projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Refactor loop in l2cap_retransmit_one_frame
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
1da177e4
LT		 6
7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License version 2 as
11 published by the Free Software Foundation;
12
13 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
14 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
16 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 17 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
18 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
19 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 20 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21
8e87d142
YH		 22 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
23 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 24 SOFTWARE IS DISCLAIMED.
25*/
26
bb58f747 27/* Bluetooth L2CAP core. */
1da177e4 28
1da177e4
LT		 29#include <linux/module.h>
30
31#include <linux/types.h>
4fc268d2 32#include <linux/capability.h>
1da177e4
LT		 33#include <linux/errno.h>
34#include <linux/kernel.h>
1da177e4
LT		 35#include <linux/sched.h>
36#include <linux/slab.h>
37#include <linux/poll.h>
38#include <linux/fcntl.h>
39#include <linux/init.h>
40#include <linux/interrupt.h>
41#include <linux/socket.h>
42#include <linux/skbuff.h>
1da177e4 43#include <linux/list.h>
be9d1227 44#include <linux/device.h>
aef7d97c
MH		 45#include <linux/debugfs.h>
46#include <linux/seq_file.h>
af05b30b 47#include <linux/uaccess.h>
fcc203c3 48#include <linux/crc16.h>
1da177e4
LT		 49#include <net/sock.h>
50
51#include <asm/system.h>
1da177e4
LT		 52#include <asm/unaligned.h>
53
54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h>
b501d6a1 57#include <net/bluetooth/smp.h>
1da177e4 58
bb58f747 59int disable_ertm;
a5fd6f30 60int enable_hs;
f0709e03 61
47ec1dcd 62static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 63static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 64
b5ad8b7f
JB		 65static LIST_HEAD(chan_list);
66static DEFINE_RWLOCK(chan_list_lock);
1da177e4 67
1da177e4
LT		 68static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
69 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 70static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
71 void *data);
710f9b0a 72static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a
GP		 73static void l2cap_send_disconn_req(struct l2cap_conn *conn,
74 struct l2cap_chan *chan, int err);
1da177e4 75
218bb9df
GP		 76static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
77
0139418c 78/* ---- L2CAP channels ---- */
71ba0e56
GP		 79
80static inline void chan_hold(struct l2cap_chan *c)
81{
82 atomic_inc(&c->refcnt);
83}
84
85static inline void chan_put(struct l2cap_chan *c)
86{
87 if (atomic_dec_and_test(&c->refcnt))
88 kfree(c);
89}
90
baa7e1fa 91static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 92{
48454079 93 struct l2cap_chan *c;
baa7e1fa
GP		 94
95 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 96 if (c->dcid == cid)
baa7e1fa 97 return c;
0139418c 98 }
baa7e1fa
GP		 99 return NULL;
100
0139418c
MH		 101}
102
baa7e1fa 103static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 104{
48454079 105 struct l2cap_chan *c;
baa7e1fa
GP		 106
107 list_for_each_entry(c, &conn->chan_l, list) {
fe4128e0 108 if (c->scid == cid)
baa7e1fa 109 return c;
0139418c 110 }
baa7e1fa 111 return NULL;
0139418c
MH		 112}
113
114/* Find channel with given SCID.
115 * Returns locked socket */
baa7e1fa 116static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 117{
48454079 118 struct l2cap_chan *c;
baa7e1fa
GP		 119
120 read_lock(&conn->chan_lock);
121 c = __l2cap_get_chan_by_scid(conn, cid);
48454079
GP		 122 if (c)
123 bh_lock_sock(c->sk);
baa7e1fa 124 read_unlock(&conn->chan_lock);
48454079 125 return c;
0139418c
MH		 126}
127
baa7e1fa 128static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 129{
48454079 130 struct l2cap_chan *c;
baa7e1fa
GP		 131
132 list_for_each_entry(c, &conn->chan_l, list) {
fc7f8a7e 133 if (c->ident == ident)
baa7e1fa 134 return c;
0139418c 135 }
baa7e1fa 136 return NULL;
0139418c
MH		 137}
138
baa7e1fa 139static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 140{
48454079 141 struct l2cap_chan *c;
baa7e1fa
GP		 142
143 read_lock(&conn->chan_lock);
144 c = __l2cap_get_chan_by_ident(conn, ident);
48454079
GP		 145 if (c)
146 bh_lock_sock(c->sk);
baa7e1fa 147 read_unlock(&conn->chan_lock);
48454079 148 return c;
0139418c
MH		 149}
150
23691d75 151static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 152{
23691d75 153 struct l2cap_chan *c;
9e4425ff 154
23691d75
GP		 155 list_for_each_entry(c, &chan_list, global_l) {
156 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
9e4425ff
GP		 157 goto found;
158 }
159
23691d75 160 c = NULL;
9e4425ff 161found:
23691d75 162 return c;
9e4425ff
GP		 163}
164
165int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
166{
73b2ec18
GP		 167 int err;
168
23691d75 169 write_lock_bh(&chan_list_lock);
9e4425ff 170
23691d75 171 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 172 err = -EADDRINUSE;
173 goto done;
9e4425ff
GP		 174 }
175
73b2ec18
GP		 176 if (psm) {
177 chan->psm = psm;
178 chan->sport = psm;
179 err = 0;
180 } else {
181 u16 p;
182
183 err = -EINVAL;
184 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 185 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 186 chan->psm = cpu_to_le16(p);
187 chan->sport = cpu_to_le16(p);
188 err = 0;
189 break;
190 }
191 }
9e4425ff 192
73b2ec18 193done:
23691d75 194 write_unlock_bh(&chan_list_lock);
73b2ec18 195 return err;
9e4425ff
GP		 196}
197
198int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
199{
23691d75 200 write_lock_bh(&chan_list_lock);
9e4425ff
GP		 201
202 chan->scid = scid;
203
23691d75 204 write_unlock_bh(&chan_list_lock);
9e4425ff
GP		 205
206 return 0;
207}
208
baa7e1fa 209static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 210{
8db4dc46 211 u16 cid = L2CAP_CID_DYN_START;
0139418c 212
8db4dc46 213 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 214 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 215 return cid;
216 }
217
218 return 0;
219}
220
c9b66675 221static void l2cap_set_timer(struct l2cap_chan *chan, struct timer_list *timer, long timeout)
ab07801d 222{
457f4850 223 BT_DBG("chan %p state %d timeout %ld", chan, chan->state, timeout);
89bc500e 224
942ecc9c 225 if (!mod_timer(timer, jiffies + msecs_to_jiffies(timeout)))
774e5651 226 chan_hold(chan);
ab07801d
GP		 227}
228
c9b66675 229static void l2cap_clear_timer(struct l2cap_chan *chan, struct timer_list *timer)
ab07801d 230{
774e5651 231 BT_DBG("chan %p state %d", chan, chan->state);
ab07801d 232
774e5651
MM		 233 if (timer_pending(timer) && del_timer(timer))
234 chan_put(chan);
ab07801d
GP		 235}
236
89bc500e
GP		 237static void l2cap_state_change(struct l2cap_chan *chan, int state)
238{
239 chan->state = state;
240 chan->ops->state_change(chan->data, state);
241}
242
ab07801d
GP		 243static void l2cap_chan_timeout(unsigned long arg)
244{
245 struct l2cap_chan *chan = (struct l2cap_chan *) arg;
246 struct sock *sk = chan->sk;
247 int reason;
248
89bc500e 249 BT_DBG("chan %p state %d", chan, chan->state);
ab07801d
GP		 250
251 bh_lock_sock(sk);
252
253 if (sock_owned_by_user(sk)) {
254 /* sk is owned by user. Try again later */
f3f668b0 255 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
ab07801d 256 bh_unlock_sock(sk);
71ba0e56 257 chan_put(chan);
ab07801d
GP		 258 return;
259 }
260
89bc500e 261 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 262 reason = ECONNREFUSED;
89bc500e 263 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 264 chan->sec_level != BT_SECURITY_SDP)
265 reason = ECONNREFUSED;
266 else
267 reason = ETIMEDOUT;
268
0f852724 269 l2cap_chan_close(chan, reason);
ab07801d
GP		 270
271 bh_unlock_sock(sk);
272
ba3bd0ee 273 chan->ops->close(chan->data);
71ba0e56 274 chan_put(chan);
ab07801d
GP		 275}
276
23691d75 277struct l2cap_chan *l2cap_chan_create(struct sock *sk)
48454079
GP		 278{
279 struct l2cap_chan *chan;
280
281 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
282 if (!chan)
283 return NULL;
284
285 chan->sk = sk;
286
23691d75
GP		 287 write_lock_bh(&chan_list_lock);
288 list_add(&chan->global_l, &chan_list);
289 write_unlock_bh(&chan_list_lock);
290
ab07801d
GP		 291 setup_timer(&chan->chan_timer, l2cap_chan_timeout, (unsigned long) chan);
292
89bc500e
GP		 293 chan->state = BT_OPEN;
294
71ba0e56
GP		 295 atomic_set(&chan->refcnt, 1);
296
abc545b8
SJ		 297 BT_DBG("sk %p chan %p", sk, chan);
298
48454079
GP		 299 return chan;
300}
301
23691d75 302void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 303{
23691d75
GP		 304 write_lock_bh(&chan_list_lock);
305 list_del(&chan->global_l);
306 write_unlock_bh(&chan_list_lock);
307
71ba0e56 308 chan_put(chan);
6ff5abbf
GP		 309}
310
48454079 311static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 312{
af05b30b 313 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
fe4128e0 314 chan->psm, chan->dcid);
0139418c 315
9f5a0d7b 316 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 317
8c1d787b 318 chan->conn = conn;
0139418c 319
715ec005 320 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
b62f328b
VT		 321 if (conn->hcon->type == LE_LINK) {
322 /* LE connection */
0c1bc5c6 323 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 324 chan->scid = L2CAP_CID_LE_DATA;
325 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 326 } else {
327 /* Alloc CID for connection-oriented socket */
fe4128e0 328 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 329 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 330 }
715ec005 331 } else if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
0139418c 332 /* Connectionless socket */
fe4128e0
GP		 333 chan->scid = L2CAP_CID_CONN_LESS;
334 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 335 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 336 } else {
337 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 338 chan->scid = L2CAP_CID_SIGNALING;
339 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 340 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 341 }
342
8f7975b1
AE		 343 chan->local_id = L2CAP_BESTEFFORT_ID;
344 chan->local_stype = L2CAP_SERV_BESTEFFORT;
345 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
346 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
347 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
348 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
349
71ba0e56 350 chan_hold(chan);
baa7e1fa
GP		 351
352 list_add(&chan->list, &conn->chan_l);
0139418c
MH		 353}
354
8e87d142 355/* Delete channel.
0139418c 356 * Must be called on the locked socket. */
4519de9a 357static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 358{
48454079 359 struct sock *sk = chan->sk;
8c1d787b 360 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 361 struct sock *parent = bt_sk(sk)->parent;
362
c9b66675 363 __clear_chan_timer(chan);
0139418c 364
49208c9c 365 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 366
8e87d142 367 if (conn) {
baa7e1fa
GP		 368 /* Delete from channel list */
369 write_lock_bh(&conn->chan_lock);
370 list_del(&chan->list);
371 write_unlock_bh(&conn->chan_lock);
71ba0e56 372 chan_put(chan);
baa7e1fa 373
8c1d787b 374 chan->conn = NULL;
0139418c
MH		 375 hci_conn_put(conn->hcon);
376 }
377
89bc500e 378 l2cap_state_change(chan, BT_CLOSED);
0139418c
MH		 379 sock_set_flag(sk, SOCK_ZAPPED);
380
381 if (err)
382 sk->sk_err = err;
383
384 if (parent) {
385 bt_accept_unlink(sk);
386 parent->sk_data_ready(parent, 0);
387 } else
388 sk->sk_state_change(sk);
c13ffa62 389
c1360a1c
GP		 390 if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
391 test_bit(CONF_INPUT_DONE, &chan->conf_state)))
6ff5abbf 392 return;
2ead70b8 393
58d35f87 394 skb_queue_purge(&chan->tx_q);
c13ffa62 395
0c1bc5c6 396 if (chan->mode == L2CAP_MODE_ERTM) {
c13ffa62
GP		 397 struct srej_list *l, *tmp;
398
1a09bcb9
GP		 399 __clear_retrans_timer(chan);
400 __clear_monitor_timer(chan);
401 __clear_ack_timer(chan);
c13ffa62 402
f1c6775b 403 skb_queue_purge(&chan->srej_q);
c13ffa62 404
39d5a3ee 405 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
c13ffa62
GP		 406 list_del(&l->list);
407 kfree(l);
408 }
409 }
0139418c
MH		 410}
411
4519de9a
GP		 412static void l2cap_chan_cleanup_listen(struct sock *parent)
413{
414 struct sock *sk;
415
416 BT_DBG("parent %p", parent);
417
418 /* Close not yet accepted channels */
0f852724 419 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee 420 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
c9b66675 421 __clear_chan_timer(chan);
0f852724 422 lock_sock(sk);
ba3bd0ee 423 l2cap_chan_close(chan, ECONNRESET);
0f852724 424 release_sock(sk);
ba3bd0ee 425 chan->ops->close(chan->data);
0f852724 426 }
4519de9a
GP		 427}
428
0f852724 429void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 430{
431 struct l2cap_conn *conn = chan->conn;
432 struct sock *sk = chan->sk;
433
89bc500e 434 BT_DBG("chan %p state %d socket %p", chan, chan->state, sk->sk_socket);
4519de9a 435
89bc500e 436 switch (chan->state) {
4519de9a
GP		 437 case BT_LISTEN:
438 l2cap_chan_cleanup_listen(sk);
89bc500e
GP		 439
440 l2cap_state_change(chan, BT_CLOSED);
441 sock_set_flag(sk, SOCK_ZAPPED);
4519de9a
GP		 442 break;
443
444 case BT_CONNECTED:
445 case BT_CONFIG:
715ec005 446 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 447 conn->hcon->type == ACL_LINK) {
c9b66675
GP		 448 __clear_chan_timer(chan);
449 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 450 l2cap_send_disconn_req(conn, chan, reason);
451 } else
452 l2cap_chan_del(chan, reason);
453 break;
454
455 case BT_CONNECT2:
715ec005 456 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 457 conn->hcon->type == ACL_LINK) {
458 struct l2cap_conn_rsp rsp;
459 __u16 result;
460
461 if (bt_sk(sk)->defer_setup)
462 result = L2CAP_CR_SEC_BLOCK;
463 else
464 result = L2CAP_CR_BAD_PSM;
89bc500e 465 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 466
467 rsp.scid = cpu_to_le16(chan->dcid);
468 rsp.dcid = cpu_to_le16(chan->scid);
469 rsp.result = cpu_to_le16(result);
470 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
471 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
472 sizeof(rsp), &rsp);
473 }
474
475 l2cap_chan_del(chan, reason);
476 break;
477
478 case BT_CONNECT:
479 case BT_DISCONN:
480 l2cap_chan_del(chan, reason);
481 break;
482
483 default:
484 sock_set_flag(sk, SOCK_ZAPPED);
485 break;
486 }
487}
488
4343478f 489static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 490{
715ec005 491 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 492 switch (chan->sec_level) {
8556edd3
JH		 493 case BT_SECURITY_HIGH:
494 return HCI_AT_DEDICATED_BONDING_MITM;
495 case BT_SECURITY_MEDIUM:
496 return HCI_AT_DEDICATED_BONDING;
497 default:
498 return HCI_AT_NO_BONDING;
499 }
fe4128e0 500 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 501 if (chan->sec_level == BT_SECURITY_LOW)
502 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 503
4343478f 504 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 505 return HCI_AT_NO_BONDING_MITM;
00ae4af9 506 else
8556edd3 507 return HCI_AT_NO_BONDING;
00ae4af9 508 } else {
4343478f 509 switch (chan->sec_level) {
00ae4af9 510 case BT_SECURITY_HIGH:
8556edd3 511 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 512 case BT_SECURITY_MEDIUM:
8556edd3 513 return HCI_AT_GENERAL_BONDING;
00ae4af9 514 default:
8556edd3 515 return HCI_AT_NO_BONDING;
00ae4af9 516 }
0684e5f9 517 }
8556edd3
JH		 518}
519
520/* Service level security */
d45fc423 521int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 522{
8c1d787b 523 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 524 __u8 auth_type;
525
4343478f 526 auth_type = l2cap_get_auth_type(chan);
79d554a6 527
4343478f 528 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 529}
530
b5ad8b7f 531static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 532{
533 u8 id;
534
535 /* Get next available identificator.
536 * 1 - 128 are used by kernel.
537 * 129 - 199 are reserved.
538 * 200 - 254 are used by utilities like l2ping, etc.
539 */
540
541 spin_lock_bh(&conn->lock);
542
543 if (++conn->tx_ident > 128)
544 conn->tx_ident = 1;
545
546 id = conn->tx_ident;
547
548 spin_unlock_bh(&conn->lock);
549
550 return id;
551}
552
4519de9a 553static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 554{
555 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 556 u8 flags;
4e8402a3
MH		 557
558 BT_DBG("code 0x%2.2x", code);
559
560 if (!skb)
9a9c6a34 561 return;
4e8402a3 562
e702112f
AE		 563 if (lmp_no_flush_capable(conn->hcon->hdev))
564 flags = ACL_START_NO_FLUSH;
565 else
566 flags = ACL_START;
567
14b12d0b 568 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 569 skb->priority = HCI_PRIO_MAX;
14b12d0b 570
73d80deb
LAD		 571 hci_send_acl(conn->hchan, skb, flags);
572}
573
574static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
575{
576 struct hci_conn *hcon = chan->conn->hcon;
577 u16 flags;
578
579 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
580 skb->priority);
581
582 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
583 lmp_no_flush_capable(hcon->hdev))
584 flags = ACL_START_NO_FLUSH;
585 else
586 flags = ACL_START;
14b12d0b 587
73d80deb
LAD		 588 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
589 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 590}
591
88843ab0 592static inline void l2cap_send_sframe(struct l2cap_chan *chan, u32 control)
1c2acffb
GP		 593{
594 struct sk_buff *skb;
595 struct l2cap_hdr *lh;
8c1d787b 596 struct l2cap_conn *conn = chan->conn;
e4ca6d98 597 int count, hlen;
fcc203c3 598
89bc500e 599 if (chan->state != BT_CONNECTED)
c13ffa62
GP		 600 return;
601
e4ca6d98
AE		 602 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
603 hlen = L2CAP_EXT_HDR_SIZE;
604 else
605 hlen = L2CAP_ENH_HDR_SIZE;
606
47d1ec61 607 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 608 hlen += L2CAP_FCS_SIZE;
1c2acffb 609
88843ab0 610 BT_DBG("chan %p, control 0x%8.8x", chan, control);
1c2acffb 611
fcc203c3 612 count = min_t(unsigned int, conn->mtu, hlen);
793c2f1c
AE		 613
614 control |= __set_sframe(chan);
1c2acffb 615
e2ab4353 616 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 617 control |= __set_ctrl_final(chan);
9e917af1 618
e2ab4353 619 if (test_and_clear_bit(CONN_SEND_PBIT, &chan->conn_state))
e3781735 620 control |= __set_ctrl_poll(chan);
f0946ccf 621
1c2acffb
GP		 622 skb = bt_skb_alloc(count, GFP_ATOMIC);
623 if (!skb)
9a9c6a34 624 return;
1c2acffb
GP		 625
626 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 627 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
fe4128e0 628 lh->cid = cpu_to_le16(chan->dcid);
88843ab0
AE		 629
630 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
1c2acffb 631
47d1ec61 632 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 633 u16 fcs = crc16(0, (u8 *)lh, count - L2CAP_FCS_SIZE);
634 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 635 }
636
73d80deb
LAD		 637 skb->priority = HCI_PRIO_MAX;
638 l2cap_do_send(chan, skb);
1c2acffb
GP		 639}
640
88843ab0 641static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u32 control)
7e743090 642{
e2ab4353 643 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 644 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 645 set_bit(CONN_RNR_SENT, &chan->conn_state);
1890d36b 646 } else
ab784b73 647 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
7e743090 648
0b209fae 649 control |= __set_reqseq(chan, chan->buffer_seq);
2ab25cdd 650
525cd185 651 l2cap_send_sframe(chan, control);
7e743090
GP		 652}
653
b4450035 654static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 655{
c1360a1c 656 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 657}
658
fc7f8a7e 659static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 660{
8c1d787b 661 struct l2cap_conn *conn = chan->conn;
79d554a6
MH		 662
663 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 664 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
665 return;
666
d45fc423 667 if (l2cap_chan_check_security(chan) &&
4343478f 668 __l2cap_no_conn_pending(chan)) {
b1235d79 669 struct l2cap_conn_req req;
fe4128e0
GP		 670 req.scid = cpu_to_le16(chan->scid);
671 req.psm = chan->psm;
79d554a6 672
fc7f8a7e 673 chan->ident = l2cap_get_ident(conn);
c1360a1c 674 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
79d554a6 675
fc7f8a7e
GP		 676 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
677 sizeof(req), &req);
b1235d79 678 }
79d554a6
MH		 679 } else {
680 struct l2cap_info_req req;
681 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
682
683 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
684 conn->info_ident = l2cap_get_ident(conn);
685
686 mod_timer(&conn->info_timer, jiffies +
687 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
688
689 l2cap_send_cmd(conn, conn->info_ident,
690 L2CAP_INFO_REQ, sizeof(req), &req);
691 }
692}
693
cf6c2c0b
GP		 694static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
695{
696 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 697 if (!disable_ertm)
cf6c2c0b
GP		 698 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
699
700 switch (mode) {
701 case L2CAP_MODE_ERTM:
702 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
703 case L2CAP_MODE_STREAMING:
704 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
705 default:
706 return 0x00;
707 }
708}
709
4519de9a 710static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 711{
e92c8e70 712 struct sock *sk;
22121fc9
GP		 713 struct l2cap_disconn_req req;
714
c13ffa62
GP		 715 if (!conn)
716 return;
717
e92c8e70
GP		 718 sk = chan->sk;
719
0c1bc5c6 720 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 721 __clear_retrans_timer(chan);
722 __clear_monitor_timer(chan);
723 __clear_ack_timer(chan);
c13ffa62
GP		 724 }
725
fe4128e0
GP		 726 req.dcid = cpu_to_le16(chan->dcid);
727 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 728 l2cap_send_cmd(conn, l2cap_get_ident(conn),
729 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 730
89bc500e 731 l2cap_state_change(chan, BT_DISCONN);
9b108fc0 732 sk->sk_err = err;
22121fc9
GP		 733}
734
1da177e4 735/* ---- L2CAP connections ---- */
4e8402a3
MH		 736static void l2cap_conn_start(struct l2cap_conn *conn)
737{
820ffdb3 738 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 739
740 BT_DBG("conn %p", conn);
741
baa7e1fa 742 read_lock(&conn->chan_lock);
4e8402a3 743
820ffdb3 744 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 745 struct sock *sk = chan->sk;
baa7e1fa 746
4e8402a3
MH		 747 bh_lock_sock(sk);
748
715ec005 749 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
79d554a6
MH		 750 bh_unlock_sock(sk);
751 continue;
752 }
753
89bc500e 754 if (chan->state == BT_CONNECT) {
47731de7 755 struct l2cap_conn_req req;
79d554a6 756
d45fc423 757 if (!l2cap_chan_check_security(chan) ||
b4450035 758 !__l2cap_no_conn_pending(chan)) {
47731de7
GP		 759 bh_unlock_sock(sk);
760 continue;
761 }
79d554a6 762
c1360a1c
GP		 763 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
764 && test_bit(CONF_STATE2_DEVICE,
765 &chan->conf_state)) {
0f852724 766 /* l2cap_chan_close() calls list_del(chan)
820ffdb3 767 * so release the lock */
2461daac 768 read_unlock(&conn->chan_lock);
89bc500e 769 l2cap_chan_close(chan, ECONNRESET);
2461daac 770 read_lock(&conn->chan_lock);
47731de7
GP		 771 bh_unlock_sock(sk);
772 continue;
b1235d79 773 }
47731de7 774
fe4128e0
GP		 775 req.scid = cpu_to_le16(chan->scid);
776 req.psm = chan->psm;
47731de7 777
fc7f8a7e 778 chan->ident = l2cap_get_ident(conn);
c1360a1c 779 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
47731de7 780
fc7f8a7e
GP		 781 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
782 sizeof(req), &req);
47731de7 783
89bc500e 784 } else if (chan->state == BT_CONNECT2) {
79d554a6 785 struct l2cap_conn_rsp rsp;
e9aeb2dd 786 char buf[128];
fe4128e0
GP		 787 rsp.scid = cpu_to_le16(chan->dcid);
788 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 789
d45fc423 790 if (l2cap_chan_check_security(chan)) {
f66dc81f
MH		 791 if (bt_sk(sk)->defer_setup) {
792 struct sock *parent = bt_sk(sk)->parent;
793 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
794 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 795 if (parent)
796 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 797
798 } else {
89bc500e 799 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 800 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
801 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
802 }
79d554a6
MH		 803 } else {
804 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
805 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
806 }
807
fc7f8a7e
GP		 808 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
809 sizeof(rsp), &rsp);
e9aeb2dd 810
c1360a1c 811 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd
GP		 812 rsp.result != L2CAP_CR_SUCCESS) {
813 bh_unlock_sock(sk);
814 continue;
815 }
816
c1360a1c 817 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 818 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 819 l2cap_build_conf_req(chan, buf), buf);
820 chan->num_conf_req++;
4e8402a3
MH		 821 }
822
823 bh_unlock_sock(sk);
824 }
825
baa7e1fa 826 read_unlock(&conn->chan_lock);
4e8402a3
MH		 827}
828
b62f328b
VT		 829/* Find socket with cid and source bdaddr.
830 * Returns closest match, locked.
831 */
23691d75 832static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
b62f328b 833{
23691d75 834 struct l2cap_chan *c, *c1 = NULL;
b62f328b 835
23691d75 836 read_lock(&chan_list_lock);
b62f328b 837
23691d75
GP		 838 list_for_each_entry(c, &chan_list, global_l) {
839 struct sock *sk = c->sk;
fe4128e0 840
89bc500e 841 if (state && c->state != state)
b62f328b
VT		 842 continue;
843
23691d75 844 if (c->scid == cid) {
b62f328b 845 /* Exact match. */
23691d75
GP		 846 if (!bacmp(&bt_sk(sk)->src, src)) {
847 read_unlock(&chan_list_lock);
848 return c;
849 }
b62f328b
VT		 850
851 /* Closest match */
852 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 853 c1 = c;
b62f328b
VT		 854 }
855 }
280f294f 856
23691d75 857 read_unlock(&chan_list_lock);
b62f328b 858
23691d75 859 return c1;
b62f328b
VT		 860}
861
862static void l2cap_le_conn_ready(struct l2cap_conn *conn)
863{
c916fbe4 864 struct sock *parent, *sk;
23691d75 865 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 866
867 BT_DBG("");
868
869 /* Check if we have socket listening on cid */
23691d75 870 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
b62f328b 871 conn->src);
23691d75 872 if (!pchan)
b62f328b
VT		 873 return;
874
23691d75
GP		 875 parent = pchan->sk;
876
62f3a2cf
GP		 877 bh_lock_sock(parent);
878
b62f328b
VT		 879 /* Check for backlog size */
880 if (sk_acceptq_is_full(parent)) {
881 BT_DBG("backlog full %d", parent->sk_ack_backlog);
882 goto clean;
883 }
884
80808e43
GP		 885 chan = pchan->ops->new_connection(pchan->data);
886 if (!chan)
b62f328b
VT		 887 goto clean;
888
80808e43 889 sk = chan->sk;
5d41ce1d 890
baa7e1fa 891 write_lock_bh(&conn->chan_lock);
b62f328b
VT		 892
893 hci_conn_hold(conn->hcon);
894
b62f328b
VT		 895 bacpy(&bt_sk(sk)->src, conn->src);
896 bacpy(&bt_sk(sk)->dst, conn->dst);
897
d1010240
GP		 898 bt_accept_enqueue(parent, sk);
899
48454079
GP		 900 __l2cap_chan_add(conn, chan);
901
c9b66675 902 __set_chan_timer(chan, sk->sk_sndtimeo);
b62f328b 903
89bc500e 904 l2cap_state_change(chan, BT_CONNECTED);
b62f328b
VT		 905 parent->sk_data_ready(parent, 0);
906
baa7e1fa 907 write_unlock_bh(&conn->chan_lock);
b62f328b
VT		 908
909clean:
910 bh_unlock_sock(parent);
911}
912
f1cb9af5
VCG		 913static void l2cap_chan_ready(struct sock *sk)
914{
915 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
916 struct sock *parent = bt_sk(sk)->parent;
917
918 BT_DBG("sk %p, parent %p", sk, parent);
919
920 chan->conf_state = 0;
921 __clear_chan_timer(chan);
922
43f3dc41 923 l2cap_state_change(chan, BT_CONNECTED);
f1cb9af5
VCG		 924 sk->sk_state_change(sk);
925
926 if (parent)
927 parent->sk_data_ready(parent, 0);
928}
929
4e8402a3
MH		 930static void l2cap_conn_ready(struct l2cap_conn *conn)
931{
48454079 932 struct l2cap_chan *chan;
4e8402a3 933
79d554a6 934 BT_DBG("conn %p", conn);
4e8402a3 935
b62f328b
VT		 936 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
937 l2cap_le_conn_ready(conn);
938
160dc6ac
VCG		 939 if (conn->hcon->out && conn->hcon->type == LE_LINK)
940 smp_conn_security(conn, conn->hcon->pending_sec_level);
941
baa7e1fa 942 read_lock(&conn->chan_lock);
4e8402a3 943
baa7e1fa 944 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 945 struct sock *sk = chan->sk;
baa7e1fa 946
79d554a6 947 bh_lock_sock(sk);
4e8402a3 948
63128451 949 if (conn->hcon->type == LE_LINK) {
b501d6a1 950 if (smp_conn_security(conn, chan->sec_level))
f1cb9af5 951 l2cap_chan_ready(sk);
acd7d370 952
63128451 953 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 954 __clear_chan_timer(chan);
89bc500e 955 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 956 sk->sk_state_change(sk);
b501d6a1 957
89bc500e 958 } else if (chan->state == BT_CONNECT)
fc7f8a7e 959 l2cap_do_start(chan);
4e8402a3 960
79d554a6 961 bh_unlock_sock(sk);
4e8402a3 962 }
79d554a6 963
baa7e1fa 964 read_unlock(&conn->chan_lock);
4e8402a3
MH		 965}
966
967/* Notify sockets that we cannot guaranty reliability anymore */
968static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
969{
48454079 970 struct l2cap_chan *chan;
4e8402a3
MH		 971
972 BT_DBG("conn %p", conn);
973
baa7e1fa 974 read_lock(&conn->chan_lock);
4e8402a3 975
baa7e1fa 976 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 977 struct sock *sk = chan->sk;
baa7e1fa 978
ecf61bdb 979 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
4e8402a3
MH		 980 sk->sk_err = err;
981 }
982
baa7e1fa 983 read_unlock(&conn->chan_lock);
4e8402a3
MH		 984}
985
986static void l2cap_info_timeout(unsigned long arg)
987{
988 struct l2cap_conn *conn = (void *) arg;
989
984947dc 990 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 991 conn->info_ident = 0;
984947dc 992
4e8402a3
MH		 993 l2cap_conn_start(conn);
994}
995
5d3de7df
VCG		 996static void l2cap_conn_del(struct hci_conn *hcon, int err)
997{
998 struct l2cap_conn *conn = hcon->l2cap_data;
999 struct l2cap_chan *chan, *l;
1000 struct sock *sk;
1001
1002 if (!conn)
1003 return;
1004
1005 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1006
1007 kfree_skb(conn->rx_skb);
1008
1009 /* Kill channels */
1010 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1011 sk = chan->sk;
1012 bh_lock_sock(sk);
1013 l2cap_chan_del(chan, err);
1014 bh_unlock_sock(sk);
1015 chan->ops->close(chan->data);
1016 }
1017
73d80deb
LAD		 1018 hci_chan_del(conn->hchan);
1019
5d3de7df
VCG		 1020 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1021 del_timer_sync(&conn->info_timer);
1022
d26a2345 1023 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->pend)) {
5d3de7df 1024 del_timer(&conn->security_timer);
8aab4757 1025 smp_chan_destroy(conn);
d26a2345 1026 }
5d3de7df
VCG		 1027
1028 hcon->l2cap_data = NULL;
1029 kfree(conn);
1030}
1031
1032static void security_timeout(unsigned long arg)
1033{
1034 struct l2cap_conn *conn = (void *) arg;
1035
1036 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1037}
1038
1da177e4
LT		 1039static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1040{
0139418c 1041 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1042 struct hci_chan *hchan;
1da177e4 1043
0139418c 1044 if (conn || status)
1da177e4
LT		 1045 return conn;
1046
73d80deb
LAD		 1047 hchan = hci_chan_create(hcon);
1048 if (!hchan)
1049 return NULL;
1050
0139418c 1051 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
73d80deb
LAD		 1052 if (!conn) {
1053 hci_chan_del(hchan);
1da177e4 1054 return NULL;
73d80deb 1055 }
1da177e4
LT		 1056
1057 hcon->l2cap_data = conn;
1058 conn->hcon = hcon;
73d80deb 1059 conn->hchan = hchan;
1da177e4 1060
73d80deb 1061 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1062
acd7d370
VT		 1063 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1064 conn->mtu = hcon->hdev->le_mtu;
1065 else
1066 conn->mtu = hcon->hdev->acl_mtu;
1067
1da177e4
LT		 1068 conn->src = &hcon->hdev->bdaddr;
1069 conn->dst = &hcon->dst;
1070
4e8402a3
MH		 1071 conn->feat_mask = 0;
1072
1da177e4 1073 spin_lock_init(&conn->lock);
baa7e1fa
GP		 1074 rwlock_init(&conn->chan_lock);
1075
1076 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1077
5d3de7df
VCG		 1078 if (hcon->type == LE_LINK)
1079 setup_timer(&conn->security_timer, security_timeout,
1080 (unsigned long) conn);
1081 else
b62f328b 1082 setup_timer(&conn->info_timer, l2cap_info_timeout,
45054dc1
DY		 1083 (unsigned long) conn);
1084
9f5a0d7b 1085 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1086
1da177e4
LT		 1087 return conn;
1088}
1089
48454079 1090static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
1da177e4 1091{
baa7e1fa 1092 write_lock_bh(&conn->chan_lock);
48454079 1093 __l2cap_chan_add(conn, chan);
baa7e1fa 1094 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 1095}
1096
1da177e4 1097/* ---- Socket interface ---- */
1da177e4
LT		 1098
1099/* Find socket with psm and source bdaddr.
1100 * Returns closest match.
1101 */
23691d75 1102static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4 1103{
23691d75 1104 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1105
23691d75 1106 read_lock(&chan_list_lock);
e0f0cb56 1107
23691d75
GP		 1108 list_for_each_entry(c, &chan_list, global_l) {
1109 struct sock *sk = c->sk;
fe4128e0 1110
89bc500e 1111 if (state && c->state != state)
1da177e4
LT		 1112 continue;
1113
23691d75 1114 if (c->psm == psm) {
1da177e4 1115 /* Exact match. */
23691d75 1116 if (!bacmp(&bt_sk(sk)->src, src)) {
a7567b20 1117 read_unlock(&chan_list_lock);
23691d75
GP		 1118 return c;
1119 }
1da177e4
LT		 1120
1121 /* Closest match */
1122 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 1123 c1 = c;
1da177e4
LT		 1124 }
1125 }
1da177e4 1126
23691d75 1127 read_unlock(&chan_list_lock);
e0f0cb56 1128
23691d75 1129 return c1;
1da177e4
LT		 1130}
1131
77a74c7e 1132int l2cap_chan_connect(struct l2cap_chan *chan)
1da177e4 1133{
5d41ce1d 1134 struct sock *sk = chan->sk;
1da177e4
LT		 1135 bdaddr_t *src = &bt_sk(sk)->src;
1136 bdaddr_t *dst = &bt_sk(sk)->dst;
1137 struct l2cap_conn *conn;
1138 struct hci_conn *hcon;
1139 struct hci_dev *hdev;
09ab6f4c 1140 __u8 auth_type;
44d0e48e 1141 int err;
1da177e4 1142
f29972de 1143 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
fe4128e0 1144 chan->psm);
1da177e4 1145
af05b30b
GP		 1146 hdev = hci_get_route(dst, src);
1147 if (!hdev)
1da177e4
LT		 1148 return -EHOSTUNREACH;
1149
1150 hci_dev_lock_bh(hdev);
1151
4343478f 1152 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1153
fe4128e0 1154 if (chan->dcid == L2CAP_CID_LE_DATA)
acd7d370 1155 hcon = hci_connect(hdev, LE_LINK, dst,
4343478f 1156 chan->sec_level, auth_type);
acd7d370
VT		 1157 else
1158 hcon = hci_connect(hdev, ACL_LINK, dst,
4343478f 1159 chan->sec_level, auth_type);
acd7d370 1160
30e76272
VT		 1161 if (IS_ERR(hcon)) {
1162 err = PTR_ERR(hcon);
1da177e4 1163 goto done;
30e76272 1164 }
1da177e4
LT		 1165
1166 conn = l2cap_conn_add(hcon, 0);
1167 if (!conn) {
1168 hci_conn_put(hcon);
30e76272 1169 err = -ENOMEM;
1da177e4
LT		 1170 goto done;
1171 }
1172
1da177e4
LT		 1173 /* Update source addr of the socket */
1174 bacpy(src, conn->src);
1175
48454079
GP		 1176 l2cap_chan_add(conn, chan);
1177
89bc500e 1178 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1179 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1180
1181 if (hcon->state == BT_CONNECTED) {
715ec005 1182 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1183 __clear_chan_timer(chan);
d45fc423 1184 if (l2cap_chan_check_security(chan))
89bc500e 1185 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1186 } else
fc7f8a7e 1187 l2cap_do_start(chan);
1da177e4
LT		 1188 }
1189
30e76272
VT		 1190 err = 0;
1191
1da177e4
LT		 1192done:
1193 hci_dev_unlock_bh(hdev);
1194 hci_dev_put(hdev);
1195 return err;
1196}
1197
dcba0dba 1198int __l2cap_wait_ack(struct sock *sk)
6161c038 1199{
8c1d787b 1200 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1201 DECLARE_WAITQUEUE(wait, current);
1202 int err = 0;
1203 int timeo = HZ/5;
1204
2b0b05dd 1205 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1206 set_current_state(TASK_INTERRUPTIBLE);
1207 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1208 if (!timeo)
1209 timeo = HZ/5;
1210
1211 if (signal_pending(current)) {
1212 err = sock_intr_errno(timeo);
1213 break;
1214 }
1215
1216 release_sock(sk);
1217 timeo = schedule_timeout(timeo);
1218 lock_sock(sk);
a71a0cf4 1219 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1220
1221 err = sock_error(sk);
1222 if (err)
1223 break;
1224 }
1225 set_current_state(TASK_RUNNING);
2b0b05dd 1226 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1227 return err;
1228}
1229
e90bac06
GP		 1230static void l2cap_monitor_timeout(unsigned long arg)
1231{
525cd185
GP		 1232 struct l2cap_chan *chan = (void *) arg;
1233 struct sock *sk = chan->sk;
e90bac06 1234
525cd185 1235 BT_DBG("chan %p", chan);
0e98958d 1236
e686219a 1237 bh_lock_sock(sk);
2c03a7a4 1238 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1239 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
b13f5860 1240 bh_unlock_sock(sk);
e90bac06
GP		 1241 return;
1242 }
1243
6a026610 1244 chan->retry_count++;
1a09bcb9 1245 __set_monitor_timer(chan);
e90bac06 1246
525cd185 1247 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1248 bh_unlock_sock(sk);
e90bac06
GP		 1249}
1250
1251static void l2cap_retrans_timeout(unsigned long arg)
1252{
525cd185
GP		 1253 struct l2cap_chan *chan = (void *) arg;
1254 struct sock *sk = chan->sk;
e90bac06 1255
49208c9c 1256 BT_DBG("chan %p", chan);
0e98958d 1257
e686219a 1258 bh_lock_sock(sk);
6a026610 1259 chan->retry_count = 1;
1a09bcb9 1260 __set_monitor_timer(chan);
e90bac06 1261
e2ab4353 1262 set_bit(CONN_WAIT_F, &chan->conn_state);
e90bac06 1263
525cd185 1264 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
e686219a 1265 bh_unlock_sock(sk);
e90bac06
GP		 1266}
1267
42e5c802 1268static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1da177e4 1269{
1c2acffb 1270 struct sk_buff *skb;
1da177e4 1271
58d35f87 1272 while ((skb = skb_peek(&chan->tx_q)) &&
6a026610 1273 chan->unacked_frames) {
42e5c802 1274 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1c2acffb 1275 break;
1da177e4 1276
58d35f87 1277 skb = skb_dequeue(&chan->tx_q);
1c2acffb 1278 kfree_skb(skb);
1da177e4 1279
6a026610 1280 chan->unacked_frames--;
1c2acffb 1281 }
1da177e4 1282
6a026610 1283 if (!chan->unacked_frames)
1a09bcb9 1284 __clear_retrans_timer(chan);
1c2acffb 1285}
1da177e4 1286
67c9e840 1287static void l2cap_streaming_send(struct l2cap_chan *chan)
6840ed07 1288{
ccbb84af 1289 struct sk_buff *skb;
88843ab0
AE		 1290 u32 control;
1291 u16 fcs;
6840ed07 1292
58d35f87 1293 while ((skb = skb_dequeue(&chan->tx_q))) {
88843ab0 1294 control = __get_control(chan, skb->data + L2CAP_HDR_SIZE);
fb45de7d 1295 control |= __set_txseq(chan, chan->next_tx_seq);
88843ab0 1296 __put_control(chan, control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1297
47d1ec61 1298 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1299 fcs = crc16(0, (u8 *)skb->data,
1300 skb->len - L2CAP_FCS_SIZE);
1301 put_unaligned_le16(fcs,
1302 skb->data + skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 1303 }
1304
4343478f 1305 l2cap_do_send(chan, skb);
6840ed07 1306
836be934 1307 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
6840ed07 1308 }
6840ed07
GP		 1309}
1310
fb45de7d 1311static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 1312{
8f17154f 1313 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1314 u16 fcs;
1315 u32 control;
8f17154f 1316
58d35f87 1317 skb = skb_peek(&chan->tx_q);
f11d676d
GP		 1318 if (!skb)
1319 return;
8f17154f 1320
d1726b6d 1321 while (bt_cb(skb)->tx_seq != tx_seq) {
58d35f87 1322 if (skb_queue_is_last(&chan->tx_q, skb))
f11d676d 1323 return;
8f17154f 1324
d1726b6d
SJ		 1325 skb = skb_queue_next(&chan->tx_q, skb);
1326 }
8f17154f 1327
2c03a7a4
GP		 1328 if (chan->remote_max_tx &&
1329 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1330 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
f11d676d
GP		 1331 return;
1332 }
1333
1334 tx_skb = skb_clone(skb, GFP_ATOMIC);
1335 bt_cb(skb)->retries++;
88843ab0
AE		 1336
1337 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1338 control &= __get_sar_mask(chan);
3cb123d1 1339
e2ab4353 1340 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1341 control |= __set_ctrl_final(chan);
95ffa978 1342
0b209fae 1343 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1344 control |= __set_txseq(chan, tx_seq);
3cb123d1 1345
88843ab0 1346 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
f11d676d 1347
47d1ec61 1348 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1349 fcs = crc16(0, (u8 *)tx_skb->data,
1350 tx_skb->len - L2CAP_FCS_SIZE);
1351 put_unaligned_le16(fcs,
1352 tx_skb->data + tx_skb->len - L2CAP_FCS_SIZE);
f11d676d
GP		 1353 }
1354
4343478f 1355 l2cap_do_send(chan, tx_skb);
8f17154f
GP		 1356}
1357
67c9e840 1358static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1359{
1360 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1361 u16 fcs;
1362 u32 control;
9a9c6a34 1363 int nsent = 0;
1c2acffb 1364
89bc500e 1365 if (chan->state != BT_CONNECTED)
c13ffa62 1366 return -ENOTCONN;
e90bac06 1367
58d35f87 1368 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1c2acffb 1369
2c03a7a4
GP		 1370 if (chan->remote_max_tx &&
1371 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1372 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
e90bac06
GP		 1373 break;
1374 }
1375
e420aba3
AE		 1376 tx_skb = skb_clone(skb, GFP_ATOMIC);
1377
e90bac06
GP		 1378 bt_cb(skb)->retries++;
1379
88843ab0 1380 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1381 control &= __get_sar_mask(chan);
95ffa978 1382
e2ab4353 1383 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1384 control |= __set_ctrl_final(chan);
e2ab4353 1385
0b209fae 1386 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1387 control |= __set_txseq(chan, chan->next_tx_seq);
1c2acffb 1388
88843ab0 1389 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
e90bac06 1390
47d1ec61 1391 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1392 fcs = crc16(0, (u8 *)skb->data,
1393 tx_skb->len - L2CAP_FCS_SIZE);
1394 put_unaligned_le16(fcs, skb->data +
1395 tx_skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 1396 }
1397
4343478f 1398 l2cap_do_send(chan, tx_skb);
9a9c6a34 1399
1a09bcb9 1400 __set_retrans_timer(chan);
1c2acffb 1401
42e5c802 1402 bt_cb(skb)->tx_seq = chan->next_tx_seq;
836be934
AE		 1403
1404 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1c2acffb 1405
23e9fde2 1406 if (bt_cb(skb)->retries == 1)
6a026610 1407 chan->unacked_frames++;
23e9fde2 1408
6a026610 1409 chan->frames_sent++;
1c2acffb 1410
58d35f87
GP		 1411 if (skb_queue_is_last(&chan->tx_q, skb))
1412 chan->tx_send_head = NULL;
1c2acffb 1413 else
58d35f87 1414 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
9e917af1
GP		 1415
1416 nsent++;
1c2acffb
GP		 1417 }
1418
9e917af1
GP		 1419 return nsent;
1420}
1421
525cd185 1422static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1423{
dfc909be
GP		 1424 int ret;
1425
58d35f87
GP		 1426 if (!skb_queue_empty(&chan->tx_q))
1427 chan->tx_send_head = chan->tx_q.next;
dfc909be 1428
42e5c802 1429 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1430 ret = l2cap_ertm_send(chan);
dfc909be
GP		 1431 return ret;
1432}
1433
525cd185 1434static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1435{
88843ab0 1436 u32 control = 0;
9e917af1 1437
0b209fae 1438 control |= __set_reqseq(chan, chan->buffer_seq);
9e917af1 1439
e2ab4353 1440 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 1441 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 1442 set_bit(CONN_RNR_SENT, &chan->conn_state);
525cd185 1443 l2cap_send_sframe(chan, control);
9a9c6a34 1444 return;
9e917af1 1445 }
dfc909be 1446
525cd185 1447 if (l2cap_ertm_send(chan) > 0)
dfc909be
GP		 1448 return;
1449
ab784b73 1450 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 1451 l2cap_send_sframe(chan, control);
1c2acffb
GP		 1452}
1453
525cd185 1454static void l2cap_send_srejtail(struct l2cap_chan *chan)
99b0d4b7
GP		 1455{
1456 struct srej_list *tail;
88843ab0 1457 u32 control;
99b0d4b7 1458
ab784b73 1459 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
03f6715d 1460 control |= __set_ctrl_final(chan);
99b0d4b7 1461
39d5a3ee 1462 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
0b209fae 1463 control |= __set_reqseq(chan, tail->tx_seq);
99b0d4b7 1464
525cd185 1465 l2cap_send_sframe(chan, control);
99b0d4b7
GP		 1466}
1467
1c2acffb
GP		 1468static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1469{
8c1d787b 1470 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1c2acffb
GP		 1471 struct sk_buff **frag;
1472 int err, sent = 0;
1da177e4 1473
59203a21 1474 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1475 return -EFAULT;
1da177e4
LT		 1476
1477 sent += count;
1478 len -= count;
1479
1480 /* Continuation fragments (no L2CAP header) */
1481 frag = &skb_shinfo(skb)->frag_list;
1482 while (len) {
1483 count = min_t(unsigned int, conn->mtu, len);
1484
1485 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1486 if (!*frag)
0175d629 1487 return err;
1c2acffb
GP		 1488 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1489 return -EFAULT;
1da177e4 1490
5e59b791
LAD		 1491 (*frag)->priority = skb->priority;
1492
1da177e4
LT		 1493 sent += count;
1494 len -= count;
1495
1496 frag = &(*frag)->next;
1497 }
1da177e4
LT		 1498
1499 return sent;
1c2acffb 1500}
1da177e4 1501
5e59b791
LAD		 1502static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
1503 struct msghdr *msg, size_t len,
1504 u32 priority)
1c2acffb 1505{
fe4128e0 1506 struct sock *sk = chan->sk;
8c1d787b 1507 struct l2cap_conn *conn = chan->conn;
1c2acffb 1508 struct sk_buff *skb;
03a51213 1509 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 1510 struct l2cap_hdr *lh;
1511
5e59b791 1512 BT_DBG("sk %p len %d priority %u", sk, (int)len, priority);
1c2acffb
GP		 1513
1514 count = min_t(unsigned int, (conn->mtu - hlen), len);
1515 skb = bt_skb_send_alloc(sk, count + hlen,
1516 msg->msg_flags & MSG_DONTWAIT, &err);
1517 if (!skb)
0175d629 1518 return ERR_PTR(err);
1c2acffb 1519
5e59b791
LAD		 1520 skb->priority = priority;
1521
1c2acffb
GP		 1522 /* Create L2CAP header */
1523 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1524 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1525 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
fe4128e0 1526 put_unaligned_le16(chan->psm, skb_put(skb, 2));
1c2acffb
GP		 1527
1528 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1529 if (unlikely(err < 0)) {
1530 kfree_skb(skb);
1531 return ERR_PTR(err);
1532 }
1533 return skb;
1534}
1535
5e59b791
LAD		 1536static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
1537 struct msghdr *msg, size_t len,
1538 u32 priority)
1c2acffb 1539{
fe4128e0 1540 struct sock *sk = chan->sk;
8c1d787b 1541 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1542 struct sk_buff *skb;
1543 int err, count, hlen = L2CAP_HDR_SIZE;
1544 struct l2cap_hdr *lh;
1545
1546 BT_DBG("sk %p len %d", sk, (int)len);
1547
1548 count = min_t(unsigned int, (conn->mtu - hlen), len);
1549 skb = bt_skb_send_alloc(sk, count + hlen,
1550 msg->msg_flags & MSG_DONTWAIT, &err);
1551 if (!skb)
0175d629 1552 return ERR_PTR(err);
1c2acffb 1553
5e59b791
LAD		 1554 skb->priority = priority;
1555
1c2acffb
GP		 1556 /* Create L2CAP header */
1557 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1558 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1559 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1560
1561 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1562 if (unlikely(err < 0)) {
1563 kfree_skb(skb);
1564 return ERR_PTR(err);
1565 }
1566 return skb;
1567}
1568
ab0ff76d
LAD		 1569static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
1570 struct msghdr *msg, size_t len,
88843ab0 1571 u32 control, u16 sdulen)
1c2acffb 1572{
47d1ec61 1573 struct sock *sk = chan->sk;
8c1d787b 1574 struct l2cap_conn *conn = chan->conn;
1c2acffb 1575 struct sk_buff *skb;
e4ca6d98 1576 int err, count, hlen;
1c2acffb
GP		 1577 struct l2cap_hdr *lh;
1578
1579 BT_DBG("sk %p len %d", sk, (int)len);
1580
0ee0d208
GP		 1581 if (!conn)
1582 return ERR_PTR(-ENOTCONN);
1583
e4ca6d98
AE		 1584 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1585 hlen = L2CAP_EXT_HDR_SIZE;
1586 else
1587 hlen = L2CAP_ENH_HDR_SIZE;
1588
c74e560c 1589 if (sdulen)
03a51213 1590 hlen += L2CAP_SDULEN_SIZE;
c74e560c 1591
47d1ec61 1592 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1593 hlen += L2CAP_FCS_SIZE;
fcc203c3 1594
1c2acffb
GP		 1595 count = min_t(unsigned int, (conn->mtu - hlen), len);
1596 skb = bt_skb_send_alloc(sk, count + hlen,
1597 msg->msg_flags & MSG_DONTWAIT, &err);
1598 if (!skb)
0175d629 1599 return ERR_PTR(err);
1c2acffb
GP		 1600
1601 /* Create L2CAP header */
1602 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1603 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1604 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0
AE		 1605
1606 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
1607
c74e560c 1608 if (sdulen)
03a51213 1609 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb
GP		 1610
1611 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1612 if (unlikely(err < 0)) {
1613 kfree_skb(skb);
1614 return ERR_PTR(err);
1615 }
e90bac06 1616
47d1ec61 1617 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1618 put_unaligned_le16(0, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3 1619
e90bac06 1620 bt_cb(skb)->retries = 0;
1c2acffb 1621 return skb;
1da177e4
LT		 1622}
1623
67c9e840 1624static int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
c74e560c 1625{
c74e560c
GP		 1626 struct sk_buff *skb;
1627 struct sk_buff_head sar_queue;
88843ab0 1628 u32 control;
c74e560c
GP		 1629 size_t size = 0;
1630
ff12fd64 1631 skb_queue_head_init(&sar_queue);
7e0ef6ee 1632 control = __set_ctrl_sar(chan, L2CAP_SAR_START);
47d1ec61 1633 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
c74e560c
GP		 1634 if (IS_ERR(skb))
1635 return PTR_ERR(skb);
1636
1637 __skb_queue_tail(&sar_queue, skb);
2c03a7a4
GP		 1638 len -= chan->remote_mps;
1639 size += chan->remote_mps;
c74e560c
GP		 1640
1641 while (len > 0) {
1642 size_t buflen;
1643
2c03a7a4 1644 if (len > chan->remote_mps) {
7e0ef6ee 1645 control = __set_ctrl_sar(chan, L2CAP_SAR_CONTINUE);
2c03a7a4 1646 buflen = chan->remote_mps;
c74e560c 1647 } else {
7e0ef6ee 1648 control = __set_ctrl_sar(chan, L2CAP_SAR_END);
c74e560c
GP		 1649 buflen = len;
1650 }
1651
47d1ec61 1652 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
c74e560c
GP		 1653 if (IS_ERR(skb)) {
1654 skb_queue_purge(&sar_queue);
1655 return PTR_ERR(skb);
1656 }
1657
1658 __skb_queue_tail(&sar_queue, skb);
1659 len -= buflen;
1660 size += buflen;
c74e560c 1661 }
58d35f87
GP		 1662 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
1663 if (chan->tx_send_head == NULL)
1664 chan->tx_send_head = sar_queue.next;
c74e560c
GP		 1665
1666 return size;
1667}
1668
5e59b791
LAD		 1669int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
1670 u32 priority)
9a91a04a 1671{
9a91a04a 1672 struct sk_buff *skb;
88843ab0 1673 u32 control;
9a91a04a
GP		 1674 int err;
1675
1676 /* Connectionless channel */
715ec005 1677 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 1678 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 1679 if (IS_ERR(skb))
1680 return PTR_ERR(skb);
1681
1682 l2cap_do_send(chan, skb);
1683 return len;
1684 }
1685
1686 switch (chan->mode) {
1687 case L2CAP_MODE_BASIC:
1688 /* Check outgoing MTU */
1689 if (len > chan->omtu)
1690 return -EMSGSIZE;
1691
1692 /* Create a basic PDU */
5e59b791 1693 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 1694 if (IS_ERR(skb))
1695 return PTR_ERR(skb);
1696
1697 l2cap_do_send(chan, skb);
1698 err = len;
1699 break;
1700
1701 case L2CAP_MODE_ERTM:
1702 case L2CAP_MODE_STREAMING:
1703 /* Entire SDU fits into one PDU */
1704 if (len <= chan->remote_mps) {
7e0ef6ee 1705 control = __set_ctrl_sar(chan, L2CAP_SAR_UNSEGMENTED);
9a91a04a
GP		 1706 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
1707 0);
1708 if (IS_ERR(skb))
1709 return PTR_ERR(skb);
1710
1711 __skb_queue_tail(&chan->tx_q, skb);
1712
1713 if (chan->tx_send_head == NULL)
1714 chan->tx_send_head = skb;
1715
1716 } else {
1717 /* Segment SDU into multiples PDUs */
1718 err = l2cap_sar_segment_sdu(chan, msg, len);
1719 if (err < 0)
1720 return err;
1721 }
1722
1723 if (chan->mode == L2CAP_MODE_STREAMING) {
1724 l2cap_streaming_send(chan);
1725 err = len;
1726 break;
1727 }
1728
e2ab4353
GP		 1729 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
1730 test_bit(CONN_WAIT_F, &chan->conn_state)) {
9a91a04a
GP		 1731 err = len;
1732 break;
1733 }
1734
1735 err = l2cap_ertm_send(chan);
1736 if (err >= 0)
1737 err = len;
1738
1739 break;
1740
1741 default:
1742 BT_DBG("bad state %1.1x", chan->mode);
1743 err = -EBADFD;
1744 }
1745
1746 return err;
1747}
1748
1da177e4
LT		 1749/* Copy frame to all raw sockets on that connection */
1750static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1751{
1da177e4 1752 struct sk_buff *nskb;
48454079 1753 struct l2cap_chan *chan;
1da177e4
LT		 1754
1755 BT_DBG("conn %p", conn);
1756
baa7e1fa
GP		 1757 read_lock(&conn->chan_lock);
1758 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 1759 struct sock *sk = chan->sk;
715ec005 1760 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 1761 continue;
1762
1763 /* Don't send frame to the socket it came from */
1764 if (skb->sk == sk)
1765 continue;
af05b30b
GP		 1766 nskb = skb_clone(skb, GFP_ATOMIC);
1767 if (!nskb)
1da177e4
LT		 1768 continue;
1769
23070494 1770 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT		 1771 kfree_skb(nskb);
1772 }
baa7e1fa 1773 read_unlock(&conn->chan_lock);
1da177e4
LT		 1774}
1775
1776/* ---- L2CAP signalling commands ---- */
1777static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1778 u8 code, u8 ident, u16 dlen, void *data)
1779{
1780 struct sk_buff *skb, **frag;
1781 struct l2cap_cmd_hdr *cmd;
1782 struct l2cap_hdr *lh;
1783 int len, count;
1784
af05b30b
GP		 1785 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1786 conn, code, ident, dlen);
1da177e4
LT		 1787
1788 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1789 count = min_t(unsigned int, conn->mtu, len);
1790
1791 skb = bt_skb_alloc(count, GFP_ATOMIC);
1792 if (!skb)
1793 return NULL;
1794
1795 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 1796 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 1797
1798 if (conn->hcon->type == LE_LINK)
1799 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
1800 else
1801 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 1802
1803 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1804 cmd->code = code;
1805 cmd->ident = ident;
aca3192c 1806 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 1807
1808 if (dlen) {
1809 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1810 memcpy(skb_put(skb, count), data, count);
1811 data += count;
1812 }
1813
1814 len -= skb->len;
1815
1816 /* Continuation fragments (no L2CAP header) */
1817 frag = &skb_shinfo(skb)->frag_list;
1818 while (len) {
1819 count = min_t(unsigned int, conn->mtu, len);
1820
1821 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1822 if (!*frag)
1823 goto fail;
1824
1825 memcpy(skb_put(*frag, count), data, count);
1826
1827 len -= count;
1828 data += count;
1829
1830 frag = &(*frag)->next;
1831 }
1832
1833 return skb;
1834
1835fail:
1836 kfree_skb(skb);
1837 return NULL;
1838}
1839
1840static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1841{
1842 struct l2cap_conf_opt *opt = *ptr;
1843 int len;
1844
1845 len = L2CAP_CONF_OPT_SIZE + opt->len;
1846 *ptr += len;
1847
1848 *type = opt->type;
1849 *olen = opt->len;
1850
1851 switch (opt->len) {
1852 case 1:
1853 *val = *((u8 *) opt->val);
1854 break;
1855
1856 case 2:
bfaaeb3e 1857 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 1858 break;
1859
1860 case 4:
bfaaeb3e 1861 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 1862 break;
1863
1864 default:
1865 *val = (unsigned long) opt->val;
1866 break;
1867 }
1868
1869 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1870 return len;
1871}
1872
1da177e4
LT		 1873static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1874{
1875 struct l2cap_conf_opt *opt = *ptr;
1876
1877 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1878
1879 opt->type = type;
1880 opt->len = len;
1881
1882 switch (len) {
1883 case 1:
1884 *((u8 *) opt->val) = val;
1885 break;
1886
1887 case 2:
4f8b691c 1888 put_unaligned_le16(val, opt->val);
1da177e4
LT		 1889 break;
1890
1891 case 4:
4f8b691c 1892 put_unaligned_le32(val, opt->val);
1da177e4
LT		 1893 break;
1894
1895 default:
1896 memcpy(opt->val, (void *) val, len);
1897 break;
1898 }
1899
1900 *ptr += L2CAP_CONF_OPT_SIZE + len;
1901}
1902
f89cef09
AE		 1903static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
1904{
1905 struct l2cap_conf_efs efs;
1906
1907 switch(chan->mode) {
1908 case L2CAP_MODE_ERTM:
1909 efs.id = chan->local_id;
1910 efs.stype = chan->local_stype;
1911 efs.msdu = cpu_to_le16(chan->local_msdu);
1912 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
1913 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
1914 efs.flush_to = cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
1915 break;
1916
1917 case L2CAP_MODE_STREAMING:
1918 efs.id = 1;
1919 efs.stype = L2CAP_SERV_BESTEFFORT;
1920 efs.msdu = cpu_to_le16(chan->local_msdu);
1921 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
1922 efs.acc_lat = 0;
1923 efs.flush_to = 0;
1924 break;
1925
1926 default:
1927 return;
1928 }
1929
1930 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
1931 (unsigned long) &efs);
1932}
1933
c1b4f43b
GP		 1934static void l2cap_ack_timeout(unsigned long arg)
1935{
525cd185 1936 struct l2cap_chan *chan = (void *) arg;
c1b4f43b 1937
525cd185
GP		 1938 bh_lock_sock(chan->sk);
1939 l2cap_send_ack(chan);
1940 bh_unlock_sock(chan->sk);
c1b4f43b
GP		 1941}
1942
525cd185 1943static inline void l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 1944{
525cd185
GP		 1945 struct sock *sk = chan->sk;
1946
42e5c802 1947 chan->expected_ack_seq = 0;
6a026610 1948 chan->unacked_frames = 0;
42e5c802 1949 chan->buffer_seq = 0;
6a026610
GP		 1950 chan->num_acked = 0;
1951 chan->frames_sent = 0;
0565c1c2 1952
e92c8e70
GP		 1953 setup_timer(&chan->retrans_timer, l2cap_retrans_timeout,
1954 (unsigned long) chan);
1955 setup_timer(&chan->monitor_timer, l2cap_monitor_timeout,
1956 (unsigned long) chan);
1957 setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan);
0565c1c2 1958
f1c6775b 1959 skb_queue_head_init(&chan->srej_q);
1890d36b 1960
39d5a3ee
GP		 1961 INIT_LIST_HEAD(&chan->srej_l);
1962
218bb9df
GP		 1963
1964 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
0565c1c2
GP		 1965}
1966
f2fcfcd6
GP		 1967static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
1968{
1969 switch (mode) {
1970 case L2CAP_MODE_STREAMING:
1971 case L2CAP_MODE_ERTM:
1972 if (l2cap_mode_supported(mode, remote_feat_mask))
1973 return mode;
1974 /* fall through */
1975 default:
1976 return L2CAP_MODE_BASIC;
1977 }
1978}
1979
6327eb98
AE		 1980static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
1981{
1982 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
1983}
1984
f89cef09
AE		 1985static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
1986{
1987 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
1988}
1989
6327eb98
AE		 1990static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
1991{
1992 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 1993 __l2cap_ews_supported(chan)) {
6327eb98
AE		 1994 /* use extended control field */
1995 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 1996 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
1997 } else {
6327eb98
AE		 1998 chan->tx_win = min_t(u16, chan->tx_win,
1999 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2000 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2001 }
6327eb98
AE		 2002}
2003
710f9b0a 2004static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2005{
1da177e4 2006 struct l2cap_conf_req *req = data;
0c1bc5c6 2007 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2008 void *ptr = req->data;
c8f79162 2009 u16 size;
1da177e4 2010
49208c9c 2011 BT_DBG("chan %p", chan);
1da177e4 2012
73ffa904 2013 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2014 goto done;
2015
0c1bc5c6 2016 switch (chan->mode) {
f2fcfcd6
GP		 2017 case L2CAP_MODE_STREAMING:
2018 case L2CAP_MODE_ERTM:
c1360a1c 2019 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2020 break;
85eb53c6 2021
f89cef09
AE		 2022 if (__l2cap_efs_supported(chan))
2023 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2024
2ba13ed6 2025 /* fall through */
f2fcfcd6 2026 default:
8c1d787b 2027 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2028 break;
2029 }
2030
2031done:
0c1bc5c6
GP		 2032 if (chan->imtu != L2CAP_DEFAULT_MTU)
2033 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2034
0c1bc5c6 2035 switch (chan->mode) {
65c7c491 2036 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2037 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2038 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2039 break;
2040
62547752
GP		 2041 rfc.mode = L2CAP_MODE_BASIC;
2042 rfc.txwin_size = 0;
2043 rfc.max_transmit = 0;
2044 rfc.retrans_timeout = 0;
2045 rfc.monitor_timeout = 0;
2046 rfc.max_pdu_size = 0;
2047
63406504
GP		 2048 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2049 (unsigned long) &rfc);
65c7c491
MH		 2050 break;
2051
2052 case L2CAP_MODE_ERTM:
2053 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2054 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2055 rfc.retrans_timeout = 0;
2056 rfc.monitor_timeout = 0;
c8f79162
AE		 2057
2058 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2059 L2CAP_EXT_HDR_SIZE -
2060 L2CAP_SDULEN_SIZE -
2061 L2CAP_FCS_SIZE);
2062 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2063
6327eb98
AE		 2064 l2cap_txwin_setup(chan);
2065
2066 rfc.txwin_size = min_t(u16, chan->tx_win,
2067 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2068
63406504
GP		 2069 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2070 (unsigned long) &rfc);
2071
f89cef09
AE		 2072 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2073 l2cap_add_opt_efs(&ptr, chan);
2074
8c1d787b 2075 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2076 break;
2077
47d1ec61 2078 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2079 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2080 chan->fcs = L2CAP_FCS_NONE;
2081 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2082 }
6327eb98
AE		 2083
2084 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2085 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2086 chan->tx_win);
f2fcfcd6
GP		 2087 break;
2088
2089 case L2CAP_MODE_STREAMING:
2090 rfc.mode = L2CAP_MODE_STREAMING;
2091 rfc.txwin_size = 0;
2092 rfc.max_transmit = 0;
2093 rfc.retrans_timeout = 0;
2094 rfc.monitor_timeout = 0;
c8f79162
AE		 2095
2096 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2097 L2CAP_EXT_HDR_SIZE -
2098 L2CAP_SDULEN_SIZE -
2099 L2CAP_FCS_SIZE);
2100 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2101
63406504
GP		 2102 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2103 (unsigned long) &rfc);
2104
f89cef09
AE		 2105 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2106 l2cap_add_opt_efs(&ptr, chan);
2107
8c1d787b 2108 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2109 break;
2110
47d1ec61 2111 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2112 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2113 chan->fcs = L2CAP_FCS_NONE;
2114 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2115 }
65c7c491
MH		 2116 break;
2117 }
1da177e4 2118
fe4128e0 2119 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 2120 req->flags = cpu_to_le16(0);
1da177e4
LT		 2121
2122 return ptr - data;
2123}
2124
73ffa904 2125static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2126{
5dee9e7c
MH		 2127 struct l2cap_conf_rsp *rsp = data;
2128 void *ptr = rsp->data;
73ffa904
GP		 2129 void *req = chan->conf_req;
2130 int len = chan->conf_len;
5dee9e7c
MH		 2131 int type, hint, olen;
2132 unsigned long val;
6464f35f 2133 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2134 struct l2cap_conf_efs efs;
2135 u8 remote_efs = 0;
861d6882 2136 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2137 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2138 u16 size;
1da177e4 2139
73ffa904 2140 BT_DBG("chan %p", chan);
820ae1b8 2141
5dee9e7c
MH		 2142 while (len >= L2CAP_CONF_OPT_SIZE) {
2143 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2144
589d2746 2145 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2146 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2147
2148 switch (type) {
2149 case L2CAP_CONF_MTU:
861d6882 2150 mtu = val;
5dee9e7c
MH		 2151 break;
2152
2153 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2154 chan->flush_to = val;
5dee9e7c
MH		 2155 break;
2156
2157 case L2CAP_CONF_QOS:
2158 break;
2159
6464f35f
MH		 2160 case L2CAP_CONF_RFC:
2161 if (olen == sizeof(rfc))
2162 memcpy(&rfc, (void *) val, olen);
2163 break;
2164
fcc203c3
GP		 2165 case L2CAP_CONF_FCS:
2166 if (val == L2CAP_FCS_NONE)
c1360a1c 2167 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 2168 break;
fcc203c3 2169
42dceae2
AE		 2170 case L2CAP_CONF_EFS:
2171 remote_efs = 1;
2172 if (olen == sizeof(efs))
2173 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 2174 break;
2175
6327eb98
AE		 2176 case L2CAP_CONF_EWS:
2177 if (!enable_hs)
2178 return -ECONNREFUSED;
fcc203c3 2179
6327eb98
AE		 2180 set_bit(FLAG_EXT_CTRL, &chan->flags);
2181 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 2182 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 2183 chan->remote_tx_win = val;
fcc203c3
GP		 2184 break;
2185
5dee9e7c
MH		 2186 default:
2187 if (hint)
2188 break;
2189
2190 result = L2CAP_CONF_UNKNOWN;
2191 *((u8 *) ptr++) = type;
2192 break;
2193 }
2194 }
2195
73ffa904 2196 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2197 goto done;
2198
0c1bc5c6 2199 switch (chan->mode) {
f2fcfcd6
GP		 2200 case L2CAP_MODE_STREAMING:
2201 case L2CAP_MODE_ERTM:
c1360a1c 2202 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2203 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2204 chan->conn->feat_mask);
85eb53c6
GP		 2205 break;
2206 }
2207
42dceae2
AE		 2208 if (remote_efs) {
2209 if (__l2cap_efs_supported(chan))
2210 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2211 else
2212 return -ECONNREFUSED;
2213 }
2214
0c1bc5c6 2215 if (chan->mode != rfc.mode)
f2fcfcd6 2216 return -ECONNREFUSED;
742e519b 2217
f2fcfcd6 2218 break;
f2fcfcd6
GP		 2219 }
2220
2221done:
0c1bc5c6 2222 if (chan->mode != rfc.mode) {
f2fcfcd6 2223 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2224 rfc.mode = chan->mode;
f2fcfcd6 2225
73ffa904 2226 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2227 return -ECONNREFUSED;
2228
2229 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2230 sizeof(rfc), (unsigned long) &rfc);
2231 }
2232
5dee9e7c
MH		 2233 if (result == L2CAP_CONF_SUCCESS) {
2234 /* Configure output options and let the other side know
2235 * which ones we don't like. */
2236
f2fcfcd6
GP		 2237 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2238 result = L2CAP_CONF_UNACCEPT;
2239 else {
0c1bc5c6 2240 chan->omtu = mtu;
c1360a1c 2241 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 2242 }
0c1bc5c6 2243 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2244
42dceae2
AE		 2245 if (remote_efs) {
2246 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2247 efs.stype != L2CAP_SERV_NOTRAFIC &&
2248 efs.stype != chan->local_stype) {
2249
2250 result = L2CAP_CONF_UNACCEPT;
2251
2252 if (chan->num_conf_req >= 1)
2253 return -ECONNREFUSED;
2254
2255 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 2256 sizeof(efs),
42dceae2 2257 (unsigned long) &efs);
0e8b207e 2258 } else {
3e6b3b95 2259 /* Send PENDING Conf Rsp */
0e8b207e
AE		 2260 result = L2CAP_CONF_PENDING;
2261 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 2262 }
2263 }
2264
f2fcfcd6
GP		 2265 switch (rfc.mode) {
2266 case L2CAP_MODE_BASIC:
47d1ec61 2267 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2268 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 2269 break;
2270
2271 case L2CAP_MODE_ERTM:
6327eb98
AE		 2272 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
2273 chan->remote_tx_win = rfc.txwin_size;
2274 else
2275 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 2276
2c03a7a4 2277 chan->remote_max_tx = rfc.max_transmit;
1c762159 2278
c8f79162
AE		 2279 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2280 chan->conn->mtu -
2281 L2CAP_EXT_HDR_SIZE -
2282 L2CAP_SDULEN_SIZE -
2283 L2CAP_FCS_SIZE);
2284 rfc.max_pdu_size = cpu_to_le16(size);
2285 chan->remote_mps = size;
f2fcfcd6 2286
10467e9e
GP		 2287 rfc.retrans_timeout =
2288 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2289 rfc.monitor_timeout =
2290 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2291
c1360a1c 2292 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2293
2294 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2295 sizeof(rfc), (unsigned long) &rfc);
2296
42dceae2
AE		 2297 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2298 chan->remote_id = efs.id;
2299 chan->remote_stype = efs.stype;
2300 chan->remote_msdu = le16_to_cpu(efs.msdu);
2301 chan->remote_flush_to =
2302 le32_to_cpu(efs.flush_to);
2303 chan->remote_acc_lat =
2304 le32_to_cpu(efs.acc_lat);
2305 chan->remote_sdu_itime =
2306 le32_to_cpu(efs.sdu_itime);
2307 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2308 sizeof(efs), (unsigned long) &efs);
2309 }
f2fcfcd6
GP		 2310 break;
2311
2312 case L2CAP_MODE_STREAMING:
c8f79162
AE		 2313 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2314 chan->conn->mtu -
2315 L2CAP_EXT_HDR_SIZE -
2316 L2CAP_SDULEN_SIZE -
2317 L2CAP_FCS_SIZE);
2318 rfc.max_pdu_size = cpu_to_le16(size);
2319 chan->remote_mps = size;
f2fcfcd6 2320
c1360a1c 2321 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2322
2323 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2324 sizeof(rfc), (unsigned long) &rfc);
2325
f2fcfcd6
GP		 2326 break;
2327
2328 default:
5dee9e7c 2329 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2330
6464f35f 2331 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2332 rfc.mode = chan->mode;
f2fcfcd6 2333 }
6464f35f 2334
f2fcfcd6 2335 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 2336 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 2337 }
fe4128e0 2338 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2339 rsp->result = cpu_to_le16(result);
2340 rsp->flags = cpu_to_le16(0x0000);
2341
2342 return ptr - data;
1da177e4
LT		 2343}
2344
b4450035 2345static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2346{
f2fcfcd6
GP		 2347 struct l2cap_conf_req *req = data;
2348 void *ptr = req->data;
2349 int type, olen;
2350 unsigned long val;
2351 struct l2cap_conf_rfc rfc;
66af7aaf 2352 struct l2cap_conf_efs efs;
f2fcfcd6 2353
fe4128e0 2354 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 2355
2356 while (len >= L2CAP_CONF_OPT_SIZE) {
2357 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2358
2359 switch (type) {
2360 case L2CAP_CONF_MTU:
2361 if (val < L2CAP_DEFAULT_MIN_MTU) {
2362 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2363 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2364 } else
0c1bc5c6
GP		 2365 chan->imtu = val;
2366 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 2367 break;
2368
2369 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2370 chan->flush_to = val;
f2fcfcd6 2371 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 2372 2, chan->flush_to);
f2fcfcd6
GP		 2373 break;
2374
2375 case L2CAP_CONF_RFC:
2376 if (olen == sizeof(rfc))
2377 memcpy(&rfc, (void *)val, olen);
2378
c1360a1c 2379 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 2380 rfc.mode != chan->mode)
f2fcfcd6
GP		 2381 return -ECONNREFUSED;
2382
47d1ec61 2383 chan->fcs = 0;
f2fcfcd6
GP		 2384
2385 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2386 sizeof(rfc), (unsigned long) &rfc);
2387 break;
6327eb98
AE		 2388
2389 case L2CAP_CONF_EWS:
2390 chan->tx_win = min_t(u16, val,
2391 L2CAP_DEFAULT_EXT_WINDOW);
3e6b3b95
GP		 2392 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2393 chan->tx_win);
6327eb98 2394 break;
66af7aaf
AE		 2395
2396 case L2CAP_CONF_EFS:
2397 if (olen == sizeof(efs))
2398 memcpy(&efs, (void *)val, olen);
2399
2400 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2401 efs.stype != L2CAP_SERV_NOTRAFIC &&
2402 efs.stype != chan->local_stype)
2403 return -ECONNREFUSED;
2404
2405 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2406 sizeof(efs), (unsigned long) &efs);
2407 break;
f2fcfcd6
GP		 2408 }
2409 }
2410
0c1bc5c6 2411 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 2412 return -ECONNREFUSED;
2413
0c1bc5c6 2414 chan->mode = rfc.mode;
6c2ea7a8 2415
0e8b207e 2416 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 2417 switch (rfc.mode) {
2418 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2419 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2420 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2421 chan->mps = le16_to_cpu(rfc.max_pdu_size);
66af7aaf
AE		 2422
2423 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2424 chan->local_msdu = le16_to_cpu(efs.msdu);
2425 chan->local_sdu_itime =
2426 le32_to_cpu(efs.sdu_itime);
2427 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
2428 chan->local_flush_to =
2429 le32_to_cpu(efs.flush_to);
2430 }
f2fcfcd6 2431 break;
66af7aaf 2432
f2fcfcd6 2433 case L2CAP_MODE_STREAMING:
47d1ec61 2434 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2435 }
2436 }
2437
fe4128e0 2438 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 2439 req->flags = cpu_to_le16(0x0000);
2440
2441 return ptr - data;
2442}
2443
fe4128e0 2444static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 2445{
2446 struct l2cap_conf_rsp *rsp = data;
2447 void *ptr = rsp->data;
1da177e4 2448
fe4128e0 2449 BT_DBG("chan %p", chan);
1da177e4 2450
fe4128e0 2451 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 2452 rsp->result = cpu_to_le16(result);
aca3192c 2453 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2454
2455 return ptr - data;
2456}
2457
8c1d787b 2458void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 2459{
2460 struct l2cap_conn_rsp rsp;
8c1d787b 2461 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 2462 u8 buf[128];
2463
fe4128e0
GP		 2464 rsp.scid = cpu_to_le16(chan->dcid);
2465 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 2466 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2467 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2468 l2cap_send_cmd(conn, chan->ident,
2469 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2470
c1360a1c 2471 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 2472 return;
2473
710f9b0a
GP		 2474 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2475 l2cap_build_conf_req(chan, buf), buf);
2476 chan->num_conf_req++;
2477}
2478
47d1ec61 2479static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 2480{
7b1c0049
GP		 2481 int type, olen;
2482 unsigned long val;
2483 struct l2cap_conf_rfc rfc;
2484
47d1ec61 2485 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 2486
0c1bc5c6 2487 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 2488 return;
2489
2490 while (len >= L2CAP_CONF_OPT_SIZE) {
2491 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2492
2493 switch (type) {
2494 case L2CAP_CONF_RFC:
2495 if (olen == sizeof(rfc))
2496 memcpy(&rfc, (void *)val, olen);
2497 goto done;
2498 }
2499 }
2500
2501done:
2502 switch (rfc.mode) {
2503 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2504 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2505 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2506 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2507 break;
2508 case L2CAP_MODE_STREAMING:
47d1ec61 2509 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2510 }
2511}
2512
4e8402a3
MH		 2513static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2514{
e2fd318e 2515 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 2516
e2fd318e 2517 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 2518 return 0;
2519
2520 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2521 cmd->ident == conn->info_ident) {
4e8402a3 2522 del_timer(&conn->info_timer);
984947dc
MH		 2523
2524 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2525 conn->info_ident = 0;
984947dc 2526
4e8402a3
MH		 2527 l2cap_conn_start(conn);
2528 }
2529
2530 return 0;
2531}
2532
1da177e4
LT		 2533static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2534{
1da177e4
LT		 2535 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2536 struct l2cap_conn_rsp rsp;
23691d75 2537 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 2538 struct sock *parent, *sk = NULL;
e7c29cb1 2539 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2540
2541 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2542 __le16 psm = req->psm;
1da177e4
LT		 2543
2544 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2545
2546 /* Check if we have socket listening on psm */
23691d75
GP		 2547 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
2548 if (!pchan) {
1da177e4
LT		 2549 result = L2CAP_CR_BAD_PSM;
2550 goto sendresp;
2551 }
2552
23691d75
GP		 2553 parent = pchan->sk;
2554
e0f0cb56
GP		 2555 bh_lock_sock(parent);
2556
e7c29cb1
MH		 2557 /* Check if the ACL is secure enough (if not SDP) */
2558 if (psm != cpu_to_le16(0x0001) &&
2559 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 2560 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 2561 result = L2CAP_CR_SEC_BLOCK;
2562 goto response;
2563 }
2564
1da177e4
LT		 2565 result = L2CAP_CR_NO_MEM;
2566
2567 /* Check for backlog size */
2568 if (sk_acceptq_is_full(parent)) {
8e87d142 2569 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2570 goto response;
2571 }
2572
80808e43
GP		 2573 chan = pchan->ops->new_connection(pchan->data);
2574 if (!chan)
1da177e4
LT		 2575 goto response;
2576
80808e43
GP		 2577 sk = chan->sk;
2578
baa7e1fa 2579 write_lock_bh(&conn->chan_lock);
1da177e4
LT		 2580
2581 /* Check if we already have channel with that dcid */
baa7e1fa
GP		 2582 if (__l2cap_get_chan_by_dcid(conn, scid)) {
2583 write_unlock_bh(&conn->chan_lock);
1da177e4 2584 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 2585 chan->ops->close(chan->data);
1da177e4
LT		 2586 goto response;
2587 }
2588
2589 hci_conn_hold(conn->hcon);
2590
1da177e4
LT		 2591 bacpy(&bt_sk(sk)->src, conn->src);
2592 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 2593 chan->psm = psm;
2594 chan->dcid = scid;
1da177e4 2595
d1010240
GP		 2596 bt_accept_enqueue(parent, sk);
2597
48454079
GP		 2598 __l2cap_chan_add(conn, chan);
2599
fe4128e0 2600 dcid = chan->scid;
1da177e4 2601
c9b66675 2602 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 2603
fc7f8a7e 2604 chan->ident = cmd->ident;
1da177e4 2605
984947dc 2606 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 2607 if (l2cap_chan_check_security(chan)) {
f66dc81f 2608 if (bt_sk(sk)->defer_setup) {
89bc500e 2609 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 2610 result = L2CAP_CR_PEND;
2611 status = L2CAP_CS_AUTHOR_PEND;
2612 parent->sk_data_ready(parent, 0);
2613 } else {
89bc500e 2614 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 2615 result = L2CAP_CR_SUCCESS;
2616 status = L2CAP_CS_NO_INFO;
2617 }
79d554a6 2618 } else {
89bc500e 2619 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2620 result = L2CAP_CR_PEND;
2621 status = L2CAP_CS_AUTHEN_PEND;
2622 }
2623 } else {
89bc500e 2624 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2625 result = L2CAP_CR_PEND;
2626 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2627 }
2628
baa7e1fa 2629 write_unlock_bh(&conn->chan_lock);
1da177e4
LT		 2630
2631response:
2632 bh_unlock_sock(parent);
2633
2634sendresp:
aca3192c
YH		 2635 rsp.scid = cpu_to_le16(scid);
2636 rsp.dcid = cpu_to_le16(dcid);
2637 rsp.result = cpu_to_le16(result);
2638 rsp.status = cpu_to_le16(status);
1da177e4 2639 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2640
2641 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2642 struct l2cap_info_req info;
2643 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2644
2645 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2646 conn->info_ident = l2cap_get_ident(conn);
2647
2648 mod_timer(&conn->info_timer, jiffies +
2649 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2650
2651 l2cap_send_cmd(conn, conn->info_ident,
2652 L2CAP_INFO_REQ, sizeof(info), &info);
2653 }
2654
c1360a1c 2655 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 2656 result == L2CAP_CR_SUCCESS) {
2657 u8 buf[128];
c1360a1c 2658 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 2659 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2660 l2cap_build_conf_req(chan, buf), buf);
2661 chan->num_conf_req++;
e9aeb2dd
GP		 2662 }
2663
1da177e4
LT		 2664 return 0;
2665}
2666
2667static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2668{
2669 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2670 u16 scid, dcid, result, status;
48454079 2671 struct l2cap_chan *chan;
1da177e4
LT		 2672 struct sock *sk;
2673 u8 req[128];
2674
2675 scid = __le16_to_cpu(rsp->scid);
2676 dcid = __le16_to_cpu(rsp->dcid);
2677 result = __le16_to_cpu(rsp->result);
2678 status = __le16_to_cpu(rsp->status);
2679
2680 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2681
2682 if (scid) {
baa7e1fa 2683 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2684 if (!chan)
57d3b22b 2685 return -EFAULT;
1da177e4 2686 } else {
baa7e1fa 2687 chan = l2cap_get_chan_by_ident(conn, cmd->ident);
48454079 2688 if (!chan)
57d3b22b 2689 return -EFAULT;
1da177e4
LT		 2690 }
2691
48454079
GP		 2692 sk = chan->sk;
2693
1da177e4
LT		 2694 switch (result) {
2695 case L2CAP_CR_SUCCESS:
89bc500e 2696 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 2697 chan->ident = 0;
fe4128e0 2698 chan->dcid = dcid;
c1360a1c 2699 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 2700
c1360a1c 2701 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 2702 break;
2703
1da177e4 2704 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2705 l2cap_build_conf_req(chan, req), req);
2706 chan->num_conf_req++;
1da177e4
LT		 2707 break;
2708
2709 case L2CAP_CR_PEND:
c1360a1c 2710 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 2711 break;
2712
2713 default:
a49184c2
AE		 2714 /* don't delete l2cap channel if sk is owned by user */
2715 if (sock_owned_by_user(sk)) {
89bc500e 2716 l2cap_state_change(chan, BT_DISCONN);
c9b66675 2717 __clear_chan_timer(chan);
f3f668b0 2718 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
a49184c2
AE		 2719 break;
2720 }
2721
48454079 2722 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 2723 break;
2724 }
2725
2726 bh_unlock_sock(sk);
2727 return 0;
2728}
2729
47d1ec61 2730static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 2731{
2732 /* FCS is enabled only in ERTM or streaming mode, if one or both
2733 * sides request it.
2734 */
0c1bc5c6 2735 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 2736 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2737 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 2738 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 2739}
2740
88219a0f 2741static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2742{
2743 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2744 u16 dcid, flags;
2745 u8 rsp[64];
48454079 2746 struct l2cap_chan *chan;
1da177e4 2747 struct sock *sk;
5dee9e7c 2748 int len;
1da177e4
LT		 2749
2750 dcid = __le16_to_cpu(req->dcid);
2751 flags = __le16_to_cpu(req->flags);
2752
2753 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2754
baa7e1fa 2755 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2756 if (!chan)
1da177e4
LT		 2757 return -ENOENT;
2758
48454079
GP		 2759 sk = chan->sk;
2760
033b1142 2761 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 2762 struct l2cap_cmd_rej_cid rej;
2763
2764 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
2765 rej.scid = cpu_to_le16(chan->scid);
2766 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 2767
df6bd743
GP		 2768 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2769 sizeof(rej), &rej);
354f60a9 2770 goto unlock;
df6bd743 2771 }
354f60a9 2772
5dee9e7c 2773 /* Reject if config buffer is too small. */
88219a0f 2774 len = cmd_len - sizeof(*req);
7ac28817 2775 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 2776 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2777 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 2778 L2CAP_CONF_REJECT, flags), rsp);
2779 goto unlock;
2780 }
2781
2782 /* Store config. */
73ffa904
GP		 2783 memcpy(chan->conf_req + chan->conf_len, req->data, len);
2784 chan->conf_len += len;
1da177e4
LT		 2785
2786 if (flags & 0x0001) {
2787 /* Incomplete config. Send empty response. */
2788 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2789 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 2790 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2791 goto unlock;
2792 }
2793
2794 /* Complete config. */
73ffa904 2795 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 2796 if (len < 0) {
e92c8e70 2797 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 2798 goto unlock;
f2fcfcd6 2799 }
1da177e4 2800
5dee9e7c 2801 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 2802 chan->num_conf_rsp++;
5dee9e7c 2803
5dee9e7c 2804 /* Reset config buffer. */
73ffa904 2805 chan->conf_len = 0;
5dee9e7c 2806
c1360a1c 2807 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 2808 goto unlock;
2809
c1360a1c 2810 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 2811 set_default_fcs(chan);
fcc203c3 2812
89bc500e 2813 l2cap_state_change(chan, BT_CONNECTED);
e90bac06 2814
42e5c802
GP		 2815 chan->next_tx_seq = 0;
2816 chan->expected_tx_seq = 0;
58d35f87 2817 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2818 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2819 l2cap_ertm_init(chan);
0565c1c2 2820
1da177e4 2821 l2cap_chan_ready(sk);
876d9484
MH		 2822 goto unlock;
2823 }
2824
c1360a1c 2825 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 2826 u8 buf[64];
1da177e4 2827 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2828 l2cap_build_conf_req(chan, buf), buf);
2829 chan->num_conf_req++;
1da177e4
LT		 2830 }
2831
0e8b207e
AE		 2832 /* Got Conf Rsp PENDING from remote side and asume we sent
2833 Conf Rsp PENDING in the code above */
2834 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
2835 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
2836
2837 /* check compatibility */
2838
2839 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
2840 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
2841
2842 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 2843 l2cap_build_conf_rsp(chan, rsp,
0e8b207e
AE		 2844 L2CAP_CONF_SUCCESS, 0x0000), rsp);
2845 }
2846
1da177e4
LT		 2847unlock:
2848 bh_unlock_sock(sk);
2849 return 0;
2850}
2851
2852static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2853{
2854 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2855 u16 scid, flags, result;
48454079 2856 struct l2cap_chan *chan;
1da177e4 2857 struct sock *sk;
7b1c0049 2858 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 2859
2860 scid = __le16_to_cpu(rsp->scid);
2861 flags = __le16_to_cpu(rsp->flags);
2862 result = __le16_to_cpu(rsp->result);
2863
af05b30b
GP		 2864 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2865 scid, flags, result);
1da177e4 2866
baa7e1fa 2867 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2868 if (!chan)
1da177e4
LT		 2869 return 0;
2870
48454079
GP		 2871 sk = chan->sk;
2872
1da177e4
LT		 2873 switch (result) {
2874 case L2CAP_CONF_SUCCESS:
47d1ec61 2875 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 2876 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 2877 break;
2878
0e8b207e
AE		 2879 case L2CAP_CONF_PENDING:
2880 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
2881
2882 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
2883 char buf[64];
2884
2885 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2886 buf, &result);
2887 if (len < 0) {
2888 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2889 goto done;
2890 }
2891
2892 /* check compatibility */
2893
2894 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
2895 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
2896
2897 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 2898 l2cap_build_conf_rsp(chan, buf,
0e8b207e
AE		 2899 L2CAP_CONF_SUCCESS, 0x0000), buf);
2900 }
2901 goto done;
2902
1da177e4 2903 case L2CAP_CONF_UNACCEPT:
73ffa904 2904 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 2905 char req[64];
2906
c2c77ec8 2907 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 2908 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 2909 goto done;
2910 }
2911
f2fcfcd6
GP		 2912 /* throw out any old stored conf requests */
2913 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 2914 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2915 req, &result);
f2fcfcd6 2916 if (len < 0) {
e92c8e70 2917 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 2918 goto done;
2919 }
2920
2921 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2922 L2CAP_CONF_REQ, len, req);
73ffa904 2923 chan->num_conf_req++;
f2fcfcd6
GP		 2924 if (result != L2CAP_CONF_SUCCESS)
2925 goto done;
2926 break;
1da177e4
LT		 2927 }
2928
8e87d142 2929 default:
b1235d79 2930 sk->sk_err = ECONNRESET;
f3f668b0 2931 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 2932 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 2933 goto done;
2934 }
2935
2936 if (flags & 0x01)
2937 goto done;
2938
c1360a1c 2939 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 2940
c1360a1c 2941 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 2942 set_default_fcs(chan);
fcc203c3 2943
89bc500e 2944 l2cap_state_change(chan, BT_CONNECTED);
42e5c802
GP		 2945 chan->next_tx_seq = 0;
2946 chan->expected_tx_seq = 0;
58d35f87 2947 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2948 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2949 l2cap_ertm_init(chan);
0565c1c2 2950
1da177e4
LT		 2951 l2cap_chan_ready(sk);
2952 }
2953
2954done:
2955 bh_unlock_sock(sk);
2956 return 0;
2957}
2958
2959static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2960{
2961 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2962 struct l2cap_disconn_rsp rsp;
2963 u16 dcid, scid;
48454079 2964 struct l2cap_chan *chan;
1da177e4
LT		 2965 struct sock *sk;
2966
2967 scid = __le16_to_cpu(req->scid);
2968 dcid = __le16_to_cpu(req->dcid);
2969
2970 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2971
baa7e1fa 2972 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2973 if (!chan)
1da177e4
LT		 2974 return 0;
2975
48454079
GP		 2976 sk = chan->sk;
2977
fe4128e0
GP		 2978 rsp.dcid = cpu_to_le16(chan->scid);
2979 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 2980 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2981
2982 sk->sk_shutdown = SHUTDOWN_MASK;
2983
a49184c2
AE		 2984 /* don't delete l2cap channel if sk is owned by user */
2985 if (sock_owned_by_user(sk)) {
89bc500e 2986 l2cap_state_change(chan, BT_DISCONN);
c9b66675 2987 __clear_chan_timer(chan);
f3f668b0 2988 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
a49184c2
AE		 2989 bh_unlock_sock(sk);
2990 return 0;
2991 }
2992
48454079 2993 l2cap_chan_del(chan, ECONNRESET);
1da177e4
LT		 2994 bh_unlock_sock(sk);
2995
ba3bd0ee 2996 chan->ops->close(chan->data);
1da177e4
LT		 2997 return 0;
2998}
2999
3000static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3001{
3002 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3003 u16 dcid, scid;
48454079 3004 struct l2cap_chan *chan;
1da177e4
LT		 3005 struct sock *sk;
3006
3007 scid = __le16_to_cpu(rsp->scid);
3008 dcid = __le16_to_cpu(rsp->dcid);
3009
3010 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3011
baa7e1fa 3012 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3013 if (!chan)
1da177e4
LT		 3014 return 0;
3015
48454079
GP		 3016 sk = chan->sk;
3017
a49184c2
AE		 3018 /* don't delete l2cap channel if sk is owned by user */
3019 if (sock_owned_by_user(sk)) {
89bc500e 3020 l2cap_state_change(chan,BT_DISCONN);
c9b66675 3021 __clear_chan_timer(chan);
f3f668b0 3022 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
a49184c2
AE		 3023 bh_unlock_sock(sk);
3024 return 0;
3025 }
3026
48454079 3027 l2cap_chan_del(chan, 0);
1da177e4
LT		 3028 bh_unlock_sock(sk);
3029
ba3bd0ee 3030 chan->ops->close(chan->data);
1da177e4
LT		 3031 return 0;
3032}
3033
3034static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3035{
3036 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3037 u16 type;
3038
3039 type = __le16_to_cpu(req->type);
3040
3041 BT_DBG("type 0x%4.4x", type);
3042
f0709e03
MH		 3043 if (type == L2CAP_IT_FEAT_MASK) {
3044 u8 buf[8];
44dd46de 3045 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 3046 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3047 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3048 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3049 if (!disable_ertm)
fcc203c3
GP		 3050 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3051 | L2CAP_FEAT_FCS;
a5fd6f30 3052 if (enable_hs)
6327eb98
AE		 3053 feat_mask |= L2CAP_FEAT_EXT_FLOW
3054 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3055
1b7bf4ed 3056 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3057 l2cap_send_cmd(conn, cmd->ident,
3058 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3059 } else if (type == L2CAP_IT_FIXED_CHAN) {
3060 u8 buf[12];
3061 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3062
3063 if (enable_hs)
3064 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3065 else
3066 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3067
e1027a7c
MH		 3068 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3069 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3070 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH		 3071 l2cap_send_cmd(conn, cmd->ident,
3072 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3073 } else {
3074 struct l2cap_info_rsp rsp;
3075 rsp.type = cpu_to_le16(type);
3076 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3077 l2cap_send_cmd(conn, cmd->ident,
3078 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3079 }
1da177e4
LT		 3080
3081 return 0;
3082}
3083
3084static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3085{
3086 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3087 u16 type, result;
3088
3089 type = __le16_to_cpu(rsp->type);
3090 result = __le16_to_cpu(rsp->result);
3091
3092 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3093
e90165be
AE		 3094 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3095 if (cmd->ident != conn->info_ident ||
3096 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3097 return 0;
3098
4e8402a3
MH		 3099 del_timer(&conn->info_timer);
3100
adb08ede
VT		 3101 if (result != L2CAP_IR_SUCCESS) {
3102 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3103 conn->info_ident = 0;
3104
3105 l2cap_conn_start(conn);
3106
3107 return 0;
3108 }
3109
984947dc 3110 if (type == L2CAP_IT_FEAT_MASK) {
83985319 3111 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3112
47ec1dcd 3113 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 3114 struct l2cap_info_req req;
3115 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3116
3117 conn->info_ident = l2cap_get_ident(conn);
3118
3119 l2cap_send_cmd(conn, conn->info_ident,
3120 L2CAP_INFO_REQ, sizeof(req), &req);
3121 } else {
3122 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3123 conn->info_ident = 0;
3124
3125 l2cap_conn_start(conn);
3126 }
3127 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 3128 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3129 conn->info_ident = 0;
984947dc
MH		 3130
3131 l2cap_conn_start(conn);
3132 }
4e8402a3 3133
1da177e4
LT		 3134 return 0;
3135}
3136
f94ff6ff
MM		 3137static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3138 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3139 void *data)
3140{
3141 struct l2cap_create_chan_req *req = data;
3142 struct l2cap_create_chan_rsp rsp;
3143 u16 psm, scid;
3144
3145 if (cmd_len != sizeof(*req))
3146 return -EPROTO;
3147
3148 if (!enable_hs)
3149 return -EINVAL;
3150
3151 psm = le16_to_cpu(req->psm);
3152 scid = le16_to_cpu(req->scid);
3153
3154 BT_DBG("psm %d, scid %d, amp_id %d", psm, scid, req->amp_id);
3155
3156 /* Placeholder: Always reject */
3157 rsp.dcid = 0;
3158 rsp.scid = cpu_to_le16(scid);
3159 rsp.result = L2CAP_CR_NO_MEM;
3160 rsp.status = L2CAP_CS_NO_INFO;
3161
3162 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
3163 sizeof(rsp), &rsp);
3164
3165 return 0;
3166}
3167
3168static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
3169 struct l2cap_cmd_hdr *cmd, void *data)
3170{
3171 BT_DBG("conn %p", conn);
3172
3173 return l2cap_connect_rsp(conn, cmd, data);
3174}
3175
8d5a04a1
MM		 3176static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
3177 u16 icid, u16 result)
3178{
3179 struct l2cap_move_chan_rsp rsp;
3180
3181 BT_DBG("icid %d, result %d", icid, result);
3182
3183 rsp.icid = cpu_to_le16(icid);
3184 rsp.result = cpu_to_le16(result);
3185
3186 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
3187}
3188
3189static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
3190 struct l2cap_chan *chan, u16 icid, u16 result)
3191{
3192 struct l2cap_move_chan_cfm cfm;
3193 u8 ident;
3194
3195 BT_DBG("icid %d, result %d", icid, result);
3196
3197 ident = l2cap_get_ident(conn);
3198 if (chan)
3199 chan->ident = ident;
3200
3201 cfm.icid = cpu_to_le16(icid);
3202 cfm.result = cpu_to_le16(result);
3203
3204 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
3205}
3206
3207static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
3208 u16 icid)
3209{
3210 struct l2cap_move_chan_cfm_rsp rsp;
3211
3212 BT_DBG("icid %d", icid);
3213
3214 rsp.icid = cpu_to_le16(icid);
3215 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
3216}
3217
3218static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
3219 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3220{
3221 struct l2cap_move_chan_req *req = data;
3222 u16 icid = 0;
3223 u16 result = L2CAP_MR_NOT_ALLOWED;
3224
3225 if (cmd_len != sizeof(*req))
3226 return -EPROTO;
3227
3228 icid = le16_to_cpu(req->icid);
3229
3230 BT_DBG("icid %d, dest_amp_id %d", icid, req->dest_amp_id);
3231
3232 if (!enable_hs)
3233 return -EINVAL;
3234
3235 /* Placeholder: Always refuse */
3236 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
3237
3238 return 0;
3239}
3240
3241static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
3242 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3243{
3244 struct l2cap_move_chan_rsp *rsp = data;
3245 u16 icid, result;
3246
3247 if (cmd_len != sizeof(*rsp))
3248 return -EPROTO;
3249
3250 icid = le16_to_cpu(rsp->icid);
3251 result = le16_to_cpu(rsp->result);
3252
3253 BT_DBG("icid %d, result %d", icid, result);
3254
3255 /* Placeholder: Always unconfirmed */
3256 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
3257
3258 return 0;
3259}
3260
3261static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
3262 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3263{
3264 struct l2cap_move_chan_cfm *cfm = data;
3265 u16 icid, result;
3266
3267 if (cmd_len != sizeof(*cfm))
3268 return -EPROTO;
3269
3270 icid = le16_to_cpu(cfm->icid);
3271 result = le16_to_cpu(cfm->result);
3272
3273 BT_DBG("icid %d, result %d", icid, result);
3274
3275 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
3276
3277 return 0;
3278}
3279
3280static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
3281 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3282{
3283 struct l2cap_move_chan_cfm_rsp *rsp = data;
3284 u16 icid;
3285
3286 if (cmd_len != sizeof(*rsp))
3287 return -EPROTO;
3288
3289 icid = le16_to_cpu(rsp->icid);
3290
3291 BT_DBG("icid %d", icid);
3292
3293 return 0;
3294}
3295
e2174ca4 3296static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 3297 u16 to_multiplier)
3298{
3299 u16 max_latency;
3300
3301 if (min > max || min < 6 || max > 3200)
3302 return -EINVAL;
3303
3304 if (to_multiplier < 10 || to_multiplier > 3200)
3305 return -EINVAL;
3306
3307 if (max >= to_multiplier * 8)
3308 return -EINVAL;
3309
3310 max_latency = (to_multiplier * 8 / max) - 1;
3311 if (latency > 499 || latency > max_latency)
3312 return -EINVAL;
3313
3314 return 0;
3315}
3316
3317static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
3318 struct l2cap_cmd_hdr *cmd, u8 *data)
3319{
3320 struct hci_conn *hcon = conn->hcon;
3321 struct l2cap_conn_param_update_req *req;
3322 struct l2cap_conn_param_update_rsp rsp;
3323 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 3324 int err;
de73115a
CT		 3325
3326 if (!(hcon->link_mode & HCI_LM_MASTER))
3327 return -EINVAL;
3328
3329 cmd_len = __le16_to_cpu(cmd->len);
3330 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
3331 return -EPROTO;
3332
3333 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 3334 min = __le16_to_cpu(req->min);
3335 max = __le16_to_cpu(req->max);
de73115a
CT		 3336 latency = __le16_to_cpu(req->latency);
3337 to_multiplier = __le16_to_cpu(req->to_multiplier);
3338
3339 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
3340 min, max, latency, to_multiplier);
3341
3342 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 3343
3344 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
3345 if (err)
de73115a
CT		 3346 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
3347 else
3348 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
3349
3350 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
3351 sizeof(rsp), &rsp);
3352
2ce603eb
CT		 3353 if (!err)
3354 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
3355
de73115a
CT		 3356 return 0;
3357}
3358
3300d9a9
CT		 3359static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
3360 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3361{
3362 int err = 0;
3363
3364 switch (cmd->code) {
3365 case L2CAP_COMMAND_REJ:
3366 l2cap_command_rej(conn, cmd, data);
3367 break;
3368
3369 case L2CAP_CONN_REQ:
3370 err = l2cap_connect_req(conn, cmd, data);
3371 break;
3372
3373 case L2CAP_CONN_RSP:
3374 err = l2cap_connect_rsp(conn, cmd, data);
3375 break;
3376
3377 case L2CAP_CONF_REQ:
3378 err = l2cap_config_req(conn, cmd, cmd_len, data);
3379 break;
3380
3381 case L2CAP_CONF_RSP:
3382 err = l2cap_config_rsp(conn, cmd, data);
3383 break;
3384
3385 case L2CAP_DISCONN_REQ:
3386 err = l2cap_disconnect_req(conn, cmd, data);
3387 break;
3388
3389 case L2CAP_DISCONN_RSP:
3390 err = l2cap_disconnect_rsp(conn, cmd, data);
3391 break;
3392
3393 case L2CAP_ECHO_REQ:
3394 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
3395 break;
3396
3397 case L2CAP_ECHO_RSP:
3398 break;
3399
3400 case L2CAP_INFO_REQ:
3401 err = l2cap_information_req(conn, cmd, data);
3402 break;
3403
3404 case L2CAP_INFO_RSP:
3405 err = l2cap_information_rsp(conn, cmd, data);
3406 break;
3407
f94ff6ff
MM		 3408 case L2CAP_CREATE_CHAN_REQ:
3409 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
3410 break;
3411
3412 case L2CAP_CREATE_CHAN_RSP:
3413 err = l2cap_create_channel_rsp(conn, cmd, data);
3414 break;
3415
8d5a04a1
MM		 3416 case L2CAP_MOVE_CHAN_REQ:
3417 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
3418 break;
3419
3420 case L2CAP_MOVE_CHAN_RSP:
3421 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
3422 break;
3423
3424 case L2CAP_MOVE_CHAN_CFM:
3425 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
3426 break;
3427
3428 case L2CAP_MOVE_CHAN_CFM_RSP:
3429 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
3430 break;
3431
3300d9a9
CT		 3432 default:
3433 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
3434 err = -EINVAL;
3435 break;
3436 }
3437
3438 return err;
3439}
3440
3441static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
3442 struct l2cap_cmd_hdr *cmd, u8 *data)
3443{
3444 switch (cmd->code) {
3445 case L2CAP_COMMAND_REJ:
3446 return 0;
3447
3448 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 3449 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 3450
3451 case L2CAP_CONN_PARAM_UPDATE_RSP:
3452 return 0;
3453
3454 default:
3455 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
3456 return -EINVAL;
3457 }
3458}
3459
3460static inline void l2cap_sig_channel(struct l2cap_conn *conn,
3461 struct sk_buff *skb)
1da177e4
LT		 3462{
3463 u8 *data = skb->data;
3464 int len = skb->len;
3465 struct l2cap_cmd_hdr cmd;
3300d9a9 3466 int err;
1da177e4
LT		 3467
3468 l2cap_raw_recv(conn, skb);
3469
3470 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3471 u16 cmd_len;
1da177e4
LT		 3472 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3473 data += L2CAP_CMD_HDR_SIZE;
3474 len -= L2CAP_CMD_HDR_SIZE;
3475
88219a0f 3476 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3477
88219a0f 3478 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3479
88219a0f 3480 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3481 BT_DBG("corrupted command");
3482 break;
3483 }
3484
3300d9a9
CT		 3485 if (conn->hcon->type == LE_LINK)
3486 err = l2cap_le_sig_cmd(conn, &cmd, data);
3487 else
3488 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 3489
3490 if (err) {
e2fd318e 3491 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 3492
3493 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 3494
3495 /* FIXME: Map err to a valid reason */
e2fd318e 3496 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 3497 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3498 }
3499
88219a0f
AV		 3500 data += cmd_len;
3501 len -= cmd_len;
1da177e4
LT		 3502 }
3503
3504 kfree_skb(skb);
3505}
3506
47d1ec61 3507static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 3508{
3509 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 3510 int hdr_size;
3511
3512 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3513 hdr_size = L2CAP_EXT_HDR_SIZE;
3514 else
3515 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 3516
47d1ec61 3517 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 3518 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 3519 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3520 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3521
3522 if (our_fcs != rcv_fcs)
7a560e5c 3523 return -EBADMSG;
fcc203c3
GP		 3524 }
3525 return 0;
3526}
3527
525cd185 3528static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 3529{
88843ab0 3530 u32 control = 0;
d5392c8f 3531
6a026610 3532 chan->frames_sent = 0;
d5392c8f 3533
0b209fae 3534 control |= __set_reqseq(chan, chan->buffer_seq);
d5392c8f 3535
e2ab4353 3536 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 3537 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
525cd185 3538 l2cap_send_sframe(chan, control);
e2ab4353 3539 set_bit(CONN_RNR_SENT, &chan->conn_state);
d5392c8f
GP		 3540 }
3541
e2ab4353 3542 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
525cd185 3543 l2cap_retransmit_frames(chan);
d5392c8f 3544
525cd185 3545 l2cap_ertm_send(chan);
d5392c8f 3546
e2ab4353 3547 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
6a026610 3548 chan->frames_sent == 0) {
ab784b73 3549 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 3550 l2cap_send_sframe(chan, control);
d5392c8f
GP		 3551 }
3552}
3553
fb45de7d 3554static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u16 tx_seq, u8 sar)
8f17154f
GP		 3555{
3556 struct sk_buff *next_skb;
bfbacc11 3557 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 3558
3559 bt_cb(skb)->tx_seq = tx_seq;
3560 bt_cb(skb)->sar = sar;
3561
f1c6775b 3562 next_skb = skb_peek(&chan->srej_q);
8f17154f 3563
836be934 3564 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
bfbacc11 3565
039d9572 3566 while (next_skb) {
9b53350d
JPRV		 3567 if (bt_cb(next_skb)->tx_seq == tx_seq)
3568 return -EINVAL;
3569
836be934
AE		 3570 next_tx_seq_offset = __seq_offset(chan,
3571 bt_cb(next_skb)->tx_seq, chan->buffer_seq);
bfbacc11
JPRV		 3572
3573 if (next_tx_seq_offset > tx_seq_offset) {
f1c6775b 3574 __skb_queue_before(&chan->srej_q, next_skb, skb);
9b53350d 3575 return 0;
8f17154f
GP		 3576 }
3577
f1c6775b 3578 if (skb_queue_is_last(&chan->srej_q, next_skb))
039d9572
SJ		 3579 next_skb = NULL;
3580 else
3581 next_skb = skb_queue_next(&chan->srej_q, next_skb);
3582 }
8f17154f 3583
f1c6775b 3584 __skb_queue_tail(&chan->srej_q, skb);
9b53350d
JPRV		 3585
3586 return 0;
8f17154f
GP		 3587}
3588
84084a31
MM		 3589static void append_skb_frag(struct sk_buff *skb,
3590 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 3591{
84084a31
MM		 3592 /* skb->len reflects data in skb as well as all fragments
3593 * skb->data_len reflects only data in fragments
3594 */
3595 if (!skb_has_frag_list(skb))
3596 skb_shinfo(skb)->frag_list = new_frag;
3597
3598 new_frag->next = NULL;
3599
3600 (*last_frag)->next = new_frag;
3601 *last_frag = new_frag;
3602
3603 skb->len += new_frag->len;
3604 skb->data_len += new_frag->len;
3605 skb->truesize += new_frag->truesize;
3606}
3607
88843ab0 3608static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u32 control)
84084a31
MM		 3609{
3610 int err = -EINVAL;
18778a63 3611
7e0ef6ee
AE		 3612 switch (__get_ctrl_sar(chan, control)) {
3613 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 3614 if (chan->sdu)
3615 break;
18778a63 3616
84084a31
MM		 3617 err = chan->ops->recv(chan->data, skb);
3618 break;
18778a63 3619
7e0ef6ee 3620 case L2CAP_SAR_START:
84084a31
MM		 3621 if (chan->sdu)
3622 break;
18778a63 3623
6f61fd47 3624 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 3625 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 3626
84084a31
MM		 3627 if (chan->sdu_len > chan->imtu) {
3628 err = -EMSGSIZE;
3629 break;
3630 }
1890d36b 3631
84084a31
MM		 3632 if (skb->len >= chan->sdu_len)
3633 break;
18778a63 3634
84084a31
MM		 3635 chan->sdu = skb;
3636 chan->sdu_last_frag = skb;
18778a63 3637
84084a31
MM		 3638 skb = NULL;
3639 err = 0;
18778a63
GP		 3640 break;
3641
7e0ef6ee 3642 case L2CAP_SAR_CONTINUE:
6f61fd47 3643 if (!chan->sdu)
84084a31 3644 break;
18778a63 3645
84084a31
MM		 3646 append_skb_frag(chan->sdu, skb,
3647 &chan->sdu_last_frag);
3648 skb = NULL;
18778a63 3649
84084a31
MM		 3650 if (chan->sdu->len >= chan->sdu_len)
3651 break;
4178ba46 3652
84084a31 3653 err = 0;
18778a63
GP		 3654 break;
3655
7e0ef6ee 3656 case L2CAP_SAR_END:
6f61fd47 3657 if (!chan->sdu)
84084a31 3658 break;
18778a63 3659
84084a31
MM		 3660 append_skb_frag(chan->sdu, skb,
3661 &chan->sdu_last_frag);
3662 skb = NULL;
4178ba46 3663
84084a31
MM		 3664 if (chan->sdu->len != chan->sdu_len)
3665 break;
18778a63 3666
84084a31 3667 err = chan->ops->recv(chan->data, chan->sdu);
1890d36b 3668
84084a31
MM		 3669 if (!err) {
3670 /* Reassembly complete */
3671 chan->sdu = NULL;
3672 chan->sdu_last_frag = NULL;
3673 chan->sdu_len = 0;
1890d36b 3674 }
18778a63
GP		 3675 break;
3676 }
3677
84084a31
MM		 3678 if (err) {
3679 kfree_skb(skb);
3680 kfree_skb(chan->sdu);
3681 chan->sdu = NULL;
3682 chan->sdu_last_frag = NULL;
3683 chan->sdu_len = 0;
3684 }
18778a63 3685
84084a31 3686 return err;
18778a63
GP		 3687}
3688
26f880d2 3689static void l2cap_ertm_enter_local_busy(struct l2cap_chan *chan)
712132eb 3690{
88843ab0 3691 u32 control;
712132eb 3692
26f880d2 3693 BT_DBG("chan %p, Enter local busy", chan);
712132eb 3694
26f880d2
MM		 3695 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3696
0b209fae 3697 control = __set_reqseq(chan, chan->buffer_seq);
ab784b73 3698 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
26f880d2
MM		 3699 l2cap_send_sframe(chan, control);
3700
3701 set_bit(CONN_RNR_SENT, &chan->conn_state);
3702
3703 __clear_ack_timer(chan);
3704}
3705
3706static void l2cap_ertm_exit_local_busy(struct l2cap_chan *chan)
3707{
88843ab0 3708 u32 control;
712132eb 3709
e2ab4353 3710 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
712132eb
GP		 3711 goto done;
3712
0b209fae 3713 control = __set_reqseq(chan, chan->buffer_seq);
e3781735 3714 control |= __set_ctrl_poll(chan);
ab784b73 3715 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 3716 l2cap_send_sframe(chan, control);
6a026610 3717 chan->retry_count = 1;
712132eb 3718
1a09bcb9
GP		 3719 __clear_retrans_timer(chan);
3720 __set_monitor_timer(chan);
712132eb 3721
e2ab4353 3722 set_bit(CONN_WAIT_F, &chan->conn_state);
712132eb
GP		 3723
3724done:
e2ab4353
GP		 3725 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3726 clear_bit(CONN_RNR_SENT, &chan->conn_state);
712132eb 3727
49208c9c 3728 BT_DBG("chan %p, Exit local busy", chan);
712132eb
GP		 3729}
3730
e328140f 3731void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
1890d36b 3732{
e328140f
MM		 3733 if (chan->mode == L2CAP_MODE_ERTM) {
3734 if (busy)
3735 l2cap_ertm_enter_local_busy(chan);
3736 else
3737 l2cap_ertm_exit_local_busy(chan);
1890d36b 3738 }
1890d36b
GP		 3739}
3740
fb45de7d 3741static void l2cap_check_srej_gap(struct l2cap_chan *chan, u16 tx_seq)
8f17154f
GP		 3742{
3743 struct sk_buff *skb;
88843ab0 3744 u32 control;
8f17154f 3745
e328140f
MM		 3746 while ((skb = skb_peek(&chan->srej_q)) &&
3747 !test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3748 int err;
3749
8f17154f
GP		 3750 if (bt_cb(skb)->tx_seq != tx_seq)
3751 break;
3752
f1c6775b 3753 skb = skb_dequeue(&chan->srej_q);
7e0ef6ee 3754 control = __set_ctrl_sar(chan, bt_cb(skb)->sar);
84084a31 3755 err = l2cap_reassemble_sdu(chan, skb, control);
e328140f
MM		 3756
3757 if (err < 0) {
3758 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3759 break;
3760 }
3761
836be934
AE		 3762 chan->buffer_seq_srej = __next_seq(chan, chan->buffer_seq_srej);
3763 tx_seq = __next_seq(chan, tx_seq);
8f17154f
GP		 3764 }
3765}
3766
fb45de7d 3767static void l2cap_resend_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 3768{
8f17154f 3769 struct srej_list *l, *tmp;
88843ab0 3770 u32 control;
8f17154f 3771
39d5a3ee 3772 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
8f17154f
GP		 3773 if (l->tx_seq == tx_seq) {
3774 list_del(&l->list);
3775 kfree(l);
3776 return;
3777 }
ab784b73 3778 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 3779 control |= __set_reqseq(chan, l->tx_seq);
525cd185 3780 l2cap_send_sframe(chan, control);
8f17154f 3781 list_del(&l->list);
39d5a3ee 3782 list_add_tail(&l->list, &chan->srej_l);
8f17154f
GP		 3783 }
3784}
3785
aef89f21 3786static int l2cap_send_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 3787{
8f17154f 3788 struct srej_list *new;
88843ab0 3789 u32 control;
8f17154f 3790
42e5c802 3791 while (tx_seq != chan->expected_tx_seq) {
ab784b73 3792 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 3793 control |= __set_reqseq(chan, chan->expected_tx_seq);
525cd185 3794 l2cap_send_sframe(chan, control);
8f17154f
GP		 3795
3796 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
aef89f21
SJ		 3797 if (!new)
3798 return -ENOMEM;
3799
42e5c802 3800 new->tx_seq = chan->expected_tx_seq;
836be934
AE		 3801
3802 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
3803
39d5a3ee 3804 list_add_tail(&new->list, &chan->srej_l);
8f17154f 3805 }
836be934
AE		 3806
3807 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
aef89f21
SJ		 3808
3809 return 0;
8f17154f
GP		 3810}
3811
88843ab0 3812static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
1c2acffb 3813{
fb45de7d 3814 u16 tx_seq = __get_txseq(chan, rx_control);
0b209fae 3815 u16 req_seq = __get_reqseq(chan, rx_control);
7e0ef6ee 3816 u8 sar = __get_ctrl_sar(chan, rx_control);
f6337c77 3817 int tx_seq_offset, expected_tx_seq_offset;
47d1ec61 3818 int num_to_ack = (chan->tx_win/6) + 1;
1c2acffb
GP		 3819 int err = 0;
3820
88843ab0 3821 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%8.8x", chan, skb->len,
525cd185 3822 tx_seq, rx_control);
1c2acffb 3823
03f6715d 3824 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 3825 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 3826 __clear_monitor_timer(chan);
6a026610 3827 if (chan->unacked_frames > 0)
1a09bcb9 3828 __set_retrans_timer(chan);
e2ab4353 3829 clear_bit(CONN_WAIT_F, &chan->conn_state);
1d8f5d16
GP		 3830 }
3831
42e5c802
GP		 3832 chan->expected_ack_seq = req_seq;
3833 l2cap_drop_acked_frames(chan);
9f121a5a 3834
836be934 3835 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
9b53350d
JPRV		 3836
3837 /* invalid tx_seq */
47d1ec61 3838 if (tx_seq_offset >= chan->tx_win) {
8c1d787b 3839 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
9b53350d
JPRV		 3840 goto drop;
3841 }
3842
e2ab4353 3843 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1890d36b
GP		 3844 goto drop;
3845
02f1b641
MM		 3846 if (tx_seq == chan->expected_tx_seq)
3847 goto expected;
3848
e2ab4353 3849 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
8f17154f 3850 struct srej_list *first;
30afb5b2 3851
39d5a3ee 3852 first = list_first_entry(&chan->srej_l,
8f17154f
GP		 3853 struct srej_list, list);
3854 if (tx_seq == first->tx_seq) {
42e5c802 3855 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
525cd185 3856 l2cap_check_srej_gap(chan, tx_seq);
8f17154f
GP		 3857
3858 list_del(&first->list);
3859 kfree(first);
3860
39d5a3ee 3861 if (list_empty(&chan->srej_l)) {
42e5c802 3862 chan->buffer_seq = chan->buffer_seq_srej;
e2ab4353 3863 clear_bit(CONN_SREJ_SENT, &chan->conn_state);
525cd185 3864 l2cap_send_ack(chan);
49208c9c 3865 BT_DBG("chan %p, Exit SREJ_SENT", chan);
8f17154f
GP		 3866 }
3867 } else {
3868 struct srej_list *l;
9b53350d
JPRV		 3869
3870 /* duplicated tx_seq */
42e5c802 3871 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
9b53350d 3872 goto drop;
8f17154f 3873
39d5a3ee 3874 list_for_each_entry(l, &chan->srej_l, list) {
8f17154f 3875 if (l->tx_seq == tx_seq) {
525cd185 3876 l2cap_resend_srejframe(chan, tx_seq);
8f17154f
GP		 3877 return 0;
3878 }
3879 }
aef89f21
SJ		 3880
3881 err = l2cap_send_srejframe(chan, tx_seq);
3882 if (err < 0) {
3883 l2cap_send_disconn_req(chan->conn, chan, -err);
3884 return err;
3885 }
30afb5b2
GP		 3886 }
3887 } else {
836be934
AE		 3888 expected_tx_seq_offset = __seq_offset(chan,
3889 chan->expected_tx_seq, chan->buffer_seq);
9b53350d
JPRV		 3890
3891 /* duplicated tx_seq */
3892 if (tx_seq_offset < expected_tx_seq_offset)
3893 goto drop;
3894
e2ab4353 3895 set_bit(CONN_SREJ_SENT, &chan->conn_state);
1c2acffb 3896
49208c9c 3897 BT_DBG("chan %p, Enter SREJ", chan);
0e98958d 3898
39d5a3ee 3899 INIT_LIST_HEAD(&chan->srej_l);
42e5c802 3900 chan->buffer_seq_srej = chan->buffer_seq;
8f17154f 3901
f1c6775b 3902 __skb_queue_head_init(&chan->srej_q);
42e5c802 3903 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
8f17154f 3904
e2ab4353 3905 set_bit(CONN_SEND_PBIT, &chan->conn_state);
ef54fd93 3906
aef89f21
SJ		 3907 err = l2cap_send_srejframe(chan, tx_seq);
3908 if (err < 0) {
3909 l2cap_send_disconn_req(chan->conn, chan, -err);
3910 return err;
3911 }
7fe9b298 3912
1a09bcb9 3913 __clear_ack_timer(chan);
1c2acffb 3914 }
30afb5b2
GP		 3915 return 0;
3916
8f17154f 3917expected:
836be934 3918 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
8f17154f 3919
e2ab4353 3920 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3b1a9f3f
GP		 3921 bt_cb(skb)->tx_seq = tx_seq;
3922 bt_cb(skb)->sar = sar;
f1c6775b 3923 __skb_queue_tail(&chan->srej_q, skb);
8f17154f
GP		 3924 return 0;
3925 }
3926
84084a31 3927 err = l2cap_reassemble_sdu(chan, skb, rx_control);
836be934
AE		 3928 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
3929
e328140f
MM		 3930 if (err < 0) {
3931 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3932 return err;
3933 }
2ece3684 3934
03f6715d 3935 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3936 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3937 l2cap_retransmit_frames(chan);
4ec10d97
GP		 3938 }
3939
c1b4f43b 3940
6a026610
GP		 3941 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3942 if (chan->num_acked == num_to_ack - 1)
525cd185 3943 l2cap_send_ack(chan);
4d611e4d
GP		 3944 else
3945 __set_ack_timer(chan);
9e917af1 3946
8f17154f 3947 return 0;
9b53350d
JPRV		 3948
3949drop:
3950 kfree_skb(skb);
3951 return 0;
1c2acffb
GP		 3952}
3953
88843ab0 3954static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u32 rx_control)
1c2acffb 3955{
88843ab0 3956 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan,
0b209fae 3957 __get_reqseq(chan, rx_control), rx_control);
0e98958d 3958
0b209fae 3959 chan->expected_ack_seq = __get_reqseq(chan, rx_control);
42e5c802 3960 l2cap_drop_acked_frames(chan);
1c2acffb 3961
e3781735 3962 if (__is_ctrl_poll(chan, rx_control)) {
e2ab4353
GP		 3963 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3964 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3965 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 3966 (chan->unacked_frames > 0))
1a09bcb9 3967 __set_retrans_timer(chan);
05fbd89d 3968
e2ab4353 3969 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
525cd185 3970 l2cap_send_srejtail(chan);
05fbd89d 3971 } else {
525cd185 3972 l2cap_send_i_or_rr_or_rnr(chan);
05fbd89d 3973 }
1d8f5d16 3974
03f6715d 3975 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3976 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4ec10d97 3977
e2ab4353 3978 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3979 l2cap_retransmit_frames(chan);
2246b2f1 3980
e072745f 3981 } else {
e2ab4353 3982 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 3983 (chan->unacked_frames > 0))
1a09bcb9 3984 __set_retrans_timer(chan);
1c2acffb 3985
e2ab4353
GP		 3986 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3987 if (test_bit(CONN_SREJ_SENT, &chan->conn_state))
525cd185 3988 l2cap_send_ack(chan);
894718a6 3989 else
525cd185 3990 l2cap_ertm_send(chan);
e072745f
GP		 3991 }
3992}
2246b2f1 3993
88843ab0 3994static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 3995{
0b209fae 3996 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 3997
88843ab0 3998 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 3999
e2ab4353 4000 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
e072745f 4001
42e5c802
GP		 4002 chan->expected_ack_seq = tx_seq;
4003 l2cap_drop_acked_frames(chan);
e072745f 4004
03f6715d 4005 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4006 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 4007 l2cap_retransmit_frames(chan);
e072745f 4008 } else {
525cd185 4009 l2cap_retransmit_frames(chan);
30afb5b2 4010
e2ab4353
GP		 4011 if (test_bit(CONN_WAIT_F, &chan->conn_state))
4012 set_bit(CONN_REJ_ACT, &chan->conn_state);
e072745f
GP		 4013 }
4014}
88843ab0 4015static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4016{
0b209fae 4017 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 4018
88843ab0 4019 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4020
e2ab4353 4021 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
2246b2f1 4022
e3781735 4023 if (__is_ctrl_poll(chan, rx_control)) {
42e5c802
GP		 4024 chan->expected_ack_seq = tx_seq;
4025 l2cap_drop_acked_frames(chan);
3cb123d1 4026
e2ab4353 4027 set_bit(CONN_SEND_FBIT, &chan->conn_state);
525cd185 4028 l2cap_retransmit_one_frame(chan, tx_seq);
dfc909be 4029
525cd185 4030 l2cap_ertm_send(chan);
dfc909be 4031
e2ab4353 4032 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 4033 chan->srej_save_reqseq = tx_seq;
e2ab4353 4034 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 4035 }
03f6715d 4036 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4037 if (test_bit(CONN_SREJ_ACT, &chan->conn_state) &&
6a026610 4038 chan->srej_save_reqseq == tx_seq)
e2ab4353 4039 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
e072745f 4040 else
525cd185 4041 l2cap_retransmit_one_frame(chan, tx_seq);
e072745f 4042 } else {
525cd185 4043 l2cap_retransmit_one_frame(chan, tx_seq);
e2ab4353 4044 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 4045 chan->srej_save_reqseq = tx_seq;
e2ab4353 4046 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 4047 }
e072745f
GP		 4048 }
4049}
4050
88843ab0 4051static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4052{
0b209fae 4053 u16 tx_seq = __get_reqseq(chan, rx_control);
e072745f 4054
88843ab0 4055 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4056
e2ab4353 4057 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
42e5c802
GP		 4058 chan->expected_ack_seq = tx_seq;
4059 l2cap_drop_acked_frames(chan);
e072745f 4060
e3781735 4061 if (__is_ctrl_poll(chan, rx_control))
e2ab4353 4062 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3cb123d1 4063
e2ab4353 4064 if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
1a09bcb9 4065 __clear_retrans_timer(chan);
e3781735 4066 if (__is_ctrl_poll(chan, rx_control))
525cd185 4067 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
99b0d4b7 4068 return;
e072745f 4069 }
99b0d4b7 4070
e3781735 4071 if (__is_ctrl_poll(chan, rx_control)) {
525cd185 4072 l2cap_send_srejtail(chan);
ab784b73
AE		 4073 } else {
4074 rx_control = __set_ctrl_super(chan, L2CAP_SUPER_RR);
4075 l2cap_send_sframe(chan, rx_control);
4076 }
e072745f
GP		 4077}
4078
88843ab0 4079static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
e072745f 4080{
88843ab0 4081 BT_DBG("chan %p rx_control 0x%8.8x len %d", chan, rx_control, skb->len);
e072745f 4082
03f6715d 4083 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 4084 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 4085 __clear_monitor_timer(chan);
6a026610 4086 if (chan->unacked_frames > 0)
1a09bcb9 4087 __set_retrans_timer(chan);
e2ab4353 4088 clear_bit(CONN_WAIT_F, &chan->conn_state);
e072745f
GP		 4089 }
4090
ab784b73
AE		 4091 switch (__get_ctrl_super(chan, rx_control)) {
4092 case L2CAP_SUPER_RR:
525cd185 4093 l2cap_data_channel_rrframe(chan, rx_control);
8f17154f
GP		 4094 break;
4095
ab784b73 4096 case L2CAP_SUPER_REJ:
525cd185 4097 l2cap_data_channel_rejframe(chan, rx_control);
e072745f 4098 break;
2246b2f1 4099
ab784b73 4100 case L2CAP_SUPER_SREJ:
525cd185 4101 l2cap_data_channel_srejframe(chan, rx_control);
e072745f
GP		 4102 break;
4103
ab784b73 4104 case L2CAP_SUPER_RNR:
525cd185 4105 l2cap_data_channel_rnrframe(chan, rx_control);
1c2acffb
GP		 4106 break;
4107 }
4108
faaebd19 4109 kfree_skb(skb);
1c2acffb
GP		 4110 return 0;
4111}
4112
218bb9df
GP		 4113static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
4114{
525cd185 4115 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
88843ab0 4116 u32 control;
0b209fae 4117 u16 req_seq;
218bb9df
GP		 4118 int len, next_tx_seq_offset, req_seq_offset;
4119
88843ab0
AE		 4120 control = __get_control(chan, skb->data);
4121 skb_pull(skb, __ctrl_size(chan));
218bb9df
GP		 4122 len = skb->len;
4123
4124 /*
4125 * We can just drop the corrupted I-frame here.
4126 * Receiver will miss it and start proper recovery
4127 * procedures and ask retransmission.
4128 */
47d1ec61 4129 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 4130 goto drop;
4131
793c2f1c 4132 if (__is_sar_start(chan, control) && !__is_sframe(chan, control))
03a51213 4133 len -= L2CAP_SDULEN_SIZE;
218bb9df 4134
47d1ec61 4135 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 4136 len -= L2CAP_FCS_SIZE;
218bb9df 4137
47d1ec61 4138 if (len > chan->mps) {
8c1d787b 4139 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4140 goto drop;
4141 }
4142
0b209fae 4143 req_seq = __get_reqseq(chan, control);
218bb9df 4144
836be934
AE		 4145 req_seq_offset = __seq_offset(chan, req_seq, chan->expected_ack_seq);
4146
4147 next_tx_seq_offset = __seq_offset(chan, chan->next_tx_seq,
4148 chan->expected_ack_seq);
218bb9df
GP		 4149
4150 /* check for invalid req-seq */
4151 if (req_seq_offset > next_tx_seq_offset) {
8c1d787b 4152 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4153 goto drop;
4154 }
4155
793c2f1c 4156 if (!__is_sframe(chan, control)) {
218bb9df 4157 if (len < 0) {
8c1d787b 4158 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4159 goto drop;
4160 }
4161
525cd185 4162 l2cap_data_channel_iframe(chan, control, skb);
218bb9df
GP		 4163 } else {
4164 if (len != 0) {
4165 BT_ERR("%d", len);
8c1d787b 4166 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4167 goto drop;
4168 }
4169
525cd185 4170 l2cap_data_channel_sframe(chan, control, skb);
218bb9df
GP		 4171 }
4172
4173 return 0;
4174
4175drop:
4176 kfree_skb(skb);
4177 return 0;
4178}
4179
1da177e4
LT		 4180static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
4181{
48454079 4182 struct l2cap_chan *chan;
bf734843 4183 struct sock *sk = NULL;
88843ab0 4184 u32 control;
fb45de7d 4185 u16 tx_seq;
218bb9df 4186 int len;
1da177e4 4187
baa7e1fa 4188 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 4189 if (!chan) {
1da177e4
LT		 4190 BT_DBG("unknown cid 0x%4.4x", cid);
4191 goto drop;
4192 }
4193
48454079 4194 sk = chan->sk;
6840ed07 4195
49208c9c 4196 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 4197
89bc500e 4198 if (chan->state != BT_CONNECTED)
1da177e4
LT		 4199 goto drop;
4200
0c1bc5c6 4201 switch (chan->mode) {
1c2acffb
GP		 4202 case L2CAP_MODE_BASIC:
4203 /* If socket recv buffers overflows we drop data here
4204 * which is *bad* because L2CAP has to be reliable.
4205 * But we don't have any other choice. L2CAP doesn't
4206 * provide flow control mechanism. */
1da177e4 4207
0c1bc5c6 4208 if (chan->imtu < skb->len)
1c2acffb 4209 goto drop;
1da177e4 4210
23070494 4211 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP		 4212 goto done;
4213 break;
4214
4215 case L2CAP_MODE_ERTM:
218bb9df
GP		 4216 if (!sock_owned_by_user(sk)) {
4217 l2cap_ertm_data_rcv(sk, skb);
277ffbe3 4218 } else {
218bb9df 4219 if (sk_add_backlog(sk, skb))
277ffbe3 4220 goto drop;
277ffbe3 4221 }
1c2acffb 4222
fcafde2e 4223 goto done;
1c2acffb 4224
6840ed07 4225 case L2CAP_MODE_STREAMING:
88843ab0
AE		 4226 control = __get_control(chan, skb->data);
4227 skb_pull(skb, __ctrl_size(chan));
6840ed07
GP		 4228 len = skb->len;
4229
47d1ec61 4230 if (l2cap_check_fcs(chan, skb))
26000089
GP		 4231 goto drop;
4232
7e0ef6ee 4233 if (__is_sar_start(chan, control))
03a51213 4234 len -= L2CAP_SDULEN_SIZE;
6840ed07 4235
47d1ec61 4236 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 4237 len -= L2CAP_FCS_SIZE;
fcc203c3 4238
793c2f1c 4239 if (len > chan->mps || len < 0 || __is_sframe(chan, control))
6840ed07
GP		 4240 goto drop;
4241
fb45de7d 4242 tx_seq = __get_txseq(chan, control);
6840ed07 4243
84084a31
MM		 4244 if (chan->expected_tx_seq != tx_seq) {
4245 /* Frame(s) missing - must discard partial SDU */
4246 kfree_skb(chan->sdu);
4247 chan->sdu = NULL;
4248 chan->sdu_last_frag = NULL;
4249 chan->sdu_len = 0;
6840ed07 4250
84084a31
MM		 4251 /* TODO: Notify userland of missing data */
4252 }
4253
836be934 4254 chan->expected_tx_seq = __next_seq(chan, tx_seq);
84084a31
MM		 4255
4256 if (l2cap_reassemble_sdu(chan, skb, control) == -EMSGSIZE)
4257 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
6840ed07
GP		 4258
4259 goto done;
4260
1c2acffb 4261 default:
0c1bc5c6 4262 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 4263 break;
4264 }
1da177e4
LT		 4265
4266drop:
4267 kfree_skb(skb);
4268
4269done:
0139418c
MH		 4270 if (sk)
4271 bh_unlock_sock(sk);
4272
1da177e4
LT		 4273 return 0;
4274}
4275
8e036fc3 4276static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 4277{
6dcae1ea 4278 struct sock *sk = NULL;
23691d75 4279 struct l2cap_chan *chan;
1da177e4 4280
23691d75
GP		 4281 chan = l2cap_global_chan_by_psm(0, psm, conn->src);
4282 if (!chan)
1da177e4
LT		 4283 goto drop;
4284
23691d75
GP		 4285 sk = chan->sk;
4286
e0f0cb56
GP		 4287 bh_lock_sock(sk);
4288
1da177e4
LT		 4289 BT_DBG("sk %p, len %d", sk, skb->len);
4290
89bc500e 4291 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 4292 goto drop;
4293
e13e21dc 4294 if (chan->imtu < skb->len)
1da177e4
LT		 4295 goto drop;
4296
23070494 4297 if (!chan->ops->recv(chan->data, skb))
1da177e4
LT		 4298 goto done;
4299
4300drop:
4301 kfree_skb(skb);
4302
4303done:
af05b30b
GP		 4304 if (sk)
4305 bh_unlock_sock(sk);
1da177e4
LT		 4306 return 0;
4307}
4308
9f69bda6
GP		 4309static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
4310{
6dcae1ea 4311 struct sock *sk = NULL;
23691d75 4312 struct l2cap_chan *chan;
9f69bda6 4313
23691d75
GP		 4314 chan = l2cap_global_chan_by_scid(0, cid, conn->src);
4315 if (!chan)
9f69bda6
GP		 4316 goto drop;
4317
23691d75
GP		 4318 sk = chan->sk;
4319
9f69bda6
GP		 4320 bh_lock_sock(sk);
4321
4322 BT_DBG("sk %p, len %d", sk, skb->len);
4323
89bc500e 4324 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 4325 goto drop;
4326
e13e21dc 4327 if (chan->imtu < skb->len)
9f69bda6
GP		 4328 goto drop;
4329
23070494 4330 if (!chan->ops->recv(chan->data, skb))
9f69bda6
GP		 4331 goto done;
4332
4333drop:
4334 kfree_skb(skb);
4335
4336done:
4337 if (sk)
4338 bh_unlock_sock(sk);
4339 return 0;
4340}
4341
1da177e4
LT		 4342static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4343{
4344 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4345 u16 cid, len;
4346 __le16 psm;
1da177e4
LT		 4347
4348 skb_pull(skb, L2CAP_HDR_SIZE);
4349 cid = __le16_to_cpu(lh->cid);
4350 len = __le16_to_cpu(lh->len);
4351
1c2acffb
GP		 4352 if (len != skb->len) {
4353 kfree_skb(skb);
4354 return;
4355 }
4356
1da177e4
LT		 4357 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4358
4359 switch (cid) {
3300d9a9 4360 case L2CAP_CID_LE_SIGNALING:
8db4dc46 4361 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4362 l2cap_sig_channel(conn, skb);
4363 break;
4364
8db4dc46 4365 case L2CAP_CID_CONN_LESS:
1b7bf4ed 4366 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 4367 skb_pull(skb, 2);
4368 l2cap_conless_channel(conn, psm, skb);
4369 break;
4370
9f69bda6
GP		 4371 case L2CAP_CID_LE_DATA:
4372 l2cap_att_channel(conn, cid, skb);
4373 break;
4374
b501d6a1
AB		 4375 case L2CAP_CID_SMP:
4376 if (smp_sig_channel(conn, skb))
4377 l2cap_conn_del(conn->hcon, EACCES);
4378 break;
4379
1da177e4
LT		 4380 default:
4381 l2cap_data_channel(conn, cid, skb);
4382 break;
4383 }
4384}
4385
4386/* ---- L2CAP interface with lower layer (HCI) ---- */
4387
4388static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4389{
4390 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 4391 struct l2cap_chan *c;
1da177e4
LT		 4392
4393 if (type != ACL_LINK)
963cf687 4394 return -EINVAL;
1da177e4
LT		 4395
4396 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4397
4398 /* Find listening sockets and check their link_mode */
23691d75
GP		 4399 read_lock(&chan_list_lock);
4400 list_for_each_entry(c, &chan_list, global_l) {
4401 struct sock *sk = c->sk;
4343478f 4402
89bc500e 4403 if (c->state != BT_LISTEN)
1da177e4
LT		 4404 continue;
4405
4406 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4407 lm1 |= HCI_LM_ACCEPT;
43bd0f32 4408 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 4409 lm1 |= HCI_LM_MASTER;
1da177e4 4410 exact++;
2af6b9d5
MH		 4411 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4412 lm2 |= HCI_LM_ACCEPT;
43bd0f32 4413 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 4414 lm2 |= HCI_LM_MASTER;
4415 }
1da177e4 4416 }
23691d75 4417 read_unlock(&chan_list_lock);
1da177e4
LT		 4418
4419 return exact ? lm1 : lm2;
4420}
4421
4422static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4423{
0139418c
MH		 4424 struct l2cap_conn *conn;
4425
1da177e4
LT		 4426 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4427
acd7d370 4428 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4429 return -EINVAL;
1da177e4
LT		 4430
4431 if (!status) {
1da177e4
LT		 4432 conn = l2cap_conn_add(hcon, status);
4433 if (conn)
4434 l2cap_conn_ready(conn);
0139418c 4435 } else
e175072f 4436 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 4437
4438 return 0;
4439}
4440
2950f21a
MH		 4441static int l2cap_disconn_ind(struct hci_conn *hcon)
4442{
4443 struct l2cap_conn *conn = hcon->l2cap_data;
4444
4445 BT_DBG("hcon %p", hcon);
4446
b5694506 4447 if ((hcon->type != ACL_LINK && hcon->type != LE_LINK) || !conn)
9f5a0d7b 4448 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 4449
4450 return conn->disc_reason;
4451}
4452
4453static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4454{
4455 BT_DBG("hcon %p reason %d", hcon, reason);
4456
acd7d370 4457 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
963cf687 4458 return -EINVAL;
1da177e4 4459
e175072f 4460 l2cap_conn_del(hcon, bt_to_errno(reason));
0139418c 4461
1da177e4
LT		 4462 return 0;
4463}
4464
4343478f 4465static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4466{
715ec005 4467 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 4468 return;
4469
f62e4323 4470 if (encrypt == 0x00) {
4343478f 4471 if (chan->sec_level == BT_SECURITY_MEDIUM) {
c9b66675 4472 __clear_chan_timer(chan);
f3f668b0 4473 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 4474 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 4475 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4476 } else {
4343478f 4477 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 4478 __clear_chan_timer(chan);
f62e4323
MH		 4479 }
4480}
4481
8c1b2355 4482static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4483{
0139418c 4484 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4485 struct l2cap_chan *chan;
1da177e4 4486
0139418c 4487 if (!conn)
1da177e4 4488 return 0;
0139418c 4489
1da177e4
LT		 4490 BT_DBG("conn %p", conn);
4491
160dc6ac
VCG		 4492 if (hcon->type == LE_LINK) {
4493 smp_distribute_keys(conn, 0);
4494 del_timer(&conn->security_timer);
4495 }
4496
baa7e1fa 4497 read_lock(&conn->chan_lock);
1da177e4 4498
baa7e1fa 4499 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 4500 struct sock *sk = chan->sk;
baa7e1fa 4501
1da177e4
LT		 4502 bh_lock_sock(sk);
4503
f1cb9af5
VCG		 4504 BT_DBG("chan->scid %d", chan->scid);
4505
4506 if (chan->scid == L2CAP_CID_LE_DATA) {
4507 if (!status && encrypt) {
4508 chan->sec_level = hcon->sec_level;
4509 l2cap_chan_ready(sk);
4510 }
4511
4512 bh_unlock_sock(sk);
4513 continue;
4514 }
4515
c1360a1c 4516 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6a8d3010
MH		 4517 bh_unlock_sock(sk);
4518 continue;
4519 }
4520
89bc500e
GP		 4521 if (!status && (chan->state == BT_CONNECTED ||
4522 chan->state == BT_CONFIG)) {
4343478f 4523 l2cap_check_encryption(chan, encrypt);
9719f8af
MH		 4524 bh_unlock_sock(sk);
4525 continue;
4526 }
4527
89bc500e 4528 if (chan->state == BT_CONNECT) {
b1235d79
MH		 4529 if (!status) {
4530 struct l2cap_conn_req req;
fe4128e0
GP		 4531 req.scid = cpu_to_le16(chan->scid);
4532 req.psm = chan->psm;
1da177e4 4533
fc7f8a7e 4534 chan->ident = l2cap_get_ident(conn);
c1360a1c 4535 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4 4536
fc7f8a7e 4537 l2cap_send_cmd(conn, chan->ident,
b1235d79
MH		 4538 L2CAP_CONN_REQ, sizeof(req), &req);
4539 } else {
c9b66675 4540 __clear_chan_timer(chan);
f3f668b0 4541 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 4542 }
89bc500e 4543 } else if (chan->state == BT_CONNECT2) {
b1235d79 4544 struct l2cap_conn_rsp rsp;
df3c3931 4545 __u16 res, stat;
1da177e4 4546
b1235d79 4547 if (!status) {
df3c3931
JH		 4548 if (bt_sk(sk)->defer_setup) {
4549 struct sock *parent = bt_sk(sk)->parent;
4550 res = L2CAP_CR_PEND;
4551 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 4552 if (parent)
4553 parent->sk_data_ready(parent, 0);
df3c3931 4554 } else {
05558911 4555 l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 4556 res = L2CAP_CR_SUCCESS;
4557 stat = L2CAP_CS_NO_INFO;
4558 }
b1235d79 4559 } else {
89bc500e 4560 l2cap_state_change(chan, BT_DISCONN);
f3f668b0 4561 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 4562 res = L2CAP_CR_SEC_BLOCK;
4563 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 4564 }
4565
fe4128e0
GP		 4566 rsp.scid = cpu_to_le16(chan->dcid);
4567 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 4568 rsp.result = cpu_to_le16(res);
4569 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 4570 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4571 sizeof(rsp), &rsp);
b1235d79 4572 }
1da177e4
LT		 4573
4574 bh_unlock_sock(sk);
4575 }
4576
baa7e1fa 4577 read_unlock(&conn->chan_lock);
b1235d79 4578
1da177e4
LT		 4579 return 0;
4580}
4581
4582static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4583{
4584 struct l2cap_conn *conn = hcon->l2cap_data;
4585
5a08ecce
AE		 4586 if (!conn)
4587 conn = l2cap_conn_add(hcon, 0);
4588
4589 if (!conn)
1da177e4
LT		 4590 goto drop;
4591
4592 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4593
e702112f 4594 if (!(flags & ACL_CONT)) {
1da177e4 4595 struct l2cap_hdr *hdr;
48454079 4596 struct l2cap_chan *chan;
89794813 4597 u16 cid;
1da177e4
LT		 4598 int len;
4599
4600 if (conn->rx_len) {
4601 BT_ERR("Unexpected start frame (len %d)", skb->len);
4602 kfree_skb(conn->rx_skb);
4603 conn->rx_skb = NULL;
4604 conn->rx_len = 0;
4605 l2cap_conn_unreliable(conn, ECOMM);
4606 }
4607
aae7fe22
AE		 4608 /* Start fragment always begin with Basic L2CAP header */
4609 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 4610 BT_ERR("Frame is too short (len %d)", skb->len);
4611 l2cap_conn_unreliable(conn, ECOMM);
4612 goto drop;
4613 }
4614
4615 hdr = (struct l2cap_hdr *) skb->data;
4616 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
89794813 4617 cid = __le16_to_cpu(hdr->cid);
1da177e4
LT		 4618
4619 if (len == skb->len) {
4620 /* Complete frame received */
4621 l2cap_recv_frame(conn, skb);
4622 return 0;
4623 }
4624
4625 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4626
4627 if (skb->len > len) {
4628 BT_ERR("Frame is too long (len %d, expected len %d)",
4629 skb->len, len);
4630 l2cap_conn_unreliable(conn, ECOMM);
4631 goto drop;
4632 }
4633
baa7e1fa 4634 chan = l2cap_get_chan_by_scid(conn, cid);
89794813 4635
48454079
GP		 4636 if (chan && chan->sk) {
4637 struct sock *sk = chan->sk;
89794813 4638
0c1bc5c6 4639 if (chan->imtu < len - L2CAP_HDR_SIZE) {
48454079
GP		 4640 BT_ERR("Frame exceeding recv MTU (len %d, "
4641 "MTU %d)", len,
0c1bc5c6 4642 chan->imtu);
48454079
GP		 4643 bh_unlock_sock(sk);
4644 l2cap_conn_unreliable(conn, ECOMM);
4645 goto drop;
4646 }
89794813 4647 bh_unlock_sock(sk);
48454079 4648 }
89794813 4649
1da177e4 4650 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4651 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4652 if (!conn->rx_skb)
1da177e4
LT		 4653 goto drop;
4654
d626f62b 4655 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4656 skb->len);
1da177e4
LT		 4657 conn->rx_len = len - skb->len;
4658 } else {
4659 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4660
4661 if (!conn->rx_len) {
4662 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4663 l2cap_conn_unreliable(conn, ECOMM);
4664 goto drop;
4665 }
4666
4667 if (skb->len > conn->rx_len) {
4668 BT_ERR("Fragment is too long (len %d, expected %d)",
4669 skb->len, conn->rx_len);
4670 kfree_skb(conn->rx_skb);
4671 conn->rx_skb = NULL;
4672 conn->rx_len = 0;
4673 l2cap_conn_unreliable(conn, ECOMM);
4674 goto drop;
4675 }
4676
d626f62b 4677 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4678 skb->len);
1da177e4
LT		 4679 conn->rx_len -= skb->len;
4680
4681 if (!conn->rx_len) {
4682 /* Complete frame received */
4683 l2cap_recv_frame(conn, conn->rx_skb);
4684 conn->rx_skb = NULL;
4685 }
4686 }
4687
4688drop:
4689 kfree_skb(skb);
4690 return 0;
4691}
4692
aef7d97c 4693static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 4694{
23691d75 4695 struct l2cap_chan *c;
1da177e4 4696
23691d75 4697 read_lock_bh(&chan_list_lock);
1da177e4 4698
23691d75
GP		 4699 list_for_each_entry(c, &chan_list, global_l) {
4700 struct sock *sk = c->sk;
101545f6 4701
903d343e 4702 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 4703 batostr(&bt_sk(sk)->src),
4704 batostr(&bt_sk(sk)->dst),
89bc500e 4705 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 4706 c->scid, c->dcid, c->imtu, c->omtu,
4707 c->sec_level, c->mode);
05558911 4708}
1da177e4 4709
23691d75 4710 read_unlock_bh(&chan_list_lock);
1da177e4 4711
aef7d97c 4712 return 0;
1da177e4
LT		 4713}
4714
aef7d97c
MH		 4715static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4716{
4717 return single_open(file, l2cap_debugfs_show, inode->i_private);
4718}
4719
4720static const struct file_operations l2cap_debugfs_fops = {
4721 .open = l2cap_debugfs_open,
4722 .read = seq_read,
4723 .llseek = seq_lseek,
4724 .release = single_release,
4725};
4726
4727static struct dentry *l2cap_debugfs;
1da177e4 4728
1da177e4
LT		 4729static struct hci_proto l2cap_hci_proto = {
4730 .name = "L2CAP",
4731 .id = HCI_PROTO_L2CAP,
4732 .connect_ind = l2cap_connect_ind,
4733 .connect_cfm = l2cap_connect_cfm,
4734 .disconn_ind = l2cap_disconn_ind,
2950f21a 4735 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 4736 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 4737 .recv_acldata = l2cap_recv_acldata
4738};
4739
64274518 4740int __init l2cap_init(void)
1da177e4
LT		 4741{
4742 int err;
be9d1227 4743
bb58f747 4744 err = l2cap_init_sockets();
1da177e4
LT		 4745 if (err < 0)
4746 return err;
4747
1da177e4
LT		 4748 err = hci_register_proto(&l2cap_hci_proto);
4749 if (err < 0) {
4750 BT_ERR("L2CAP protocol registration failed");
4751 bt_sock_unregister(BTPROTO_L2CAP);
4752 goto error;
4753 }
4754
aef7d97c
MH		 4755 if (bt_debugfs) {
4756 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4757 bt_debugfs, NULL, &l2cap_debugfs_fops);
4758 if (!l2cap_debugfs)
4759 BT_ERR("Failed to create L2CAP debug file");
4760 }
1da177e4 4761
1da177e4
LT		 4762 return 0;
4763
4764error:
bb58f747 4765 l2cap_cleanup_sockets();
1da177e4
LT		 4766 return err;
4767}
4768
64274518 4769void l2cap_exit(void)
1da177e4 4770{
aef7d97c 4771 debugfs_remove(l2cap_debugfs);
1da177e4 4772
1da177e4
LT		 4773 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4774 BT_ERR("L2CAP protocol unregistration failed");
4775
bb58f747 4776 l2cap_cleanup_sockets();
1da177e4
LT		 4777}
4778
d1c4a17d
GP		 4779module_param(disable_ertm, bool, 0644);
4780MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
a5fd6f30
AE		 4781
4782module_param(enable_hs, bool, 0644);
4783MODULE_PARM_DESC(enable_hs, "Enable High Speed");
kernel source for telekom puls (alcatel/mediatek)