projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Move l2cap_chan_hold/put to l2cap_core.c
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
b501d6a1 39#include <net/bluetooth/smp.h>
97e8e89d 40#include <net/bluetooth/a2mp.h>
1da177e4 41
d1de6d46 42bool disable_ertm;
f0709e03 43
47ec1dcd 44static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 45static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 46
b5ad8b7f
JB		 47static LIST_HEAD(chan_list);
48static DEFINE_RWLOCK(chan_list_lock);
1da177e4 49
1da177e4
LT		 50static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
51 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 52static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
53 void *data);
710f9b0a 54static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a 55static void l2cap_send_disconn_req(struct l2cap_conn *conn,
c5daa683 56 struct l2cap_chan *chan, int err);
1da177e4 57
d660366d 58static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
608bcc6d
MM		 59 struct sk_buff_head *skbs, u8 event);
60
0139418c 61/* ---- L2CAP channels ---- */
71ba0e56 62
baa7e1fa 63static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 64{
3df91ea2 65 struct l2cap_chan *c;
3d57dc68 66
3df91ea2
AE		 67 list_for_each_entry(c, &conn->chan_l, list) {
68 if (c->dcid == cid)
69 return c;
0139418c 70 }
3df91ea2 71 return NULL;
0139418c
MH		 72}
73
baa7e1fa 74static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 75{
3df91ea2 76 struct l2cap_chan *c;
3d57dc68 77
3df91ea2
AE		 78 list_for_each_entry(c, &conn->chan_l, list) {
79 if (c->scid == cid)
80 return c;
0139418c 81 }
3df91ea2 82 return NULL;
0139418c
MH		 83}
84
85/* Find channel with given SCID.
ef191ade 86 * Returns locked channel. */
baa7e1fa 87static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 88{
48454079 89 struct l2cap_chan *c;
baa7e1fa 90
3df91ea2 91 mutex_lock(&conn->chan_lock);
baa7e1fa 92 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 93 if (c)
94 l2cap_chan_lock(c);
3df91ea2
AE		 95 mutex_unlock(&conn->chan_lock);
96
48454079 97 return c;
0139418c
MH		 98}
99
baa7e1fa 100static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 101{
3df91ea2 102 struct l2cap_chan *c;
3d57dc68 103
3df91ea2
AE		 104 list_for_each_entry(c, &conn->chan_l, list) {
105 if (c->ident == ident)
106 return c;
0139418c 107 }
3df91ea2 108 return NULL;
0139418c
MH		 109}
110
23691d75 111static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 112{
23691d75 113 struct l2cap_chan *c;
9e4425ff 114
23691d75
GP		 115 list_for_each_entry(c, &chan_list, global_l) {
116 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 117 return c;
9e4425ff 118 }
250938cb 119 return NULL;
9e4425ff
GP		 120}
121
122int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
123{
73b2ec18
GP		 124 int err;
125
333055f2 126 write_lock(&chan_list_lock);
9e4425ff 127
23691d75 128 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 129 err = -EADDRINUSE;
130 goto done;
9e4425ff
GP		 131 }
132
73b2ec18
GP		 133 if (psm) {
134 chan->psm = psm;
135 chan->sport = psm;
136 err = 0;
137 } else {
138 u16 p;
139
140 err = -EINVAL;
141 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 142 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 143 chan->psm = cpu_to_le16(p);
144 chan->sport = cpu_to_le16(p);
145 err = 0;
146 break;
147 }
148 }
9e4425ff 149
73b2ec18 150done:
333055f2 151 write_unlock(&chan_list_lock);
73b2ec18 152 return err;
9e4425ff
GP		 153}
154
155int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
156{
333055f2 157 write_lock(&chan_list_lock);
9e4425ff
GP		 158
159 chan->scid = scid;
160
333055f2 161 write_unlock(&chan_list_lock);
9e4425ff
GP		 162
163 return 0;
164}
165
baa7e1fa 166static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 167{
8db4dc46 168 u16 cid = L2CAP_CID_DYN_START;
0139418c 169
8db4dc46 170 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 171 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 172 return cid;
173 }
174
175 return 0;
176}
177
0e587be7 178static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 179{
42d2d87c 180 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
badaaa00
GP		 181 state_to_string(state));
182
89bc500e 183 chan->state = state;
80b98027 184 chan->ops->state_change(chan, state);
89bc500e
GP		 185}
186
0e587be7
AE		 187static void l2cap_state_change(struct l2cap_chan *chan, int state)
188{
189 struct sock *sk = chan->sk;
190
191 lock_sock(sk);
192 __l2cap_state_change(chan, state);
193 release_sock(sk);
194}
195
2e0052e4
AE		 196static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
197{
198 struct sock *sk = chan->sk;
199
200 sk->sk_err = err;
201}
202
203static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
204{
205 struct sock *sk = chan->sk;
206
207 lock_sock(sk);
208 __l2cap_chan_set_err(chan, err);
209 release_sock(sk);
210}
211
4239d16f
MM		 212static void __set_retrans_timer(struct l2cap_chan *chan)
213{
214 if (!delayed_work_pending(&chan->monitor_timer) &&
215 chan->retrans_timeout) {
216 l2cap_set_timer(chan, &chan->retrans_timer,
217 msecs_to_jiffies(chan->retrans_timeout));
218 }
219}
220
221static void __set_monitor_timer(struct l2cap_chan *chan)
222{
223 __clear_retrans_timer(chan);
224 if (chan->monitor_timeout) {
225 l2cap_set_timer(chan, &chan->monitor_timer,
226 msecs_to_jiffies(chan->monitor_timeout));
227 }
228}
229
608bcc6d
MM		 230static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
231 u16 seq)
232{
233 struct sk_buff *skb;
234
235 skb_queue_walk(head, skb) {
236 if (bt_cb(skb)->control.txseq == seq)
237 return skb;
238 }
239
240 return NULL;
241}
242
3c588192
MM		 243/* ---- L2CAP sequence number lists ---- */
244
245/* For ERTM, ordered lists of sequence numbers must be tracked for
246 * SREJ requests that are received and for frames that are to be
247 * retransmitted. These seq_list functions implement a singly-linked
248 * list in an array, where membership in the list can also be checked
249 * in constant time. Items can also be added to the tail of the list
250 * and removed from the head in constant time, without further memory
251 * allocs or frees.
252 */
253
254static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
255{
256 size_t alloc_size, i;
257
258 /* Allocated size is a power of 2 to map sequence numbers
259 * (which may be up to 14 bits) in to a smaller array that is
260 * sized for the negotiated ERTM transmit windows.
261 */
262 alloc_size = roundup_pow_of_two(size);
263
264 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
265 if (!seq_list->list)
266 return -ENOMEM;
267
268 seq_list->mask = alloc_size - 1;
269 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
270 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
271 for (i = 0; i < alloc_size; i++)
272 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
273
274 return 0;
275}
276
277static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
278{
279 kfree(seq_list->list);
280}
281
282static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
283 u16 seq)
284{
285 /* Constant-time check for list membership */
286 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
287}
288
289static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
290{
291 u16 mask = seq_list->mask;
292
293 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
294 /* In case someone tries to pop the head of an empty list */
295 return L2CAP_SEQ_LIST_CLEAR;
296 } else if (seq_list->head == seq) {
297 /* Head can be removed in constant time */
298 seq_list->head = seq_list->list[seq & mask];
299 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
300
301 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
302 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
303 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
304 }
305 } else {
306 /* Walk the list to find the sequence number */
307 u16 prev = seq_list->head;
308 while (seq_list->list[prev & mask] != seq) {
309 prev = seq_list->list[prev & mask];
310 if (prev == L2CAP_SEQ_LIST_TAIL)
311 return L2CAP_SEQ_LIST_CLEAR;
312 }
313
314 /* Unlink the number from the list and clear it */
315 seq_list->list[prev & mask] = seq_list->list[seq & mask];
316 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
317 if (seq_list->tail == seq)
318 seq_list->tail = prev;
319 }
320 return seq;
321}
322
323static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
324{
325 /* Remove the head in constant time */
326 return l2cap_seq_list_remove(seq_list, seq_list->head);
327}
328
329static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
330{
f522ae36 331 u16 i;
3c588192 332
f522ae36
GP		 333 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
334 return;
335
336 for (i = 0; i <= seq_list->mask; i++)
337 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
338
339 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
340 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 341}
342
343static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
344{
345 u16 mask = seq_list->mask;
346
347 /* All appends happen in constant time */
348
f522ae36
GP		 349 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
350 return;
3c588192 351
f522ae36
GP		 352 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
353 seq_list->head = seq;
354 else
355 seq_list->list[seq_list->tail & mask] = seq;
356
357 seq_list->tail = seq;
358 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 359}
360
721c4181 361static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 362{
721c4181
GP		 363 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
364 chan_timer.work);
3df91ea2 365 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 366 int reason;
367
e05dcc32 368 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 369
3df91ea2 370 mutex_lock(&conn->chan_lock);
6be36555 371 l2cap_chan_lock(chan);
ab07801d 372
89bc500e 373 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 374 reason = ECONNREFUSED;
89bc500e 375 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 376 chan->sec_level != BT_SECURITY_SDP)
377 reason = ECONNREFUSED;
378 else
379 reason = ETIMEDOUT;
380
0f852724 381 l2cap_chan_close(chan, reason);
ab07801d 382
6be36555 383 l2cap_chan_unlock(chan);
ab07801d 384
80b98027 385 chan->ops->close(chan);
3df91ea2
AE		 386 mutex_unlock(&conn->chan_lock);
387
371fd835 388 l2cap_chan_put(chan);
ab07801d
GP		 389}
390
eef1d9b6 391struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 392{
393 struct l2cap_chan *chan;
394
395 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
396 if (!chan)
397 return NULL;
398
c03b355e
AE		 399 mutex_init(&chan->lock);
400
333055f2 401 write_lock(&chan_list_lock);
23691d75 402 list_add(&chan->global_l, &chan_list);
333055f2 403 write_unlock(&chan_list_lock);
23691d75 404
721c4181 405 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 406
89bc500e
GP		 407 chan->state = BT_OPEN;
408
71ba0e56
GP		 409 atomic_set(&chan->refcnt, 1);
410
2827011f
MM		 411 /* This flag is cleared in l2cap_chan_ready() */
412 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
413
eef1d9b6 414 BT_DBG("chan %p", chan);
abc545b8 415
48454079
GP		 416 return chan;
417}
418
23691d75 419void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 420{
333055f2 421 write_lock(&chan_list_lock);
23691d75 422 list_del(&chan->global_l);
333055f2 423 write_unlock(&chan_list_lock);
23691d75 424
371fd835 425 l2cap_chan_put(chan);
6ff5abbf
GP		 426}
427
30648372
JK		 428void l2cap_chan_hold(struct l2cap_chan *c)
429{
430 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->refcnt));
431
432 atomic_inc(&c->refcnt);
433}
434
435void l2cap_chan_put(struct l2cap_chan *c)
436{
437 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->refcnt));
438
439 if (atomic_dec_and_test(&c->refcnt))
440 kfree(c);
441}
442
bd4b1653
AE		 443void l2cap_chan_set_defaults(struct l2cap_chan *chan)
444{
445 chan->fcs = L2CAP_FCS_CRC16;
446 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
447 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
448 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
c20f8e35 449 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653
AE		 450 chan->sec_level = BT_SECURITY_LOW;
451
452 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
453}
454
14a28491 455static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 456{
af05b30b 457 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 458 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 459
9f5a0d7b 460 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 461
8c1d787b 462 chan->conn = conn;
0139418c 463
5491120e
AE		 464 switch (chan->chan_type) {
465 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 466 if (conn->hcon->type == LE_LINK) {
467 /* LE connection */
6fcb06a2 468 chan->omtu = L2CAP_DEFAULT_MTU;
fe4128e0
GP		 469 chan->scid = L2CAP_CID_LE_DATA;
470 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 471 } else {
472 /* Alloc CID for connection-oriented socket */
fe4128e0 473 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 474 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 475 }
5491120e
AE		 476 break;
477
478 case L2CAP_CHAN_CONN_LESS:
0139418c 479 /* Connectionless socket */
fe4128e0
GP		 480 chan->scid = L2CAP_CID_CONN_LESS;
481 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 482 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 483 break;
484
416fa752
AE		 485 case L2CAP_CHAN_CONN_FIX_A2MP:
486 chan->scid = L2CAP_CID_A2MP;
487 chan->dcid = L2CAP_CID_A2MP;
488 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
489 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
490 break;
491
5491120e 492 default:
0139418c 493 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 494 chan->scid = L2CAP_CID_SIGNALING;
495 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 496 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 497 }
498
8f7975b1
AE		 499 chan->local_id = L2CAP_BESTEFFORT_ID;
500 chan->local_stype = L2CAP_SERV_BESTEFFORT;
501 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
502 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
503 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
504 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
505
371fd835 506 l2cap_chan_hold(chan);
baa7e1fa 507
3df91ea2 508 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 509}
510
466f8004 511void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 512{
513 mutex_lock(&conn->chan_lock);
514 __l2cap_chan_add(conn, chan);
3df91ea2 515 mutex_unlock(&conn->chan_lock);
0139418c
MH		 516}
517
466f8004 518void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 519{
8c1d787b 520 struct l2cap_conn *conn = chan->conn;
0139418c 521
c9b66675 522 __clear_chan_timer(chan);
0139418c 523
49208c9c 524 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 525
8e87d142 526 if (conn) {
baa7e1fa 527 /* Delete from channel list */
3df91ea2 528 list_del(&chan->list);
3d57dc68 529
371fd835 530 l2cap_chan_put(chan);
baa7e1fa 531
8c1d787b 532 chan->conn = NULL;
3cabbfda
AE		 533
534 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
535 hci_conn_put(conn->hcon);
0139418c
MH		 536 }
537
c0df7f6e
AE		 538 if (chan->ops->teardown)
539 chan->ops->teardown(chan, err);
6be36555 540
2827011f 541 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 542 return;
2ead70b8 543
ee556f66
GP		 544 switch(chan->mode) {
545 case L2CAP_MODE_BASIC:
546 break;
c13ffa62 547
ee556f66 548 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 549 __clear_retrans_timer(chan);
550 __clear_monitor_timer(chan);
551 __clear_ack_timer(chan);
c13ffa62 552
f1c6775b 553 skb_queue_purge(&chan->srej_q);
c13ffa62 554
3c588192
MM		 555 l2cap_seq_list_free(&chan->srej_list);
556 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 557
558 /* fall through */
559
560 case L2CAP_MODE_STREAMING:
561 skb_queue_purge(&chan->tx_q);
562 break;
c13ffa62 563 }
ee556f66
GP		 564
565 return;
0139418c
MH		 566}
567
0f852724 568void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 569{
570 struct l2cap_conn *conn = chan->conn;
571 struct sock *sk = chan->sk;
572
e05dcc32
AE		 573 BT_DBG("chan %p state %s sk %p", chan,
574 state_to_string(chan->state), sk);
4519de9a 575
89bc500e 576 switch (chan->state) {
4519de9a 577 case BT_LISTEN:
c0df7f6e
AE		 578 if (chan->ops->teardown)
579 chan->ops->teardown(chan, 0);
4519de9a
GP		 580 break;
581
582 case BT_CONNECTED:
583 case BT_CONFIG:
715ec005 584 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 585 conn->hcon->type == ACL_LINK) {
c9b66675 586 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 587 l2cap_send_disconn_req(conn, chan, reason);
588 } else
589 l2cap_chan_del(chan, reason);
590 break;
591
592 case BT_CONNECT2:
715ec005 593 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 594 conn->hcon->type == ACL_LINK) {
595 struct l2cap_conn_rsp rsp;
596 __u16 result;
597
c5daa683 598 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 599 result = L2CAP_CR_SEC_BLOCK;
600 else
601 result = L2CAP_CR_BAD_PSM;
89bc500e 602 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 603
604 rsp.scid = cpu_to_le16(chan->dcid);
605 rsp.dcid = cpu_to_le16(chan->scid);
606 rsp.result = cpu_to_le16(result);
ac73498c 607 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4519de9a
GP		 608 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
609 sizeof(rsp), &rsp);
610 }
611
612 l2cap_chan_del(chan, reason);
613 break;
614
615 case BT_CONNECT:
616 case BT_DISCONN:
617 l2cap_chan_del(chan, reason);
618 break;
619
620 default:
c0df7f6e
AE		 621 if (chan->ops->teardown)
622 chan->ops->teardown(chan, 0);
4519de9a
GP		 623 break;
624 }
625}
626
4343478f 627static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 628{
715ec005 629 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 630 switch (chan->sec_level) {
8556edd3
JH		 631 case BT_SECURITY_HIGH:
632 return HCI_AT_DEDICATED_BONDING_MITM;
633 case BT_SECURITY_MEDIUM:
634 return HCI_AT_DEDICATED_BONDING;
635 default:
636 return HCI_AT_NO_BONDING;
637 }
2983fd68 638 } else if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
4343478f
GP		 639 if (chan->sec_level == BT_SECURITY_LOW)
640 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 641
4343478f 642 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 643 return HCI_AT_NO_BONDING_MITM;
00ae4af9 644 else
8556edd3 645 return HCI_AT_NO_BONDING;
00ae4af9 646 } else {
4343478f 647 switch (chan->sec_level) {
00ae4af9 648 case BT_SECURITY_HIGH:
8556edd3 649 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 650 case BT_SECURITY_MEDIUM:
8556edd3 651 return HCI_AT_GENERAL_BONDING;
00ae4af9 652 default:
8556edd3 653 return HCI_AT_NO_BONDING;
00ae4af9 654 }
0684e5f9 655 }
8556edd3
JH		 656}
657
658/* Service level security */
d45fc423 659int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 660{
8c1d787b 661 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 662 __u8 auth_type;
663
4343478f 664 auth_type = l2cap_get_auth_type(chan);
79d554a6 665
4343478f 666 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 667}
668
b5ad8b7f 669static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 670{
671 u8 id;
672
673 /* Get next available identificator.
674 * 1 - 128 are used by kernel.
675 * 129 - 199 are reserved.
676 * 200 - 254 are used by utilities like l2ping, etc.
677 */
678
333055f2 679 spin_lock(&conn->lock);
4e8402a3
MH		 680
681 if (++conn->tx_ident > 128)
682 conn->tx_ident = 1;
683
684 id = conn->tx_ident;
685
333055f2 686 spin_unlock(&conn->lock);
4e8402a3
MH		 687
688 return id;
689}
690
4519de9a 691static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 692{
693 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 694 u8 flags;
4e8402a3
MH		 695
696 BT_DBG("code 0x%2.2x", code);
697
698 if (!skb)
9a9c6a34 699 return;
4e8402a3 700
e702112f
AE		 701 if (lmp_no_flush_capable(conn->hcon->hdev))
702 flags = ACL_START_NO_FLUSH;
703 else
704 flags = ACL_START;
705
14b12d0b 706 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 707 skb->priority = HCI_PRIO_MAX;
14b12d0b 708
73d80deb
LAD		 709 hci_send_acl(conn->hchan, skb, flags);
710}
711
712static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
713{
714 struct hci_conn *hcon = chan->conn->hcon;
715 u16 flags;
716
717 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
718 skb->priority);
719
720 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
721 lmp_no_flush_capable(hcon->hdev))
722 flags = ACL_START_NO_FLUSH;
723 else
724 flags = ACL_START;
14b12d0b 725
73d80deb
LAD		 726 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
727 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 728}
729
b76bbd66
MM		 730static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
731{
732 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
733 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
734
735 if (enh & L2CAP_CTRL_FRAME_TYPE) {
736 /* S-Frame */
737 control->sframe = 1;
738 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
739 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
740
741 control->sar = 0;
742 control->txseq = 0;
743 } else {
744 /* I-Frame */
745 control->sframe = 0;
746 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
747 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
748
749 control->poll = 0;
750 control->super = 0;
751 }
752}
753
b76bbd66
MM		 754static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
755{
756 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
757 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
758
759 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
760 /* S-Frame */
761 control->sframe = 1;
762 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
763 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
764
765 control->sar = 0;
766 control->txseq = 0;
767 } else {
768 /* I-Frame */
769 control->sframe = 0;
770 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
771 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
772
773 control->poll = 0;
774 control->super = 0;
775 }
776}
777
778static inline void __unpack_control(struct l2cap_chan *chan,
779 struct sk_buff *skb)
780{
781 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
782 __unpack_extended_control(get_unaligned_le32(skb->data),
783 &bt_cb(skb)->control);
cec8ab6e 784 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 785 } else {
786 __unpack_enhanced_control(get_unaligned_le16(skb->data),
787 &bt_cb(skb)->control);
cec8ab6e 788 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 789 }
790}
791
b5c6aaed
MM		 792static u32 __pack_extended_control(struct l2cap_ctrl *control)
793{
794 u32 packed;
795
796 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
797 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
798
799 if (control->sframe) {
800 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
801 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
802 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
803 } else {
804 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
805 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
806 }
807
808 return packed;
809}
810
811static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
812{
813 u16 packed;
814
815 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
816 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
817
818 if (control->sframe) {
819 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
820 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
821 packed |= L2CAP_CTRL_FRAME_TYPE;
822 } else {
823 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
824 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
825 }
826
827 return packed;
828}
829
b76bbd66
MM		 830static inline void __pack_control(struct l2cap_chan *chan,
831 struct l2cap_ctrl *control,
832 struct sk_buff *skb)
833{
834 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
835 put_unaligned_le32(__pack_extended_control(control),
836 skb->data + L2CAP_HDR_SIZE);
837 } else {
838 put_unaligned_le16(__pack_enhanced_control(control),
839 skb->data + L2CAP_HDR_SIZE);
840 }
841}
842
ba7aa64f
GP		 843static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
844{
845 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
846 return L2CAP_EXT_HDR_SIZE;
847 else
848 return L2CAP_ENH_HDR_SIZE;
849}
850
a67d7f6f
MM		 851static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
852 u32 control)
b5c6aaed
MM		 853{
854 struct sk_buff *skb;
855 struct l2cap_hdr *lh;
ba7aa64f 856 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 857
858 if (chan->fcs == L2CAP_FCS_CRC16)
859 hlen += L2CAP_FCS_SIZE;
860
a67d7f6f 861 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 862
b5c6aaed 863 if (!skb)
a67d7f6f 864 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 865
866 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
867 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
868 lh->cid = cpu_to_le16(chan->dcid);
869
a67d7f6f
MM		 870 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
871 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
872 else
873 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 874
875 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 876 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 877 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
878 }
879
880 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 881 return skb;
882}
883
884static void l2cap_send_sframe(struct l2cap_chan *chan,
885 struct l2cap_ctrl *control)
886{
887 struct sk_buff *skb;
888 u32 control_field;
889
890 BT_DBG("chan %p, control %p", chan, control);
891
892 if (!control->sframe)
893 return;
894
895 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
896 !control->poll)
897 control->final = 1;
898
899 if (control->super == L2CAP_SUPER_RR)
900 clear_bit(CONN_RNR_SENT, &chan->conn_state);
901 else if (control->super == L2CAP_SUPER_RNR)
902 set_bit(CONN_RNR_SENT, &chan->conn_state);
903
904 if (control->super != L2CAP_SUPER_SREJ) {
905 chan->last_acked_seq = control->reqseq;
906 __clear_ack_timer(chan);
907 }
908
909 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
910 control->final, control->poll, control->super);
911
912 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
913 control_field = __pack_extended_control(control);
914 else
915 control_field = __pack_enhanced_control(control);
916
917 skb = l2cap_create_sframe_pdu(chan, control_field);
918 if (!IS_ERR(skb))
919 l2cap_do_send(chan, skb);
b5c6aaed
MM		 920}
921
c9e3d5e0 922static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 923{
c9e3d5e0
MM		 924 struct l2cap_ctrl control;
925
926 BT_DBG("chan %p, poll %d", chan, poll);
927
928 memset(&control, 0, sizeof(control));
929 control.sframe = 1;
930 control.poll = poll;
931
932 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
933 control.super = L2CAP_SUPER_RNR;
934 else
935 control.super = L2CAP_SUPER_RR;
b5c6aaed 936
c9e3d5e0
MM		 937 control.reqseq = chan->buffer_seq;
938 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 939}
940
b4450035 941static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 942{
c1360a1c 943 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 944}
945
9b27f350
AE		 946static void l2cap_send_conn_req(struct l2cap_chan *chan)
947{
948 struct l2cap_conn *conn = chan->conn;
949 struct l2cap_conn_req req;
950
951 req.scid = cpu_to_le16(chan->scid);
952 req.psm = chan->psm;
953
954 chan->ident = l2cap_get_ident(conn);
955
956 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
957
958 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
959}
960
9f0caeb1
VCG		 961static void l2cap_chan_ready(struct l2cap_chan *chan)
962{
2827011f 963 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 964 chan->conf_state = 0;
965 __clear_chan_timer(chan);
966
54a59aa2 967 chan->state = BT_CONNECTED;
9f0caeb1 968
fd83e2c2 969 chan->ops->ready(chan);
9f0caeb1
VCG		 970}
971
fc7f8a7e 972static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 973{
8c1d787b 974 struct l2cap_conn *conn = chan->conn;
79d554a6 975
9f0caeb1
VCG		 976 if (conn->hcon->type == LE_LINK) {
977 l2cap_chan_ready(chan);
978 return;
979 }
980
79d554a6 981 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 982 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
983 return;
984
d45fc423 985 if (l2cap_chan_check_security(chan) &&
9b27f350
AE		 986 __l2cap_no_conn_pending(chan))
987 l2cap_send_conn_req(chan);
79d554a6
MH		 988 } else {
989 struct l2cap_info_req req;
ac73498c 990 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 991
992 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
993 conn->info_ident = l2cap_get_ident(conn);
994
ba13ccd9 995 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 996
997 l2cap_send_cmd(conn, conn->info_ident,
998 L2CAP_INFO_REQ, sizeof(req), &req);
999 }
1000}
1001
cf6c2c0b
GP		 1002static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1003{
1004 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1005 if (!disable_ertm)
cf6c2c0b
GP		 1006 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1007
1008 switch (mode) {
1009 case L2CAP_MODE_ERTM:
1010 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1011 case L2CAP_MODE_STREAMING:
1012 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1013 default:
1014 return 0x00;
1015 }
1016}
1017
4519de9a 1018static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 1019{
6be36555 1020 struct sock *sk = chan->sk;
22121fc9
GP		 1021 struct l2cap_disconn_req req;
1022
c13ffa62
GP		 1023 if (!conn)
1024 return;
1025
0c1bc5c6 1026 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 1027 __clear_retrans_timer(chan);
1028 __clear_monitor_timer(chan);
1029 __clear_ack_timer(chan);
c13ffa62
GP		 1030 }
1031
416fa752
AE		 1032 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1033 __l2cap_state_change(chan, BT_DISCONN);
1034 return;
1035 }
1036
fe4128e0
GP		 1037 req.dcid = cpu_to_le16(chan->dcid);
1038 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 1039 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1040 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 1041
6be36555 1042 lock_sock(sk);
0e587be7 1043 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1044 __l2cap_chan_set_err(chan, err);
6be36555 1045 release_sock(sk);
22121fc9
GP		 1046}
1047
1da177e4 1048/* ---- L2CAP connections ---- */
4e8402a3
MH		 1049static void l2cap_conn_start(struct l2cap_conn *conn)
1050{
3df91ea2 1051 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1052
1053 BT_DBG("conn %p", conn);
1054
3df91ea2 1055 mutex_lock(&conn->chan_lock);
4e8402a3 1056
3df91ea2 1057 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1058 struct sock *sk = chan->sk;
baa7e1fa 1059
6be36555 1060 l2cap_chan_lock(chan);
4e8402a3 1061
715ec005 1062 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1063 l2cap_chan_unlock(chan);
79d554a6
MH		 1064 continue;
1065 }
1066
89bc500e 1067 if (chan->state == BT_CONNECT) {
d45fc423 1068 if (!l2cap_chan_check_security(chan) ||
b4450035 1069 !__l2cap_no_conn_pending(chan)) {
6be36555 1070 l2cap_chan_unlock(chan);
47731de7
GP		 1071 continue;
1072 }
79d554a6 1073
c1360a1c
GP		 1074 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1075 && test_bit(CONF_STATE2_DEVICE,
1076 &chan->conf_state)) {
89bc500e 1077 l2cap_chan_close(chan, ECONNRESET);
6be36555 1078 l2cap_chan_unlock(chan);
47731de7 1079 continue;
b1235d79 1080 }
47731de7 1081
9b27f350 1082 l2cap_send_conn_req(chan);
47731de7 1083
89bc500e 1084 } else if (chan->state == BT_CONNECT2) {
79d554a6 1085 struct l2cap_conn_rsp rsp;
e9aeb2dd 1086 char buf[128];
fe4128e0
GP		 1087 rsp.scid = cpu_to_le16(chan->dcid);
1088 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1089
d45fc423 1090 if (l2cap_chan_check_security(chan)) {
6be36555 1091 lock_sock(sk);
c5daa683
GP		 1092 if (test_bit(BT_SK_DEFER_SETUP,
1093 &bt_sk(sk)->flags)) {
f66dc81f 1094 struct sock *parent = bt_sk(sk)->parent;
ac73498c
AE		 1095 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1096 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 1097 if (parent)
1098 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 1099
1100 } else {
0e587be7 1101 __l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1102 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1103 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1104 }
6be36555 1105 release_sock(sk);
79d554a6 1106 } else {
ac73498c
AE		 1107 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1108 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1109 }
1110
fc7f8a7e
GP		 1111 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1112 sizeof(rsp), &rsp);
e9aeb2dd 1113
c1360a1c 1114 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd 1115 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1116 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1117 continue;
1118 }
1119
c1360a1c 1120 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1121 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 1122 l2cap_build_conf_req(chan, buf), buf);
1123 chan->num_conf_req++;
4e8402a3
MH		 1124 }
1125
6be36555 1126 l2cap_chan_unlock(chan);
4e8402a3
MH		 1127 }
1128
3df91ea2 1129 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1130}
1131
c2287681 1132/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1133 * Returns closest match, locked.
1134 */
d9b88702 1135static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1136 bdaddr_t *src,
1137 bdaddr_t *dst)
b62f328b 1138{
23691d75 1139 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1140
23691d75 1141 read_lock(&chan_list_lock);
b62f328b 1142
23691d75
GP		 1143 list_for_each_entry(c, &chan_list, global_l) {
1144 struct sock *sk = c->sk;
fe4128e0 1145
89bc500e 1146 if (state && c->state != state)
b62f328b
VT		 1147 continue;
1148
23691d75 1149 if (c->scid == cid) {
c2287681
IY		 1150 int src_match, dst_match;
1151 int src_any, dst_any;
1152
b62f328b 1153 /* Exact match. */
c2287681
IY		 1154 src_match = !bacmp(&bt_sk(sk)->src, src);
1155 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1156 if (src_match && dst_match) {
23691d75
GP		 1157 read_unlock(&chan_list_lock);
1158 return c;
1159 }
b62f328b
VT		 1160
1161 /* Closest match */
c2287681
IY		 1162 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1163 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1164 if ((src_match && dst_any) || (src_any && dst_match) ||
1165 (src_any && dst_any))
23691d75 1166 c1 = c;
b62f328b
VT		 1167 }
1168 }
280f294f 1169
23691d75 1170 read_unlock(&chan_list_lock);
b62f328b 1171
23691d75 1172 return c1;
b62f328b
VT		 1173}
1174
1175static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1176{
c916fbe4 1177 struct sock *parent, *sk;
23691d75 1178 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1179
1180 BT_DBG("");
1181
1182 /* Check if we have socket listening on cid */
23691d75 1183 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1184 conn->src, conn->dst);
23691d75 1185 if (!pchan)
b62f328b
VT		 1186 return;
1187
23691d75
GP		 1188 parent = pchan->sk;
1189
aa2ac881 1190 lock_sock(parent);
62f3a2cf 1191
80b98027 1192 chan = pchan->ops->new_connection(pchan);
80808e43 1193 if (!chan)
b62f328b
VT		 1194 goto clean;
1195
80808e43 1196 sk = chan->sk;
5d41ce1d 1197
b62f328b
VT		 1198 hci_conn_hold(conn->hcon);
1199
b62f328b
VT		 1200 bacpy(&bt_sk(sk)->src, conn->src);
1201 bacpy(&bt_sk(sk)->dst, conn->dst);
1202
d1010240
GP		 1203 bt_accept_enqueue(parent, sk);
1204
3d57dc68 1205 l2cap_chan_add(conn, chan);
48454079 1206
6754e0df 1207 l2cap_chan_ready(chan);
b62f328b 1208
b62f328b 1209clean:
aa2ac881 1210 release_sock(parent);
b62f328b
VT		 1211}
1212
4e8402a3
MH		 1213static void l2cap_conn_ready(struct l2cap_conn *conn)
1214{
48454079 1215 struct l2cap_chan *chan;
4e8402a3 1216
79d554a6 1217 BT_DBG("conn %p", conn);
4e8402a3 1218
b62f328b
VT		 1219 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
1220 l2cap_le_conn_ready(conn);
1221
160dc6ac
VCG		 1222 if (conn->hcon->out && conn->hcon->type == LE_LINK)
1223 smp_conn_security(conn, conn->hcon->pending_sec_level);
1224
3df91ea2 1225 mutex_lock(&conn->chan_lock);
4e8402a3 1226
3df91ea2 1227 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1228
6be36555 1229 l2cap_chan_lock(chan);
4e8402a3 1230
416fa752
AE		 1231 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1232 l2cap_chan_unlock(chan);
1233 continue;
1234 }
1235
63128451 1236 if (conn->hcon->type == LE_LINK) {
b501d6a1 1237 if (smp_conn_security(conn, chan->sec_level))
cf4cd009 1238 l2cap_chan_ready(chan);
acd7d370 1239
63128451 1240 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1241 struct sock *sk = chan->sk;
c9b66675 1242 __clear_chan_timer(chan);
6be36555 1243 lock_sock(sk);
0e587be7 1244 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1245 sk->sk_state_change(sk);
6be36555 1246 release_sock(sk);
b501d6a1 1247
89bc500e 1248 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1249 l2cap_do_start(chan);
4e8402a3 1250
6be36555 1251 l2cap_chan_unlock(chan);
4e8402a3 1252 }
79d554a6 1253
3df91ea2 1254 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1255}
1256
1257/* Notify sockets that we cannot guaranty reliability anymore */
1258static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1259{
48454079 1260 struct l2cap_chan *chan;
4e8402a3
MH		 1261
1262 BT_DBG("conn %p", conn);
1263
3df91ea2 1264 mutex_lock(&conn->chan_lock);
4e8402a3 1265
3df91ea2 1266 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1267 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
2e0052e4 1268 __l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1269 }
1270
3df91ea2 1271 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1272}
1273
f878fcad 1274static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1275{
f878fcad 1276 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
030013d8 1277 info_timer.work);
4e8402a3 1278
984947dc 1279 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1280 conn->info_ident = 0;
984947dc 1281
4e8402a3
MH		 1282 l2cap_conn_start(conn);
1283}
1284
5d3de7df
VCG		 1285static void l2cap_conn_del(struct hci_conn *hcon, int err)
1286{
1287 struct l2cap_conn *conn = hcon->l2cap_data;
1288 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1289
1290 if (!conn)
1291 return;
1292
1293 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1294
1295 kfree_skb(conn->rx_skb);
1296
3df91ea2
AE		 1297 mutex_lock(&conn->chan_lock);
1298
5d3de7df
VCG		 1299 /* Kill channels */
1300 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1301 l2cap_chan_hold(chan);
6be36555
AE		 1302 l2cap_chan_lock(chan);
1303
5d3de7df 1304 l2cap_chan_del(chan, err);
6be36555
AE		 1305
1306 l2cap_chan_unlock(chan);
1307
80b98027 1308 chan->ops->close(chan);
61d6ef3e 1309 l2cap_chan_put(chan);
5d3de7df
VCG		 1310 }
1311
3df91ea2
AE		 1312 mutex_unlock(&conn->chan_lock);
1313
73d80deb
LAD		 1314 hci_chan_del(conn->hchan);
1315
5d3de7df 1316 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1317 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1318
51a8efd7 1319 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1320 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1321 smp_chan_destroy(conn);
d26a2345 1322 }
5d3de7df
VCG		 1323
1324 hcon->l2cap_data = NULL;
1325 kfree(conn);
1326}
1327
6c9d42a1 1328static void security_timeout(struct work_struct *work)
5d3de7df 1329{
6c9d42a1
GP		 1330 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1331 security_timer.work);
5d3de7df 1332
d06cc416
JH		 1333 BT_DBG("conn %p", conn);
1334
1335 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1336 smp_chan_destroy(conn);
1337 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1338 }
5d3de7df
VCG		 1339}
1340
1da177e4
LT		 1341static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1342{
0139418c 1343 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1344 struct hci_chan *hchan;
1da177e4 1345
0139418c 1346 if (conn || status)
1da177e4
LT		 1347 return conn;
1348
73d80deb
LAD		 1349 hchan = hci_chan_create(hcon);
1350 if (!hchan)
1351 return NULL;
1352
0139418c 1353 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
73d80deb
LAD		 1354 if (!conn) {
1355 hci_chan_del(hchan);
1da177e4 1356 return NULL;
73d80deb 1357 }
1da177e4
LT		 1358
1359 hcon->l2cap_data = conn;
1360 conn->hcon = hcon;
73d80deb 1361 conn->hchan = hchan;
1da177e4 1362
73d80deb 1363 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1364
acd7d370
VT		 1365 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1366 conn->mtu = hcon->hdev->le_mtu;
1367 else
1368 conn->mtu = hcon->hdev->acl_mtu;
1369
1da177e4
LT		 1370 conn->src = &hcon->hdev->bdaddr;
1371 conn->dst = &hcon->dst;
1372
4e8402a3
MH		 1373 conn->feat_mask = 0;
1374
1da177e4 1375 spin_lock_init(&conn->lock);
3df91ea2 1376 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1377
1378 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1379
5d3de7df 1380 if (hcon->type == LE_LINK)
6c9d42a1 1381 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1382 else
030013d8 1383 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1384
9f5a0d7b 1385 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1386
1da177e4
LT		 1387 return conn;
1388}
1389
1da177e4 1390/* ---- Socket interface ---- */
1da177e4 1391
c2287681 1392/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1393 * Returns closest match.
1394 */
c2287681
IY		 1395static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1396 bdaddr_t *src,
1397 bdaddr_t *dst)
1da177e4 1398{
23691d75 1399 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1400
23691d75 1401 read_lock(&chan_list_lock);
e0f0cb56 1402
23691d75
GP		 1403 list_for_each_entry(c, &chan_list, global_l) {
1404 struct sock *sk = c->sk;
fe4128e0 1405
89bc500e 1406 if (state && c->state != state)
1da177e4
LT		 1407 continue;
1408
23691d75 1409 if (c->psm == psm) {
c2287681
IY		 1410 int src_match, dst_match;
1411 int src_any, dst_any;
1412
1da177e4 1413 /* Exact match. */
c2287681
IY		 1414 src_match = !bacmp(&bt_sk(sk)->src, src);
1415 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1416 if (src_match && dst_match) {
a7567b20 1417 read_unlock(&chan_list_lock);
23691d75
GP		 1418 return c;
1419 }
1da177e4
LT		 1420
1421 /* Closest match */
c2287681
IY		 1422 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1423 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1424 if ((src_match && dst_any) || (src_any && dst_match) ||
1425 (src_any && dst_any))
23691d75 1426 c1 = c;
1da177e4
LT		 1427 }
1428 }
1da177e4 1429
23691d75 1430 read_unlock(&chan_list_lock);
e0f0cb56 1431
23691d75 1432 return c1;
1da177e4
LT		 1433}
1434
8e9f9892
AG		 1435int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1436 bdaddr_t *dst, u8 dst_type)
1da177e4 1437{
5d41ce1d 1438 struct sock *sk = chan->sk;
1da177e4 1439 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1440 struct l2cap_conn *conn;
1441 struct hci_conn *hcon;
1442 struct hci_dev *hdev;
09ab6f4c 1443 __u8 auth_type;
44d0e48e 1444 int err;
1da177e4 1445
8e9f9892
AG		 1446 BT_DBG("%s -> %s (type %u) psm 0x%2.2x", batostr(src), batostr(dst),
1447 dst_type, __le16_to_cpu(chan->psm));
1da177e4 1448
af05b30b
GP		 1449 hdev = hci_get_route(dst, src);
1450 if (!hdev)
1da177e4
LT		 1451 return -EHOSTUNREACH;
1452
09fd0de5 1453 hci_dev_lock(hdev);
1da177e4 1454
6be36555 1455 l2cap_chan_lock(chan);
03a00194
GP		 1456
1457 /* PSM must be odd and lsb of upper byte must be 0 */
1458 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1459 chan->chan_type != L2CAP_CHAN_RAW) {
1460 err = -EINVAL;
1461 goto done;
1462 }
1463
1464 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1465 err = -EINVAL;
1466 goto done;
1467 }
1468
1469 switch (chan->mode) {
1470 case L2CAP_MODE_BASIC:
1471 break;
1472 case L2CAP_MODE_ERTM:
1473 case L2CAP_MODE_STREAMING:
1474 if (!disable_ertm)
1475 break;
1476 /* fall through */
1477 default:
1478 err = -ENOTSUPP;
1479 goto done;
1480 }
1481
0797e01d 1482 switch (chan->state) {
03a00194
GP		 1483 case BT_CONNECT:
1484 case BT_CONNECT2:
1485 case BT_CONFIG:
1486 /* Already connecting */
1487 err = 0;
1488 goto done;
1489
1490 case BT_CONNECTED:
1491 /* Already connected */
1492 err = -EISCONN;
1493 goto done;
1494
1495 case BT_OPEN:
1496 case BT_BOUND:
1497 /* Can connect */
1498 break;
1499
1500 default:
1501 err = -EBADFD;
1502 goto done;
1503 }
1504
1505 /* Set destination address and psm */
0797e01d 1506 lock_sock(sk);
9219b2a0 1507 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1508 release_sock(sk);
1509
03a00194
GP		 1510 chan->psm = psm;
1511 chan->dcid = cid;
1da177e4 1512
4343478f 1513 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1514
fe4128e0 1515 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1516 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1517 chan->sec_level, auth_type);
acd7d370 1518 else
8e9f9892 1519 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1520 chan->sec_level, auth_type);
acd7d370 1521
30e76272
VT		 1522 if (IS_ERR(hcon)) {
1523 err = PTR_ERR(hcon);
1da177e4 1524 goto done;
30e76272 1525 }
1da177e4
LT		 1526
1527 conn = l2cap_conn_add(hcon, 0);
1528 if (!conn) {
1529 hci_conn_put(hcon);
30e76272 1530 err = -ENOMEM;
1da177e4
LT		 1531 goto done;
1532 }
1533
9f0caeb1
VCG		 1534 if (hcon->type == LE_LINK) {
1535 err = 0;
1536
1537 if (!list_empty(&conn->chan_l)) {
1538 err = -EBUSY;
1539 hci_conn_put(hcon);
1540 }
1541
1542 if (err)
1543 goto done;
1544 }
1545
1da177e4
LT		 1546 /* Update source addr of the socket */
1547 bacpy(src, conn->src);
1548
6be36555 1549 l2cap_chan_unlock(chan);
48454079 1550 l2cap_chan_add(conn, chan);
6be36555 1551 l2cap_chan_lock(chan);
48454079 1552
6be36555 1553 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1554 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1555
1556 if (hcon->state == BT_CONNECTED) {
715ec005 1557 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1558 __clear_chan_timer(chan);
d45fc423 1559 if (l2cap_chan_check_security(chan))
6be36555 1560 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1561 } else
fc7f8a7e 1562 l2cap_do_start(chan);
1da177e4
LT		 1563 }
1564
30e76272
VT		 1565 err = 0;
1566
1da177e4 1567done:
6be36555 1568 l2cap_chan_unlock(chan);
09fd0de5 1569 hci_dev_unlock(hdev);
1da177e4
LT		 1570 hci_dev_put(hdev);
1571 return err;
1572}
1573
dcba0dba 1574int __l2cap_wait_ack(struct sock *sk)
6161c038 1575{
8c1d787b 1576 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1577 DECLARE_WAITQUEUE(wait, current);
1578 int err = 0;
1579 int timeo = HZ/5;
1580
2b0b05dd 1581 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1582 set_current_state(TASK_INTERRUPTIBLE);
1583 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1584 if (!timeo)
1585 timeo = HZ/5;
1586
1587 if (signal_pending(current)) {
1588 err = sock_intr_errno(timeo);
1589 break;
1590 }
1591
1592 release_sock(sk);
1593 timeo = schedule_timeout(timeo);
1594 lock_sock(sk);
a71a0cf4 1595 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1596
1597 err = sock_error(sk);
1598 if (err)
1599 break;
1600 }
1601 set_current_state(TASK_RUNNING);
2b0b05dd 1602 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1603 return err;
1604}
1605
721c4181 1606static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1607{
721c4181 1608 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1609 monitor_timer.work);
e90bac06 1610
525cd185 1611 BT_DBG("chan %p", chan);
0e98958d 1612
6be36555
AE		 1613 l2cap_chan_lock(chan);
1614
80909e04 1615 if (!chan->conn) {
6be36555 1616 l2cap_chan_unlock(chan);
8d7e1c7f 1617 l2cap_chan_put(chan);
e90bac06
GP		 1618 return;
1619 }
1620
401bb1f7 1621 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1622
6be36555 1623 l2cap_chan_unlock(chan);
8d7e1c7f 1624 l2cap_chan_put(chan);
e90bac06
GP		 1625}
1626
721c4181 1627static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1628{
721c4181 1629 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1630 retrans_timer.work);
e90bac06 1631
49208c9c 1632 BT_DBG("chan %p", chan);
0e98958d 1633
6be36555
AE		 1634 l2cap_chan_lock(chan);
1635
80909e04
MM		 1636 if (!chan->conn) {
1637 l2cap_chan_unlock(chan);
1638 l2cap_chan_put(chan);
1639 return;
1640 }
6be36555 1641
401bb1f7 1642 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1643 l2cap_chan_unlock(chan);
8d7e1c7f 1644 l2cap_chan_put(chan);
e90bac06
GP		 1645}
1646
d660366d
GP		 1647static void l2cap_streaming_send(struct l2cap_chan *chan,
1648 struct sk_buff_head *skbs)
6840ed07 1649{
ccbb84af 1650 struct sk_buff *skb;
3733937d 1651 struct l2cap_ctrl *control;
6840ed07 1652
3733937d
MM		 1653 BT_DBG("chan %p, skbs %p", chan, skbs);
1654
3733937d
MM		 1655 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1656
1657 while (!skb_queue_empty(&chan->tx_q)) {
1658
1659 skb = skb_dequeue(&chan->tx_q);
1660
1661 bt_cb(skb)->control.retries = 1;
1662 control = &bt_cb(skb)->control;
1663
1664 control->reqseq = 0;
1665 control->txseq = chan->next_tx_seq;
1666
1667 __pack_control(chan, control, skb);
6840ed07 1668
47d1ec61 1669 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1670 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1671 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1672 }
1673
4343478f 1674 l2cap_do_send(chan, skb);
6840ed07 1675
b4400672 1676 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1677
836be934 1678 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1679 chan->frames_sent++;
6840ed07 1680 }
6840ed07
GP		 1681}
1682
67c9e840 1683static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1684{
1685 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1686 struct l2cap_ctrl *control;
1687 int sent = 0;
1688
1689 BT_DBG("chan %p", chan);
1c2acffb 1690
89bc500e 1691 if (chan->state != BT_CONNECTED)
c13ffa62 1692 return -ENOTCONN;
e90bac06 1693
94122bbe
MM		 1694 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1695 return 0;
1696
18a48e76
MM		 1697 while (chan->tx_send_head &&
1698 chan->unacked_frames < chan->remote_tx_win &&
1699 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1700
18a48e76 1701 skb = chan->tx_send_head;
e90bac06 1702
18a48e76
MM		 1703 bt_cb(skb)->control.retries = 1;
1704 control = &bt_cb(skb)->control;
95ffa978 1705
e2ab4353 1706 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1707 control->final = 1;
e2ab4353 1708
18a48e76
MM		 1709 control->reqseq = chan->buffer_seq;
1710 chan->last_acked_seq = chan->buffer_seq;
1711 control->txseq = chan->next_tx_seq;
1c2acffb 1712
18a48e76 1713 __pack_control(chan, control, skb);
e90bac06 1714
47d1ec61 1715 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1716 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1717 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1718 }
1719
18a48e76
MM		 1720 /* Clone after data has been modified. Data is assumed to be
1721 read-only (for locking purposes) on cloned sk_buffs.
1722 */
1723 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1724
18a48e76
MM		 1725 if (!tx_skb)
1726 break;
1c2acffb 1727
18a48e76 1728 __set_retrans_timer(chan);
836be934
AE		 1729
1730 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1731 chan->unacked_frames++;
6a026610 1732 chan->frames_sent++;
18a48e76 1733 sent++;
1c2acffb 1734
58d35f87
GP		 1735 if (skb_queue_is_last(&chan->tx_q, skb))
1736 chan->tx_send_head = NULL;
1c2acffb 1737 else
58d35f87 1738 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1739
1740 l2cap_do_send(chan, tx_skb);
b4400672 1741 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 1742 }
1743
b4400672
AE		 1744 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1745 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 1746
1747 return sent;
9e917af1
GP		 1748}
1749
e1fbd4c1
MM		 1750static void l2cap_ertm_resend(struct l2cap_chan *chan)
1751{
1752 struct l2cap_ctrl control;
1753 struct sk_buff *skb;
1754 struct sk_buff *tx_skb;
1755 u16 seq;
1756
1757 BT_DBG("chan %p", chan);
1758
1759 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1760 return;
1761
1762 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1763 seq = l2cap_seq_list_pop(&chan->retrans_list);
1764
1765 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1766 if (!skb) {
1767 BT_DBG("Error: Can't retransmit seq %d, frame missing",
1768 seq);
1769 continue;
1770 }
1771
1772 bt_cb(skb)->control.retries++;
1773 control = bt_cb(skb)->control;
1774
1775 if (chan->max_tx != 0 &&
1776 bt_cb(skb)->control.retries > chan->max_tx) {
1777 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1778 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
1779 l2cap_seq_list_clear(&chan->retrans_list);
1780 break;
1781 }
1782
1783 control.reqseq = chan->buffer_seq;
1784 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1785 control.final = 1;
1786 else
1787 control.final = 0;
1788
1789 if (skb_cloned(skb)) {
1790 /* Cloned sk_buffs are read-only, so we need a
1791 * writeable copy
1792 */
1793 tx_skb = skb_copy(skb, GFP_ATOMIC);
1794 } else {
1795 tx_skb = skb_clone(skb, GFP_ATOMIC);
1796 }
1797
1798 if (!tx_skb) {
1799 l2cap_seq_list_clear(&chan->retrans_list);
1800 break;
1801 }
1802
1803 /* Update skb contents */
1804 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1805 put_unaligned_le32(__pack_extended_control(&control),
1806 tx_skb->data + L2CAP_HDR_SIZE);
1807 } else {
1808 put_unaligned_le16(__pack_enhanced_control(&control),
1809 tx_skb->data + L2CAP_HDR_SIZE);
1810 }
1811
1812 if (chan->fcs == L2CAP_FCS_CRC16) {
1813 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
1814 put_unaligned_le16(fcs, skb_put(tx_skb,
1815 L2CAP_FCS_SIZE));
1816 }
1817
1818 l2cap_do_send(chan, tx_skb);
1819
1820 BT_DBG("Resent txseq %d", control.txseq);
1821
1822 chan->last_acked_seq = chan->buffer_seq;
1823 }
1824}
1825
f80842a8
MM		 1826static void l2cap_retransmit(struct l2cap_chan *chan,
1827 struct l2cap_ctrl *control)
1828{
1829 BT_DBG("chan %p, control %p", chan, control);
1830
1831 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
1832 l2cap_ertm_resend(chan);
1833}
1834
d2a7ac5d
MM		 1835static void l2cap_retransmit_all(struct l2cap_chan *chan,
1836 struct l2cap_ctrl *control)
1837{
e1fbd4c1
MM		 1838 struct sk_buff *skb;
1839
1840 BT_DBG("chan %p, control %p", chan, control);
1841
1842 if (control->poll)
1843 set_bit(CONN_SEND_FBIT, &chan->conn_state);
1844
1845 l2cap_seq_list_clear(&chan->retrans_list);
1846
1847 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1848 return;
1849
1850 if (chan->unacked_frames) {
1851 skb_queue_walk(&chan->tx_q, skb) {
1852 if (bt_cb(skb)->control.txseq == control->reqseq ||
1853 skb == chan->tx_send_head)
1854 break;
1855 }
1856
1857 skb_queue_walk_from(&chan->tx_q, skb) {
1858 if (skb == chan->tx_send_head)
1859 break;
1860
1861 l2cap_seq_list_append(&chan->retrans_list,
1862 bt_cb(skb)->control.txseq);
1863 }
1864
1865 l2cap_ertm_resend(chan);
1866 }
d2a7ac5d
MM		 1867}
1868
0a0aba42 1869static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1870{
0a0aba42
MM		 1871 struct l2cap_ctrl control;
1872 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
1873 chan->last_acked_seq);
1874 int threshold;
9e917af1 1875
0a0aba42
MM		 1876 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
1877 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 1878
0a0aba42
MM		 1879 memset(&control, 0, sizeof(control));
1880 control.sframe = 1;
dfc909be 1881
0a0aba42
MM		 1882 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
1883 chan->rx_state == L2CAP_RX_STATE_RECV) {
1884 __clear_ack_timer(chan);
1885 control.super = L2CAP_SUPER_RNR;
1886 control.reqseq = chan->buffer_seq;
1887 l2cap_send_sframe(chan, &control);
1888 } else {
1889 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
1890 l2cap_ertm_send(chan);
1891 /* If any i-frames were sent, they included an ack */
1892 if (chan->buffer_seq == chan->last_acked_seq)
1893 frames_to_ack = 0;
1894 }
dfc909be 1895
c20f8e35 1896 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 1897 * Calculate without mul or div
1898 */
c20f8e35 1899 threshold = chan->ack_win;
0a0aba42
MM		 1900 threshold += threshold << 1;
1901 threshold >>= 2;
1902
b4400672 1903 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 1904 threshold);
1905
1906 if (frames_to_ack >= threshold) {
1907 __clear_ack_timer(chan);
1908 control.super = L2CAP_SUPER_RR;
1909 control.reqseq = chan->buffer_seq;
1910 l2cap_send_sframe(chan, &control);
1911 frames_to_ack = 0;
1912 }
1c2acffb 1913
0a0aba42
MM		 1914 if (frames_to_ack)
1915 __set_ack_timer(chan);
1916 }
b17e73bb
SJ		 1917}
1918
04124681
GP		 1919static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
1920 struct msghdr *msg, int len,
1921 int count, struct sk_buff *skb)
1c2acffb 1922{
0952a57a 1923 struct l2cap_conn *conn = chan->conn;
1c2acffb 1924 struct sk_buff **frag;
90338947 1925 int sent = 0;
1da177e4 1926
59203a21 1927 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1928 return -EFAULT;
1da177e4
LT		 1929
1930 sent += count;
1931 len -= count;
1932
1933 /* Continuation fragments (no L2CAP header) */
1934 frag = &skb_shinfo(skb)->frag_list;
1935 while (len) {
fbe00700
GP		 1936 struct sk_buff *tmp;
1937
1da177e4
LT		 1938 count = min_t(unsigned int, conn->mtu, len);
1939
fbe00700
GP		 1940 tmp = chan->ops->alloc_skb(chan, count,
1941 msg->msg_flags & MSG_DONTWAIT);
1942 if (IS_ERR(tmp))
1943 return PTR_ERR(tmp);
1944
1945 *frag = tmp;
2f7719ce 1946
1c2acffb
GP		 1947 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1948 return -EFAULT;
1da177e4 1949
5e59b791
LAD		 1950 (*frag)->priority = skb->priority;
1951
1da177e4
LT		 1952 sent += count;
1953 len -= count;
1954
2d0ed3d5
GP		 1955 skb->len += (*frag)->len;
1956 skb->data_len += (*frag)->len;
1957
1da177e4
LT		 1958 frag = &(*frag)->next;
1959 }
1da177e4
LT		 1960
1961 return sent;
1c2acffb 1962}
1da177e4 1963
5e59b791 1964static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
b4400672
AE		 1965 struct msghdr *msg, size_t len,
1966 u32 priority)
1c2acffb 1967{
8c1d787b 1968 struct l2cap_conn *conn = chan->conn;
1c2acffb 1969 struct sk_buff *skb;
03a51213 1970 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 1971 struct l2cap_hdr *lh;
1972
b4400672 1973 BT_DBG("chan %p len %zu priority %u", chan, len, priority);
1c2acffb
GP		 1974
1975 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1976
1977 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 1978 msg->msg_flags & MSG_DONTWAIT);
1979 if (IS_ERR(skb))
1980 return skb;
1c2acffb 1981
5e59b791
LAD		 1982 skb->priority = priority;
1983
1c2acffb
GP		 1984 /* Create L2CAP header */
1985 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1986 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 1987 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
1988 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 1989
0952a57a 1990 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1991 if (unlikely(err < 0)) {
1992 kfree_skb(skb);
1993 return ERR_PTR(err);
1994 }
1995 return skb;
1996}
1997
5e59b791 1998static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
b4400672
AE		 1999 struct msghdr *msg, size_t len,
2000 u32 priority)
1c2acffb 2001{
8c1d787b 2002 struct l2cap_conn *conn = chan->conn;
1c2acffb 2003 struct sk_buff *skb;
f2ba7fae 2004 int err, count;
1c2acffb
GP		 2005 struct l2cap_hdr *lh;
2006
b4400672 2007 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2008
f2ba7fae 2009 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2010
f2ba7fae 2011 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 2012 msg->msg_flags & MSG_DONTWAIT);
2013 if (IS_ERR(skb))
2014 return skb;
1c2acffb 2015
5e59b791
LAD		 2016 skb->priority = priority;
2017
1c2acffb
GP		 2018 /* Create L2CAP header */
2019 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2020 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2021 lh->len = cpu_to_le16(len);
1c2acffb 2022
0952a57a 2023 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2024 if (unlikely(err < 0)) {
2025 kfree_skb(skb);
2026 return ERR_PTR(err);
2027 }
2028 return skb;
2029}
2030
ab0ff76d 2031static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2032 struct msghdr *msg, size_t len,
2033 u16 sdulen)
1c2acffb 2034{
8c1d787b 2035 struct l2cap_conn *conn = chan->conn;
1c2acffb 2036 struct sk_buff *skb;
e4ca6d98 2037 int err, count, hlen;
1c2acffb
GP		 2038 struct l2cap_hdr *lh;
2039
b4400672 2040 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2041
0ee0d208
GP		 2042 if (!conn)
2043 return ERR_PTR(-ENOTCONN);
2044
ba7aa64f 2045 hlen = __ertm_hdr_size(chan);
e4ca6d98 2046
c74e560c 2047 if (sdulen)
03a51213 2048 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2049
47d1ec61 2050 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2051 hlen += L2CAP_FCS_SIZE;
fcc203c3 2052
1c2acffb 2053 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2054
2055 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2056 msg->msg_flags & MSG_DONTWAIT);
2057 if (IS_ERR(skb))
2058 return skb;
1c2acffb
GP		 2059
2060 /* Create L2CAP header */
2061 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2062 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2063 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2064
18a48e76
MM		 2065 /* Control header is populated later */
2066 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2067 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2068 else
2069 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2070
c74e560c 2071 if (sdulen)
03a51213 2072 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2073
0952a57a 2074 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2075 if (unlikely(err < 0)) {
2076 kfree_skb(skb);
2077 return ERR_PTR(err);
2078 }
e90bac06 2079
18a48e76 2080 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2081 bt_cb(skb)->control.retries = 0;
1c2acffb 2082 return skb;
1da177e4
LT		 2083}
2084
94122bbe
MM		 2085static int l2cap_segment_sdu(struct l2cap_chan *chan,
2086 struct sk_buff_head *seg_queue,
2087 struct msghdr *msg, size_t len)
c74e560c 2088{
c74e560c 2089 struct sk_buff *skb;
94122bbe
MM		 2090 u16 sdu_len;
2091 size_t pdu_len;
94122bbe 2092 u8 sar;
c74e560c 2093
b4400672 2094 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2095
94122bbe
MM		 2096 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2097 * so fragmented skbs are not used. The HCI layer's handling
2098 * of fragmented skbs is not compatible with ERTM's queueing.
2099 */
c74e560c 2100
94122bbe
MM		 2101 /* PDU size is derived from the HCI MTU */
2102 pdu_len = chan->conn->mtu;
c74e560c 2103
94122bbe
MM		 2104 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2105
2106 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2107 if (chan->fcs)
2108 pdu_len -= L2CAP_FCS_SIZE;
2109
ba7aa64f 2110 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2111
2112 /* Remote device may have requested smaller PDUs */
2113 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2114
2115 if (len <= pdu_len) {
2116 sar = L2CAP_SAR_UNSEGMENTED;
2117 sdu_len = 0;
2118 pdu_len = len;
2119 } else {
2120 sar = L2CAP_SAR_START;
2121 sdu_len = len;
2122 pdu_len -= L2CAP_SDULEN_SIZE;
2123 }
2124
2125 while (len > 0) {
2126 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2127
c74e560c 2128 if (IS_ERR(skb)) {
94122bbe 2129 __skb_queue_purge(seg_queue);
c74e560c
GP		 2130 return PTR_ERR(skb);
2131 }
2132
94122bbe
MM		 2133 bt_cb(skb)->control.sar = sar;
2134 __skb_queue_tail(seg_queue, skb);
2135
2136 len -= pdu_len;
2137 if (sdu_len) {
2138 sdu_len = 0;
2139 pdu_len += L2CAP_SDULEN_SIZE;
2140 }
2141
2142 if (len <= pdu_len) {
2143 sar = L2CAP_SAR_END;
2144 pdu_len = len;
2145 } else {
2146 sar = L2CAP_SAR_CONTINUE;
2147 }
c74e560c 2148 }
c74e560c 2149
f0f62799 2150 return 0;
c74e560c
GP		 2151}
2152
5e59b791
LAD		 2153int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2154 u32 priority)
9a91a04a 2155{
9a91a04a 2156 struct sk_buff *skb;
9a91a04a 2157 int err;
94122bbe 2158 struct sk_buff_head seg_queue;
9a91a04a
GP		 2159
2160 /* Connectionless channel */
715ec005 2161 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2162 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2163 if (IS_ERR(skb))
2164 return PTR_ERR(skb);
2165
2166 l2cap_do_send(chan, skb);
2167 return len;
2168 }
2169
2170 switch (chan->mode) {
2171 case L2CAP_MODE_BASIC:
2172 /* Check outgoing MTU */
2173 if (len > chan->omtu)
2174 return -EMSGSIZE;
2175
2176 /* Create a basic PDU */
5e59b791 2177 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2178 if (IS_ERR(skb))
2179 return PTR_ERR(skb);
2180
2181 l2cap_do_send(chan, skb);
2182 err = len;
2183 break;
2184
2185 case L2CAP_MODE_ERTM:
2186 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2187 /* Check outgoing MTU */
2188 if (len > chan->omtu) {
2189 err = -EMSGSIZE;
2190 break;
2191 }
9a91a04a 2192
94122bbe 2193 __skb_queue_head_init(&seg_queue);
9a91a04a 2194
94122bbe
MM		 2195 /* Do segmentation before calling in to the state machine,
2196 * since it's possible to block while waiting for memory
2197 * allocation.
2198 */
2199 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2200
94122bbe
MM		 2201 /* The channel could have been closed while segmenting,
2202 * check that it is still connected.
2203 */
2204 if (chan->state != BT_CONNECTED) {
2205 __skb_queue_purge(&seg_queue);
2206 err = -ENOTCONN;
9a91a04a
GP		 2207 }
2208
94122bbe 2209 if (err)
9a91a04a 2210 break;
9a91a04a 2211
3733937d 2212 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2213 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2214 else
d660366d 2215 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2216
d660366d 2217 err = len;
9a91a04a 2218
94122bbe
MM		 2219 /* If the skbs were not queued for sending, they'll still be in
2220 * seg_queue and need to be purged.
2221 */
2222 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2223 break;
2224
2225 default:
2226 BT_DBG("bad state %1.1x", chan->mode);
2227 err = -EBADFD;
2228 }
2229
2230 return err;
2231}
2232
d2a7ac5d
MM		 2233static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2234{
bed68bde
MM		 2235 struct l2cap_ctrl control;
2236 u16 seq;
2237
b4400672 2238 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2239
2240 memset(&control, 0, sizeof(control));
2241 control.sframe = 1;
2242 control.super = L2CAP_SUPER_SREJ;
2243
2244 for (seq = chan->expected_tx_seq; seq != txseq;
2245 seq = __next_seq(chan, seq)) {
2246 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2247 control.reqseq = seq;
2248 l2cap_send_sframe(chan, &control);
2249 l2cap_seq_list_append(&chan->srej_list, seq);
2250 }
2251 }
2252
2253 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2254}
2255
2256static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2257{
bed68bde
MM		 2258 struct l2cap_ctrl control;
2259
2260 BT_DBG("chan %p", chan);
2261
2262 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2263 return;
2264
2265 memset(&control, 0, sizeof(control));
2266 control.sframe = 1;
2267 control.super = L2CAP_SUPER_SREJ;
2268 control.reqseq = chan->srej_list.tail;
2269 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2270}
2271
2272static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2273{
bed68bde
MM		 2274 struct l2cap_ctrl control;
2275 u16 initial_head;
2276 u16 seq;
2277
b4400672 2278 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2279
2280 memset(&control, 0, sizeof(control));
2281 control.sframe = 1;
2282 control.super = L2CAP_SUPER_SREJ;
2283
2284 /* Capture initial list head to allow only one pass through the list. */
2285 initial_head = chan->srej_list.head;
2286
2287 do {
2288 seq = l2cap_seq_list_pop(&chan->srej_list);
2289 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2290 break;
2291
2292 control.reqseq = seq;
2293 l2cap_send_sframe(chan, &control);
2294 l2cap_seq_list_append(&chan->srej_list, seq);
2295 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2296}
2297
608bcc6d
MM		 2298static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2299{
2300 struct sk_buff *acked_skb;
2301 u16 ackseq;
2302
b4400672 2303 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2304
2305 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2306 return;
2307
b4400672 2308 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2309 chan->expected_ack_seq, chan->unacked_frames);
2310
2311 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2312 ackseq = __next_seq(chan, ackseq)) {
2313
2314 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2315 if (acked_skb) {
2316 skb_unlink(acked_skb, &chan->tx_q);
2317 kfree_skb(acked_skb);
2318 chan->unacked_frames--;
2319 }
2320 }
2321
2322 chan->expected_ack_seq = reqseq;
2323
2324 if (chan->unacked_frames == 0)
2325 __clear_retrans_timer(chan);
2326
b4400672 2327 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2328}
2329
2330static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2331{
2332 BT_DBG("chan %p", chan);
2333
2334 chan->expected_tx_seq = chan->buffer_seq;
2335 l2cap_seq_list_clear(&chan->srej_list);
2336 skb_queue_purge(&chan->srej_q);
2337 chan->rx_state = L2CAP_RX_STATE_RECV;
2338}
2339
d660366d
GP		 2340static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2341 struct l2cap_ctrl *control,
2342 struct sk_buff_head *skbs, u8 event)
608bcc6d 2343{
608bcc6d
MM		 2344 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2345 event);
2346
2347 switch (event) {
2348 case L2CAP_EV_DATA_REQUEST:
2349 if (chan->tx_send_head == NULL)
2350 chan->tx_send_head = skb_peek(skbs);
2351
2352 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2353 l2cap_ertm_send(chan);
2354 break;
2355 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2356 BT_DBG("Enter LOCAL_BUSY");
2357 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2358
2359 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2360 /* The SREJ_SENT state must be aborted if we are to
2361 * enter the LOCAL_BUSY state.
2362 */
2363 l2cap_abort_rx_srej_sent(chan);
2364 }
2365
2366 l2cap_send_ack(chan);
2367
2368 break;
2369 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2370 BT_DBG("Exit LOCAL_BUSY");
2371 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2372
2373 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2374 struct l2cap_ctrl local_control;
2375
2376 memset(&local_control, 0, sizeof(local_control));
2377 local_control.sframe = 1;
2378 local_control.super = L2CAP_SUPER_RR;
2379 local_control.poll = 1;
2380 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2381 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2382
2383 chan->retry_count = 1;
2384 __set_monitor_timer(chan);
2385 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2386 }
2387 break;
2388 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2389 l2cap_process_reqseq(chan, control->reqseq);
2390 break;
2391 case L2CAP_EV_EXPLICIT_POLL:
2392 l2cap_send_rr_or_rnr(chan, 1);
2393 chan->retry_count = 1;
2394 __set_monitor_timer(chan);
2395 __clear_ack_timer(chan);
2396 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2397 break;
2398 case L2CAP_EV_RETRANS_TO:
2399 l2cap_send_rr_or_rnr(chan, 1);
2400 chan->retry_count = 1;
2401 __set_monitor_timer(chan);
2402 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2403 break;
2404 case L2CAP_EV_RECV_FBIT:
2405 /* Nothing to process */
2406 break;
2407 default:
2408 break;
2409 }
608bcc6d
MM		 2410}
2411
d660366d
GP		 2412static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2413 struct l2cap_ctrl *control,
2414 struct sk_buff_head *skbs, u8 event)
608bcc6d 2415{
608bcc6d
MM		 2416 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2417 event);
2418
2419 switch (event) {
2420 case L2CAP_EV_DATA_REQUEST:
2421 if (chan->tx_send_head == NULL)
2422 chan->tx_send_head = skb_peek(skbs);
2423 /* Queue data, but don't send. */
2424 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2425 break;
2426 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2427 BT_DBG("Enter LOCAL_BUSY");
2428 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2429
2430 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2431 /* The SREJ_SENT state must be aborted if we are to
2432 * enter the LOCAL_BUSY state.
2433 */
2434 l2cap_abort_rx_srej_sent(chan);
2435 }
2436
2437 l2cap_send_ack(chan);
2438
2439 break;
2440 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2441 BT_DBG("Exit LOCAL_BUSY");
2442 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2443
2444 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2445 struct l2cap_ctrl local_control;
2446 memset(&local_control, 0, sizeof(local_control));
2447 local_control.sframe = 1;
2448 local_control.super = L2CAP_SUPER_RR;
2449 local_control.poll = 1;
2450 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2451 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2452
2453 chan->retry_count = 1;
2454 __set_monitor_timer(chan);
2455 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2456 }
2457 break;
2458 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2459 l2cap_process_reqseq(chan, control->reqseq);
2460
2461 /* Fall through */
2462
2463 case L2CAP_EV_RECV_FBIT:
2464 if (control && control->final) {
2465 __clear_monitor_timer(chan);
2466 if (chan->unacked_frames > 0)
2467 __set_retrans_timer(chan);
2468 chan->retry_count = 0;
2469 chan->tx_state = L2CAP_TX_STATE_XMIT;
2470 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2471 }
2472 break;
2473 case L2CAP_EV_EXPLICIT_POLL:
2474 /* Ignore */
2475 break;
2476 case L2CAP_EV_MONITOR_TO:
2477 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2478 l2cap_send_rr_or_rnr(chan, 1);
2479 __set_monitor_timer(chan);
2480 chan->retry_count++;
2481 } else {
2482 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
2483 }
2484 break;
2485 default:
2486 break;
2487 }
608bcc6d
MM		 2488}
2489
d660366d
GP		 2490static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2491 struct sk_buff_head *skbs, u8 event)
608bcc6d 2492{
608bcc6d
MM		 2493 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2494 chan, control, skbs, event, chan->tx_state);
2495
2496 switch (chan->tx_state) {
2497 case L2CAP_TX_STATE_XMIT:
d660366d 2498 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2499 break;
2500 case L2CAP_TX_STATE_WAIT_F:
d660366d 2501 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2502 break;
2503 default:
2504 /* Ignore event */
2505 break;
2506 }
608bcc6d
MM		 2507}
2508
4b51dae9
MM		 2509static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2510 struct l2cap_ctrl *control)
2511{
2512 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2513 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2514}
2515
f80842a8
MM		 2516static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2517 struct l2cap_ctrl *control)
2518{
2519 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2520 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2521}
2522
1da177e4
LT		 2523/* Copy frame to all raw sockets on that connection */
2524static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2525{
1da177e4 2526 struct sk_buff *nskb;
48454079 2527 struct l2cap_chan *chan;
1da177e4
LT		 2528
2529 BT_DBG("conn %p", conn);
2530
3df91ea2 2531 mutex_lock(&conn->chan_lock);
3d57dc68 2532
3df91ea2 2533 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2534 struct sock *sk = chan->sk;
715ec005 2535 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2536 continue;
2537
2538 /* Don't send frame to the socket it came from */
2539 if (skb->sk == sk)
2540 continue;
af05b30b
GP		 2541 nskb = skb_clone(skb, GFP_ATOMIC);
2542 if (!nskb)
1da177e4
LT		 2543 continue;
2544
80b98027 2545 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2546 kfree_skb(nskb);
2547 }
3d57dc68 2548
3df91ea2 2549 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2550}
2551
2552/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2553static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2554 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2555{
2556 struct sk_buff *skb, **frag;
2557 struct l2cap_cmd_hdr *cmd;
2558 struct l2cap_hdr *lh;
2559 int len, count;
2560
b4400672
AE		 2561 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2562 conn, code, ident, dlen);
1da177e4
LT		 2563
2564 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2565 count = min_t(unsigned int, conn->mtu, len);
2566
2567 skb = bt_skb_alloc(count, GFP_ATOMIC);
2568 if (!skb)
2569 return NULL;
2570
2571 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2572 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2573
2574 if (conn->hcon->type == LE_LINK)
ac73498c 2575 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2576 else
ac73498c 2577 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2578
2579 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2580 cmd->code = code;
2581 cmd->ident = ident;
aca3192c 2582 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2583
2584 if (dlen) {
2585 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2586 memcpy(skb_put(skb, count), data, count);
2587 data += count;
2588 }
2589
2590 len -= skb->len;
2591
2592 /* Continuation fragments (no L2CAP header) */
2593 frag = &skb_shinfo(skb)->frag_list;
2594 while (len) {
2595 count = min_t(unsigned int, conn->mtu, len);
2596
2597 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2598 if (!*frag)
2599 goto fail;
2600
2601 memcpy(skb_put(*frag, count), data, count);
2602
2603 len -= count;
2604 data += count;
2605
2606 frag = &(*frag)->next;
2607 }
2608
2609 return skb;
2610
2611fail:
2612 kfree_skb(skb);
2613 return NULL;
2614}
2615
2616static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2617{
2618 struct l2cap_conf_opt *opt = *ptr;
2619 int len;
2620
2621 len = L2CAP_CONF_OPT_SIZE + opt->len;
2622 *ptr += len;
2623
2624 *type = opt->type;
2625 *olen = opt->len;
2626
2627 switch (opt->len) {
2628 case 1:
2629 *val = *((u8 *) opt->val);
2630 break;
2631
2632 case 2:
bfaaeb3e 2633 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2634 break;
2635
2636 case 4:
bfaaeb3e 2637 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2638 break;
2639
2640 default:
2641 *val = (unsigned long) opt->val;
2642 break;
2643 }
2644
b4400672 2645 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2646 return len;
2647}
2648
1da177e4
LT		 2649static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2650{
2651 struct l2cap_conf_opt *opt = *ptr;
2652
b4400672 2653 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2654
2655 opt->type = type;
2656 opt->len = len;
2657
2658 switch (len) {
2659 case 1:
2660 *((u8 *) opt->val) = val;
2661 break;
2662
2663 case 2:
4f8b691c 2664 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2665 break;
2666
2667 case 4:
4f8b691c 2668 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2669 break;
2670
2671 default:
2672 memcpy(opt->val, (void *) val, len);
2673 break;
2674 }
2675
2676 *ptr += L2CAP_CONF_OPT_SIZE + len;
2677}
2678
f89cef09
AE		 2679static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2680{
2681 struct l2cap_conf_efs efs;
2682
1ec918ce 2683 switch (chan->mode) {
f89cef09
AE		 2684 case L2CAP_MODE_ERTM:
2685 efs.id = chan->local_id;
2686 efs.stype = chan->local_stype;
2687 efs.msdu = cpu_to_le16(chan->local_msdu);
2688 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c
AE		 2689 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2690 efs.flush_to = __constant_cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
f89cef09
AE		 2691 break;
2692
2693 case L2CAP_MODE_STREAMING:
2694 efs.id = 1;
2695 efs.stype = L2CAP_SERV_BESTEFFORT;
2696 efs.msdu = cpu_to_le16(chan->local_msdu);
2697 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2698 efs.acc_lat = 0;
2699 efs.flush_to = 0;
2700 break;
2701
2702 default:
2703 return;
2704 }
2705
2706 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
2707 (unsigned long) &efs);
2708}
2709
721c4181 2710static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2711{
721c4181 2712 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 2713 ack_timer.work);
2714 u16 frames_to_ack;
c1b4f43b 2715
2fb9b3d4
GP		 2716 BT_DBG("chan %p", chan);
2717
6be36555
AE		 2718 l2cap_chan_lock(chan);
2719
0362520b
MM		 2720 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2721 chan->last_acked_seq);
6be36555 2722
0362520b
MM		 2723 if (frames_to_ack)
2724 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 2725
0362520b 2726 l2cap_chan_unlock(chan);
09bfb2ee 2727 l2cap_chan_put(chan);
c1b4f43b
GP		 2728}
2729
466f8004 2730int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2731{
3c588192
MM		 2732 int err;
2733
105bdf9e
MM		 2734 chan->next_tx_seq = 0;
2735 chan->expected_tx_seq = 0;
42e5c802 2736 chan->expected_ack_seq = 0;
6a026610 2737 chan->unacked_frames = 0;
42e5c802 2738 chan->buffer_seq = 0;
6a026610 2739 chan->frames_sent = 0;
105bdf9e
MM		 2740 chan->last_acked_seq = 0;
2741 chan->sdu = NULL;
2742 chan->sdu_last_frag = NULL;
2743 chan->sdu_len = 0;
2744
d34c34fb
MM		 2745 skb_queue_head_init(&chan->tx_q);
2746
105bdf9e
MM		 2747 if (chan->mode != L2CAP_MODE_ERTM)
2748 return 0;
2749
2750 chan->rx_state = L2CAP_RX_STATE_RECV;
2751 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2752
721c4181
GP		 2753 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2754 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2755 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2756
f1c6775b 2757 skb_queue_head_init(&chan->srej_q);
1890d36b 2758
3c588192
MM		 2759 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2760 if (err < 0)
2761 return err;
2762
9dc9affc
MM		 2763 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
2764 if (err < 0)
2765 l2cap_seq_list_free(&chan->srej_list);
2766
2767 return err;
0565c1c2
GP		 2768}
2769
f2fcfcd6
GP		 2770static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2771{
2772 switch (mode) {
2773 case L2CAP_MODE_STREAMING:
2774 case L2CAP_MODE_ERTM:
2775 if (l2cap_mode_supported(mode, remote_feat_mask))
2776 return mode;
2777 /* fall through */
2778 default:
2779 return L2CAP_MODE_BASIC;
2780 }
2781}
2782
6327eb98
AE		 2783static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2784{
2785 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2786}
2787
f89cef09
AE		 2788static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2789{
2790 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2791}
2792
6327eb98
AE		 2793static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2794{
2795 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 2796 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2797 /* use extended control field */
2798 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2799 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2800 } else {
6327eb98
AE		 2801 chan->tx_win = min_t(u16, chan->tx_win,
2802 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2803 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2804 }
c20f8e35 2805 chan->ack_win = chan->tx_win;
6327eb98
AE		 2806}
2807
710f9b0a 2808static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2809{
1da177e4 2810 struct l2cap_conf_req *req = data;
0c1bc5c6 2811 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2812 void *ptr = req->data;
c8f79162 2813 u16 size;
1da177e4 2814
49208c9c 2815 BT_DBG("chan %p", chan);
1da177e4 2816
73ffa904 2817 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2818 goto done;
2819
0c1bc5c6 2820 switch (chan->mode) {
f2fcfcd6
GP		 2821 case L2CAP_MODE_STREAMING:
2822 case L2CAP_MODE_ERTM:
c1360a1c 2823 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2824 break;
85eb53c6 2825
f89cef09
AE		 2826 if (__l2cap_efs_supported(chan))
2827 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2828
2ba13ed6 2829 /* fall through */
f2fcfcd6 2830 default:
8c1d787b 2831 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2832 break;
2833 }
2834
2835done:
0c1bc5c6
GP		 2836 if (chan->imtu != L2CAP_DEFAULT_MTU)
2837 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2838
0c1bc5c6 2839 switch (chan->mode) {
65c7c491 2840 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2841 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2842 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2843 break;
2844
62547752
GP		 2845 rfc.mode = L2CAP_MODE_BASIC;
2846 rfc.txwin_size = 0;
2847 rfc.max_transmit = 0;
2848 rfc.retrans_timeout = 0;
2849 rfc.monitor_timeout = 0;
2850 rfc.max_pdu_size = 0;
2851
63406504
GP		 2852 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2853 (unsigned long) &rfc);
65c7c491
MH		 2854 break;
2855
2856 case L2CAP_MODE_ERTM:
2857 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2858 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2859 rfc.retrans_timeout = 0;
2860 rfc.monitor_timeout = 0;
c8f79162
AE		 2861
2862 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2863 L2CAP_EXT_HDR_SIZE -
2864 L2CAP_SDULEN_SIZE -
2865 L2CAP_FCS_SIZE);
2866 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2867
6327eb98
AE		 2868 l2cap_txwin_setup(chan);
2869
2870 rfc.txwin_size = min_t(u16, chan->tx_win,
2871 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2872
63406504
GP		 2873 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2874 (unsigned long) &rfc);
2875
f89cef09
AE		 2876 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2877 l2cap_add_opt_efs(&ptr, chan);
2878
8c1d787b 2879 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2880 break;
2881
47d1ec61 2882 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2883 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2884 chan->fcs = L2CAP_FCS_NONE;
2885 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2886 }
6327eb98
AE		 2887
2888 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2889 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2890 chan->tx_win);
f2fcfcd6
GP		 2891 break;
2892
2893 case L2CAP_MODE_STREAMING:
273759e2 2894 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 2895 rfc.mode = L2CAP_MODE_STREAMING;
2896 rfc.txwin_size = 0;
2897 rfc.max_transmit = 0;
2898 rfc.retrans_timeout = 0;
2899 rfc.monitor_timeout = 0;
c8f79162
AE		 2900
2901 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2902 L2CAP_EXT_HDR_SIZE -
2903 L2CAP_SDULEN_SIZE -
2904 L2CAP_FCS_SIZE);
2905 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2906
63406504
GP		 2907 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2908 (unsigned long) &rfc);
2909
f89cef09
AE		 2910 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2911 l2cap_add_opt_efs(&ptr, chan);
2912
8c1d787b 2913 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2914 break;
2915
47d1ec61 2916 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2917 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2918 chan->fcs = L2CAP_FCS_NONE;
2919 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2920 }
65c7c491
MH		 2921 break;
2922 }
1da177e4 2923
fe4128e0 2924 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 2925 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 2926
2927 return ptr - data;
2928}
2929
73ffa904 2930static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2931{
5dee9e7c
MH		 2932 struct l2cap_conf_rsp *rsp = data;
2933 void *ptr = rsp->data;
73ffa904
GP		 2934 void *req = chan->conf_req;
2935 int len = chan->conf_len;
5dee9e7c
MH		 2936 int type, hint, olen;
2937 unsigned long val;
6464f35f 2938 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2939 struct l2cap_conf_efs efs;
2940 u8 remote_efs = 0;
861d6882 2941 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2942 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2943 u16 size;
1da177e4 2944
73ffa904 2945 BT_DBG("chan %p", chan);
820ae1b8 2946
5dee9e7c
MH		 2947 while (len >= L2CAP_CONF_OPT_SIZE) {
2948 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2949
589d2746 2950 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2951 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2952
2953 switch (type) {
2954 case L2CAP_CONF_MTU:
861d6882 2955 mtu = val;
5dee9e7c
MH		 2956 break;
2957
2958 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2959 chan->flush_to = val;
5dee9e7c
MH		 2960 break;
2961
2962 case L2CAP_CONF_QOS:
2963 break;
2964
6464f35f
MH		 2965 case L2CAP_CONF_RFC:
2966 if (olen == sizeof(rfc))
2967 memcpy(&rfc, (void *) val, olen);
2968 break;
2969
fcc203c3
GP		 2970 case L2CAP_CONF_FCS:
2971 if (val == L2CAP_FCS_NONE)
c1360a1c 2972 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 2973 break;
fcc203c3 2974
42dceae2
AE		 2975 case L2CAP_CONF_EFS:
2976 remote_efs = 1;
2977 if (olen == sizeof(efs))
2978 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 2979 break;
2980
6327eb98
AE		 2981 case L2CAP_CONF_EWS:
2982 if (!enable_hs)
2983 return -ECONNREFUSED;
fcc203c3 2984
6327eb98
AE		 2985 set_bit(FLAG_EXT_CTRL, &chan->flags);
2986 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 2987 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 2988 chan->remote_tx_win = val;
fcc203c3
GP		 2989 break;
2990
5dee9e7c
MH		 2991 default:
2992 if (hint)
2993 break;
2994
2995 result = L2CAP_CONF_UNKNOWN;
2996 *((u8 *) ptr++) = type;
2997 break;
2998 }
2999 }
3000
73ffa904 3001 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3002 goto done;
3003
0c1bc5c6 3004 switch (chan->mode) {
f2fcfcd6
GP		 3005 case L2CAP_MODE_STREAMING:
3006 case L2CAP_MODE_ERTM:
c1360a1c 3007 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3008 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 3009 chan->conn->feat_mask);
85eb53c6
GP		 3010 break;
3011 }
3012
42dceae2
AE		 3013 if (remote_efs) {
3014 if (__l2cap_efs_supported(chan))
3015 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3016 else
3017 return -ECONNREFUSED;
3018 }
3019
0c1bc5c6 3020 if (chan->mode != rfc.mode)
f2fcfcd6 3021 return -ECONNREFUSED;
742e519b 3022
f2fcfcd6 3023 break;
f2fcfcd6
GP		 3024 }
3025
3026done:
0c1bc5c6 3027 if (chan->mode != rfc.mode) {
f2fcfcd6 3028 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3029 rfc.mode = chan->mode;
f2fcfcd6 3030
73ffa904 3031 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3032 return -ECONNREFUSED;
3033
3034 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3035 sizeof(rfc), (unsigned long) &rfc);
3036 }
3037
5dee9e7c
MH		 3038 if (result == L2CAP_CONF_SUCCESS) {
3039 /* Configure output options and let the other side know
3040 * which ones we don't like. */
3041
f2fcfcd6
GP		 3042 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3043 result = L2CAP_CONF_UNACCEPT;
3044 else {
0c1bc5c6 3045 chan->omtu = mtu;
c1360a1c 3046 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3047 }
0c1bc5c6 3048 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3049
42dceae2
AE		 3050 if (remote_efs) {
3051 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3052 efs.stype != L2CAP_SERV_NOTRAFIC &&
3053 efs.stype != chan->local_stype) {
3054
3055 result = L2CAP_CONF_UNACCEPT;
3056
3057 if (chan->num_conf_req >= 1)
3058 return -ECONNREFUSED;
3059
3060 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 3061 sizeof(efs),
42dceae2 3062 (unsigned long) &efs);
0e8b207e 3063 } else {
3e6b3b95 3064 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3065 result = L2CAP_CONF_PENDING;
3066 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3067 }
3068 }
3069
f2fcfcd6
GP		 3070 switch (rfc.mode) {
3071 case L2CAP_MODE_BASIC:
47d1ec61 3072 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3073 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3074 break;
3075
3076 case L2CAP_MODE_ERTM:
6327eb98
AE		 3077 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3078 chan->remote_tx_win = rfc.txwin_size;
3079 else
3080 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3081
2c03a7a4 3082 chan->remote_max_tx = rfc.max_transmit;
1c762159 3083
c8f79162
AE		 3084 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3085 chan->conn->mtu -
3086 L2CAP_EXT_HDR_SIZE -
3087 L2CAP_SDULEN_SIZE -
3088 L2CAP_FCS_SIZE);
3089 rfc.max_pdu_size = cpu_to_le16(size);
3090 chan->remote_mps = size;
f2fcfcd6 3091
10467e9e 3092 rfc.retrans_timeout =
4fd21a88 3093 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
10467e9e 3094 rfc.monitor_timeout =
4fd21a88 3095 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 3096
c1360a1c 3097 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3098
3099 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3100 sizeof(rfc), (unsigned long) &rfc);
3101
42dceae2
AE		 3102 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3103 chan->remote_id = efs.id;
3104 chan->remote_stype = efs.stype;
3105 chan->remote_msdu = le16_to_cpu(efs.msdu);
3106 chan->remote_flush_to =
3107 le32_to_cpu(efs.flush_to);
3108 chan->remote_acc_lat =
3109 le32_to_cpu(efs.acc_lat);
3110 chan->remote_sdu_itime =
3111 le32_to_cpu(efs.sdu_itime);
3112 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3113 sizeof(efs), (unsigned long) &efs);
3114 }
f2fcfcd6
GP		 3115 break;
3116
3117 case L2CAP_MODE_STREAMING:
c8f79162
AE		 3118 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3119 chan->conn->mtu -
3120 L2CAP_EXT_HDR_SIZE -
3121 L2CAP_SDULEN_SIZE -
3122 L2CAP_FCS_SIZE);
3123 rfc.max_pdu_size = cpu_to_le16(size);
3124 chan->remote_mps = size;
f2fcfcd6 3125
c1360a1c 3126 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3127
3128 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3129 sizeof(rfc), (unsigned long) &rfc);
3130
f2fcfcd6
GP		 3131 break;
3132
3133 default:
5dee9e7c 3134 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3135
6464f35f 3136 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3137 rfc.mode = chan->mode;
f2fcfcd6 3138 }
6464f35f 3139
f2fcfcd6 3140 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3141 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3142 }
fe4128e0 3143 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3144 rsp->result = cpu_to_le16(result);
59e54bd1 3145 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3146
3147 return ptr - data;
1da177e4
LT		 3148}
3149
b4450035 3150static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 3151{
f2fcfcd6
GP		 3152 struct l2cap_conf_req *req = data;
3153 void *ptr = req->data;
3154 int type, olen;
3155 unsigned long val;
36e999a8 3156 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3157 struct l2cap_conf_efs efs;
f2fcfcd6 3158
fe4128e0 3159 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3160
3161 while (len >= L2CAP_CONF_OPT_SIZE) {
3162 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3163
3164 switch (type) {
3165 case L2CAP_CONF_MTU:
3166 if (val < L2CAP_DEFAULT_MIN_MTU) {
3167 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3168 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3169 } else
0c1bc5c6
GP		 3170 chan->imtu = val;
3171 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3172 break;
3173
3174 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3175 chan->flush_to = val;
f2fcfcd6 3176 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 3177 2, chan->flush_to);
f2fcfcd6
GP		 3178 break;
3179
3180 case L2CAP_CONF_RFC:
3181 if (olen == sizeof(rfc))
3182 memcpy(&rfc, (void *)val, olen);
3183
c1360a1c 3184 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 3185 rfc.mode != chan->mode)
f2fcfcd6
GP		 3186 return -ECONNREFUSED;
3187
47d1ec61 3188 chan->fcs = 0;
f2fcfcd6
GP		 3189
3190 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3191 sizeof(rfc), (unsigned long) &rfc);
3192 break;
6327eb98
AE		 3193
3194 case L2CAP_CONF_EWS:
c20f8e35 3195 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3196 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3197 chan->tx_win);
6327eb98 3198 break;
66af7aaf
AE		 3199
3200 case L2CAP_CONF_EFS:
3201 if (olen == sizeof(efs))
3202 memcpy(&efs, (void *)val, olen);
3203
3204 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3205 efs.stype != L2CAP_SERV_NOTRAFIC &&
3206 efs.stype != chan->local_stype)
3207 return -ECONNREFUSED;
3208
3209 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3210 sizeof(efs), (unsigned long) &efs);
3211 break;
f2fcfcd6
GP		 3212 }
3213 }
3214
0c1bc5c6 3215 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3216 return -ECONNREFUSED;
3217
0c1bc5c6 3218 chan->mode = rfc.mode;
6c2ea7a8 3219
0e8b207e 3220 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3221 switch (rfc.mode) {
3222 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3223 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3224 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3225 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3226 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3227 chan->ack_win = min_t(u16, chan->ack_win,
3228 rfc.txwin_size);
66af7aaf
AE		 3229
3230 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3231 chan->local_msdu = le16_to_cpu(efs.msdu);
3232 chan->local_sdu_itime =
3233 le32_to_cpu(efs.sdu_itime);
3234 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3235 chan->local_flush_to =
3236 le32_to_cpu(efs.flush_to);
3237 }
f2fcfcd6 3238 break;
66af7aaf 3239
f2fcfcd6 3240 case L2CAP_MODE_STREAMING:
47d1ec61 3241 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3242 }
3243 }
3244
fe4128e0 3245 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3246 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3247
3248 return ptr - data;
3249}
3250
fe4128e0 3251static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 3252{
3253 struct l2cap_conf_rsp *rsp = data;
3254 void *ptr = rsp->data;
1da177e4 3255
fe4128e0 3256 BT_DBG("chan %p", chan);
1da177e4 3257
fe4128e0 3258 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3259 rsp->result = cpu_to_le16(result);
aca3192c 3260 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3261
3262 return ptr - data;
3263}
3264
8c1d787b 3265void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3266{
3267 struct l2cap_conn_rsp rsp;
8c1d787b 3268 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 3269 u8 buf[128];
3270
fe4128e0
GP		 3271 rsp.scid = cpu_to_le16(chan->dcid);
3272 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3273 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3274 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
710f9b0a
GP		 3275 l2cap_send_cmd(conn, chan->ident,
3276 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
3277
c1360a1c 3278 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3279 return;
3280
710f9b0a
GP		 3281 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3282 l2cap_build_conf_req(chan, buf), buf);
3283 chan->num_conf_req++;
3284}
3285
47d1ec61 3286static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3287{
7b1c0049
GP		 3288 int type, olen;
3289 unsigned long val;
c20f8e35
MM		 3290 /* Use sane default values in case a misbehaving remote device
3291 * did not send an RFC or extended window size option.
3292 */
3293 u16 txwin_ext = chan->ack_win;
3294 struct l2cap_conf_rfc rfc = {
3295 .mode = chan->mode,
3296 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3297 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3298 .max_pdu_size = cpu_to_le16(chan->imtu),
3299 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3300 };
7b1c0049 3301
47d1ec61 3302 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3303
0c1bc5c6 3304 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3305 return;
3306
3307 while (len >= L2CAP_CONF_OPT_SIZE) {
3308 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3309
c20f8e35
MM		 3310 switch (type) {
3311 case L2CAP_CONF_RFC:
3312 if (olen == sizeof(rfc))
3313 memcpy(&rfc, (void *)val, olen);
8f321f85 3314 break;
c20f8e35
MM		 3315 case L2CAP_CONF_EWS:
3316 txwin_ext = val;
3317 break;
3318 }
7b1c0049
GP		 3319 }
3320
7b1c0049
GP		 3321 switch (rfc.mode) {
3322 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3323 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3324 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3325 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3326 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3327 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3328 else
3329 chan->ack_win = min_t(u16, chan->ack_win,
3330 rfc.txwin_size);
7b1c0049
GP		 3331 break;
3332 case L2CAP_MODE_STREAMING:
47d1ec61 3333 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3334 }
3335}
3336
4e8402a3
MH		 3337static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3338{
e2fd318e 3339 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3340
e2fd318e 3341 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3342 return 0;
3343
3344 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3345 cmd->ident == conn->info_ident) {
17cd3f37 3346 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3347
3348 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3349 conn->info_ident = 0;
984947dc 3350
4e8402a3
MH		 3351 l2cap_conn_start(conn);
3352 }
3353
3354 return 0;
3355}
3356
1da177e4
LT		 3357static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3358{
1da177e4
LT		 3359 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3360 struct l2cap_conn_rsp rsp;
23691d75 3361 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3362 struct sock *parent, *sk = NULL;
e7c29cb1 3363 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3364
3365 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3366 __le16 psm = req->psm;
1da177e4 3367
097db76c 3368 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3369
3370 /* Check if we have socket listening on psm */
c2287681 3371 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3372 if (!pchan) {
1da177e4
LT		 3373 result = L2CAP_CR_BAD_PSM;
3374 goto sendresp;
3375 }
3376
23691d75
GP		 3377 parent = pchan->sk;
3378
3df91ea2 3379 mutex_lock(&conn->chan_lock);
aa2ac881 3380 lock_sock(parent);
e0f0cb56 3381
e7c29cb1 3382 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3383 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
e7c29cb1 3384 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3385 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3386 result = L2CAP_CR_SEC_BLOCK;
3387 goto response;
3388 }
3389
1da177e4
LT		 3390 result = L2CAP_CR_NO_MEM;
3391
2dfa1003
GP		 3392 /* Check if we already have channel with that dcid */
3393 if (__l2cap_get_chan_by_dcid(conn, scid))
3394 goto response;
3395
80b98027 3396 chan = pchan->ops->new_connection(pchan);
80808e43 3397 if (!chan)
1da177e4
LT		 3398 goto response;
3399
80808e43
GP		 3400 sk = chan->sk;
3401
1da177e4
LT		 3402 hci_conn_hold(conn->hcon);
3403
1da177e4
LT		 3404 bacpy(&bt_sk(sk)->src, conn->src);
3405 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3406 chan->psm = psm;
3407 chan->dcid = scid;
1da177e4 3408
d1010240
GP		 3409 bt_accept_enqueue(parent, sk);
3410
6be36555 3411 __l2cap_chan_add(conn, chan);
48454079 3412
fe4128e0 3413 dcid = chan->scid;
1da177e4 3414
c9b66675 3415 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3416
fc7f8a7e 3417 chan->ident = cmd->ident;
1da177e4 3418
984947dc 3419 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3420 if (l2cap_chan_check_security(chan)) {
c5daa683 3421 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3422 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3423 result = L2CAP_CR_PEND;
3424 status = L2CAP_CS_AUTHOR_PEND;
3425 parent->sk_data_ready(parent, 0);
3426 } else {
0e587be7 3427 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 3428 result = L2CAP_CR_SUCCESS;
3429 status = L2CAP_CS_NO_INFO;
3430 }
79d554a6 3431 } else {
0e587be7 3432 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3433 result = L2CAP_CR_PEND;
3434 status = L2CAP_CS_AUTHEN_PEND;
3435 }
3436 } else {
0e587be7 3437 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3438 result = L2CAP_CR_PEND;
3439 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3440 }
3441
1da177e4 3442response:
aa2ac881 3443 release_sock(parent);
3df91ea2 3444 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3445
3446sendresp:
aca3192c
YH		 3447 rsp.scid = cpu_to_le16(scid);
3448 rsp.dcid = cpu_to_le16(dcid);
3449 rsp.result = cpu_to_le16(result);
3450 rsp.status = cpu_to_le16(status);
1da177e4 3451 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 3452
3453 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3454 struct l2cap_info_req info;
ac73498c 3455 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3456
3457 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3458 conn->info_ident = l2cap_get_ident(conn);
3459
ba13ccd9 3460 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 3461
3462 l2cap_send_cmd(conn, conn->info_ident,
3463 L2CAP_INFO_REQ, sizeof(info), &info);
3464 }
3465
c1360a1c 3466 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 3467 result == L2CAP_CR_SUCCESS) {
3468 u8 buf[128];
c1360a1c 3469 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3470 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3471 l2cap_build_conf_req(chan, buf), buf);
3472 chan->num_conf_req++;
e9aeb2dd
GP		 3473 }
3474
1da177e4
LT		 3475 return 0;
3476}
3477
3478static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3479{
3480 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3481 u16 scid, dcid, result, status;
48454079 3482 struct l2cap_chan *chan;
1da177e4 3483 u8 req[128];
3df91ea2 3484 int err;
1da177e4
LT		 3485
3486 scid = __le16_to_cpu(rsp->scid);
3487 dcid = __le16_to_cpu(rsp->dcid);
3488 result = __le16_to_cpu(rsp->result);
3489 status = __le16_to_cpu(rsp->status);
3490
1b009c98
AE		 3491 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3492 dcid, scid, result, status);
1da177e4 3493
3df91ea2
AE		 3494 mutex_lock(&conn->chan_lock);
3495
1da177e4 3496 if (scid) {
3df91ea2
AE		 3497 chan = __l2cap_get_chan_by_scid(conn, scid);
3498 if (!chan) {
3499 err = -EFAULT;
3500 goto unlock;
3501 }
1da177e4 3502 } else {
3df91ea2
AE		 3503 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3504 if (!chan) {
3505 err = -EFAULT;
3506 goto unlock;
3507 }
1da177e4
LT		 3508 }
3509
3df91ea2
AE		 3510 err = 0;
3511
6be36555 3512 l2cap_chan_lock(chan);
48454079 3513
1da177e4
LT		 3514 switch (result) {
3515 case L2CAP_CR_SUCCESS:
89bc500e 3516 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3517 chan->ident = 0;
fe4128e0 3518 chan->dcid = dcid;
c1360a1c 3519 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3520
c1360a1c 3521 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3522 break;
3523
1da177e4 3524 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3525 l2cap_build_conf_req(chan, req), req);
3526 chan->num_conf_req++;
1da177e4
LT		 3527 break;
3528
3529 case L2CAP_CR_PEND:
c1360a1c 3530 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3531 break;
3532
3533 default:
48454079 3534 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3535 break;
3536 }
3537
6be36555 3538 l2cap_chan_unlock(chan);
3df91ea2
AE		 3539
3540unlock:
3541 mutex_unlock(&conn->chan_lock);
3542
3543 return err;
1da177e4
LT		 3544}
3545
47d1ec61 3546static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3547{
3548 /* FCS is enabled only in ERTM or streaming mode, if one or both
3549 * sides request it.
3550 */
0c1bc5c6 3551 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3552 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3553 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3554 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3555}
3556
88219a0f 3557static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 3558{
3559 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3560 u16 dcid, flags;
3561 u8 rsp[64];
48454079 3562 struct l2cap_chan *chan;
3c588192 3563 int len, err = 0;
1da177e4
LT		 3564
3565 dcid = __le16_to_cpu(req->dcid);
3566 flags = __le16_to_cpu(req->flags);
3567
3568 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3569
baa7e1fa 3570 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3571 if (!chan)
1da177e4
LT		 3572 return -ENOENT;
3573
033b1142 3574 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3575 struct l2cap_cmd_rej_cid rej;
3576
ac73498c 3577 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
e2fd318e
IK		 3578 rej.scid = cpu_to_le16(chan->scid);
3579 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3580
df6bd743
GP		 3581 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
3582 sizeof(rej), &rej);
354f60a9 3583 goto unlock;
df6bd743 3584 }
354f60a9 3585
5dee9e7c 3586 /* Reject if config buffer is too small. */
88219a0f 3587 len = cmd_len - sizeof(*req);
7ac28817 3588 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3589 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3590 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 3591 L2CAP_CONF_REJECT, flags), rsp);
3592 goto unlock;
3593 }
3594
3595 /* Store config. */
73ffa904
GP		 3596 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3597 chan->conf_len += len;
1da177e4 3598
59e54bd1 3599 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 3600 /* Incomplete config. Send empty response. */
3601 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3602 l2cap_build_conf_rsp(chan, rsp,
5325e5bb 3603 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 3604 goto unlock;
3605 }
3606
3607 /* Complete config. */
73ffa904 3608 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3609 if (len < 0) {
e92c8e70 3610 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 3611 goto unlock;
f2fcfcd6 3612 }
1da177e4 3613
5dee9e7c 3614 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3615 chan->num_conf_rsp++;
5dee9e7c 3616
5dee9e7c 3617 /* Reset config buffer. */
73ffa904 3618 chan->conf_len = 0;
5dee9e7c 3619
c1360a1c 3620 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3621 goto unlock;
3622
c1360a1c 3623 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3624 set_default_fcs(chan);
fcc203c3 3625
105bdf9e
MM		 3626 if (chan->mode == L2CAP_MODE_ERTM ||
3627 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3628 err = l2cap_ertm_init(chan);
3629
3630 if (err < 0)
3631 l2cap_send_disconn_req(chan->conn, chan, -err);
3632 else
3633 l2cap_chan_ready(chan);
0565c1c2 3634
876d9484
MH		 3635 goto unlock;
3636 }
3637
c1360a1c 3638 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3639 u8 buf[64];
1da177e4 3640 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3641 l2cap_build_conf_req(chan, buf), buf);
3642 chan->num_conf_req++;
1da177e4
LT		 3643 }
3644
0e8b207e
AE		 3645 /* Got Conf Rsp PENDING from remote side and asume we sent
3646 Conf Rsp PENDING in the code above */
3647 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
3648 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3649
3650 /* check compatibility */
3651
3652 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3653 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3654
3655 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3656 l2cap_build_conf_rsp(chan, rsp,
5325e5bb 3657 L2CAP_CONF_SUCCESS, flags), rsp);
0e8b207e
AE		 3658 }
3659
1da177e4 3660unlock:
6be36555 3661 l2cap_chan_unlock(chan);
3c588192 3662 return err;
1da177e4
LT		 3663}
3664
3665static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3666{
3667 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3668 u16 scid, flags, result;
48454079 3669 struct l2cap_chan *chan;
61386cba 3670 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3671 int err = 0;
1da177e4
LT		 3672
3673 scid = __le16_to_cpu(rsp->scid);
3674 flags = __le16_to_cpu(rsp->flags);
3675 result = __le16_to_cpu(rsp->result);
3676
61386cba
AE		 3677 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3678 result, len);
1da177e4 3679
baa7e1fa 3680 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3681 if (!chan)
1da177e4
LT		 3682 return 0;
3683
3684 switch (result) {
3685 case L2CAP_CONF_SUCCESS:
47d1ec61 3686 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3687 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3688 break;
3689
0e8b207e
AE		 3690 case L2CAP_CONF_PENDING:
3691 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3692
3693 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3694 char buf[64];
3695
3696 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3697 buf, &result);
3698 if (len < 0) {
3699 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3700 goto done;
3701 }
3702
3703 /* check compatibility */
3704
3705 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3706 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3707
3708 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3709 l2cap_build_conf_rsp(chan, buf,
0e8b207e
AE		 3710 L2CAP_CONF_SUCCESS, 0x0000), buf);
3711 }
3712 goto done;
3713
1da177e4 3714 case L2CAP_CONF_UNACCEPT:
73ffa904 3715 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3716 char req[64];
3717
c2c77ec8 3718 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 3719 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 3720 goto done;
3721 }
3722
f2fcfcd6
GP		 3723 /* throw out any old stored conf requests */
3724 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 3725 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3726 req, &result);
f2fcfcd6 3727 if (len < 0) {
e92c8e70 3728 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 3729 goto done;
3730 }
3731
3732 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3733 L2CAP_CONF_REQ, len, req);
73ffa904 3734 chan->num_conf_req++;
f2fcfcd6
GP		 3735 if (result != L2CAP_CONF_SUCCESS)
3736 goto done;
3737 break;
1da177e4
LT		 3738 }
3739
8e87d142 3740 default:
6be36555 3741 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 3742
ba13ccd9 3743 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 3744 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 3745 goto done;
3746 }
3747
59e54bd1 3748 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 3749 goto done;
3750
c1360a1c 3751 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 3752
c1360a1c 3753 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 3754 set_default_fcs(chan);
fcc203c3 3755
105bdf9e
MM		 3756 if (chan->mode == L2CAP_MODE_ERTM ||
3757 chan->mode == L2CAP_MODE_STREAMING)
3c588192 3758 err = l2cap_ertm_init(chan);
0565c1c2 3759
3c588192
MM		 3760 if (err < 0)
3761 l2cap_send_disconn_req(chan->conn, chan, -err);
3762 else
3763 l2cap_chan_ready(chan);
1da177e4
LT		 3764 }
3765
3766done:
6be36555 3767 l2cap_chan_unlock(chan);
3c588192 3768 return err;
1da177e4
LT		 3769}
3770
3771static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3772{
3773 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3774 struct l2cap_disconn_rsp rsp;
3775 u16 dcid, scid;
48454079 3776 struct l2cap_chan *chan;
1da177e4
LT		 3777 struct sock *sk;
3778
3779 scid = __le16_to_cpu(req->scid);
3780 dcid = __le16_to_cpu(req->dcid);
3781
3782 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3783
3df91ea2
AE		 3784 mutex_lock(&conn->chan_lock);
3785
3786 chan = __l2cap_get_chan_by_scid(conn, dcid);
3787 if (!chan) {
3788 mutex_unlock(&conn->chan_lock);
1da177e4 3789 return 0;
3df91ea2 3790 }
1da177e4 3791
6be36555
AE		 3792 l2cap_chan_lock(chan);
3793
48454079
GP		 3794 sk = chan->sk;
3795
fe4128e0
GP		 3796 rsp.dcid = cpu_to_le16(chan->scid);
3797 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3798 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3799
6be36555 3800 lock_sock(sk);
1da177e4 3801 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 3802 release_sock(sk);
1da177e4 3803
61d6ef3e 3804 l2cap_chan_hold(chan);
48454079 3805 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 3806
3807 l2cap_chan_unlock(chan);
1da177e4 3808
80b98027 3809 chan->ops->close(chan);
61d6ef3e 3810 l2cap_chan_put(chan);
3df91ea2
AE		 3811
3812 mutex_unlock(&conn->chan_lock);
3813
1da177e4
LT		 3814 return 0;
3815}
3816
3817static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3818{
3819 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3820 u16 dcid, scid;
48454079 3821 struct l2cap_chan *chan;
1da177e4
LT		 3822
3823 scid = __le16_to_cpu(rsp->scid);
3824 dcid = __le16_to_cpu(rsp->dcid);
3825
3826 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3827
3df91ea2
AE		 3828 mutex_lock(&conn->chan_lock);
3829
3830 chan = __l2cap_get_chan_by_scid(conn, scid);
3831 if (!chan) {
3832 mutex_unlock(&conn->chan_lock);
1da177e4 3833 return 0;
3df91ea2 3834 }
1da177e4 3835
6be36555 3836 l2cap_chan_lock(chan);
48454079 3837
61d6ef3e 3838 l2cap_chan_hold(chan);
48454079 3839 l2cap_chan_del(chan, 0);
6be36555
AE		 3840
3841 l2cap_chan_unlock(chan);
1da177e4 3842
80b98027 3843 chan->ops->close(chan);
61d6ef3e 3844 l2cap_chan_put(chan);
3df91ea2
AE		 3845
3846 mutex_unlock(&conn->chan_lock);
3847
1da177e4
LT		 3848 return 0;
3849}
3850
3851static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3852{
3853 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3854 u16 type;
3855
3856 type = __le16_to_cpu(req->type);
3857
3858 BT_DBG("type 0x%4.4x", type);
3859
f0709e03
MH		 3860 if (type == L2CAP_IT_FEAT_MASK) {
3861 u8 buf[8];
44dd46de 3862 u32 feat_mask = l2cap_feat_mask;
f0709e03 3863 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 3864 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
3865 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3866 if (!disable_ertm)
fcc203c3
GP		 3867 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3868 | L2CAP_FEAT_FCS;
a5fd6f30 3869 if (enable_hs)
6327eb98
AE		 3870 feat_mask |= L2CAP_FEAT_EXT_FLOW
3871 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3872
1b7bf4ed 3873 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3874 l2cap_send_cmd(conn, cmd->ident,
3875 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3876 } else if (type == L2CAP_IT_FIXED_CHAN) {
3877 u8 buf[12];
3878 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3879
3880 if (enable_hs)
3881 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3882 else
3883 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3884
ac73498c
AE		 3885 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3886 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3887 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH		 3888 l2cap_send_cmd(conn, cmd->ident,
3889 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3890 } else {
3891 struct l2cap_info_rsp rsp;
3892 rsp.type = cpu_to_le16(type);
ac73498c 3893 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
f0709e03
MH		 3894 l2cap_send_cmd(conn, cmd->ident,
3895 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3896 }
1da177e4
LT		 3897
3898 return 0;
3899}
3900
3901static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3902{
3903 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3904 u16 type, result;
3905
3906 type = __le16_to_cpu(rsp->type);
3907 result = __le16_to_cpu(rsp->result);
3908
3909 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3910
e90165be
AE		 3911 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3912 if (cmd->ident != conn->info_ident ||
3913 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3914 return 0;
3915
17cd3f37 3916 cancel_delayed_work(&conn->info_timer);
4e8402a3 3917
adb08ede
VT		 3918 if (result != L2CAP_IR_SUCCESS) {
3919 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3920 conn->info_ident = 0;
3921
3922 l2cap_conn_start(conn);
3923
3924 return 0;
3925 }
3926
978c93b9
AE		 3927 switch (type) {
3928 case L2CAP_IT_FEAT_MASK:
83985319 3929 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3930
47ec1dcd 3931 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 3932 struct l2cap_info_req req;
ac73498c 3933 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 3934
3935 conn->info_ident = l2cap_get_ident(conn);
3936
3937 l2cap_send_cmd(conn, conn->info_ident,
3938 L2CAP_INFO_REQ, sizeof(req), &req);
3939 } else {
3940 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3941 conn->info_ident = 0;
3942
3943 l2cap_conn_start(conn);
3944 }
978c93b9
AE		 3945 break;
3946
3947 case L2CAP_IT_FIXED_CHAN:
3948 conn->fixed_chan_mask = rsp->data[0];
984947dc 3949 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3950 conn->info_ident = 0;
984947dc
MH		 3951
3952 l2cap_conn_start(conn);
978c93b9 3953 break;
984947dc 3954 }
4e8402a3 3955
1da177e4
LT		 3956 return 0;
3957}
3958
f94ff6ff
MM		 3959static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3960 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3961 void *data)
3962{
3963 struct l2cap_create_chan_req *req = data;
3964 struct l2cap_create_chan_rsp rsp;
3965 u16 psm, scid;
3966
3967 if (cmd_len != sizeof(*req))
3968 return -EPROTO;
3969
3970 if (!enable_hs)
3971 return -EINVAL;
3972
3973 psm = le16_to_cpu(req->psm);
3974 scid = le16_to_cpu(req->scid);
3975
ad0ac6ca 3976 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff
MM		 3977
3978 /* Placeholder: Always reject */
3979 rsp.dcid = 0;
3980 rsp.scid = cpu_to_le16(scid);
8ce0c498
AE		 3981 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
3982 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f94ff6ff
MM		 3983
3984 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
3985 sizeof(rsp), &rsp);
3986
3987 return 0;
3988}
3989
3990static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
3991 struct l2cap_cmd_hdr *cmd, void *data)
3992{
3993 BT_DBG("conn %p", conn);
3994
3995 return l2cap_connect_rsp(conn, cmd, data);
3996}
3997
8d5a04a1 3998static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 3999 u16 icid, u16 result)
8d5a04a1
MM		 4000{
4001 struct l2cap_move_chan_rsp rsp;
4002
ad0ac6ca 4003 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4004
4005 rsp.icid = cpu_to_le16(icid);
4006 rsp.result = cpu_to_le16(result);
4007
4008 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
4009}
4010
4011static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
ad0ac6ca
AE		 4012 struct l2cap_chan *chan,
4013 u16 icid, u16 result)
8d5a04a1
MM		 4014{
4015 struct l2cap_move_chan_cfm cfm;
4016 u8 ident;
4017
ad0ac6ca 4018 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4019
4020 ident = l2cap_get_ident(conn);
4021 if (chan)
4022 chan->ident = ident;
4023
4024 cfm.icid = cpu_to_le16(icid);
4025 cfm.result = cpu_to_le16(result);
4026
4027 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
4028}
4029
4030static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4031 u16 icid)
8d5a04a1
MM		 4032{
4033 struct l2cap_move_chan_cfm_rsp rsp;
4034
ad0ac6ca 4035 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4036
4037 rsp.icid = cpu_to_le16(icid);
4038 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4039}
4040
4041static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4042 struct l2cap_cmd_hdr *cmd,
4043 u16 cmd_len, void *data)
8d5a04a1
MM		 4044{
4045 struct l2cap_move_chan_req *req = data;
4046 u16 icid = 0;
4047 u16 result = L2CAP_MR_NOT_ALLOWED;
4048
4049 if (cmd_len != sizeof(*req))
4050 return -EPROTO;
4051
4052 icid = le16_to_cpu(req->icid);
4053
ad0ac6ca 4054 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1
MM		 4055
4056 if (!enable_hs)
4057 return -EINVAL;
4058
4059 /* Placeholder: Always refuse */
4060 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
4061
4062 return 0;
4063}
4064
4065static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 4066 struct l2cap_cmd_hdr *cmd,
4067 u16 cmd_len, void *data)
8d5a04a1
MM		 4068{
4069 struct l2cap_move_chan_rsp *rsp = data;
4070 u16 icid, result;
4071
4072 if (cmd_len != sizeof(*rsp))
4073 return -EPROTO;
4074
4075 icid = le16_to_cpu(rsp->icid);
4076 result = le16_to_cpu(rsp->result);
4077
ad0ac6ca 4078 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4079
4080 /* Placeholder: Always unconfirmed */
4081 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
4082
4083 return 0;
4084}
4085
4086static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
ad0ac6ca
AE		 4087 struct l2cap_cmd_hdr *cmd,
4088 u16 cmd_len, void *data)
8d5a04a1
MM		 4089{
4090 struct l2cap_move_chan_cfm *cfm = data;
4091 u16 icid, result;
4092
4093 if (cmd_len != sizeof(*cfm))
4094 return -EPROTO;
4095
4096 icid = le16_to_cpu(cfm->icid);
4097 result = le16_to_cpu(cfm->result);
4098
ad0ac6ca 4099 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4100
4101 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4102
4103 return 0;
4104}
4105
4106static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 4107 struct l2cap_cmd_hdr *cmd,
4108 u16 cmd_len, void *data)
8d5a04a1
MM		 4109{
4110 struct l2cap_move_chan_cfm_rsp *rsp = data;
4111 u16 icid;
4112
4113 if (cmd_len != sizeof(*rsp))
4114 return -EPROTO;
4115
4116 icid = le16_to_cpu(rsp->icid);
4117
ad0ac6ca 4118 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4119
4120 return 0;
4121}
4122
e2174ca4 4123static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 4124 u16 to_multiplier)
4125{
4126 u16 max_latency;
4127
4128 if (min > max || min < 6 || max > 3200)
4129 return -EINVAL;
4130
4131 if (to_multiplier < 10 || to_multiplier > 3200)
4132 return -EINVAL;
4133
4134 if (max >= to_multiplier * 8)
4135 return -EINVAL;
4136
4137 max_latency = (to_multiplier * 8 / max) - 1;
4138 if (latency > 499 || latency > max_latency)
4139 return -EINVAL;
4140
4141 return 0;
4142}
4143
4144static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
4145 struct l2cap_cmd_hdr *cmd, u8 *data)
4146{
4147 struct hci_conn *hcon = conn->hcon;
4148 struct l2cap_conn_param_update_req *req;
4149 struct l2cap_conn_param_update_rsp rsp;
4150 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 4151 int err;
de73115a
CT		 4152
4153 if (!(hcon->link_mode & HCI_LM_MASTER))
4154 return -EINVAL;
4155
4156 cmd_len = __le16_to_cpu(cmd->len);
4157 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
4158 return -EPROTO;
4159
4160 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 4161 min = __le16_to_cpu(req->min);
4162 max = __le16_to_cpu(req->max);
de73115a
CT		 4163 latency = __le16_to_cpu(req->latency);
4164 to_multiplier = __le16_to_cpu(req->to_multiplier);
4165
4166 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
4167 min, max, latency, to_multiplier);
4168
4169 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 4170
4171 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
4172 if (err)
ac73498c 4173 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 4174 else
ac73498c 4175 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 4176
4177 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
4178 sizeof(rsp), &rsp);
4179
2ce603eb
CT		 4180 if (!err)
4181 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
4182
de73115a
CT		 4183 return 0;
4184}
4185
3300d9a9
CT		 4186static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
4187 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4188{
4189 int err = 0;
4190
4191 switch (cmd->code) {
4192 case L2CAP_COMMAND_REJ:
4193 l2cap_command_rej(conn, cmd, data);
4194 break;
4195
4196 case L2CAP_CONN_REQ:
4197 err = l2cap_connect_req(conn, cmd, data);
4198 break;
4199
4200 case L2CAP_CONN_RSP:
4201 err = l2cap_connect_rsp(conn, cmd, data);
4202 break;
4203
4204 case L2CAP_CONF_REQ:
4205 err = l2cap_config_req(conn, cmd, cmd_len, data);
4206 break;
4207
4208 case L2CAP_CONF_RSP:
4209 err = l2cap_config_rsp(conn, cmd, data);
4210 break;
4211
4212 case L2CAP_DISCONN_REQ:
4213 err = l2cap_disconnect_req(conn, cmd, data);
4214 break;
4215
4216 case L2CAP_DISCONN_RSP:
4217 err = l2cap_disconnect_rsp(conn, cmd, data);
4218 break;
4219
4220 case L2CAP_ECHO_REQ:
4221 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
4222 break;
4223
4224 case L2CAP_ECHO_RSP:
4225 break;
4226
4227 case L2CAP_INFO_REQ:
4228 err = l2cap_information_req(conn, cmd, data);
4229 break;
4230
4231 case L2CAP_INFO_RSP:
4232 err = l2cap_information_rsp(conn, cmd, data);
4233 break;
4234
f94ff6ff
MM		 4235 case L2CAP_CREATE_CHAN_REQ:
4236 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
4237 break;
4238
4239 case L2CAP_CREATE_CHAN_RSP:
4240 err = l2cap_create_channel_rsp(conn, cmd, data);
4241 break;
4242
8d5a04a1
MM		 4243 case L2CAP_MOVE_CHAN_REQ:
4244 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
4245 break;
4246
4247 case L2CAP_MOVE_CHAN_RSP:
4248 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
4249 break;
4250
4251 case L2CAP_MOVE_CHAN_CFM:
4252 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
4253 break;
4254
4255 case L2CAP_MOVE_CHAN_CFM_RSP:
4256 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
4257 break;
4258
3300d9a9
CT		 4259 default:
4260 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
4261 err = -EINVAL;
4262 break;
4263 }
4264
4265 return err;
4266}
4267
4268static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
4269 struct l2cap_cmd_hdr *cmd, u8 *data)
4270{
4271 switch (cmd->code) {
4272 case L2CAP_COMMAND_REJ:
4273 return 0;
4274
4275 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 4276 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 4277
4278 case L2CAP_CONN_PARAM_UPDATE_RSP:
4279 return 0;
4280
4281 default:
4282 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
4283 return -EINVAL;
4284 }
4285}
4286
4287static inline void l2cap_sig_channel(struct l2cap_conn *conn,
4288 struct sk_buff *skb)
1da177e4
LT		 4289{
4290 u8 *data = skb->data;
4291 int len = skb->len;
4292 struct l2cap_cmd_hdr cmd;
3300d9a9 4293 int err;
1da177e4
LT		 4294
4295 l2cap_raw_recv(conn, skb);
4296
4297 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 4298 u16 cmd_len;
1da177e4
LT		 4299 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
4300 data += L2CAP_CMD_HDR_SIZE;
4301 len -= L2CAP_CMD_HDR_SIZE;
4302
88219a0f 4303 cmd_len = le16_to_cpu(cmd.len);
1da177e4 4304
88219a0f 4305 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 4306
88219a0f 4307 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 4308 BT_DBG("corrupted command");
4309 break;
4310 }
4311
3300d9a9
CT		 4312 if (conn->hcon->type == LE_LINK)
4313 err = l2cap_le_sig_cmd(conn, &cmd, data);
4314 else
4315 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 4316
4317 if (err) {
e2fd318e 4318 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 4319
4320 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 4321
4322 /* FIXME: Map err to a valid reason */
ac73498c 4323 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 4324 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4325 }
4326
88219a0f
AV		 4327 data += cmd_len;
4328 len -= cmd_len;
1da177e4
LT		 4329 }
4330
4331 kfree_skb(skb);
4332}
4333
47d1ec61 4334static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 4335{
4336 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 4337 int hdr_size;
4338
4339 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
4340 hdr_size = L2CAP_EXT_HDR_SIZE;
4341 else
4342 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 4343
47d1ec61 4344 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 4345 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 4346 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
4347 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
4348
4349 if (our_fcs != rcv_fcs)
7a560e5c 4350 return -EBADMSG;
fcc203c3
GP		 4351 }
4352 return 0;
4353}
4354
6ea00485 4355static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 4356{
e31f7633 4357 struct l2cap_ctrl control;
d5392c8f 4358
e31f7633 4359 BT_DBG("chan %p", chan);
d5392c8f 4360
e31f7633
MM		 4361 memset(&control, 0, sizeof(control));
4362 control.sframe = 1;
4363 control.final = 1;
4364 control.reqseq = chan->buffer_seq;
4365 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 4366
e2ab4353 4367 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 4368 control.super = L2CAP_SUPER_RNR;
4369 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4370 }
4371
e31f7633
MM		 4372 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
4373 chan->unacked_frames > 0)
4374 __set_retrans_timer(chan);
d5392c8f 4375
e31f7633 4376 /* Send pending iframes */
525cd185 4377 l2cap_ertm_send(chan);
d5392c8f 4378
e2ab4353 4379 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 4380 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
4381 /* F-bit wasn't sent in an s-frame or i-frame yet, so
4382 * send it now.
4383 */
4384 control.super = L2CAP_SUPER_RR;
4385 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4386 }
4387}
4388
84084a31
MM		 4389static void append_skb_frag(struct sk_buff *skb,
4390 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 4391{
84084a31
MM		 4392 /* skb->len reflects data in skb as well as all fragments
4393 * skb->data_len reflects only data in fragments
4394 */
4395 if (!skb_has_frag_list(skb))
4396 skb_shinfo(skb)->frag_list = new_frag;
4397
4398 new_frag->next = NULL;
4399
4400 (*last_frag)->next = new_frag;
4401 *last_frag = new_frag;
4402
4403 skb->len += new_frag->len;
4404 skb->data_len += new_frag->len;
4405 skb->truesize += new_frag->truesize;
4406}
4407
4b51dae9
MM		 4408static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
4409 struct l2cap_ctrl *control)
84084a31
MM		 4410{
4411 int err = -EINVAL;
18778a63 4412
4b51dae9 4413 switch (control->sar) {
7e0ef6ee 4414 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 4415 if (chan->sdu)
4416 break;
18778a63 4417
80b98027 4418 err = chan->ops->recv(chan, skb);
84084a31 4419 break;
18778a63 4420
7e0ef6ee 4421 case L2CAP_SAR_START:
84084a31
MM		 4422 if (chan->sdu)
4423 break;
18778a63 4424
6f61fd47 4425 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 4426 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 4427
84084a31
MM		 4428 if (chan->sdu_len > chan->imtu) {
4429 err = -EMSGSIZE;
4430 break;
4431 }
1890d36b 4432
84084a31
MM		 4433 if (skb->len >= chan->sdu_len)
4434 break;
18778a63 4435
84084a31
MM		 4436 chan->sdu = skb;
4437 chan->sdu_last_frag = skb;
18778a63 4438
84084a31
MM		 4439 skb = NULL;
4440 err = 0;
18778a63
GP		 4441 break;
4442
7e0ef6ee 4443 case L2CAP_SAR_CONTINUE:
6f61fd47 4444 if (!chan->sdu)
84084a31 4445 break;
18778a63 4446
84084a31
MM		 4447 append_skb_frag(chan->sdu, skb,
4448 &chan->sdu_last_frag);
4449 skb = NULL;
18778a63 4450
84084a31
MM		 4451 if (chan->sdu->len >= chan->sdu_len)
4452 break;
4178ba46 4453
84084a31 4454 err = 0;
18778a63
GP		 4455 break;
4456
7e0ef6ee 4457 case L2CAP_SAR_END:
6f61fd47 4458 if (!chan->sdu)
84084a31 4459 break;
18778a63 4460
84084a31
MM		 4461 append_skb_frag(chan->sdu, skb,
4462 &chan->sdu_last_frag);
4463 skb = NULL;
4178ba46 4464
84084a31
MM		 4465 if (chan->sdu->len != chan->sdu_len)
4466 break;
18778a63 4467
80b98027 4468 err = chan->ops->recv(chan, chan->sdu);
1890d36b 4469
84084a31
MM		 4470 if (!err) {
4471 /* Reassembly complete */
4472 chan->sdu = NULL;
4473 chan->sdu_last_frag = NULL;
4474 chan->sdu_len = 0;
1890d36b 4475 }
18778a63
GP		 4476 break;
4477 }
4478
84084a31
MM		 4479 if (err) {
4480 kfree_skb(skb);
4481 kfree_skb(chan->sdu);
4482 chan->sdu = NULL;
4483 chan->sdu_last_frag = NULL;
4484 chan->sdu_len = 0;
4485 }
18778a63 4486
84084a31 4487 return err;
18778a63
GP		 4488}
4489
61aa4f5b 4490void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 4491{
61aa4f5b 4492 u8 event;
712132eb 4493
61aa4f5b
MM		 4494 if (chan->mode != L2CAP_MODE_ERTM)
4495 return;
712132eb 4496
61aa4f5b 4497 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 4498 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 4499}
4500
d2a7ac5d
MM		 4501static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
4502{
63838725
MM		 4503 int err = 0;
4504 /* Pass sequential frames to l2cap_reassemble_sdu()
4505 * until a gap is encountered.
4506 */
4507
4508 BT_DBG("chan %p", chan);
4509
4510 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4511 struct sk_buff *skb;
4512 BT_DBG("Searching for skb with txseq %d (queue len %d)",
4513 chan->buffer_seq, skb_queue_len(&chan->srej_q));
4514
4515 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
4516
4517 if (!skb)
4518 break;
4519
4520 skb_unlink(skb, &chan->srej_q);
4521 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
4522 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
4523 if (err)
4524 break;
4525 }
4526
4527 if (skb_queue_empty(&chan->srej_q)) {
4528 chan->rx_state = L2CAP_RX_STATE_RECV;
4529 l2cap_send_ack(chan);
4530 }
4531
4532 return err;
d2a7ac5d
MM		 4533}
4534
4535static void l2cap_handle_srej(struct l2cap_chan *chan,
4536 struct l2cap_ctrl *control)
4537{
f80842a8
MM		 4538 struct sk_buff *skb;
4539
4540 BT_DBG("chan %p, control %p", chan, control);
4541
4542 if (control->reqseq == chan->next_tx_seq) {
4543 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4544 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4545 return;
4546 }
4547
4548 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4549
4550 if (skb == NULL) {
4551 BT_DBG("Seq %d not available for retransmission",
4552 control->reqseq);
4553 return;
4554 }
4555
4556 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
4557 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4558 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4559 return;
4560 }
4561
4562 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4563
4564 if (control->poll) {
4565 l2cap_pass_to_tx(chan, control);
4566
4567 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4568 l2cap_retransmit(chan, control);
4569 l2cap_ertm_send(chan);
4570
4571 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4572 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4573 chan->srej_save_reqseq = control->reqseq;
4574 }
4575 } else {
4576 l2cap_pass_to_tx_fbit(chan, control);
4577
4578 if (control->final) {
4579 if (chan->srej_save_reqseq != control->reqseq ||
4580 !test_and_clear_bit(CONN_SREJ_ACT,
4581 &chan->conn_state))
4582 l2cap_retransmit(chan, control);
4583 } else {
4584 l2cap_retransmit(chan, control);
4585 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4586 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4587 chan->srej_save_reqseq = control->reqseq;
4588 }
4589 }
4590 }
d2a7ac5d
MM		 4591}
4592
4593static void l2cap_handle_rej(struct l2cap_chan *chan,
4594 struct l2cap_ctrl *control)
4595{
fcd289df
MM		 4596 struct sk_buff *skb;
4597
4598 BT_DBG("chan %p, control %p", chan, control);
4599
4600 if (control->reqseq == chan->next_tx_seq) {
4601 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4602 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4603 return;
4604 }
4605
4606 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4607
4608 if (chan->max_tx && skb &&
4609 bt_cb(skb)->control.retries >= chan->max_tx) {
4610 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4611 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4612 return;
4613 }
4614
4615 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4616
4617 l2cap_pass_to_tx(chan, control);
4618
4619 if (control->final) {
4620 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
4621 l2cap_retransmit_all(chan, control);
4622 } else {
4623 l2cap_retransmit_all(chan, control);
4624 l2cap_ertm_send(chan);
4625 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
4626 set_bit(CONN_REJ_ACT, &chan->conn_state);
4627 }
d2a7ac5d
MM		 4628}
4629
4b51dae9
MM		 4630static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
4631{
4632 BT_DBG("chan %p, txseq %d", chan, txseq);
4633
4634 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
4635 chan->expected_tx_seq);
4636
4637 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
4638 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4639 chan->tx_win) {
4640 /* See notes below regarding "double poll" and
4641 * invalid packets.
4642 */
4643 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4644 BT_DBG("Invalid/Ignore - after SREJ");
4645 return L2CAP_TXSEQ_INVALID_IGNORE;
4646 } else {
4647 BT_DBG("Invalid - in window after SREJ sent");
4648 return L2CAP_TXSEQ_INVALID;
4649 }
4650 }
4651
4652 if (chan->srej_list.head == txseq) {
4653 BT_DBG("Expected SREJ");
4654 return L2CAP_TXSEQ_EXPECTED_SREJ;
4655 }
4656
4657 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
4658 BT_DBG("Duplicate SREJ - txseq already stored");
4659 return L2CAP_TXSEQ_DUPLICATE_SREJ;
4660 }
4661
4662 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
4663 BT_DBG("Unexpected SREJ - not requested");
4664 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
4665 }
4666 }
4667
4668 if (chan->expected_tx_seq == txseq) {
4669 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4670 chan->tx_win) {
4671 BT_DBG("Invalid - txseq outside tx window");
4672 return L2CAP_TXSEQ_INVALID;
4673 } else {
4674 BT_DBG("Expected");
4675 return L2CAP_TXSEQ_EXPECTED;
4676 }
4677 }
4678
4679 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
4680 __seq_offset(chan, chan->expected_tx_seq,
4681 chan->last_acked_seq)){
4682 BT_DBG("Duplicate - expected_tx_seq later than txseq");
4683 return L2CAP_TXSEQ_DUPLICATE;
4684 }
4685
4686 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
4687 /* A source of invalid packets is a "double poll" condition,
4688 * where delays cause us to send multiple poll packets. If
4689 * the remote stack receives and processes both polls,
4690 * sequence numbers can wrap around in such a way that a
4691 * resent frame has a sequence number that looks like new data
4692 * with a sequence gap. This would trigger an erroneous SREJ
4693 * request.
4694 *
4695 * Fortunately, this is impossible with a tx window that's
4696 * less than half of the maximum sequence number, which allows
4697 * invalid frames to be safely ignored.
4698 *
4699 * With tx window sizes greater than half of the tx window
4700 * maximum, the frame is invalid and cannot be ignored. This
4701 * causes a disconnect.
4702 */
4703
4704 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4705 BT_DBG("Invalid/Ignore - txseq outside tx window");
4706 return L2CAP_TXSEQ_INVALID_IGNORE;
4707 } else {
4708 BT_DBG("Invalid - txseq outside tx window");
4709 return L2CAP_TXSEQ_INVALID;
4710 }
4711 } else {
4712 BT_DBG("Unexpected - txseq indicates missing frames");
4713 return L2CAP_TXSEQ_UNEXPECTED;
4714 }
4715}
4716
d2a7ac5d
MM		 4717static int l2cap_rx_state_recv(struct l2cap_chan *chan,
4718 struct l2cap_ctrl *control,
4719 struct sk_buff *skb, u8 event)
4720{
4721 int err = 0;
4722 bool skb_in_use = 0;
4723
4724 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4725 event);
4726
4727 switch (event) {
4728 case L2CAP_EV_RECV_IFRAME:
4729 switch (l2cap_classify_txseq(chan, control->txseq)) {
4730 case L2CAP_TXSEQ_EXPECTED:
4731 l2cap_pass_to_tx(chan, control);
4732
4733 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4734 BT_DBG("Busy, discarding expected seq %d",
4735 control->txseq);
4736 break;
4737 }
4738
4739 chan->expected_tx_seq = __next_seq(chan,
4740 control->txseq);
4741
4742 chan->buffer_seq = chan->expected_tx_seq;
4743 skb_in_use = 1;
4744
4745 err = l2cap_reassemble_sdu(chan, skb, control);
4746 if (err)
4747 break;
4748
4749 if (control->final) {
4750 if (!test_and_clear_bit(CONN_REJ_ACT,
4751 &chan->conn_state)) {
4752 control->final = 0;
4753 l2cap_retransmit_all(chan, control);
4754 l2cap_ertm_send(chan);
4755 }
4756 }
4757
4758 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
4759 l2cap_send_ack(chan);
4760 break;
4761 case L2CAP_TXSEQ_UNEXPECTED:
4762 l2cap_pass_to_tx(chan, control);
4763
4764 /* Can't issue SREJ frames in the local busy state.
4765 * Drop this frame, it will be seen as missing
4766 * when local busy is exited.
4767 */
4768 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4769 BT_DBG("Busy, discarding unexpected seq %d",
4770 control->txseq);
4771 break;
4772 }
4773
4774 /* There was a gap in the sequence, so an SREJ
4775 * must be sent for each missing frame. The
4776 * current frame is stored for later use.
4777 */
4778 skb_queue_tail(&chan->srej_q, skb);
4779 skb_in_use = 1;
4780 BT_DBG("Queued %p (queue len %d)", skb,
4781 skb_queue_len(&chan->srej_q));
4782
4783 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
4784 l2cap_seq_list_clear(&chan->srej_list);
4785 l2cap_send_srej(chan, control->txseq);
4786
4787 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
4788 break;
4789 case L2CAP_TXSEQ_DUPLICATE:
4790 l2cap_pass_to_tx(chan, control);
4791 break;
4792 case L2CAP_TXSEQ_INVALID_IGNORE:
4793 break;
4794 case L2CAP_TXSEQ_INVALID:
4795 default:
4796 l2cap_send_disconn_req(chan->conn, chan,
4797 ECONNRESET);
4798 break;
4799 }
4800 break;
4801 case L2CAP_EV_RECV_RR:
4802 l2cap_pass_to_tx(chan, control);
4803 if (control->final) {
4804 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4805
4806 if (!test_and_clear_bit(CONN_REJ_ACT,
4807 &chan->conn_state)) {
4808 control->final = 0;
4809 l2cap_retransmit_all(chan, control);
4810 }
4811
4812 l2cap_ertm_send(chan);
4813 } else if (control->poll) {
4814 l2cap_send_i_or_rr_or_rnr(chan);
4815 } else {
4816 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4817 &chan->conn_state) &&
4818 chan->unacked_frames)
4819 __set_retrans_timer(chan);
4820
4821 l2cap_ertm_send(chan);
4822 }
4823 break;
4824 case L2CAP_EV_RECV_RNR:
4825 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4826 l2cap_pass_to_tx(chan, control);
4827 if (control && control->poll) {
4828 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4829 l2cap_send_rr_or_rnr(chan, 0);
4830 }
4831 __clear_retrans_timer(chan);
4832 l2cap_seq_list_clear(&chan->retrans_list);
4833 break;
4834 case L2CAP_EV_RECV_REJ:
4835 l2cap_handle_rej(chan, control);
4836 break;
4837 case L2CAP_EV_RECV_SREJ:
4838 l2cap_handle_srej(chan, control);
4839 break;
4840 default:
4841 break;
4842 }
4843
4844 if (skb && !skb_in_use) {
4845 BT_DBG("Freeing %p", skb);
4846 kfree_skb(skb);
4847 }
4848
4849 return err;
4850}
4851
4852static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
4853 struct l2cap_ctrl *control,
4854 struct sk_buff *skb, u8 event)
4855{
4856 int err = 0;
4857 u16 txseq = control->txseq;
4858 bool skb_in_use = 0;
4859
4860 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4861 event);
4862
4863 switch (event) {
4864 case L2CAP_EV_RECV_IFRAME:
4865 switch (l2cap_classify_txseq(chan, txseq)) {
4866 case L2CAP_TXSEQ_EXPECTED:
4867 /* Keep frame for reassembly later */
4868 l2cap_pass_to_tx(chan, control);
4869 skb_queue_tail(&chan->srej_q, skb);
4870 skb_in_use = 1;
4871 BT_DBG("Queued %p (queue len %d)", skb,
4872 skb_queue_len(&chan->srej_q));
4873
4874 chan->expected_tx_seq = __next_seq(chan, txseq);
4875 break;
4876 case L2CAP_TXSEQ_EXPECTED_SREJ:
4877 l2cap_seq_list_pop(&chan->srej_list);
4878
4879 l2cap_pass_to_tx(chan, control);
4880 skb_queue_tail(&chan->srej_q, skb);
4881 skb_in_use = 1;
4882 BT_DBG("Queued %p (queue len %d)", skb,
4883 skb_queue_len(&chan->srej_q));
4884
4885 err = l2cap_rx_queued_iframes(chan);
4886 if (err)
4887 break;
4888
4889 break;
4890 case L2CAP_TXSEQ_UNEXPECTED:
4891 /* Got a frame that can't be reassembled yet.
4892 * Save it for later, and send SREJs to cover
4893 * the missing frames.
4894 */
4895 skb_queue_tail(&chan->srej_q, skb);
4896 skb_in_use = 1;
4897 BT_DBG("Queued %p (queue len %d)", skb,
4898 skb_queue_len(&chan->srej_q));
4899
4900 l2cap_pass_to_tx(chan, control);
4901 l2cap_send_srej(chan, control->txseq);
4902 break;
4903 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
4904 /* This frame was requested with an SREJ, but
4905 * some expected retransmitted frames are
4906 * missing. Request retransmission of missing
4907 * SREJ'd frames.
4908 */
4909 skb_queue_tail(&chan->srej_q, skb);
4910 skb_in_use = 1;
4911 BT_DBG("Queued %p (queue len %d)", skb,
4912 skb_queue_len(&chan->srej_q));
4913
4914 l2cap_pass_to_tx(chan, control);
4915 l2cap_send_srej_list(chan, control->txseq);
4916 break;
4917 case L2CAP_TXSEQ_DUPLICATE_SREJ:
4918 /* We've already queued this frame. Drop this copy. */
4919 l2cap_pass_to_tx(chan, control);
4920 break;
4921 case L2CAP_TXSEQ_DUPLICATE:
4922 /* Expecting a later sequence number, so this frame
4923 * was already received. Ignore it completely.
4924 */
4925 break;
4926 case L2CAP_TXSEQ_INVALID_IGNORE:
4927 break;
4928 case L2CAP_TXSEQ_INVALID:
4929 default:
4930 l2cap_send_disconn_req(chan->conn, chan,
4931 ECONNRESET);
4932 break;
4933 }
4934 break;
4935 case L2CAP_EV_RECV_RR:
4936 l2cap_pass_to_tx(chan, control);
4937 if (control->final) {
4938 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4939
4940 if (!test_and_clear_bit(CONN_REJ_ACT,
4941 &chan->conn_state)) {
4942 control->final = 0;
4943 l2cap_retransmit_all(chan, control);
4944 }
4945
4946 l2cap_ertm_send(chan);
4947 } else if (control->poll) {
4948 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4949 &chan->conn_state) &&
4950 chan->unacked_frames) {
4951 __set_retrans_timer(chan);
4952 }
4953
4954 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4955 l2cap_send_srej_tail(chan);
4956 } else {
4957 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4958 &chan->conn_state) &&
4959 chan->unacked_frames)
4960 __set_retrans_timer(chan);
4961
4962 l2cap_send_ack(chan);
4963 }
4964 break;
4965 case L2CAP_EV_RECV_RNR:
4966 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4967 l2cap_pass_to_tx(chan, control);
4968 if (control->poll) {
4969 l2cap_send_srej_tail(chan);
4970 } else {
4971 struct l2cap_ctrl rr_control;
4972 memset(&rr_control, 0, sizeof(rr_control));
4973 rr_control.sframe = 1;
4974 rr_control.super = L2CAP_SUPER_RR;
4975 rr_control.reqseq = chan->buffer_seq;
4976 l2cap_send_sframe(chan, &rr_control);
4977 }
4978
4979 break;
4980 case L2CAP_EV_RECV_REJ:
4981 l2cap_handle_rej(chan, control);
4982 break;
4983 case L2CAP_EV_RECV_SREJ:
4984 l2cap_handle_srej(chan, control);
4985 break;
4986 }
4987
4988 if (skb && !skb_in_use) {
4989 BT_DBG("Freeing %p", skb);
4990 kfree_skb(skb);
4991 }
4992
4993 return err;
4994}
4995
4996static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
4997{
4998 /* Make sure reqseq is for a packet that has been sent but not acked */
4999 u16 unacked;
5000
5001 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
5002 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
5003}
5004
cec8ab6e
MM		 5005static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5006 struct sk_buff *skb, u8 event)
218bb9df 5007{
d2a7ac5d
MM		 5008 int err = 0;
5009
5010 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
5011 control, skb, event, chan->rx_state);
5012
5013 if (__valid_reqseq(chan, control->reqseq)) {
5014 switch (chan->rx_state) {
5015 case L2CAP_RX_STATE_RECV:
5016 err = l2cap_rx_state_recv(chan, control, skb, event);
5017 break;
5018 case L2CAP_RX_STATE_SREJ_SENT:
5019 err = l2cap_rx_state_srej_sent(chan, control, skb,
5020 event);
5021 break;
5022 default:
5023 /* shut it down */
5024 break;
5025 }
5026 } else {
5027 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
5028 control->reqseq, chan->next_tx_seq,
5029 chan->expected_ack_seq);
5030 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
5031 }
5032
5033 return err;
cec8ab6e
MM		 5034}
5035
5036static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5037 struct sk_buff *skb)
5038{
4b51dae9
MM		 5039 int err = 0;
5040
5041 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
5042 chan->rx_state);
5043
5044 if (l2cap_classify_txseq(chan, control->txseq) ==
5045 L2CAP_TXSEQ_EXPECTED) {
5046 l2cap_pass_to_tx(chan, control);
5047
5048 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
5049 __next_seq(chan, chan->buffer_seq));
5050
5051 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5052
5053 l2cap_reassemble_sdu(chan, skb, control);
5054 } else {
5055 if (chan->sdu) {
5056 kfree_skb(chan->sdu);
5057 chan->sdu = NULL;
5058 }
5059 chan->sdu_last_frag = NULL;
5060 chan->sdu_len = 0;
5061
5062 if (skb) {
5063 BT_DBG("Freeing %p", skb);
5064 kfree_skb(skb);
5065 }
5066 }
5067
5068 chan->last_acked_seq = control->txseq;
5069 chan->expected_tx_seq = __next_seq(chan, control->txseq);
5070
5071 return err;
cec8ab6e
MM		 5072}
5073
5074static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
5075{
5076 struct l2cap_ctrl *control = &bt_cb(skb)->control;
5077 u16 len;
5078 u8 event;
218bb9df 5079
b76bbd66
MM		 5080 __unpack_control(chan, skb);
5081
218bb9df
GP		 5082 len = skb->len;
5083
5084 /*
5085 * We can just drop the corrupted I-frame here.
5086 * Receiver will miss it and start proper recovery
cec8ab6e 5087 * procedures and ask for retransmission.
218bb9df 5088 */
47d1ec61 5089 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 5090 goto drop;
5091
cec8ab6e 5092 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 5093 len -= L2CAP_SDULEN_SIZE;
218bb9df 5094
47d1ec61 5095 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 5096 len -= L2CAP_FCS_SIZE;
218bb9df 5097
47d1ec61 5098 if (len > chan->mps) {
8c1d787b 5099 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5100 goto drop;
5101 }
5102
cec8ab6e
MM		 5103 if (!control->sframe) {
5104 int err;
218bb9df 5105
cec8ab6e
MM		 5106 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
5107 control->sar, control->reqseq, control->final,
5108 control->txseq);
218bb9df 5109
cec8ab6e
MM		 5110 /* Validate F-bit - F=0 always valid, F=1 only
5111 * valid in TX WAIT_F
5112 */
5113 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 5114 goto drop;
cec8ab6e
MM		 5115
5116 if (chan->mode != L2CAP_MODE_STREAMING) {
5117 event = L2CAP_EV_RECV_IFRAME;
5118 err = l2cap_rx(chan, control, skb, event);
5119 } else {
5120 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 5121 }
5122
cec8ab6e
MM		 5123 if (err)
5124 l2cap_send_disconn_req(chan->conn, chan,
5125 ECONNRESET);
218bb9df 5126 } else {
cec8ab6e
MM		 5127 const u8 rx_func_to_event[4] = {
5128 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
5129 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
5130 };
5131
5132 /* Only I-frames are expected in streaming mode */
5133 if (chan->mode == L2CAP_MODE_STREAMING)
5134 goto drop;
5135
5136 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
5137 control->reqseq, control->final, control->poll,
5138 control->super);
5139
218bb9df
GP		 5140 if (len != 0) {
5141 BT_ERR("%d", len);
8c1d787b 5142 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5143 goto drop;
5144 }
5145
cec8ab6e
MM		 5146 /* Validate F and P bits */
5147 if (control->final && (control->poll ||
5148 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
5149 goto drop;
5150
5151 event = rx_func_to_event[control->super];
5152 if (l2cap_rx(chan, control, skb, event))
5153 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5154 }
5155
5156 return 0;
5157
5158drop:
5159 kfree_skb(skb);
5160 return 0;
5161}
5162
13ca56e0
AE		 5163static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
5164 struct sk_buff *skb)
1da177e4 5165{
48454079 5166 struct l2cap_chan *chan;
1da177e4 5167
baa7e1fa 5168 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 5169 if (!chan) {
97e8e89d
AE		 5170 if (cid == L2CAP_CID_A2MP) {
5171 chan = a2mp_channel_create(conn, skb);
5172 if (!chan) {
5173 kfree_skb(skb);
13ca56e0 5174 return;
97e8e89d
AE		 5175 }
5176
5177 l2cap_chan_lock(chan);
5178 } else {
5179 BT_DBG("unknown cid 0x%4.4x", cid);
5180 /* Drop packet and return */
5181 kfree_skb(skb);
13ca56e0 5182 return;
97e8e89d 5183 }
1da177e4
LT		 5184 }
5185
49208c9c 5186 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5187
89bc500e 5188 if (chan->state != BT_CONNECTED)
1da177e4
LT		 5189 goto drop;
5190
0c1bc5c6 5191 switch (chan->mode) {
1c2acffb
GP		 5192 case L2CAP_MODE_BASIC:
5193 /* If socket recv buffers overflows we drop data here
5194 * which is *bad* because L2CAP has to be reliable.
5195 * But we don't have any other choice. L2CAP doesn't
5196 * provide flow control mechanism. */
1da177e4 5197
0c1bc5c6 5198 if (chan->imtu < skb->len)
1c2acffb 5199 goto drop;
1da177e4 5200
80b98027 5201 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 5202 goto done;
5203 break;
5204
5205 case L2CAP_MODE_ERTM:
6840ed07 5206 case L2CAP_MODE_STREAMING:
cec8ab6e 5207 l2cap_data_rcv(chan, skb);
6840ed07
GP		 5208 goto done;
5209
1c2acffb 5210 default:
0c1bc5c6 5211 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 5212 break;
5213 }
1da177e4
LT		 5214
5215drop:
5216 kfree_skb(skb);
5217
5218done:
6be36555 5219 l2cap_chan_unlock(chan);
1da177e4
LT		 5220}
5221
84104b24
AE		 5222static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
5223 struct sk_buff *skb)
1da177e4 5224{
23691d75 5225 struct l2cap_chan *chan;
1da177e4 5226
c2287681 5227 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 5228 if (!chan)
1da177e4
LT		 5229 goto drop;
5230
5b4cedaa 5231 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5232
89bc500e 5233 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 5234 goto drop;
5235
e13e21dc 5236 if (chan->imtu < skb->len)
1da177e4
LT		 5237 goto drop;
5238
80b98027 5239 if (!chan->ops->recv(chan, skb))
84104b24 5240 return;
1da177e4
LT		 5241
5242drop:
5243 kfree_skb(skb);
1da177e4
LT		 5244}
5245
6810fca7
AE		 5246static void l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
5247 struct sk_buff *skb)
9f69bda6 5248{
23691d75 5249 struct l2cap_chan *chan;
9f69bda6 5250
c2287681 5251 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 5252 if (!chan)
9f69bda6
GP		 5253 goto drop;
5254
5b4cedaa 5255 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 5256
89bc500e 5257 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 5258 goto drop;
5259
e13e21dc 5260 if (chan->imtu < skb->len)
9f69bda6
GP		 5261 goto drop;
5262
80b98027 5263 if (!chan->ops->recv(chan, skb))
6810fca7 5264 return;
9f69bda6
GP		 5265
5266drop:
5267 kfree_skb(skb);
9f69bda6
GP		 5268}
5269
1da177e4
LT		 5270static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
5271{
5272 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 5273 u16 cid, len;
5274 __le16 psm;
1da177e4
LT		 5275
5276 skb_pull(skb, L2CAP_HDR_SIZE);
5277 cid = __le16_to_cpu(lh->cid);
5278 len = __le16_to_cpu(lh->len);
5279
1c2acffb
GP		 5280 if (len != skb->len) {
5281 kfree_skb(skb);
5282 return;
5283 }
5284
1da177e4
LT		 5285 BT_DBG("len %d, cid 0x%4.4x", len, cid);
5286
5287 switch (cid) {
3300d9a9 5288 case L2CAP_CID_LE_SIGNALING:
8db4dc46 5289 case L2CAP_CID_SIGNALING:
1da177e4
LT		 5290 l2cap_sig_channel(conn, skb);
5291 break;
5292
8db4dc46 5293 case L2CAP_CID_CONN_LESS:
097db76c 5294 psm = get_unaligned((__le16 *) skb->data);
0181a70f 5295 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 5296 l2cap_conless_channel(conn, psm, skb);
5297 break;
5298
9f69bda6
GP		 5299 case L2CAP_CID_LE_DATA:
5300 l2cap_att_channel(conn, cid, skb);
5301 break;
5302
b501d6a1
AB		 5303 case L2CAP_CID_SMP:
5304 if (smp_sig_channel(conn, skb))
5305 l2cap_conn_del(conn->hcon, EACCES);
5306 break;
5307
1da177e4
LT		 5308 default:
5309 l2cap_data_channel(conn, cid, skb);
5310 break;
5311 }
5312}
5313
5314/* ---- L2CAP interface with lower layer (HCI) ---- */
5315
686ebf28 5316int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 5317{
5318 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 5319 struct l2cap_chan *c;
1da177e4 5320
1da177e4
LT		 5321 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
5322
5323 /* Find listening sockets and check their link_mode */
23691d75
GP		 5324 read_lock(&chan_list_lock);
5325 list_for_each_entry(c, &chan_list, global_l) {
5326 struct sock *sk = c->sk;
4343478f 5327
89bc500e 5328 if (c->state != BT_LISTEN)
1da177e4
LT		 5329 continue;
5330
5331 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 5332 lm1 |= HCI_LM_ACCEPT;
43bd0f32 5333 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 5334 lm1 |= HCI_LM_MASTER;
1da177e4 5335 exact++;
2af6b9d5
MH		 5336 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
5337 lm2 |= HCI_LM_ACCEPT;
43bd0f32 5338 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 5339 lm2 |= HCI_LM_MASTER;
5340 }
1da177e4 5341 }
23691d75 5342 read_unlock(&chan_list_lock);
1da177e4
LT		 5343
5344 return exact ? lm1 : lm2;
5345}
5346
9e664631 5347void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 5348{
0139418c
MH		 5349 struct l2cap_conn *conn;
5350
1da177e4
LT		 5351 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
5352
1da177e4 5353 if (!status) {
1da177e4
LT		 5354 conn = l2cap_conn_add(hcon, status);
5355 if (conn)
5356 l2cap_conn_ready(conn);
0139418c 5357 } else
e175072f 5358 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4 5359
1da177e4
LT		 5360}
5361
686ebf28 5362int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 5363{
5364 struct l2cap_conn *conn = hcon->l2cap_data;
5365
5366 BT_DBG("hcon %p", hcon);
5367
686ebf28 5368 if (!conn)
9f5a0d7b 5369 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 5370 return conn->disc_reason;
5371}
5372
9e664631 5373void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 5374{
5375 BT_DBG("hcon %p reason %d", hcon, reason);
5376
e175072f 5377 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 5378}
5379
4343478f 5380static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 5381{
715ec005 5382 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 5383 return;
5384
f62e4323 5385 if (encrypt == 0x00) {
4343478f 5386 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 5387 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 5388 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 5389 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 5390 } else {
4343478f 5391 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 5392 __clear_chan_timer(chan);
f62e4323
MH		 5393 }
5394}
5395
686ebf28 5396int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 5397{
0139418c 5398 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 5399 struct l2cap_chan *chan;
1da177e4 5400
0139418c 5401 if (!conn)
1da177e4 5402 return 0;
0139418c 5403
89d8b407 5404 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 5405
160dc6ac 5406 if (hcon->type == LE_LINK) {
35d4adcc
HG		 5407 if (!status && encrypt)
5408 smp_distribute_keys(conn, 0);
17cd3f37 5409 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 5410 }
5411
3df91ea2 5412 mutex_lock(&conn->chan_lock);
1da177e4 5413
3df91ea2 5414 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 5415 l2cap_chan_lock(chan);
1da177e4 5416
89d8b407
AE		 5417 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
5418 state_to_string(chan->state));
f1cb9af5 5419
78eb2f98
AE		 5420 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
5421 l2cap_chan_unlock(chan);
5422 continue;
5423 }
5424
f1cb9af5
VCG		 5425 if (chan->scid == L2CAP_CID_LE_DATA) {
5426 if (!status && encrypt) {
5427 chan->sec_level = hcon->sec_level;
cf4cd009 5428 l2cap_chan_ready(chan);
f1cb9af5
VCG		 5429 }
5430
6be36555 5431 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 5432 continue;
5433 }
5434
c1360a1c 5435 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6be36555 5436 l2cap_chan_unlock(chan);
6a8d3010
MH		 5437 continue;
5438 }
5439
89bc500e
GP		 5440 if (!status && (chan->state == BT_CONNECTED ||
5441 chan->state == BT_CONFIG)) {
a7d7723a
GP		 5442 struct sock *sk = chan->sk;
5443
c5daa683 5444 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 5445 sk->sk_state_change(sk);
5446
4343478f 5447 l2cap_check_encryption(chan, encrypt);
6be36555 5448 l2cap_chan_unlock(chan);
9719f8af
MH		 5449 continue;
5450 }
5451
89bc500e 5452 if (chan->state == BT_CONNECT) {
b1235d79 5453 if (!status) {
9b27f350 5454 l2cap_send_conn_req(chan);
b1235d79 5455 } else {
ba13ccd9 5456 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 5457 }
89bc500e 5458 } else if (chan->state == BT_CONNECT2) {
6be36555 5459 struct sock *sk = chan->sk;
b1235d79 5460 struct l2cap_conn_rsp rsp;
df3c3931 5461 __u16 res, stat;
1da177e4 5462
6be36555
AE		 5463 lock_sock(sk);
5464
b1235d79 5465 if (!status) {
c5daa683
GP		 5466 if (test_bit(BT_SK_DEFER_SETUP,
5467 &bt_sk(sk)->flags)) {
df3c3931
JH		 5468 struct sock *parent = bt_sk(sk)->parent;
5469 res = L2CAP_CR_PEND;
5470 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 5471 if (parent)
5472 parent->sk_data_ready(parent, 0);
df3c3931 5473 } else {
0e587be7 5474 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 5475 res = L2CAP_CR_SUCCESS;
5476 stat = L2CAP_CS_NO_INFO;
5477 }
b1235d79 5478 } else {
0e587be7 5479 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 5480 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 5481 res = L2CAP_CR_SEC_BLOCK;
5482 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 5483 }
5484
6be36555
AE		 5485 release_sock(sk);
5486
fe4128e0
GP		 5487 rsp.scid = cpu_to_le16(chan->dcid);
5488 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 5489 rsp.result = cpu_to_le16(res);
5490 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 5491 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
5492 sizeof(rsp), &rsp);
2d369359
MM		 5493
5494 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
5495 res == L2CAP_CR_SUCCESS) {
5496 char buf[128];
5497 set_bit(CONF_REQ_SENT, &chan->conf_state);
5498 l2cap_send_cmd(conn, l2cap_get_ident(conn),
5499 L2CAP_CONF_REQ,
5500 l2cap_build_conf_req(chan, buf),
5501 buf);
5502 chan->num_conf_req++;
5503 }
b1235d79 5504 }
1da177e4 5505
6be36555 5506 l2cap_chan_unlock(chan);
1da177e4
LT		 5507 }
5508
3df91ea2 5509 mutex_unlock(&conn->chan_lock);
b1235d79 5510
1da177e4
LT		 5511 return 0;
5512}
5513
686ebf28 5514int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 5515{
5516 struct l2cap_conn *conn = hcon->l2cap_data;
5517
5a08ecce
AE		 5518 if (!conn)
5519 conn = l2cap_conn_add(hcon, 0);
5520
5521 if (!conn)
1da177e4
LT		 5522 goto drop;
5523
5524 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
5525
e702112f 5526 if (!(flags & ACL_CONT)) {
1da177e4
LT		 5527 struct l2cap_hdr *hdr;
5528 int len;
5529
5530 if (conn->rx_len) {
5531 BT_ERR("Unexpected start frame (len %d)", skb->len);
5532 kfree_skb(conn->rx_skb);
5533 conn->rx_skb = NULL;
5534 conn->rx_len = 0;
5535 l2cap_conn_unreliable(conn, ECOMM);
5536 }
5537
aae7fe22
AE		 5538 /* Start fragment always begin with Basic L2CAP header */
5539 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 5540 BT_ERR("Frame is too short (len %d)", skb->len);
5541 l2cap_conn_unreliable(conn, ECOMM);
5542 goto drop;
5543 }
5544
5545 hdr = (struct l2cap_hdr *) skb->data;
5546 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
5547
5548 if (len == skb->len) {
5549 /* Complete frame received */
5550 l2cap_recv_frame(conn, skb);
5551 return 0;
5552 }
5553
5554 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
5555
5556 if (skb->len > len) {
5557 BT_ERR("Frame is too long (len %d, expected len %d)",
5558 skb->len, len);
5559 l2cap_conn_unreliable(conn, ECOMM);
5560 goto drop;
5561 }
5562
5563 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 5564 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
5565 if (!conn->rx_skb)
1da177e4
LT		 5566 goto drop;
5567
d626f62b 5568 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5569 skb->len);
1da177e4
LT		 5570 conn->rx_len = len - skb->len;
5571 } else {
5572 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
5573
5574 if (!conn->rx_len) {
5575 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
5576 l2cap_conn_unreliable(conn, ECOMM);
5577 goto drop;
5578 }
5579
5580 if (skb->len > conn->rx_len) {
5581 BT_ERR("Fragment is too long (len %d, expected %d)",
5582 skb->len, conn->rx_len);
5583 kfree_skb(conn->rx_skb);
5584 conn->rx_skb = NULL;
5585 conn->rx_len = 0;
5586 l2cap_conn_unreliable(conn, ECOMM);
5587 goto drop;
5588 }
5589
d626f62b 5590 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5591 skb->len);
1da177e4
LT		 5592 conn->rx_len -= skb->len;
5593
5594 if (!conn->rx_len) {
5595 /* Complete frame received */
5596 l2cap_recv_frame(conn, conn->rx_skb);
5597 conn->rx_skb = NULL;
5598 }
5599 }
5600
5601drop:
5602 kfree_skb(skb);
5603 return 0;
5604}
5605
aef7d97c 5606static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 5607{
23691d75 5608 struct l2cap_chan *c;
1da177e4 5609
333055f2 5610 read_lock(&chan_list_lock);
1da177e4 5611
23691d75
GP		 5612 list_for_each_entry(c, &chan_list, global_l) {
5613 struct sock *sk = c->sk;
101545f6 5614
903d343e 5615 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 5616 batostr(&bt_sk(sk)->src),
5617 batostr(&bt_sk(sk)->dst),
89bc500e 5618 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 5619 c->scid, c->dcid, c->imtu, c->omtu,
5620 c->sec_level, c->mode);
61e1b4b7 5621 }
1da177e4 5622
333055f2 5623 read_unlock(&chan_list_lock);
1da177e4 5624
aef7d97c 5625 return 0;
1da177e4
LT		 5626}
5627
aef7d97c
MH		 5628static int l2cap_debugfs_open(struct inode *inode, struct file *file)
5629{
5630 return single_open(file, l2cap_debugfs_show, inode->i_private);
5631}
5632
5633static const struct file_operations l2cap_debugfs_fops = {
5634 .open = l2cap_debugfs_open,
5635 .read = seq_read,
5636 .llseek = seq_lseek,
5637 .release = single_release,
5638};
5639
5640static struct dentry *l2cap_debugfs;
1da177e4 5641
64274518 5642int __init l2cap_init(void)
1da177e4
LT		 5643{
5644 int err;
be9d1227 5645
bb58f747 5646 err = l2cap_init_sockets();
1da177e4
LT		 5647 if (err < 0)
5648 return err;
5649
aef7d97c
MH		 5650 if (bt_debugfs) {
5651 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
5652 bt_debugfs, NULL, &l2cap_debugfs_fops);
5653 if (!l2cap_debugfs)
5654 BT_ERR("Failed to create L2CAP debug file");
5655 }
1da177e4 5656
1da177e4 5657 return 0;
1da177e4
LT		 5658}
5659
64274518 5660void l2cap_exit(void)
1da177e4 5661{
aef7d97c 5662 debugfs_remove(l2cap_debugfs);
bb58f747 5663 l2cap_cleanup_sockets();
1da177e4
LT		 5664}
5665
d1c4a17d
GP		 5666module_param(disable_ertm, bool, 0644);
5667MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)