projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Update l2cap_send_i_or_rr_or_rnr to fit the spec better
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
33#include <linux/types.h>
4fc268d2 34#include <linux/capability.h>
1da177e4
LT		 35#include <linux/errno.h>
36#include <linux/kernel.h>
1da177e4
LT		 37#include <linux/sched.h>
38#include <linux/slab.h>
39#include <linux/poll.h>
40#include <linux/fcntl.h>
41#include <linux/init.h>
42#include <linux/interrupt.h>
43#include <linux/socket.h>
44#include <linux/skbuff.h>
1da177e4 45#include <linux/list.h>
be9d1227 46#include <linux/device.h>
aef7d97c
MH		 47#include <linux/debugfs.h>
48#include <linux/seq_file.h>
af05b30b 49#include <linux/uaccess.h>
fcc203c3 50#include <linux/crc16.h>
1da177e4
LT		 51#include <net/sock.h>
52
1da177e4
LT		 53#include <asm/unaligned.h>
54
55#include <net/bluetooth/bluetooth.h>
56#include <net/bluetooth/hci_core.h>
57#include <net/bluetooth/l2cap.h>
b501d6a1 58#include <net/bluetooth/smp.h>
1da177e4 59
b191e031 60bool disable_ertm = 1;
f0709e03 61
47ec1dcd 62static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 63static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 64
b5ad8b7f
JB		 65static LIST_HEAD(chan_list);
66static DEFINE_RWLOCK(chan_list_lock);
1da177e4 67
1da177e4
LT		 68static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
69 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 70static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
71 void *data);
710f9b0a 72static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a 73static void l2cap_send_disconn_req(struct l2cap_conn *conn,
c5daa683 74 struct l2cap_chan *chan, int err);
1da177e4 75
608bcc6d
MM		 76static int l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
77 struct sk_buff_head *skbs, u8 event);
78
0139418c 79/* ---- L2CAP channels ---- */
71ba0e56 80
baa7e1fa 81static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 82{
3df91ea2 83 struct l2cap_chan *c;
3d57dc68 84
3df91ea2
AE		 85 list_for_each_entry(c, &conn->chan_l, list) {
86 if (c->dcid == cid)
87 return c;
0139418c 88 }
3df91ea2 89 return NULL;
0139418c
MH		 90}
91
baa7e1fa 92static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 93{
3df91ea2 94 struct l2cap_chan *c;
3d57dc68 95
3df91ea2
AE		 96 list_for_each_entry(c, &conn->chan_l, list) {
97 if (c->scid == cid)
98 return c;
0139418c 99 }
3df91ea2 100 return NULL;
0139418c
MH		 101}
102
103/* Find channel with given SCID.
ef191ade 104 * Returns locked channel. */
baa7e1fa 105static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 106{
48454079 107 struct l2cap_chan *c;
baa7e1fa 108
3df91ea2 109 mutex_lock(&conn->chan_lock);
baa7e1fa 110 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 111 if (c)
112 l2cap_chan_lock(c);
3df91ea2
AE		 113 mutex_unlock(&conn->chan_lock);
114
48454079 115 return c;
0139418c
MH		 116}
117
baa7e1fa 118static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 119{
3df91ea2 120 struct l2cap_chan *c;
3d57dc68 121
3df91ea2
AE		 122 list_for_each_entry(c, &conn->chan_l, list) {
123 if (c->ident == ident)
124 return c;
0139418c 125 }
3df91ea2 126 return NULL;
0139418c
MH		 127}
128
23691d75 129static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 130{
23691d75 131 struct l2cap_chan *c;
9e4425ff 132
23691d75
GP		 133 list_for_each_entry(c, &chan_list, global_l) {
134 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 135 return c;
9e4425ff 136 }
250938cb 137 return NULL;
9e4425ff
GP		 138}
139
140int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
141{
73b2ec18
GP		 142 int err;
143
333055f2 144 write_lock(&chan_list_lock);
9e4425ff 145
23691d75 146 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 147 err = -EADDRINUSE;
148 goto done;
9e4425ff
GP		 149 }
150
73b2ec18
GP		 151 if (psm) {
152 chan->psm = psm;
153 chan->sport = psm;
154 err = 0;
155 } else {
156 u16 p;
157
158 err = -EINVAL;
159 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 160 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 161 chan->psm = cpu_to_le16(p);
162 chan->sport = cpu_to_le16(p);
163 err = 0;
164 break;
165 }
166 }
9e4425ff 167
73b2ec18 168done:
333055f2 169 write_unlock(&chan_list_lock);
73b2ec18 170 return err;
9e4425ff
GP		 171}
172
173int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
174{
333055f2 175 write_lock(&chan_list_lock);
9e4425ff
GP		 176
177 chan->scid = scid;
178
333055f2 179 write_unlock(&chan_list_lock);
9e4425ff
GP		 180
181 return 0;
182}
183
baa7e1fa 184static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 185{
8db4dc46 186 u16 cid = L2CAP_CID_DYN_START;
0139418c 187
8db4dc46 188 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 189 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 190 return cid;
191 }
192
193 return 0;
194}
195
0e587be7 196static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 197{
42d2d87c 198 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
badaaa00
GP		 199 state_to_string(state));
200
89bc500e
GP		 201 chan->state = state;
202 chan->ops->state_change(chan->data, state);
203}
204
0e587be7
AE		 205static void l2cap_state_change(struct l2cap_chan *chan, int state)
206{
207 struct sock *sk = chan->sk;
208
209 lock_sock(sk);
210 __l2cap_state_change(chan, state);
211 release_sock(sk);
212}
213
2e0052e4
AE		 214static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
215{
216 struct sock *sk = chan->sk;
217
218 sk->sk_err = err;
219}
220
221static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
222{
223 struct sock *sk = chan->sk;
224
225 lock_sock(sk);
226 __l2cap_chan_set_err(chan, err);
227 release_sock(sk);
228}
229
608bcc6d
MM		 230static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
231 u16 seq)
232{
233 struct sk_buff *skb;
234
235 skb_queue_walk(head, skb) {
236 if (bt_cb(skb)->control.txseq == seq)
237 return skb;
238 }
239
240 return NULL;
241}
242
3c588192
MM		 243/* ---- L2CAP sequence number lists ---- */
244
245/* For ERTM, ordered lists of sequence numbers must be tracked for
246 * SREJ requests that are received and for frames that are to be
247 * retransmitted. These seq_list functions implement a singly-linked
248 * list in an array, where membership in the list can also be checked
249 * in constant time. Items can also be added to the tail of the list
250 * and removed from the head in constant time, without further memory
251 * allocs or frees.
252 */
253
254static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
255{
256 size_t alloc_size, i;
257
258 /* Allocated size is a power of 2 to map sequence numbers
259 * (which may be up to 14 bits) in to a smaller array that is
260 * sized for the negotiated ERTM transmit windows.
261 */
262 alloc_size = roundup_pow_of_two(size);
263
264 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
265 if (!seq_list->list)
266 return -ENOMEM;
267
268 seq_list->mask = alloc_size - 1;
269 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
270 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
271 for (i = 0; i < alloc_size; i++)
272 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
273
274 return 0;
275}
276
277static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
278{
279 kfree(seq_list->list);
280}
281
282static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
283 u16 seq)
284{
285 /* Constant-time check for list membership */
286 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
287}
288
289static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
290{
291 u16 mask = seq_list->mask;
292
293 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
294 /* In case someone tries to pop the head of an empty list */
295 return L2CAP_SEQ_LIST_CLEAR;
296 } else if (seq_list->head == seq) {
297 /* Head can be removed in constant time */
298 seq_list->head = seq_list->list[seq & mask];
299 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
300
301 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
302 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
303 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
304 }
305 } else {
306 /* Walk the list to find the sequence number */
307 u16 prev = seq_list->head;
308 while (seq_list->list[prev & mask] != seq) {
309 prev = seq_list->list[prev & mask];
310 if (prev == L2CAP_SEQ_LIST_TAIL)
311 return L2CAP_SEQ_LIST_CLEAR;
312 }
313
314 /* Unlink the number from the list and clear it */
315 seq_list->list[prev & mask] = seq_list->list[seq & mask];
316 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
317 if (seq_list->tail == seq)
318 seq_list->tail = prev;
319 }
320 return seq;
321}
322
323static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
324{
325 /* Remove the head in constant time */
326 return l2cap_seq_list_remove(seq_list, seq_list->head);
327}
328
329static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
330{
f522ae36 331 u16 i;
3c588192 332
f522ae36
GP		 333 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
334 return;
335
336 for (i = 0; i <= seq_list->mask; i++)
337 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
338
339 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
340 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 341}
342
343static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
344{
345 u16 mask = seq_list->mask;
346
347 /* All appends happen in constant time */
348
f522ae36
GP		 349 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
350 return;
3c588192 351
f522ae36
GP		 352 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
353 seq_list->head = seq;
354 else
355 seq_list->list[seq_list->tail & mask] = seq;
356
357 seq_list->tail = seq;
358 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 359}
360
721c4181 361static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 362{
721c4181
GP		 363 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
364 chan_timer.work);
3df91ea2 365 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 366 int reason;
367
e05dcc32 368 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 369
3df91ea2 370 mutex_lock(&conn->chan_lock);
6be36555 371 l2cap_chan_lock(chan);
ab07801d 372
89bc500e 373 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 374 reason = ECONNREFUSED;
89bc500e 375 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 376 chan->sec_level != BT_SECURITY_SDP)
377 reason = ECONNREFUSED;
378 else
379 reason = ETIMEDOUT;
380
0f852724 381 l2cap_chan_close(chan, reason);
ab07801d 382
6be36555 383 l2cap_chan_unlock(chan);
ab07801d 384
ba3bd0ee 385 chan->ops->close(chan->data);
3df91ea2
AE		 386 mutex_unlock(&conn->chan_lock);
387
371fd835 388 l2cap_chan_put(chan);
ab07801d
GP		 389}
390
eef1d9b6 391struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 392{
393 struct l2cap_chan *chan;
394
395 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
396 if (!chan)
397 return NULL;
398
c03b355e
AE		 399 mutex_init(&chan->lock);
400
333055f2 401 write_lock(&chan_list_lock);
23691d75 402 list_add(&chan->global_l, &chan_list);
333055f2 403 write_unlock(&chan_list_lock);
23691d75 404
721c4181 405 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 406
89bc500e
GP		 407 chan->state = BT_OPEN;
408
71ba0e56
GP		 409 atomic_set(&chan->refcnt, 1);
410
2827011f
MM		 411 /* This flag is cleared in l2cap_chan_ready() */
412 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
413
eef1d9b6 414 BT_DBG("chan %p", chan);
abc545b8 415
48454079
GP		 416 return chan;
417}
418
23691d75 419void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 420{
333055f2 421 write_lock(&chan_list_lock);
23691d75 422 list_del(&chan->global_l);
333055f2 423 write_unlock(&chan_list_lock);
23691d75 424
371fd835 425 l2cap_chan_put(chan);
6ff5abbf
GP		 426}
427
bd4b1653
AE		 428void l2cap_chan_set_defaults(struct l2cap_chan *chan)
429{
430 chan->fcs = L2CAP_FCS_CRC16;
431 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
432 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
433 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
434 chan->sec_level = BT_SECURITY_LOW;
435
436 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
437}
438
14a28491 439static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 440{
af05b30b 441 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 442 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 443
9f5a0d7b 444 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 445
8c1d787b 446 chan->conn = conn;
0139418c 447
5491120e
AE		 448 switch (chan->chan_type) {
449 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 450 if (conn->hcon->type == LE_LINK) {
451 /* LE connection */
0c1bc5c6 452 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 453 chan->scid = L2CAP_CID_LE_DATA;
454 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 455 } else {
456 /* Alloc CID for connection-oriented socket */
fe4128e0 457 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 458 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 459 }
5491120e
AE		 460 break;
461
462 case L2CAP_CHAN_CONN_LESS:
0139418c 463 /* Connectionless socket */
fe4128e0
GP		 464 chan->scid = L2CAP_CID_CONN_LESS;
465 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 466 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 467 break;
468
469 default:
0139418c 470 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 471 chan->scid = L2CAP_CID_SIGNALING;
472 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 473 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 474 }
475
8f7975b1
AE		 476 chan->local_id = L2CAP_BESTEFFORT_ID;
477 chan->local_stype = L2CAP_SERV_BESTEFFORT;
478 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
479 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
480 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
481 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
482
371fd835 483 l2cap_chan_hold(chan);
baa7e1fa 484
3df91ea2 485 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 486}
487
14a28491 488static void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 489{
490 mutex_lock(&conn->chan_lock);
491 __l2cap_chan_add(conn, chan);
3df91ea2 492 mutex_unlock(&conn->chan_lock);
0139418c
MH		 493}
494
4519de9a 495static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 496{
48454079 497 struct sock *sk = chan->sk;
8c1d787b 498 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 499 struct sock *parent = bt_sk(sk)->parent;
500
c9b66675 501 __clear_chan_timer(chan);
0139418c 502
49208c9c 503 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 504
8e87d142 505 if (conn) {
baa7e1fa 506 /* Delete from channel list */
3df91ea2 507 list_del(&chan->list);
3d57dc68 508
371fd835 509 l2cap_chan_put(chan);
baa7e1fa 510
8c1d787b 511 chan->conn = NULL;
0139418c
MH		 512 hci_conn_put(conn->hcon);
513 }
514
6be36555
AE		 515 lock_sock(sk);
516
0e587be7 517 __l2cap_state_change(chan, BT_CLOSED);
0139418c
MH		 518 sock_set_flag(sk, SOCK_ZAPPED);
519
520 if (err)
2e0052e4 521 __l2cap_chan_set_err(chan, err);
0139418c
MH		 522
523 if (parent) {
524 bt_accept_unlink(sk);
525 parent->sk_data_ready(parent, 0);
526 } else
527 sk->sk_state_change(sk);
c13ffa62 528
6be36555
AE		 529 release_sock(sk);
530
2827011f 531 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 532 return;
2ead70b8 533
58d35f87 534 skb_queue_purge(&chan->tx_q);
c13ffa62 535
0c1bc5c6 536 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 537 __clear_retrans_timer(chan);
538 __clear_monitor_timer(chan);
539 __clear_ack_timer(chan);
c13ffa62 540
f1c6775b 541 skb_queue_purge(&chan->srej_q);
c13ffa62 542
3c588192
MM		 543 l2cap_seq_list_free(&chan->srej_list);
544 l2cap_seq_list_free(&chan->retrans_list);
c13ffa62 545 }
0139418c
MH		 546}
547
4519de9a
GP		 548static void l2cap_chan_cleanup_listen(struct sock *parent)
549{
550 struct sock *sk;
551
552 BT_DBG("parent %p", parent);
553
554 /* Close not yet accepted channels */
0f852724 555 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee 556 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
3df91ea2 557
6be36555 558 l2cap_chan_lock(chan);
c9b66675 559 __clear_chan_timer(chan);
ba3bd0ee 560 l2cap_chan_close(chan, ECONNRESET);
6be36555 561 l2cap_chan_unlock(chan);
3df91ea2 562
ba3bd0ee 563 chan->ops->close(chan->data);
0f852724 564 }
4519de9a
GP		 565}
566
0f852724 567void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 568{
569 struct l2cap_conn *conn = chan->conn;
570 struct sock *sk = chan->sk;
571
e05dcc32
AE		 572 BT_DBG("chan %p state %s sk %p", chan,
573 state_to_string(chan->state), sk);
4519de9a 574
89bc500e 575 switch (chan->state) {
4519de9a 576 case BT_LISTEN:
6be36555 577 lock_sock(sk);
4519de9a 578 l2cap_chan_cleanup_listen(sk);
89bc500e 579
0e587be7 580 __l2cap_state_change(chan, BT_CLOSED);
89bc500e 581 sock_set_flag(sk, SOCK_ZAPPED);
6be36555 582 release_sock(sk);
4519de9a
GP		 583 break;
584
585 case BT_CONNECTED:
586 case BT_CONFIG:
715ec005 587 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 588 conn->hcon->type == ACL_LINK) {
c9b66675 589 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 590 l2cap_send_disconn_req(conn, chan, reason);
591 } else
592 l2cap_chan_del(chan, reason);
593 break;
594
595 case BT_CONNECT2:
715ec005 596 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 597 conn->hcon->type == ACL_LINK) {
598 struct l2cap_conn_rsp rsp;
599 __u16 result;
600
c5daa683 601 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 602 result = L2CAP_CR_SEC_BLOCK;
603 else
604 result = L2CAP_CR_BAD_PSM;
89bc500e 605 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 606
607 rsp.scid = cpu_to_le16(chan->dcid);
608 rsp.dcid = cpu_to_le16(chan->scid);
609 rsp.result = cpu_to_le16(result);
610 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
611 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
612 sizeof(rsp), &rsp);
613 }
614
615 l2cap_chan_del(chan, reason);
616 break;
617
618 case BT_CONNECT:
619 case BT_DISCONN:
620 l2cap_chan_del(chan, reason);
621 break;
622
623 default:
6be36555 624 lock_sock(sk);
4519de9a 625 sock_set_flag(sk, SOCK_ZAPPED);
6be36555 626 release_sock(sk);
4519de9a
GP		 627 break;
628 }
629}
630
4343478f 631static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 632{
715ec005 633 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 634 switch (chan->sec_level) {
8556edd3
JH		 635 case BT_SECURITY_HIGH:
636 return HCI_AT_DEDICATED_BONDING_MITM;
637 case BT_SECURITY_MEDIUM:
638 return HCI_AT_DEDICATED_BONDING;
639 default:
640 return HCI_AT_NO_BONDING;
641 }
fe4128e0 642 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 643 if (chan->sec_level == BT_SECURITY_LOW)
644 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 645
4343478f 646 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 647 return HCI_AT_NO_BONDING_MITM;
00ae4af9 648 else
8556edd3 649 return HCI_AT_NO_BONDING;
00ae4af9 650 } else {
4343478f 651 switch (chan->sec_level) {
00ae4af9 652 case BT_SECURITY_HIGH:
8556edd3 653 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 654 case BT_SECURITY_MEDIUM:
8556edd3 655 return HCI_AT_GENERAL_BONDING;
00ae4af9 656 default:
8556edd3 657 return HCI_AT_NO_BONDING;
00ae4af9 658 }
0684e5f9 659 }
8556edd3
JH		 660}
661
662/* Service level security */
d45fc423 663int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 664{
8c1d787b 665 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 666 __u8 auth_type;
667
4343478f 668 auth_type = l2cap_get_auth_type(chan);
79d554a6 669
4343478f 670 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 671}
672
b5ad8b7f 673static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 674{
675 u8 id;
676
677 /* Get next available identificator.
678 * 1 - 128 are used by kernel.
679 * 129 - 199 are reserved.
680 * 200 - 254 are used by utilities like l2ping, etc.
681 */
682
333055f2 683 spin_lock(&conn->lock);
4e8402a3
MH		 684
685 if (++conn->tx_ident > 128)
686 conn->tx_ident = 1;
687
688 id = conn->tx_ident;
689
333055f2 690 spin_unlock(&conn->lock);
4e8402a3
MH		 691
692 return id;
693}
694
4519de9a 695static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 696{
697 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 698 u8 flags;
4e8402a3
MH		 699
700 BT_DBG("code 0x%2.2x", code);
701
702 if (!skb)
9a9c6a34 703 return;
4e8402a3 704
e702112f
AE		 705 if (lmp_no_flush_capable(conn->hcon->hdev))
706 flags = ACL_START_NO_FLUSH;
707 else
708 flags = ACL_START;
709
14b12d0b 710 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 711 skb->priority = HCI_PRIO_MAX;
14b12d0b 712
73d80deb
LAD		 713 hci_send_acl(conn->hchan, skb, flags);
714}
715
716static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
717{
718 struct hci_conn *hcon = chan->conn->hcon;
719 u16 flags;
720
721 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
722 skb->priority);
723
724 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
725 lmp_no_flush_capable(hcon->hdev))
726 flags = ACL_START_NO_FLUSH;
727 else
728 flags = ACL_START;
14b12d0b 729
73d80deb
LAD		 730 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
731 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 732}
733
b76bbd66
MM		 734static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
735{
736 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
737 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
738
739 if (enh & L2CAP_CTRL_FRAME_TYPE) {
740 /* S-Frame */
741 control->sframe = 1;
742 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
743 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
744
745 control->sar = 0;
746 control->txseq = 0;
747 } else {
748 /* I-Frame */
749 control->sframe = 0;
750 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
751 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
752
753 control->poll = 0;
754 control->super = 0;
755 }
756}
757
b76bbd66
MM		 758static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
759{
760 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
761 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
762
763 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
764 /* S-Frame */
765 control->sframe = 1;
766 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
767 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
768
769 control->sar = 0;
770 control->txseq = 0;
771 } else {
772 /* I-Frame */
773 control->sframe = 0;
774 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
775 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
776
777 control->poll = 0;
778 control->super = 0;
779 }
780}
781
782static inline void __unpack_control(struct l2cap_chan *chan,
783 struct sk_buff *skb)
784{
785 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
786 __unpack_extended_control(get_unaligned_le32(skb->data),
787 &bt_cb(skb)->control);
cec8ab6e 788 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 789 } else {
790 __unpack_enhanced_control(get_unaligned_le16(skb->data),
791 &bt_cb(skb)->control);
cec8ab6e 792 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 793 }
794}
795
b5c6aaed
MM		 796static u32 __pack_extended_control(struct l2cap_ctrl *control)
797{
798 u32 packed;
799
800 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
801 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
802
803 if (control->sframe) {
804 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
805 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
806 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
807 } else {
808 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
809 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
810 }
811
812 return packed;
813}
814
815static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
816{
817 u16 packed;
818
819 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
820 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
821
822 if (control->sframe) {
823 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
824 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
825 packed |= L2CAP_CTRL_FRAME_TYPE;
826 } else {
827 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
828 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
829 }
830
831 return packed;
832}
833
b76bbd66
MM		 834static inline void __pack_control(struct l2cap_chan *chan,
835 struct l2cap_ctrl *control,
836 struct sk_buff *skb)
837{
838 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
839 put_unaligned_le32(__pack_extended_control(control),
840 skb->data + L2CAP_HDR_SIZE);
841 } else {
842 put_unaligned_le16(__pack_enhanced_control(control),
843 skb->data + L2CAP_HDR_SIZE);
844 }
845}
846
a67d7f6f
MM		 847static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
848 u32 control)
b5c6aaed
MM		 849{
850 struct sk_buff *skb;
851 struct l2cap_hdr *lh;
a67d7f6f 852 int hlen;
b5c6aaed
MM		 853
854 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
855 hlen = L2CAP_EXT_HDR_SIZE;
856 else
857 hlen = L2CAP_ENH_HDR_SIZE;
858
859 if (chan->fcs == L2CAP_FCS_CRC16)
860 hlen += L2CAP_FCS_SIZE;
861
a67d7f6f 862 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 863
b5c6aaed 864 if (!skb)
a67d7f6f 865 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 866
867 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
868 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
869 lh->cid = cpu_to_le16(chan->dcid);
870
a67d7f6f
MM		 871 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
872 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
873 else
874 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 875
876 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 877 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 878 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
879 }
880
881 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 882 return skb;
883}
884
885static void l2cap_send_sframe(struct l2cap_chan *chan,
886 struct l2cap_ctrl *control)
887{
888 struct sk_buff *skb;
889 u32 control_field;
890
891 BT_DBG("chan %p, control %p", chan, control);
892
893 if (!control->sframe)
894 return;
895
896 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
897 !control->poll)
898 control->final = 1;
899
900 if (control->super == L2CAP_SUPER_RR)
901 clear_bit(CONN_RNR_SENT, &chan->conn_state);
902 else if (control->super == L2CAP_SUPER_RNR)
903 set_bit(CONN_RNR_SENT, &chan->conn_state);
904
905 if (control->super != L2CAP_SUPER_SREJ) {
906 chan->last_acked_seq = control->reqseq;
907 __clear_ack_timer(chan);
908 }
909
910 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
911 control->final, control->poll, control->super);
912
913 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
914 control_field = __pack_extended_control(control);
915 else
916 control_field = __pack_enhanced_control(control);
917
918 skb = l2cap_create_sframe_pdu(chan, control_field);
919 if (!IS_ERR(skb))
920 l2cap_do_send(chan, skb);
b5c6aaed
MM		 921}
922
923static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u32 control)
924{
925 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
926 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
927 set_bit(CONN_RNR_SENT, &chan->conn_state);
928 } else
929 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
930
931 control |= __set_reqseq(chan, chan->buffer_seq);
b5c6aaed
MM		 932}
933
b4450035 934static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 935{
c1360a1c 936 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 937}
938
9b27f350
AE		 939static void l2cap_send_conn_req(struct l2cap_chan *chan)
940{
941 struct l2cap_conn *conn = chan->conn;
942 struct l2cap_conn_req req;
943
944 req.scid = cpu_to_le16(chan->scid);
945 req.psm = chan->psm;
946
947 chan->ident = l2cap_get_ident(conn);
948
949 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
950
951 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
952}
953
9f0caeb1
VCG		 954static void l2cap_chan_ready(struct l2cap_chan *chan)
955{
956 struct sock *sk = chan->sk;
957 struct sock *parent;
958
959 lock_sock(sk);
960
961 parent = bt_sk(sk)->parent;
962
963 BT_DBG("sk %p, parent %p", sk, parent);
964
2827011f 965 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 966 chan->conf_state = 0;
967 __clear_chan_timer(chan);
968
969 __l2cap_state_change(chan, BT_CONNECTED);
970 sk->sk_state_change(sk);
971
972 if (parent)
973 parent->sk_data_ready(parent, 0);
974
975 release_sock(sk);
976}
977
fc7f8a7e 978static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 979{
8c1d787b 980 struct l2cap_conn *conn = chan->conn;
79d554a6 981
9f0caeb1
VCG		 982 if (conn->hcon->type == LE_LINK) {
983 l2cap_chan_ready(chan);
984 return;
985 }
986
79d554a6 987 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 988 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
989 return;
990
d45fc423 991 if (l2cap_chan_check_security(chan) &&
9b27f350
AE		 992 __l2cap_no_conn_pending(chan))
993 l2cap_send_conn_req(chan);
79d554a6
MH		 994 } else {
995 struct l2cap_info_req req;
996 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
997
998 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
999 conn->info_ident = l2cap_get_ident(conn);
1000
ba13ccd9 1001 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 1002
1003 l2cap_send_cmd(conn, conn->info_ident,
1004 L2CAP_INFO_REQ, sizeof(req), &req);
1005 }
1006}
1007
cf6c2c0b
GP		 1008static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1009{
1010 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1011 if (!disable_ertm)
cf6c2c0b
GP		 1012 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1013
1014 switch (mode) {
1015 case L2CAP_MODE_ERTM:
1016 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1017 case L2CAP_MODE_STREAMING:
1018 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1019 default:
1020 return 0x00;
1021 }
1022}
1023
4519de9a 1024static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 1025{
6be36555 1026 struct sock *sk = chan->sk;
22121fc9
GP		 1027 struct l2cap_disconn_req req;
1028
c13ffa62
GP		 1029 if (!conn)
1030 return;
1031
0c1bc5c6 1032 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 1033 __clear_retrans_timer(chan);
1034 __clear_monitor_timer(chan);
1035 __clear_ack_timer(chan);
c13ffa62
GP		 1036 }
1037
fe4128e0
GP		 1038 req.dcid = cpu_to_le16(chan->dcid);
1039 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 1040 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1041 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 1042
6be36555 1043 lock_sock(sk);
0e587be7 1044 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1045 __l2cap_chan_set_err(chan, err);
6be36555 1046 release_sock(sk);
22121fc9
GP		 1047}
1048
1da177e4 1049/* ---- L2CAP connections ---- */
4e8402a3
MH		 1050static void l2cap_conn_start(struct l2cap_conn *conn)
1051{
3df91ea2 1052 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1053
1054 BT_DBG("conn %p", conn);
1055
3df91ea2 1056 mutex_lock(&conn->chan_lock);
4e8402a3 1057
3df91ea2 1058 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1059 struct sock *sk = chan->sk;
baa7e1fa 1060
6be36555 1061 l2cap_chan_lock(chan);
4e8402a3 1062
715ec005 1063 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1064 l2cap_chan_unlock(chan);
79d554a6
MH		 1065 continue;
1066 }
1067
89bc500e 1068 if (chan->state == BT_CONNECT) {
d45fc423 1069 if (!l2cap_chan_check_security(chan) ||
b4450035 1070 !__l2cap_no_conn_pending(chan)) {
6be36555 1071 l2cap_chan_unlock(chan);
47731de7
GP		 1072 continue;
1073 }
79d554a6 1074
c1360a1c
GP		 1075 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1076 && test_bit(CONF_STATE2_DEVICE,
1077 &chan->conf_state)) {
89bc500e 1078 l2cap_chan_close(chan, ECONNRESET);
6be36555 1079 l2cap_chan_unlock(chan);
47731de7 1080 continue;
b1235d79 1081 }
47731de7 1082
9b27f350 1083 l2cap_send_conn_req(chan);
47731de7 1084
89bc500e 1085 } else if (chan->state == BT_CONNECT2) {
79d554a6 1086 struct l2cap_conn_rsp rsp;
e9aeb2dd 1087 char buf[128];
fe4128e0
GP		 1088 rsp.scid = cpu_to_le16(chan->dcid);
1089 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1090
d45fc423 1091 if (l2cap_chan_check_security(chan)) {
6be36555 1092 lock_sock(sk);
c5daa683
GP		 1093 if (test_bit(BT_SK_DEFER_SETUP,
1094 &bt_sk(sk)->flags)) {
f66dc81f
MH		 1095 struct sock *parent = bt_sk(sk)->parent;
1096 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1097 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 1098 if (parent)
1099 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 1100
1101 } else {
0e587be7 1102 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 1103 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1104 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1105 }
6be36555 1106 release_sock(sk);
79d554a6
MH		 1107 } else {
1108 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1109 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1110 }
1111
fc7f8a7e
GP		 1112 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1113 sizeof(rsp), &rsp);
e9aeb2dd 1114
c1360a1c 1115 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd 1116 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1117 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1118 continue;
1119 }
1120
c1360a1c 1121 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1122 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 1123 l2cap_build_conf_req(chan, buf), buf);
1124 chan->num_conf_req++;
4e8402a3
MH		 1125 }
1126
6be36555 1127 l2cap_chan_unlock(chan);
4e8402a3
MH		 1128 }
1129
3df91ea2 1130 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1131}
1132
c2287681 1133/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1134 * Returns closest match, locked.
1135 */
d9b88702 1136static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1137 bdaddr_t *src,
1138 bdaddr_t *dst)
b62f328b 1139{
23691d75 1140 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1141
23691d75 1142 read_lock(&chan_list_lock);
b62f328b 1143
23691d75
GP		 1144 list_for_each_entry(c, &chan_list, global_l) {
1145 struct sock *sk = c->sk;
fe4128e0 1146
89bc500e 1147 if (state && c->state != state)
b62f328b
VT		 1148 continue;
1149
23691d75 1150 if (c->scid == cid) {
c2287681
IY		 1151 int src_match, dst_match;
1152 int src_any, dst_any;
1153
b62f328b 1154 /* Exact match. */
c2287681
IY		 1155 src_match = !bacmp(&bt_sk(sk)->src, src);
1156 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1157 if (src_match && dst_match) {
23691d75
GP		 1158 read_unlock(&chan_list_lock);
1159 return c;
1160 }
b62f328b
VT		 1161
1162 /* Closest match */
c2287681
IY		 1163 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1164 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1165 if ((src_match && dst_any) || (src_any && dst_match) ||
1166 (src_any && dst_any))
23691d75 1167 c1 = c;
b62f328b
VT		 1168 }
1169 }
280f294f 1170
23691d75 1171 read_unlock(&chan_list_lock);
b62f328b 1172
23691d75 1173 return c1;
b62f328b
VT		 1174}
1175
1176static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1177{
c916fbe4 1178 struct sock *parent, *sk;
23691d75 1179 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1180
1181 BT_DBG("");
1182
1183 /* Check if we have socket listening on cid */
23691d75 1184 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1185 conn->src, conn->dst);
23691d75 1186 if (!pchan)
b62f328b
VT		 1187 return;
1188
23691d75
GP		 1189 parent = pchan->sk;
1190
aa2ac881 1191 lock_sock(parent);
62f3a2cf 1192
b62f328b
VT		 1193 /* Check for backlog size */
1194 if (sk_acceptq_is_full(parent)) {
1195 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1196 goto clean;
1197 }
1198
80808e43
GP		 1199 chan = pchan->ops->new_connection(pchan->data);
1200 if (!chan)
b62f328b
VT		 1201 goto clean;
1202
80808e43 1203 sk = chan->sk;
5d41ce1d 1204
b62f328b
VT		 1205 hci_conn_hold(conn->hcon);
1206
b62f328b
VT		 1207 bacpy(&bt_sk(sk)->src, conn->src);
1208 bacpy(&bt_sk(sk)->dst, conn->dst);
1209
d1010240
GP		 1210 bt_accept_enqueue(parent, sk);
1211
3d57dc68 1212 l2cap_chan_add(conn, chan);
48454079 1213
c9b66675 1214 __set_chan_timer(chan, sk->sk_sndtimeo);
b62f328b 1215
0e587be7 1216 __l2cap_state_change(chan, BT_CONNECTED);
b62f328b
VT		 1217 parent->sk_data_ready(parent, 0);
1218
b62f328b 1219clean:
aa2ac881 1220 release_sock(parent);
b62f328b
VT		 1221}
1222
4e8402a3
MH		 1223static void l2cap_conn_ready(struct l2cap_conn *conn)
1224{
48454079 1225 struct l2cap_chan *chan;
4e8402a3 1226
79d554a6 1227 BT_DBG("conn %p", conn);
4e8402a3 1228
b62f328b
VT		 1229 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
1230 l2cap_le_conn_ready(conn);
1231
160dc6ac
VCG		 1232 if (conn->hcon->out && conn->hcon->type == LE_LINK)
1233 smp_conn_security(conn, conn->hcon->pending_sec_level);
1234
3df91ea2 1235 mutex_lock(&conn->chan_lock);
4e8402a3 1236
3df91ea2 1237 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1238
6be36555 1239 l2cap_chan_lock(chan);
4e8402a3 1240
63128451 1241 if (conn->hcon->type == LE_LINK) {
b501d6a1 1242 if (smp_conn_security(conn, chan->sec_level))
cf4cd009 1243 l2cap_chan_ready(chan);
acd7d370 1244
63128451 1245 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1246 struct sock *sk = chan->sk;
c9b66675 1247 __clear_chan_timer(chan);
6be36555 1248 lock_sock(sk);
0e587be7 1249 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1250 sk->sk_state_change(sk);
6be36555 1251 release_sock(sk);
b501d6a1 1252
89bc500e 1253 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1254 l2cap_do_start(chan);
4e8402a3 1255
6be36555 1256 l2cap_chan_unlock(chan);
4e8402a3 1257 }
79d554a6 1258
3df91ea2 1259 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1260}
1261
1262/* Notify sockets that we cannot guaranty reliability anymore */
1263static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1264{
48454079 1265 struct l2cap_chan *chan;
4e8402a3
MH		 1266
1267 BT_DBG("conn %p", conn);
1268
3df91ea2 1269 mutex_lock(&conn->chan_lock);
4e8402a3 1270
3df91ea2 1271 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1272 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
2e0052e4 1273 __l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1274 }
1275
3df91ea2 1276 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1277}
1278
f878fcad 1279static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1280{
f878fcad 1281 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
030013d8 1282 info_timer.work);
4e8402a3 1283
984947dc 1284 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1285 conn->info_ident = 0;
984947dc 1286
4e8402a3
MH		 1287 l2cap_conn_start(conn);
1288}
1289
5d3de7df
VCG		 1290static void l2cap_conn_del(struct hci_conn *hcon, int err)
1291{
1292 struct l2cap_conn *conn = hcon->l2cap_data;
1293 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1294
1295 if (!conn)
1296 return;
1297
1298 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1299
1300 kfree_skb(conn->rx_skb);
1301
3df91ea2
AE		 1302 mutex_lock(&conn->chan_lock);
1303
5d3de7df
VCG		 1304 /* Kill channels */
1305 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1306 l2cap_chan_hold(chan);
6be36555
AE		 1307 l2cap_chan_lock(chan);
1308
5d3de7df 1309 l2cap_chan_del(chan, err);
6be36555
AE		 1310
1311 l2cap_chan_unlock(chan);
1312
5d3de7df 1313 chan->ops->close(chan->data);
61d6ef3e 1314 l2cap_chan_put(chan);
5d3de7df
VCG		 1315 }
1316
3df91ea2
AE		 1317 mutex_unlock(&conn->chan_lock);
1318
73d80deb
LAD		 1319 hci_chan_del(conn->hchan);
1320
5d3de7df 1321 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1322 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1323
51a8efd7 1324 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1325 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1326 smp_chan_destroy(conn);
d26a2345 1327 }
5d3de7df
VCG		 1328
1329 hcon->l2cap_data = NULL;
1330 kfree(conn);
1331}
1332
6c9d42a1 1333static void security_timeout(struct work_struct *work)
5d3de7df 1334{
6c9d42a1
GP		 1335 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1336 security_timer.work);
5d3de7df
VCG		 1337
1338 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1339}
1340
1da177e4
LT		 1341static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1342{
0139418c 1343 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1344 struct hci_chan *hchan;
1da177e4 1345
0139418c 1346 if (conn || status)
1da177e4
LT		 1347 return conn;
1348
73d80deb
LAD		 1349 hchan = hci_chan_create(hcon);
1350 if (!hchan)
1351 return NULL;
1352
0139418c 1353 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
73d80deb
LAD		 1354 if (!conn) {
1355 hci_chan_del(hchan);
1da177e4 1356 return NULL;
73d80deb 1357 }
1da177e4
LT		 1358
1359 hcon->l2cap_data = conn;
1360 conn->hcon = hcon;
73d80deb 1361 conn->hchan = hchan;
1da177e4 1362
73d80deb 1363 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1364
acd7d370
VT		 1365 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1366 conn->mtu = hcon->hdev->le_mtu;
1367 else
1368 conn->mtu = hcon->hdev->acl_mtu;
1369
1da177e4
LT		 1370 conn->src = &hcon->hdev->bdaddr;
1371 conn->dst = &hcon->dst;
1372
4e8402a3
MH		 1373 conn->feat_mask = 0;
1374
1da177e4 1375 spin_lock_init(&conn->lock);
3df91ea2 1376 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1377
1378 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1379
5d3de7df 1380 if (hcon->type == LE_LINK)
6c9d42a1 1381 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1382 else
030013d8 1383 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1384
9f5a0d7b 1385 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1386
1da177e4
LT		 1387 return conn;
1388}
1389
1da177e4 1390/* ---- Socket interface ---- */
1da177e4 1391
c2287681 1392/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1393 * Returns closest match.
1394 */
c2287681
IY		 1395static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1396 bdaddr_t *src,
1397 bdaddr_t *dst)
1da177e4 1398{
23691d75 1399 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1400
23691d75 1401 read_lock(&chan_list_lock);
e0f0cb56 1402
23691d75
GP		 1403 list_for_each_entry(c, &chan_list, global_l) {
1404 struct sock *sk = c->sk;
fe4128e0 1405
89bc500e 1406 if (state && c->state != state)
1da177e4
LT		 1407 continue;
1408
23691d75 1409 if (c->psm == psm) {
c2287681
IY		 1410 int src_match, dst_match;
1411 int src_any, dst_any;
1412
1da177e4 1413 /* Exact match. */
c2287681
IY		 1414 src_match = !bacmp(&bt_sk(sk)->src, src);
1415 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1416 if (src_match && dst_match) {
a7567b20 1417 read_unlock(&chan_list_lock);
23691d75
GP		 1418 return c;
1419 }
1da177e4
LT		 1420
1421 /* Closest match */
c2287681
IY		 1422 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1423 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1424 if ((src_match && dst_any) || (src_any && dst_match) ||
1425 (src_any && dst_any))
23691d75 1426 c1 = c;
1da177e4
LT		 1427 }
1428 }
1da177e4 1429
23691d75 1430 read_unlock(&chan_list_lock);
e0f0cb56 1431
23691d75 1432 return c1;
1da177e4
LT		 1433}
1434
8e9f9892
AG		 1435int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1436 bdaddr_t *dst, u8 dst_type)
1da177e4 1437{
5d41ce1d 1438 struct sock *sk = chan->sk;
1da177e4 1439 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1440 struct l2cap_conn *conn;
1441 struct hci_conn *hcon;
1442 struct hci_dev *hdev;
09ab6f4c 1443 __u8 auth_type;
44d0e48e 1444 int err;
1da177e4 1445
8e9f9892
AG		 1446 BT_DBG("%s -> %s (type %u) psm 0x%2.2x", batostr(src), batostr(dst),
1447 dst_type, __le16_to_cpu(chan->psm));
1da177e4 1448
af05b30b
GP		 1449 hdev = hci_get_route(dst, src);
1450 if (!hdev)
1da177e4
LT		 1451 return -EHOSTUNREACH;
1452
09fd0de5 1453 hci_dev_lock(hdev);
1da177e4 1454
6be36555 1455 l2cap_chan_lock(chan);
03a00194
GP		 1456
1457 /* PSM must be odd and lsb of upper byte must be 0 */
1458 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1459 chan->chan_type != L2CAP_CHAN_RAW) {
1460 err = -EINVAL;
1461 goto done;
1462 }
1463
1464 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1465 err = -EINVAL;
1466 goto done;
1467 }
1468
1469 switch (chan->mode) {
1470 case L2CAP_MODE_BASIC:
1471 break;
1472 case L2CAP_MODE_ERTM:
1473 case L2CAP_MODE_STREAMING:
1474 if (!disable_ertm)
1475 break;
1476 /* fall through */
1477 default:
1478 err = -ENOTSUPP;
1479 goto done;
1480 }
1481
6be36555
AE		 1482 lock_sock(sk);
1483
03a00194
GP		 1484 switch (sk->sk_state) {
1485 case BT_CONNECT:
1486 case BT_CONNECT2:
1487 case BT_CONFIG:
1488 /* Already connecting */
1489 err = 0;
6be36555 1490 release_sock(sk);
03a00194
GP		 1491 goto done;
1492
1493 case BT_CONNECTED:
1494 /* Already connected */
1495 err = -EISCONN;
6be36555 1496 release_sock(sk);
03a00194
GP		 1497 goto done;
1498
1499 case BT_OPEN:
1500 case BT_BOUND:
1501 /* Can connect */
1502 break;
1503
1504 default:
1505 err = -EBADFD;
6be36555 1506 release_sock(sk);
03a00194
GP		 1507 goto done;
1508 }
1509
1510 /* Set destination address and psm */
9219b2a0 1511 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1512
1513 release_sock(sk);
1514
03a00194
GP		 1515 chan->psm = psm;
1516 chan->dcid = cid;
1da177e4 1517
4343478f 1518 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1519
fe4128e0 1520 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1521 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1522 chan->sec_level, auth_type);
acd7d370 1523 else
8e9f9892 1524 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1525 chan->sec_level, auth_type);
acd7d370 1526
30e76272
VT		 1527 if (IS_ERR(hcon)) {
1528 err = PTR_ERR(hcon);
1da177e4 1529 goto done;
30e76272 1530 }
1da177e4
LT		 1531
1532 conn = l2cap_conn_add(hcon, 0);
1533 if (!conn) {
1534 hci_conn_put(hcon);
30e76272 1535 err = -ENOMEM;
1da177e4
LT		 1536 goto done;
1537 }
1538
9f0caeb1
VCG		 1539 if (hcon->type == LE_LINK) {
1540 err = 0;
1541
1542 if (!list_empty(&conn->chan_l)) {
1543 err = -EBUSY;
1544 hci_conn_put(hcon);
1545 }
1546
1547 if (err)
1548 goto done;
1549 }
1550
1da177e4
LT		 1551 /* Update source addr of the socket */
1552 bacpy(src, conn->src);
1553
6be36555 1554 l2cap_chan_unlock(chan);
48454079 1555 l2cap_chan_add(conn, chan);
6be36555 1556 l2cap_chan_lock(chan);
48454079 1557
6be36555 1558 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1559 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1560
1561 if (hcon->state == BT_CONNECTED) {
715ec005 1562 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1563 __clear_chan_timer(chan);
d45fc423 1564 if (l2cap_chan_check_security(chan))
6be36555 1565 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1566 } else
fc7f8a7e 1567 l2cap_do_start(chan);
1da177e4
LT		 1568 }
1569
30e76272
VT		 1570 err = 0;
1571
1da177e4 1572done:
6be36555 1573 l2cap_chan_unlock(chan);
09fd0de5 1574 hci_dev_unlock(hdev);
1da177e4
LT		 1575 hci_dev_put(hdev);
1576 return err;
1577}
1578
dcba0dba 1579int __l2cap_wait_ack(struct sock *sk)
6161c038 1580{
8c1d787b 1581 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1582 DECLARE_WAITQUEUE(wait, current);
1583 int err = 0;
1584 int timeo = HZ/5;
1585
2b0b05dd 1586 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1587 set_current_state(TASK_INTERRUPTIBLE);
1588 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1589 if (!timeo)
1590 timeo = HZ/5;
1591
1592 if (signal_pending(current)) {
1593 err = sock_intr_errno(timeo);
1594 break;
1595 }
1596
1597 release_sock(sk);
1598 timeo = schedule_timeout(timeo);
1599 lock_sock(sk);
a71a0cf4 1600 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1601
1602 err = sock_error(sk);
1603 if (err)
1604 break;
1605 }
1606 set_current_state(TASK_RUNNING);
2b0b05dd 1607 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1608 return err;
1609}
1610
721c4181 1611static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1612{
721c4181
GP		 1613 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1614 monitor_timer.work);
e90bac06 1615
525cd185 1616 BT_DBG("chan %p", chan);
0e98958d 1617
6be36555
AE		 1618 l2cap_chan_lock(chan);
1619
2c03a7a4 1620 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1621 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
6be36555 1622 l2cap_chan_unlock(chan);
8d7e1c7f 1623 l2cap_chan_put(chan);
e90bac06
GP		 1624 return;
1625 }
1626
6a026610 1627 chan->retry_count++;
1a09bcb9 1628 __set_monitor_timer(chan);
e90bac06 1629
525cd185 1630 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
6be36555 1631 l2cap_chan_unlock(chan);
8d7e1c7f 1632 l2cap_chan_put(chan);
e90bac06
GP		 1633}
1634
721c4181 1635static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1636{
721c4181
GP		 1637 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1638 retrans_timer.work);
e90bac06 1639
49208c9c 1640 BT_DBG("chan %p", chan);
0e98958d 1641
6be36555
AE		 1642 l2cap_chan_lock(chan);
1643
6a026610 1644 chan->retry_count = 1;
1a09bcb9 1645 __set_monitor_timer(chan);
e90bac06 1646
e2ab4353 1647 set_bit(CONN_WAIT_F, &chan->conn_state);
e90bac06 1648
525cd185 1649 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
6be36555
AE		 1650
1651 l2cap_chan_unlock(chan);
8d7e1c7f 1652 l2cap_chan_put(chan);
e90bac06
GP		 1653}
1654
3733937d
MM		 1655static int l2cap_streaming_send(struct l2cap_chan *chan,
1656 struct sk_buff_head *skbs)
6840ed07 1657{
ccbb84af 1658 struct sk_buff *skb;
3733937d 1659 struct l2cap_ctrl *control;
6840ed07 1660
3733937d
MM		 1661 BT_DBG("chan %p, skbs %p", chan, skbs);
1662
1663 if (chan->state != BT_CONNECTED)
1664 return -ENOTCONN;
1665
1666 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1667
1668 while (!skb_queue_empty(&chan->tx_q)) {
1669
1670 skb = skb_dequeue(&chan->tx_q);
1671
1672 bt_cb(skb)->control.retries = 1;
1673 control = &bt_cb(skb)->control;
1674
1675 control->reqseq = 0;
1676 control->txseq = chan->next_tx_seq;
1677
1678 __pack_control(chan, control, skb);
6840ed07 1679
47d1ec61 1680 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1681 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1682 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1683 }
1684
4343478f 1685 l2cap_do_send(chan, skb);
6840ed07 1686
3733937d
MM		 1687 BT_DBG("Sent txseq %d", (int)control->txseq);
1688
836be934 1689 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1690 chan->frames_sent++;
6840ed07 1691 }
3733937d
MM		 1692
1693 return 0;
6840ed07
GP		 1694}
1695
67c9e840 1696static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1697{
1698 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1699 struct l2cap_ctrl *control;
1700 int sent = 0;
1701
1702 BT_DBG("chan %p", chan);
1c2acffb 1703
89bc500e 1704 if (chan->state != BT_CONNECTED)
c13ffa62 1705 return -ENOTCONN;
e90bac06 1706
94122bbe
MM		 1707 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1708 return 0;
1709
18a48e76
MM		 1710 while (chan->tx_send_head &&
1711 chan->unacked_frames < chan->remote_tx_win &&
1712 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1713
18a48e76 1714 skb = chan->tx_send_head;
e90bac06 1715
18a48e76
MM		 1716 bt_cb(skb)->control.retries = 1;
1717 control = &bt_cb(skb)->control;
95ffa978 1718
e2ab4353 1719 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1720 control->final = 1;
e2ab4353 1721
18a48e76
MM		 1722 control->reqseq = chan->buffer_seq;
1723 chan->last_acked_seq = chan->buffer_seq;
1724 control->txseq = chan->next_tx_seq;
1c2acffb 1725
18a48e76 1726 __pack_control(chan, control, skb);
e90bac06 1727
47d1ec61 1728 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1729 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1730 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1731 }
1732
18a48e76
MM		 1733 /* Clone after data has been modified. Data is assumed to be
1734 read-only (for locking purposes) on cloned sk_buffs.
1735 */
1736 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1737
18a48e76
MM		 1738 if (!tx_skb)
1739 break;
1c2acffb 1740
18a48e76 1741 __set_retrans_timer(chan);
836be934
AE		 1742
1743 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1744 chan->unacked_frames++;
6a026610 1745 chan->frames_sent++;
18a48e76 1746 sent++;
1c2acffb 1747
58d35f87
GP		 1748 if (skb_queue_is_last(&chan->tx_q, skb))
1749 chan->tx_send_head = NULL;
1c2acffb 1750 else
58d35f87 1751 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1752
1753 l2cap_do_send(chan, tx_skb);
1754 BT_DBG("Sent txseq %d", (int)control->txseq);
1c2acffb
GP		 1755 }
1756
18a48e76
MM		 1757 BT_DBG("Sent %d, %d unacked, %d in ERTM queue", sent,
1758 (int) chan->unacked_frames, skb_queue_len(&chan->tx_q));
1759
1760 return sent;
9e917af1
GP		 1761}
1762
0a0aba42 1763static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1764{
0a0aba42
MM		 1765 struct l2cap_ctrl control;
1766 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
1767 chan->last_acked_seq);
1768 int threshold;
9e917af1 1769
0a0aba42
MM		 1770 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
1771 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 1772
0a0aba42
MM		 1773 memset(&control, 0, sizeof(control));
1774 control.sframe = 1;
dfc909be 1775
0a0aba42
MM		 1776 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
1777 chan->rx_state == L2CAP_RX_STATE_RECV) {
1778 __clear_ack_timer(chan);
1779 control.super = L2CAP_SUPER_RNR;
1780 control.reqseq = chan->buffer_seq;
1781 l2cap_send_sframe(chan, &control);
1782 } else {
1783 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
1784 l2cap_ertm_send(chan);
1785 /* If any i-frames were sent, they included an ack */
1786 if (chan->buffer_seq == chan->last_acked_seq)
1787 frames_to_ack = 0;
1788 }
dfc909be 1789
0a0aba42
MM		 1790 /* Ack now if the tx window is 3/4ths full.
1791 * Calculate without mul or div
1792 */
1793 threshold = chan->tx_win;
1794 threshold += threshold << 1;
1795 threshold >>= 2;
1796
1797 BT_DBG("frames_to_ack %d, threshold %d", (int)frames_to_ack,
1798 threshold);
1799
1800 if (frames_to_ack >= threshold) {
1801 __clear_ack_timer(chan);
1802 control.super = L2CAP_SUPER_RR;
1803 control.reqseq = chan->buffer_seq;
1804 l2cap_send_sframe(chan, &control);
1805 frames_to_ack = 0;
1806 }
1c2acffb 1807
0a0aba42
MM		 1808 if (frames_to_ack)
1809 __set_ack_timer(chan);
1810 }
b17e73bb
SJ		 1811}
1812
04124681
GP		 1813static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
1814 struct msghdr *msg, int len,
1815 int count, struct sk_buff *skb)
1c2acffb 1816{
0952a57a 1817 struct l2cap_conn *conn = chan->conn;
1c2acffb 1818 struct sk_buff **frag;
90338947 1819 int sent = 0;
1da177e4 1820
59203a21 1821 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1822 return -EFAULT;
1da177e4
LT		 1823
1824 sent += count;
1825 len -= count;
1826
1827 /* Continuation fragments (no L2CAP header) */
1828 frag = &skb_shinfo(skb)->frag_list;
1829 while (len) {
fbe00700
GP		 1830 struct sk_buff *tmp;
1831
1da177e4
LT		 1832 count = min_t(unsigned int, conn->mtu, len);
1833
fbe00700
GP		 1834 tmp = chan->ops->alloc_skb(chan, count,
1835 msg->msg_flags & MSG_DONTWAIT);
1836 if (IS_ERR(tmp))
1837 return PTR_ERR(tmp);
1838
1839 *frag = tmp;
2f7719ce 1840
1c2acffb
GP		 1841 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1842 return -EFAULT;
1da177e4 1843
5e59b791
LAD		 1844 (*frag)->priority = skb->priority;
1845
1da177e4
LT		 1846 sent += count;
1847 len -= count;
1848
2d0ed3d5
GP		 1849 skb->len += (*frag)->len;
1850 skb->data_len += (*frag)->len;
1851
1da177e4
LT		 1852 frag = &(*frag)->next;
1853 }
1da177e4
LT		 1854
1855 return sent;
1c2acffb 1856}
1da177e4 1857
5e59b791
LAD		 1858static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
1859 struct msghdr *msg, size_t len,
1860 u32 priority)
1c2acffb 1861{
8c1d787b 1862 struct l2cap_conn *conn = chan->conn;
1c2acffb 1863 struct sk_buff *skb;
03a51213 1864 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 1865 struct l2cap_hdr *lh;
1866
6d5922b0 1867 BT_DBG("chan %p len %d priority %u", chan, (int)len, priority);
1c2acffb
GP		 1868
1869 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1870
1871 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 1872 msg->msg_flags & MSG_DONTWAIT);
1873 if (IS_ERR(skb))
1874 return skb;
1c2acffb 1875
5e59b791
LAD		 1876 skb->priority = priority;
1877
1c2acffb
GP		 1878 /* Create L2CAP header */
1879 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1880 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 1881 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
1882 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 1883
0952a57a 1884 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1885 if (unlikely(err < 0)) {
1886 kfree_skb(skb);
1887 return ERR_PTR(err);
1888 }
1889 return skb;
1890}
1891
5e59b791
LAD		 1892static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
1893 struct msghdr *msg, size_t len,
1894 u32 priority)
1c2acffb 1895{
8c1d787b 1896 struct l2cap_conn *conn = chan->conn;
1c2acffb 1897 struct sk_buff *skb;
f2ba7fae 1898 int err, count;
1c2acffb
GP		 1899 struct l2cap_hdr *lh;
1900
6d5922b0 1901 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 1902
f2ba7fae 1903 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 1904
f2ba7fae 1905 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 1906 msg->msg_flags & MSG_DONTWAIT);
1907 if (IS_ERR(skb))
1908 return skb;
1c2acffb 1909
5e59b791
LAD		 1910 skb->priority = priority;
1911
1c2acffb
GP		 1912 /* Create L2CAP header */
1913 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1914 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 1915 lh->len = cpu_to_le16(len);
1c2acffb 1916
0952a57a 1917 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1918 if (unlikely(err < 0)) {
1919 kfree_skb(skb);
1920 return ERR_PTR(err);
1921 }
1922 return skb;
1923}
1924
ab0ff76d
LAD		 1925static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
1926 struct msghdr *msg, size_t len,
94122bbe 1927 u16 sdulen)
1c2acffb 1928{
8c1d787b 1929 struct l2cap_conn *conn = chan->conn;
1c2acffb 1930 struct sk_buff *skb;
e4ca6d98 1931 int err, count, hlen;
1c2acffb
GP		 1932 struct l2cap_hdr *lh;
1933
6d5922b0 1934 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 1935
0ee0d208
GP		 1936 if (!conn)
1937 return ERR_PTR(-ENOTCONN);
1938
e4ca6d98
AE		 1939 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1940 hlen = L2CAP_EXT_HDR_SIZE;
1941 else
1942 hlen = L2CAP_ENH_HDR_SIZE;
1943
c74e560c 1944 if (sdulen)
03a51213 1945 hlen += L2CAP_SDULEN_SIZE;
c74e560c 1946
47d1ec61 1947 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1948 hlen += L2CAP_FCS_SIZE;
fcc203c3 1949
1c2acffb 1950 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1951
1952 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 1953 msg->msg_flags & MSG_DONTWAIT);
1954 if (IS_ERR(skb))
1955 return skb;
1c2acffb
GP		 1956
1957 /* Create L2CAP header */
1958 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1959 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1960 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 1961
18a48e76
MM		 1962 /* Control header is populated later */
1963 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1964 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1965 else
1966 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 1967
c74e560c 1968 if (sdulen)
03a51213 1969 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 1970
0952a57a 1971 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1972 if (unlikely(err < 0)) {
1973 kfree_skb(skb);
1974 return ERR_PTR(err);
1975 }
e90bac06 1976
18a48e76 1977 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 1978 bt_cb(skb)->control.retries = 0;
1c2acffb 1979 return skb;
1da177e4
LT		 1980}
1981
94122bbe
MM		 1982static int l2cap_segment_sdu(struct l2cap_chan *chan,
1983 struct sk_buff_head *seg_queue,
1984 struct msghdr *msg, size_t len)
c74e560c 1985{
c74e560c 1986 struct sk_buff *skb;
94122bbe
MM		 1987 u16 sdu_len;
1988 size_t pdu_len;
1989 int err = 0;
1990 u8 sar;
c74e560c 1991
94122bbe 1992 BT_DBG("chan %p, msg %p, len %d", chan, msg, (int)len);
c74e560c 1993
94122bbe
MM		 1994 /* It is critical that ERTM PDUs fit in a single HCI fragment,
1995 * so fragmented skbs are not used. The HCI layer's handling
1996 * of fragmented skbs is not compatible with ERTM's queueing.
1997 */
c74e560c 1998
94122bbe
MM		 1999 /* PDU size is derived from the HCI MTU */
2000 pdu_len = chan->conn->mtu;
c74e560c 2001
94122bbe
MM		 2002 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2003
2004 /* Adjust for largest possible L2CAP overhead. */
2005 pdu_len -= L2CAP_EXT_HDR_SIZE + L2CAP_FCS_SIZE;
2006
2007 /* Remote device may have requested smaller PDUs */
2008 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2009
2010 if (len <= pdu_len) {
2011 sar = L2CAP_SAR_UNSEGMENTED;
2012 sdu_len = 0;
2013 pdu_len = len;
2014 } else {
2015 sar = L2CAP_SAR_START;
2016 sdu_len = len;
2017 pdu_len -= L2CAP_SDULEN_SIZE;
2018 }
2019
2020 while (len > 0) {
2021 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2022
c74e560c 2023 if (IS_ERR(skb)) {
94122bbe 2024 __skb_queue_purge(seg_queue);
c74e560c
GP		 2025 return PTR_ERR(skb);
2026 }
2027
94122bbe
MM		 2028 bt_cb(skb)->control.sar = sar;
2029 __skb_queue_tail(seg_queue, skb);
2030
2031 len -= pdu_len;
2032 if (sdu_len) {
2033 sdu_len = 0;
2034 pdu_len += L2CAP_SDULEN_SIZE;
2035 }
2036
2037 if (len <= pdu_len) {
2038 sar = L2CAP_SAR_END;
2039 pdu_len = len;
2040 } else {
2041 sar = L2CAP_SAR_CONTINUE;
2042 }
c74e560c 2043 }
c74e560c 2044
94122bbe 2045 return err;
c74e560c
GP		 2046}
2047
5e59b791
LAD		 2048int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2049 u32 priority)
9a91a04a 2050{
9a91a04a 2051 struct sk_buff *skb;
9a91a04a 2052 int err;
94122bbe 2053 struct sk_buff_head seg_queue;
9a91a04a
GP		 2054
2055 /* Connectionless channel */
715ec005 2056 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2057 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2058 if (IS_ERR(skb))
2059 return PTR_ERR(skb);
2060
2061 l2cap_do_send(chan, skb);
2062 return len;
2063 }
2064
2065 switch (chan->mode) {
2066 case L2CAP_MODE_BASIC:
2067 /* Check outgoing MTU */
2068 if (len > chan->omtu)
2069 return -EMSGSIZE;
2070
2071 /* Create a basic PDU */
5e59b791 2072 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2073 if (IS_ERR(skb))
2074 return PTR_ERR(skb);
2075
2076 l2cap_do_send(chan, skb);
2077 err = len;
2078 break;
2079
2080 case L2CAP_MODE_ERTM:
2081 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2082 /* Check outgoing MTU */
2083 if (len > chan->omtu) {
2084 err = -EMSGSIZE;
2085 break;
2086 }
9a91a04a 2087
94122bbe 2088 __skb_queue_head_init(&seg_queue);
9a91a04a 2089
94122bbe
MM		 2090 /* Do segmentation before calling in to the state machine,
2091 * since it's possible to block while waiting for memory
2092 * allocation.
2093 */
2094 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2095
94122bbe
MM		 2096 /* The channel could have been closed while segmenting,
2097 * check that it is still connected.
2098 */
2099 if (chan->state != BT_CONNECTED) {
2100 __skb_queue_purge(&seg_queue);
2101 err = -ENOTCONN;
9a91a04a
GP		 2102 }
2103
94122bbe 2104 if (err)
9a91a04a 2105 break;
9a91a04a 2106
3733937d 2107 if (chan->mode == L2CAP_MODE_ERTM)
608bcc6d
MM		 2108 err = l2cap_tx(chan, 0, &seg_queue,
2109 L2CAP_EV_DATA_REQUEST);
3733937d
MM		 2110 else
2111 err = l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2112
608bcc6d 2113 if (!err)
9a91a04a
GP		 2114 err = len;
2115
94122bbe
MM		 2116 /* If the skbs were not queued for sending, they'll still be in
2117 * seg_queue and need to be purged.
2118 */
2119 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2120 break;
2121
2122 default:
2123 BT_DBG("bad state %1.1x", chan->mode);
2124 err = -EBADFD;
2125 }
2126
2127 return err;
2128}
2129
608bcc6d
MM		 2130static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2131{
2132 struct sk_buff *acked_skb;
2133 u16 ackseq;
2134
2135 BT_DBG("chan %p, reqseq %d", chan, reqseq);
2136
2137 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2138 return;
2139
2140 BT_DBG("expected_ack_seq %d, unacked_frames %d",
2141 chan->expected_ack_seq, chan->unacked_frames);
2142
2143 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2144 ackseq = __next_seq(chan, ackseq)) {
2145
2146 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2147 if (acked_skb) {
2148 skb_unlink(acked_skb, &chan->tx_q);
2149 kfree_skb(acked_skb);
2150 chan->unacked_frames--;
2151 }
2152 }
2153
2154 chan->expected_ack_seq = reqseq;
2155
2156 if (chan->unacked_frames == 0)
2157 __clear_retrans_timer(chan);
2158
2159 BT_DBG("unacked_frames %d", (int) chan->unacked_frames);
2160}
2161
2162static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2163{
2164 BT_DBG("chan %p", chan);
2165
2166 chan->expected_tx_seq = chan->buffer_seq;
2167 l2cap_seq_list_clear(&chan->srej_list);
2168 skb_queue_purge(&chan->srej_q);
2169 chan->rx_state = L2CAP_RX_STATE_RECV;
2170}
2171
2172static int l2cap_tx_state_xmit(struct l2cap_chan *chan,
2173 struct l2cap_ctrl *control,
2174 struct sk_buff_head *skbs, u8 event)
2175{
2176 int err = 0;
2177
2178 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2179 event);
2180
2181 switch (event) {
2182 case L2CAP_EV_DATA_REQUEST:
2183 if (chan->tx_send_head == NULL)
2184 chan->tx_send_head = skb_peek(skbs);
2185
2186 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2187 l2cap_ertm_send(chan);
2188 break;
2189 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2190 BT_DBG("Enter LOCAL_BUSY");
2191 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2192
2193 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2194 /* The SREJ_SENT state must be aborted if we are to
2195 * enter the LOCAL_BUSY state.
2196 */
2197 l2cap_abort_rx_srej_sent(chan);
2198 }
2199
2200 l2cap_send_ack(chan);
2201
2202 break;
2203 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2204 BT_DBG("Exit LOCAL_BUSY");
2205 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2206
2207 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2208 struct l2cap_ctrl local_control;
2209
2210 memset(&local_control, 0, sizeof(local_control));
2211 local_control.sframe = 1;
2212 local_control.super = L2CAP_SUPER_RR;
2213 local_control.poll = 1;
2214 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2215 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2216
2217 chan->retry_count = 1;
2218 __set_monitor_timer(chan);
2219 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2220 }
2221 break;
2222 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2223 l2cap_process_reqseq(chan, control->reqseq);
2224 break;
2225 case L2CAP_EV_EXPLICIT_POLL:
2226 l2cap_send_rr_or_rnr(chan, 1);
2227 chan->retry_count = 1;
2228 __set_monitor_timer(chan);
2229 __clear_ack_timer(chan);
2230 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2231 break;
2232 case L2CAP_EV_RETRANS_TO:
2233 l2cap_send_rr_or_rnr(chan, 1);
2234 chan->retry_count = 1;
2235 __set_monitor_timer(chan);
2236 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2237 break;
2238 case L2CAP_EV_RECV_FBIT:
2239 /* Nothing to process */
2240 break;
2241 default:
2242 break;
2243 }
2244
2245 return err;
2246}
2247
2248static int l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2249 struct l2cap_ctrl *control,
2250 struct sk_buff_head *skbs, u8 event)
2251{
2252 int err = 0;
2253
2254 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2255 event);
2256
2257 switch (event) {
2258 case L2CAP_EV_DATA_REQUEST:
2259 if (chan->tx_send_head == NULL)
2260 chan->tx_send_head = skb_peek(skbs);
2261 /* Queue data, but don't send. */
2262 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2263 break;
2264 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2265 BT_DBG("Enter LOCAL_BUSY");
2266 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2267
2268 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2269 /* The SREJ_SENT state must be aborted if we are to
2270 * enter the LOCAL_BUSY state.
2271 */
2272 l2cap_abort_rx_srej_sent(chan);
2273 }
2274
2275 l2cap_send_ack(chan);
2276
2277 break;
2278 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2279 BT_DBG("Exit LOCAL_BUSY");
2280 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2281
2282 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2283 struct l2cap_ctrl local_control;
2284 memset(&local_control, 0, sizeof(local_control));
2285 local_control.sframe = 1;
2286 local_control.super = L2CAP_SUPER_RR;
2287 local_control.poll = 1;
2288 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2289 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2290
2291 chan->retry_count = 1;
2292 __set_monitor_timer(chan);
2293 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2294 }
2295 break;
2296 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2297 l2cap_process_reqseq(chan, control->reqseq);
2298
2299 /* Fall through */
2300
2301 case L2CAP_EV_RECV_FBIT:
2302 if (control && control->final) {
2303 __clear_monitor_timer(chan);
2304 if (chan->unacked_frames > 0)
2305 __set_retrans_timer(chan);
2306 chan->retry_count = 0;
2307 chan->tx_state = L2CAP_TX_STATE_XMIT;
2308 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2309 }
2310 break;
2311 case L2CAP_EV_EXPLICIT_POLL:
2312 /* Ignore */
2313 break;
2314 case L2CAP_EV_MONITOR_TO:
2315 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2316 l2cap_send_rr_or_rnr(chan, 1);
2317 __set_monitor_timer(chan);
2318 chan->retry_count++;
2319 } else {
2320 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
2321 }
2322 break;
2323 default:
2324 break;
2325 }
2326
2327 return err;
2328}
2329
2330static int l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2331 struct sk_buff_head *skbs, u8 event)
2332{
2333 int err = 0;
2334
2335 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2336 chan, control, skbs, event, chan->tx_state);
2337
2338 switch (chan->tx_state) {
2339 case L2CAP_TX_STATE_XMIT:
2340 err = l2cap_tx_state_xmit(chan, control, skbs, event);
2341 break;
2342 case L2CAP_TX_STATE_WAIT_F:
2343 err = l2cap_tx_state_wait_f(chan, control, skbs, event);
2344 break;
2345 default:
2346 /* Ignore event */
2347 break;
2348 }
2349
2350 return err;
2351}
2352
4b51dae9
MM		 2353static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2354 struct l2cap_ctrl *control)
2355{
2356 BT_DBG("chan %p, control %p", chan, control);
2357 l2cap_tx(chan, control, 0, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
2358}
2359
1da177e4
LT		 2360/* Copy frame to all raw sockets on that connection */
2361static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2362{
1da177e4 2363 struct sk_buff *nskb;
48454079 2364 struct l2cap_chan *chan;
1da177e4
LT		 2365
2366 BT_DBG("conn %p", conn);
2367
3df91ea2 2368 mutex_lock(&conn->chan_lock);
3d57dc68 2369
3df91ea2 2370 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2371 struct sock *sk = chan->sk;
715ec005 2372 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2373 continue;
2374
2375 /* Don't send frame to the socket it came from */
2376 if (skb->sk == sk)
2377 continue;
af05b30b
GP		 2378 nskb = skb_clone(skb, GFP_ATOMIC);
2379 if (!nskb)
1da177e4
LT		 2380 continue;
2381
23070494 2382 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT		 2383 kfree_skb(nskb);
2384 }
3d57dc68 2385
3df91ea2 2386 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2387}
2388
2389/* ---- L2CAP signalling commands ---- */
2390static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2391 u8 code, u8 ident, u16 dlen, void *data)
2392{
2393 struct sk_buff *skb, **frag;
2394 struct l2cap_cmd_hdr *cmd;
2395 struct l2cap_hdr *lh;
2396 int len, count;
2397
af05b30b
GP		 2398 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2399 conn, code, ident, dlen);
1da177e4
LT		 2400
2401 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2402 count = min_t(unsigned int, conn->mtu, len);
2403
2404 skb = bt_skb_alloc(count, GFP_ATOMIC);
2405 if (!skb)
2406 return NULL;
2407
2408 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2409 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2410
2411 if (conn->hcon->type == LE_LINK)
2412 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2413 else
2414 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2415
2416 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2417 cmd->code = code;
2418 cmd->ident = ident;
aca3192c 2419 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2420
2421 if (dlen) {
2422 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2423 memcpy(skb_put(skb, count), data, count);
2424 data += count;
2425 }
2426
2427 len -= skb->len;
2428
2429 /* Continuation fragments (no L2CAP header) */
2430 frag = &skb_shinfo(skb)->frag_list;
2431 while (len) {
2432 count = min_t(unsigned int, conn->mtu, len);
2433
2434 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2435 if (!*frag)
2436 goto fail;
2437
2438 memcpy(skb_put(*frag, count), data, count);
2439
2440 len -= count;
2441 data += count;
2442
2443 frag = &(*frag)->next;
2444 }
2445
2446 return skb;
2447
2448fail:
2449 kfree_skb(skb);
2450 return NULL;
2451}
2452
2453static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2454{
2455 struct l2cap_conf_opt *opt = *ptr;
2456 int len;
2457
2458 len = L2CAP_CONF_OPT_SIZE + opt->len;
2459 *ptr += len;
2460
2461 *type = opt->type;
2462 *olen = opt->len;
2463
2464 switch (opt->len) {
2465 case 1:
2466 *val = *((u8 *) opt->val);
2467 break;
2468
2469 case 2:
bfaaeb3e 2470 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2471 break;
2472
2473 case 4:
bfaaeb3e 2474 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2475 break;
2476
2477 default:
2478 *val = (unsigned long) opt->val;
2479 break;
2480 }
2481
2482 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2483 return len;
2484}
2485
1da177e4
LT		 2486static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2487{
2488 struct l2cap_conf_opt *opt = *ptr;
2489
2490 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2491
2492 opt->type = type;
2493 opt->len = len;
2494
2495 switch (len) {
2496 case 1:
2497 *((u8 *) opt->val) = val;
2498 break;
2499
2500 case 2:
4f8b691c 2501 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2502 break;
2503
2504 case 4:
4f8b691c 2505 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2506 break;
2507
2508 default:
2509 memcpy(opt->val, (void *) val, len);
2510 break;
2511 }
2512
2513 *ptr += L2CAP_CONF_OPT_SIZE + len;
2514}
2515
f89cef09
AE		 2516static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2517{
2518 struct l2cap_conf_efs efs;
2519
1ec918ce 2520 switch (chan->mode) {
f89cef09
AE		 2521 case L2CAP_MODE_ERTM:
2522 efs.id = chan->local_id;
2523 efs.stype = chan->local_stype;
2524 efs.msdu = cpu_to_le16(chan->local_msdu);
2525 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2526 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2527 efs.flush_to = cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
2528 break;
2529
2530 case L2CAP_MODE_STREAMING:
2531 efs.id = 1;
2532 efs.stype = L2CAP_SERV_BESTEFFORT;
2533 efs.msdu = cpu_to_le16(chan->local_msdu);
2534 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2535 efs.acc_lat = 0;
2536 efs.flush_to = 0;
2537 break;
2538
2539 default:
2540 return;
2541 }
2542
2543 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
2544 (unsigned long) &efs);
2545}
2546
721c4181 2547static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2548{
721c4181
GP		 2549 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2550 ack_timer.work);
c1b4f43b 2551
2fb9b3d4
GP		 2552 BT_DBG("chan %p", chan);
2553
6be36555
AE		 2554 l2cap_chan_lock(chan);
2555
0a0aba42 2556 l2cap_send_ack(chan);
6be36555
AE		 2557
2558 l2cap_chan_unlock(chan);
09bfb2ee
SJ		 2559
2560 l2cap_chan_put(chan);
c1b4f43b
GP		 2561}
2562
3c588192 2563static inline int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2564{
3c588192
MM		 2565 int err;
2566
105bdf9e
MM		 2567 chan->next_tx_seq = 0;
2568 chan->expected_tx_seq = 0;
42e5c802 2569 chan->expected_ack_seq = 0;
6a026610 2570 chan->unacked_frames = 0;
42e5c802 2571 chan->buffer_seq = 0;
6a026610 2572 chan->frames_sent = 0;
105bdf9e
MM		 2573 chan->last_acked_seq = 0;
2574 chan->sdu = NULL;
2575 chan->sdu_last_frag = NULL;
2576 chan->sdu_len = 0;
2577
d34c34fb
MM		 2578 skb_queue_head_init(&chan->tx_q);
2579
105bdf9e
MM		 2580 if (chan->mode != L2CAP_MODE_ERTM)
2581 return 0;
2582
2583 chan->rx_state = L2CAP_RX_STATE_RECV;
2584 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2585
721c4181
GP		 2586 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2587 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2588 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2589
f1c6775b 2590 skb_queue_head_init(&chan->srej_q);
1890d36b 2591
3c588192
MM		 2592 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2593 if (err < 0)
2594 return err;
2595
9dc9affc
MM		 2596 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
2597 if (err < 0)
2598 l2cap_seq_list_free(&chan->srej_list);
2599
2600 return err;
0565c1c2
GP		 2601}
2602
f2fcfcd6
GP		 2603static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2604{
2605 switch (mode) {
2606 case L2CAP_MODE_STREAMING:
2607 case L2CAP_MODE_ERTM:
2608 if (l2cap_mode_supported(mode, remote_feat_mask))
2609 return mode;
2610 /* fall through */
2611 default:
2612 return L2CAP_MODE_BASIC;
2613 }
2614}
2615
6327eb98
AE		 2616static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2617{
2618 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2619}
2620
f89cef09
AE		 2621static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2622{
2623 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2624}
2625
6327eb98
AE		 2626static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2627{
2628 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 2629 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2630 /* use extended control field */
2631 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2632 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2633 } else {
6327eb98
AE		 2634 chan->tx_win = min_t(u16, chan->tx_win,
2635 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2636 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2637 }
6327eb98
AE		 2638}
2639
710f9b0a 2640static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2641{
1da177e4 2642 struct l2cap_conf_req *req = data;
0c1bc5c6 2643 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2644 void *ptr = req->data;
c8f79162 2645 u16 size;
1da177e4 2646
49208c9c 2647 BT_DBG("chan %p", chan);
1da177e4 2648
73ffa904 2649 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2650 goto done;
2651
0c1bc5c6 2652 switch (chan->mode) {
f2fcfcd6
GP		 2653 case L2CAP_MODE_STREAMING:
2654 case L2CAP_MODE_ERTM:
c1360a1c 2655 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2656 break;
85eb53c6 2657
f89cef09
AE		 2658 if (__l2cap_efs_supported(chan))
2659 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2660
2ba13ed6 2661 /* fall through */
f2fcfcd6 2662 default:
8c1d787b 2663 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2664 break;
2665 }
2666
2667done:
0c1bc5c6
GP		 2668 if (chan->imtu != L2CAP_DEFAULT_MTU)
2669 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2670
0c1bc5c6 2671 switch (chan->mode) {
65c7c491 2672 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2673 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2674 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2675 break;
2676
62547752
GP		 2677 rfc.mode = L2CAP_MODE_BASIC;
2678 rfc.txwin_size = 0;
2679 rfc.max_transmit = 0;
2680 rfc.retrans_timeout = 0;
2681 rfc.monitor_timeout = 0;
2682 rfc.max_pdu_size = 0;
2683
63406504
GP		 2684 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2685 (unsigned long) &rfc);
65c7c491
MH		 2686 break;
2687
2688 case L2CAP_MODE_ERTM:
2689 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2690 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2691 rfc.retrans_timeout = 0;
2692 rfc.monitor_timeout = 0;
c8f79162
AE		 2693
2694 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2695 L2CAP_EXT_HDR_SIZE -
2696 L2CAP_SDULEN_SIZE -
2697 L2CAP_FCS_SIZE);
2698 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2699
6327eb98
AE		 2700 l2cap_txwin_setup(chan);
2701
2702 rfc.txwin_size = min_t(u16, chan->tx_win,
2703 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2704
63406504
GP		 2705 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2706 (unsigned long) &rfc);
2707
f89cef09
AE		 2708 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2709 l2cap_add_opt_efs(&ptr, chan);
2710
8c1d787b 2711 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2712 break;
2713
47d1ec61 2714 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2715 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2716 chan->fcs = L2CAP_FCS_NONE;
2717 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2718 }
6327eb98
AE		 2719
2720 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2721 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2722 chan->tx_win);
f2fcfcd6
GP		 2723 break;
2724
2725 case L2CAP_MODE_STREAMING:
2726 rfc.mode = L2CAP_MODE_STREAMING;
2727 rfc.txwin_size = 0;
2728 rfc.max_transmit = 0;
2729 rfc.retrans_timeout = 0;
2730 rfc.monitor_timeout = 0;
c8f79162
AE		 2731
2732 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2733 L2CAP_EXT_HDR_SIZE -
2734 L2CAP_SDULEN_SIZE -
2735 L2CAP_FCS_SIZE);
2736 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2737
63406504
GP		 2738 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2739 (unsigned long) &rfc);
2740
f89cef09
AE		 2741 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2742 l2cap_add_opt_efs(&ptr, chan);
2743
8c1d787b 2744 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2745 break;
2746
47d1ec61 2747 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2748 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2749 chan->fcs = L2CAP_FCS_NONE;
2750 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2751 }
65c7c491
MH		 2752 break;
2753 }
1da177e4 2754
fe4128e0 2755 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 2756 req->flags = cpu_to_le16(0);
1da177e4
LT		 2757
2758 return ptr - data;
2759}
2760
73ffa904 2761static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2762{
5dee9e7c
MH		 2763 struct l2cap_conf_rsp *rsp = data;
2764 void *ptr = rsp->data;
73ffa904
GP		 2765 void *req = chan->conf_req;
2766 int len = chan->conf_len;
5dee9e7c
MH		 2767 int type, hint, olen;
2768 unsigned long val;
6464f35f 2769 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2770 struct l2cap_conf_efs efs;
2771 u8 remote_efs = 0;
861d6882 2772 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2773 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2774 u16 size;
1da177e4 2775
73ffa904 2776 BT_DBG("chan %p", chan);
820ae1b8 2777
5dee9e7c
MH		 2778 while (len >= L2CAP_CONF_OPT_SIZE) {
2779 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2780
589d2746 2781 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2782 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2783
2784 switch (type) {
2785 case L2CAP_CONF_MTU:
861d6882 2786 mtu = val;
5dee9e7c
MH		 2787 break;
2788
2789 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2790 chan->flush_to = val;
5dee9e7c
MH		 2791 break;
2792
2793 case L2CAP_CONF_QOS:
2794 break;
2795
6464f35f
MH		 2796 case L2CAP_CONF_RFC:
2797 if (olen == sizeof(rfc))
2798 memcpy(&rfc, (void *) val, olen);
2799 break;
2800
fcc203c3
GP		 2801 case L2CAP_CONF_FCS:
2802 if (val == L2CAP_FCS_NONE)
c1360a1c 2803 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 2804 break;
fcc203c3 2805
42dceae2
AE		 2806 case L2CAP_CONF_EFS:
2807 remote_efs = 1;
2808 if (olen == sizeof(efs))
2809 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 2810 break;
2811
6327eb98
AE		 2812 case L2CAP_CONF_EWS:
2813 if (!enable_hs)
2814 return -ECONNREFUSED;
fcc203c3 2815
6327eb98
AE		 2816 set_bit(FLAG_EXT_CTRL, &chan->flags);
2817 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 2818 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 2819 chan->remote_tx_win = val;
fcc203c3
GP		 2820 break;
2821
5dee9e7c
MH		 2822 default:
2823 if (hint)
2824 break;
2825
2826 result = L2CAP_CONF_UNKNOWN;
2827 *((u8 *) ptr++) = type;
2828 break;
2829 }
2830 }
2831
73ffa904 2832 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2833 goto done;
2834
0c1bc5c6 2835 switch (chan->mode) {
f2fcfcd6
GP		 2836 case L2CAP_MODE_STREAMING:
2837 case L2CAP_MODE_ERTM:
c1360a1c 2838 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2839 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2840 chan->conn->feat_mask);
85eb53c6
GP		 2841 break;
2842 }
2843
42dceae2
AE		 2844 if (remote_efs) {
2845 if (__l2cap_efs_supported(chan))
2846 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2847 else
2848 return -ECONNREFUSED;
2849 }
2850
0c1bc5c6 2851 if (chan->mode != rfc.mode)
f2fcfcd6 2852 return -ECONNREFUSED;
742e519b 2853
f2fcfcd6 2854 break;
f2fcfcd6
GP		 2855 }
2856
2857done:
0c1bc5c6 2858 if (chan->mode != rfc.mode) {
f2fcfcd6 2859 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2860 rfc.mode = chan->mode;
f2fcfcd6 2861
73ffa904 2862 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2863 return -ECONNREFUSED;
2864
2865 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2866 sizeof(rfc), (unsigned long) &rfc);
2867 }
2868
5dee9e7c
MH		 2869 if (result == L2CAP_CONF_SUCCESS) {
2870 /* Configure output options and let the other side know
2871 * which ones we don't like. */
2872
f2fcfcd6
GP		 2873 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2874 result = L2CAP_CONF_UNACCEPT;
2875 else {
0c1bc5c6 2876 chan->omtu = mtu;
c1360a1c 2877 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 2878 }
0c1bc5c6 2879 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2880
42dceae2
AE		 2881 if (remote_efs) {
2882 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2883 efs.stype != L2CAP_SERV_NOTRAFIC &&
2884 efs.stype != chan->local_stype) {
2885
2886 result = L2CAP_CONF_UNACCEPT;
2887
2888 if (chan->num_conf_req >= 1)
2889 return -ECONNREFUSED;
2890
2891 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 2892 sizeof(efs),
42dceae2 2893 (unsigned long) &efs);
0e8b207e 2894 } else {
3e6b3b95 2895 /* Send PENDING Conf Rsp */
0e8b207e
AE		 2896 result = L2CAP_CONF_PENDING;
2897 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 2898 }
2899 }
2900
f2fcfcd6
GP		 2901 switch (rfc.mode) {
2902 case L2CAP_MODE_BASIC:
47d1ec61 2903 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2904 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 2905 break;
2906
2907 case L2CAP_MODE_ERTM:
6327eb98
AE		 2908 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
2909 chan->remote_tx_win = rfc.txwin_size;
2910 else
2911 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 2912
2c03a7a4 2913 chan->remote_max_tx = rfc.max_transmit;
1c762159 2914
c8f79162
AE		 2915 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2916 chan->conn->mtu -
2917 L2CAP_EXT_HDR_SIZE -
2918 L2CAP_SDULEN_SIZE -
2919 L2CAP_FCS_SIZE);
2920 rfc.max_pdu_size = cpu_to_le16(size);
2921 chan->remote_mps = size;
f2fcfcd6 2922
10467e9e 2923 rfc.retrans_timeout =
4fd21a88 2924 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
10467e9e 2925 rfc.monitor_timeout =
4fd21a88 2926 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2927
c1360a1c 2928 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2929
2930 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2931 sizeof(rfc), (unsigned long) &rfc);
2932
42dceae2
AE		 2933 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2934 chan->remote_id = efs.id;
2935 chan->remote_stype = efs.stype;
2936 chan->remote_msdu = le16_to_cpu(efs.msdu);
2937 chan->remote_flush_to =
2938 le32_to_cpu(efs.flush_to);
2939 chan->remote_acc_lat =
2940 le32_to_cpu(efs.acc_lat);
2941 chan->remote_sdu_itime =
2942 le32_to_cpu(efs.sdu_itime);
2943 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2944 sizeof(efs), (unsigned long) &efs);
2945 }
f2fcfcd6
GP		 2946 break;
2947
2948 case L2CAP_MODE_STREAMING:
c8f79162
AE		 2949 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2950 chan->conn->mtu -
2951 L2CAP_EXT_HDR_SIZE -
2952 L2CAP_SDULEN_SIZE -
2953 L2CAP_FCS_SIZE);
2954 rfc.max_pdu_size = cpu_to_le16(size);
2955 chan->remote_mps = size;
f2fcfcd6 2956
c1360a1c 2957 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2958
2959 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2960 sizeof(rfc), (unsigned long) &rfc);
2961
f2fcfcd6
GP		 2962 break;
2963
2964 default:
5dee9e7c 2965 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2966
6464f35f 2967 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2968 rfc.mode = chan->mode;
f2fcfcd6 2969 }
6464f35f 2970
f2fcfcd6 2971 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 2972 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 2973 }
fe4128e0 2974 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2975 rsp->result = cpu_to_le16(result);
2976 rsp->flags = cpu_to_le16(0x0000);
2977
2978 return ptr - data;
1da177e4
LT		 2979}
2980
b4450035 2981static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2982{
f2fcfcd6
GP		 2983 struct l2cap_conf_req *req = data;
2984 void *ptr = req->data;
2985 int type, olen;
2986 unsigned long val;
36e999a8 2987 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 2988 struct l2cap_conf_efs efs;
f2fcfcd6 2989
fe4128e0 2990 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 2991
2992 while (len >= L2CAP_CONF_OPT_SIZE) {
2993 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2994
2995 switch (type) {
2996 case L2CAP_CONF_MTU:
2997 if (val < L2CAP_DEFAULT_MIN_MTU) {
2998 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2999 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3000 } else
0c1bc5c6
GP		 3001 chan->imtu = val;
3002 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3003 break;
3004
3005 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3006 chan->flush_to = val;
f2fcfcd6 3007 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 3008 2, chan->flush_to);
f2fcfcd6
GP		 3009 break;
3010
3011 case L2CAP_CONF_RFC:
3012 if (olen == sizeof(rfc))
3013 memcpy(&rfc, (void *)val, olen);
3014
c1360a1c 3015 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 3016 rfc.mode != chan->mode)
f2fcfcd6
GP		 3017 return -ECONNREFUSED;
3018
47d1ec61 3019 chan->fcs = 0;
f2fcfcd6
GP		 3020
3021 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3022 sizeof(rfc), (unsigned long) &rfc);
3023 break;
6327eb98
AE		 3024
3025 case L2CAP_CONF_EWS:
3026 chan->tx_win = min_t(u16, val,
3027 L2CAP_DEFAULT_EXT_WINDOW);
3e6b3b95
GP		 3028 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3029 chan->tx_win);
6327eb98 3030 break;
66af7aaf
AE		 3031
3032 case L2CAP_CONF_EFS:
3033 if (olen == sizeof(efs))
3034 memcpy(&efs, (void *)val, olen);
3035
3036 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3037 efs.stype != L2CAP_SERV_NOTRAFIC &&
3038 efs.stype != chan->local_stype)
3039 return -ECONNREFUSED;
3040
3041 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3042 sizeof(efs), (unsigned long) &efs);
3043 break;
f2fcfcd6
GP		 3044 }
3045 }
3046
0c1bc5c6 3047 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3048 return -ECONNREFUSED;
3049
0c1bc5c6 3050 chan->mode = rfc.mode;
6c2ea7a8 3051
0e8b207e 3052 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3053 switch (rfc.mode) {
3054 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3055 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3056 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3057 chan->mps = le16_to_cpu(rfc.max_pdu_size);
66af7aaf
AE		 3058
3059 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3060 chan->local_msdu = le16_to_cpu(efs.msdu);
3061 chan->local_sdu_itime =
3062 le32_to_cpu(efs.sdu_itime);
3063 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3064 chan->local_flush_to =
3065 le32_to_cpu(efs.flush_to);
3066 }
f2fcfcd6 3067 break;
66af7aaf 3068
f2fcfcd6 3069 case L2CAP_MODE_STREAMING:
47d1ec61 3070 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3071 }
3072 }
3073
fe4128e0 3074 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 3075 req->flags = cpu_to_le16(0x0000);
3076
3077 return ptr - data;
3078}
3079
fe4128e0 3080static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 3081{
3082 struct l2cap_conf_rsp *rsp = data;
3083 void *ptr = rsp->data;
1da177e4 3084
fe4128e0 3085 BT_DBG("chan %p", chan);
1da177e4 3086
fe4128e0 3087 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3088 rsp->result = cpu_to_le16(result);
aca3192c 3089 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3090
3091 return ptr - data;
3092}
3093
8c1d787b 3094void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3095{
3096 struct l2cap_conn_rsp rsp;
8c1d787b 3097 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 3098 u8 buf[128];
3099
fe4128e0
GP		 3100 rsp.scid = cpu_to_le16(chan->dcid);
3101 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 3102 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3103 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3104 l2cap_send_cmd(conn, chan->ident,
3105 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
3106
c1360a1c 3107 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3108 return;
3109
710f9b0a
GP		 3110 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3111 l2cap_build_conf_req(chan, buf), buf);
3112 chan->num_conf_req++;
3113}
3114
47d1ec61 3115static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3116{
7b1c0049
GP		 3117 int type, olen;
3118 unsigned long val;
3119 struct l2cap_conf_rfc rfc;
3120
47d1ec61 3121 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3122
0c1bc5c6 3123 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3124 return;
3125
3126 while (len >= L2CAP_CONF_OPT_SIZE) {
3127 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3128
3129 switch (type) {
3130 case L2CAP_CONF_RFC:
3131 if (olen == sizeof(rfc))
3132 memcpy(&rfc, (void *)val, olen);
3133 goto done;
3134 }
3135 }
3136
36e999a8
MM		 3137 /* Use sane default values in case a misbehaving remote device
3138 * did not send an RFC option.
3139 */
3140 rfc.mode = chan->mode;
3141 rfc.retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3142 rfc.monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3143 rfc.max_pdu_size = cpu_to_le16(chan->imtu);
3144
3145 BT_ERR("Expected RFC option was not found, using defaults");
3146
7b1c0049
GP		 3147done:
3148 switch (rfc.mode) {
3149 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3150 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3151 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3152 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3153 break;
3154 case L2CAP_MODE_STREAMING:
47d1ec61 3155 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3156 }
3157}
3158
4e8402a3
MH		 3159static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3160{
e2fd318e 3161 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3162
e2fd318e 3163 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3164 return 0;
3165
3166 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3167 cmd->ident == conn->info_ident) {
17cd3f37 3168 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3169
3170 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3171 conn->info_ident = 0;
984947dc 3172
4e8402a3
MH		 3173 l2cap_conn_start(conn);
3174 }
3175
3176 return 0;
3177}
3178
1da177e4
LT		 3179static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3180{
1da177e4
LT		 3181 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3182 struct l2cap_conn_rsp rsp;
23691d75 3183 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3184 struct sock *parent, *sk = NULL;
e7c29cb1 3185 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3186
3187 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3188 __le16 psm = req->psm;
1da177e4 3189
097db76c 3190 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3191
3192 /* Check if we have socket listening on psm */
c2287681 3193 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3194 if (!pchan) {
1da177e4
LT		 3195 result = L2CAP_CR_BAD_PSM;
3196 goto sendresp;
3197 }
3198
23691d75
GP		 3199 parent = pchan->sk;
3200
3df91ea2 3201 mutex_lock(&conn->chan_lock);
aa2ac881 3202 lock_sock(parent);
e0f0cb56 3203
e7c29cb1
MH		 3204 /* Check if the ACL is secure enough (if not SDP) */
3205 if (psm != cpu_to_le16(0x0001) &&
3206 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3207 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3208 result = L2CAP_CR_SEC_BLOCK;
3209 goto response;
3210 }
3211
1da177e4
LT		 3212 result = L2CAP_CR_NO_MEM;
3213
3214 /* Check for backlog size */
3215 if (sk_acceptq_is_full(parent)) {
8e87d142 3216 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 3217 goto response;
3218 }
3219
80808e43
GP		 3220 chan = pchan->ops->new_connection(pchan->data);
3221 if (!chan)
1da177e4
LT		 3222 goto response;
3223
80808e43
GP		 3224 sk = chan->sk;
3225
1da177e4 3226 /* Check if we already have channel with that dcid */
baa7e1fa 3227 if (__l2cap_get_chan_by_dcid(conn, scid)) {
1da177e4 3228 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 3229 chan->ops->close(chan->data);
1da177e4
LT		 3230 goto response;
3231 }
3232
3233 hci_conn_hold(conn->hcon);
3234
1da177e4
LT		 3235 bacpy(&bt_sk(sk)->src, conn->src);
3236 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3237 chan->psm = psm;
3238 chan->dcid = scid;
1da177e4 3239
d1010240
GP		 3240 bt_accept_enqueue(parent, sk);
3241
6be36555 3242 __l2cap_chan_add(conn, chan);
48454079 3243
fe4128e0 3244 dcid = chan->scid;
1da177e4 3245
c9b66675 3246 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3247
fc7f8a7e 3248 chan->ident = cmd->ident;
1da177e4 3249
984947dc 3250 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3251 if (l2cap_chan_check_security(chan)) {
c5daa683 3252 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3253 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3254 result = L2CAP_CR_PEND;
3255 status = L2CAP_CS_AUTHOR_PEND;
3256 parent->sk_data_ready(parent, 0);
3257 } else {
0e587be7 3258 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 3259 result = L2CAP_CR_SUCCESS;
3260 status = L2CAP_CS_NO_INFO;
3261 }
79d554a6 3262 } else {
0e587be7 3263 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3264 result = L2CAP_CR_PEND;
3265 status = L2CAP_CS_AUTHEN_PEND;
3266 }
3267 } else {
0e587be7 3268 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3269 result = L2CAP_CR_PEND;
3270 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3271 }
3272
1da177e4 3273response:
aa2ac881 3274 release_sock(parent);
3df91ea2 3275 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3276
3277sendresp:
aca3192c
YH		 3278 rsp.scid = cpu_to_le16(scid);
3279 rsp.dcid = cpu_to_le16(dcid);
3280 rsp.result = cpu_to_le16(result);
3281 rsp.status = cpu_to_le16(status);
1da177e4 3282 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 3283
3284 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3285 struct l2cap_info_req info;
3286 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3287
3288 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3289 conn->info_ident = l2cap_get_ident(conn);
3290
ba13ccd9 3291 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 3292
3293 l2cap_send_cmd(conn, conn->info_ident,
3294 L2CAP_INFO_REQ, sizeof(info), &info);
3295 }
3296
c1360a1c 3297 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 3298 result == L2CAP_CR_SUCCESS) {
3299 u8 buf[128];
c1360a1c 3300 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3301 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3302 l2cap_build_conf_req(chan, buf), buf);
3303 chan->num_conf_req++;
e9aeb2dd
GP		 3304 }
3305
1da177e4
LT		 3306 return 0;
3307}
3308
3309static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3310{
3311 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3312 u16 scid, dcid, result, status;
48454079 3313 struct l2cap_chan *chan;
1da177e4 3314 u8 req[128];
3df91ea2 3315 int err;
1da177e4
LT		 3316
3317 scid = __le16_to_cpu(rsp->scid);
3318 dcid = __le16_to_cpu(rsp->dcid);
3319 result = __le16_to_cpu(rsp->result);
3320 status = __le16_to_cpu(rsp->status);
3321
1b009c98
AE		 3322 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3323 dcid, scid, result, status);
1da177e4 3324
3df91ea2
AE		 3325 mutex_lock(&conn->chan_lock);
3326
1da177e4 3327 if (scid) {
3df91ea2
AE		 3328 chan = __l2cap_get_chan_by_scid(conn, scid);
3329 if (!chan) {
3330 err = -EFAULT;
3331 goto unlock;
3332 }
1da177e4 3333 } else {
3df91ea2
AE		 3334 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3335 if (!chan) {
3336 err = -EFAULT;
3337 goto unlock;
3338 }
1da177e4
LT		 3339 }
3340
3df91ea2
AE		 3341 err = 0;
3342
6be36555 3343 l2cap_chan_lock(chan);
48454079 3344
1da177e4
LT		 3345 switch (result) {
3346 case L2CAP_CR_SUCCESS:
89bc500e 3347 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3348 chan->ident = 0;
fe4128e0 3349 chan->dcid = dcid;
c1360a1c 3350 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3351
c1360a1c 3352 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3353 break;
3354
1da177e4 3355 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3356 l2cap_build_conf_req(chan, req), req);
3357 chan->num_conf_req++;
1da177e4
LT		 3358 break;
3359
3360 case L2CAP_CR_PEND:
c1360a1c 3361 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3362 break;
3363
3364 default:
48454079 3365 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3366 break;
3367 }
3368
6be36555 3369 l2cap_chan_unlock(chan);
3df91ea2
AE		 3370
3371unlock:
3372 mutex_unlock(&conn->chan_lock);
3373
3374 return err;
1da177e4
LT		 3375}
3376
47d1ec61 3377static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3378{
3379 /* FCS is enabled only in ERTM or streaming mode, if one or both
3380 * sides request it.
3381 */
0c1bc5c6 3382 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3383 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3384 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3385 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3386}
3387
88219a0f 3388static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 3389{
3390 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3391 u16 dcid, flags;
3392 u8 rsp[64];
48454079 3393 struct l2cap_chan *chan;
3c588192 3394 int len, err = 0;
1da177e4
LT		 3395
3396 dcid = __le16_to_cpu(req->dcid);
3397 flags = __le16_to_cpu(req->flags);
3398
3399 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3400
baa7e1fa 3401 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3402 if (!chan)
1da177e4
LT		 3403 return -ENOENT;
3404
033b1142 3405 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3406 struct l2cap_cmd_rej_cid rej;
3407
3408 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
3409 rej.scid = cpu_to_le16(chan->scid);
3410 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3411
df6bd743
GP		 3412 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
3413 sizeof(rej), &rej);
354f60a9 3414 goto unlock;
df6bd743 3415 }
354f60a9 3416
5dee9e7c 3417 /* Reject if config buffer is too small. */
88219a0f 3418 len = cmd_len - sizeof(*req);
7ac28817 3419 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3420 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3421 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 3422 L2CAP_CONF_REJECT, flags), rsp);
3423 goto unlock;
3424 }
3425
3426 /* Store config. */
73ffa904
GP		 3427 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3428 chan->conf_len += len;
1da177e4
LT		 3429
3430 if (flags & 0x0001) {
3431 /* Incomplete config. Send empty response. */
3432 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3433 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 3434 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 3435 goto unlock;
3436 }
3437
3438 /* Complete config. */
73ffa904 3439 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3440 if (len < 0) {
e92c8e70 3441 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 3442 goto unlock;
f2fcfcd6 3443 }
1da177e4 3444
5dee9e7c 3445 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3446 chan->num_conf_rsp++;
5dee9e7c 3447
5dee9e7c 3448 /* Reset config buffer. */
73ffa904 3449 chan->conf_len = 0;
5dee9e7c 3450
c1360a1c 3451 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3452 goto unlock;
3453
c1360a1c 3454 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3455 set_default_fcs(chan);
fcc203c3 3456
89bc500e 3457 l2cap_state_change(chan, BT_CONNECTED);
e90bac06 3458
105bdf9e
MM		 3459 if (chan->mode == L2CAP_MODE_ERTM ||
3460 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3461 err = l2cap_ertm_init(chan);
3462
3463 if (err < 0)
3464 l2cap_send_disconn_req(chan->conn, chan, -err);
3465 else
3466 l2cap_chan_ready(chan);
0565c1c2 3467
876d9484
MH		 3468 goto unlock;
3469 }
3470
c1360a1c 3471 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3472 u8 buf[64];
1da177e4 3473 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3474 l2cap_build_conf_req(chan, buf), buf);
3475 chan->num_conf_req++;
1da177e4
LT		 3476 }
3477
0e8b207e
AE		 3478 /* Got Conf Rsp PENDING from remote side and asume we sent
3479 Conf Rsp PENDING in the code above */
3480 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
3481 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3482
3483 /* check compatibility */
3484
3485 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3486 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3487
3488 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3489 l2cap_build_conf_rsp(chan, rsp,
0e8b207e
AE		 3490 L2CAP_CONF_SUCCESS, 0x0000), rsp);
3491 }
3492
1da177e4 3493unlock:
6be36555 3494 l2cap_chan_unlock(chan);
3c588192 3495 return err;
1da177e4
LT		 3496}
3497
3498static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3499{
3500 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3501 u16 scid, flags, result;
48454079 3502 struct l2cap_chan *chan;
61386cba 3503 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3504 int err = 0;
1da177e4
LT		 3505
3506 scid = __le16_to_cpu(rsp->scid);
3507 flags = __le16_to_cpu(rsp->flags);
3508 result = __le16_to_cpu(rsp->result);
3509
61386cba
AE		 3510 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3511 result, len);
1da177e4 3512
baa7e1fa 3513 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3514 if (!chan)
1da177e4
LT		 3515 return 0;
3516
3517 switch (result) {
3518 case L2CAP_CONF_SUCCESS:
47d1ec61 3519 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3520 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3521 break;
3522
0e8b207e
AE		 3523 case L2CAP_CONF_PENDING:
3524 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3525
3526 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3527 char buf[64];
3528
3529 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3530 buf, &result);
3531 if (len < 0) {
3532 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3533 goto done;
3534 }
3535
3536 /* check compatibility */
3537
3538 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3539 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3540
3541 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3542 l2cap_build_conf_rsp(chan, buf,
0e8b207e
AE		 3543 L2CAP_CONF_SUCCESS, 0x0000), buf);
3544 }
3545 goto done;
3546
1da177e4 3547 case L2CAP_CONF_UNACCEPT:
73ffa904 3548 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3549 char req[64];
3550
c2c77ec8 3551 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 3552 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 3553 goto done;
3554 }
3555
f2fcfcd6
GP		 3556 /* throw out any old stored conf requests */
3557 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 3558 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3559 req, &result);
f2fcfcd6 3560 if (len < 0) {
e92c8e70 3561 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 3562 goto done;
3563 }
3564
3565 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3566 L2CAP_CONF_REQ, len, req);
73ffa904 3567 chan->num_conf_req++;
f2fcfcd6
GP		 3568 if (result != L2CAP_CONF_SUCCESS)
3569 goto done;
3570 break;
1da177e4
LT		 3571 }
3572
8e87d142 3573 default:
6be36555 3574 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 3575
ba13ccd9 3576 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 3577 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 3578 goto done;
3579 }
3580
3581 if (flags & 0x01)
3582 goto done;
3583
c1360a1c 3584 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 3585
c1360a1c 3586 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 3587 set_default_fcs(chan);
fcc203c3 3588
89bc500e 3589 l2cap_state_change(chan, BT_CONNECTED);
105bdf9e
MM		 3590 if (chan->mode == L2CAP_MODE_ERTM ||
3591 chan->mode == L2CAP_MODE_STREAMING)
3c588192 3592 err = l2cap_ertm_init(chan);
0565c1c2 3593
3c588192
MM		 3594 if (err < 0)
3595 l2cap_send_disconn_req(chan->conn, chan, -err);
3596 else
3597 l2cap_chan_ready(chan);
1da177e4
LT		 3598 }
3599
3600done:
6be36555 3601 l2cap_chan_unlock(chan);
3c588192 3602 return err;
1da177e4
LT		 3603}
3604
3605static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3606{
3607 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3608 struct l2cap_disconn_rsp rsp;
3609 u16 dcid, scid;
48454079 3610 struct l2cap_chan *chan;
1da177e4
LT		 3611 struct sock *sk;
3612
3613 scid = __le16_to_cpu(req->scid);
3614 dcid = __le16_to_cpu(req->dcid);
3615
3616 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3617
3df91ea2
AE		 3618 mutex_lock(&conn->chan_lock);
3619
3620 chan = __l2cap_get_chan_by_scid(conn, dcid);
3621 if (!chan) {
3622 mutex_unlock(&conn->chan_lock);
1da177e4 3623 return 0;
3df91ea2 3624 }
1da177e4 3625
6be36555
AE		 3626 l2cap_chan_lock(chan);
3627
48454079
GP		 3628 sk = chan->sk;
3629
fe4128e0
GP		 3630 rsp.dcid = cpu_to_le16(chan->scid);
3631 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3632 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3633
6be36555 3634 lock_sock(sk);
1da177e4 3635 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 3636 release_sock(sk);
1da177e4 3637
61d6ef3e 3638 l2cap_chan_hold(chan);
48454079 3639 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 3640
3641 l2cap_chan_unlock(chan);
1da177e4 3642
ba3bd0ee 3643 chan->ops->close(chan->data);
61d6ef3e 3644 l2cap_chan_put(chan);
3df91ea2
AE		 3645
3646 mutex_unlock(&conn->chan_lock);
3647
1da177e4
LT		 3648 return 0;
3649}
3650
3651static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3652{
3653 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3654 u16 dcid, scid;
48454079 3655 struct l2cap_chan *chan;
1da177e4
LT		 3656
3657 scid = __le16_to_cpu(rsp->scid);
3658 dcid = __le16_to_cpu(rsp->dcid);
3659
3660 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3661
3df91ea2
AE		 3662 mutex_lock(&conn->chan_lock);
3663
3664 chan = __l2cap_get_chan_by_scid(conn, scid);
3665 if (!chan) {
3666 mutex_unlock(&conn->chan_lock);
1da177e4 3667 return 0;
3df91ea2 3668 }
1da177e4 3669
6be36555 3670 l2cap_chan_lock(chan);
48454079 3671
61d6ef3e 3672 l2cap_chan_hold(chan);
48454079 3673 l2cap_chan_del(chan, 0);
6be36555
AE		 3674
3675 l2cap_chan_unlock(chan);
1da177e4 3676
ba3bd0ee 3677 chan->ops->close(chan->data);
61d6ef3e 3678 l2cap_chan_put(chan);
3df91ea2
AE		 3679
3680 mutex_unlock(&conn->chan_lock);
3681
1da177e4
LT		 3682 return 0;
3683}
3684
3685static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3686{
3687 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3688 u16 type;
3689
3690 type = __le16_to_cpu(req->type);
3691
3692 BT_DBG("type 0x%4.4x", type);
3693
f0709e03
MH		 3694 if (type == L2CAP_IT_FEAT_MASK) {
3695 u8 buf[8];
44dd46de 3696 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 3697 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3698 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3699 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3700 if (!disable_ertm)
fcc203c3
GP		 3701 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3702 | L2CAP_FEAT_FCS;
a5fd6f30 3703 if (enable_hs)
6327eb98
AE		 3704 feat_mask |= L2CAP_FEAT_EXT_FLOW
3705 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3706
1b7bf4ed 3707 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3708 l2cap_send_cmd(conn, cmd->ident,
3709 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3710 } else if (type == L2CAP_IT_FIXED_CHAN) {
3711 u8 buf[12];
3712 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3713
3714 if (enable_hs)
3715 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3716 else
3717 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3718
e1027a7c
MH		 3719 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3720 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3721 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH		 3722 l2cap_send_cmd(conn, cmd->ident,
3723 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3724 } else {
3725 struct l2cap_info_rsp rsp;
3726 rsp.type = cpu_to_le16(type);
3727 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3728 l2cap_send_cmd(conn, cmd->ident,
3729 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3730 }
1da177e4
LT		 3731
3732 return 0;
3733}
3734
3735static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3736{
3737 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3738 u16 type, result;
3739
3740 type = __le16_to_cpu(rsp->type);
3741 result = __le16_to_cpu(rsp->result);
3742
3743 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3744
e90165be
AE		 3745 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3746 if (cmd->ident != conn->info_ident ||
3747 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3748 return 0;
3749
17cd3f37 3750 cancel_delayed_work(&conn->info_timer);
4e8402a3 3751
adb08ede
VT		 3752 if (result != L2CAP_IR_SUCCESS) {
3753 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3754 conn->info_ident = 0;
3755
3756 l2cap_conn_start(conn);
3757
3758 return 0;
3759 }
3760
978c93b9
AE		 3761 switch (type) {
3762 case L2CAP_IT_FEAT_MASK:
83985319 3763 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3764
47ec1dcd 3765 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 3766 struct l2cap_info_req req;
3767 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3768
3769 conn->info_ident = l2cap_get_ident(conn);
3770
3771 l2cap_send_cmd(conn, conn->info_ident,
3772 L2CAP_INFO_REQ, sizeof(req), &req);
3773 } else {
3774 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3775 conn->info_ident = 0;
3776
3777 l2cap_conn_start(conn);
3778 }
978c93b9
AE		 3779 break;
3780
3781 case L2CAP_IT_FIXED_CHAN:
3782 conn->fixed_chan_mask = rsp->data[0];
984947dc 3783 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3784 conn->info_ident = 0;
984947dc
MH		 3785
3786 l2cap_conn_start(conn);
978c93b9 3787 break;
984947dc 3788 }
4e8402a3 3789
1da177e4
LT		 3790 return 0;
3791}
3792
f94ff6ff
MM		 3793static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3794 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3795 void *data)
3796{
3797 struct l2cap_create_chan_req *req = data;
3798 struct l2cap_create_chan_rsp rsp;
3799 u16 psm, scid;
3800
3801 if (cmd_len != sizeof(*req))
3802 return -EPROTO;
3803
3804 if (!enable_hs)
3805 return -EINVAL;
3806
3807 psm = le16_to_cpu(req->psm);
3808 scid = le16_to_cpu(req->scid);
3809
3810 BT_DBG("psm %d, scid %d, amp_id %d", psm, scid, req->amp_id);
3811
3812 /* Placeholder: Always reject */
3813 rsp.dcid = 0;
3814 rsp.scid = cpu_to_le16(scid);
8ce0c498
AE		 3815 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
3816 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f94ff6ff
MM		 3817
3818 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
3819 sizeof(rsp), &rsp);
3820
3821 return 0;
3822}
3823
3824static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
3825 struct l2cap_cmd_hdr *cmd, void *data)
3826{
3827 BT_DBG("conn %p", conn);
3828
3829 return l2cap_connect_rsp(conn, cmd, data);
3830}
3831
8d5a04a1
MM		 3832static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
3833 u16 icid, u16 result)
3834{
3835 struct l2cap_move_chan_rsp rsp;
3836
3837 BT_DBG("icid %d, result %d", icid, result);
3838
3839 rsp.icid = cpu_to_le16(icid);
3840 rsp.result = cpu_to_le16(result);
3841
3842 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
3843}
3844
3845static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
3846 struct l2cap_chan *chan, u16 icid, u16 result)
3847{
3848 struct l2cap_move_chan_cfm cfm;
3849 u8 ident;
3850
3851 BT_DBG("icid %d, result %d", icid, result);
3852
3853 ident = l2cap_get_ident(conn);
3854 if (chan)
3855 chan->ident = ident;
3856
3857 cfm.icid = cpu_to_le16(icid);
3858 cfm.result = cpu_to_le16(result);
3859
3860 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
3861}
3862
3863static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
3864 u16 icid)
3865{
3866 struct l2cap_move_chan_cfm_rsp rsp;
3867
3868 BT_DBG("icid %d", icid);
3869
3870 rsp.icid = cpu_to_le16(icid);
3871 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
3872}
3873
3874static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
3875 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3876{
3877 struct l2cap_move_chan_req *req = data;
3878 u16 icid = 0;
3879 u16 result = L2CAP_MR_NOT_ALLOWED;
3880
3881 if (cmd_len != sizeof(*req))
3882 return -EPROTO;
3883
3884 icid = le16_to_cpu(req->icid);
3885
3886 BT_DBG("icid %d, dest_amp_id %d", icid, req->dest_amp_id);
3887
3888 if (!enable_hs)
3889 return -EINVAL;
3890
3891 /* Placeholder: Always refuse */
3892 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
3893
3894 return 0;
3895}
3896
3897static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
3898 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3899{
3900 struct l2cap_move_chan_rsp *rsp = data;
3901 u16 icid, result;
3902
3903 if (cmd_len != sizeof(*rsp))
3904 return -EPROTO;
3905
3906 icid = le16_to_cpu(rsp->icid);
3907 result = le16_to_cpu(rsp->result);
3908
3909 BT_DBG("icid %d, result %d", icid, result);
3910
3911 /* Placeholder: Always unconfirmed */
3912 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
3913
3914 return 0;
3915}
3916
3917static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
3918 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3919{
3920 struct l2cap_move_chan_cfm *cfm = data;
3921 u16 icid, result;
3922
3923 if (cmd_len != sizeof(*cfm))
3924 return -EPROTO;
3925
3926 icid = le16_to_cpu(cfm->icid);
3927 result = le16_to_cpu(cfm->result);
3928
3929 BT_DBG("icid %d, result %d", icid, result);
3930
3931 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
3932
3933 return 0;
3934}
3935
3936static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
3937 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3938{
3939 struct l2cap_move_chan_cfm_rsp *rsp = data;
3940 u16 icid;
3941
3942 if (cmd_len != sizeof(*rsp))
3943 return -EPROTO;
3944
3945 icid = le16_to_cpu(rsp->icid);
3946
3947 BT_DBG("icid %d", icid);
3948
3949 return 0;
3950}
3951
e2174ca4 3952static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 3953 u16 to_multiplier)
3954{
3955 u16 max_latency;
3956
3957 if (min > max || min < 6 || max > 3200)
3958 return -EINVAL;
3959
3960 if (to_multiplier < 10 || to_multiplier > 3200)
3961 return -EINVAL;
3962
3963 if (max >= to_multiplier * 8)
3964 return -EINVAL;
3965
3966 max_latency = (to_multiplier * 8 / max) - 1;
3967 if (latency > 499 || latency > max_latency)
3968 return -EINVAL;
3969
3970 return 0;
3971}
3972
3973static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
3974 struct l2cap_cmd_hdr *cmd, u8 *data)
3975{
3976 struct hci_conn *hcon = conn->hcon;
3977 struct l2cap_conn_param_update_req *req;
3978 struct l2cap_conn_param_update_rsp rsp;
3979 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 3980 int err;
de73115a
CT		 3981
3982 if (!(hcon->link_mode & HCI_LM_MASTER))
3983 return -EINVAL;
3984
3985 cmd_len = __le16_to_cpu(cmd->len);
3986 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
3987 return -EPROTO;
3988
3989 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 3990 min = __le16_to_cpu(req->min);
3991 max = __le16_to_cpu(req->max);
de73115a
CT		 3992 latency = __le16_to_cpu(req->latency);
3993 to_multiplier = __le16_to_cpu(req->to_multiplier);
3994
3995 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
3996 min, max, latency, to_multiplier);
3997
3998 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 3999
4000 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
4001 if (err)
de73115a
CT		 4002 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
4003 else
4004 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
4005
4006 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
4007 sizeof(rsp), &rsp);
4008
2ce603eb
CT		 4009 if (!err)
4010 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
4011
de73115a
CT		 4012 return 0;
4013}
4014
3300d9a9
CT		 4015static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
4016 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4017{
4018 int err = 0;
4019
4020 switch (cmd->code) {
4021 case L2CAP_COMMAND_REJ:
4022 l2cap_command_rej(conn, cmd, data);
4023 break;
4024
4025 case L2CAP_CONN_REQ:
4026 err = l2cap_connect_req(conn, cmd, data);
4027 break;
4028
4029 case L2CAP_CONN_RSP:
4030 err = l2cap_connect_rsp(conn, cmd, data);
4031 break;
4032
4033 case L2CAP_CONF_REQ:
4034 err = l2cap_config_req(conn, cmd, cmd_len, data);
4035 break;
4036
4037 case L2CAP_CONF_RSP:
4038 err = l2cap_config_rsp(conn, cmd, data);
4039 break;
4040
4041 case L2CAP_DISCONN_REQ:
4042 err = l2cap_disconnect_req(conn, cmd, data);
4043 break;
4044
4045 case L2CAP_DISCONN_RSP:
4046 err = l2cap_disconnect_rsp(conn, cmd, data);
4047 break;
4048
4049 case L2CAP_ECHO_REQ:
4050 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
4051 break;
4052
4053 case L2CAP_ECHO_RSP:
4054 break;
4055
4056 case L2CAP_INFO_REQ:
4057 err = l2cap_information_req(conn, cmd, data);
4058 break;
4059
4060 case L2CAP_INFO_RSP:
4061 err = l2cap_information_rsp(conn, cmd, data);
4062 break;
4063
f94ff6ff
MM		 4064 case L2CAP_CREATE_CHAN_REQ:
4065 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
4066 break;
4067
4068 case L2CAP_CREATE_CHAN_RSP:
4069 err = l2cap_create_channel_rsp(conn, cmd, data);
4070 break;
4071
8d5a04a1
MM		 4072 case L2CAP_MOVE_CHAN_REQ:
4073 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
4074 break;
4075
4076 case L2CAP_MOVE_CHAN_RSP:
4077 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
4078 break;
4079
4080 case L2CAP_MOVE_CHAN_CFM:
4081 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
4082 break;
4083
4084 case L2CAP_MOVE_CHAN_CFM_RSP:
4085 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
4086 break;
4087
3300d9a9
CT		 4088 default:
4089 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
4090 err = -EINVAL;
4091 break;
4092 }
4093
4094 return err;
4095}
4096
4097static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
4098 struct l2cap_cmd_hdr *cmd, u8 *data)
4099{
4100 switch (cmd->code) {
4101 case L2CAP_COMMAND_REJ:
4102 return 0;
4103
4104 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 4105 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 4106
4107 case L2CAP_CONN_PARAM_UPDATE_RSP:
4108 return 0;
4109
4110 default:
4111 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
4112 return -EINVAL;
4113 }
4114}
4115
4116static inline void l2cap_sig_channel(struct l2cap_conn *conn,
4117 struct sk_buff *skb)
1da177e4
LT		 4118{
4119 u8 *data = skb->data;
4120 int len = skb->len;
4121 struct l2cap_cmd_hdr cmd;
3300d9a9 4122 int err;
1da177e4
LT		 4123
4124 l2cap_raw_recv(conn, skb);
4125
4126 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 4127 u16 cmd_len;
1da177e4
LT		 4128 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
4129 data += L2CAP_CMD_HDR_SIZE;
4130 len -= L2CAP_CMD_HDR_SIZE;
4131
88219a0f 4132 cmd_len = le16_to_cpu(cmd.len);
1da177e4 4133
88219a0f 4134 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 4135
88219a0f 4136 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 4137 BT_DBG("corrupted command");
4138 break;
4139 }
4140
3300d9a9
CT		 4141 if (conn->hcon->type == LE_LINK)
4142 err = l2cap_le_sig_cmd(conn, &cmd, data);
4143 else
4144 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 4145
4146 if (err) {
e2fd318e 4147 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 4148
4149 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 4150
4151 /* FIXME: Map err to a valid reason */
e2fd318e 4152 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 4153 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4154 }
4155
88219a0f
AV		 4156 data += cmd_len;
4157 len -= cmd_len;
1da177e4
LT		 4158 }
4159
4160 kfree_skb(skb);
4161}
4162
47d1ec61 4163static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 4164{
4165 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 4166 int hdr_size;
4167
4168 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
4169 hdr_size = L2CAP_EXT_HDR_SIZE;
4170 else
4171 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 4172
47d1ec61 4173 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 4174 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 4175 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
4176 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
4177
4178 if (our_fcs != rcv_fcs)
7a560e5c 4179 return -EBADMSG;
fcc203c3
GP		 4180 }
4181 return 0;
4182}
4183
525cd185 4184static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 4185{
e31f7633 4186 struct l2cap_ctrl control;
d5392c8f 4187
e31f7633 4188 BT_DBG("chan %p", chan);
d5392c8f 4189
e31f7633
MM		 4190 memset(&control, 0, sizeof(control));
4191 control.sframe = 1;
4192 control.final = 1;
4193 control.reqseq = chan->buffer_seq;
4194 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 4195
e2ab4353 4196 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 4197 control.super = L2CAP_SUPER_RNR;
4198 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4199 }
4200
e31f7633
MM		 4201 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
4202 chan->unacked_frames > 0)
4203 __set_retrans_timer(chan);
d5392c8f 4204
e31f7633 4205 /* Send pending iframes */
525cd185 4206 l2cap_ertm_send(chan);
d5392c8f 4207
e2ab4353 4208 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 4209 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
4210 /* F-bit wasn't sent in an s-frame or i-frame yet, so
4211 * send it now.
4212 */
4213 control.super = L2CAP_SUPER_RR;
4214 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4215 }
4216}
4217
84084a31
MM		 4218static void append_skb_frag(struct sk_buff *skb,
4219 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 4220{
84084a31
MM		 4221 /* skb->len reflects data in skb as well as all fragments
4222 * skb->data_len reflects only data in fragments
4223 */
4224 if (!skb_has_frag_list(skb))
4225 skb_shinfo(skb)->frag_list = new_frag;
4226
4227 new_frag->next = NULL;
4228
4229 (*last_frag)->next = new_frag;
4230 *last_frag = new_frag;
4231
4232 skb->len += new_frag->len;
4233 skb->data_len += new_frag->len;
4234 skb->truesize += new_frag->truesize;
4235}
4236
4b51dae9
MM		 4237static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
4238 struct l2cap_ctrl *control)
84084a31
MM		 4239{
4240 int err = -EINVAL;
18778a63 4241
4b51dae9 4242 switch (control->sar) {
7e0ef6ee 4243 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 4244 if (chan->sdu)
4245 break;
18778a63 4246
84084a31
MM		 4247 err = chan->ops->recv(chan->data, skb);
4248 break;
18778a63 4249
7e0ef6ee 4250 case L2CAP_SAR_START:
84084a31
MM		 4251 if (chan->sdu)
4252 break;
18778a63 4253
6f61fd47 4254 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 4255 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 4256
84084a31
MM		 4257 if (chan->sdu_len > chan->imtu) {
4258 err = -EMSGSIZE;
4259 break;
4260 }
1890d36b 4261
84084a31
MM		 4262 if (skb->len >= chan->sdu_len)
4263 break;
18778a63 4264
84084a31
MM		 4265 chan->sdu = skb;
4266 chan->sdu_last_frag = skb;
18778a63 4267
84084a31
MM		 4268 skb = NULL;
4269 err = 0;
18778a63
GP		 4270 break;
4271
7e0ef6ee 4272 case L2CAP_SAR_CONTINUE:
6f61fd47 4273 if (!chan->sdu)
84084a31 4274 break;
18778a63 4275
84084a31
MM		 4276 append_skb_frag(chan->sdu, skb,
4277 &chan->sdu_last_frag);
4278 skb = NULL;
18778a63 4279
84084a31
MM		 4280 if (chan->sdu->len >= chan->sdu_len)
4281 break;
4178ba46 4282
84084a31 4283 err = 0;
18778a63
GP		 4284 break;
4285
7e0ef6ee 4286 case L2CAP_SAR_END:
6f61fd47 4287 if (!chan->sdu)
84084a31 4288 break;
18778a63 4289
84084a31
MM		 4290 append_skb_frag(chan->sdu, skb,
4291 &chan->sdu_last_frag);
4292 skb = NULL;
4178ba46 4293
84084a31
MM		 4294 if (chan->sdu->len != chan->sdu_len)
4295 break;
18778a63 4296
84084a31 4297 err = chan->ops->recv(chan->data, chan->sdu);
1890d36b 4298
84084a31
MM		 4299 if (!err) {
4300 /* Reassembly complete */
4301 chan->sdu = NULL;
4302 chan->sdu_last_frag = NULL;
4303 chan->sdu_len = 0;
1890d36b 4304 }
18778a63
GP		 4305 break;
4306 }
4307
84084a31
MM		 4308 if (err) {
4309 kfree_skb(skb);
4310 kfree_skb(chan->sdu);
4311 chan->sdu = NULL;
4312 chan->sdu_last_frag = NULL;
4313 chan->sdu_len = 0;
4314 }
18778a63 4315
84084a31 4316 return err;
18778a63
GP		 4317}
4318
61aa4f5b 4319void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 4320{
61aa4f5b 4321 u8 event;
712132eb 4322
61aa4f5b
MM		 4323 if (chan->mode != L2CAP_MODE_ERTM)
4324 return;
712132eb 4325
61aa4f5b
MM		 4326 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
4327 l2cap_tx(chan, 0, 0, event);
1890d36b
GP		 4328}
4329
4b51dae9
MM		 4330static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
4331{
4332 BT_DBG("chan %p, txseq %d", chan, txseq);
4333
4334 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
4335 chan->expected_tx_seq);
4336
4337 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
4338 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4339 chan->tx_win) {
4340 /* See notes below regarding "double poll" and
4341 * invalid packets.
4342 */
4343 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4344 BT_DBG("Invalid/Ignore - after SREJ");
4345 return L2CAP_TXSEQ_INVALID_IGNORE;
4346 } else {
4347 BT_DBG("Invalid - in window after SREJ sent");
4348 return L2CAP_TXSEQ_INVALID;
4349 }
4350 }
4351
4352 if (chan->srej_list.head == txseq) {
4353 BT_DBG("Expected SREJ");
4354 return L2CAP_TXSEQ_EXPECTED_SREJ;
4355 }
4356
4357 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
4358 BT_DBG("Duplicate SREJ - txseq already stored");
4359 return L2CAP_TXSEQ_DUPLICATE_SREJ;
4360 }
4361
4362 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
4363 BT_DBG("Unexpected SREJ - not requested");
4364 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
4365 }
4366 }
4367
4368 if (chan->expected_tx_seq == txseq) {
4369 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4370 chan->tx_win) {
4371 BT_DBG("Invalid - txseq outside tx window");
4372 return L2CAP_TXSEQ_INVALID;
4373 } else {
4374 BT_DBG("Expected");
4375 return L2CAP_TXSEQ_EXPECTED;
4376 }
4377 }
4378
4379 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
4380 __seq_offset(chan, chan->expected_tx_seq,
4381 chan->last_acked_seq)){
4382 BT_DBG("Duplicate - expected_tx_seq later than txseq");
4383 return L2CAP_TXSEQ_DUPLICATE;
4384 }
4385
4386 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
4387 /* A source of invalid packets is a "double poll" condition,
4388 * where delays cause us to send multiple poll packets. If
4389 * the remote stack receives and processes both polls,
4390 * sequence numbers can wrap around in such a way that a
4391 * resent frame has a sequence number that looks like new data
4392 * with a sequence gap. This would trigger an erroneous SREJ
4393 * request.
4394 *
4395 * Fortunately, this is impossible with a tx window that's
4396 * less than half of the maximum sequence number, which allows
4397 * invalid frames to be safely ignored.
4398 *
4399 * With tx window sizes greater than half of the tx window
4400 * maximum, the frame is invalid and cannot be ignored. This
4401 * causes a disconnect.
4402 */
4403
4404 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4405 BT_DBG("Invalid/Ignore - txseq outside tx window");
4406 return L2CAP_TXSEQ_INVALID_IGNORE;
4407 } else {
4408 BT_DBG("Invalid - txseq outside tx window");
4409 return L2CAP_TXSEQ_INVALID;
4410 }
4411 } else {
4412 BT_DBG("Unexpected - txseq indicates missing frames");
4413 return L2CAP_TXSEQ_UNEXPECTED;
4414 }
4415}
4416
cec8ab6e
MM		 4417static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
4418 struct sk_buff *skb, u8 event)
218bb9df 4419{
cec8ab6e
MM		 4420 /* Placeholder */
4421 return -ENOTSUPP;
4422}
4423
4424static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
4425 struct sk_buff *skb)
4426{
4b51dae9
MM		 4427 int err = 0;
4428
4429 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
4430 chan->rx_state);
4431
4432 if (l2cap_classify_txseq(chan, control->txseq) ==
4433 L2CAP_TXSEQ_EXPECTED) {
4434 l2cap_pass_to_tx(chan, control);
4435
4436 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
4437 __next_seq(chan, chan->buffer_seq));
4438
4439 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
4440
4441 l2cap_reassemble_sdu(chan, skb, control);
4442 } else {
4443 if (chan->sdu) {
4444 kfree_skb(chan->sdu);
4445 chan->sdu = NULL;
4446 }
4447 chan->sdu_last_frag = NULL;
4448 chan->sdu_len = 0;
4449
4450 if (skb) {
4451 BT_DBG("Freeing %p", skb);
4452 kfree_skb(skb);
4453 }
4454 }
4455
4456 chan->last_acked_seq = control->txseq;
4457 chan->expected_tx_seq = __next_seq(chan, control->txseq);
4458
4459 return err;
cec8ab6e
MM		 4460}
4461
4462static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
4463{
4464 struct l2cap_ctrl *control = &bt_cb(skb)->control;
4465 u16 len;
4466 u8 event;
218bb9df 4467
b76bbd66
MM		 4468 __unpack_control(chan, skb);
4469
218bb9df
GP		 4470 len = skb->len;
4471
4472 /*
4473 * We can just drop the corrupted I-frame here.
4474 * Receiver will miss it and start proper recovery
cec8ab6e 4475 * procedures and ask for retransmission.
218bb9df 4476 */
47d1ec61 4477 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 4478 goto drop;
4479
cec8ab6e 4480 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 4481 len -= L2CAP_SDULEN_SIZE;
218bb9df 4482
47d1ec61 4483 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 4484 len -= L2CAP_FCS_SIZE;
218bb9df 4485
47d1ec61 4486 if (len > chan->mps) {
8c1d787b 4487 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4488 goto drop;
4489 }
4490
cec8ab6e
MM		 4491 if (!control->sframe) {
4492 int err;
218bb9df 4493
cec8ab6e
MM		 4494 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
4495 control->sar, control->reqseq, control->final,
4496 control->txseq);
218bb9df 4497
cec8ab6e
MM		 4498 /* Validate F-bit - F=0 always valid, F=1 only
4499 * valid in TX WAIT_F
4500 */
4501 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 4502 goto drop;
cec8ab6e
MM		 4503
4504 if (chan->mode != L2CAP_MODE_STREAMING) {
4505 event = L2CAP_EV_RECV_IFRAME;
4506 err = l2cap_rx(chan, control, skb, event);
4507 } else {
4508 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 4509 }
4510
cec8ab6e
MM		 4511 if (err)
4512 l2cap_send_disconn_req(chan->conn, chan,
4513 ECONNRESET);
218bb9df 4514 } else {
cec8ab6e
MM		 4515 const u8 rx_func_to_event[4] = {
4516 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
4517 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
4518 };
4519
4520 /* Only I-frames are expected in streaming mode */
4521 if (chan->mode == L2CAP_MODE_STREAMING)
4522 goto drop;
4523
4524 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
4525 control->reqseq, control->final, control->poll,
4526 control->super);
4527
218bb9df
GP		 4528 if (len != 0) {
4529 BT_ERR("%d", len);
8c1d787b 4530 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4531 goto drop;
4532 }
4533
cec8ab6e
MM		 4534 /* Validate F and P bits */
4535 if (control->final && (control->poll ||
4536 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
4537 goto drop;
4538
4539 event = rx_func_to_event[control->super];
4540 if (l2cap_rx(chan, control, skb, event))
4541 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4542 }
4543
4544 return 0;
4545
4546drop:
4547 kfree_skb(skb);
4548 return 0;
4549}
4550
1da177e4
LT		 4551static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
4552{
48454079 4553 struct l2cap_chan *chan;
1da177e4 4554
baa7e1fa 4555 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 4556 if (!chan) {
1da177e4 4557 BT_DBG("unknown cid 0x%4.4x", cid);
6be36555 4558 /* Drop packet and return */
3379013b 4559 kfree_skb(skb);
6be36555 4560 return 0;
1da177e4
LT		 4561 }
4562
49208c9c 4563 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 4564
89bc500e 4565 if (chan->state != BT_CONNECTED)
1da177e4
LT		 4566 goto drop;
4567
0c1bc5c6 4568 switch (chan->mode) {
1c2acffb
GP		 4569 case L2CAP_MODE_BASIC:
4570 /* If socket recv buffers overflows we drop data here
4571 * which is *bad* because L2CAP has to be reliable.
4572 * But we don't have any other choice. L2CAP doesn't
4573 * provide flow control mechanism. */
1da177e4 4574
0c1bc5c6 4575 if (chan->imtu < skb->len)
1c2acffb 4576 goto drop;
1da177e4 4577
23070494 4578 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP		 4579 goto done;
4580 break;
4581
4582 case L2CAP_MODE_ERTM:
6840ed07 4583 case L2CAP_MODE_STREAMING:
cec8ab6e 4584 l2cap_data_rcv(chan, skb);
6840ed07
GP		 4585 goto done;
4586
1c2acffb 4587 default:
0c1bc5c6 4588 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 4589 break;
4590 }
1da177e4
LT		 4591
4592drop:
4593 kfree_skb(skb);
4594
4595done:
6be36555 4596 l2cap_chan_unlock(chan);
0139418c 4597
1da177e4
LT		 4598 return 0;
4599}
4600
8e036fc3 4601static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 4602{
23691d75 4603 struct l2cap_chan *chan;
1da177e4 4604
c2287681 4605 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 4606 if (!chan)
1da177e4
LT		 4607 goto drop;
4608
5b4cedaa 4609 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 4610
89bc500e 4611 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 4612 goto drop;
4613
e13e21dc 4614 if (chan->imtu < skb->len)
1da177e4
LT		 4615 goto drop;
4616
23070494 4617 if (!chan->ops->recv(chan->data, skb))
5b4cedaa 4618 return 0;
1da177e4
LT		 4619
4620drop:
4621 kfree_skb(skb);
4622
1da177e4
LT		 4623 return 0;
4624}
4625
d9b88702
AE		 4626static inline int l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
4627 struct sk_buff *skb)
9f69bda6 4628{
23691d75 4629 struct l2cap_chan *chan;
9f69bda6 4630
c2287681 4631 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 4632 if (!chan)
9f69bda6
GP		 4633 goto drop;
4634
5b4cedaa 4635 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 4636
89bc500e 4637 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 4638 goto drop;
4639
e13e21dc 4640 if (chan->imtu < skb->len)
9f69bda6
GP		 4641 goto drop;
4642
23070494 4643 if (!chan->ops->recv(chan->data, skb))
5b4cedaa 4644 return 0;
9f69bda6
GP		 4645
4646drop:
4647 kfree_skb(skb);
4648
9f69bda6
GP		 4649 return 0;
4650}
4651
1da177e4
LT		 4652static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4653{
4654 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4655 u16 cid, len;
4656 __le16 psm;
1da177e4
LT		 4657
4658 skb_pull(skb, L2CAP_HDR_SIZE);
4659 cid = __le16_to_cpu(lh->cid);
4660 len = __le16_to_cpu(lh->len);
4661
1c2acffb
GP		 4662 if (len != skb->len) {
4663 kfree_skb(skb);
4664 return;
4665 }
4666
1da177e4
LT		 4667 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4668
4669 switch (cid) {
3300d9a9 4670 case L2CAP_CID_LE_SIGNALING:
8db4dc46 4671 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4672 l2cap_sig_channel(conn, skb);
4673 break;
4674
8db4dc46 4675 case L2CAP_CID_CONN_LESS:
097db76c 4676 psm = get_unaligned((__le16 *) skb->data);
1da177e4
LT		 4677 skb_pull(skb, 2);
4678 l2cap_conless_channel(conn, psm, skb);
4679 break;
4680
9f69bda6
GP		 4681 case L2CAP_CID_LE_DATA:
4682 l2cap_att_channel(conn, cid, skb);
4683 break;
4684
b501d6a1
AB		 4685 case L2CAP_CID_SMP:
4686 if (smp_sig_channel(conn, skb))
4687 l2cap_conn_del(conn->hcon, EACCES);
4688 break;
4689
1da177e4
LT		 4690 default:
4691 l2cap_data_channel(conn, cid, skb);
4692 break;
4693 }
4694}
4695
4696/* ---- L2CAP interface with lower layer (HCI) ---- */
4697
686ebf28 4698int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 4699{
4700 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 4701 struct l2cap_chan *c;
1da177e4 4702
1da177e4
LT		 4703 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4704
4705 /* Find listening sockets and check their link_mode */
23691d75
GP		 4706 read_lock(&chan_list_lock);
4707 list_for_each_entry(c, &chan_list, global_l) {
4708 struct sock *sk = c->sk;
4343478f 4709
89bc500e 4710 if (c->state != BT_LISTEN)
1da177e4
LT		 4711 continue;
4712
4713 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4714 lm1 |= HCI_LM_ACCEPT;
43bd0f32 4715 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 4716 lm1 |= HCI_LM_MASTER;
1da177e4 4717 exact++;
2af6b9d5
MH		 4718 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4719 lm2 |= HCI_LM_ACCEPT;
43bd0f32 4720 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 4721 lm2 |= HCI_LM_MASTER;
4722 }
1da177e4 4723 }
23691d75 4724 read_unlock(&chan_list_lock);
1da177e4
LT		 4725
4726 return exact ? lm1 : lm2;
4727}
4728
686ebf28 4729int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 4730{
0139418c
MH		 4731 struct l2cap_conn *conn;
4732
1da177e4
LT		 4733 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4734
1da177e4 4735 if (!status) {
1da177e4
LT		 4736 conn = l2cap_conn_add(hcon, status);
4737 if (conn)
4738 l2cap_conn_ready(conn);
0139418c 4739 } else
e175072f 4740 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 4741
4742 return 0;
4743}
4744
686ebf28 4745int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 4746{
4747 struct l2cap_conn *conn = hcon->l2cap_data;
4748
4749 BT_DBG("hcon %p", hcon);
4750
686ebf28 4751 if (!conn)
9f5a0d7b 4752 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 4753 return conn->disc_reason;
4754}
4755
686ebf28 4756int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4757{
4758 BT_DBG("hcon %p reason %d", hcon, reason);
4759
e175072f 4760 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 4761 return 0;
4762}
4763
4343478f 4764static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4765{
715ec005 4766 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 4767 return;
4768
f62e4323 4769 if (encrypt == 0x00) {
4343478f 4770 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 4771 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 4772 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 4773 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4774 } else {
4343478f 4775 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 4776 __clear_chan_timer(chan);
f62e4323
MH		 4777 }
4778}
4779
686ebf28 4780int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4781{
0139418c 4782 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4783 struct l2cap_chan *chan;
1da177e4 4784
0139418c 4785 if (!conn)
1da177e4 4786 return 0;
0139418c 4787
1da177e4
LT		 4788 BT_DBG("conn %p", conn);
4789
160dc6ac 4790 if (hcon->type == LE_LINK) {
35d4adcc
HG		 4791 if (!status && encrypt)
4792 smp_distribute_keys(conn, 0);
17cd3f37 4793 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 4794 }
4795
3df91ea2 4796 mutex_lock(&conn->chan_lock);
1da177e4 4797
3df91ea2 4798 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 4799 l2cap_chan_lock(chan);
1da177e4 4800
f1cb9af5
VCG		 4801 BT_DBG("chan->scid %d", chan->scid);
4802
4803 if (chan->scid == L2CAP_CID_LE_DATA) {
4804 if (!status && encrypt) {
4805 chan->sec_level = hcon->sec_level;
cf4cd009 4806 l2cap_chan_ready(chan);
f1cb9af5
VCG		 4807 }
4808
6be36555 4809 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 4810 continue;
4811 }
4812
c1360a1c 4813 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6be36555 4814 l2cap_chan_unlock(chan);
6a8d3010
MH		 4815 continue;
4816 }
4817
89bc500e
GP		 4818 if (!status && (chan->state == BT_CONNECTED ||
4819 chan->state == BT_CONFIG)) {
a7d7723a
GP		 4820 struct sock *sk = chan->sk;
4821
c5daa683 4822 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 4823 sk->sk_state_change(sk);
4824
4343478f 4825 l2cap_check_encryption(chan, encrypt);
6be36555 4826 l2cap_chan_unlock(chan);
9719f8af
MH		 4827 continue;
4828 }
4829
89bc500e 4830 if (chan->state == BT_CONNECT) {
b1235d79 4831 if (!status) {
9b27f350 4832 l2cap_send_conn_req(chan);
b1235d79 4833 } else {
ba13ccd9 4834 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 4835 }
89bc500e 4836 } else if (chan->state == BT_CONNECT2) {
6be36555 4837 struct sock *sk = chan->sk;
b1235d79 4838 struct l2cap_conn_rsp rsp;
df3c3931 4839 __u16 res, stat;
1da177e4 4840
6be36555
AE		 4841 lock_sock(sk);
4842
b1235d79 4843 if (!status) {
c5daa683
GP		 4844 if (test_bit(BT_SK_DEFER_SETUP,
4845 &bt_sk(sk)->flags)) {
df3c3931
JH		 4846 struct sock *parent = bt_sk(sk)->parent;
4847 res = L2CAP_CR_PEND;
4848 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 4849 if (parent)
4850 parent->sk_data_ready(parent, 0);
df3c3931 4851 } else {
0e587be7 4852 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 4853 res = L2CAP_CR_SUCCESS;
4854 stat = L2CAP_CS_NO_INFO;
4855 }
b1235d79 4856 } else {
0e587be7 4857 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 4858 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 4859 res = L2CAP_CR_SEC_BLOCK;
4860 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 4861 }
4862
6be36555
AE		 4863 release_sock(sk);
4864
fe4128e0
GP		 4865 rsp.scid = cpu_to_le16(chan->dcid);
4866 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 4867 rsp.result = cpu_to_le16(res);
4868 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 4869 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4870 sizeof(rsp), &rsp);
b1235d79 4871 }
1da177e4 4872
6be36555 4873 l2cap_chan_unlock(chan);
1da177e4
LT		 4874 }
4875
3df91ea2 4876 mutex_unlock(&conn->chan_lock);
b1235d79 4877
1da177e4
LT		 4878 return 0;
4879}
4880
686ebf28 4881int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 4882{
4883 struct l2cap_conn *conn = hcon->l2cap_data;
4884
5a08ecce
AE		 4885 if (!conn)
4886 conn = l2cap_conn_add(hcon, 0);
4887
4888 if (!conn)
1da177e4
LT		 4889 goto drop;
4890
4891 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4892
e702112f 4893 if (!(flags & ACL_CONT)) {
1da177e4
LT		 4894 struct l2cap_hdr *hdr;
4895 int len;
4896
4897 if (conn->rx_len) {
4898 BT_ERR("Unexpected start frame (len %d)", skb->len);
4899 kfree_skb(conn->rx_skb);
4900 conn->rx_skb = NULL;
4901 conn->rx_len = 0;
4902 l2cap_conn_unreliable(conn, ECOMM);
4903 }
4904
aae7fe22
AE		 4905 /* Start fragment always begin with Basic L2CAP header */
4906 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 4907 BT_ERR("Frame is too short (len %d)", skb->len);
4908 l2cap_conn_unreliable(conn, ECOMM);
4909 goto drop;
4910 }
4911
4912 hdr = (struct l2cap_hdr *) skb->data;
4913 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
4914
4915 if (len == skb->len) {
4916 /* Complete frame received */
4917 l2cap_recv_frame(conn, skb);
4918 return 0;
4919 }
4920
4921 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4922
4923 if (skb->len > len) {
4924 BT_ERR("Frame is too long (len %d, expected len %d)",
4925 skb->len, len);
4926 l2cap_conn_unreliable(conn, ECOMM);
4927 goto drop;
4928 }
4929
4930 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4931 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4932 if (!conn->rx_skb)
1da177e4
LT		 4933 goto drop;
4934
d626f62b 4935 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4936 skb->len);
1da177e4
LT		 4937 conn->rx_len = len - skb->len;
4938 } else {
4939 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4940
4941 if (!conn->rx_len) {
4942 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4943 l2cap_conn_unreliable(conn, ECOMM);
4944 goto drop;
4945 }
4946
4947 if (skb->len > conn->rx_len) {
4948 BT_ERR("Fragment is too long (len %d, expected %d)",
4949 skb->len, conn->rx_len);
4950 kfree_skb(conn->rx_skb);
4951 conn->rx_skb = NULL;
4952 conn->rx_len = 0;
4953 l2cap_conn_unreliable(conn, ECOMM);
4954 goto drop;
4955 }
4956
d626f62b 4957 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4958 skb->len);
1da177e4
LT		 4959 conn->rx_len -= skb->len;
4960
4961 if (!conn->rx_len) {
4962 /* Complete frame received */
4963 l2cap_recv_frame(conn, conn->rx_skb);
4964 conn->rx_skb = NULL;
4965 }
4966 }
4967
4968drop:
4969 kfree_skb(skb);
4970 return 0;
4971}
4972
aef7d97c 4973static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 4974{
23691d75 4975 struct l2cap_chan *c;
1da177e4 4976
333055f2 4977 read_lock(&chan_list_lock);
1da177e4 4978
23691d75
GP		 4979 list_for_each_entry(c, &chan_list, global_l) {
4980 struct sock *sk = c->sk;
101545f6 4981
903d343e 4982 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 4983 batostr(&bt_sk(sk)->src),
4984 batostr(&bt_sk(sk)->dst),
89bc500e 4985 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 4986 c->scid, c->dcid, c->imtu, c->omtu,
4987 c->sec_level, c->mode);
61e1b4b7 4988 }
1da177e4 4989
333055f2 4990 read_unlock(&chan_list_lock);
1da177e4 4991
aef7d97c 4992 return 0;
1da177e4
LT		 4993}
4994
aef7d97c
MH		 4995static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4996{
4997 return single_open(file, l2cap_debugfs_show, inode->i_private);
4998}
4999
5000static const struct file_operations l2cap_debugfs_fops = {
5001 .open = l2cap_debugfs_open,
5002 .read = seq_read,
5003 .llseek = seq_lseek,
5004 .release = single_release,
5005};
5006
5007static struct dentry *l2cap_debugfs;
1da177e4 5008
64274518 5009int __init l2cap_init(void)
1da177e4
LT		 5010{
5011 int err;
be9d1227 5012
bb58f747 5013 err = l2cap_init_sockets();
1da177e4
LT		 5014 if (err < 0)
5015 return err;
5016
aef7d97c
MH		 5017 if (bt_debugfs) {
5018 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
5019 bt_debugfs, NULL, &l2cap_debugfs_fops);
5020 if (!l2cap_debugfs)
5021 BT_ERR("Failed to create L2CAP debug file");
5022 }
1da177e4 5023
1da177e4 5024 return 0;
1da177e4
LT		 5025}
5026
64274518 5027void l2cap_exit(void)
1da177e4 5028{
aef7d97c 5029 debugfs_remove(l2cap_debugfs);
bb58f747 5030 l2cap_cleanup_sockets();
1da177e4
LT		 5031}
5032
d1c4a17d
GP		 5033module_param(disable_ertm, bool, 0644);
5034MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)