projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: trivial: Fix long line
[deliverable/linux.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
1da177e4
LT		 7
8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License version 2 as
12 published by the Free Software Foundation;
13
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22
8e87d142
YH		 23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 25 SOFTWARE IS DISCLAIMED.
26*/
27
bb58f747 28/* Bluetooth L2CAP core. */
1da177e4 29
1da177e4
LT		 30#include <linux/module.h>
31
32#include <linux/types.h>
4fc268d2 33#include <linux/capability.h>
1da177e4
LT		 34#include <linux/errno.h>
35#include <linux/kernel.h>
1da177e4
LT		 36#include <linux/sched.h>
37#include <linux/slab.h>
38#include <linux/poll.h>
39#include <linux/fcntl.h>
40#include <linux/init.h>
41#include <linux/interrupt.h>
42#include <linux/socket.h>
43#include <linux/skbuff.h>
1da177e4 44#include <linux/list.h>
be9d1227 45#include <linux/device.h>
aef7d97c
MH		 46#include <linux/debugfs.h>
47#include <linux/seq_file.h>
af05b30b 48#include <linux/uaccess.h>
fcc203c3 49#include <linux/crc16.h>
1da177e4
LT		 50#include <net/sock.h>
51
52#include <asm/system.h>
1da177e4
LT		 53#include <asm/unaligned.h>
54
55#include <net/bluetooth/bluetooth.h>
56#include <net/bluetooth/hci_core.h>
57#include <net/bluetooth/l2cap.h>
b501d6a1 58#include <net/bluetooth/smp.h>
1da177e4 59
eb939922 60bool disable_ertm;
f0709e03 61
47ec1dcd 62static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 63static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 64
b5ad8b7f
JB		 65static LIST_HEAD(chan_list);
66static DEFINE_RWLOCK(chan_list_lock);
1da177e4 67
1da177e4
LT		 68static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
69 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 70static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
71 void *data);
710f9b0a 72static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a
GP		 73static void l2cap_send_disconn_req(struct l2cap_conn *conn,
74 struct l2cap_chan *chan, int err);
1da177e4 75
0139418c 76/* ---- L2CAP channels ---- */
71ba0e56 77
baa7e1fa 78static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 79{
3d57dc68 80 struct l2cap_chan *c, *r = NULL;
baa7e1fa 81
3d57dc68
GP		 82 rcu_read_lock();
83
84 list_for_each_entry_rcu(c, &conn->chan_l, list) {
85 if (c->dcid == cid) {
86 r = c;
87 break;
88 }
0139418c 89 }
3d57dc68
GP		 90
91 rcu_read_unlock();
92 return r;
0139418c
MH		 93}
94
baa7e1fa 95static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 96{
3d57dc68 97 struct l2cap_chan *c, *r = NULL;
baa7e1fa 98
3d57dc68
GP		 99 rcu_read_lock();
100
101 list_for_each_entry_rcu(c, &conn->chan_l, list) {
102 if (c->scid == cid) {
103 r = c;
104 break;
105 }
0139418c 106 }
3d57dc68
GP		 107
108 rcu_read_unlock();
109 return r;
0139418c
MH		 110}
111
112/* Find channel with given SCID.
113 * Returns locked socket */
baa7e1fa 114static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 115{
48454079 116 struct l2cap_chan *c;
baa7e1fa 117
baa7e1fa 118 c = __l2cap_get_chan_by_scid(conn, cid);
48454079 119 if (c)
aa2ac881 120 lock_sock(c->sk);
48454079 121 return c;
0139418c
MH		 122}
123
baa7e1fa 124static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 125{
3d57dc68 126 struct l2cap_chan *c, *r = NULL;
baa7e1fa 127
3d57dc68
GP		 128 rcu_read_lock();
129
130 list_for_each_entry_rcu(c, &conn->chan_l, list) {
131 if (c->ident == ident) {
132 r = c;
133 break;
134 }
0139418c 135 }
3d57dc68
GP		 136
137 rcu_read_unlock();
138 return r;
0139418c
MH		 139}
140
baa7e1fa 141static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 142{
48454079 143 struct l2cap_chan *c;
baa7e1fa 144
baa7e1fa 145 c = __l2cap_get_chan_by_ident(conn, ident);
48454079 146 if (c)
aa2ac881 147 lock_sock(c->sk);
48454079 148 return c;
0139418c
MH		 149}
150
23691d75 151static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 152{
23691d75 153 struct l2cap_chan *c;
9e4425ff 154
23691d75
GP		 155 list_for_each_entry(c, &chan_list, global_l) {
156 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 157 return c;
9e4425ff 158 }
250938cb 159 return NULL;
9e4425ff
GP		 160}
161
162int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
163{
73b2ec18
GP		 164 int err;
165
333055f2 166 write_lock(&chan_list_lock);
9e4425ff 167
23691d75 168 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 169 err = -EADDRINUSE;
170 goto done;
9e4425ff
GP		 171 }
172
73b2ec18
GP		 173 if (psm) {
174 chan->psm = psm;
175 chan->sport = psm;
176 err = 0;
177 } else {
178 u16 p;
179
180 err = -EINVAL;
181 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 182 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 183 chan->psm = cpu_to_le16(p);
184 chan->sport = cpu_to_le16(p);
185 err = 0;
186 break;
187 }
188 }
9e4425ff 189
73b2ec18 190done:
333055f2 191 write_unlock(&chan_list_lock);
73b2ec18 192 return err;
9e4425ff
GP		 193}
194
195int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
196{
333055f2 197 write_lock(&chan_list_lock);
9e4425ff
GP		 198
199 chan->scid = scid;
200
333055f2 201 write_unlock(&chan_list_lock);
9e4425ff
GP		 202
203 return 0;
204}
205
baa7e1fa 206static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 207{
8db4dc46 208 u16 cid = L2CAP_CID_DYN_START;
0139418c 209
8db4dc46 210 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 211 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 212 return cid;
213 }
214
215 return 0;
216}
217
89bc500e
GP		 218static void l2cap_state_change(struct l2cap_chan *chan, int state)
219{
42d2d87c 220 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
badaaa00
GP		 221 state_to_string(state));
222
89bc500e
GP		 223 chan->state = state;
224 chan->ops->state_change(chan->data, state);
225}
226
721c4181 227static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 228{
721c4181
GP		 229 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
230 chan_timer.work);
ab07801d
GP		 231 struct sock *sk = chan->sk;
232 int reason;
233
e05dcc32 234 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 235
721c4181 236 lock_sock(sk);
ab07801d 237
89bc500e 238 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 239 reason = ECONNREFUSED;
89bc500e 240 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 241 chan->sec_level != BT_SECURITY_SDP)
242 reason = ECONNREFUSED;
243 else
244 reason = ETIMEDOUT;
245
0f852724 246 l2cap_chan_close(chan, reason);
ab07801d 247
721c4181 248 release_sock(sk);
ab07801d 249
ba3bd0ee 250 chan->ops->close(chan->data);
371fd835 251 l2cap_chan_put(chan);
ab07801d
GP		 252}
253
23691d75 254struct l2cap_chan *l2cap_chan_create(struct sock *sk)
48454079
GP		 255{
256 struct l2cap_chan *chan;
257
258 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
259 if (!chan)
260 return NULL;
261
262 chan->sk = sk;
263
333055f2 264 write_lock(&chan_list_lock);
23691d75 265 list_add(&chan->global_l, &chan_list);
333055f2 266 write_unlock(&chan_list_lock);
23691d75 267
721c4181 268 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 269
89bc500e
GP		 270 chan->state = BT_OPEN;
271
71ba0e56
GP		 272 atomic_set(&chan->refcnt, 1);
273
abc545b8
SJ		 274 BT_DBG("sk %p chan %p", sk, chan);
275
48454079
GP		 276 return chan;
277}
278
23691d75 279void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 280{
333055f2 281 write_lock(&chan_list_lock);
23691d75 282 list_del(&chan->global_l);
333055f2 283 write_unlock(&chan_list_lock);
23691d75 284
371fd835 285 l2cap_chan_put(chan);
6ff5abbf
GP		 286}
287
3d57dc68 288static void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 289{
af05b30b 290 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
fe4128e0 291 chan->psm, chan->dcid);
0139418c 292
9f5a0d7b 293 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 294
8c1d787b 295 chan->conn = conn;
0139418c 296
5491120e
AE		 297 switch (chan->chan_type) {
298 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 299 if (conn->hcon->type == LE_LINK) {
300 /* LE connection */
0c1bc5c6 301 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 302 chan->scid = L2CAP_CID_LE_DATA;
303 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 304 } else {
305 /* Alloc CID for connection-oriented socket */
fe4128e0 306 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 307 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 308 }
5491120e
AE		 309 break;
310
311 case L2CAP_CHAN_CONN_LESS:
0139418c 312 /* Connectionless socket */
fe4128e0
GP		 313 chan->scid = L2CAP_CID_CONN_LESS;
314 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 315 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 316 break;
317
318 default:
0139418c 319 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 320 chan->scid = L2CAP_CID_SIGNALING;
321 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 322 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 323 }
324
8f7975b1
AE		 325 chan->local_id = L2CAP_BESTEFFORT_ID;
326 chan->local_stype = L2CAP_SERV_BESTEFFORT;
327 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
328 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
329 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
330 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
331
371fd835 332 l2cap_chan_hold(chan);
baa7e1fa 333
3d57dc68 334 list_add_rcu(&chan->list, &conn->chan_l);
0139418c
MH		 335}
336
8e87d142 337/* Delete channel.
0139418c 338 * Must be called on the locked socket. */
4519de9a 339static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 340{
48454079 341 struct sock *sk = chan->sk;
8c1d787b 342 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 343 struct sock *parent = bt_sk(sk)->parent;
344
c9b66675 345 __clear_chan_timer(chan);
0139418c 346
49208c9c 347 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 348
8e87d142 349 if (conn) {
baa7e1fa 350 /* Delete from channel list */
3d57dc68
GP		 351 list_del_rcu(&chan->list);
352 synchronize_rcu();
353
371fd835 354 l2cap_chan_put(chan);
baa7e1fa 355
8c1d787b 356 chan->conn = NULL;
0139418c
MH		 357 hci_conn_put(conn->hcon);
358 }
359
89bc500e 360 l2cap_state_change(chan, BT_CLOSED);
0139418c
MH		 361 sock_set_flag(sk, SOCK_ZAPPED);
362
363 if (err)
364 sk->sk_err = err;
365
366 if (parent) {
367 bt_accept_unlink(sk);
368 parent->sk_data_ready(parent, 0);
369 } else
370 sk->sk_state_change(sk);
c13ffa62 371
c1360a1c
GP		 372 if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
373 test_bit(CONF_INPUT_DONE, &chan->conf_state)))
6ff5abbf 374 return;
2ead70b8 375
58d35f87 376 skb_queue_purge(&chan->tx_q);
c13ffa62 377
0c1bc5c6 378 if (chan->mode == L2CAP_MODE_ERTM) {
c13ffa62
GP		 379 struct srej_list *l, *tmp;
380
1a09bcb9
GP		 381 __clear_retrans_timer(chan);
382 __clear_monitor_timer(chan);
383 __clear_ack_timer(chan);
c13ffa62 384
f1c6775b 385 skb_queue_purge(&chan->srej_q);
c13ffa62 386
39d5a3ee 387 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
c13ffa62
GP		 388 list_del(&l->list);
389 kfree(l);
390 }
391 }
0139418c
MH		 392}
393
4519de9a
GP		 394static void l2cap_chan_cleanup_listen(struct sock *parent)
395{
396 struct sock *sk;
397
398 BT_DBG("parent %p", parent);
399
400 /* Close not yet accepted channels */
0f852724 401 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee 402 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
c9b66675 403 __clear_chan_timer(chan);
0f852724 404 lock_sock(sk);
ba3bd0ee 405 l2cap_chan_close(chan, ECONNRESET);
0f852724 406 release_sock(sk);
ba3bd0ee 407 chan->ops->close(chan->data);
0f852724 408 }
4519de9a
GP		 409}
410
0f852724 411void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 412{
413 struct l2cap_conn *conn = chan->conn;
414 struct sock *sk = chan->sk;
415
e05dcc32
AE		 416 BT_DBG("chan %p state %s sk %p", chan,
417 state_to_string(chan->state), sk);
4519de9a 418
89bc500e 419 switch (chan->state) {
4519de9a
GP		 420 case BT_LISTEN:
421 l2cap_chan_cleanup_listen(sk);
89bc500e
GP		 422
423 l2cap_state_change(chan, BT_CLOSED);
424 sock_set_flag(sk, SOCK_ZAPPED);
4519de9a
GP		 425 break;
426
427 case BT_CONNECTED:
428 case BT_CONFIG:
715ec005 429 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 430 conn->hcon->type == ACL_LINK) {
c9b66675
GP		 431 __clear_chan_timer(chan);
432 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 433 l2cap_send_disconn_req(conn, chan, reason);
434 } else
435 l2cap_chan_del(chan, reason);
436 break;
437
438 case BT_CONNECT2:
715ec005 439 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 440 conn->hcon->type == ACL_LINK) {
441 struct l2cap_conn_rsp rsp;
442 __u16 result;
443
444 if (bt_sk(sk)->defer_setup)
445 result = L2CAP_CR_SEC_BLOCK;
446 else
447 result = L2CAP_CR_BAD_PSM;
89bc500e 448 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 449
450 rsp.scid = cpu_to_le16(chan->dcid);
451 rsp.dcid = cpu_to_le16(chan->scid);
452 rsp.result = cpu_to_le16(result);
453 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
454 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
455 sizeof(rsp), &rsp);
456 }
457
458 l2cap_chan_del(chan, reason);
459 break;
460
461 case BT_CONNECT:
462 case BT_DISCONN:
463 l2cap_chan_del(chan, reason);
464 break;
465
466 default:
467 sock_set_flag(sk, SOCK_ZAPPED);
468 break;
469 }
470}
471
4343478f 472static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 473{
715ec005 474 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 475 switch (chan->sec_level) {
8556edd3
JH		 476 case BT_SECURITY_HIGH:
477 return HCI_AT_DEDICATED_BONDING_MITM;
478 case BT_SECURITY_MEDIUM:
479 return HCI_AT_DEDICATED_BONDING;
480 default:
481 return HCI_AT_NO_BONDING;
482 }
fe4128e0 483 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 484 if (chan->sec_level == BT_SECURITY_LOW)
485 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 486
4343478f 487 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 488 return HCI_AT_NO_BONDING_MITM;
00ae4af9 489 else
8556edd3 490 return HCI_AT_NO_BONDING;
00ae4af9 491 } else {
4343478f 492 switch (chan->sec_level) {
00ae4af9 493 case BT_SECURITY_HIGH:
8556edd3 494 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 495 case BT_SECURITY_MEDIUM:
8556edd3 496 return HCI_AT_GENERAL_BONDING;
00ae4af9 497 default:
8556edd3 498 return HCI_AT_NO_BONDING;
00ae4af9 499 }
0684e5f9 500 }
8556edd3
JH		 501}
502
503/* Service level security */
d45fc423 504int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 505{
8c1d787b 506 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 507 __u8 auth_type;
508
4343478f 509 auth_type = l2cap_get_auth_type(chan);
79d554a6 510
4343478f 511 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 512}
513
b5ad8b7f 514static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 515{
516 u8 id;
517
518 /* Get next available identificator.
519 * 1 - 128 are used by kernel.
520 * 129 - 199 are reserved.
521 * 200 - 254 are used by utilities like l2ping, etc.
522 */
523
333055f2 524 spin_lock(&conn->lock);
4e8402a3
MH		 525
526 if (++conn->tx_ident > 128)
527 conn->tx_ident = 1;
528
529 id = conn->tx_ident;
530
333055f2 531 spin_unlock(&conn->lock);
4e8402a3
MH		 532
533 return id;
534}
535
4519de9a 536static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 537{
538 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 539 u8 flags;
4e8402a3
MH		 540
541 BT_DBG("code 0x%2.2x", code);
542
543 if (!skb)
9a9c6a34 544 return;
4e8402a3 545
e702112f
AE		 546 if (lmp_no_flush_capable(conn->hcon->hdev))
547 flags = ACL_START_NO_FLUSH;
548 else
549 flags = ACL_START;
550
14b12d0b 551 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 552 skb->priority = HCI_PRIO_MAX;
14b12d0b 553
73d80deb
LAD		 554 hci_send_acl(conn->hchan, skb, flags);
555}
556
557static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
558{
559 struct hci_conn *hcon = chan->conn->hcon;
560 u16 flags;
561
562 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
563 skb->priority);
564
565 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
566 lmp_no_flush_capable(hcon->hdev))
567 flags = ACL_START_NO_FLUSH;
568 else
569 flags = ACL_START;
14b12d0b 570
73d80deb
LAD		 571 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
572 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 573}
574
88843ab0 575static inline void l2cap_send_sframe(struct l2cap_chan *chan, u32 control)
1c2acffb
GP		 576{
577 struct sk_buff *skb;
578 struct l2cap_hdr *lh;
8c1d787b 579 struct l2cap_conn *conn = chan->conn;
e4ca6d98 580 int count, hlen;
fcc203c3 581
89bc500e 582 if (chan->state != BT_CONNECTED)
c13ffa62
GP		 583 return;
584
e4ca6d98
AE		 585 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
586 hlen = L2CAP_EXT_HDR_SIZE;
587 else
588 hlen = L2CAP_ENH_HDR_SIZE;
589
47d1ec61 590 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 591 hlen += L2CAP_FCS_SIZE;
1c2acffb 592
88843ab0 593 BT_DBG("chan %p, control 0x%8.8x", chan, control);
1c2acffb 594
fcc203c3 595 count = min_t(unsigned int, conn->mtu, hlen);
793c2f1c
AE		 596
597 control |= __set_sframe(chan);
1c2acffb 598
e2ab4353 599 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 600 control |= __set_ctrl_final(chan);
9e917af1 601
e2ab4353 602 if (test_and_clear_bit(CONN_SEND_PBIT, &chan->conn_state))
e3781735 603 control |= __set_ctrl_poll(chan);
f0946ccf 604
1c2acffb
GP		 605 skb = bt_skb_alloc(count, GFP_ATOMIC);
606 if (!skb)
9a9c6a34 607 return;
1c2acffb
GP		 608
609 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 610 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
fe4128e0 611 lh->cid = cpu_to_le16(chan->dcid);
88843ab0
AE		 612
613 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
1c2acffb 614
47d1ec61 615 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 616 u16 fcs = crc16(0, (u8 *)lh, count - L2CAP_FCS_SIZE);
617 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 618 }
619
73d80deb
LAD		 620 skb->priority = HCI_PRIO_MAX;
621 l2cap_do_send(chan, skb);
1c2acffb
GP		 622}
623
88843ab0 624static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u32 control)
7e743090 625{
e2ab4353 626 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 627 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 628 set_bit(CONN_RNR_SENT, &chan->conn_state);
1890d36b 629 } else
ab784b73 630 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
7e743090 631
0b209fae 632 control |= __set_reqseq(chan, chan->buffer_seq);
2ab25cdd 633
525cd185 634 l2cap_send_sframe(chan, control);
7e743090
GP		 635}
636
b4450035 637static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 638{
c1360a1c 639 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 640}
641
fc7f8a7e 642static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 643{
8c1d787b 644 struct l2cap_conn *conn = chan->conn;
79d554a6
MH		 645
646 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 647 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
648 return;
649
d45fc423 650 if (l2cap_chan_check_security(chan) &&
4343478f 651 __l2cap_no_conn_pending(chan)) {
b1235d79 652 struct l2cap_conn_req req;
fe4128e0
GP		 653 req.scid = cpu_to_le16(chan->scid);
654 req.psm = chan->psm;
79d554a6 655
fc7f8a7e 656 chan->ident = l2cap_get_ident(conn);
c1360a1c 657 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
79d554a6 658
fc7f8a7e
GP		 659 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
660 sizeof(req), &req);
b1235d79 661 }
79d554a6
MH		 662 } else {
663 struct l2cap_info_req req;
664 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
665
666 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
667 conn->info_ident = l2cap_get_ident(conn);
668
030013d8 669 schedule_delayed_work(&conn->info_timer,
79d554a6
MH		 670 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
671
672 l2cap_send_cmd(conn, conn->info_ident,
673 L2CAP_INFO_REQ, sizeof(req), &req);
674 }
675}
676
cf6c2c0b
GP		 677static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
678{
679 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 680 if (!disable_ertm)
cf6c2c0b
GP		 681 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
682
683 switch (mode) {
684 case L2CAP_MODE_ERTM:
685 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
686 case L2CAP_MODE_STREAMING:
687 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
688 default:
689 return 0x00;
690 }
691}
692
4519de9a 693static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 694{
e92c8e70 695 struct sock *sk;
22121fc9
GP		 696 struct l2cap_disconn_req req;
697
c13ffa62
GP		 698 if (!conn)
699 return;
700
e92c8e70
GP		 701 sk = chan->sk;
702
0c1bc5c6 703 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 704 __clear_retrans_timer(chan);
705 __clear_monitor_timer(chan);
706 __clear_ack_timer(chan);
c13ffa62
GP		 707 }
708
fe4128e0
GP		 709 req.dcid = cpu_to_le16(chan->dcid);
710 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 711 l2cap_send_cmd(conn, l2cap_get_ident(conn),
712 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 713
89bc500e 714 l2cap_state_change(chan, BT_DISCONN);
9b108fc0 715 sk->sk_err = err;
22121fc9
GP		 716}
717
1da177e4 718/* ---- L2CAP connections ---- */
4e8402a3
MH		 719static void l2cap_conn_start(struct l2cap_conn *conn)
720{
3d57dc68 721 struct l2cap_chan *chan;
4e8402a3
MH		 722
723 BT_DBG("conn %p", conn);
724
3d57dc68 725 rcu_read_lock();
4e8402a3 726
3d57dc68 727 list_for_each_entry_rcu(chan, &conn->chan_l, list) {
48454079 728 struct sock *sk = chan->sk;
baa7e1fa 729
4e8402a3
MH		 730 bh_lock_sock(sk);
731
715ec005 732 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
79d554a6
MH		 733 bh_unlock_sock(sk);
734 continue;
735 }
736
89bc500e 737 if (chan->state == BT_CONNECT) {
47731de7 738 struct l2cap_conn_req req;
79d554a6 739
d45fc423 740 if (!l2cap_chan_check_security(chan) ||
b4450035 741 !__l2cap_no_conn_pending(chan)) {
47731de7
GP		 742 bh_unlock_sock(sk);
743 continue;
744 }
79d554a6 745
c1360a1c
GP		 746 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
747 && test_bit(CONF_STATE2_DEVICE,
748 &chan->conf_state)) {
0f852724 749 /* l2cap_chan_close() calls list_del(chan)
820ffdb3 750 * so release the lock */
89bc500e 751 l2cap_chan_close(chan, ECONNRESET);
47731de7
GP		 752 bh_unlock_sock(sk);
753 continue;
b1235d79 754 }
47731de7 755
fe4128e0
GP		 756 req.scid = cpu_to_le16(chan->scid);
757 req.psm = chan->psm;
47731de7 758
fc7f8a7e 759 chan->ident = l2cap_get_ident(conn);
c1360a1c 760 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
47731de7 761
fc7f8a7e
GP		 762 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
763 sizeof(req), &req);
47731de7 764
89bc500e 765 } else if (chan->state == BT_CONNECT2) {
79d554a6 766 struct l2cap_conn_rsp rsp;
e9aeb2dd 767 char buf[128];
fe4128e0
GP		 768 rsp.scid = cpu_to_le16(chan->dcid);
769 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 770
d45fc423 771 if (l2cap_chan_check_security(chan)) {
f66dc81f
MH		 772 if (bt_sk(sk)->defer_setup) {
773 struct sock *parent = bt_sk(sk)->parent;
774 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
775 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 776 if (parent)
777 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 778
779 } else {
89bc500e 780 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 781 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
782 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
783 }
79d554a6
MH		 784 } else {
785 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
786 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
787 }
788
fc7f8a7e
GP		 789 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
790 sizeof(rsp), &rsp);
e9aeb2dd 791
c1360a1c 792 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd
GP		 793 rsp.result != L2CAP_CR_SUCCESS) {
794 bh_unlock_sock(sk);
795 continue;
796 }
797
c1360a1c 798 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 799 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 800 l2cap_build_conf_req(chan, buf), buf);
801 chan->num_conf_req++;
4e8402a3
MH		 802 }
803
804 bh_unlock_sock(sk);
805 }
806
3d57dc68 807 rcu_read_unlock();
4e8402a3
MH		 808}
809
b62f328b
VT		 810/* Find socket with cid and source bdaddr.
811 * Returns closest match, locked.
812 */
23691d75 813static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
b62f328b 814{
23691d75 815 struct l2cap_chan *c, *c1 = NULL;
b62f328b 816
23691d75 817 read_lock(&chan_list_lock);
b62f328b 818
23691d75
GP		 819 list_for_each_entry(c, &chan_list, global_l) {
820 struct sock *sk = c->sk;
fe4128e0 821
89bc500e 822 if (state && c->state != state)
b62f328b
VT		 823 continue;
824
23691d75 825 if (c->scid == cid) {
b62f328b 826 /* Exact match. */
23691d75
GP		 827 if (!bacmp(&bt_sk(sk)->src, src)) {
828 read_unlock(&chan_list_lock);
829 return c;
830 }
b62f328b
VT		 831
832 /* Closest match */
833 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 834 c1 = c;
b62f328b
VT		 835 }
836 }
280f294f 837
23691d75 838 read_unlock(&chan_list_lock);
b62f328b 839
23691d75 840 return c1;
b62f328b
VT		 841}
842
843static void l2cap_le_conn_ready(struct l2cap_conn *conn)
844{
c916fbe4 845 struct sock *parent, *sk;
23691d75 846 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 847
848 BT_DBG("");
849
850 /* Check if we have socket listening on cid */
23691d75 851 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
b62f328b 852 conn->src);
23691d75 853 if (!pchan)
b62f328b
VT		 854 return;
855
23691d75
GP		 856 parent = pchan->sk;
857
aa2ac881 858 lock_sock(parent);
62f3a2cf 859
b62f328b
VT		 860 /* Check for backlog size */
861 if (sk_acceptq_is_full(parent)) {
862 BT_DBG("backlog full %d", parent->sk_ack_backlog);
863 goto clean;
864 }
865
80808e43
GP		 866 chan = pchan->ops->new_connection(pchan->data);
867 if (!chan)
b62f328b
VT		 868 goto clean;
869
80808e43 870 sk = chan->sk;
5d41ce1d 871
b62f328b
VT		 872 hci_conn_hold(conn->hcon);
873
b62f328b
VT		 874 bacpy(&bt_sk(sk)->src, conn->src);
875 bacpy(&bt_sk(sk)->dst, conn->dst);
876
d1010240
GP		 877 bt_accept_enqueue(parent, sk);
878
3d57dc68 879 l2cap_chan_add(conn, chan);
48454079 880
c9b66675 881 __set_chan_timer(chan, sk->sk_sndtimeo);
b62f328b 882
89bc500e 883 l2cap_state_change(chan, BT_CONNECTED);
b62f328b
VT		 884 parent->sk_data_ready(parent, 0);
885
b62f328b 886clean:
aa2ac881 887 release_sock(parent);
b62f328b
VT		 888}
889
cf4cd009 890static void l2cap_chan_ready(struct l2cap_chan *chan)
f1cb9af5 891{
cf4cd009 892 struct sock *sk = chan->sk;
f1cb9af5
VCG		 893 struct sock *parent = bt_sk(sk)->parent;
894
895 BT_DBG("sk %p, parent %p", sk, parent);
896
897 chan->conf_state = 0;
898 __clear_chan_timer(chan);
899
43f3dc41 900 l2cap_state_change(chan, BT_CONNECTED);
f1cb9af5
VCG		 901 sk->sk_state_change(sk);
902
903 if (parent)
904 parent->sk_data_ready(parent, 0);
905}
906
4e8402a3
MH		 907static void l2cap_conn_ready(struct l2cap_conn *conn)
908{
48454079 909 struct l2cap_chan *chan;
4e8402a3 910
79d554a6 911 BT_DBG("conn %p", conn);
4e8402a3 912
b62f328b
VT		 913 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
914 l2cap_le_conn_ready(conn);
915
160dc6ac
VCG		 916 if (conn->hcon->out && conn->hcon->type == LE_LINK)
917 smp_conn_security(conn, conn->hcon->pending_sec_level);
918
3d57dc68 919 rcu_read_lock();
4e8402a3 920
3d57dc68 921 list_for_each_entry_rcu(chan, &conn->chan_l, list) {
48454079 922 struct sock *sk = chan->sk;
baa7e1fa 923
79d554a6 924 bh_lock_sock(sk);
4e8402a3 925
63128451 926 if (conn->hcon->type == LE_LINK) {
b501d6a1 927 if (smp_conn_security(conn, chan->sec_level))
cf4cd009 928 l2cap_chan_ready(chan);
acd7d370 929
63128451 930 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 931 __clear_chan_timer(chan);
89bc500e 932 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 933 sk->sk_state_change(sk);
b501d6a1 934
89bc500e 935 } else if (chan->state == BT_CONNECT)
fc7f8a7e 936 l2cap_do_start(chan);
4e8402a3 937
79d554a6 938 bh_unlock_sock(sk);
4e8402a3 939 }
79d554a6 940
3d57dc68 941 rcu_read_unlock();
4e8402a3
MH		 942}
943
944/* Notify sockets that we cannot guaranty reliability anymore */
945static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
946{
48454079 947 struct l2cap_chan *chan;
4e8402a3
MH		 948
949 BT_DBG("conn %p", conn);
950
3d57dc68 951 rcu_read_lock();
4e8402a3 952
3d57dc68 953 list_for_each_entry_rcu(chan, &conn->chan_l, list) {
48454079 954 struct sock *sk = chan->sk;
baa7e1fa 955
ecf61bdb 956 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
4e8402a3
MH		 957 sk->sk_err = err;
958 }
959
3d57dc68 960 rcu_read_unlock();
4e8402a3
MH		 961}
962
f878fcad 963static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 964{
f878fcad 965 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
030013d8 966 info_timer.work);
4e8402a3 967
984947dc 968 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 969 conn->info_ident = 0;
984947dc 970
4e8402a3
MH		 971 l2cap_conn_start(conn);
972}
973
5d3de7df
VCG		 974static void l2cap_conn_del(struct hci_conn *hcon, int err)
975{
976 struct l2cap_conn *conn = hcon->l2cap_data;
977 struct l2cap_chan *chan, *l;
978 struct sock *sk;
979
980 if (!conn)
981 return;
982
983 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
984
985 kfree_skb(conn->rx_skb);
986
987 /* Kill channels */
988 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
989 sk = chan->sk;
aa2ac881 990 lock_sock(sk);
5d3de7df 991 l2cap_chan_del(chan, err);
aa2ac881 992 release_sock(sk);
5d3de7df
VCG		 993 chan->ops->close(chan->data);
994 }
995
73d80deb
LAD		 996 hci_chan_del(conn->hchan);
997
5d3de7df 998 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 999 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1000
51a8efd7 1001 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1002 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1003 smp_chan_destroy(conn);
d26a2345 1004 }
5d3de7df
VCG		 1005
1006 hcon->l2cap_data = NULL;
1007 kfree(conn);
1008}
1009
6c9d42a1 1010static void security_timeout(struct work_struct *work)
5d3de7df 1011{
6c9d42a1
GP		 1012 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1013 security_timer.work);
5d3de7df
VCG		 1014
1015 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1016}
1017
1da177e4
LT		 1018static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1019{
0139418c 1020 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1021 struct hci_chan *hchan;
1da177e4 1022
0139418c 1023 if (conn || status)
1da177e4
LT		 1024 return conn;
1025
73d80deb
LAD		 1026 hchan = hci_chan_create(hcon);
1027 if (!hchan)
1028 return NULL;
1029
0139418c 1030 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
73d80deb
LAD		 1031 if (!conn) {
1032 hci_chan_del(hchan);
1da177e4 1033 return NULL;
73d80deb 1034 }
1da177e4
LT		 1035
1036 hcon->l2cap_data = conn;
1037 conn->hcon = hcon;
73d80deb 1038 conn->hchan = hchan;
1da177e4 1039
73d80deb 1040 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1041
acd7d370
VT		 1042 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1043 conn->mtu = hcon->hdev->le_mtu;
1044 else
1045 conn->mtu = hcon->hdev->acl_mtu;
1046
1da177e4
LT		 1047 conn->src = &hcon->hdev->bdaddr;
1048 conn->dst = &hcon->dst;
1049
4e8402a3
MH		 1050 conn->feat_mask = 0;
1051
1da177e4 1052 spin_lock_init(&conn->lock);
baa7e1fa
GP		 1053
1054 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1055
5d3de7df 1056 if (hcon->type == LE_LINK)
6c9d42a1 1057 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1058 else
030013d8 1059 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1060
9f5a0d7b 1061 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1062
1da177e4
LT		 1063 return conn;
1064}
1065
1da177e4 1066/* ---- Socket interface ---- */
1da177e4
LT		 1067
1068/* Find socket with psm and source bdaddr.
1069 * Returns closest match.
1070 */
23691d75 1071static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4 1072{
23691d75 1073 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1074
23691d75 1075 read_lock(&chan_list_lock);
e0f0cb56 1076
23691d75
GP		 1077 list_for_each_entry(c, &chan_list, global_l) {
1078 struct sock *sk = c->sk;
fe4128e0 1079
89bc500e 1080 if (state && c->state != state)
1da177e4
LT		 1081 continue;
1082
23691d75 1083 if (c->psm == psm) {
1da177e4 1084 /* Exact match. */
23691d75 1085 if (!bacmp(&bt_sk(sk)->src, src)) {
a7567b20 1086 read_unlock(&chan_list_lock);
23691d75
GP		 1087 return c;
1088 }
1da177e4
LT		 1089
1090 /* Closest match */
1091 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
23691d75 1092 c1 = c;
1da177e4
LT		 1093 }
1094 }
1da177e4 1095
23691d75 1096 read_unlock(&chan_list_lock);
e0f0cb56 1097
23691d75 1098 return c1;
1da177e4
LT		 1099}
1100
cbe8fed4 1101int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid, bdaddr_t *dst)
1da177e4 1102{
5d41ce1d 1103 struct sock *sk = chan->sk;
1da177e4 1104 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1105 struct l2cap_conn *conn;
1106 struct hci_conn *hcon;
1107 struct hci_dev *hdev;
09ab6f4c 1108 __u8 auth_type;
44d0e48e 1109 int err;
1da177e4 1110
f29972de 1111 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
fe4128e0 1112 chan->psm);
1da177e4 1113
af05b30b
GP		 1114 hdev = hci_get_route(dst, src);
1115 if (!hdev)
1da177e4
LT		 1116 return -EHOSTUNREACH;
1117
09fd0de5 1118 hci_dev_lock(hdev);
1da177e4 1119
03a00194
GP		 1120 lock_sock(sk);
1121
1122 /* PSM must be odd and lsb of upper byte must be 0 */
1123 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1124 chan->chan_type != L2CAP_CHAN_RAW) {
1125 err = -EINVAL;
1126 goto done;
1127 }
1128
1129 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1130 err = -EINVAL;
1131 goto done;
1132 }
1133
1134 switch (chan->mode) {
1135 case L2CAP_MODE_BASIC:
1136 break;
1137 case L2CAP_MODE_ERTM:
1138 case L2CAP_MODE_STREAMING:
1139 if (!disable_ertm)
1140 break;
1141 /* fall through */
1142 default:
1143 err = -ENOTSUPP;
1144 goto done;
1145 }
1146
1147 switch (sk->sk_state) {
1148 case BT_CONNECT:
1149 case BT_CONNECT2:
1150 case BT_CONFIG:
1151 /* Already connecting */
1152 err = 0;
1153 goto done;
1154
1155 case BT_CONNECTED:
1156 /* Already connected */
1157 err = -EISCONN;
1158 goto done;
1159
1160 case BT_OPEN:
1161 case BT_BOUND:
1162 /* Can connect */
1163 break;
1164
1165 default:
1166 err = -EBADFD;
1167 goto done;
1168 }
1169
1170 /* Set destination address and psm */
9219b2a0 1171 bacpy(&bt_sk(sk)->dst, dst);
03a00194
GP		 1172 chan->psm = psm;
1173 chan->dcid = cid;
1da177e4 1174
4343478f 1175 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1176
fe4128e0 1177 if (chan->dcid == L2CAP_CID_LE_DATA)
acd7d370 1178 hcon = hci_connect(hdev, LE_LINK, dst,
4343478f 1179 chan->sec_level, auth_type);
acd7d370
VT		 1180 else
1181 hcon = hci_connect(hdev, ACL_LINK, dst,
4343478f 1182 chan->sec_level, auth_type);
acd7d370 1183
30e76272
VT		 1184 if (IS_ERR(hcon)) {
1185 err = PTR_ERR(hcon);
1da177e4 1186 goto done;
30e76272 1187 }
1da177e4
LT		 1188
1189 conn = l2cap_conn_add(hcon, 0);
1190 if (!conn) {
1191 hci_conn_put(hcon);
30e76272 1192 err = -ENOMEM;
1da177e4
LT		 1193 goto done;
1194 }
1195
1da177e4
LT		 1196 /* Update source addr of the socket */
1197 bacpy(src, conn->src);
1198
48454079
GP		 1199 l2cap_chan_add(conn, chan);
1200
89bc500e 1201 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1202 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1203
1204 if (hcon->state == BT_CONNECTED) {
715ec005 1205 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1206 __clear_chan_timer(chan);
d45fc423 1207 if (l2cap_chan_check_security(chan))
89bc500e 1208 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1209 } else
fc7f8a7e 1210 l2cap_do_start(chan);
1da177e4
LT		 1211 }
1212
30e76272
VT		 1213 err = 0;
1214
1da177e4 1215done:
09fd0de5 1216 hci_dev_unlock(hdev);
1da177e4
LT		 1217 hci_dev_put(hdev);
1218 return err;
1219}
1220
dcba0dba 1221int __l2cap_wait_ack(struct sock *sk)
6161c038 1222{
8c1d787b 1223 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1224 DECLARE_WAITQUEUE(wait, current);
1225 int err = 0;
1226 int timeo = HZ/5;
1227
2b0b05dd 1228 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1229 set_current_state(TASK_INTERRUPTIBLE);
1230 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1231 if (!timeo)
1232 timeo = HZ/5;
1233
1234 if (signal_pending(current)) {
1235 err = sock_intr_errno(timeo);
1236 break;
1237 }
1238
1239 release_sock(sk);
1240 timeo = schedule_timeout(timeo);
1241 lock_sock(sk);
a71a0cf4 1242 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1243
1244 err = sock_error(sk);
1245 if (err)
1246 break;
1247 }
1248 set_current_state(TASK_RUNNING);
2b0b05dd 1249 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1250 return err;
1251}
1252
721c4181 1253static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1254{
721c4181
GP		 1255 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1256 monitor_timer.work);
525cd185 1257 struct sock *sk = chan->sk;
e90bac06 1258
525cd185 1259 BT_DBG("chan %p", chan);
0e98958d 1260
721c4181 1261 lock_sock(sk);
2c03a7a4 1262 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1263 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
721c4181 1264 release_sock(sk);
e90bac06
GP		 1265 return;
1266 }
1267
6a026610 1268 chan->retry_count++;
1a09bcb9 1269 __set_monitor_timer(chan);
e90bac06 1270
525cd185 1271 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
721c4181 1272 release_sock(sk);
e90bac06
GP		 1273}
1274
721c4181 1275static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1276{
721c4181
GP		 1277 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1278 retrans_timer.work);
525cd185 1279 struct sock *sk = chan->sk;
e90bac06 1280
49208c9c 1281 BT_DBG("chan %p", chan);
0e98958d 1282
721c4181 1283 lock_sock(sk);
6a026610 1284 chan->retry_count = 1;
1a09bcb9 1285 __set_monitor_timer(chan);
e90bac06 1286
e2ab4353 1287 set_bit(CONN_WAIT_F, &chan->conn_state);
e90bac06 1288
525cd185 1289 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
721c4181 1290 release_sock(sk);
e90bac06
GP		 1291}
1292
42e5c802 1293static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1da177e4 1294{
1c2acffb 1295 struct sk_buff *skb;
1da177e4 1296
58d35f87 1297 while ((skb = skb_peek(&chan->tx_q)) &&
6a026610 1298 chan->unacked_frames) {
42e5c802 1299 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1c2acffb 1300 break;
1da177e4 1301
58d35f87 1302 skb = skb_dequeue(&chan->tx_q);
1c2acffb 1303 kfree_skb(skb);
1da177e4 1304
6a026610 1305 chan->unacked_frames--;
1c2acffb 1306 }
1da177e4 1307
6a026610 1308 if (!chan->unacked_frames)
1a09bcb9 1309 __clear_retrans_timer(chan);
1c2acffb 1310}
1da177e4 1311
67c9e840 1312static void l2cap_streaming_send(struct l2cap_chan *chan)
6840ed07 1313{
ccbb84af 1314 struct sk_buff *skb;
88843ab0
AE		 1315 u32 control;
1316 u16 fcs;
6840ed07 1317
58d35f87 1318 while ((skb = skb_dequeue(&chan->tx_q))) {
88843ab0 1319 control = __get_control(chan, skb->data + L2CAP_HDR_SIZE);
fb45de7d 1320 control |= __set_txseq(chan, chan->next_tx_seq);
88843ab0 1321 __put_control(chan, control, skb->data + L2CAP_HDR_SIZE);
6840ed07 1322
47d1ec61 1323 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1324 fcs = crc16(0, (u8 *)skb->data,
1325 skb->len - L2CAP_FCS_SIZE);
1326 put_unaligned_le16(fcs,
1327 skb->data + skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 1328 }
1329
4343478f 1330 l2cap_do_send(chan, skb);
6840ed07 1331
836be934 1332 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
6840ed07 1333 }
6840ed07
GP		 1334}
1335
fb45de7d 1336static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 1337{
8f17154f 1338 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1339 u16 fcs;
1340 u32 control;
8f17154f 1341
58d35f87 1342 skb = skb_peek(&chan->tx_q);
f11d676d
GP		 1343 if (!skb)
1344 return;
8f17154f 1345
d1726b6d 1346 while (bt_cb(skb)->tx_seq != tx_seq) {
58d35f87 1347 if (skb_queue_is_last(&chan->tx_q, skb))
f11d676d 1348 return;
8f17154f 1349
d1726b6d
SJ		 1350 skb = skb_queue_next(&chan->tx_q, skb);
1351 }
8f17154f 1352
2c03a7a4
GP		 1353 if (chan->remote_max_tx &&
1354 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1355 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
f11d676d
GP		 1356 return;
1357 }
1358
1359 tx_skb = skb_clone(skb, GFP_ATOMIC);
1360 bt_cb(skb)->retries++;
88843ab0
AE		 1361
1362 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1363 control &= __get_sar_mask(chan);
3cb123d1 1364
e2ab4353 1365 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1366 control |= __set_ctrl_final(chan);
95ffa978 1367
0b209fae 1368 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1369 control |= __set_txseq(chan, tx_seq);
3cb123d1 1370
88843ab0 1371 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
f11d676d 1372
47d1ec61 1373 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1374 fcs = crc16(0, (u8 *)tx_skb->data,
1375 tx_skb->len - L2CAP_FCS_SIZE);
1376 put_unaligned_le16(fcs,
1377 tx_skb->data + tx_skb->len - L2CAP_FCS_SIZE);
f11d676d
GP		 1378 }
1379
4343478f 1380 l2cap_do_send(chan, tx_skb);
8f17154f
GP		 1381}
1382
67c9e840 1383static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1384{
1385 struct sk_buff *skb, *tx_skb;
88843ab0
AE		 1386 u16 fcs;
1387 u32 control;
9a9c6a34 1388 int nsent = 0;
1c2acffb 1389
89bc500e 1390 if (chan->state != BT_CONNECTED)
c13ffa62 1391 return -ENOTCONN;
e90bac06 1392
58d35f87 1393 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1c2acffb 1394
2c03a7a4
GP		 1395 if (chan->remote_max_tx &&
1396 bt_cb(skb)->retries == chan->remote_max_tx) {
8c1d787b 1397 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
e90bac06
GP		 1398 break;
1399 }
1400
e420aba3
AE		 1401 tx_skb = skb_clone(skb, GFP_ATOMIC);
1402
e90bac06
GP		 1403 bt_cb(skb)->retries++;
1404
88843ab0 1405 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
7e0ef6ee 1406 control &= __get_sar_mask(chan);
95ffa978 1407
e2ab4353 1408 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
03f6715d 1409 control |= __set_ctrl_final(chan);
e2ab4353 1410
0b209fae 1411 control |= __set_reqseq(chan, chan->buffer_seq);
fb45de7d 1412 control |= __set_txseq(chan, chan->next_tx_seq);
1c2acffb 1413
88843ab0 1414 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
e90bac06 1415
47d1ec61 1416 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213
AE		 1417 fcs = crc16(0, (u8 *)skb->data,
1418 tx_skb->len - L2CAP_FCS_SIZE);
1419 put_unaligned_le16(fcs, skb->data +
1420 tx_skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 1421 }
1422
4343478f 1423 l2cap_do_send(chan, tx_skb);
9a9c6a34 1424
1a09bcb9 1425 __set_retrans_timer(chan);
1c2acffb 1426
42e5c802 1427 bt_cb(skb)->tx_seq = chan->next_tx_seq;
836be934
AE		 1428
1429 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1c2acffb 1430
8ed7a0ae 1431 if (bt_cb(skb)->retries == 1) {
6a026610 1432 chan->unacked_frames++;
930fa4ae
SJ		 1433
1434 if (!nsent++)
1435 __clear_ack_timer(chan);
8ed7a0ae 1436 }
23e9fde2 1437
6a026610 1438 chan->frames_sent++;
1c2acffb 1439
58d35f87
GP		 1440 if (skb_queue_is_last(&chan->tx_q, skb))
1441 chan->tx_send_head = NULL;
1c2acffb 1442 else
58d35f87 1443 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1c2acffb
GP		 1444 }
1445
9e917af1
GP		 1446 return nsent;
1447}
1448
525cd185 1449static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1450{
dfc909be
GP		 1451 int ret;
1452
58d35f87
GP		 1453 if (!skb_queue_empty(&chan->tx_q))
1454 chan->tx_send_head = chan->tx_q.next;
dfc909be 1455
42e5c802 1456 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1457 ret = l2cap_ertm_send(chan);
dfc909be
GP		 1458 return ret;
1459}
1460
b17e73bb 1461static void __l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1462{
88843ab0 1463 u32 control = 0;
9e917af1 1464
0b209fae 1465 control |= __set_reqseq(chan, chan->buffer_seq);
9e917af1 1466
e2ab4353 1467 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 1468 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 1469 set_bit(CONN_RNR_SENT, &chan->conn_state);
525cd185 1470 l2cap_send_sframe(chan, control);
9a9c6a34 1471 return;
9e917af1 1472 }
dfc909be 1473
525cd185 1474 if (l2cap_ertm_send(chan) > 0)
dfc909be
GP		 1475 return;
1476
ab784b73 1477 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 1478 l2cap_send_sframe(chan, control);
1c2acffb
GP		 1479}
1480
b17e73bb
SJ		 1481static void l2cap_send_ack(struct l2cap_chan *chan)
1482{
1483 __clear_ack_timer(chan);
1484 __l2cap_send_ack(chan);
1485}
1486
525cd185 1487static void l2cap_send_srejtail(struct l2cap_chan *chan)
99b0d4b7
GP		 1488{
1489 struct srej_list *tail;
88843ab0 1490 u32 control;
99b0d4b7 1491
ab784b73 1492 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
03f6715d 1493 control |= __set_ctrl_final(chan);
99b0d4b7 1494
39d5a3ee 1495 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
0b209fae 1496 control |= __set_reqseq(chan, tail->tx_seq);
99b0d4b7 1497
525cd185 1498 l2cap_send_sframe(chan, control);
99b0d4b7
GP		 1499}
1500
0952a57a 1501static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1c2acffb 1502{
0952a57a 1503 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1504 struct sk_buff **frag;
1505 int err, sent = 0;
1da177e4 1506
59203a21 1507 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1508 return -EFAULT;
1da177e4
LT		 1509
1510 sent += count;
1511 len -= count;
1512
1513 /* Continuation fragments (no L2CAP header) */
1514 frag = &skb_shinfo(skb)->frag_list;
1515 while (len) {
1516 count = min_t(unsigned int, conn->mtu, len);
1517
2f7719ce
AE		 1518 *frag = chan->ops->alloc_skb(chan, count,
1519 msg->msg_flags & MSG_DONTWAIT, &err);
1520
1da177e4 1521 if (!*frag)
0175d629 1522 return err;
1c2acffb
GP		 1523 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1524 return -EFAULT;
1da177e4 1525
5e59b791
LAD		 1526 (*frag)->priority = skb->priority;
1527
1da177e4
LT		 1528 sent += count;
1529 len -= count;
1530
1531 frag = &(*frag)->next;
1532 }
1da177e4
LT		 1533
1534 return sent;
1c2acffb 1535}
1da177e4 1536
5e59b791
LAD		 1537static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
1538 struct msghdr *msg, size_t len,
1539 u32 priority)
1c2acffb 1540{
8c1d787b 1541 struct l2cap_conn *conn = chan->conn;
1c2acffb 1542 struct sk_buff *skb;
03a51213 1543 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 1544 struct l2cap_hdr *lh;
1545
6d5922b0 1546 BT_DBG("chan %p len %d priority %u", chan, (int)len, priority);
1c2acffb
GP		 1547
1548 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1549
1550 skb = chan->ops->alloc_skb(chan, count + hlen,
1551 msg->msg_flags & MSG_DONTWAIT, &err);
1552
1c2acffb 1553 if (!skb)
0175d629 1554 return ERR_PTR(err);
1c2acffb 1555
5e59b791
LAD		 1556 skb->priority = priority;
1557
1c2acffb
GP		 1558 /* Create L2CAP header */
1559 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1560 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1561 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
fe4128e0 1562 put_unaligned_le16(chan->psm, skb_put(skb, 2));
1c2acffb 1563
0952a57a 1564 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1565 if (unlikely(err < 0)) {
1566 kfree_skb(skb);
1567 return ERR_PTR(err);
1568 }
1569 return skb;
1570}
1571
5e59b791
LAD		 1572static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
1573 struct msghdr *msg, size_t len,
1574 u32 priority)
1c2acffb 1575{
8c1d787b 1576 struct l2cap_conn *conn = chan->conn;
1c2acffb
GP		 1577 struct sk_buff *skb;
1578 int err, count, hlen = L2CAP_HDR_SIZE;
1579 struct l2cap_hdr *lh;
1580
6d5922b0 1581 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb
GP		 1582
1583 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1584
1585 skb = chan->ops->alloc_skb(chan, count + hlen,
1586 msg->msg_flags & MSG_DONTWAIT, &err);
1587
1c2acffb 1588 if (!skb)
0175d629 1589 return ERR_PTR(err);
1c2acffb 1590
5e59b791
LAD		 1591 skb->priority = priority;
1592
1c2acffb
GP		 1593 /* Create L2CAP header */
1594 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1595 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb
GP		 1596 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1597
0952a57a 1598 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1599 if (unlikely(err < 0)) {
1600 kfree_skb(skb);
1601 return ERR_PTR(err);
1602 }
1603 return skb;
1604}
1605
ab0ff76d
LAD		 1606static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
1607 struct msghdr *msg, size_t len,
88843ab0 1608 u32 control, u16 sdulen)
1c2acffb 1609{
8c1d787b 1610 struct l2cap_conn *conn = chan->conn;
1c2acffb 1611 struct sk_buff *skb;
e4ca6d98 1612 int err, count, hlen;
1c2acffb
GP		 1613 struct l2cap_hdr *lh;
1614
6d5922b0 1615 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 1616
0ee0d208
GP		 1617 if (!conn)
1618 return ERR_PTR(-ENOTCONN);
1619
e4ca6d98
AE		 1620 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1621 hlen = L2CAP_EXT_HDR_SIZE;
1622 else
1623 hlen = L2CAP_ENH_HDR_SIZE;
1624
c74e560c 1625 if (sdulen)
03a51213 1626 hlen += L2CAP_SDULEN_SIZE;
c74e560c 1627
47d1ec61 1628 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1629 hlen += L2CAP_FCS_SIZE;
fcc203c3 1630
1c2acffb 1631 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1632
1633 skb = chan->ops->alloc_skb(chan, count + hlen,
1634 msg->msg_flags & MSG_DONTWAIT, &err);
1635
1c2acffb 1636 if (!skb)
0175d629 1637 return ERR_PTR(err);
1c2acffb
GP		 1638
1639 /* Create L2CAP header */
1640 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1641 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1642 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0
AE		 1643
1644 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
1645
c74e560c 1646 if (sdulen)
03a51213 1647 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 1648
0952a57a 1649 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1650 if (unlikely(err < 0)) {
1651 kfree_skb(skb);
1652 return ERR_PTR(err);
1653 }
e90bac06 1654
47d1ec61 1655 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1656 put_unaligned_le16(0, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3 1657
e90bac06 1658 bt_cb(skb)->retries = 0;
1c2acffb 1659 return skb;
1da177e4
LT		 1660}
1661
67c9e840 1662static int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
c74e560c 1663{
c74e560c
GP		 1664 struct sk_buff *skb;
1665 struct sk_buff_head sar_queue;
88843ab0 1666 u32 control;
c74e560c
GP		 1667 size_t size = 0;
1668
ff12fd64 1669 skb_queue_head_init(&sar_queue);
7e0ef6ee 1670 control = __set_ctrl_sar(chan, L2CAP_SAR_START);
47d1ec61 1671 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
c74e560c
GP		 1672 if (IS_ERR(skb))
1673 return PTR_ERR(skb);
1674
1675 __skb_queue_tail(&sar_queue, skb);
2c03a7a4
GP		 1676 len -= chan->remote_mps;
1677 size += chan->remote_mps;
c74e560c
GP		 1678
1679 while (len > 0) {
1680 size_t buflen;
1681
2c03a7a4 1682 if (len > chan->remote_mps) {
7e0ef6ee 1683 control = __set_ctrl_sar(chan, L2CAP_SAR_CONTINUE);
2c03a7a4 1684 buflen = chan->remote_mps;
c74e560c 1685 } else {
7e0ef6ee 1686 control = __set_ctrl_sar(chan, L2CAP_SAR_END);
c74e560c
GP		 1687 buflen = len;
1688 }
1689
47d1ec61 1690 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
c74e560c
GP		 1691 if (IS_ERR(skb)) {
1692 skb_queue_purge(&sar_queue);
1693 return PTR_ERR(skb);
1694 }
1695
1696 __skb_queue_tail(&sar_queue, skb);
1697 len -= buflen;
1698 size += buflen;
c74e560c 1699 }
58d35f87
GP		 1700 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
1701 if (chan->tx_send_head == NULL)
1702 chan->tx_send_head = sar_queue.next;
c74e560c
GP		 1703
1704 return size;
1705}
1706
5e59b791
LAD		 1707int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
1708 u32 priority)
9a91a04a 1709{
9a91a04a 1710 struct sk_buff *skb;
88843ab0 1711 u32 control;
9a91a04a
GP		 1712 int err;
1713
1714 /* Connectionless channel */
715ec005 1715 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 1716 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 1717 if (IS_ERR(skb))
1718 return PTR_ERR(skb);
1719
1720 l2cap_do_send(chan, skb);
1721 return len;
1722 }
1723
1724 switch (chan->mode) {
1725 case L2CAP_MODE_BASIC:
1726 /* Check outgoing MTU */
1727 if (len > chan->omtu)
1728 return -EMSGSIZE;
1729
1730 /* Create a basic PDU */
5e59b791 1731 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 1732 if (IS_ERR(skb))
1733 return PTR_ERR(skb);
1734
1735 l2cap_do_send(chan, skb);
1736 err = len;
1737 break;
1738
1739 case L2CAP_MODE_ERTM:
1740 case L2CAP_MODE_STREAMING:
1741 /* Entire SDU fits into one PDU */
1742 if (len <= chan->remote_mps) {
7e0ef6ee 1743 control = __set_ctrl_sar(chan, L2CAP_SAR_UNSEGMENTED);
9a91a04a
GP		 1744 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
1745 0);
1746 if (IS_ERR(skb))
1747 return PTR_ERR(skb);
1748
1749 __skb_queue_tail(&chan->tx_q, skb);
1750
1751 if (chan->tx_send_head == NULL)
1752 chan->tx_send_head = skb;
1753
1754 } else {
1755 /* Segment SDU into multiples PDUs */
1756 err = l2cap_sar_segment_sdu(chan, msg, len);
1757 if (err < 0)
1758 return err;
1759 }
1760
1761 if (chan->mode == L2CAP_MODE_STREAMING) {
1762 l2cap_streaming_send(chan);
1763 err = len;
1764 break;
1765 }
1766
e2ab4353
GP		 1767 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
1768 test_bit(CONN_WAIT_F, &chan->conn_state)) {
9a91a04a
GP		 1769 err = len;
1770 break;
1771 }
1772
1773 err = l2cap_ertm_send(chan);
1774 if (err >= 0)
1775 err = len;
1776
1777 break;
1778
1779 default:
1780 BT_DBG("bad state %1.1x", chan->mode);
1781 err = -EBADFD;
1782 }
1783
1784 return err;
1785}
1786
1da177e4
LT		 1787/* Copy frame to all raw sockets on that connection */
1788static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1789{
1da177e4 1790 struct sk_buff *nskb;
48454079 1791 struct l2cap_chan *chan;
1da177e4
LT		 1792
1793 BT_DBG("conn %p", conn);
1794
3d57dc68
GP		 1795 rcu_read_lock();
1796
1797 list_for_each_entry_rcu(chan, &conn->chan_l, list) {
48454079 1798 struct sock *sk = chan->sk;
715ec005 1799 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 1800 continue;
1801
1802 /* Don't send frame to the socket it came from */
1803 if (skb->sk == sk)
1804 continue;
af05b30b
GP		 1805 nskb = skb_clone(skb, GFP_ATOMIC);
1806 if (!nskb)
1da177e4
LT		 1807 continue;
1808
23070494 1809 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT		 1810 kfree_skb(nskb);
1811 }
3d57dc68
GP		 1812
1813 rcu_read_unlock();
1da177e4
LT		 1814}
1815
1816/* ---- L2CAP signalling commands ---- */
1817static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1818 u8 code, u8 ident, u16 dlen, void *data)
1819{
1820 struct sk_buff *skb, **frag;
1821 struct l2cap_cmd_hdr *cmd;
1822 struct l2cap_hdr *lh;
1823 int len, count;
1824
af05b30b
GP		 1825 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1826 conn, code, ident, dlen);
1da177e4
LT		 1827
1828 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1829 count = min_t(unsigned int, conn->mtu, len);
1830
1831 skb = bt_skb_alloc(count, GFP_ATOMIC);
1832 if (!skb)
1833 return NULL;
1834
1835 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 1836 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 1837
1838 if (conn->hcon->type == LE_LINK)
1839 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
1840 else
1841 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 1842
1843 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1844 cmd->code = code;
1845 cmd->ident = ident;
aca3192c 1846 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 1847
1848 if (dlen) {
1849 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1850 memcpy(skb_put(skb, count), data, count);
1851 data += count;
1852 }
1853
1854 len -= skb->len;
1855
1856 /* Continuation fragments (no L2CAP header) */
1857 frag = &skb_shinfo(skb)->frag_list;
1858 while (len) {
1859 count = min_t(unsigned int, conn->mtu, len);
1860
1861 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1862 if (!*frag)
1863 goto fail;
1864
1865 memcpy(skb_put(*frag, count), data, count);
1866
1867 len -= count;
1868 data += count;
1869
1870 frag = &(*frag)->next;
1871 }
1872
1873 return skb;
1874
1875fail:
1876 kfree_skb(skb);
1877 return NULL;
1878}
1879
1880static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1881{
1882 struct l2cap_conf_opt *opt = *ptr;
1883 int len;
1884
1885 len = L2CAP_CONF_OPT_SIZE + opt->len;
1886 *ptr += len;
1887
1888 *type = opt->type;
1889 *olen = opt->len;
1890
1891 switch (opt->len) {
1892 case 1:
1893 *val = *((u8 *) opt->val);
1894 break;
1895
1896 case 2:
bfaaeb3e 1897 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 1898 break;
1899
1900 case 4:
bfaaeb3e 1901 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 1902 break;
1903
1904 default:
1905 *val = (unsigned long) opt->val;
1906 break;
1907 }
1908
1909 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1910 return len;
1911}
1912
1da177e4
LT		 1913static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1914{
1915 struct l2cap_conf_opt *opt = *ptr;
1916
1917 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1918
1919 opt->type = type;
1920 opt->len = len;
1921
1922 switch (len) {
1923 case 1:
1924 *((u8 *) opt->val) = val;
1925 break;
1926
1927 case 2:
4f8b691c 1928 put_unaligned_le16(val, opt->val);
1da177e4
LT		 1929 break;
1930
1931 case 4:
4f8b691c 1932 put_unaligned_le32(val, opt->val);
1da177e4
LT		 1933 break;
1934
1935 default:
1936 memcpy(opt->val, (void *) val, len);
1937 break;
1938 }
1939
1940 *ptr += L2CAP_CONF_OPT_SIZE + len;
1941}
1942
f89cef09
AE		 1943static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
1944{
1945 struct l2cap_conf_efs efs;
1946
1ec918ce 1947 switch (chan->mode) {
f89cef09
AE		 1948 case L2CAP_MODE_ERTM:
1949 efs.id = chan->local_id;
1950 efs.stype = chan->local_stype;
1951 efs.msdu = cpu_to_le16(chan->local_msdu);
1952 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
1953 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
1954 efs.flush_to = cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
1955 break;
1956
1957 case L2CAP_MODE_STREAMING:
1958 efs.id = 1;
1959 efs.stype = L2CAP_SERV_BESTEFFORT;
1960 efs.msdu = cpu_to_le16(chan->local_msdu);
1961 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
1962 efs.acc_lat = 0;
1963 efs.flush_to = 0;
1964 break;
1965
1966 default:
1967 return;
1968 }
1969
1970 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
1971 (unsigned long) &efs);
1972}
1973
721c4181 1974static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 1975{
721c4181
GP		 1976 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1977 ack_timer.work);
c1b4f43b 1978
2fb9b3d4
GP		 1979 BT_DBG("chan %p", chan);
1980
721c4181 1981 lock_sock(chan->sk);
b17e73bb 1982 __l2cap_send_ack(chan);
721c4181 1983 release_sock(chan->sk);
09bfb2ee
SJ		 1984
1985 l2cap_chan_put(chan);
c1b4f43b
GP		 1986}
1987
525cd185 1988static inline void l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 1989{
42e5c802 1990 chan->expected_ack_seq = 0;
6a026610 1991 chan->unacked_frames = 0;
42e5c802 1992 chan->buffer_seq = 0;
6a026610
GP		 1993 chan->num_acked = 0;
1994 chan->frames_sent = 0;
0565c1c2 1995
721c4181
GP		 1996 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
1997 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
1998 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 1999
f1c6775b 2000 skb_queue_head_init(&chan->srej_q);
1890d36b 2001
39d5a3ee 2002 INIT_LIST_HEAD(&chan->srej_l);
0565c1c2
GP		 2003}
2004
f2fcfcd6
GP		 2005static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2006{
2007 switch (mode) {
2008 case L2CAP_MODE_STREAMING:
2009 case L2CAP_MODE_ERTM:
2010 if (l2cap_mode_supported(mode, remote_feat_mask))
2011 return mode;
2012 /* fall through */
2013 default:
2014 return L2CAP_MODE_BASIC;
2015 }
2016}
2017
6327eb98
AE		 2018static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2019{
2020 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2021}
2022
f89cef09
AE		 2023static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2024{
2025 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2026}
2027
6327eb98
AE		 2028static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2029{
2030 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 2031 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2032 /* use extended control field */
2033 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2034 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2035 } else {
6327eb98
AE		 2036 chan->tx_win = min_t(u16, chan->tx_win,
2037 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2038 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2039 }
6327eb98
AE		 2040}
2041
710f9b0a 2042static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2043{
1da177e4 2044 struct l2cap_conf_req *req = data;
0c1bc5c6 2045 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2046 void *ptr = req->data;
c8f79162 2047 u16 size;
1da177e4 2048
49208c9c 2049 BT_DBG("chan %p", chan);
1da177e4 2050
73ffa904 2051 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2052 goto done;
2053
0c1bc5c6 2054 switch (chan->mode) {
f2fcfcd6
GP		 2055 case L2CAP_MODE_STREAMING:
2056 case L2CAP_MODE_ERTM:
c1360a1c 2057 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2058 break;
85eb53c6 2059
f89cef09
AE		 2060 if (__l2cap_efs_supported(chan))
2061 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2062
2ba13ed6 2063 /* fall through */
f2fcfcd6 2064 default:
8c1d787b 2065 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2066 break;
2067 }
2068
2069done:
0c1bc5c6
GP		 2070 if (chan->imtu != L2CAP_DEFAULT_MTU)
2071 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2072
0c1bc5c6 2073 switch (chan->mode) {
65c7c491 2074 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2075 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2076 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2077 break;
2078
62547752
GP		 2079 rfc.mode = L2CAP_MODE_BASIC;
2080 rfc.txwin_size = 0;
2081 rfc.max_transmit = 0;
2082 rfc.retrans_timeout = 0;
2083 rfc.monitor_timeout = 0;
2084 rfc.max_pdu_size = 0;
2085
63406504
GP		 2086 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2087 (unsigned long) &rfc);
65c7c491
MH		 2088 break;
2089
2090 case L2CAP_MODE_ERTM:
2091 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2092 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2093 rfc.retrans_timeout = 0;
2094 rfc.monitor_timeout = 0;
c8f79162
AE		 2095
2096 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2097 L2CAP_EXT_HDR_SIZE -
2098 L2CAP_SDULEN_SIZE -
2099 L2CAP_FCS_SIZE);
2100 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2101
6327eb98
AE		 2102 l2cap_txwin_setup(chan);
2103
2104 rfc.txwin_size = min_t(u16, chan->tx_win,
2105 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2106
63406504
GP		 2107 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2108 (unsigned long) &rfc);
2109
f89cef09
AE		 2110 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2111 l2cap_add_opt_efs(&ptr, chan);
2112
8c1d787b 2113 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2114 break;
2115
47d1ec61 2116 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2117 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2118 chan->fcs = L2CAP_FCS_NONE;
2119 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2120 }
6327eb98
AE		 2121
2122 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2123 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2124 chan->tx_win);
f2fcfcd6
GP		 2125 break;
2126
2127 case L2CAP_MODE_STREAMING:
2128 rfc.mode = L2CAP_MODE_STREAMING;
2129 rfc.txwin_size = 0;
2130 rfc.max_transmit = 0;
2131 rfc.retrans_timeout = 0;
2132 rfc.monitor_timeout = 0;
c8f79162
AE		 2133
2134 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2135 L2CAP_EXT_HDR_SIZE -
2136 L2CAP_SDULEN_SIZE -
2137 L2CAP_FCS_SIZE);
2138 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2139
63406504
GP		 2140 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2141 (unsigned long) &rfc);
2142
f89cef09
AE		 2143 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2144 l2cap_add_opt_efs(&ptr, chan);
2145
8c1d787b 2146 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2147 break;
2148
47d1ec61 2149 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2150 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2151 chan->fcs = L2CAP_FCS_NONE;
2152 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2153 }
65c7c491
MH		 2154 break;
2155 }
1da177e4 2156
fe4128e0 2157 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 2158 req->flags = cpu_to_le16(0);
1da177e4
LT		 2159
2160 return ptr - data;
2161}
2162
73ffa904 2163static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2164{
5dee9e7c
MH		 2165 struct l2cap_conf_rsp *rsp = data;
2166 void *ptr = rsp->data;
73ffa904
GP		 2167 void *req = chan->conf_req;
2168 int len = chan->conf_len;
5dee9e7c
MH		 2169 int type, hint, olen;
2170 unsigned long val;
6464f35f 2171 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2172 struct l2cap_conf_efs efs;
2173 u8 remote_efs = 0;
861d6882 2174 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2175 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2176 u16 size;
1da177e4 2177
73ffa904 2178 BT_DBG("chan %p", chan);
820ae1b8 2179
5dee9e7c
MH		 2180 while (len >= L2CAP_CONF_OPT_SIZE) {
2181 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2182
589d2746 2183 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2184 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2185
2186 switch (type) {
2187 case L2CAP_CONF_MTU:
861d6882 2188 mtu = val;
5dee9e7c
MH		 2189 break;
2190
2191 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2192 chan->flush_to = val;
5dee9e7c
MH		 2193 break;
2194
2195 case L2CAP_CONF_QOS:
2196 break;
2197
6464f35f
MH		 2198 case L2CAP_CONF_RFC:
2199 if (olen == sizeof(rfc))
2200 memcpy(&rfc, (void *) val, olen);
2201 break;
2202
fcc203c3
GP		 2203 case L2CAP_CONF_FCS:
2204 if (val == L2CAP_FCS_NONE)
c1360a1c 2205 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 2206 break;
fcc203c3 2207
42dceae2
AE		 2208 case L2CAP_CONF_EFS:
2209 remote_efs = 1;
2210 if (olen == sizeof(efs))
2211 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 2212 break;
2213
6327eb98
AE		 2214 case L2CAP_CONF_EWS:
2215 if (!enable_hs)
2216 return -ECONNREFUSED;
fcc203c3 2217
6327eb98
AE		 2218 set_bit(FLAG_EXT_CTRL, &chan->flags);
2219 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 2220 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 2221 chan->remote_tx_win = val;
fcc203c3
GP		 2222 break;
2223
5dee9e7c
MH		 2224 default:
2225 if (hint)
2226 break;
2227
2228 result = L2CAP_CONF_UNKNOWN;
2229 *((u8 *) ptr++) = type;
2230 break;
2231 }
2232 }
2233
73ffa904 2234 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2235 goto done;
2236
0c1bc5c6 2237 switch (chan->mode) {
f2fcfcd6
GP		 2238 case L2CAP_MODE_STREAMING:
2239 case L2CAP_MODE_ERTM:
c1360a1c 2240 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2241 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2242 chan->conn->feat_mask);
85eb53c6
GP		 2243 break;
2244 }
2245
42dceae2
AE		 2246 if (remote_efs) {
2247 if (__l2cap_efs_supported(chan))
2248 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2249 else
2250 return -ECONNREFUSED;
2251 }
2252
0c1bc5c6 2253 if (chan->mode != rfc.mode)
f2fcfcd6 2254 return -ECONNREFUSED;
742e519b 2255
f2fcfcd6 2256 break;
f2fcfcd6
GP		 2257 }
2258
2259done:
0c1bc5c6 2260 if (chan->mode != rfc.mode) {
f2fcfcd6 2261 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2262 rfc.mode = chan->mode;
f2fcfcd6 2263
73ffa904 2264 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2265 return -ECONNREFUSED;
2266
2267 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2268 sizeof(rfc), (unsigned long) &rfc);
2269 }
2270
5dee9e7c
MH		 2271 if (result == L2CAP_CONF_SUCCESS) {
2272 /* Configure output options and let the other side know
2273 * which ones we don't like. */
2274
f2fcfcd6
GP		 2275 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2276 result = L2CAP_CONF_UNACCEPT;
2277 else {
0c1bc5c6 2278 chan->omtu = mtu;
c1360a1c 2279 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 2280 }
0c1bc5c6 2281 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2282
42dceae2
AE		 2283 if (remote_efs) {
2284 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2285 efs.stype != L2CAP_SERV_NOTRAFIC &&
2286 efs.stype != chan->local_stype) {
2287
2288 result = L2CAP_CONF_UNACCEPT;
2289
2290 if (chan->num_conf_req >= 1)
2291 return -ECONNREFUSED;
2292
2293 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 2294 sizeof(efs),
42dceae2 2295 (unsigned long) &efs);
0e8b207e 2296 } else {
3e6b3b95 2297 /* Send PENDING Conf Rsp */
0e8b207e
AE		 2298 result = L2CAP_CONF_PENDING;
2299 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 2300 }
2301 }
2302
f2fcfcd6
GP		 2303 switch (rfc.mode) {
2304 case L2CAP_MODE_BASIC:
47d1ec61 2305 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2306 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 2307 break;
2308
2309 case L2CAP_MODE_ERTM:
6327eb98
AE		 2310 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
2311 chan->remote_tx_win = rfc.txwin_size;
2312 else
2313 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 2314
2c03a7a4 2315 chan->remote_max_tx = rfc.max_transmit;
1c762159 2316
c8f79162
AE		 2317 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2318 chan->conn->mtu -
2319 L2CAP_EXT_HDR_SIZE -
2320 L2CAP_SDULEN_SIZE -
2321 L2CAP_FCS_SIZE);
2322 rfc.max_pdu_size = cpu_to_le16(size);
2323 chan->remote_mps = size;
f2fcfcd6 2324
10467e9e
GP		 2325 rfc.retrans_timeout =
2326 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2327 rfc.monitor_timeout =
2328 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2329
c1360a1c 2330 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2331
2332 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2333 sizeof(rfc), (unsigned long) &rfc);
2334
42dceae2
AE		 2335 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2336 chan->remote_id = efs.id;
2337 chan->remote_stype = efs.stype;
2338 chan->remote_msdu = le16_to_cpu(efs.msdu);
2339 chan->remote_flush_to =
2340 le32_to_cpu(efs.flush_to);
2341 chan->remote_acc_lat =
2342 le32_to_cpu(efs.acc_lat);
2343 chan->remote_sdu_itime =
2344 le32_to_cpu(efs.sdu_itime);
2345 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2346 sizeof(efs), (unsigned long) &efs);
2347 }
f2fcfcd6
GP		 2348 break;
2349
2350 case L2CAP_MODE_STREAMING:
c8f79162
AE		 2351 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2352 chan->conn->mtu -
2353 L2CAP_EXT_HDR_SIZE -
2354 L2CAP_SDULEN_SIZE -
2355 L2CAP_FCS_SIZE);
2356 rfc.max_pdu_size = cpu_to_le16(size);
2357 chan->remote_mps = size;
f2fcfcd6 2358
c1360a1c 2359 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2360
2361 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2362 sizeof(rfc), (unsigned long) &rfc);
2363
f2fcfcd6
GP		 2364 break;
2365
2366 default:
5dee9e7c 2367 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2368
6464f35f 2369 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2370 rfc.mode = chan->mode;
f2fcfcd6 2371 }
6464f35f 2372
f2fcfcd6 2373 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 2374 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 2375 }
fe4128e0 2376 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2377 rsp->result = cpu_to_le16(result);
2378 rsp->flags = cpu_to_le16(0x0000);
2379
2380 return ptr - data;
1da177e4
LT		 2381}
2382
b4450035 2383static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2384{
f2fcfcd6
GP		 2385 struct l2cap_conf_req *req = data;
2386 void *ptr = req->data;
2387 int type, olen;
2388 unsigned long val;
36e999a8 2389 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 2390 struct l2cap_conf_efs efs;
f2fcfcd6 2391
fe4128e0 2392 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 2393
2394 while (len >= L2CAP_CONF_OPT_SIZE) {
2395 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2396
2397 switch (type) {
2398 case L2CAP_CONF_MTU:
2399 if (val < L2CAP_DEFAULT_MIN_MTU) {
2400 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2401 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2402 } else
0c1bc5c6
GP		 2403 chan->imtu = val;
2404 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 2405 break;
2406
2407 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2408 chan->flush_to = val;
f2fcfcd6 2409 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 2410 2, chan->flush_to);
f2fcfcd6
GP		 2411 break;
2412
2413 case L2CAP_CONF_RFC:
2414 if (olen == sizeof(rfc))
2415 memcpy(&rfc, (void *)val, olen);
2416
c1360a1c 2417 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 2418 rfc.mode != chan->mode)
f2fcfcd6
GP		 2419 return -ECONNREFUSED;
2420
47d1ec61 2421 chan->fcs = 0;
f2fcfcd6
GP		 2422
2423 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2424 sizeof(rfc), (unsigned long) &rfc);
2425 break;
6327eb98
AE		 2426
2427 case L2CAP_CONF_EWS:
2428 chan->tx_win = min_t(u16, val,
2429 L2CAP_DEFAULT_EXT_WINDOW);
3e6b3b95
GP		 2430 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2431 chan->tx_win);
6327eb98 2432 break;
66af7aaf
AE		 2433
2434 case L2CAP_CONF_EFS:
2435 if (olen == sizeof(efs))
2436 memcpy(&efs, (void *)val, olen);
2437
2438 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2439 efs.stype != L2CAP_SERV_NOTRAFIC &&
2440 efs.stype != chan->local_stype)
2441 return -ECONNREFUSED;
2442
2443 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2444 sizeof(efs), (unsigned long) &efs);
2445 break;
f2fcfcd6
GP		 2446 }
2447 }
2448
0c1bc5c6 2449 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 2450 return -ECONNREFUSED;
2451
0c1bc5c6 2452 chan->mode = rfc.mode;
6c2ea7a8 2453
0e8b207e 2454 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 2455 switch (rfc.mode) {
2456 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2457 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2458 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2459 chan->mps = le16_to_cpu(rfc.max_pdu_size);
66af7aaf
AE		 2460
2461 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2462 chan->local_msdu = le16_to_cpu(efs.msdu);
2463 chan->local_sdu_itime =
2464 le32_to_cpu(efs.sdu_itime);
2465 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
2466 chan->local_flush_to =
2467 le32_to_cpu(efs.flush_to);
2468 }
f2fcfcd6 2469 break;
66af7aaf 2470
f2fcfcd6 2471 case L2CAP_MODE_STREAMING:
47d1ec61 2472 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2473 }
2474 }
2475
fe4128e0 2476 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 2477 req->flags = cpu_to_le16(0x0000);
2478
2479 return ptr - data;
2480}
2481
fe4128e0 2482static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 2483{
2484 struct l2cap_conf_rsp *rsp = data;
2485 void *ptr = rsp->data;
1da177e4 2486
fe4128e0 2487 BT_DBG("chan %p", chan);
1da177e4 2488
fe4128e0 2489 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 2490 rsp->result = cpu_to_le16(result);
aca3192c 2491 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2492
2493 return ptr - data;
2494}
2495
8c1d787b 2496void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 2497{
2498 struct l2cap_conn_rsp rsp;
8c1d787b 2499 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 2500 u8 buf[128];
2501
fe4128e0
GP		 2502 rsp.scid = cpu_to_le16(chan->dcid);
2503 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 2504 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2505 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2506 l2cap_send_cmd(conn, chan->ident,
2507 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2508
c1360a1c 2509 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 2510 return;
2511
710f9b0a
GP		 2512 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2513 l2cap_build_conf_req(chan, buf), buf);
2514 chan->num_conf_req++;
2515}
2516
47d1ec61 2517static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 2518{
7b1c0049
GP		 2519 int type, olen;
2520 unsigned long val;
2521 struct l2cap_conf_rfc rfc;
2522
47d1ec61 2523 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 2524
0c1bc5c6 2525 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 2526 return;
2527
2528 while (len >= L2CAP_CONF_OPT_SIZE) {
2529 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2530
2531 switch (type) {
2532 case L2CAP_CONF_RFC:
2533 if (olen == sizeof(rfc))
2534 memcpy(&rfc, (void *)val, olen);
2535 goto done;
2536 }
2537 }
2538
36e999a8
MM		 2539 /* Use sane default values in case a misbehaving remote device
2540 * did not send an RFC option.
2541 */
2542 rfc.mode = chan->mode;
2543 rfc.retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
2544 rfc.monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
2545 rfc.max_pdu_size = cpu_to_le16(chan->imtu);
2546
2547 BT_ERR("Expected RFC option was not found, using defaults");
2548
7b1c0049
GP		 2549done:
2550 switch (rfc.mode) {
2551 case L2CAP_MODE_ERTM:
47d1ec61
GP		 2552 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2553 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2554 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2555 break;
2556 case L2CAP_MODE_STREAMING:
47d1ec61 2557 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 2558 }
2559}
2560
4e8402a3
MH		 2561static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2562{
e2fd318e 2563 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 2564
e2fd318e 2565 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 2566 return 0;
2567
2568 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2569 cmd->ident == conn->info_ident) {
17cd3f37 2570 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 2571
2572 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2573 conn->info_ident = 0;
984947dc 2574
4e8402a3
MH		 2575 l2cap_conn_start(conn);
2576 }
2577
2578 return 0;
2579}
2580
1da177e4
LT		 2581static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2582{
1da177e4
LT		 2583 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2584 struct l2cap_conn_rsp rsp;
23691d75 2585 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 2586 struct sock *parent, *sk = NULL;
e7c29cb1 2587 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2588
2589 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2590 __le16 psm = req->psm;
1da177e4
LT		 2591
2592 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2593
2594 /* Check if we have socket listening on psm */
23691d75
GP		 2595 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
2596 if (!pchan) {
1da177e4
LT		 2597 result = L2CAP_CR_BAD_PSM;
2598 goto sendresp;
2599 }
2600
23691d75
GP		 2601 parent = pchan->sk;
2602
aa2ac881 2603 lock_sock(parent);
e0f0cb56 2604
e7c29cb1
MH		 2605 /* Check if the ACL is secure enough (if not SDP) */
2606 if (psm != cpu_to_le16(0x0001) &&
2607 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 2608 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 2609 result = L2CAP_CR_SEC_BLOCK;
2610 goto response;
2611 }
2612
1da177e4
LT		 2613 result = L2CAP_CR_NO_MEM;
2614
2615 /* Check for backlog size */
2616 if (sk_acceptq_is_full(parent)) {
8e87d142 2617 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2618 goto response;
2619 }
2620
80808e43
GP		 2621 chan = pchan->ops->new_connection(pchan->data);
2622 if (!chan)
1da177e4
LT		 2623 goto response;
2624
80808e43
GP		 2625 sk = chan->sk;
2626
1da177e4 2627 /* Check if we already have channel with that dcid */
baa7e1fa 2628 if (__l2cap_get_chan_by_dcid(conn, scid)) {
1da177e4 2629 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 2630 chan->ops->close(chan->data);
1da177e4
LT		 2631 goto response;
2632 }
2633
2634 hci_conn_hold(conn->hcon);
2635
1da177e4
LT		 2636 bacpy(&bt_sk(sk)->src, conn->src);
2637 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 2638 chan->psm = psm;
2639 chan->dcid = scid;
1da177e4 2640
d1010240
GP		 2641 bt_accept_enqueue(parent, sk);
2642
3d57dc68 2643 l2cap_chan_add(conn, chan);
48454079 2644
fe4128e0 2645 dcid = chan->scid;
1da177e4 2646
c9b66675 2647 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 2648
fc7f8a7e 2649 chan->ident = cmd->ident;
1da177e4 2650
984947dc 2651 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 2652 if (l2cap_chan_check_security(chan)) {
f66dc81f 2653 if (bt_sk(sk)->defer_setup) {
89bc500e 2654 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 2655 result = L2CAP_CR_PEND;
2656 status = L2CAP_CS_AUTHOR_PEND;
2657 parent->sk_data_ready(parent, 0);
2658 } else {
89bc500e 2659 l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 2660 result = L2CAP_CR_SUCCESS;
2661 status = L2CAP_CS_NO_INFO;
2662 }
79d554a6 2663 } else {
89bc500e 2664 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2665 result = L2CAP_CR_PEND;
2666 status = L2CAP_CS_AUTHEN_PEND;
2667 }
2668 } else {
89bc500e 2669 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 2670 result = L2CAP_CR_PEND;
2671 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2672 }
2673
1da177e4 2674response:
aa2ac881 2675 release_sock(parent);
1da177e4
LT		 2676
2677sendresp:
aca3192c
YH		 2678 rsp.scid = cpu_to_le16(scid);
2679 rsp.dcid = cpu_to_le16(dcid);
2680 rsp.result = cpu_to_le16(result);
2681 rsp.status = cpu_to_le16(status);
1da177e4 2682 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2683
2684 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2685 struct l2cap_info_req info;
2686 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2687
2688 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2689 conn->info_ident = l2cap_get_ident(conn);
2690
030013d8 2691 schedule_delayed_work(&conn->info_timer,
79d554a6
MH		 2692 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2693
2694 l2cap_send_cmd(conn, conn->info_ident,
2695 L2CAP_INFO_REQ, sizeof(info), &info);
2696 }
2697
c1360a1c 2698 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 2699 result == L2CAP_CR_SUCCESS) {
2700 u8 buf[128];
c1360a1c 2701 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 2702 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2703 l2cap_build_conf_req(chan, buf), buf);
2704 chan->num_conf_req++;
e9aeb2dd
GP		 2705 }
2706
1da177e4
LT		 2707 return 0;
2708}
2709
2710static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2711{
2712 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2713 u16 scid, dcid, result, status;
48454079 2714 struct l2cap_chan *chan;
1da177e4
LT		 2715 struct sock *sk;
2716 u8 req[128];
2717
2718 scid = __le16_to_cpu(rsp->scid);
2719 dcid = __le16_to_cpu(rsp->dcid);
2720 result = __le16_to_cpu(rsp->result);
2721 status = __le16_to_cpu(rsp->status);
2722
1b009c98
AE		 2723 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2724 dcid, scid, result, status);
1da177e4
LT		 2725
2726 if (scid) {
baa7e1fa 2727 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2728 if (!chan)
57d3b22b 2729 return -EFAULT;
1da177e4 2730 } else {
baa7e1fa 2731 chan = l2cap_get_chan_by_ident(conn, cmd->ident);
48454079 2732 if (!chan)
57d3b22b 2733 return -EFAULT;
1da177e4
LT		 2734 }
2735
48454079
GP		 2736 sk = chan->sk;
2737
1da177e4
LT		 2738 switch (result) {
2739 case L2CAP_CR_SUCCESS:
89bc500e 2740 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 2741 chan->ident = 0;
fe4128e0 2742 chan->dcid = dcid;
c1360a1c 2743 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 2744
c1360a1c 2745 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 2746 break;
2747
1da177e4 2748 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2749 l2cap_build_conf_req(chan, req), req);
2750 chan->num_conf_req++;
1da177e4
LT		 2751 break;
2752
2753 case L2CAP_CR_PEND:
c1360a1c 2754 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 2755 break;
2756
2757 default:
48454079 2758 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 2759 break;
2760 }
2761
aa2ac881 2762 release_sock(sk);
1da177e4
LT		 2763 return 0;
2764}
2765
47d1ec61 2766static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 2767{
2768 /* FCS is enabled only in ERTM or streaming mode, if one or both
2769 * sides request it.
2770 */
0c1bc5c6 2771 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 2772 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2773 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 2774 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 2775}
2776
88219a0f 2777static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 2778{
2779 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2780 u16 dcid, flags;
2781 u8 rsp[64];
48454079 2782 struct l2cap_chan *chan;
1da177e4 2783 struct sock *sk;
5dee9e7c 2784 int len;
1da177e4
LT		 2785
2786 dcid = __le16_to_cpu(req->dcid);
2787 flags = __le16_to_cpu(req->flags);
2788
2789 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2790
baa7e1fa 2791 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 2792 if (!chan)
1da177e4
LT		 2793 return -ENOENT;
2794
48454079
GP		 2795 sk = chan->sk;
2796
033b1142 2797 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 2798 struct l2cap_cmd_rej_cid rej;
2799
2800 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
2801 rej.scid = cpu_to_le16(chan->scid);
2802 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 2803
df6bd743
GP		 2804 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2805 sizeof(rej), &rej);
354f60a9 2806 goto unlock;
df6bd743 2807 }
354f60a9 2808
5dee9e7c 2809 /* Reject if config buffer is too small. */
88219a0f 2810 len = cmd_len - sizeof(*req);
7ac28817 2811 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 2812 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2813 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 2814 L2CAP_CONF_REJECT, flags), rsp);
2815 goto unlock;
2816 }
2817
2818 /* Store config. */
73ffa904
GP		 2819 memcpy(chan->conf_req + chan->conf_len, req->data, len);
2820 chan->conf_len += len;
1da177e4
LT		 2821
2822 if (flags & 0x0001) {
2823 /* Incomplete config. Send empty response. */
2824 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 2825 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 2826 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 2827 goto unlock;
2828 }
2829
2830 /* Complete config. */
73ffa904 2831 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 2832 if (len < 0) {
e92c8e70 2833 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 2834 goto unlock;
f2fcfcd6 2835 }
1da177e4 2836
5dee9e7c 2837 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 2838 chan->num_conf_rsp++;
5dee9e7c 2839
5dee9e7c 2840 /* Reset config buffer. */
73ffa904 2841 chan->conf_len = 0;
5dee9e7c 2842
c1360a1c 2843 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 2844 goto unlock;
2845
c1360a1c 2846 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 2847 set_default_fcs(chan);
fcc203c3 2848
89bc500e 2849 l2cap_state_change(chan, BT_CONNECTED);
e90bac06 2850
42e5c802
GP		 2851 chan->next_tx_seq = 0;
2852 chan->expected_tx_seq = 0;
58d35f87 2853 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2854 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2855 l2cap_ertm_init(chan);
0565c1c2 2856
cf4cd009 2857 l2cap_chan_ready(chan);
876d9484
MH		 2858 goto unlock;
2859 }
2860
c1360a1c 2861 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 2862 u8 buf[64];
1da177e4 2863 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 2864 l2cap_build_conf_req(chan, buf), buf);
2865 chan->num_conf_req++;
1da177e4
LT		 2866 }
2867
0e8b207e
AE		 2868 /* Got Conf Rsp PENDING from remote side and asume we sent
2869 Conf Rsp PENDING in the code above */
2870 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
2871 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
2872
2873 /* check compatibility */
2874
2875 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
2876 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
2877
2878 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 2879 l2cap_build_conf_rsp(chan, rsp,
0e8b207e
AE		 2880 L2CAP_CONF_SUCCESS, 0x0000), rsp);
2881 }
2882
1da177e4 2883unlock:
aa2ac881 2884 release_sock(sk);
1da177e4
LT		 2885 return 0;
2886}
2887
2888static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2889{
2890 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2891 u16 scid, flags, result;
48454079 2892 struct l2cap_chan *chan;
1da177e4 2893 struct sock *sk;
7b1c0049 2894 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 2895
2896 scid = __le16_to_cpu(rsp->scid);
2897 flags = __le16_to_cpu(rsp->flags);
2898 result = __le16_to_cpu(rsp->result);
2899
af05b30b
GP		 2900 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2901 scid, flags, result);
1da177e4 2902
baa7e1fa 2903 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 2904 if (!chan)
1da177e4
LT		 2905 return 0;
2906
48454079
GP		 2907 sk = chan->sk;
2908
1da177e4
LT		 2909 switch (result) {
2910 case L2CAP_CONF_SUCCESS:
47d1ec61 2911 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 2912 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 2913 break;
2914
0e8b207e
AE		 2915 case L2CAP_CONF_PENDING:
2916 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
2917
2918 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
2919 char buf[64];
2920
2921 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2922 buf, &result);
2923 if (len < 0) {
2924 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2925 goto done;
2926 }
2927
2928 /* check compatibility */
2929
2930 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
2931 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
2932
2933 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 2934 l2cap_build_conf_rsp(chan, buf,
0e8b207e
AE		 2935 L2CAP_CONF_SUCCESS, 0x0000), buf);
2936 }
2937 goto done;
2938
1da177e4 2939 case L2CAP_CONF_UNACCEPT:
73ffa904 2940 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 2941 char req[64];
2942
c2c77ec8 2943 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 2944 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 2945 goto done;
2946 }
2947
f2fcfcd6
GP		 2948 /* throw out any old stored conf requests */
2949 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 2950 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2951 req, &result);
f2fcfcd6 2952 if (len < 0) {
e92c8e70 2953 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 2954 goto done;
2955 }
2956
2957 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2958 L2CAP_CONF_REQ, len, req);
73ffa904 2959 chan->num_conf_req++;
f2fcfcd6
GP		 2960 if (result != L2CAP_CONF_SUCCESS)
2961 goto done;
2962 break;
1da177e4
LT		 2963 }
2964
8e87d142 2965 default:
b1235d79 2966 sk->sk_err = ECONNRESET;
b83ddfe2
AK		 2967 __set_chan_timer(chan,
2968 msecs_to_jiffies(L2CAP_DISC_REJ_TIMEOUT));
e92c8e70 2969 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 2970 goto done;
2971 }
2972
2973 if (flags & 0x01)
2974 goto done;
2975
c1360a1c 2976 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 2977
c1360a1c 2978 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 2979 set_default_fcs(chan);
fcc203c3 2980
89bc500e 2981 l2cap_state_change(chan, BT_CONNECTED);
42e5c802
GP		 2982 chan->next_tx_seq = 0;
2983 chan->expected_tx_seq = 0;
58d35f87 2984 skb_queue_head_init(&chan->tx_q);
0c1bc5c6 2985 if (chan->mode == L2CAP_MODE_ERTM)
525cd185 2986 l2cap_ertm_init(chan);
0565c1c2 2987
cf4cd009 2988 l2cap_chan_ready(chan);
1da177e4
LT		 2989 }
2990
2991done:
aa2ac881 2992 release_sock(sk);
1da177e4
LT		 2993 return 0;
2994}
2995
2996static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2997{
2998 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2999 struct l2cap_disconn_rsp rsp;
3000 u16 dcid, scid;
48454079 3001 struct l2cap_chan *chan;
1da177e4
LT		 3002 struct sock *sk;
3003
3004 scid = __le16_to_cpu(req->scid);
3005 dcid = __le16_to_cpu(req->dcid);
3006
3007 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3008
baa7e1fa 3009 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3010 if (!chan)
1da177e4
LT		 3011 return 0;
3012
48454079
GP		 3013 sk = chan->sk;
3014
fe4128e0
GP		 3015 rsp.dcid = cpu_to_le16(chan->scid);
3016 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3017 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3018
3019 sk->sk_shutdown = SHUTDOWN_MASK;
3020
48454079 3021 l2cap_chan_del(chan, ECONNRESET);
aa2ac881 3022 release_sock(sk);
1da177e4 3023
ba3bd0ee 3024 chan->ops->close(chan->data);
1da177e4
LT		 3025 return 0;
3026}
3027
3028static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3029{
3030 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3031 u16 dcid, scid;
48454079 3032 struct l2cap_chan *chan;
1da177e4
LT		 3033 struct sock *sk;
3034
3035 scid = __le16_to_cpu(rsp->scid);
3036 dcid = __le16_to_cpu(rsp->dcid);
3037
3038 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3039
baa7e1fa 3040 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3041 if (!chan)
1da177e4
LT		 3042 return 0;
3043
48454079
GP		 3044 sk = chan->sk;
3045
48454079 3046 l2cap_chan_del(chan, 0);
aa2ac881 3047 release_sock(sk);
1da177e4 3048
ba3bd0ee 3049 chan->ops->close(chan->data);
1da177e4
LT		 3050 return 0;
3051}
3052
3053static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3054{
3055 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3056 u16 type;
3057
3058 type = __le16_to_cpu(req->type);
3059
3060 BT_DBG("type 0x%4.4x", type);
3061
f0709e03
MH		 3062 if (type == L2CAP_IT_FEAT_MASK) {
3063 u8 buf[8];
44dd46de 3064 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 3065 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3066 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3067 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3068 if (!disable_ertm)
fcc203c3
GP		 3069 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3070 | L2CAP_FEAT_FCS;
a5fd6f30 3071 if (enable_hs)
6327eb98
AE		 3072 feat_mask |= L2CAP_FEAT_EXT_FLOW
3073 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3074
1b7bf4ed 3075 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3076 l2cap_send_cmd(conn, cmd->ident,
3077 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3078 } else if (type == L2CAP_IT_FIXED_CHAN) {
3079 u8 buf[12];
3080 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3081
3082 if (enable_hs)
3083 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3084 else
3085 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3086
e1027a7c
MH		 3087 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3088 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3089 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH		 3090 l2cap_send_cmd(conn, cmd->ident,
3091 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3092 } else {
3093 struct l2cap_info_rsp rsp;
3094 rsp.type = cpu_to_le16(type);
3095 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3096 l2cap_send_cmd(conn, cmd->ident,
3097 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3098 }
1da177e4
LT		 3099
3100 return 0;
3101}
3102
3103static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3104{
3105 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3106 u16 type, result;
3107
3108 type = __le16_to_cpu(rsp->type);
3109 result = __le16_to_cpu(rsp->result);
3110
3111 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3112
e90165be
AE		 3113 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3114 if (cmd->ident != conn->info_ident ||
3115 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3116 return 0;
3117
17cd3f37 3118 cancel_delayed_work(&conn->info_timer);
4e8402a3 3119
adb08ede
VT		 3120 if (result != L2CAP_IR_SUCCESS) {
3121 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3122 conn->info_ident = 0;
3123
3124 l2cap_conn_start(conn);
3125
3126 return 0;
3127 }
3128
984947dc 3129 if (type == L2CAP_IT_FEAT_MASK) {
83985319 3130 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3131
47ec1dcd 3132 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 3133 struct l2cap_info_req req;
3134 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3135
3136 conn->info_ident = l2cap_get_ident(conn);
3137
3138 l2cap_send_cmd(conn, conn->info_ident,
3139 L2CAP_INFO_REQ, sizeof(req), &req);
3140 } else {
3141 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3142 conn->info_ident = 0;
3143
3144 l2cap_conn_start(conn);
3145 }
3146 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 3147 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3148 conn->info_ident = 0;
984947dc
MH		 3149
3150 l2cap_conn_start(conn);
3151 }
4e8402a3 3152
1da177e4
LT		 3153 return 0;
3154}
3155
f94ff6ff
MM		 3156static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3157 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3158 void *data)
3159{
3160 struct l2cap_create_chan_req *req = data;
3161 struct l2cap_create_chan_rsp rsp;
3162 u16 psm, scid;
3163
3164 if (cmd_len != sizeof(*req))
3165 return -EPROTO;
3166
3167 if (!enable_hs)
3168 return -EINVAL;
3169
3170 psm = le16_to_cpu(req->psm);
3171 scid = le16_to_cpu(req->scid);
3172
3173 BT_DBG("psm %d, scid %d, amp_id %d", psm, scid, req->amp_id);
3174
3175 /* Placeholder: Always reject */
3176 rsp.dcid = 0;
3177 rsp.scid = cpu_to_le16(scid);
3178 rsp.result = L2CAP_CR_NO_MEM;
3179 rsp.status = L2CAP_CS_NO_INFO;
3180
3181 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
3182 sizeof(rsp), &rsp);
3183
3184 return 0;
3185}
3186
3187static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
3188 struct l2cap_cmd_hdr *cmd, void *data)
3189{
3190 BT_DBG("conn %p", conn);
3191
3192 return l2cap_connect_rsp(conn, cmd, data);
3193}
3194
8d5a04a1
MM		 3195static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
3196 u16 icid, u16 result)
3197{
3198 struct l2cap_move_chan_rsp rsp;
3199
3200 BT_DBG("icid %d, result %d", icid, result);
3201
3202 rsp.icid = cpu_to_le16(icid);
3203 rsp.result = cpu_to_le16(result);
3204
3205 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
3206}
3207
3208static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
3209 struct l2cap_chan *chan, u16 icid, u16 result)
3210{
3211 struct l2cap_move_chan_cfm cfm;
3212 u8 ident;
3213
3214 BT_DBG("icid %d, result %d", icid, result);
3215
3216 ident = l2cap_get_ident(conn);
3217 if (chan)
3218 chan->ident = ident;
3219
3220 cfm.icid = cpu_to_le16(icid);
3221 cfm.result = cpu_to_le16(result);
3222
3223 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
3224}
3225
3226static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
3227 u16 icid)
3228{
3229 struct l2cap_move_chan_cfm_rsp rsp;
3230
3231 BT_DBG("icid %d", icid);
3232
3233 rsp.icid = cpu_to_le16(icid);
3234 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
3235}
3236
3237static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
3238 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3239{
3240 struct l2cap_move_chan_req *req = data;
3241 u16 icid = 0;
3242 u16 result = L2CAP_MR_NOT_ALLOWED;
3243
3244 if (cmd_len != sizeof(*req))
3245 return -EPROTO;
3246
3247 icid = le16_to_cpu(req->icid);
3248
3249 BT_DBG("icid %d, dest_amp_id %d", icid, req->dest_amp_id);
3250
3251 if (!enable_hs)
3252 return -EINVAL;
3253
3254 /* Placeholder: Always refuse */
3255 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
3256
3257 return 0;
3258}
3259
3260static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
3261 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3262{
3263 struct l2cap_move_chan_rsp *rsp = data;
3264 u16 icid, result;
3265
3266 if (cmd_len != sizeof(*rsp))
3267 return -EPROTO;
3268
3269 icid = le16_to_cpu(rsp->icid);
3270 result = le16_to_cpu(rsp->result);
3271
3272 BT_DBG("icid %d, result %d", icid, result);
3273
3274 /* Placeholder: Always unconfirmed */
3275 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
3276
3277 return 0;
3278}
3279
3280static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
3281 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3282{
3283 struct l2cap_move_chan_cfm *cfm = data;
3284 u16 icid, result;
3285
3286 if (cmd_len != sizeof(*cfm))
3287 return -EPROTO;
3288
3289 icid = le16_to_cpu(cfm->icid);
3290 result = le16_to_cpu(cfm->result);
3291
3292 BT_DBG("icid %d, result %d", icid, result);
3293
3294 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
3295
3296 return 0;
3297}
3298
3299static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
3300 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3301{
3302 struct l2cap_move_chan_cfm_rsp *rsp = data;
3303 u16 icid;
3304
3305 if (cmd_len != sizeof(*rsp))
3306 return -EPROTO;
3307
3308 icid = le16_to_cpu(rsp->icid);
3309
3310 BT_DBG("icid %d", icid);
3311
3312 return 0;
3313}
3314
e2174ca4 3315static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 3316 u16 to_multiplier)
3317{
3318 u16 max_latency;
3319
3320 if (min > max || min < 6 || max > 3200)
3321 return -EINVAL;
3322
3323 if (to_multiplier < 10 || to_multiplier > 3200)
3324 return -EINVAL;
3325
3326 if (max >= to_multiplier * 8)
3327 return -EINVAL;
3328
3329 max_latency = (to_multiplier * 8 / max) - 1;
3330 if (latency > 499 || latency > max_latency)
3331 return -EINVAL;
3332
3333 return 0;
3334}
3335
3336static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
3337 struct l2cap_cmd_hdr *cmd, u8 *data)
3338{
3339 struct hci_conn *hcon = conn->hcon;
3340 struct l2cap_conn_param_update_req *req;
3341 struct l2cap_conn_param_update_rsp rsp;
3342 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 3343 int err;
de73115a
CT		 3344
3345 if (!(hcon->link_mode & HCI_LM_MASTER))
3346 return -EINVAL;
3347
3348 cmd_len = __le16_to_cpu(cmd->len);
3349 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
3350 return -EPROTO;
3351
3352 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 3353 min = __le16_to_cpu(req->min);
3354 max = __le16_to_cpu(req->max);
de73115a
CT		 3355 latency = __le16_to_cpu(req->latency);
3356 to_multiplier = __le16_to_cpu(req->to_multiplier);
3357
3358 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
3359 min, max, latency, to_multiplier);
3360
3361 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 3362
3363 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
3364 if (err)
de73115a
CT		 3365 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
3366 else
3367 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
3368
3369 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
3370 sizeof(rsp), &rsp);
3371
2ce603eb
CT		 3372 if (!err)
3373 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
3374
de73115a
CT		 3375 return 0;
3376}
3377
3300d9a9
CT		 3378static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
3379 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3380{
3381 int err = 0;
3382
3383 switch (cmd->code) {
3384 case L2CAP_COMMAND_REJ:
3385 l2cap_command_rej(conn, cmd, data);
3386 break;
3387
3388 case L2CAP_CONN_REQ:
3389 err = l2cap_connect_req(conn, cmd, data);
3390 break;
3391
3392 case L2CAP_CONN_RSP:
3393 err = l2cap_connect_rsp(conn, cmd, data);
3394 break;
3395
3396 case L2CAP_CONF_REQ:
3397 err = l2cap_config_req(conn, cmd, cmd_len, data);
3398 break;
3399
3400 case L2CAP_CONF_RSP:
3401 err = l2cap_config_rsp(conn, cmd, data);
3402 break;
3403
3404 case L2CAP_DISCONN_REQ:
3405 err = l2cap_disconnect_req(conn, cmd, data);
3406 break;
3407
3408 case L2CAP_DISCONN_RSP:
3409 err = l2cap_disconnect_rsp(conn, cmd, data);
3410 break;
3411
3412 case L2CAP_ECHO_REQ:
3413 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
3414 break;
3415
3416 case L2CAP_ECHO_RSP:
3417 break;
3418
3419 case L2CAP_INFO_REQ:
3420 err = l2cap_information_req(conn, cmd, data);
3421 break;
3422
3423 case L2CAP_INFO_RSP:
3424 err = l2cap_information_rsp(conn, cmd, data);
3425 break;
3426
f94ff6ff
MM		 3427 case L2CAP_CREATE_CHAN_REQ:
3428 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
3429 break;
3430
3431 case L2CAP_CREATE_CHAN_RSP:
3432 err = l2cap_create_channel_rsp(conn, cmd, data);
3433 break;
3434
8d5a04a1
MM		 3435 case L2CAP_MOVE_CHAN_REQ:
3436 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
3437 break;
3438
3439 case L2CAP_MOVE_CHAN_RSP:
3440 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
3441 break;
3442
3443 case L2CAP_MOVE_CHAN_CFM:
3444 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
3445 break;
3446
3447 case L2CAP_MOVE_CHAN_CFM_RSP:
3448 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
3449 break;
3450
3300d9a9
CT		 3451 default:
3452 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
3453 err = -EINVAL;
3454 break;
3455 }
3456
3457 return err;
3458}
3459
3460static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
3461 struct l2cap_cmd_hdr *cmd, u8 *data)
3462{
3463 switch (cmd->code) {
3464 case L2CAP_COMMAND_REJ:
3465 return 0;
3466
3467 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 3468 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 3469
3470 case L2CAP_CONN_PARAM_UPDATE_RSP:
3471 return 0;
3472
3473 default:
3474 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
3475 return -EINVAL;
3476 }
3477}
3478
3479static inline void l2cap_sig_channel(struct l2cap_conn *conn,
3480 struct sk_buff *skb)
1da177e4
LT		 3481{
3482 u8 *data = skb->data;
3483 int len = skb->len;
3484 struct l2cap_cmd_hdr cmd;
3300d9a9 3485 int err;
1da177e4
LT		 3486
3487 l2cap_raw_recv(conn, skb);
3488
3489 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3490 u16 cmd_len;
1da177e4
LT		 3491 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3492 data += L2CAP_CMD_HDR_SIZE;
3493 len -= L2CAP_CMD_HDR_SIZE;
3494
88219a0f 3495 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3496
88219a0f 3497 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3498
88219a0f 3499 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3500 BT_DBG("corrupted command");
3501 break;
3502 }
3503
3300d9a9
CT		 3504 if (conn->hcon->type == LE_LINK)
3505 err = l2cap_le_sig_cmd(conn, &cmd, data);
3506 else
3507 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 3508
3509 if (err) {
e2fd318e 3510 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 3511
3512 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 3513
3514 /* FIXME: Map err to a valid reason */
e2fd318e 3515 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 3516 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3517 }
3518
88219a0f
AV		 3519 data += cmd_len;
3520 len -= cmd_len;
1da177e4
LT		 3521 }
3522
3523 kfree_skb(skb);
3524}
3525
47d1ec61 3526static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 3527{
3528 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 3529 int hdr_size;
3530
3531 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3532 hdr_size = L2CAP_EXT_HDR_SIZE;
3533 else
3534 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 3535
47d1ec61 3536 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 3537 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 3538 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3539 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3540
3541 if (our_fcs != rcv_fcs)
7a560e5c 3542 return -EBADMSG;
fcc203c3
GP		 3543 }
3544 return 0;
3545}
3546
525cd185 3547static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 3548{
88843ab0 3549 u32 control = 0;
d5392c8f 3550
6a026610 3551 chan->frames_sent = 0;
d5392c8f 3552
0b209fae 3553 control |= __set_reqseq(chan, chan->buffer_seq);
d5392c8f 3554
e2ab4353 3555 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 3556 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
525cd185 3557 l2cap_send_sframe(chan, control);
e2ab4353 3558 set_bit(CONN_RNR_SENT, &chan->conn_state);
d5392c8f
GP		 3559 }
3560
e2ab4353 3561 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
525cd185 3562 l2cap_retransmit_frames(chan);
d5392c8f 3563
525cd185 3564 l2cap_ertm_send(chan);
d5392c8f 3565
e2ab4353 3566 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
6a026610 3567 chan->frames_sent == 0) {
ab784b73 3568 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 3569 l2cap_send_sframe(chan, control);
d5392c8f
GP		 3570 }
3571}
3572
fb45de7d 3573static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u16 tx_seq, u8 sar)
8f17154f
GP		 3574{
3575 struct sk_buff *next_skb;
bfbacc11 3576 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 3577
3578 bt_cb(skb)->tx_seq = tx_seq;
3579 bt_cb(skb)->sar = sar;
3580
f1c6775b 3581 next_skb = skb_peek(&chan->srej_q);
8f17154f 3582
836be934 3583 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
bfbacc11 3584
039d9572 3585 while (next_skb) {
9b53350d
JPRV		 3586 if (bt_cb(next_skb)->tx_seq == tx_seq)
3587 return -EINVAL;
3588
836be934
AE		 3589 next_tx_seq_offset = __seq_offset(chan,
3590 bt_cb(next_skb)->tx_seq, chan->buffer_seq);
bfbacc11
JPRV		 3591
3592 if (next_tx_seq_offset > tx_seq_offset) {
f1c6775b 3593 __skb_queue_before(&chan->srej_q, next_skb, skb);
9b53350d 3594 return 0;
8f17154f
GP		 3595 }
3596
f1c6775b 3597 if (skb_queue_is_last(&chan->srej_q, next_skb))
039d9572
SJ		 3598 next_skb = NULL;
3599 else
3600 next_skb = skb_queue_next(&chan->srej_q, next_skb);
3601 }
8f17154f 3602
f1c6775b 3603 __skb_queue_tail(&chan->srej_q, skb);
9b53350d
JPRV		 3604
3605 return 0;
8f17154f
GP		 3606}
3607
84084a31
MM		 3608static void append_skb_frag(struct sk_buff *skb,
3609 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 3610{
84084a31
MM		 3611 /* skb->len reflects data in skb as well as all fragments
3612 * skb->data_len reflects only data in fragments
3613 */
3614 if (!skb_has_frag_list(skb))
3615 skb_shinfo(skb)->frag_list = new_frag;
3616
3617 new_frag->next = NULL;
3618
3619 (*last_frag)->next = new_frag;
3620 *last_frag = new_frag;
3621
3622 skb->len += new_frag->len;
3623 skb->data_len += new_frag->len;
3624 skb->truesize += new_frag->truesize;
3625}
3626
88843ab0 3627static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u32 control)
84084a31
MM		 3628{
3629 int err = -EINVAL;
18778a63 3630
7e0ef6ee
AE		 3631 switch (__get_ctrl_sar(chan, control)) {
3632 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 3633 if (chan->sdu)
3634 break;
18778a63 3635
84084a31
MM		 3636 err = chan->ops->recv(chan->data, skb);
3637 break;
18778a63 3638
7e0ef6ee 3639 case L2CAP_SAR_START:
84084a31
MM		 3640 if (chan->sdu)
3641 break;
18778a63 3642
6f61fd47 3643 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 3644 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 3645
84084a31
MM		 3646 if (chan->sdu_len > chan->imtu) {
3647 err = -EMSGSIZE;
3648 break;
3649 }
1890d36b 3650
84084a31
MM		 3651 if (skb->len >= chan->sdu_len)
3652 break;
18778a63 3653
84084a31
MM		 3654 chan->sdu = skb;
3655 chan->sdu_last_frag = skb;
18778a63 3656
84084a31
MM		 3657 skb = NULL;
3658 err = 0;
18778a63
GP		 3659 break;
3660
7e0ef6ee 3661 case L2CAP_SAR_CONTINUE:
6f61fd47 3662 if (!chan->sdu)
84084a31 3663 break;
18778a63 3664
84084a31
MM		 3665 append_skb_frag(chan->sdu, skb,
3666 &chan->sdu_last_frag);
3667 skb = NULL;
18778a63 3668
84084a31
MM		 3669 if (chan->sdu->len >= chan->sdu_len)
3670 break;
4178ba46 3671
84084a31 3672 err = 0;
18778a63
GP		 3673 break;
3674
7e0ef6ee 3675 case L2CAP_SAR_END:
6f61fd47 3676 if (!chan->sdu)
84084a31 3677 break;
18778a63 3678
84084a31
MM		 3679 append_skb_frag(chan->sdu, skb,
3680 &chan->sdu_last_frag);
3681 skb = NULL;
4178ba46 3682
84084a31
MM		 3683 if (chan->sdu->len != chan->sdu_len)
3684 break;
18778a63 3685
84084a31 3686 err = chan->ops->recv(chan->data, chan->sdu);
1890d36b 3687
84084a31
MM		 3688 if (!err) {
3689 /* Reassembly complete */
3690 chan->sdu = NULL;
3691 chan->sdu_last_frag = NULL;
3692 chan->sdu_len = 0;
1890d36b 3693 }
18778a63
GP		 3694 break;
3695 }
3696
84084a31
MM		 3697 if (err) {
3698 kfree_skb(skb);
3699 kfree_skb(chan->sdu);
3700 chan->sdu = NULL;
3701 chan->sdu_last_frag = NULL;
3702 chan->sdu_len = 0;
3703 }
18778a63 3704
84084a31 3705 return err;
18778a63
GP		 3706}
3707
26f880d2 3708static void l2cap_ertm_enter_local_busy(struct l2cap_chan *chan)
712132eb 3709{
26f880d2 3710 BT_DBG("chan %p, Enter local busy", chan);
712132eb 3711
26f880d2
MM		 3712 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3713
77f918bc 3714 __set_ack_timer(chan);
26f880d2
MM		 3715}
3716
3717static void l2cap_ertm_exit_local_busy(struct l2cap_chan *chan)
3718{
88843ab0 3719 u32 control;
712132eb 3720
e2ab4353 3721 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
712132eb
GP		 3722 goto done;
3723
0b209fae 3724 control = __set_reqseq(chan, chan->buffer_seq);
e3781735 3725 control |= __set_ctrl_poll(chan);
ab784b73 3726 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
525cd185 3727 l2cap_send_sframe(chan, control);
6a026610 3728 chan->retry_count = 1;
712132eb 3729
1a09bcb9
GP		 3730 __clear_retrans_timer(chan);
3731 __set_monitor_timer(chan);
712132eb 3732
e2ab4353 3733 set_bit(CONN_WAIT_F, &chan->conn_state);
712132eb
GP		 3734
3735done:
e2ab4353
GP		 3736 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3737 clear_bit(CONN_RNR_SENT, &chan->conn_state);
712132eb 3738
49208c9c 3739 BT_DBG("chan %p, Exit local busy", chan);
712132eb
GP		 3740}
3741
e328140f 3742void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
1890d36b 3743{
e328140f
MM		 3744 if (chan->mode == L2CAP_MODE_ERTM) {
3745 if (busy)
3746 l2cap_ertm_enter_local_busy(chan);
3747 else
3748 l2cap_ertm_exit_local_busy(chan);
1890d36b 3749 }
1890d36b
GP		 3750}
3751
fb45de7d 3752static void l2cap_check_srej_gap(struct l2cap_chan *chan, u16 tx_seq)
8f17154f
GP		 3753{
3754 struct sk_buff *skb;
88843ab0 3755 u32 control;
8f17154f 3756
e328140f
MM		 3757 while ((skb = skb_peek(&chan->srej_q)) &&
3758 !test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3759 int err;
3760
8f17154f
GP		 3761 if (bt_cb(skb)->tx_seq != tx_seq)
3762 break;
3763
f1c6775b 3764 skb = skb_dequeue(&chan->srej_q);
7e0ef6ee 3765 control = __set_ctrl_sar(chan, bt_cb(skb)->sar);
84084a31 3766 err = l2cap_reassemble_sdu(chan, skb, control);
e328140f
MM		 3767
3768 if (err < 0) {
3769 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3770 break;
3771 }
3772
836be934
AE		 3773 chan->buffer_seq_srej = __next_seq(chan, chan->buffer_seq_srej);
3774 tx_seq = __next_seq(chan, tx_seq);
8f17154f
GP		 3775 }
3776}
3777
fb45de7d 3778static void l2cap_resend_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 3779{
8f17154f 3780 struct srej_list *l, *tmp;
88843ab0 3781 u32 control;
8f17154f 3782
39d5a3ee 3783 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
8f17154f
GP		 3784 if (l->tx_seq == tx_seq) {
3785 list_del(&l->list);
3786 kfree(l);
3787 return;
3788 }
ab784b73 3789 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 3790 control |= __set_reqseq(chan, l->tx_seq);
525cd185 3791 l2cap_send_sframe(chan, control);
8f17154f 3792 list_del(&l->list);
39d5a3ee 3793 list_add_tail(&l->list, &chan->srej_l);
8f17154f
GP		 3794 }
3795}
3796
aef89f21 3797static int l2cap_send_srejframe(struct l2cap_chan *chan, u16 tx_seq)
8f17154f 3798{
8f17154f 3799 struct srej_list *new;
88843ab0 3800 u32 control;
8f17154f 3801
42e5c802 3802 while (tx_seq != chan->expected_tx_seq) {
ab784b73 3803 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
0b209fae 3804 control |= __set_reqseq(chan, chan->expected_tx_seq);
525cd185 3805 l2cap_send_sframe(chan, control);
8f17154f
GP		 3806
3807 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
aef89f21
SJ		 3808 if (!new)
3809 return -ENOMEM;
3810
42e5c802 3811 new->tx_seq = chan->expected_tx_seq;
836be934
AE		 3812
3813 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
3814
39d5a3ee 3815 list_add_tail(&new->list, &chan->srej_l);
8f17154f 3816 }
836be934
AE		 3817
3818 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
aef89f21
SJ		 3819
3820 return 0;
8f17154f
GP		 3821}
3822
88843ab0 3823static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
1c2acffb 3824{
fb45de7d 3825 u16 tx_seq = __get_txseq(chan, rx_control);
0b209fae 3826 u16 req_seq = __get_reqseq(chan, rx_control);
7e0ef6ee 3827 u8 sar = __get_ctrl_sar(chan, rx_control);
f6337c77 3828 int tx_seq_offset, expected_tx_seq_offset;
47d1ec61 3829 int num_to_ack = (chan->tx_win/6) + 1;
1c2acffb
GP		 3830 int err = 0;
3831
88843ab0 3832 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%8.8x", chan, skb->len,
525cd185 3833 tx_seq, rx_control);
1c2acffb 3834
03f6715d 3835 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 3836 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 3837 __clear_monitor_timer(chan);
6a026610 3838 if (chan->unacked_frames > 0)
1a09bcb9 3839 __set_retrans_timer(chan);
e2ab4353 3840 clear_bit(CONN_WAIT_F, &chan->conn_state);
1d8f5d16
GP		 3841 }
3842
42e5c802
GP		 3843 chan->expected_ack_seq = req_seq;
3844 l2cap_drop_acked_frames(chan);
9f121a5a 3845
836be934 3846 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
9b53350d
JPRV		 3847
3848 /* invalid tx_seq */
47d1ec61 3849 if (tx_seq_offset >= chan->tx_win) {
8c1d787b 3850 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
9b53350d
JPRV		 3851 goto drop;
3852 }
3853
77f918bc
SJ		 3854 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3855 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
3856 l2cap_send_ack(chan);
1890d36b 3857 goto drop;
77f918bc 3858 }
1890d36b 3859
02f1b641
MM		 3860 if (tx_seq == chan->expected_tx_seq)
3861 goto expected;
3862
e2ab4353 3863 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
8f17154f 3864 struct srej_list *first;
30afb5b2 3865
39d5a3ee 3866 first = list_first_entry(&chan->srej_l,
8f17154f
GP		 3867 struct srej_list, list);
3868 if (tx_seq == first->tx_seq) {
42e5c802 3869 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
525cd185 3870 l2cap_check_srej_gap(chan, tx_seq);
8f17154f
GP		 3871
3872 list_del(&first->list);
3873 kfree(first);
3874
39d5a3ee 3875 if (list_empty(&chan->srej_l)) {
42e5c802 3876 chan->buffer_seq = chan->buffer_seq_srej;
e2ab4353 3877 clear_bit(CONN_SREJ_SENT, &chan->conn_state);
525cd185 3878 l2cap_send_ack(chan);
49208c9c 3879 BT_DBG("chan %p, Exit SREJ_SENT", chan);
8f17154f
GP		 3880 }
3881 } else {
3882 struct srej_list *l;
9b53350d
JPRV		 3883
3884 /* duplicated tx_seq */
42e5c802 3885 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
9b53350d 3886 goto drop;
8f17154f 3887
39d5a3ee 3888 list_for_each_entry(l, &chan->srej_l, list) {
8f17154f 3889 if (l->tx_seq == tx_seq) {
525cd185 3890 l2cap_resend_srejframe(chan, tx_seq);
8f17154f
GP		 3891 return 0;
3892 }
3893 }
aef89f21
SJ		 3894
3895 err = l2cap_send_srejframe(chan, tx_seq);
3896 if (err < 0) {
3897 l2cap_send_disconn_req(chan->conn, chan, -err);
3898 return err;
3899 }
30afb5b2
GP		 3900 }
3901 } else {
836be934
AE		 3902 expected_tx_seq_offset = __seq_offset(chan,
3903 chan->expected_tx_seq, chan->buffer_seq);
9b53350d
JPRV		 3904
3905 /* duplicated tx_seq */
3906 if (tx_seq_offset < expected_tx_seq_offset)
3907 goto drop;
3908
e2ab4353 3909 set_bit(CONN_SREJ_SENT, &chan->conn_state);
1c2acffb 3910
49208c9c 3911 BT_DBG("chan %p, Enter SREJ", chan);
0e98958d 3912
39d5a3ee 3913 INIT_LIST_HEAD(&chan->srej_l);
42e5c802 3914 chan->buffer_seq_srej = chan->buffer_seq;
8f17154f 3915
f1c6775b 3916 __skb_queue_head_init(&chan->srej_q);
42e5c802 3917 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
8f17154f 3918
0ef3ef0f
SJ		 3919 /* Set P-bit only if there are some I-frames to ack. */
3920 if (__clear_ack_timer(chan))
3921 set_bit(CONN_SEND_PBIT, &chan->conn_state);
ef54fd93 3922
aef89f21
SJ		 3923 err = l2cap_send_srejframe(chan, tx_seq);
3924 if (err < 0) {
3925 l2cap_send_disconn_req(chan->conn, chan, -err);
3926 return err;
3927 }
1c2acffb 3928 }
30afb5b2
GP		 3929 return 0;
3930
8f17154f 3931expected:
836be934 3932 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
8f17154f 3933
e2ab4353 3934 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3b1a9f3f
GP		 3935 bt_cb(skb)->tx_seq = tx_seq;
3936 bt_cb(skb)->sar = sar;
f1c6775b 3937 __skb_queue_tail(&chan->srej_q, skb);
8f17154f
GP		 3938 return 0;
3939 }
3940
84084a31 3941 err = l2cap_reassemble_sdu(chan, skb, rx_control);
836be934
AE		 3942 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
3943
e328140f
MM		 3944 if (err < 0) {
3945 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3946 return err;
3947 }
2ece3684 3948
03f6715d 3949 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3950 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3951 l2cap_retransmit_frames(chan);
4ec10d97
GP		 3952 }
3953
c1b4f43b 3954
6a026610
GP		 3955 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3956 if (chan->num_acked == num_to_ack - 1)
525cd185 3957 l2cap_send_ack(chan);
4d611e4d
GP		 3958 else
3959 __set_ack_timer(chan);
9e917af1 3960
8f17154f 3961 return 0;
9b53350d
JPRV		 3962
3963drop:
3964 kfree_skb(skb);
3965 return 0;
1c2acffb
GP		 3966}
3967
88843ab0 3968static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u32 rx_control)
1c2acffb 3969{
88843ab0 3970 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan,
0b209fae 3971 __get_reqseq(chan, rx_control), rx_control);
0e98958d 3972
0b209fae 3973 chan->expected_ack_seq = __get_reqseq(chan, rx_control);
42e5c802 3974 l2cap_drop_acked_frames(chan);
1c2acffb 3975
e3781735 3976 if (__is_ctrl_poll(chan, rx_control)) {
e2ab4353
GP		 3977 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3978 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3979 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 3980 (chan->unacked_frames > 0))
1a09bcb9 3981 __set_retrans_timer(chan);
05fbd89d 3982
e2ab4353 3983 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
525cd185 3984 l2cap_send_srejtail(chan);
05fbd89d 3985 } else {
525cd185 3986 l2cap_send_i_or_rr_or_rnr(chan);
05fbd89d 3987 }
1d8f5d16 3988
03f6715d 3989 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 3990 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4ec10d97 3991
e2ab4353 3992 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 3993 l2cap_retransmit_frames(chan);
2246b2f1 3994
e072745f 3995 } else {
e2ab4353 3996 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6a026610 3997 (chan->unacked_frames > 0))
1a09bcb9 3998 __set_retrans_timer(chan);
1c2acffb 3999
e2ab4353
GP		 4000 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4001 if (test_bit(CONN_SREJ_SENT, &chan->conn_state))
525cd185 4002 l2cap_send_ack(chan);
894718a6 4003 else
525cd185 4004 l2cap_ertm_send(chan);
e072745f
GP		 4005 }
4006}
2246b2f1 4007
88843ab0 4008static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4009{
0b209fae 4010 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 4011
88843ab0 4012 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4013
e2ab4353 4014 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
e072745f 4015
42e5c802
GP		 4016 chan->expected_ack_seq = tx_seq;
4017 l2cap_drop_acked_frames(chan);
e072745f 4018
03f6715d 4019 if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4020 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
525cd185 4021 l2cap_retransmit_frames(chan);
e072745f 4022 } else {
525cd185 4023 l2cap_retransmit_frames(chan);
30afb5b2 4024
e2ab4353
GP		 4025 if (test_bit(CONN_WAIT_F, &chan->conn_state))
4026 set_bit(CONN_REJ_ACT, &chan->conn_state);
e072745f
GP		 4027 }
4028}
88843ab0 4029static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4030{
0b209fae 4031 u16 tx_seq = __get_reqseq(chan, rx_control);
30afb5b2 4032
88843ab0 4033 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4034
e2ab4353 4035 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
2246b2f1 4036
e3781735 4037 if (__is_ctrl_poll(chan, rx_control)) {
42e5c802
GP		 4038 chan->expected_ack_seq = tx_seq;
4039 l2cap_drop_acked_frames(chan);
3cb123d1 4040
e2ab4353 4041 set_bit(CONN_SEND_FBIT, &chan->conn_state);
525cd185 4042 l2cap_retransmit_one_frame(chan, tx_seq);
dfc909be 4043
525cd185 4044 l2cap_ertm_send(chan);
dfc909be 4045
e2ab4353 4046 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 4047 chan->srej_save_reqseq = tx_seq;
e2ab4353 4048 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 4049 }
03f6715d 4050 } else if (__is_ctrl_final(chan, rx_control)) {
e2ab4353 4051 if (test_bit(CONN_SREJ_ACT, &chan->conn_state) &&
6a026610 4052 chan->srej_save_reqseq == tx_seq)
e2ab4353 4053 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
e072745f 4054 else
525cd185 4055 l2cap_retransmit_one_frame(chan, tx_seq);
e072745f 4056 } else {
525cd185 4057 l2cap_retransmit_one_frame(chan, tx_seq);
e2ab4353 4058 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
6a026610 4059 chan->srej_save_reqseq = tx_seq;
e2ab4353 4060 set_bit(CONN_SREJ_ACT, &chan->conn_state);
ef54fd93 4061 }
e072745f
GP		 4062 }
4063}
4064
88843ab0 4065static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u32 rx_control)
e072745f 4066{
0b209fae 4067 u16 tx_seq = __get_reqseq(chan, rx_control);
e072745f 4068
88843ab0 4069 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
0e98958d 4070
e2ab4353 4071 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
42e5c802
GP		 4072 chan->expected_ack_seq = tx_seq;
4073 l2cap_drop_acked_frames(chan);
e072745f 4074
e3781735 4075 if (__is_ctrl_poll(chan, rx_control))
e2ab4353 4076 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3cb123d1 4077
e2ab4353 4078 if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
1a09bcb9 4079 __clear_retrans_timer(chan);
e3781735 4080 if (__is_ctrl_poll(chan, rx_control))
525cd185 4081 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
99b0d4b7 4082 return;
e072745f 4083 }
99b0d4b7 4084
e3781735 4085 if (__is_ctrl_poll(chan, rx_control)) {
525cd185 4086 l2cap_send_srejtail(chan);
ab784b73
AE		 4087 } else {
4088 rx_control = __set_ctrl_super(chan, L2CAP_SUPER_RR);
4089 l2cap_send_sframe(chan, rx_control);
4090 }
e072745f
GP		 4091}
4092
88843ab0 4093static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
e072745f 4094{
88843ab0 4095 BT_DBG("chan %p rx_control 0x%8.8x len %d", chan, rx_control, skb->len);
e072745f 4096
03f6715d 4097 if (__is_ctrl_final(chan, rx_control) &&
e2ab4353 4098 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1a09bcb9 4099 __clear_monitor_timer(chan);
6a026610 4100 if (chan->unacked_frames > 0)
1a09bcb9 4101 __set_retrans_timer(chan);
e2ab4353 4102 clear_bit(CONN_WAIT_F, &chan->conn_state);
e072745f
GP		 4103 }
4104
ab784b73
AE		 4105 switch (__get_ctrl_super(chan, rx_control)) {
4106 case L2CAP_SUPER_RR:
525cd185 4107 l2cap_data_channel_rrframe(chan, rx_control);
8f17154f
GP		 4108 break;
4109
ab784b73 4110 case L2CAP_SUPER_REJ:
525cd185 4111 l2cap_data_channel_rejframe(chan, rx_control);
e072745f 4112 break;
2246b2f1 4113
ab784b73 4114 case L2CAP_SUPER_SREJ:
525cd185 4115 l2cap_data_channel_srejframe(chan, rx_control);
e072745f
GP		 4116 break;
4117
ab784b73 4118 case L2CAP_SUPER_RNR:
525cd185 4119 l2cap_data_channel_rnrframe(chan, rx_control);
1c2acffb
GP		 4120 break;
4121 }
4122
faaebd19 4123 kfree_skb(skb);
1c2acffb
GP		 4124 return 0;
4125}
4126
cad8f1d0 4127static int l2cap_ertm_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
218bb9df 4128{
88843ab0 4129 u32 control;
0b209fae 4130 u16 req_seq;
218bb9df
GP		 4131 int len, next_tx_seq_offset, req_seq_offset;
4132
88843ab0
AE		 4133 control = __get_control(chan, skb->data);
4134 skb_pull(skb, __ctrl_size(chan));
218bb9df
GP		 4135 len = skb->len;
4136
4137 /*
4138 * We can just drop the corrupted I-frame here.
4139 * Receiver will miss it and start proper recovery
4140 * procedures and ask retransmission.
4141 */
47d1ec61 4142 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 4143 goto drop;
4144
793c2f1c 4145 if (__is_sar_start(chan, control) && !__is_sframe(chan, control))
03a51213 4146 len -= L2CAP_SDULEN_SIZE;
218bb9df 4147
47d1ec61 4148 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 4149 len -= L2CAP_FCS_SIZE;
218bb9df 4150
47d1ec61 4151 if (len > chan->mps) {
8c1d787b 4152 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4153 goto drop;
4154 }
4155
0b209fae 4156 req_seq = __get_reqseq(chan, control);
218bb9df 4157
836be934
AE		 4158 req_seq_offset = __seq_offset(chan, req_seq, chan->expected_ack_seq);
4159
4160 next_tx_seq_offset = __seq_offset(chan, chan->next_tx_seq,
4161 chan->expected_ack_seq);
218bb9df
GP		 4162
4163 /* check for invalid req-seq */
4164 if (req_seq_offset > next_tx_seq_offset) {
8c1d787b 4165 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4166 goto drop;
4167 }
4168
793c2f1c 4169 if (!__is_sframe(chan, control)) {
218bb9df 4170 if (len < 0) {
8c1d787b 4171 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4172 goto drop;
4173 }
4174
525cd185 4175 l2cap_data_channel_iframe(chan, control, skb);
218bb9df
GP		 4176 } else {
4177 if (len != 0) {
4178 BT_ERR("%d", len);
8c1d787b 4179 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4180 goto drop;
4181 }
4182
525cd185 4183 l2cap_data_channel_sframe(chan, control, skb);
218bb9df
GP		 4184 }
4185
4186 return 0;
4187
4188drop:
4189 kfree_skb(skb);
4190 return 0;
4191}
4192
1da177e4
LT		 4193static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
4194{
48454079 4195 struct l2cap_chan *chan;
bf734843 4196 struct sock *sk = NULL;
88843ab0 4197 u32 control;
fb45de7d 4198 u16 tx_seq;
218bb9df 4199 int len;
1da177e4 4200
baa7e1fa 4201 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 4202 if (!chan) {
1da177e4
LT		 4203 BT_DBG("unknown cid 0x%4.4x", cid);
4204 goto drop;
4205 }
4206
48454079 4207 sk = chan->sk;
6840ed07 4208
49208c9c 4209 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 4210
89bc500e 4211 if (chan->state != BT_CONNECTED)
1da177e4
LT		 4212 goto drop;
4213
0c1bc5c6 4214 switch (chan->mode) {
1c2acffb
GP		 4215 case L2CAP_MODE_BASIC:
4216 /* If socket recv buffers overflows we drop data here
4217 * which is *bad* because L2CAP has to be reliable.
4218 * But we don't have any other choice. L2CAP doesn't
4219 * provide flow control mechanism. */
1da177e4 4220
0c1bc5c6 4221 if (chan->imtu < skb->len)
1c2acffb 4222 goto drop;
1da177e4 4223
23070494 4224 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP		 4225 goto done;
4226 break;
4227
4228 case L2CAP_MODE_ERTM:
5ef8cb9e 4229 l2cap_ertm_data_rcv(chan, skb);
1c2acffb 4230
fcafde2e 4231 goto done;
1c2acffb 4232
6840ed07 4233 case L2CAP_MODE_STREAMING:
88843ab0
AE		 4234 control = __get_control(chan, skb->data);
4235 skb_pull(skb, __ctrl_size(chan));
6840ed07
GP		 4236 len = skb->len;
4237
47d1ec61 4238 if (l2cap_check_fcs(chan, skb))
26000089
GP		 4239 goto drop;
4240
7e0ef6ee 4241 if (__is_sar_start(chan, control))
03a51213 4242 len -= L2CAP_SDULEN_SIZE;
6840ed07 4243
47d1ec61 4244 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 4245 len -= L2CAP_FCS_SIZE;
fcc203c3 4246
793c2f1c 4247 if (len > chan->mps || len < 0 || __is_sframe(chan, control))
6840ed07
GP		 4248 goto drop;
4249
fb45de7d 4250 tx_seq = __get_txseq(chan, control);
6840ed07 4251
84084a31
MM		 4252 if (chan->expected_tx_seq != tx_seq) {
4253 /* Frame(s) missing - must discard partial SDU */
4254 kfree_skb(chan->sdu);
4255 chan->sdu = NULL;
4256 chan->sdu_last_frag = NULL;
4257 chan->sdu_len = 0;
6840ed07 4258
84084a31
MM		 4259 /* TODO: Notify userland of missing data */
4260 }
4261
836be934 4262 chan->expected_tx_seq = __next_seq(chan, tx_seq);
84084a31
MM		 4263
4264 if (l2cap_reassemble_sdu(chan, skb, control) == -EMSGSIZE)
4265 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
6840ed07
GP		 4266
4267 goto done;
4268
1c2acffb 4269 default:
0c1bc5c6 4270 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 4271 break;
4272 }
1da177e4
LT		 4273
4274drop:
4275 kfree_skb(skb);
4276
4277done:
0139418c 4278 if (sk)
aa2ac881 4279 release_sock(sk);
0139418c 4280
1da177e4
LT		 4281 return 0;
4282}
4283
8e036fc3 4284static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 4285{
6dcae1ea 4286 struct sock *sk = NULL;
23691d75 4287 struct l2cap_chan *chan;
1da177e4 4288
23691d75
GP		 4289 chan = l2cap_global_chan_by_psm(0, psm, conn->src);
4290 if (!chan)
1da177e4
LT		 4291 goto drop;
4292
23691d75
GP		 4293 sk = chan->sk;
4294
aa2ac881 4295 lock_sock(sk);
e0f0cb56 4296
1da177e4
LT		 4297 BT_DBG("sk %p, len %d", sk, skb->len);
4298
89bc500e 4299 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 4300 goto drop;
4301
e13e21dc 4302 if (chan->imtu < skb->len)
1da177e4
LT		 4303 goto drop;
4304
23070494 4305 if (!chan->ops->recv(chan->data, skb))
1da177e4
LT		 4306 goto done;
4307
4308drop:
4309 kfree_skb(skb);
4310
4311done:
af05b30b 4312 if (sk)
aa2ac881 4313 release_sock(sk);
1da177e4
LT		 4314 return 0;
4315}
4316
9f69bda6
GP		 4317static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
4318{
6dcae1ea 4319 struct sock *sk = NULL;
23691d75 4320 struct l2cap_chan *chan;
9f69bda6 4321
23691d75
GP		 4322 chan = l2cap_global_chan_by_scid(0, cid, conn->src);
4323 if (!chan)
9f69bda6
GP		 4324 goto drop;
4325
23691d75
GP		 4326 sk = chan->sk;
4327
aa2ac881 4328 lock_sock(sk);
9f69bda6
GP		 4329
4330 BT_DBG("sk %p, len %d", sk, skb->len);
4331
89bc500e 4332 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 4333 goto drop;
4334
e13e21dc 4335 if (chan->imtu < skb->len)
9f69bda6
GP		 4336 goto drop;
4337
23070494 4338 if (!chan->ops->recv(chan->data, skb))
9f69bda6
GP		 4339 goto done;
4340
4341drop:
4342 kfree_skb(skb);
4343
4344done:
4345 if (sk)
aa2ac881 4346 release_sock(sk);
9f69bda6
GP		 4347 return 0;
4348}
4349
1da177e4
LT		 4350static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4351{
4352 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4353 u16 cid, len;
4354 __le16 psm;
1da177e4
LT		 4355
4356 skb_pull(skb, L2CAP_HDR_SIZE);
4357 cid = __le16_to_cpu(lh->cid);
4358 len = __le16_to_cpu(lh->len);
4359
1c2acffb
GP		 4360 if (len != skb->len) {
4361 kfree_skb(skb);
4362 return;
4363 }
4364
1da177e4
LT		 4365 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4366
4367 switch (cid) {
3300d9a9 4368 case L2CAP_CID_LE_SIGNALING:
8db4dc46 4369 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4370 l2cap_sig_channel(conn, skb);
4371 break;
4372
8db4dc46 4373 case L2CAP_CID_CONN_LESS:
1b7bf4ed 4374 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 4375 skb_pull(skb, 2);
4376 l2cap_conless_channel(conn, psm, skb);
4377 break;
4378
9f69bda6
GP		 4379 case L2CAP_CID_LE_DATA:
4380 l2cap_att_channel(conn, cid, skb);
4381 break;
4382
b501d6a1
AB		 4383 case L2CAP_CID_SMP:
4384 if (smp_sig_channel(conn, skb))
4385 l2cap_conn_del(conn->hcon, EACCES);
4386 break;
4387
1da177e4
LT		 4388 default:
4389 l2cap_data_channel(conn, cid, skb);
4390 break;
4391 }
4392}
4393
4394/* ---- L2CAP interface with lower layer (HCI) ---- */
4395
686ebf28 4396int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 4397{
4398 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 4399 struct l2cap_chan *c;
1da177e4 4400
1da177e4
LT		 4401 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4402
4403 /* Find listening sockets and check their link_mode */
23691d75
GP		 4404 read_lock(&chan_list_lock);
4405 list_for_each_entry(c, &chan_list, global_l) {
4406 struct sock *sk = c->sk;
4343478f 4407
89bc500e 4408 if (c->state != BT_LISTEN)
1da177e4
LT		 4409 continue;
4410
4411 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4412 lm1 |= HCI_LM_ACCEPT;
43bd0f32 4413 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 4414 lm1 |= HCI_LM_MASTER;
1da177e4 4415 exact++;
2af6b9d5
MH		 4416 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4417 lm2 |= HCI_LM_ACCEPT;
43bd0f32 4418 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 4419 lm2 |= HCI_LM_MASTER;
4420 }
1da177e4 4421 }
23691d75 4422 read_unlock(&chan_list_lock);
1da177e4
LT		 4423
4424 return exact ? lm1 : lm2;
4425}
4426
686ebf28 4427int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 4428{
0139418c
MH		 4429 struct l2cap_conn *conn;
4430
1da177e4
LT		 4431 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4432
1da177e4 4433 if (!status) {
1da177e4
LT		 4434 conn = l2cap_conn_add(hcon, status);
4435 if (conn)
4436 l2cap_conn_ready(conn);
0139418c 4437 } else
e175072f 4438 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 4439
4440 return 0;
4441}
4442
686ebf28 4443int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 4444{
4445 struct l2cap_conn *conn = hcon->l2cap_data;
4446
4447 BT_DBG("hcon %p", hcon);
4448
686ebf28 4449 if (!conn)
9f5a0d7b 4450 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 4451 return conn->disc_reason;
4452}
4453
686ebf28 4454int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4455{
4456 BT_DBG("hcon %p reason %d", hcon, reason);
4457
e175072f 4458 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 4459 return 0;
4460}
4461
4343478f 4462static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4463{
715ec005 4464 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 4465 return;
4466
f62e4323 4467 if (encrypt == 0x00) {
4343478f 4468 if (chan->sec_level == BT_SECURITY_MEDIUM) {
c9b66675 4469 __clear_chan_timer(chan);
b83ddfe2
AK		 4470 __set_chan_timer(chan,
4471 msecs_to_jiffies(L2CAP_ENC_TIMEOUT));
4343478f 4472 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 4473 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4474 } else {
4343478f 4475 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 4476 __clear_chan_timer(chan);
f62e4323
MH		 4477 }
4478}
4479
686ebf28 4480int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4481{
0139418c 4482 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4483 struct l2cap_chan *chan;
1da177e4 4484
0139418c 4485 if (!conn)
1da177e4 4486 return 0;
0139418c 4487
1da177e4
LT		 4488 BT_DBG("conn %p", conn);
4489
160dc6ac
VCG		 4490 if (hcon->type == LE_LINK) {
4491 smp_distribute_keys(conn, 0);
17cd3f37 4492 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 4493 }
4494
3d57dc68 4495 rcu_read_lock();
1da177e4 4496
3d57dc68 4497 list_for_each_entry_rcu(chan, &conn->chan_l, list) {
48454079 4498 struct sock *sk = chan->sk;
baa7e1fa 4499
1da177e4
LT		 4500 bh_lock_sock(sk);
4501
f1cb9af5
VCG		 4502 BT_DBG("chan->scid %d", chan->scid);
4503
4504 if (chan->scid == L2CAP_CID_LE_DATA) {
4505 if (!status && encrypt) {
4506 chan->sec_level = hcon->sec_level;
cf4cd009 4507 l2cap_chan_ready(chan);
f1cb9af5
VCG		 4508 }
4509
4510 bh_unlock_sock(sk);
4511 continue;
4512 }
4513
c1360a1c 4514 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6a8d3010
MH		 4515 bh_unlock_sock(sk);
4516 continue;
4517 }
4518
89bc500e
GP		 4519 if (!status && (chan->state == BT_CONNECTED ||
4520 chan->state == BT_CONFIG)) {
4343478f 4521 l2cap_check_encryption(chan, encrypt);
9719f8af
MH		 4522 bh_unlock_sock(sk);
4523 continue;
4524 }
4525
89bc500e 4526 if (chan->state == BT_CONNECT) {
b1235d79
MH		 4527 if (!status) {
4528 struct l2cap_conn_req req;
fe4128e0
GP		 4529 req.scid = cpu_to_le16(chan->scid);
4530 req.psm = chan->psm;
1da177e4 4531
fc7f8a7e 4532 chan->ident = l2cap_get_ident(conn);
c1360a1c 4533 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4 4534
fc7f8a7e 4535 l2cap_send_cmd(conn, chan->ident,
b1235d79
MH		 4536 L2CAP_CONN_REQ, sizeof(req), &req);
4537 } else {
c9b66675 4538 __clear_chan_timer(chan);
b83ddfe2
AK		 4539 __set_chan_timer(chan,
4540 msecs_to_jiffies(L2CAP_DISC_TIMEOUT));
b1235d79 4541 }
89bc500e 4542 } else if (chan->state == BT_CONNECT2) {
b1235d79 4543 struct l2cap_conn_rsp rsp;
df3c3931 4544 __u16 res, stat;
1da177e4 4545
b1235d79 4546 if (!status) {
df3c3931
JH		 4547 if (bt_sk(sk)->defer_setup) {
4548 struct sock *parent = bt_sk(sk)->parent;
4549 res = L2CAP_CR_PEND;
4550 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 4551 if (parent)
4552 parent->sk_data_ready(parent, 0);
df3c3931 4553 } else {
05558911 4554 l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 4555 res = L2CAP_CR_SUCCESS;
4556 stat = L2CAP_CS_NO_INFO;
4557 }
b1235d79 4558 } else {
89bc500e 4559 l2cap_state_change(chan, BT_DISCONN);
b83ddfe2
AK		 4560 __set_chan_timer(chan,
4561 msecs_to_jiffies(L2CAP_DISC_TIMEOUT));
df3c3931
JH		 4562 res = L2CAP_CR_SEC_BLOCK;
4563 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 4564 }
4565
fe4128e0
GP		 4566 rsp.scid = cpu_to_le16(chan->dcid);
4567 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 4568 rsp.result = cpu_to_le16(res);
4569 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 4570 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4571 sizeof(rsp), &rsp);
b1235d79 4572 }
1da177e4
LT		 4573
4574 bh_unlock_sock(sk);
4575 }
4576
3d57dc68 4577 rcu_read_unlock();
b1235d79 4578
1da177e4
LT		 4579 return 0;
4580}
4581
686ebf28 4582int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 4583{
4584 struct l2cap_conn *conn = hcon->l2cap_data;
4585
5a08ecce
AE		 4586 if (!conn)
4587 conn = l2cap_conn_add(hcon, 0);
4588
4589 if (!conn)
1da177e4
LT		 4590 goto drop;
4591
4592 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4593
e702112f 4594 if (!(flags & ACL_CONT)) {
1da177e4 4595 struct l2cap_hdr *hdr;
48454079 4596 struct l2cap_chan *chan;
89794813 4597 u16 cid;
1da177e4
LT		 4598 int len;
4599
4600 if (conn->rx_len) {
4601 BT_ERR("Unexpected start frame (len %d)", skb->len);
4602 kfree_skb(conn->rx_skb);
4603 conn->rx_skb = NULL;
4604 conn->rx_len = 0;
4605 l2cap_conn_unreliable(conn, ECOMM);
4606 }
4607
aae7fe22
AE		 4608 /* Start fragment always begin with Basic L2CAP header */
4609 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 4610 BT_ERR("Frame is too short (len %d)", skb->len);
4611 l2cap_conn_unreliable(conn, ECOMM);
4612 goto drop;
4613 }
4614
4615 hdr = (struct l2cap_hdr *) skb->data;
4616 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
89794813 4617 cid = __le16_to_cpu(hdr->cid);
1da177e4
LT		 4618
4619 if (len == skb->len) {
4620 /* Complete frame received */
4621 l2cap_recv_frame(conn, skb);
4622 return 0;
4623 }
4624
4625 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4626
4627 if (skb->len > len) {
4628 BT_ERR("Frame is too long (len %d, expected len %d)",
4629 skb->len, len);
4630 l2cap_conn_unreliable(conn, ECOMM);
4631 goto drop;
4632 }
4633
baa7e1fa 4634 chan = l2cap_get_chan_by_scid(conn, cid);
89794813 4635
48454079
GP		 4636 if (chan && chan->sk) {
4637 struct sock *sk = chan->sk;
89794813 4638
0c1bc5c6 4639 if (chan->imtu < len - L2CAP_HDR_SIZE) {
48454079
GP		 4640 BT_ERR("Frame exceeding recv MTU (len %d, "
4641 "MTU %d)", len,
0c1bc5c6 4642 chan->imtu);
aa2ac881 4643 release_sock(sk);
48454079
GP		 4644 l2cap_conn_unreliable(conn, ECOMM);
4645 goto drop;
4646 }
aa2ac881 4647 release_sock(sk);
48454079 4648 }
89794813 4649
1da177e4 4650 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4651 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4652 if (!conn->rx_skb)
1da177e4
LT		 4653 goto drop;
4654
d626f62b 4655 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4656 skb->len);
1da177e4
LT		 4657 conn->rx_len = len - skb->len;
4658 } else {
4659 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4660
4661 if (!conn->rx_len) {
4662 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4663 l2cap_conn_unreliable(conn, ECOMM);
4664 goto drop;
4665 }
4666
4667 if (skb->len > conn->rx_len) {
4668 BT_ERR("Fragment is too long (len %d, expected %d)",
4669 skb->len, conn->rx_len);
4670 kfree_skb(conn->rx_skb);
4671 conn->rx_skb = NULL;
4672 conn->rx_len = 0;
4673 l2cap_conn_unreliable(conn, ECOMM);
4674 goto drop;
4675 }
4676
d626f62b 4677 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4678 skb->len);
1da177e4
LT		 4679 conn->rx_len -= skb->len;
4680
4681 if (!conn->rx_len) {
4682 /* Complete frame received */
4683 l2cap_recv_frame(conn, conn->rx_skb);
4684 conn->rx_skb = NULL;
4685 }
4686 }
4687
4688drop:
4689 kfree_skb(skb);
4690 return 0;
4691}
4692
aef7d97c 4693static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 4694{
23691d75 4695 struct l2cap_chan *c;
1da177e4 4696
333055f2 4697 read_lock(&chan_list_lock);
1da177e4 4698
23691d75
GP		 4699 list_for_each_entry(c, &chan_list, global_l) {
4700 struct sock *sk = c->sk;
101545f6 4701
903d343e 4702 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 4703 batostr(&bt_sk(sk)->src),
4704 batostr(&bt_sk(sk)->dst),
89bc500e 4705 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 4706 c->scid, c->dcid, c->imtu, c->omtu,
4707 c->sec_level, c->mode);
61e1b4b7 4708 }
1da177e4 4709
333055f2 4710 read_unlock(&chan_list_lock);
1da177e4 4711
aef7d97c 4712 return 0;
1da177e4
LT		 4713}
4714
aef7d97c
MH		 4715static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4716{
4717 return single_open(file, l2cap_debugfs_show, inode->i_private);
4718}
4719
4720static const struct file_operations l2cap_debugfs_fops = {
4721 .open = l2cap_debugfs_open,
4722 .read = seq_read,
4723 .llseek = seq_lseek,
4724 .release = single_release,
4725};
4726
4727static struct dentry *l2cap_debugfs;
1da177e4 4728
64274518 4729int __init l2cap_init(void)
1da177e4
LT		 4730{
4731 int err;
be9d1227 4732
bb58f747 4733 err = l2cap_init_sockets();
1da177e4
LT		 4734 if (err < 0)
4735 return err;
4736
aef7d97c
MH		 4737 if (bt_debugfs) {
4738 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4739 bt_debugfs, NULL, &l2cap_debugfs_fops);
4740 if (!l2cap_debugfs)
4741 BT_ERR("Failed to create L2CAP debug file");
4742 }
1da177e4 4743
1da177e4 4744 return 0;
1da177e4
LT		 4745}
4746
64274518 4747void l2cap_exit(void)
1da177e4 4748{
aef7d97c 4749 debugfs_remove(l2cap_debugfs);
bb58f747 4750 l2cap_cleanup_sockets();
1da177e4
LT		 4751}
4752
d1c4a17d
GP		 4753module_param(disable_ertm, bool, 0644);
4754MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
Linux kernel - Deliverables
This page took 1.533179 seconds and 5 git commands to generate.