_le16(scid);
3062 rsp.dcid = cpu_to_le16(dcid);
3063 rsp.result = cpu_to_le16(result);
3064 rsp.status = cpu_to_le16(status);
1da177e4 3065 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 3066
3067 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3068 struct l2cap_info_req info;
3069 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3070
3071 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3072 conn->info_ident = l2cap_get_ident(conn);
3073
ba13ccd9 3074 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 3075
3076 l2cap_send_cmd(conn, conn->info_ident,
3077 L2CAP_INFO_REQ, sizeof(info), &info);
3078 }
3079
c1360a1c 3080 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 3081 result == L2CAP_CR_SUCCESS) {
3082 u8 buf[128];
c1360a1c 3083 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3084 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3085 l2cap_build_conf_req(chan, buf), buf);
3086 chan->num_conf_req++;
e9aeb2dd
GP		 3087 }
3088
1da177e4
LT		 3089 return 0;
3090}
3091
3092static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3093{
3094 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3095 u16 scid, dcid, result, status;
48454079 3096 struct l2cap_chan *chan;
1da177e4 3097 u8 req[128];
3df91ea2 3098 int err;
1da177e4
LT		 3099
3100 scid = __le16_to_cpu(rsp->scid);
3101 dcid = __le16_to_cpu(rsp->dcid);
3102 result = __le16_to_cpu(rsp->result);
3103 status = __le16_to_cpu(rsp->status);
3104
1b009c98
AE		 3105 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3106 dcid, scid, result, status);
1da177e4 3107
3df91ea2
AE		 3108 mutex_lock(&conn->chan_lock);
3109
1da177e4 3110 if (scid) {
3df91ea2
AE		 3111 chan = __l2cap_get_chan_by_scid(conn, scid);
3112 if (!chan) {
3113 err = -EFAULT;
3114 goto unlock;
3115 }
1da177e4 3116 } else {
3df91ea2
AE		 3117 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3118 if (!chan) {
3119 err = -EFAULT;
3120 goto unlock;
3121 }
1da177e4
LT		 3122 }
3123
3df91ea2
AE		 3124 err = 0;
3125
6be36555 3126 l2cap_chan_lock(chan);
48454079 3127
1da177e4
LT		 3128 switch (result) {
3129 case L2CAP_CR_SUCCESS:
89bc500e 3130 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3131 chan->ident = 0;
fe4128e0 3132 chan->dcid = dcid;
c1360a1c 3133 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3134
c1360a1c 3135 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3136 break;
3137
1da177e4 3138 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3139 l2cap_build_conf_req(chan, req), req);
3140 chan->num_conf_req++;
1da177e4
LT		 3141 break;
3142
3143 case L2CAP_CR_PEND:
c1360a1c 3144 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3145 break;
3146
3147 default:
48454079 3148 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3149 break;
3150 }
3151
6be36555 3152 l2cap_chan_unlock(chan);
3df91ea2
AE		 3153
3154unlock:
3155 mutex_unlock(&conn->chan_lock);
3156
3157 return err;
1da177e4
LT		 3158}
3159
47d1ec61 3160static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3161{
3162 /* FCS is enabled only in ERTM or streaming mode, if one or both
3163 * sides request it.
3164 */
0c1bc5c6 3165 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3166 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3167 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3168 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3169}
3170
88219a0f 3171static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 3172{
3173 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3174 u16 dcid, flags;
3175 u8 rsp[64];
48454079 3176 struct l2cap_chan *chan;
3c588192 3177 int len, err = 0;
1da177e4
LT		 3178
3179 dcid = __le16_to_cpu(req->dcid);
3180 flags = __le16_to_cpu(req->flags);
3181
3182 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3183
baa7e1fa 3184 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3185 if (!chan)
1da177e4
LT		 3186 return -ENOENT;
3187
033b1142 3188 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3189 struct l2cap_cmd_rej_cid rej;
3190
3191 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
3192 rej.scid = cpu_to_le16(chan->scid);
3193 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3194
df6bd743
GP		 3195 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
3196 sizeof(rej), &rej);
354f60a9 3197 goto unlock;
df6bd743 3198 }
354f60a9 3199
5dee9e7c 3200 /* Reject if config buffer is too small. */
88219a0f 3201 len = cmd_len - sizeof(*req);
7ac28817 3202 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3203 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3204 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 3205 L2CAP_CONF_REJECT, flags), rsp);
3206 goto unlock;
3207 }
3208
3209 /* Store config. */
73ffa904
GP		 3210 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3211 chan->conf_len += len;
1da177e4
LT		 3212
3213 if (flags & 0x0001) {
3214 /* Incomplete config. Send empty response. */
3215 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3216 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 3217 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 3218 goto unlock;
3219 }
3220
3221 /* Complete config. */
73ffa904 3222 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3223 if (len < 0) {
e92c8e70 3224 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 3225 goto unlock;
f2fcfcd6 3226 }
1da177e4 3227
5dee9e7c 3228 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3229 chan->num_conf_rsp++;
5dee9e7c 3230
5dee9e7c 3231 /* Reset config buffer. */
73ffa904 3232 chan->conf_len = 0;
5dee9e7c 3233
c1360a1c 3234 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3235 goto unlock;
3236
c1360a1c 3237 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3238 set_default_fcs(chan);
fcc203c3 3239
89bc500e 3240 l2cap_state_change(chan, BT_CONNECTED);
e90bac06 3241
105bdf9e
MM		 3242 if (chan->mode == L2CAP_MODE_ERTM ||
3243 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3244 err = l2cap_ertm_init(chan);
3245
3246 if (err < 0)
3247 l2cap_send_disconn_req(chan->conn, chan, -err);
3248 else
3249 l2cap_chan_ready(chan);
0565c1c2 3250
876d9484
MH		 3251 goto unlock;
3252 }
3253
c1360a1c 3254 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3255 u8 buf[64];
1da177e4 3256 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3257 l2cap_build_conf_req(chan, buf), buf);
3258 chan->num_conf_req++;
1da177e4
LT		 3259 }
3260
0e8b207e
AE		 3261 /* Got Conf Rsp PENDING from remote side and asume we sent
3262 Conf Rsp PENDING in the code above */
3263 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
3264 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3265
3266 /* check compatibility */
3267
3268 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3269 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3270
3271 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3272 l2cap_build_conf_rsp(chan, rsp,
0e8b207e
AE		 3273 L2CAP_CONF_SUCCESS, 0x0000), rsp);
3274 }
3275
1da177e4 3276unlock:
6be36555 3277 l2cap_chan_unlock(chan);
3c588192 3278 return err;
1da177e4
LT		 3279}
3280
3281static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3282{
3283 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3284 u16 scid, flags, result;
48454079 3285 struct l2cap_chan *chan;
61386cba 3286 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3287 int err = 0;
1da177e4
LT		 3288
3289 scid = __le16_to_cpu(rsp->scid);
3290 flags = __le16_to_cpu(rsp->flags);
3291 result = __le16_to_cpu(rsp->result);
3292
61386cba
AE		 3293 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3294 result, len);
1da177e4 3295
baa7e1fa 3296 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3297 if (!chan)
1da177e4
LT		 3298 return 0;
3299
3300 switch (result) {
3301 case L2CAP_CONF_SUCCESS:
47d1ec61 3302 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3303 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3304 break;
3305
0e8b207e
AE		 3306 case L2CAP_CONF_PENDING:
3307 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3308
3309 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3310 char buf[64];
3311
3312 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3313 buf, &result);
3314 if (len < 0) {
3315 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3316 goto done;
3317 }
3318
3319 /* check compatibility */
3320
3321 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3322 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3323
3324 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3325 l2cap_build_conf_rsp(chan, buf,
0e8b207e
AE		 3326 L2CAP_CONF_SUCCESS, 0x0000), buf);
3327 }
3328 goto done;
3329
1da177e4 3330 case L2CAP_CONF_UNACCEPT:
73ffa904 3331 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3332 char req[64];
3333
c2c77ec8 3334 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 3335 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 3336 goto done;
3337 }
3338
f2fcfcd6
GP		 3339 /* throw out any old stored conf requests */
3340 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 3341 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3342 req, &result);
f2fcfcd6 3343 if (len < 0) {
e92c8e70 3344 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 3345 goto done;
3346 }
3347
3348 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3349 L2CAP_CONF_REQ, len, req);
73ffa904 3350 chan->num_conf_req++;
f2fcfcd6
GP		 3351 if (result != L2CAP_CONF_SUCCESS)
3352 goto done;
3353 break;
1da177e4
LT		 3354 }
3355
8e87d142 3356 default:
6be36555 3357 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 3358
ba13ccd9 3359 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 3360 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 3361 goto done;
3362 }
3363
3364 if (flags & 0x01)
3365 goto done;
3366
c1360a1c 3367 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 3368
c1360a1c 3369 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 3370 set_default_fcs(chan);
fcc203c3 3371
89bc500e 3372 l2cap_state_change(chan, BT_CONNECTED);
105bdf9e
MM		 3373 if (chan->mode == L2CAP_MODE_ERTM ||
3374 chan->mode == L2CAP_MODE_STREAMING)
3c588192 3375 err = l2cap_ertm_init(chan);
0565c1c2 3376
3c588192
MM		 3377 if (err < 0)
3378 l2cap_send_disconn_req(chan->conn, chan, -err);
3379 else
3380 l2cap_chan_ready(chan);
1da177e4
LT		 3381 }
3382
3383done:
6be36555 3384 l2cap_chan_unlock(chan);
3c588192 3385 return err;
1da177e4
LT		 3386}
3387
3388static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3389{
3390 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3391 struct l2cap_disconn_rsp rsp;
3392 u16 dcid, scid;
48454079 3393 struct l2cap_chan *chan;
1da177e4
LT		 3394 struct sock *sk;
3395
3396 scid = __le16_to_cpu(req->scid);
3397 dcid = __le16_to_cpu(req->dcid);
3398
3399 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3400
3df91ea2
AE		 3401 mutex_lock(&conn->chan_lock);
3402
3403 chan = __l2cap_get_chan_by_scid(conn, dcid);
3404 if (!chan) {
3405 mutex_unlock(&conn->chan_lock);
1da177e4 3406 return 0;
3df91ea2 3407 }
1da177e4 3408
6be36555
AE		 3409 l2cap_chan_lock(chan);
3410
48454079
GP		 3411 sk = chan->sk;
3412
fe4128e0
GP		 3413 rsp.dcid = cpu_to_le16(chan->scid);
3414 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3415 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3416
6be36555 3417 lock_sock(sk);
1da177e4 3418 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 3419 release_sock(sk);
1da177e4 3420
61d6ef3e 3421 l2cap_chan_hold(chan);
48454079 3422 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 3423
3424 l2cap_chan_unlock(chan);
1da177e4 3425
ba3bd0ee 3426 chan->ops->close(chan->data);
61d6ef3e 3427 l2cap_chan_put(chan);
3df91ea2
AE		 3428
3429 mutex_unlock(&conn->chan_lock);
3430
1da177e4
LT		 3431 return 0;
3432}
3433
3434static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3435{
3436 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3437 u16 dcid, scid;
48454079 3438 struct l2cap_chan *chan;
1da177e4
LT		 3439
3440 scid = __le16_to_cpu(rsp->scid);
3441 dcid = __le16_to_cpu(rsp->dcid);
3442
3443 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3444
3df91ea2
AE		 3445 mutex_lock(&conn->chan_lock);
3446
3447 chan = __l2cap_get_chan_by_scid(conn, scid);
3448 if (!chan) {
3449 mutex_unlock(&conn->chan_lock);
1da177e4 3450 return 0;
3df91ea2 3451 }
1da177e4 3452
6be36555 3453 l2cap_chan_lock(chan);
48454079 3454
61d6ef3e 3455 l2cap_chan_hold(chan);
48454079 3456 l2cap_chan_del(chan, 0);
6be36555
AE		 3457
3458 l2cap_chan_unlock(chan);
1da177e4 3459
ba3bd0ee 3460 chan->ops->close(chan->data);
61d6ef3e 3461 l2cap_chan_put(chan);
3df91ea2
AE		 3462
3463 mutex_unlock(&conn->chan_lock);
3464
1da177e4
LT		 3465 return 0;
3466}
3467
3468static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3469{
3470 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3471 u16 type;
3472
3473 type = __le16_to_cpu(req->type);
3474
3475 BT_DBG("type 0x%4.4x", type);
3476
f0709e03
MH		 3477 if (type == L2CAP_IT_FEAT_MASK) {
3478 u8 buf[8];
44dd46de 3479 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 3480 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3481 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3482 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3483 if (!disable_ertm)
fcc203c3
GP		 3484 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3485 | L2CAP_FEAT_FCS;
a5fd6f30 3486 if (enable_hs)
6327eb98
AE		 3487 feat_mask |= L2CAP_FEAT_EXT_FLOW
3488 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3489
1b7bf4ed 3490 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3491 l2cap_send_cmd(conn, cmd->ident,
3492 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3493 } else if (type == L2CAP_IT_FIXED_CHAN) {
3494 u8 buf[12];
3495 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3496
3497 if (enable_hs)
3498 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3499 else
3500 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3501
e1027a7c
MH		 3502 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3503 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3504 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH		 3505 l2cap_send_cmd(conn, cmd->ident,
3506 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3507 } else {
3508 struct l2cap_info_rsp rsp;
3509 rsp.type = cpu_to_le16(type);
3510 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3511 l2cap_send_cmd(conn, cmd->ident,
3512 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3513 }
1da177e4
LT		 3514
3515 return 0;
3516}
3517
3518static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3519{
3520 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3521 u16 type, result;
3522
3523 type = __le16_to_cpu(rsp->type);
3524 result = __le16_to_cpu(rsp->result);
3525
3526 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3527
e90165be
AE		 3528 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3529 if (cmd->ident != conn->info_ident ||
3530 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3531 return 0;
3532
17cd3f37 3533 cancel_delayed_work(&conn->info_timer);
4e8402a3 3534
adb08ede
VT		 3535 if (result != L2CAP_IR_SUCCESS) {
3536 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3537 conn->info_ident = 0;
3538
3539 l2cap_conn_start(conn);
3540
3541 return 0;
3542 }
3543
978c93b9
AE		 3544 switch (type) {
3545 case L2CAP_IT_FEAT_MASK:
83985319 3546 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3547
47ec1dcd 3548 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 3549 struct l2cap_info_req req;
3550 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3551
3552 conn->info_ident = l2cap_get_ident(conn);
3553
3554 l2cap_send_cmd(conn, conn->info_ident,
3555 L2CAP_INFO_REQ, sizeof(req), &req);
3556 } else {
3557 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3558 conn->info_ident = 0;
3559
3560 l2cap_conn_start(conn);
3561 }
978c93b9
AE		 3562 break;
3563
3564 case L2CAP_IT_FIXED_CHAN:
3565 conn->fixed_chan_mask = rsp->data[0];
984947dc 3566 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3567 conn->info_ident = 0;
984947dc
MH		 3568
3569 l2cap_conn_start(conn);
978c93b9 3570 break;
984947dc 3571 }
4e8402a3 3572
1da177e4
LT		 3573 return 0;
3574}
3575
f94ff6ff
MM		 3576static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3577 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3578 void *data)
3579{
3580 struct l2cap_create_chan_req *req = data;
3581 struct l2cap_create_chan_rsp rsp;
3582 u16 psm, scid;
3583
3584 if (cmd_len != sizeof(*req))
3585 return -EPROTO;
3586
3587 if (!enable_hs)
3588 return -EINVAL;
3589
3590 psm = le16_to_cpu(req->psm);
3591 scid = le16_to_cpu(req->scid);
3592
3593 BT_DBG("psm %d, scid %d, amp_id %d", psm, scid, req->amp_id);
3594
3595 /* Placeholder: Always reject */
3596 rsp.dcid = 0;
3597 rsp.scid = cpu_to_le16(scid);
8ce0c498
AE		 3598 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
3599 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f94ff6ff
MM		 3600
3601 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
3602 sizeof(rsp), &rsp);
3603
3604 return 0;
3605}
3606
3607static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
3608 struct l2cap_cmd_hdr *cmd, void *data)
3609{
3610 BT_DBG("conn %p", conn);
3611
3612 return l2cap_connect_rsp(conn, cmd, data);
3613}
3614
8d5a04a1
MM		 3615static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
3616 u16 icid, u16 result)
3617{
3618 struct l2cap_move_chan_rsp rsp;
3619
3620 BT_DBG("icid %d, result %d", icid, result);
3621
3622 rsp.icid = cpu_to_le16(icid);
3623 rsp.result = cpu_to_le16(result);
3624
3625 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
3626}
3627
3628static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
3629 struct l2cap_chan *chan, u16 icid, u16 result)
3630{
3631 struct l2cap_move_chan_cfm cfm;
3632 u8 ident;
3633
3634 BT_DBG("icid %d, result %d", icid, result);
3635
3636 ident = l2cap_get_ident(conn);
3637 if (chan)
3638 chan->ident = ident;
3639
3640 cfm.icid = cpu_to_le16(icid);
3641 cfm.result = cpu_to_le16(result);
3642
3643 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
3644}
3645
3646static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
3647 u16 icid)
3648{
3649 struct l2cap_move_chan_cfm_rsp rsp;
3650
3651 BT_DBG("icid %d", icid);
3652
3653 rsp.icid = cpu_to_le16(icid);
3654 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
3655}
3656
3657static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
3658 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3659{
3660 struct l2cap_move_chan_req *req = data;
3661 u16 icid = 0;
3662 u16 result = L2CAP_MR_NOT_ALLOWED;
3663
3664 if (cmd_len != sizeof(*req))
3665 return -EPROTO;
3666
3667 icid = le16_to_cpu(req->icid);
3668
3669 BT_DBG("icid %d, dest_amp_id %d", icid, req->dest_amp_id);
3670
3671 if (!enable_hs)
3672 return -EINVAL;
3673
3674 /* Placeholder: Always refuse */
3675 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
3676
3677 return 0;
3678}
3679
3680static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
3681 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3682{
3683 struct l2cap_move_chan_rsp *rsp = data;
3684 u16 icid, result;
3685
3686 if (cmd_len != sizeof(*rsp))
3687 return -EPROTO;
3688
3689 icid = le16_to_cpu(rsp->icid);
3690 result = le16_to_cpu(rsp->result);
3691
3692 BT_DBG("icid %d, result %d", icid, result);
3693
3694 /* Placeholder: Always unconfirmed */
3695 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
3696
3697 return 0;
3698}
3699
3700static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
3701 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3702{
3703 struct l2cap_move_chan_cfm *cfm = data;
3704 u16 icid, result;
3705
3706 if (cmd_len != sizeof(*cfm))
3707 return -EPROTO;
3708
3709 icid = le16_to_cpu(cfm->icid);
3710 result = le16_to_cpu(cfm->result);
3711
3712 BT_DBG("icid %d, result %d", icid, result);
3713
3714 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
3715
3716 return 0;
3717}
3718
3719static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
3720 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3721{
3722 struct l2cap_move_chan_cfm_rsp *rsp = data;
3723 u16 icid;
3724
3725 if (cmd_len != sizeof(*rsp))
3726 return -EPROTO;
3727
3728 icid = le16_to_cpu(rsp->icid);
3729
3730 BT_DBG("icid %d", icid);
3731
3732 return 0;
3733}
3734
e2174ca4 3735static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 3736 u16 to_multiplier)
3737{
3738 u16 max_latency;
3739
3740 if (min > max || min < 6 || max > 3200)
3741 return -EINVAL;
3742
3743 if (to_multiplier < 10 || to_multiplier > 3200)
3744 return -EINVAL;
3745
3746 if (max >= to_multiplier * 8)
3747 return -EINVAL;
3748
3749 max_latency = (to_multiplier * 8 / max) - 1;
3750 if (latency > 499 || latency > max_latency)
3751 return -EINVAL;
3752
3753 return 0;
3754}
3755
3756static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
3757 struct l2cap_cmd_hdr *cmd, u8 *data)
3758{
3759 struct hci_conn *hcon = conn->hcon;
3760 struct l2cap_conn_param_update_req *req;
3761 struct l2cap_conn_param_update_rsp rsp;
3762 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 3763 int err;
de73115a
CT		 3764
3765 if (!(hcon->link_mode & HCI_LM_MASTER))
3766 return -EINVAL;
3767
3768 cmd_len = __le16_to_cpu(cmd->len);
3769 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
3770 return -EPROTO;
3771
3772 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 3773 min = __le16_to_cpu(req->min);
3774 max = __le16_to_cpu(req->max);
de73115a
CT		 3775 latency = __le16_to_cpu(req->latency);
3776 to_multiplier = __le16_to_cpu(req->to_multiplier);
3777
3778 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
3779 min, max, latency, to_multiplier);
3780
3781 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 3782
3783 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
3784 if (err)
de73115a
CT		 3785 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
3786 else
3787 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
3788
3789 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
3790 sizeof(rsp), &rsp);
3791
2ce603eb
CT		 3792 if (!err)
3793 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
3794
de73115a
CT		 3795 return 0;
3796}
3797
3300d9a9
CT		 3798static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
3799 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3800{
3801 int err = 0;
3802
3803 switch (cmd->code) {
3804 case L2CAP_COMMAND_REJ:
3805 l2cap_command_rej(conn, cmd, data);
3806 break;
3807
3808 case L2CAP_CONN_REQ:
3809 err = l2cap_connect_req(conn, cmd, data);
3810 break;
3811
3812 case L2CAP_CONN_RSP:
3813 err = l2cap_connect_rsp(conn, cmd, data);
3814 break;
3815
3816 case L2CAP_CONF_REQ:
3817 err = l2cap_config_req(conn, cmd, cmd_len, data);
3818 break;
3819
3820 case L2CAP_CONF_RSP:
3821 err = l2cap_config_rsp(conn, cmd, data);
3822 break;
3823
3824 case L2CAP_DISCONN_REQ:
3825 err = l2cap_disconnect_req(conn, cmd, data);
3826 break;
3827
3828 case L2CAP_DISCONN_RSP:
3829 err = l2cap_disconnect_rsp(conn, cmd, data);
3830 break;
3831
3832 case L2CAP_ECHO_REQ:
3833 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
3834 break;
3835
3836 case L2CAP_ECHO_RSP:
3837 break;
3838
3839 case L2CAP_INFO_REQ:
3840 err = l2cap_information_req(conn, cmd, data);
3841 break;
3842
3843 case L2CAP_INFO_RSP:
3844 err = l2cap_information_rsp(conn, cmd, data);
3845 break;
3846
f94ff6ff
MM		 3847 case L2CAP_CREATE_CHAN_REQ:
3848 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
3849 break;
3850
3851 case L2CAP_CREATE_CHAN_RSP:
3852 err = l2cap_create_channel_rsp(conn, cmd, data);
3853 break;
3854
8d5a04a1
MM		 3855 case L2CAP_MOVE_CHAN_REQ:
3856 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
3857 break;
3858
3859 case L2CAP_MOVE_CHAN_RSP:
3860 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
3861 break;
3862
3863 case L2CAP_MOVE_CHAN_CFM:
3864 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
3865 break;
3866
3867 case L2CAP_MOVE_CHAN_CFM_RSP:
3868 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
3869 break;
3870
3300d9a9
CT		 3871 default:
3872 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
3873 err = -EINVAL;
3874 break;
3875 }
3876
3877 return err;
3878}
3879
3880static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
3881 struct l2cap_cmd_hdr *cmd, u8 *data)
3882{
3883 switch (cmd->code) {
3884 case L2CAP_COMMAND_REJ:
3885 return 0;
3886
3887 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 3888 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 3889
3890 case L2CAP_CONN_PARAM_UPDATE_RSP:
3891 return 0;
3892
3893 default:
3894 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
3895 return -EINVAL;
3896 }
3897}
3898
3899static inline void l2cap_sig_channel(struct l2cap_conn *conn,
3900 struct sk_buff *skb)
1da177e4
LT		 3901{
3902 u8 *data = skb->data;
3903 int len = skb->len;
3904 struct l2cap_cmd_hdr cmd;
3300d9a9 3905 int err;
1da177e4
LT		 3906
3907 l2cap_raw_recv(conn, skb);
3908
3909 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3910 u16 cmd_len;
1da177e4
LT		 3911 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3912 data += L2CAP_CMD_HDR_SIZE;
3913 len -= L2CAP_CMD_HDR_SIZE;
3914
88219a0f 3915 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3916
88219a0f 3917 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3918
88219a0f 3919 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3920 BT_DBG("corrupted command");
3921 break;
3922 }
3923
3300d9a9
CT		 3924 if (conn->hcon->type == LE_LINK)
3925 err = l2cap_le_sig_cmd(conn, &cmd, data);
3926 else
3927 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 3928
3929 if (err) {
e2fd318e 3930 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 3931
3932 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 3933
3934 /* FIXME: Map err to a valid reason */
e2fd318e 3935 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 3936 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3937 }
3938
88219a0f
AV		 3939 data += cmd_len;
3940 len -= cmd_len;
1da177e4
LT		 3941 }
3942
3943 kfree_skb(skb);
3944}
3945
47d1ec61 3946static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 3947{
3948 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 3949 int hdr_size;
3950
3951 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3952 hdr_size = L2CAP_EXT_HDR_SIZE;
3953 else
3954 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 3955
47d1ec61 3956 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 3957 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 3958 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3959 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3960
3961 if (our_fcs != rcv_fcs)
7a560e5c 3962 return -EBADMSG;
fcc203c3
GP		 3963 }
3964 return 0;
3965}
3966
525cd185 3967static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 3968{
88843ab0 3969 u32 control = 0;
d5392c8f 3970
6a026610 3971 chan->frames_sent = 0;
d5392c8f 3972
0b209fae 3973 control |= __set_reqseq(chan, chan->buffer_seq);
d5392c8f 3974
e2ab4353 3975 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 3976 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
525cd185 3977 l2cap_send_sframe(chan, control);
e2ab4353 3978 set_bit(CONN_RNR_SENT, &chan->conn_state);
d5392c8f
GP		 3979 }
3980
e2ab4353 3981 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
525cd185 3982 l2cap_retransmit_frames(chan);
d5392c8f 3983
525cd185 3984 l2cap_ertm_send(chan);
d5392c8f 3985
e2ab4353 3986 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
6a026610 3987 chan->frames_sent == 0) {
ab784b73 3988 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 3989 l2cap_send_sframe(chan, control);
d5392c8f
GP		 3990 }
3991}
3992
fb45de7d 3993static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u16 tx_seq, u8 sar)
8f17154f
GP		 3994{
3995 struct sk_buff *next_skb;
bfbacc11 3996 int tx_seq_offset, next_tx_seq_offset;
8f17154f 3997
3ce3514f
MM		 3998 bt_cb(skb)->control.txseq = tx_seq;
3999 bt_cb(skb)->control.sar = sar;
8f17154f 4000
f1c6775b 4001 next_skb = skb_peek(&chan->srej_q);
8f17154f 4002
836be934 4003 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
bfbacc11 4004
039d9572 4005 while (next_skb) {
3ce3514f 4006 if (bt_cb(next_skb)->control.txseq == tx_seq)
9b53350d
JPRV		 4007 return -EINVAL;
4008
836be934 4009 next_tx_seq_offset = __seq_offset(chan,
3ce3514f 4010 bt_cb(next_skb)->control.txseq, chan->buffer_seq);
bfbacc11
JPRV		 4011
4012 if (next_tx_seq_offset > tx_seq_offset) {
f1c6775b 4013 __skb_queue_before(&chan->srej_q, next_skb, skb);
9b53350d 4014 return 0;
8f17154f
GP		 4015 }
4016
f1c6775b 4017 if (skb_queue_is_last(&chan->srej_q, next_skb))
039d9572
SJ		 4018 next_skb = NULL;
4019 else
4020 next_skb = skb_queue_next(&chan->srej_q, next_skb);
4021 }
8f17154f 4022
f1c6775b 4023 __skb_queue_tail(&chan->srej_q, skb);
9b53350d
JPRV		 4024
4025 return 0;
8f17154f
GP		 4026}
4027
84084a31
MM		 4028static void append_skb_frag(struct sk_buff *skb,
4029 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 4030{
84084a31
MM		 4031 /* skb->len reflects data in skb as well as all fragments
4032 * skb->data_len reflects only data in fragments
4033 */
4034 if (!skb_has_frag_list(skb))
4035 skb_shinfo(skb)->frag_list = new_frag;
4036
4037 new_frag->next = NULL;
4038
4039 (*last_frag)->next = new_frag;
4040 *last_frag = new_frag;
4041
4042 skb->len += new_frag->len;
4043 skb->data_len += new_frag->len;
4044 skb->truesize += new_frag->truesize;
4045}
4046
88843ab0 4047static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u32 control)
84084a31
MM		 4048{
4049 int err = -EINVAL;
18778a63 4050
7e0ef6ee
AE		 4051 switch (__get_ctrl_sar(chan, control)) {
4052 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 4053 if (chan->sdu)
4054 break;
18778a63 4055
84084a31
MM		 4056 err = chan->ops->recv(chan->data, skb);
4057 break;
18778a63 4058
7e0ef6ee 4059 case L2CAP_SAR_START:
84084a31
MM		 4060 if (chan->sdu)
4061 break;
18778a63 4062
6f61fd47 4063 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 4064 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 4065
84084a31
MM		 4066 if (chan->sdu_len > chan->imtu) {
4067 err = -EMSGSIZE;
4068 break;
4069 }
1890d36b 4070
84084a31
MM		 4071 if (skb->len >= chan->sdu_len)
4072 break;
18778a63 4073
84084a31
MM		 4074 chan->sdu = skb;
4075 chan->sdu_last_frag = skb;
18778a63 4076
84084a31
MM		 4077 skb = NULL;
4078 err = 0;
18778a63
GP		 4079 break;
4080
7e0ef6ee 4081 case L2CAP_SAR_CONTINUE:
6f61fd47 4082 if (!chan->sdu)
84084a31 4083 break;
18778a63 4084
84084a31
MM		 4085 append_skb_frag(chan->sdu, skb,
4086 &chan->sdu_last_frag);
4087 skb = NULL;
18778a63 4088
84084a31
MM		 4089 if (chan->sdu->len >= chan->sdu_len)
4090 break;
4178ba46 4091
84084a31 4092 err = 0;
18778a63
GP		 4093 break;
4094
7e0ef6ee 4095 case L2CAP_SAR_END:
6f61fd47 4096 if (!chan->sdu)
84084a31 4097 break;
18778a63 4098
84084a31
MM		 4099 append_skb_frag(chan->sdu, skb,
4100 &chan->sdu_last_frag);
4101 skb = NULL;
4178ba46 4102
84084a31
MM		 4103 if (chan->sdu->len != chan->sdu_len)
4104 break;
18778a63 4105
84084a31 4106 err = chan->ops->recv(chan->data, chan->sdu);
1890d36b 4107
84084a31
MM		 4108 if (!err) {
4109 /* Reassembly complete */
4110 chan->sdu = NULL;
4111 chan->sdu_last_frag = NULL;
4112 chan->sdu_len = 0;
1890d36b 4113 }
18778a63
GP		 4114 break;
4115 }
4116
84084a31
MM		 4117 if (err) {
4118 kfree_skb(skb);
4119 kfree_skb(chan->sdu);
4120 chan->sdu = NULL;
4121 chan->sdu_last_frag = NULL;
4122 chan->sdu_len = 0;
4123 }
18778a63 4124
84084a31 4125 return err;
18778a63
GP		 4126}
4127
26f880d2 4128static void l2cap_ertm_enter_local_busy(struct l2cap_chan *chan)
712132eb 4129{
26f880d2 4130 BT_DBG("chan %p, Enter local busy", chan);
712132eb 4131
26f880d2 4132 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3c588192 4133 l2cap_seq_list_clear(&chan->srej_list);
26f880d2 4134
77f918bc 4135 __set_ack_timer(chan);
26f880d2
MM		 4136}
4137
4138static void l2cap_ertm_exit_local_busy(struct l2cap_chan *chan)
4139{
88843ab0 4140 u32 control;
712132eb 4141
e2ab4353 4142 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
712132eb
GP		 4143 goto done;
4144
0b209fae 4145 control = __set_reqseq(chan, chan->buffer_seq);
e3781735 4146 control |= __set_ctrl_poll(chan);
ab784b73 4147 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 4148 l2cap_send_sframe(chan, control);
6a026610 4149 chan->retry_count = 1;
712132eb 4150
1a09bcb9
GP		 4151 __clear_retrans_timer(chan);
4152 __set_monitor_timer(chan);
712132eb 4153
e2ab4353 4154 set_bit(CONN_WAIT_F, &chan->conn_state);
712132eb
GP		 4155
4156done:
e2ab4353
GP		 4157 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
4158 clear_bit(CONN_RNR_SENT, &chan->conn_state);
712132eb 4159
49208c9c 4160 BT_DBG("chan %p, Exit local busy", chan);
712132eb
GP		 4161}
4162
e328140f 4163void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
1890d36b 4164{
e328140f
MM		 4165 if (chan->mode == L2CAP_MODE_ERTM) {
4166 if (busy)
4167 l2cap_ertm_enter_local_busy(chan);
4168 else
4169 l2cap_ertm_exit_local_busy(chan);
1890d36b 4170 }
1890d36b
GP		 4171}
4172
fb45de7d 4173static void l2cap_check_srej_gap(struct l2cap_chan *chan, u16 tx_seq)
8f17154f
GP		 4174{
4175 struct sk_buff *skb;
88843ab0 4176 u32 control;
8f17154f 4177
e328140f
MM		 4178 while ((skb = skb_peek(&chan->srej_q)) &&
4179 !test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4180 int err;
4181
3ce3514f 4182 if (bt_cb(skb)->control.txseq != tx_seq)
8f17154f
GP		 4183 break;
4184
f1c6775b 4185 skb = skb_dequeue(&chan->srej_q);
3ce3514f 4186 control = __set_ctrl_sar(chan, bt_cb(skb)->control.sar);
84084a31 4187 err = l2cap_reassemble_sdu(chan, skb, control);
e328140f
MM		 4188
4189 if (err < 0) {
4190 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4191 break;
4192 }
4193
836be934
AE		 4194 chan->buffer_seq_srej = __next_seq(chan, chan->buffer_seq_srej);
4195 tx_seq = __next_seq(chan, tx_seq);
8f17154f
GP		 4196 }
4197}
4198
fb45de7d 4199static void l2cap_resend_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 4200{
8f17154f 4201 struct srej_list *l, *tmp;
88843ab0 4202 u32 control;
8f17154f 4203
39d5a3ee 4204 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
8f17154f
GP		 4205 if (l->tx_seq == tx_seq) {
4206 list_del(&l->list);
4207 kfree(l);
4208 return;
4209 }
ab784b73 4210 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 4211 control |= __set_reqseq(chan, l->tx_seq);
525cd185 4212 l2cap_send_sframe(chan, control);
8f17154f 4213 list_del(&l->list);
39d5a3ee 4214 list_add_tail(&l->list, &chan->srej_l);
8f17154f
GP		 4215 }
4216}
4217
aef89f21 4218static int l2cap_send_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 4219{
8f17154f 4220 struct srej_list *new;
88843ab0 4221 u32 control;
8f17154f 4222
42e5c802 4223 while (tx_seq != chan->expected_tx_seq) {
ab784b73 4224 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 4225 control |= __set_reqseq(chan, chan->expected_tx_seq);
3c588192 4226 l2cap_seq_list_append(&chan->srej_list, chan->expected_tx_seq);
525cd185 4227 l2cap_send_sframe(chan, control);
8f17154f
GP		 4228
4229 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
aef89f21
SJ		 4230 if (!new)
4231 return -ENOMEM;
4232
42e5c802 4233 new->tx_seq = chan->expected_tx_seq;
836be934
AE		 4234
4235 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
4236
39d5a3ee 4237 list_add_tail(&new->list, &chan->srej_l);
8f17154f 4238 }
836be934
AE		 4239
4240 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
aef89f21
SJ		 4241
4242 return 0;
8f17154f
GP		 4243}
4244
88843ab0 4245static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
1c2acffb 4246{
fb45de7d 4247 u16 tx_seq = __get_txseq(chan, rx_control);
0b209fae 4248 u16 req_seq = __get_reqseq(chan, rx_control);
7e0ef6ee 4249 u8 sar = __get_ctrl_sar(chan, rx_control);
f6337c77 4250 int tx_seq_offset, expected_tx_seq_offset;
47d1ec61 4251 int num_to_ack = (chan->tx_win/6) + 1;
1c2acffb
GP		 4252 int err = 0;
4253
88843ab0 4254 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%8.8x", chan, skb->len,
525cd185 4255 tx_seq, rx_control);
1c2acffb 4256
03f6715d 4257 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 4258 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 4259 __clear_monitor_timer(chan);
6a026610 4260 if (chan->unacked_frames > 0)
1a09bcb9 4261 __set_retrans_timer(chan);
e2ab4353 4262 clear_bit(CONN_WAIT_F, &chan->conn_state);
1d8f5d16
GP		 4263 }
4264
42e5c802
GP		 4265 chan->expected_ack_seq = req_seq;
4266 l2cap_drop_acked_frames(chan);
9f121a5a 4267
836be934 4268 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
9b53350d
JPRV		 4269
4270 /* invalid tx_seq */
47d1ec61 4271 if (tx_seq_offset >= chan->tx_win) {
8c1d787b 4272 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
9b53350d
JPRV		 4273 goto drop;
4274 }
4275
77f918bc
SJ		 4276 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4277 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
4278 l2cap_send_ack(chan);
1890d36b 4279 goto drop;
77f918bc 4280 }
1890d36b 4281
02f1b641
MM		 4282 if (tx_seq == chan->expected_tx_seq)
4283 goto expected;
4284
e2ab4353 4285 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
8f17154f 4286 struct srej_list *first;
30afb5b2 4287
39d5a3ee 4288 first = list_first_entry(&chan->srej_l,
8f17154f
GP		 4289 struct srej_list, list);
4290 if (tx_seq == first->tx_seq) {
42e5c802 4291 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
525cd185 4292 l2cap_check_srej_gap(chan, tx_seq);
8f17154f
GP		 4293
4294 list_del(&first->list);
4295 kfree(first);
4296
39d5a3ee 4297 if (list_empty(&chan->srej_l)) {
42e5c802 4298 chan->buffer_seq = chan->buffer_seq_srej;
e2ab4353 4299 clear_bit(CONN_SREJ_SENT, &chan->conn_state);
525cd185 4300 l2cap_send_ack(chan);
49208c9c 4301 BT_DBG("chan %p, Exit SREJ_SENT", chan);
8f17154f
GP		 4302 }
4303 } else {
4304 struct srej_list *l;
9b53350d
JPRV		 4305
4306 /* duplicated tx_seq */
42e5c802 4307 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
9b53350d 4308 goto drop;
8f17154f 4309
39d5a3ee 4310 list_for_each_entry(l, &chan->srej_l, list) {
8f17154f 4311 if (l->tx_seq == tx_seq) {
525cd185 4312 l2cap_resend_srejframe(chan, tx_seq);
8f17154f
GP		 4313 return 0;
4314 }
4315 }
aef89f21
SJ		 4316
4317 err = l2cap_send_srejframe(chan, tx_seq);
4318 if (err < 0) {
4319 l2cap_send_disconn_req(chan->conn, chan, -err);
4320 return err;
4321 }
30afb5b2
GP		 4322 }
4323 } else {
836be934
AE		 4324 expected_tx_seq_offset = __seq_offset(chan,
4325 chan->expected_tx_seq, chan->buffer_seq);
9b53350d
JPRV		 4326
4327 /* duplicated tx_seq */
4328 if (tx_seq_offset < expected_tx_seq_offset)
4329 goto drop;
4330
e2ab4353 4331 set_bit(CONN_SREJ_SENT, &chan->conn_state);
1c2acffb 4332
49208c9c 4333 BT_DBG("chan %p, Enter SREJ", chan);
0e98958d 4334
39d5a3ee 4335 INIT_LIST_HEAD(&chan->srej_l);
42e5c802 4336 chan->buffer_seq_srej = chan->buffer_seq;
8f17154f 4337
f1c6775b 4338 __skb_queue_head_init(&chan->srej_q);
42e5c802 4339 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
8f17154f 4340
0ef3ef0f
SJ		 4341 /* Set P-bit only if there are some I-frames to ack. */
4342 if (__clear_ack_timer(chan))
4343 set_bit(CONN_SEND_PBIT, &chan->conn_state);
ef54fd93 4344
aef89f21
SJ		 4345 err = l2cap_send_srejframe(chan, tx_seq);
4346 if (err < 0) {
4347 l2cap_send_disconn_req(chan->conn, chan, -err);
4348 return err;
4349 }
1c2acffb 4350 }
30afb5b2
GP		 4351 return 0;
4352
8f17154f 4353expected:
836be934 4354 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
8f17154f 4355
e2ab4353 4356 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3ce3514f
MM		 4357 bt_cb(skb)->control.txseq = tx_seq;
4358 bt_cb(skb)->control.sar = sar;
f1c6775b 4359 __skb_queue_tail(&chan->srej_q, skb);
8f17154f
GP		 4360 return 0;
4361 }
4362
84084a31 4363 err = l2cap_reassemble_sdu(chan, skb, rx_control);
836be934
AE		 4364 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
4365
e328140f
MM		 4366 if (err < 0) {
4367 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4368 return err;
4369 }
2ece3684 4370
03f6715d 4371 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4372 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 4373 l2cap_retransmit_frames(chan);
4ec10d97
GP		 4374 }
4375
c1b4f43b 4376
6a026610
GP		 4377 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
4378 if (chan->num_acked == num_to_ack - 1)
525cd185 4379 l2cap_send_ack(chan);
4d611e4d
GP		 4380 else
4381 __set_ack_timer(chan);
9e917af1 4382
8f17154f 4383 return 0;
9b53350d
JPRV		 4384
4385drop:
4386 kfree_skb(skb);
4387 return 0;
1c2acffb
GP		 4388}
4389
88843ab0 4390static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u32 rx_control)
1c2acffb 4391{
88843ab0 4392 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan,
0b209fae 4393 __get_reqseq(chan, rx_control), rx_control);
0e98958d 4394
0b209fae 4395 chan->expected_ack_seq = __get_reqseq(chan, rx_control);
42e5c802 4396 l2cap_drop_acked_frames(chan);
1c2acffb 4397
e3781735 4398 if (__is_ctrl_poll(chan, rx_control)) {
e2ab4353
GP		 4399 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4400 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
4401 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 4402 (chan->unacked_frames > 0))
1a09bcb9 4403 __set_retrans_timer(chan);
05fbd89d 4404
e2ab4353 4405 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
525cd185 4406 l2cap_send_srejtail(chan);
05fbd89d 4407 } else {
525cd185 4408 l2cap_send_i_or_rr_or_rnr(chan);
05fbd89d 4409 }
1d8f5d16 4410
03f6715d 4411 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4412 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4ec10d97 4413
e2ab4353 4414 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 4415 l2cap_retransmit_frames(chan);
2246b2f1 4416
e072745f 4417 } else {
e2ab4353 4418 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 4419 (chan->unacked_frames > 0))
1a09bcb9 4420 __set_retrans_timer(chan);
1c2acffb 4421
e2ab4353
GP		 4422 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4423 if (test_bit(CONN_SREJ_SENT, &chan->conn_state))
525cd185 4424 l2cap_send_ack(chan);
894718a6 4425 else
525cd185 4426 l2cap_ertm_send(chan);
e072745f
GP		 4427 }
4428}
2246b2f1 4429
88843ab0 4430static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4431{
0b209fae 4432 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 4433
88843ab0 4434 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4435
e2ab4353 4436 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
e072745f 4437
42e5c802
GP		 4438 chan->expected_ack_seq = tx_seq;
4439 l2cap_drop_acked_frames(chan);
e072745f 4440
03f6715d 4441 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4442 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 4443 l2cap_retransmit_frames(chan);
e072745f 4444 } else {
525cd185 4445 l2cap_retransmit_frames(chan);
30afb5b2 4446
e2ab4353
GP		 4447 if (test_bit(CONN_WAIT_F, &chan->conn_state))
4448 set_bit(CONN_REJ_ACT, &chan->conn_state);
e072745f
GP		 4449 }
4450}
88843ab0 4451static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4452{
0b209fae 4453 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 4454
88843ab0 4455 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4456
e2ab4353 4457 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
2246b2f1 4458
e3781735 4459 if (__is_ctrl_poll(chan, rx_control)) {
42e5c802
GP		 4460 chan->expected_ack_seq = tx_seq;
4461 l2cap_drop_acked_frames(chan);
3cb123d1 4462
e2ab4353 4463 set_bit(CONN_SEND_FBIT, &chan->conn_state);
525cd185 4464 l2cap_retransmit_one_frame(chan, tx_seq);
dfc909be 4465
525cd185 4466 l2cap_ertm_send(chan);
dfc909be 4467
e2ab4353 4468 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 4469 chan->srej_save_reqseq = tx_seq;
e2ab4353 4470 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 4471 }
03f6715d 4472 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4473 if (test_bit(CONN_SREJ_ACT, &chan->conn_state) &&
6a026610 4474 chan->srej_save_reqseq == tx_seq)
e2ab4353 4475 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
e072745f 4476 else
525cd185 4477 l2cap_retransmit_one_frame(chan, tx_seq);
e072745f 4478 } else {
525cd185 4479 l2cap_retransmit_one_frame(chan, tx_seq);
e2ab4353 4480 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 4481 chan->srej_save_reqseq = tx_seq;
e2ab4353 4482 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 4483 }
e072745f
GP		 4484 }
4485}
4486
88843ab0 4487static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4488{
0b209fae 4489 u16 tx_seq = __get_reqseq(chan, rx_control);
e072745f 4490
88843ab0 4491 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4492
e2ab4353 4493 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
42e5c802
GP		 4494 chan->expected_ack_seq = tx_seq;
4495 l2cap_drop_acked_frames(chan);
e072745f 4496
e3781735 4497 if (__is_ctrl_poll(chan, rx_control))
e2ab4353 4498 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3cb123d1 4499
e2ab4353 4500 if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
1a09bcb9 4501 __clear_retrans_timer(chan);
e3781735 4502 if (__is_ctrl_poll(chan, rx_control))
525cd185 4503 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
99b0d4b7 4504 return;
e072745f 4505 }
99b0d4b7 4506
e3781735 4507 if (__is_ctrl_poll(chan, rx_control)) {
525cd185 4508 l2cap_send_srejtail(chan);
ab784b73
AE		 4509 } else {
4510 rx_control = __set_ctrl_super(chan, L2CAP_SUPER_RR);
4511 l2cap_send_sframe(chan, rx_control);
4512 }
e072745f
GP		 4513}
4514
88843ab0 4515static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
e072745f 4516{
88843ab0 4517 BT_DBG("chan %p rx_control 0x%8.8x len %d", chan, rx_control, skb->len);
e072745f 4518
03f6715d 4519 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 4520 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 4521 __clear_monitor_timer(chan);
6a026610 4522 if (chan->unacked_frames > 0)
1a09bcb9 4523 __set_retrans_timer(chan);
e2ab4353 4524 clear_bit(CONN_WAIT_F, &chan->conn_state);
e072745f
GP		 4525 }
4526
ab784b73
AE		 4527 switch (__get_ctrl_super(chan, rx_control)) {
4528 case L2CAP_SUPER_RR:
525cd185 4529 l2cap_data_channel_rrframe(chan, rx_control);
8f17154f
GP		 4530 break;
4531
ab784b73 4532 case L2CAP_SUPER_REJ:
525cd185 4533 l2cap_data_channel_rejframe(chan, rx_control);
e072745f 4534 break;
2246b2f1 4535
ab784b73 4536 case L2CAP_SUPER_SREJ:
525cd185 4537 l2cap_data_channel_srejframe(chan, rx_control);
e072745f
GP		 4538 break;
4539
ab784b73 4540 case L2CAP_SUPER_RNR:
525cd185 4541 l2cap_data_channel_rnrframe(chan, rx_control);
1c2acffb
GP		 4542 break;
4543 }
4544
faaebd19 4545 kfree_skb(skb);
1c2acffb
GP		 4546 return 0;
4547}
4548
cad8f1d0 4549static int l2cap_ertm_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
218bb9df 4550{
88843ab0 4551 u32 control;
0b209fae 4552 u16 req_seq;
218bb9df
GP		 4553 int len, next_tx_seq_offset, req_seq_offset;
4554
b76bbd66
MM		 4555 __unpack_control(chan, skb);
4556
88843ab0
AE		 4557 control = __get_control(chan, skb->data);
4558 skb_pull(skb, __ctrl_size(chan));
218bb9df
GP		 4559 len = skb->len;
4560
4561 /*
4562 * We can just drop the corrupted I-frame here.
4563 * Receiver will miss it and start proper recovery
4564 * procedures and ask retransmission.
4565 */
47d1ec61 4566 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 4567 goto drop;
4568
793c2f1c 4569 if (__is_sar_start(chan, control) && !__is_sframe(chan, control))
03a51213 4570 len -= L2CAP_SDULEN_SIZE;
218bb9df 4571
47d1ec61 4572 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 4573 len -= L2CAP_FCS_SIZE;
218bb9df 4574
47d1ec61 4575 if (len > chan->mps) {
8c1d787b 4576 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4577 goto drop;
4578 }
4579
0b209fae 4580 req_seq = __get_reqseq(chan, control);
218bb9df 4581
836be934
AE		 4582 req_seq_offset = __seq_offset(chan, req_seq, chan->expected_ack_seq);
4583
4584 next_tx_seq_offset = __seq_offset(chan, chan->next_tx_seq,
4585 chan->expected_ack_seq);
218bb9df
GP		 4586
4587 /* check for invalid req-seq */
4588 if (req_seq_offset > next_tx_seq_offset) {
8c1d787b 4589 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4590 goto drop;
4591 }
4592
793c2f1c 4593 if (!__is_sframe(chan, control)) {
218bb9df 4594 if (len < 0) {
8c1d787b 4595 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4596 goto drop;
4597 }
4598
525cd185 4599 l2cap_data_channel_iframe(chan, control, skb);
218bb9df
GP		 4600 } else {
4601 if (len != 0) {
4602 BT_ERR("%d", len);
8c1d787b 4603 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4604 goto drop;
4605 }
4606
525cd185 4607 l2cap_data_channel_sframe(chan, control, skb);
218bb9df
GP		 4608 }
4609
4610 return 0;
4611
4612drop:
4613 kfree_skb(skb);
4614 return 0;
4615}
4616
1da177e4
LT		 4617static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
4618{
48454079 4619 struct l2cap_chan *chan;
88843ab0 4620 u32 control;
fb45de7d 4621 u16 tx_seq;
218bb9df 4622 int len;
1da177e4 4623
baa7e1fa 4624 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 4625 if (!chan) {
1da177e4 4626 BT_DBG("unknown cid 0x%4.4x", cid);
6be36555 4627 /* Drop packet and return */
3379013b 4628 kfree_skb(skb);
6be36555 4629 return 0;
1da177e4
LT		 4630 }
4631
49208c9c 4632 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 4633
89bc500e 4634 if (chan->state != BT_CONNECTED)
1da177e4
LT		 4635 goto drop;
4636
0c1bc5c6 4637 switch (chan->mode) {
1c2acffb
GP		 4638 case L2CAP_MODE_BASIC:
4639 /* If socket recv buffers overflows we drop data here
4640 * which is *bad* because L2CAP has to be reliable.
4641 * But we don't have any other choice. L2CAP doesn't
4642 * provide flow control mechanism. */
1da177e4 4643
0c1bc5c6 4644 if (chan->imtu < skb->len)
1c2acffb 4645 goto drop;
1da177e4 4646
23070494 4647 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP		 4648 goto done;
4649 break;
4650
4651 case L2CAP_MODE_ERTM:
5ef8cb9e 4652 l2cap_ertm_data_rcv(chan, skb);
1c2acffb 4653
fcafde2e 4654 goto done;
1c2acffb 4655
6840ed07 4656 case L2CAP_MODE_STREAMING:
88843ab0
AE		 4657 control = __get_control(chan, skb->data);
4658 skb_pull(skb, __ctrl_size(chan));
6840ed07
GP		 4659 len = skb->len;
4660
47d1ec61 4661 if (l2cap_check_fcs(chan, skb))
26000089
GP		 4662 goto drop;
4663
7e0ef6ee 4664 if (__is_sar_start(chan, control))
03a51213 4665 len -= L2CAP_SDULEN_SIZE;
6840ed07 4666
47d1ec61 4667 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 4668 len -= L2CAP_FCS_SIZE;
fcc203c3 4669
793c2f1c 4670 if (len > chan->mps || len < 0 || __is_sframe(chan, control))
6840ed07
GP		 4671 goto drop;
4672
fb45de7d 4673 tx_seq = __get_txseq(chan, control);
6840ed07 4674
84084a31
MM		 4675 if (chan->expected_tx_seq != tx_seq) {
4676 /* Frame(s) missing - must discard partial SDU */
4677 kfree_skb(chan->sdu);
4678 chan->sdu = NULL;
4679 chan->sdu_last_frag = NULL;
4680 chan->sdu_len = 0;
6840ed07 4681
84084a31
MM		 4682 /* TODO: Notify userland of missing data */
4683 }
4684
836be934 4685 chan->expected_tx_seq = __next_seq(chan, tx_seq);
84084a31
MM		 4686
4687 if (l2cap_reassemble_sdu(chan, skb, control) == -EMSGSIZE)
4688 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
6840ed07
GP		 4689
4690 goto done;
4691
1c2acffb 4692 default:
0c1bc5c6 4693 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 4694 break;
4695 }
1da177e4
LT		 4696
4697drop:
4698 kfree_skb(skb);
4699
4700done:
6be36555 4701 l2cap_chan_unlock(chan);
0139418c 4702
1da177e4
LT		 4703 return 0;
4704}
4705
8e036fc3 4706static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 4707{
23691d75 4708 struct l2cap_chan *chan;
1da177e4 4709
c2287681 4710 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 4711 if (!chan)
1da177e4
LT		 4712 goto drop;
4713
5b4cedaa 4714 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 4715
89bc500e 4716 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 4717 goto drop;
4718
e13e21dc 4719 if (chan->imtu < skb->len)
1da177e4
LT		 4720 goto drop;
4721
23070494 4722 if (!chan->ops->recv(chan->data, skb))
5b4cedaa 4723 return 0;
1da177e4
LT		 4724
4725drop:
4726 kfree_skb(skb);
4727
1da177e4
LT		 4728 return 0;
4729}
4730
d9b88702
AE		 4731static inline int l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
4732 struct sk_buff *skb)
9f69bda6 4733{
23691d75 4734 struct l2cap_chan *chan;
9f69bda6 4735
c2287681 4736 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 4737 if (!chan)
9f69bda6
GP		 4738 goto drop;
4739
5b4cedaa 4740 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 4741
89bc500e 4742 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 4743 goto drop;
4744
e13e21dc 4745 if (chan->imtu < skb->len)
9f69bda6
GP		 4746 goto drop;
4747
23070494 4748 if (!chan->ops->recv(chan->data, skb))
5b4cedaa 4749 return 0;
9f69bda6
GP		 4750
4751drop:
4752 kfree_skb(skb);
4753
9f69bda6
GP		 4754 return 0;
4755}
4756
1da177e4
LT		 4757static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4758{
4759 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4760 u16 cid, len;
4761 __le16 psm;
1da177e4
LT		 4762
4763 skb_pull(skb, L2CAP_HDR_SIZE);
4764 cid = __le16_to_cpu(lh->cid);
4765 len = __le16_to_cpu(lh->len);
4766
1c2acffb
GP		 4767 if (len != skb->len) {
4768 kfree_skb(skb);
4769 return;
4770 }
4771
1da177e4
LT		 4772 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4773
4774 switch (cid) {
3300d9a9 4775 case L2CAP_CID_LE_SIGNALING:
8db4dc46 4776 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4777 l2cap_sig_channel(conn, skb);
4778 break;
4779
8db4dc46 4780 case L2CAP_CID_CONN_LESS:
097db76c 4781 psm = get_unaligned((__le16 *) skb->data);
1da177e4
LT		 4782 skb_pull(skb, 2);
4783 l2cap_conless_channel(conn, psm, skb);
4784 break;
4785
9f69bda6
GP		 4786 case L2CAP_CID_LE_DATA:
4787 l2cap_att_channel(conn, cid, skb);
4788 break;
4789
b501d6a1
AB		 4790 case L2CAP_CID_SMP:
4791 if (smp_sig_channel(conn, skb))
4792 l2cap_conn_del(conn->hcon, EACCES);
4793 break;
4794
1da177e4
LT		 4795 default:
4796 l2cap_data_channel(conn, cid, skb);
4797 break;
4798 }
4799}
4800
4801/* ---- L2CAP interface with lower layer (HCI) ---- */
4802
686ebf28 4803int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 4804{
4805 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 4806 struct l2cap_chan *c;
1da177e4 4807
1da177e4
LT		 4808 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4809
4810 /* Find listening sockets and check their link_mode */
23691d75
GP		 4811 read_lock(&chan_list_lock);
4812 list_for_each_entry(c, &chan_list, global_l) {
4813 struct sock *sk = c->sk;
4343478f 4814
89bc500e 4815 if (c->state != BT_LISTEN)
1da177e4
LT		 4816 continue;
4817
4818 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4819 lm1 |= HCI_LM_ACCEPT;
43bd0f32 4820 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 4821 lm1 |= HCI_LM_MASTER;
1da177e4 4822 exact++;
2af6b9d5
MH		 4823 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4824 lm2 |= HCI_LM_ACCEPT;
43bd0f32 4825 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 4826 lm2 |= HCI_LM_MASTER;
4827 }
1da177e4 4828 }
23691d75 4829 read_unlock(&chan_list_lock);
1da177e4
LT		 4830
4831 return exact ? lm1 : lm2;
4832}
4833
686ebf28 4834int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 4835{
0139418c
MH		 4836 struct l2cap_conn *conn;
4837
1da177e4
LT		 4838 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4839
1da177e4 4840 if (!status) {
1da177e4
LT		 4841 conn = l2cap_conn_add(hcon, status);
4842 if (conn)
4843 l2cap_conn_ready(conn);
0139418c 4844 } else
e175072f 4845 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 4846
4847 return 0;
4848}
4849
686ebf28 4850int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 4851{
4852 struct l2cap_conn *conn = hcon->l2cap_data;
4853
4854 BT_DBG("hcon %p", hcon);
4855
686ebf28 4856 if (!conn)
9f5a0d7b 4857 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 4858 return conn->disc_reason;
4859}
4860
686ebf28 4861int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4862{
4863 BT_DBG("hcon %p reason %d", hcon, reason);
4864
e175072f 4865 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 4866 return 0;
4867}
4868
4343478f 4869static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4870{
715ec005 4871 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 4872 return;
4873
f62e4323 4874 if (encrypt == 0x00) {
4343478f 4875 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 4876 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 4877 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 4878 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4879 } else {
4343478f 4880 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 4881 __clear_chan_timer(chan);
f62e4323
MH		 4882 }
4883}
4884
686ebf28 4885int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4886{
0139418c 4887 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4888 struct l2cap_chan *chan;
1da177e4 4889
0139418c 4890 if (!conn)
1da177e4 4891 return 0;
0139418c 4892
1da177e4
LT		 4893 BT_DBG("conn %p", conn);
4894
160dc6ac 4895 if (hcon->type == LE_LINK) {
35d4adcc
HG		 4896 if (!status && encrypt)
4897 smp_distribute_keys(conn, 0);
17cd3f37 4898 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 4899 }
4900
3df91ea2 4901 mutex_lock(&conn->chan_lock);
1da177e4 4902
3df91ea2 4903 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 4904 l2cap_chan_lock(chan);
1da177e4 4905
f1cb9af5
VCG		 4906 BT_DBG("chan->scid %d", chan->scid);
4907
4908 if (chan->scid == L2CAP_CID_LE_DATA) {
4909 if (!status && encrypt) {
4910 chan->sec_level = hcon->sec_level;
cf4cd009 4911 l2cap_chan_ready(chan);
f1cb9af5
VCG		 4912 }
4913
6be36555 4914 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 4915 continue;
4916 }
4917
c1360a1c 4918 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6be36555 4919 l2cap_chan_unlock(chan);
6a8d3010
MH		 4920 continue;
4921 }
4922
89bc500e
GP		 4923 if (!status && (chan->state == BT_CONNECTED ||
4924 chan->state == BT_CONFIG)) {
a7d7723a
GP		 4925 struct sock *sk = chan->sk;
4926
4927 bt_sk(sk)->suspended = false;
4928 sk->sk_state_change(sk);
4929
4343478f 4930 l2cap_check_encryption(chan, encrypt);
6be36555 4931 l2cap_chan_unlock(chan);
9719f8af
MH		 4932 continue;
4933 }
4934
89bc500e 4935 if (chan->state == BT_CONNECT) {
b1235d79 4936 if (!status) {
9b27f350 4937 l2cap_send_conn_req(chan);
b1235d79 4938 } else {
ba13ccd9 4939 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 4940 }
89bc500e 4941 } else if (chan->state == BT_CONNECT2) {
6be36555 4942 struct sock *sk = chan->sk;
b1235d79 4943 struct l2cap_conn_rsp rsp;
df3c3931 4944 __u16 res, stat;
1da177e4 4945
6be36555
AE		 4946 lock_sock(sk);
4947
b1235d79 4948 if (!status) {
df3c3931
JH		 4949 if (bt_sk(sk)->defer_setup) {
4950 struct sock *parent = bt_sk(sk)->parent;
4951 res = L2CAP_CR_PEND;
4952 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 4953 if (parent)
4954 parent->sk_data_ready(parent, 0);
df3c3931 4955 } else {
0e587be7 4956 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 4957 res = L2CAP_CR_SUCCESS;
4958 stat = L2CAP_CS_NO_INFO;
4959 }
b1235d79 4960 } else {
0e587be7 4961 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 4962 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 4963 res = L2CAP_CR_SEC_BLOCK;
4964 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 4965 }
4966
6be36555
AE		 4967 release_sock(sk);
4968
fe4128e0
GP		 4969 rsp.scid = cpu_to_le16(chan->dcid);
4970 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 4971 rsp.result = cpu_to_le16(res);
4972 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 4973 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4974 sizeof(rsp), &rsp);
b1235d79 4975 }
1da177e4 4976
6be36555 4977 l2cap_chan_unlock(chan);
1da177e4
LT		 4978 }
4979
3df91ea2 4980 mutex_unlock(&conn->chan_lock);
b1235d79 4981
1da177e4
LT		 4982 return 0;
4983}
4984
686ebf28 4985int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 4986{
4987 struct l2cap_conn *conn = hcon->l2cap_data;
4988
5a08ecce
AE		 4989 if (!conn)
4990 conn = l2cap_conn_add(hcon, 0);
4991
4992 if (!conn)
1da177e4
LT		 4993 goto drop;
4994
4995 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4996
e702112f 4997 if (!(flags & ACL_CONT)) {
1da177e4
LT		 4998 struct l2cap_hdr *hdr;
4999 int len;
5000
5001 if (conn->rx_len) {
5002 BT_ERR("Unexpected start frame (len %d)", skb->len);
5003 kfree_skb(conn->rx_skb);
5004 conn->rx_skb = NULL;
5005 conn->rx_len = 0;
5006 l2cap_conn_unreliable(conn, ECOMM);
5007 }
5008
aae7fe22
AE		 5009 /* Start fragment always begin with Basic L2CAP header */
5010 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 5011 BT_ERR("Frame is too short (len %d)", skb->len);
5012 l2cap_conn_unreliable(conn, ECOMM);
5013 goto drop;
5014 }
5015
5016 hdr = (struct l2cap_hdr *) skb->data;
5017 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
5018
5019 if (len == skb->len) {
5020 /* Complete frame received */
5021 l2cap_recv_frame(conn, skb);
5022 return 0;
5023 }
5024
5025 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
5026
5027 if (skb->len > len) {
5028 BT_ERR("Frame is too long (len %d, expected len %d)",
5029 skb->len, len);
5030 l2cap_conn_unreliable(conn, ECOMM);
5031 goto drop;
5032 }
5033
5034 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 5035 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
5036 if (!conn->rx_skb)
1da177e4
LT		 5037 goto drop;
5038
d626f62b 5039 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5040 skb->len);
1da177e4
LT		 5041 conn->rx_len = len - skb->len;
5042 } else {
5043 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
5044
5045 if (!conn->rx_len) {
5046 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
5047 l2cap_conn_unreliable(conn, ECOMM);
5048 goto drop;
5049 }
5050
5051 if (skb->len > conn->rx_len) {
5052 BT_ERR("Fragment is too long (len %d, expected %d)",
5053 skb->len, conn->rx_len);
5054 kfree_skb(conn->rx_skb);
5055 conn->rx_skb = NULL;
5056 conn->rx_len = 0;
5057 l2cap_conn_unreliable(conn, ECOMM);
5058 goto drop;
5059 }
5060
d626f62b 5061 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5062 skb->len);
1da177e4
LT		 5063 conn->rx_len -= skb->len;
5064
5065 if (!conn->rx_len) {
5066 /* Complete frame received */
5067 l2cap_recv_frame(conn, conn->rx_skb);
5068 conn->rx_skb = NULL;
5069 }
5070 }
5071
5072drop:
5073 kfree_skb(skb);
5074 return 0;
5075}
5076
aef7d97c 5077static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 5078{
23691d75 5079 struct l2cap_chan *c;
1da177e4 5080
333055f2 5081 read_lock(&chan_list_lock);
1da177e4 5082
23691d75
GP		 5083 list_for_each_entry(c, &chan_list, global_l) {
5084 struct sock *sk = c->sk;
101545f6 5085
903d343e 5086 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 5087 batostr(&bt_sk(sk)->src),
5088 batostr(&bt_sk(sk)->dst),
89bc500e 5089 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 5090 c->scid, c->dcid, c->imtu, c->omtu,
5091 c->sec_level, c->mode);
61e1b4b7 5092 }
1da177e4 5093
333055f2 5094 read_unlock(&chan_list_lock);
1da177e4 5095
aef7d97c 5096 return 0;
1da177e4
LT		 5097}
5098
aef7d97c
MH		 5099static int l2cap_debugfs_open(struct inode *inode, struct file *file)
5100{
5101 return single_open(file, l2cap_debugfs_show, inode->i_private);
5102}
5103
5104static const struct file_operations l2cap_debugfs_fops = {
5105 .open = l2cap_debugfs_open,
5106 .read = seq_read,
5107 .llseek = seq_lseek,
5108 .release = single_release,
5109};
5110
5111static struct dentry *l2cap_debugfs;
1da177e4 5112
64274518 5113int __init l2cap_init(void)
1da177e4
LT		 5114{
5115 int err;
be9d1227 5116
bb58f747 5117 err = l2cap_init_sockets();
1da177e4
LT		 5118 if (err < 0)
5119 return err;
5120
aef7d97c
MH		 5121 if (bt_debugfs) {
5122 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
5123 bt_debugfs, NULL, &l2cap_debugfs_fops);
5124 if (!l2cap_debugfs)
5125 BT_ERR("Failed to create L2CAP debug file");
5126 }
1da177e4 5127
1da177e4 5128 return 0;
1da177e4
LT		 5129}
5130
64274518 5131void l2cap_exit(void)
1da177e4 5132{
aef7d97c 5133 debugfs_remove(l2cap_debugfs);
bb58f747 5134 l2cap_cleanup_sockets();
1da177e4
LT		 5135}
5136
d1c4a17d
GP		 5137module_param(disable_ertm, bool, 0644);
5138MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)