projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: mgmt: Add device disconnect reason
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
b501d6a1 39#include <net/bluetooth/smp.h>
97e8e89d 40#include <net/bluetooth/a2mp.h>
1da177e4 41
d1de6d46 42bool disable_ertm;
f0709e03 43
47ec1dcd 44static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 45static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 46
b5ad8b7f
JB		 47static LIST_HEAD(chan_list);
48static DEFINE_RWLOCK(chan_list_lock);
1da177e4 49
1da177e4
LT		 50static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
51 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 52static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
53 void *data);
710f9b0a 54static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a 55static void l2cap_send_disconn_req(struct l2cap_conn *conn,
c5daa683 56 struct l2cap_chan *chan, int err);
1da177e4 57
d660366d 58static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
608bcc6d
MM		 59 struct sk_buff_head *skbs, u8 event);
60
0139418c 61/* ---- L2CAP channels ---- */
71ba0e56 62
baa7e1fa 63static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 64{
3df91ea2 65 struct l2cap_chan *c;
3d57dc68 66
3df91ea2
AE		 67 list_for_each_entry(c, &conn->chan_l, list) {
68 if (c->dcid == cid)
69 return c;
0139418c 70 }
3df91ea2 71 return NULL;
0139418c
MH		 72}
73
baa7e1fa 74static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 75{
3df91ea2 76 struct l2cap_chan *c;
3d57dc68 77
3df91ea2
AE		 78 list_for_each_entry(c, &conn->chan_l, list) {
79 if (c->scid == cid)
80 return c;
0139418c 81 }
3df91ea2 82 return NULL;
0139418c
MH		 83}
84
85/* Find channel with given SCID.
ef191ade 86 * Returns locked channel. */
baa7e1fa 87static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 88{
48454079 89 struct l2cap_chan *c;
baa7e1fa 90
3df91ea2 91 mutex_lock(&conn->chan_lock);
baa7e1fa 92 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 93 if (c)
94 l2cap_chan_lock(c);
3df91ea2
AE		 95 mutex_unlock(&conn->chan_lock);
96
48454079 97 return c;
0139418c
MH		 98}
99
baa7e1fa 100static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 101{
3df91ea2 102 struct l2cap_chan *c;
3d57dc68 103
3df91ea2
AE		 104 list_for_each_entry(c, &conn->chan_l, list) {
105 if (c->ident == ident)
106 return c;
0139418c 107 }
3df91ea2 108 return NULL;
0139418c
MH		 109}
110
23691d75 111static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 112{
23691d75 113 struct l2cap_chan *c;
9e4425ff 114
23691d75
GP		 115 list_for_each_entry(c, &chan_list, global_l) {
116 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 117 return c;
9e4425ff 118 }
250938cb 119 return NULL;
9e4425ff
GP		 120}
121
122int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
123{
73b2ec18
GP		 124 int err;
125
333055f2 126 write_lock(&chan_list_lock);
9e4425ff 127
23691d75 128 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 129 err = -EADDRINUSE;
130 goto done;
9e4425ff
GP		 131 }
132
73b2ec18
GP		 133 if (psm) {
134 chan->psm = psm;
135 chan->sport = psm;
136 err = 0;
137 } else {
138 u16 p;
139
140 err = -EINVAL;
141 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 142 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 143 chan->psm = cpu_to_le16(p);
144 chan->sport = cpu_to_le16(p);
145 err = 0;
146 break;
147 }
148 }
9e4425ff 149
73b2ec18 150done:
333055f2 151 write_unlock(&chan_list_lock);
73b2ec18 152 return err;
9e4425ff
GP		 153}
154
155int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
156{
333055f2 157 write_lock(&chan_list_lock);
9e4425ff
GP		 158
159 chan->scid = scid;
160
333055f2 161 write_unlock(&chan_list_lock);
9e4425ff
GP		 162
163 return 0;
164}
165
baa7e1fa 166static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 167{
8db4dc46 168 u16 cid = L2CAP_CID_DYN_START;
0139418c 169
8db4dc46 170 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 171 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 172 return cid;
173 }
174
175 return 0;
176}
177
0e587be7 178static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 179{
42d2d87c 180 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
badaaa00
GP		 181 state_to_string(state));
182
89bc500e 183 chan->state = state;
80b98027 184 chan->ops->state_change(chan, state);
89bc500e
GP		 185}
186
0e587be7
AE		 187static void l2cap_state_change(struct l2cap_chan *chan, int state)
188{
189 struct sock *sk = chan->sk;
190
191 lock_sock(sk);
192 __l2cap_state_change(chan, state);
193 release_sock(sk);
194}
195
2e0052e4
AE		 196static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
197{
198 struct sock *sk = chan->sk;
199
200 sk->sk_err = err;
201}
202
203static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
204{
205 struct sock *sk = chan->sk;
206
207 lock_sock(sk);
208 __l2cap_chan_set_err(chan, err);
209 release_sock(sk);
210}
211
4239d16f
MM		 212static void __set_retrans_timer(struct l2cap_chan *chan)
213{
214 if (!delayed_work_pending(&chan->monitor_timer) &&
215 chan->retrans_timeout) {
216 l2cap_set_timer(chan, &chan->retrans_timer,
217 msecs_to_jiffies(chan->retrans_timeout));
218 }
219}
220
221static void __set_monitor_timer(struct l2cap_chan *chan)
222{
223 __clear_retrans_timer(chan);
224 if (chan->monitor_timeout) {
225 l2cap_set_timer(chan, &chan->monitor_timer,
226 msecs_to_jiffies(chan->monitor_timeout));
227 }
228}
229
608bcc6d
MM		 230static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
231 u16 seq)
232{
233 struct sk_buff *skb;
234
235 skb_queue_walk(head, skb) {
236 if (bt_cb(skb)->control.txseq == seq)
237 return skb;
238 }
239
240 return NULL;
241}
242
3c588192
MM		 243/* ---- L2CAP sequence number lists ---- */
244
245/* For ERTM, ordered lists of sequence numbers must be tracked for
246 * SREJ requests that are received and for frames that are to be
247 * retransmitted. These seq_list functions implement a singly-linked
248 * list in an array, where membership in the list can also be checked
249 * in constant time. Items can also be added to the tail of the list
250 * and removed from the head in constant time, without further memory
251 * allocs or frees.
252 */
253
254static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
255{
256 size_t alloc_size, i;
257
258 /* Allocated size is a power of 2 to map sequence numbers
259 * (which may be up to 14 bits) in to a smaller array that is
260 * sized for the negotiated ERTM transmit windows.
261 */
262 alloc_size = roundup_pow_of_two(size);
263
264 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
265 if (!seq_list->list)
266 return -ENOMEM;
267
268 seq_list->mask = alloc_size - 1;
269 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
270 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
271 for (i = 0; i < alloc_size; i++)
272 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
273
274 return 0;
275}
276
277static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
278{
279 kfree(seq_list->list);
280}
281
282static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
283 u16 seq)
284{
285 /* Constant-time check for list membership */
286 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
287}
288
289static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
290{
291 u16 mask = seq_list->mask;
292
293 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
294 /* In case someone tries to pop the head of an empty list */
295 return L2CAP_SEQ_LIST_CLEAR;
296 } else if (seq_list->head == seq) {
297 /* Head can be removed in constant time */
298 seq_list->head = seq_list->list[seq & mask];
299 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
300
301 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
302 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
303 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
304 }
305 } else {
306 /* Walk the list to find the sequence number */
307 u16 prev = seq_list->head;
308 while (seq_list->list[prev & mask] != seq) {
309 prev = seq_list->list[prev & mask];
310 if (prev == L2CAP_SEQ_LIST_TAIL)
311 return L2CAP_SEQ_LIST_CLEAR;
312 }
313
314 /* Unlink the number from the list and clear it */
315 seq_list->list[prev & mask] = seq_list->list[seq & mask];
316 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
317 if (seq_list->tail == seq)
318 seq_list->tail = prev;
319 }
320 return seq;
321}
322
323static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
324{
325 /* Remove the head in constant time */
326 return l2cap_seq_list_remove(seq_list, seq_list->head);
327}
328
329static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
330{
f522ae36 331 u16 i;
3c588192 332
f522ae36
GP		 333 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
334 return;
335
336 for (i = 0; i <= seq_list->mask; i++)
337 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
338
339 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
340 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 341}
342
343static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
344{
345 u16 mask = seq_list->mask;
346
347 /* All appends happen in constant time */
348
f522ae36
GP		 349 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
350 return;
3c588192 351
f522ae36
GP		 352 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
353 seq_list->head = seq;
354 else
355 seq_list->list[seq_list->tail & mask] = seq;
356
357 seq_list->tail = seq;
358 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 359}
360
721c4181 361static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 362{
721c4181
GP		 363 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
364 chan_timer.work);
3df91ea2 365 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 366 int reason;
367
e05dcc32 368 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 369
3df91ea2 370 mutex_lock(&conn->chan_lock);
6be36555 371 l2cap_chan_lock(chan);
ab07801d 372
89bc500e 373 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 374 reason = ECONNREFUSED;
89bc500e 375 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 376 chan->sec_level != BT_SECURITY_SDP)
377 reason = ECONNREFUSED;
378 else
379 reason = ETIMEDOUT;
380
0f852724 381 l2cap_chan_close(chan, reason);
ab07801d 382
6be36555 383 l2cap_chan_unlock(chan);
ab07801d 384
80b98027 385 chan->ops->close(chan);
3df91ea2
AE		 386 mutex_unlock(&conn->chan_lock);
387
371fd835 388 l2cap_chan_put(chan);
ab07801d
GP		 389}
390
eef1d9b6 391struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 392{
393 struct l2cap_chan *chan;
394
395 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
396 if (!chan)
397 return NULL;
398
c03b355e
AE		 399 mutex_init(&chan->lock);
400
333055f2 401 write_lock(&chan_list_lock);
23691d75 402 list_add(&chan->global_l, &chan_list);
333055f2 403 write_unlock(&chan_list_lock);
23691d75 404
721c4181 405 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 406
89bc500e
GP		 407 chan->state = BT_OPEN;
408
71ba0e56
GP		 409 atomic_set(&chan->refcnt, 1);
410
2827011f
MM		 411 /* This flag is cleared in l2cap_chan_ready() */
412 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
413
eef1d9b6 414 BT_DBG("chan %p", chan);
abc545b8 415
48454079
GP		 416 return chan;
417}
418
4af66c69 419static void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 420{
4af66c69
JK		 421 BT_DBG("chan %p", chan);
422
333055f2 423 write_lock(&chan_list_lock);
23691d75 424 list_del(&chan->global_l);
333055f2 425 write_unlock(&chan_list_lock);
23691d75 426
4af66c69 427 kfree(chan);
6ff5abbf
GP		 428}
429
30648372
JK		 430void l2cap_chan_hold(struct l2cap_chan *c)
431{
432 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->refcnt));
433
434 atomic_inc(&c->refcnt);
435}
436
437void l2cap_chan_put(struct l2cap_chan *c)
438{
439 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->refcnt));
440
441 if (atomic_dec_and_test(&c->refcnt))
4af66c69 442 l2cap_chan_destroy(c);
30648372
JK		 443}
444
bd4b1653
AE		 445void l2cap_chan_set_defaults(struct l2cap_chan *chan)
446{
447 chan->fcs = L2CAP_FCS_CRC16;
448 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
449 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
450 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
c20f8e35 451 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653
AE		 452 chan->sec_level = BT_SECURITY_LOW;
453
454 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
455}
456
14a28491 457static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 458{
af05b30b 459 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 460 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 461
9f5a0d7b 462 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 463
8c1d787b 464 chan->conn = conn;
0139418c 465
5491120e
AE		 466 switch (chan->chan_type) {
467 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 468 if (conn->hcon->type == LE_LINK) {
469 /* LE connection */
6fcb06a2 470 chan->omtu = L2CAP_DEFAULT_MTU;
fe4128e0
GP		 471 chan->scid = L2CAP_CID_LE_DATA;
472 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 473 } else {
474 /* Alloc CID for connection-oriented socket */
fe4128e0 475 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 476 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 477 }
5491120e
AE		 478 break;
479
480 case L2CAP_CHAN_CONN_LESS:
0139418c 481 /* Connectionless socket */
fe4128e0
GP		 482 chan->scid = L2CAP_CID_CONN_LESS;
483 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 484 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 485 break;
486
416fa752
AE		 487 case L2CAP_CHAN_CONN_FIX_A2MP:
488 chan->scid = L2CAP_CID_A2MP;
489 chan->dcid = L2CAP_CID_A2MP;
490 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
491 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
492 break;
493
5491120e 494 default:
0139418c 495 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 496 chan->scid = L2CAP_CID_SIGNALING;
497 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 498 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 499 }
500
8f7975b1
AE		 501 chan->local_id = L2CAP_BESTEFFORT_ID;
502 chan->local_stype = L2CAP_SERV_BESTEFFORT;
503 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
504 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
505 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
506 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
507
371fd835 508 l2cap_chan_hold(chan);
baa7e1fa 509
3df91ea2 510 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 511}
512
466f8004 513void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 514{
515 mutex_lock(&conn->chan_lock);
516 __l2cap_chan_add(conn, chan);
3df91ea2 517 mutex_unlock(&conn->chan_lock);
0139418c
MH		 518}
519
466f8004 520void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 521{
8c1d787b 522 struct l2cap_conn *conn = chan->conn;
0139418c 523
c9b66675 524 __clear_chan_timer(chan);
0139418c 525
49208c9c 526 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 527
8e87d142 528 if (conn) {
baa7e1fa 529 /* Delete from channel list */
3df91ea2 530 list_del(&chan->list);
3d57dc68 531
371fd835 532 l2cap_chan_put(chan);
baa7e1fa 533
8c1d787b 534 chan->conn = NULL;
3cabbfda
AE		 535
536 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
537 hci_conn_put(conn->hcon);
0139418c
MH		 538 }
539
c0df7f6e
AE		 540 if (chan->ops->teardown)
541 chan->ops->teardown(chan, err);
6be36555 542
2827011f 543 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 544 return;
2ead70b8 545
ee556f66
GP		 546 switch(chan->mode) {
547 case L2CAP_MODE_BASIC:
548 break;
c13ffa62 549
ee556f66 550 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 551 __clear_retrans_timer(chan);
552 __clear_monitor_timer(chan);
553 __clear_ack_timer(chan);
c13ffa62 554
f1c6775b 555 skb_queue_purge(&chan->srej_q);
c13ffa62 556
3c588192
MM		 557 l2cap_seq_list_free(&chan->srej_list);
558 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 559
560 /* fall through */
561
562 case L2CAP_MODE_STREAMING:
563 skb_queue_purge(&chan->tx_q);
564 break;
c13ffa62 565 }
ee556f66
GP		 566
567 return;
0139418c
MH		 568}
569
0f852724 570void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 571{
572 struct l2cap_conn *conn = chan->conn;
573 struct sock *sk = chan->sk;
574
e05dcc32
AE		 575 BT_DBG("chan %p state %s sk %p", chan,
576 state_to_string(chan->state), sk);
4519de9a 577
89bc500e 578 switch (chan->state) {
4519de9a 579 case BT_LISTEN:
c0df7f6e
AE		 580 if (chan->ops->teardown)
581 chan->ops->teardown(chan, 0);
4519de9a
GP		 582 break;
583
584 case BT_CONNECTED:
585 case BT_CONFIG:
715ec005 586 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 587 conn->hcon->type == ACL_LINK) {
c9b66675 588 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 589 l2cap_send_disconn_req(conn, chan, reason);
590 } else
591 l2cap_chan_del(chan, reason);
592 break;
593
594 case BT_CONNECT2:
715ec005 595 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 596 conn->hcon->type == ACL_LINK) {
597 struct l2cap_conn_rsp rsp;
598 __u16 result;
599
c5daa683 600 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 601 result = L2CAP_CR_SEC_BLOCK;
602 else
603 result = L2CAP_CR_BAD_PSM;
89bc500e 604 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 605
606 rsp.scid = cpu_to_le16(chan->dcid);
607 rsp.dcid = cpu_to_le16(chan->scid);
608 rsp.result = cpu_to_le16(result);
ac73498c 609 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4519de9a
GP		 610 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
611 sizeof(rsp), &rsp);
612 }
613
614 l2cap_chan_del(chan, reason);
615 break;
616
617 case BT_CONNECT:
618 case BT_DISCONN:
619 l2cap_chan_del(chan, reason);
620 break;
621
622 default:
c0df7f6e
AE		 623 if (chan->ops->teardown)
624 chan->ops->teardown(chan, 0);
4519de9a
GP		 625 break;
626 }
627}
628
4343478f 629static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 630{
715ec005 631 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 632 switch (chan->sec_level) {
8556edd3
JH		 633 case BT_SECURITY_HIGH:
634 return HCI_AT_DEDICATED_BONDING_MITM;
635 case BT_SECURITY_MEDIUM:
636 return HCI_AT_DEDICATED_BONDING;
637 default:
638 return HCI_AT_NO_BONDING;
639 }
2983fd68 640 } else if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
4343478f
GP		 641 if (chan->sec_level == BT_SECURITY_LOW)
642 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 643
4343478f 644 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 645 return HCI_AT_NO_BONDING_MITM;
00ae4af9 646 else
8556edd3 647 return HCI_AT_NO_BONDING;
00ae4af9 648 } else {
4343478f 649 switch (chan->sec_level) {
00ae4af9 650 case BT_SECURITY_HIGH:
8556edd3 651 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 652 case BT_SECURITY_MEDIUM:
8556edd3 653 return HCI_AT_GENERAL_BONDING;
00ae4af9 654 default:
8556edd3 655 return HCI_AT_NO_BONDING;
00ae4af9 656 }
0684e5f9 657 }
8556edd3
JH		 658}
659
660/* Service level security */
d45fc423 661int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 662{
8c1d787b 663 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 664 __u8 auth_type;
665
4343478f 666 auth_type = l2cap_get_auth_type(chan);
79d554a6 667
4343478f 668 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 669}
670
b5ad8b7f 671static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 672{
673 u8 id;
674
675 /* Get next available identificator.
676 * 1 - 128 are used by kernel.
677 * 129 - 199 are reserved.
678 * 200 - 254 are used by utilities like l2ping, etc.
679 */
680
333055f2 681 spin_lock(&conn->lock);
4e8402a3
MH		 682
683 if (++conn->tx_ident > 128)
684 conn->tx_ident = 1;
685
686 id = conn->tx_ident;
687
333055f2 688 spin_unlock(&conn->lock);
4e8402a3
MH		 689
690 return id;
691}
692
4519de9a 693static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 694{
695 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 696 u8 flags;
4e8402a3
MH		 697
698 BT_DBG("code 0x%2.2x", code);
699
700 if (!skb)
9a9c6a34 701 return;
4e8402a3 702
e702112f
AE		 703 if (lmp_no_flush_capable(conn->hcon->hdev))
704 flags = ACL_START_NO_FLUSH;
705 else
706 flags = ACL_START;
707
14b12d0b 708 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 709 skb->priority = HCI_PRIO_MAX;
14b12d0b 710
73d80deb
LAD		 711 hci_send_acl(conn->hchan, skb, flags);
712}
713
714static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
715{
716 struct hci_conn *hcon = chan->conn->hcon;
717 u16 flags;
718
719 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
720 skb->priority);
721
722 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
723 lmp_no_flush_capable(hcon->hdev))
724 flags = ACL_START_NO_FLUSH;
725 else
726 flags = ACL_START;
14b12d0b 727
73d80deb
LAD		 728 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
729 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 730}
731
b76bbd66
MM		 732static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
733{
734 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
735 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
736
737 if (enh & L2CAP_CTRL_FRAME_TYPE) {
738 /* S-Frame */
739 control->sframe = 1;
740 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
741 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
742
743 control->sar = 0;
744 control->txseq = 0;
745 } else {
746 /* I-Frame */
747 control->sframe = 0;
748 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
749 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
750
751 control->poll = 0;
752 control->super = 0;
753 }
754}
755
b76bbd66
MM		 756static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
757{
758 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
759 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
760
761 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
762 /* S-Frame */
763 control->sframe = 1;
764 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
765 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
766
767 control->sar = 0;
768 control->txseq = 0;
769 } else {
770 /* I-Frame */
771 control->sframe = 0;
772 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
773 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
774
775 control->poll = 0;
776 control->super = 0;
777 }
778}
779
780static inline void __unpack_control(struct l2cap_chan *chan,
781 struct sk_buff *skb)
782{
783 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
784 __unpack_extended_control(get_unaligned_le32(skb->data),
785 &bt_cb(skb)->control);
cec8ab6e 786 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 787 } else {
788 __unpack_enhanced_control(get_unaligned_le16(skb->data),
789 &bt_cb(skb)->control);
cec8ab6e 790 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 791 }
792}
793
b5c6aaed
MM		 794static u32 __pack_extended_control(struct l2cap_ctrl *control)
795{
796 u32 packed;
797
798 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
799 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
800
801 if (control->sframe) {
802 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
803 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
804 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
805 } else {
806 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
807 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
808 }
809
810 return packed;
811}
812
813static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
814{
815 u16 packed;
816
817 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
818 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
819
820 if (control->sframe) {
821 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
822 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
823 packed |= L2CAP_CTRL_FRAME_TYPE;
824 } else {
825 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
826 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
827 }
828
829 return packed;
830}
831
b76bbd66
MM		 832static inline void __pack_control(struct l2cap_chan *chan,
833 struct l2cap_ctrl *control,
834 struct sk_buff *skb)
835{
836 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
837 put_unaligned_le32(__pack_extended_control(control),
838 skb->data + L2CAP_HDR_SIZE);
839 } else {
840 put_unaligned_le16(__pack_enhanced_control(control),
841 skb->data + L2CAP_HDR_SIZE);
842 }
843}
844
ba7aa64f
GP		 845static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
846{
847 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
848 return L2CAP_EXT_HDR_SIZE;
849 else
850 return L2CAP_ENH_HDR_SIZE;
851}
852
a67d7f6f
MM		 853static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
854 u32 control)
b5c6aaed
MM		 855{
856 struct sk_buff *skb;
857 struct l2cap_hdr *lh;
ba7aa64f 858 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 859
860 if (chan->fcs == L2CAP_FCS_CRC16)
861 hlen += L2CAP_FCS_SIZE;
862
a67d7f6f 863 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 864
b5c6aaed 865 if (!skb)
a67d7f6f 866 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 867
868 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
869 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
870 lh->cid = cpu_to_le16(chan->dcid);
871
a67d7f6f
MM		 872 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
873 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
874 else
875 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 876
877 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 878 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 879 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
880 }
881
882 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 883 return skb;
884}
885
886static void l2cap_send_sframe(struct l2cap_chan *chan,
887 struct l2cap_ctrl *control)
888{
889 struct sk_buff *skb;
890 u32 control_field;
891
892 BT_DBG("chan %p, control %p", chan, control);
893
894 if (!control->sframe)
895 return;
896
897 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
898 !control->poll)
899 control->final = 1;
900
901 if (control->super == L2CAP_SUPER_RR)
902 clear_bit(CONN_RNR_SENT, &chan->conn_state);
903 else if (control->super == L2CAP_SUPER_RNR)
904 set_bit(CONN_RNR_SENT, &chan->conn_state);
905
906 if (control->super != L2CAP_SUPER_SREJ) {
907 chan->last_acked_seq = control->reqseq;
908 __clear_ack_timer(chan);
909 }
910
911 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
912 control->final, control->poll, control->super);
913
914 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
915 control_field = __pack_extended_control(control);
916 else
917 control_field = __pack_enhanced_control(control);
918
919 skb = l2cap_create_sframe_pdu(chan, control_field);
920 if (!IS_ERR(skb))
921 l2cap_do_send(chan, skb);
b5c6aaed
MM		 922}
923
c9e3d5e0 924static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 925{
c9e3d5e0
MM		 926 struct l2cap_ctrl control;
927
928 BT_DBG("chan %p, poll %d", chan, poll);
929
930 memset(&control, 0, sizeof(control));
931 control.sframe = 1;
932 control.poll = poll;
933
934 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
935 control.super = L2CAP_SUPER_RNR;
936 else
937 control.super = L2CAP_SUPER_RR;
b5c6aaed 938
c9e3d5e0
MM		 939 control.reqseq = chan->buffer_seq;
940 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 941}
942
b4450035 943static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 944{
c1360a1c 945 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 946}
947
9b27f350
AE		 948static void l2cap_send_conn_req(struct l2cap_chan *chan)
949{
950 struct l2cap_conn *conn = chan->conn;
951 struct l2cap_conn_req req;
952
953 req.scid = cpu_to_le16(chan->scid);
954 req.psm = chan->psm;
955
956 chan->ident = l2cap_get_ident(conn);
957
958 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
959
960 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
961}
962
9f0caeb1
VCG		 963static void l2cap_chan_ready(struct l2cap_chan *chan)
964{
2827011f 965 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 966 chan->conf_state = 0;
967 __clear_chan_timer(chan);
968
54a59aa2 969 chan->state = BT_CONNECTED;
9f0caeb1 970
fd83e2c2 971 chan->ops->ready(chan);
9f0caeb1
VCG		 972}
973
fc7f8a7e 974static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 975{
8c1d787b 976 struct l2cap_conn *conn = chan->conn;
79d554a6 977
9f0caeb1
VCG		 978 if (conn->hcon->type == LE_LINK) {
979 l2cap_chan_ready(chan);
980 return;
981 }
982
79d554a6 983 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 984 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
985 return;
986
d45fc423 987 if (l2cap_chan_check_security(chan) &&
9b27f350
AE		 988 __l2cap_no_conn_pending(chan))
989 l2cap_send_conn_req(chan);
79d554a6
MH		 990 } else {
991 struct l2cap_info_req req;
ac73498c 992 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 993
994 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
995 conn->info_ident = l2cap_get_ident(conn);
996
ba13ccd9 997 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 998
999 l2cap_send_cmd(conn, conn->info_ident,
1000 L2CAP_INFO_REQ, sizeof(req), &req);
1001 }
1002}
1003
cf6c2c0b
GP		 1004static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1005{
1006 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1007 if (!disable_ertm)
cf6c2c0b
GP		 1008 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1009
1010 switch (mode) {
1011 case L2CAP_MODE_ERTM:
1012 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1013 case L2CAP_MODE_STREAMING:
1014 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1015 default:
1016 return 0x00;
1017 }
1018}
1019
4519de9a 1020static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 1021{
6be36555 1022 struct sock *sk = chan->sk;
22121fc9
GP		 1023 struct l2cap_disconn_req req;
1024
c13ffa62
GP		 1025 if (!conn)
1026 return;
1027
0c1bc5c6 1028 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 1029 __clear_retrans_timer(chan);
1030 __clear_monitor_timer(chan);
1031 __clear_ack_timer(chan);
c13ffa62
GP		 1032 }
1033
416fa752
AE		 1034 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1035 __l2cap_state_change(chan, BT_DISCONN);
1036 return;
1037 }
1038
fe4128e0
GP		 1039 req.dcid = cpu_to_le16(chan->dcid);
1040 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 1041 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1042 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 1043
6be36555 1044 lock_sock(sk);
0e587be7 1045 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1046 __l2cap_chan_set_err(chan, err);
6be36555 1047 release_sock(sk);
22121fc9
GP		 1048}
1049
1da177e4 1050/* ---- L2CAP connections ---- */
4e8402a3
MH		 1051static void l2cap_conn_start(struct l2cap_conn *conn)
1052{
3df91ea2 1053 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1054
1055 BT_DBG("conn %p", conn);
1056
3df91ea2 1057 mutex_lock(&conn->chan_lock);
4e8402a3 1058
3df91ea2 1059 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1060 struct sock *sk = chan->sk;
baa7e1fa 1061
6be36555 1062 l2cap_chan_lock(chan);
4e8402a3 1063
715ec005 1064 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1065 l2cap_chan_unlock(chan);
79d554a6
MH		 1066 continue;
1067 }
1068
89bc500e 1069 if (chan->state == BT_CONNECT) {
d45fc423 1070 if (!l2cap_chan_check_security(chan) ||
b4450035 1071 !__l2cap_no_conn_pending(chan)) {
6be36555 1072 l2cap_chan_unlock(chan);
47731de7
GP		 1073 continue;
1074 }
79d554a6 1075
c1360a1c
GP		 1076 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1077 && test_bit(CONF_STATE2_DEVICE,
1078 &chan->conf_state)) {
89bc500e 1079 l2cap_chan_close(chan, ECONNRESET);
6be36555 1080 l2cap_chan_unlock(chan);
47731de7 1081 continue;
b1235d79 1082 }
47731de7 1083
9b27f350 1084 l2cap_send_conn_req(chan);
47731de7 1085
89bc500e 1086 } else if (chan->state == BT_CONNECT2) {
79d554a6 1087 struct l2cap_conn_rsp rsp;
e9aeb2dd 1088 char buf[128];
fe4128e0
GP		 1089 rsp.scid = cpu_to_le16(chan->dcid);
1090 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1091
d45fc423 1092 if (l2cap_chan_check_security(chan)) {
6be36555 1093 lock_sock(sk);
c5daa683
GP		 1094 if (test_bit(BT_SK_DEFER_SETUP,
1095 &bt_sk(sk)->flags)) {
f66dc81f 1096 struct sock *parent = bt_sk(sk)->parent;
ac73498c
AE		 1097 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1098 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 1099 if (parent)
1100 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 1101
1102 } else {
0e587be7 1103 __l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1104 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1105 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1106 }
6be36555 1107 release_sock(sk);
79d554a6 1108 } else {
ac73498c
AE		 1109 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1110 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1111 }
1112
fc7f8a7e
GP		 1113 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1114 sizeof(rsp), &rsp);
e9aeb2dd 1115
c1360a1c 1116 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd 1117 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1118 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1119 continue;
1120 }
1121
c1360a1c 1122 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1123 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 1124 l2cap_build_conf_req(chan, buf), buf);
1125 chan->num_conf_req++;
4e8402a3
MH		 1126 }
1127
6be36555 1128 l2cap_chan_unlock(chan);
4e8402a3
MH		 1129 }
1130
3df91ea2 1131 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1132}
1133
c2287681 1134/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1135 * Returns closest match, locked.
1136 */
d9b88702 1137static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1138 bdaddr_t *src,
1139 bdaddr_t *dst)
b62f328b 1140{
23691d75 1141 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1142
23691d75 1143 read_lock(&chan_list_lock);
b62f328b 1144
23691d75
GP		 1145 list_for_each_entry(c, &chan_list, global_l) {
1146 struct sock *sk = c->sk;
fe4128e0 1147
89bc500e 1148 if (state && c->state != state)
b62f328b
VT		 1149 continue;
1150
23691d75 1151 if (c->scid == cid) {
c2287681
IY		 1152 int src_match, dst_match;
1153 int src_any, dst_any;
1154
b62f328b 1155 /* Exact match. */
c2287681
IY		 1156 src_match = !bacmp(&bt_sk(sk)->src, src);
1157 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1158 if (src_match && dst_match) {
23691d75
GP		 1159 read_unlock(&chan_list_lock);
1160 return c;
1161 }
b62f328b
VT		 1162
1163 /* Closest match */
c2287681
IY		 1164 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1165 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1166 if ((src_match && dst_any) || (src_any && dst_match) ||
1167 (src_any && dst_any))
23691d75 1168 c1 = c;
b62f328b
VT		 1169 }
1170 }
280f294f 1171
23691d75 1172 read_unlock(&chan_list_lock);
b62f328b 1173
23691d75 1174 return c1;
b62f328b
VT		 1175}
1176
1177static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1178{
c916fbe4 1179 struct sock *parent, *sk;
23691d75 1180 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1181
1182 BT_DBG("");
1183
1184 /* Check if we have socket listening on cid */
23691d75 1185 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1186 conn->src, conn->dst);
23691d75 1187 if (!pchan)
b62f328b
VT		 1188 return;
1189
23691d75
GP		 1190 parent = pchan->sk;
1191
aa2ac881 1192 lock_sock(parent);
62f3a2cf 1193
80b98027 1194 chan = pchan->ops->new_connection(pchan);
80808e43 1195 if (!chan)
b62f328b
VT		 1196 goto clean;
1197
80808e43 1198 sk = chan->sk;
5d41ce1d 1199
b62f328b
VT		 1200 hci_conn_hold(conn->hcon);
1201
b62f328b
VT		 1202 bacpy(&bt_sk(sk)->src, conn->src);
1203 bacpy(&bt_sk(sk)->dst, conn->dst);
1204
d1010240
GP		 1205 bt_accept_enqueue(parent, sk);
1206
3d57dc68 1207 l2cap_chan_add(conn, chan);
48454079 1208
6754e0df 1209 l2cap_chan_ready(chan);
b62f328b 1210
b62f328b 1211clean:
aa2ac881 1212 release_sock(parent);
b62f328b
VT		 1213}
1214
4e8402a3
MH		 1215static void l2cap_conn_ready(struct l2cap_conn *conn)
1216{
48454079 1217 struct l2cap_chan *chan;
4e8402a3 1218
79d554a6 1219 BT_DBG("conn %p", conn);
4e8402a3 1220
b62f328b
VT		 1221 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
1222 l2cap_le_conn_ready(conn);
1223
160dc6ac
VCG		 1224 if (conn->hcon->out && conn->hcon->type == LE_LINK)
1225 smp_conn_security(conn, conn->hcon->pending_sec_level);
1226
3df91ea2 1227 mutex_lock(&conn->chan_lock);
4e8402a3 1228
3df91ea2 1229 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1230
6be36555 1231 l2cap_chan_lock(chan);
4e8402a3 1232
416fa752
AE		 1233 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1234 l2cap_chan_unlock(chan);
1235 continue;
1236 }
1237
63128451 1238 if (conn->hcon->type == LE_LINK) {
b501d6a1 1239 if (smp_conn_security(conn, chan->sec_level))
cf4cd009 1240 l2cap_chan_ready(chan);
acd7d370 1241
63128451 1242 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1243 struct sock *sk = chan->sk;
c9b66675 1244 __clear_chan_timer(chan);
6be36555 1245 lock_sock(sk);
0e587be7 1246 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1247 sk->sk_state_change(sk);
6be36555 1248 release_sock(sk);
b501d6a1 1249
89bc500e 1250 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1251 l2cap_do_start(chan);
4e8402a3 1252
6be36555 1253 l2cap_chan_unlock(chan);
4e8402a3 1254 }
79d554a6 1255
3df91ea2 1256 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1257}
1258
1259/* Notify sockets that we cannot guaranty reliability anymore */
1260static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1261{
48454079 1262 struct l2cap_chan *chan;
4e8402a3
MH		 1263
1264 BT_DBG("conn %p", conn);
1265
3df91ea2 1266 mutex_lock(&conn->chan_lock);
4e8402a3 1267
3df91ea2 1268 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1269 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
2e0052e4 1270 __l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1271 }
1272
3df91ea2 1273 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1274}
1275
f878fcad 1276static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1277{
f878fcad 1278 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
030013d8 1279 info_timer.work);
4e8402a3 1280
984947dc 1281 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1282 conn->info_ident = 0;
984947dc 1283
4e8402a3
MH		 1284 l2cap_conn_start(conn);
1285}
1286
5d3de7df
VCG		 1287static void l2cap_conn_del(struct hci_conn *hcon, int err)
1288{
1289 struct l2cap_conn *conn = hcon->l2cap_data;
1290 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1291
1292 if (!conn)
1293 return;
1294
1295 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1296
1297 kfree_skb(conn->rx_skb);
1298
3df91ea2
AE		 1299 mutex_lock(&conn->chan_lock);
1300
5d3de7df
VCG		 1301 /* Kill channels */
1302 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1303 l2cap_chan_hold(chan);
6be36555
AE		 1304 l2cap_chan_lock(chan);
1305
5d3de7df 1306 l2cap_chan_del(chan, err);
6be36555
AE		 1307
1308 l2cap_chan_unlock(chan);
1309
80b98027 1310 chan->ops->close(chan);
61d6ef3e 1311 l2cap_chan_put(chan);
5d3de7df
VCG		 1312 }
1313
3df91ea2
AE		 1314 mutex_unlock(&conn->chan_lock);
1315
73d80deb
LAD		 1316 hci_chan_del(conn->hchan);
1317
5d3de7df 1318 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1319 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1320
51a8efd7 1321 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1322 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1323 smp_chan_destroy(conn);
d26a2345 1324 }
5d3de7df
VCG		 1325
1326 hcon->l2cap_data = NULL;
1327 kfree(conn);
1328}
1329
6c9d42a1 1330static void security_timeout(struct work_struct *work)
5d3de7df 1331{
6c9d42a1
GP		 1332 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1333 security_timer.work);
5d3de7df 1334
d06cc416
JH		 1335 BT_DBG("conn %p", conn);
1336
1337 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1338 smp_chan_destroy(conn);
1339 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1340 }
5d3de7df
VCG		 1341}
1342
1da177e4
LT		 1343static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1344{
0139418c 1345 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1346 struct hci_chan *hchan;
1da177e4 1347
0139418c 1348 if (conn || status)
1da177e4
LT		 1349 return conn;
1350
73d80deb
LAD		 1351 hchan = hci_chan_create(hcon);
1352 if (!hchan)
1353 return NULL;
1354
0139418c 1355 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
73d80deb
LAD		 1356 if (!conn) {
1357 hci_chan_del(hchan);
1da177e4 1358 return NULL;
73d80deb 1359 }
1da177e4
LT		 1360
1361 hcon->l2cap_data = conn;
1362 conn->hcon = hcon;
73d80deb 1363 conn->hchan = hchan;
1da177e4 1364
73d80deb 1365 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1366
acd7d370
VT		 1367 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1368 conn->mtu = hcon->hdev->le_mtu;
1369 else
1370 conn->mtu = hcon->hdev->acl_mtu;
1371
1da177e4
LT		 1372 conn->src = &hcon->hdev->bdaddr;
1373 conn->dst = &hcon->dst;
1374
4e8402a3
MH		 1375 conn->feat_mask = 0;
1376
1da177e4 1377 spin_lock_init(&conn->lock);
3df91ea2 1378 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1379
1380 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1381
5d3de7df 1382 if (hcon->type == LE_LINK)
6c9d42a1 1383 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1384 else
030013d8 1385 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1386
9f5a0d7b 1387 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1388
1da177e4
LT		 1389 return conn;
1390}
1391
1da177e4 1392/* ---- Socket interface ---- */
1da177e4 1393
c2287681 1394/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1395 * Returns closest match.
1396 */
c2287681
IY		 1397static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1398 bdaddr_t *src,
1399 bdaddr_t *dst)
1da177e4 1400{
23691d75 1401 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1402
23691d75 1403 read_lock(&chan_list_lock);
e0f0cb56 1404
23691d75
GP		 1405 list_for_each_entry(c, &chan_list, global_l) {
1406 struct sock *sk = c->sk;
fe4128e0 1407
89bc500e 1408 if (state && c->state != state)
1da177e4
LT		 1409 continue;
1410
23691d75 1411 if (c->psm == psm) {
c2287681
IY		 1412 int src_match, dst_match;
1413 int src_any, dst_any;
1414
1da177e4 1415 /* Exact match. */
c2287681
IY		 1416 src_match = !bacmp(&bt_sk(sk)->src, src);
1417 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1418 if (src_match && dst_match) {
a7567b20 1419 read_unlock(&chan_list_lock);
23691d75
GP		 1420 return c;
1421 }
1da177e4
LT		 1422
1423 /* Closest match */
c2287681
IY		 1424 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1425 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1426 if ((src_match && dst_any) || (src_any && dst_match) ||
1427 (src_any && dst_any))
23691d75 1428 c1 = c;
1da177e4
LT		 1429 }
1430 }
1da177e4 1431
23691d75 1432 read_unlock(&chan_list_lock);
e0f0cb56 1433
23691d75 1434 return c1;
1da177e4
LT		 1435}
1436
8e9f9892
AG		 1437int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1438 bdaddr_t *dst, u8 dst_type)
1da177e4 1439{
5d41ce1d 1440 struct sock *sk = chan->sk;
1da177e4 1441 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1442 struct l2cap_conn *conn;
1443 struct hci_conn *hcon;
1444 struct hci_dev *hdev;
09ab6f4c 1445 __u8 auth_type;
44d0e48e 1446 int err;
1da177e4 1447
8e9f9892
AG		 1448 BT_DBG("%s -> %s (type %u) psm 0x%2.2x", batostr(src), batostr(dst),
1449 dst_type, __le16_to_cpu(chan->psm));
1da177e4 1450
af05b30b
GP		 1451 hdev = hci_get_route(dst, src);
1452 if (!hdev)
1da177e4
LT		 1453 return -EHOSTUNREACH;
1454
09fd0de5 1455 hci_dev_lock(hdev);
1da177e4 1456
6be36555 1457 l2cap_chan_lock(chan);
03a00194
GP		 1458
1459 /* PSM must be odd and lsb of upper byte must be 0 */
1460 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1461 chan->chan_type != L2CAP_CHAN_RAW) {
1462 err = -EINVAL;
1463 goto done;
1464 }
1465
1466 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1467 err = -EINVAL;
1468 goto done;
1469 }
1470
1471 switch (chan->mode) {
1472 case L2CAP_MODE_BASIC:
1473 break;
1474 case L2CAP_MODE_ERTM:
1475 case L2CAP_MODE_STREAMING:
1476 if (!disable_ertm)
1477 break;
1478 /* fall through */
1479 default:
1480 err = -ENOTSUPP;
1481 goto done;
1482 }
1483
0797e01d 1484 switch (chan->state) {
03a00194
GP		 1485 case BT_CONNECT:
1486 case BT_CONNECT2:
1487 case BT_CONFIG:
1488 /* Already connecting */
1489 err = 0;
1490 goto done;
1491
1492 case BT_CONNECTED:
1493 /* Already connected */
1494 err = -EISCONN;
1495 goto done;
1496
1497 case BT_OPEN:
1498 case BT_BOUND:
1499 /* Can connect */
1500 break;
1501
1502 default:
1503 err = -EBADFD;
1504 goto done;
1505 }
1506
1507 /* Set destination address and psm */
0797e01d 1508 lock_sock(sk);
9219b2a0 1509 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1510 release_sock(sk);
1511
03a00194
GP		 1512 chan->psm = psm;
1513 chan->dcid = cid;
1da177e4 1514
4343478f 1515 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1516
fe4128e0 1517 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1518 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1519 chan->sec_level, auth_type);
acd7d370 1520 else
8e9f9892 1521 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1522 chan->sec_level, auth_type);
acd7d370 1523
30e76272
VT		 1524 if (IS_ERR(hcon)) {
1525 err = PTR_ERR(hcon);
1da177e4 1526 goto done;
30e76272 1527 }
1da177e4
LT		 1528
1529 conn = l2cap_conn_add(hcon, 0);
1530 if (!conn) {
1531 hci_conn_put(hcon);
30e76272 1532 err = -ENOMEM;
1da177e4
LT		 1533 goto done;
1534 }
1535
9f0caeb1
VCG		 1536 if (hcon->type == LE_LINK) {
1537 err = 0;
1538
1539 if (!list_empty(&conn->chan_l)) {
1540 err = -EBUSY;
1541 hci_conn_put(hcon);
1542 }
1543
1544 if (err)
1545 goto done;
1546 }
1547
1da177e4
LT		 1548 /* Update source addr of the socket */
1549 bacpy(src, conn->src);
1550
6be36555 1551 l2cap_chan_unlock(chan);
48454079 1552 l2cap_chan_add(conn, chan);
6be36555 1553 l2cap_chan_lock(chan);
48454079 1554
6be36555 1555 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1556 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1557
1558 if (hcon->state == BT_CONNECTED) {
715ec005 1559 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1560 __clear_chan_timer(chan);
d45fc423 1561 if (l2cap_chan_check_security(chan))
6be36555 1562 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1563 } else
fc7f8a7e 1564 l2cap_do_start(chan);
1da177e4
LT		 1565 }
1566
30e76272
VT		 1567 err = 0;
1568
1da177e4 1569done:
6be36555 1570 l2cap_chan_unlock(chan);
09fd0de5 1571 hci_dev_unlock(hdev);
1da177e4
LT		 1572 hci_dev_put(hdev);
1573 return err;
1574}
1575
dcba0dba 1576int __l2cap_wait_ack(struct sock *sk)
6161c038 1577{
8c1d787b 1578 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1579 DECLARE_WAITQUEUE(wait, current);
1580 int err = 0;
1581 int timeo = HZ/5;
1582
2b0b05dd 1583 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1584 set_current_state(TASK_INTERRUPTIBLE);
1585 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1586 if (!timeo)
1587 timeo = HZ/5;
1588
1589 if (signal_pending(current)) {
1590 err = sock_intr_errno(timeo);
1591 break;
1592 }
1593
1594 release_sock(sk);
1595 timeo = schedule_timeout(timeo);
1596 lock_sock(sk);
a71a0cf4 1597 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1598
1599 err = sock_error(sk);
1600 if (err)
1601 break;
1602 }
1603 set_current_state(TASK_RUNNING);
2b0b05dd 1604 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1605 return err;
1606}
1607
721c4181 1608static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1609{
721c4181 1610 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1611 monitor_timer.work);
e90bac06 1612
525cd185 1613 BT_DBG("chan %p", chan);
0e98958d 1614
6be36555
AE		 1615 l2cap_chan_lock(chan);
1616
80909e04 1617 if (!chan->conn) {
6be36555 1618 l2cap_chan_unlock(chan);
8d7e1c7f 1619 l2cap_chan_put(chan);
e90bac06
GP		 1620 return;
1621 }
1622
401bb1f7 1623 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1624
6be36555 1625 l2cap_chan_unlock(chan);
8d7e1c7f 1626 l2cap_chan_put(chan);
e90bac06
GP		 1627}
1628
721c4181 1629static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1630{
721c4181 1631 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1632 retrans_timer.work);
e90bac06 1633
49208c9c 1634 BT_DBG("chan %p", chan);
0e98958d 1635
6be36555
AE		 1636 l2cap_chan_lock(chan);
1637
80909e04
MM		 1638 if (!chan->conn) {
1639 l2cap_chan_unlock(chan);
1640 l2cap_chan_put(chan);
1641 return;
1642 }
6be36555 1643
401bb1f7 1644 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1645 l2cap_chan_unlock(chan);
8d7e1c7f 1646 l2cap_chan_put(chan);
e90bac06
GP		 1647}
1648
d660366d
GP		 1649static void l2cap_streaming_send(struct l2cap_chan *chan,
1650 struct sk_buff_head *skbs)
6840ed07 1651{
ccbb84af 1652 struct sk_buff *skb;
3733937d 1653 struct l2cap_ctrl *control;
6840ed07 1654
3733937d
MM		 1655 BT_DBG("chan %p, skbs %p", chan, skbs);
1656
3733937d
MM		 1657 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1658
1659 while (!skb_queue_empty(&chan->tx_q)) {
1660
1661 skb = skb_dequeue(&chan->tx_q);
1662
1663 bt_cb(skb)->control.retries = 1;
1664 control = &bt_cb(skb)->control;
1665
1666 control->reqseq = 0;
1667 control->txseq = chan->next_tx_seq;
1668
1669 __pack_control(chan, control, skb);
6840ed07 1670
47d1ec61 1671 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1672 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1673 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1674 }
1675
4343478f 1676 l2cap_do_send(chan, skb);
6840ed07 1677
b4400672 1678 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1679
836be934 1680 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1681 chan->frames_sent++;
6840ed07 1682 }
6840ed07
GP		 1683}
1684
67c9e840 1685static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1686{
1687 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1688 struct l2cap_ctrl *control;
1689 int sent = 0;
1690
1691 BT_DBG("chan %p", chan);
1c2acffb 1692
89bc500e 1693 if (chan->state != BT_CONNECTED)
c13ffa62 1694 return -ENOTCONN;
e90bac06 1695
94122bbe
MM		 1696 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1697 return 0;
1698
18a48e76
MM		 1699 while (chan->tx_send_head &&
1700 chan->unacked_frames < chan->remote_tx_win &&
1701 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1702
18a48e76 1703 skb = chan->tx_send_head;
e90bac06 1704
18a48e76
MM		 1705 bt_cb(skb)->control.retries = 1;
1706 control = &bt_cb(skb)->control;
95ffa978 1707
e2ab4353 1708 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1709 control->final = 1;
e2ab4353 1710
18a48e76
MM		 1711 control->reqseq = chan->buffer_seq;
1712 chan->last_acked_seq = chan->buffer_seq;
1713 control->txseq = chan->next_tx_seq;
1c2acffb 1714
18a48e76 1715 __pack_control(chan, control, skb);
e90bac06 1716
47d1ec61 1717 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1718 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1719 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1720 }
1721
18a48e76
MM		 1722 /* Clone after data has been modified. Data is assumed to be
1723 read-only (for locking purposes) on cloned sk_buffs.
1724 */
1725 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1726
18a48e76
MM		 1727 if (!tx_skb)
1728 break;
1c2acffb 1729
18a48e76 1730 __set_retrans_timer(chan);
836be934
AE		 1731
1732 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1733 chan->unacked_frames++;
6a026610 1734 chan->frames_sent++;
18a48e76 1735 sent++;
1c2acffb 1736
58d35f87
GP		 1737 if (skb_queue_is_last(&chan->tx_q, skb))
1738 chan->tx_send_head = NULL;
1c2acffb 1739 else
58d35f87 1740 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1741
1742 l2cap_do_send(chan, tx_skb);
b4400672 1743 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 1744 }
1745
b4400672
AE		 1746 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1747 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 1748
1749 return sent;
9e917af1
GP		 1750}
1751
e1fbd4c1
MM		 1752static void l2cap_ertm_resend(struct l2cap_chan *chan)
1753{
1754 struct l2cap_ctrl control;
1755 struct sk_buff *skb;
1756 struct sk_buff *tx_skb;
1757 u16 seq;
1758
1759 BT_DBG("chan %p", chan);
1760
1761 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1762 return;
1763
1764 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1765 seq = l2cap_seq_list_pop(&chan->retrans_list);
1766
1767 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1768 if (!skb) {
1769 BT_DBG("Error: Can't retransmit seq %d, frame missing",
1770 seq);
1771 continue;
1772 }
1773
1774 bt_cb(skb)->control.retries++;
1775 control = bt_cb(skb)->control;
1776
1777 if (chan->max_tx != 0 &&
1778 bt_cb(skb)->control.retries > chan->max_tx) {
1779 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1780 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
1781 l2cap_seq_list_clear(&chan->retrans_list);
1782 break;
1783 }
1784
1785 control.reqseq = chan->buffer_seq;
1786 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1787 control.final = 1;
1788 else
1789 control.final = 0;
1790
1791 if (skb_cloned(skb)) {
1792 /* Cloned sk_buffs are read-only, so we need a
1793 * writeable copy
1794 */
1795 tx_skb = skb_copy(skb, GFP_ATOMIC);
1796 } else {
1797 tx_skb = skb_clone(skb, GFP_ATOMIC);
1798 }
1799
1800 if (!tx_skb) {
1801 l2cap_seq_list_clear(&chan->retrans_list);
1802 break;
1803 }
1804
1805 /* Update skb contents */
1806 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1807 put_unaligned_le32(__pack_extended_control(&control),
1808 tx_skb->data + L2CAP_HDR_SIZE);
1809 } else {
1810 put_unaligned_le16(__pack_enhanced_control(&control),
1811 tx_skb->data + L2CAP_HDR_SIZE);
1812 }
1813
1814 if (chan->fcs == L2CAP_FCS_CRC16) {
1815 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
1816 put_unaligned_le16(fcs, skb_put(tx_skb,
1817 L2CAP_FCS_SIZE));
1818 }
1819
1820 l2cap_do_send(chan, tx_skb);
1821
1822 BT_DBG("Resent txseq %d", control.txseq);
1823
1824 chan->last_acked_seq = chan->buffer_seq;
1825 }
1826}
1827
f80842a8
MM		 1828static void l2cap_retransmit(struct l2cap_chan *chan,
1829 struct l2cap_ctrl *control)
1830{
1831 BT_DBG("chan %p, control %p", chan, control);
1832
1833 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
1834 l2cap_ertm_resend(chan);
1835}
1836
d2a7ac5d
MM		 1837static void l2cap_retransmit_all(struct l2cap_chan *chan,
1838 struct l2cap_ctrl *control)
1839{
e1fbd4c1
MM		 1840 struct sk_buff *skb;
1841
1842 BT_DBG("chan %p, control %p", chan, control);
1843
1844 if (control->poll)
1845 set_bit(CONN_SEND_FBIT, &chan->conn_state);
1846
1847 l2cap_seq_list_clear(&chan->retrans_list);
1848
1849 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1850 return;
1851
1852 if (chan->unacked_frames) {
1853 skb_queue_walk(&chan->tx_q, skb) {
1854 if (bt_cb(skb)->control.txseq == control->reqseq ||
1855 skb == chan->tx_send_head)
1856 break;
1857 }
1858
1859 skb_queue_walk_from(&chan->tx_q, skb) {
1860 if (skb == chan->tx_send_head)
1861 break;
1862
1863 l2cap_seq_list_append(&chan->retrans_list,
1864 bt_cb(skb)->control.txseq);
1865 }
1866
1867 l2cap_ertm_resend(chan);
1868 }
d2a7ac5d
MM		 1869}
1870
0a0aba42 1871static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1872{
0a0aba42
MM		 1873 struct l2cap_ctrl control;
1874 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
1875 chan->last_acked_seq);
1876 int threshold;
9e917af1 1877
0a0aba42
MM		 1878 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
1879 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 1880
0a0aba42
MM		 1881 memset(&control, 0, sizeof(control));
1882 control.sframe = 1;
dfc909be 1883
0a0aba42
MM		 1884 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
1885 chan->rx_state == L2CAP_RX_STATE_RECV) {
1886 __clear_ack_timer(chan);
1887 control.super = L2CAP_SUPER_RNR;
1888 control.reqseq = chan->buffer_seq;
1889 l2cap_send_sframe(chan, &control);
1890 } else {
1891 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
1892 l2cap_ertm_send(chan);
1893 /* If any i-frames were sent, they included an ack */
1894 if (chan->buffer_seq == chan->last_acked_seq)
1895 frames_to_ack = 0;
1896 }
dfc909be 1897
c20f8e35 1898 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 1899 * Calculate without mul or div
1900 */
c20f8e35 1901 threshold = chan->ack_win;
0a0aba42
MM		 1902 threshold += threshold << 1;
1903 threshold >>= 2;
1904
b4400672 1905 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 1906 threshold);
1907
1908 if (frames_to_ack >= threshold) {
1909 __clear_ack_timer(chan);
1910 control.super = L2CAP_SUPER_RR;
1911 control.reqseq = chan->buffer_seq;
1912 l2cap_send_sframe(chan, &control);
1913 frames_to_ack = 0;
1914 }
1c2acffb 1915
0a0aba42
MM		 1916 if (frames_to_ack)
1917 __set_ack_timer(chan);
1918 }
b17e73bb
SJ		 1919}
1920
04124681
GP		 1921static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
1922 struct msghdr *msg, int len,
1923 int count, struct sk_buff *skb)
1c2acffb 1924{
0952a57a 1925 struct l2cap_conn *conn = chan->conn;
1c2acffb 1926 struct sk_buff **frag;
90338947 1927 int sent = 0;
1da177e4 1928
59203a21 1929 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1930 return -EFAULT;
1da177e4
LT		 1931
1932 sent += count;
1933 len -= count;
1934
1935 /* Continuation fragments (no L2CAP header) */
1936 frag = &skb_shinfo(skb)->frag_list;
1937 while (len) {
fbe00700
GP		 1938 struct sk_buff *tmp;
1939
1da177e4
LT		 1940 count = min_t(unsigned int, conn->mtu, len);
1941
fbe00700
GP		 1942 tmp = chan->ops->alloc_skb(chan, count,
1943 msg->msg_flags & MSG_DONTWAIT);
1944 if (IS_ERR(tmp))
1945 return PTR_ERR(tmp);
1946
1947 *frag = tmp;
2f7719ce 1948
1c2acffb
GP		 1949 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1950 return -EFAULT;
1da177e4 1951
5e59b791
LAD		 1952 (*frag)->priority = skb->priority;
1953
1da177e4
LT		 1954 sent += count;
1955 len -= count;
1956
2d0ed3d5
GP		 1957 skb->len += (*frag)->len;
1958 skb->data_len += (*frag)->len;
1959
1da177e4
LT		 1960 frag = &(*frag)->next;
1961 }
1da177e4
LT		 1962
1963 return sent;
1c2acffb 1964}
1da177e4 1965
5e59b791 1966static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
b4400672
AE		 1967 struct msghdr *msg, size_t len,
1968 u32 priority)
1c2acffb 1969{
8c1d787b 1970 struct l2cap_conn *conn = chan->conn;
1c2acffb 1971 struct sk_buff *skb;
03a51213 1972 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 1973 struct l2cap_hdr *lh;
1974
b4400672 1975 BT_DBG("chan %p len %zu priority %u", chan, len, priority);
1c2acffb
GP		 1976
1977 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1978
1979 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 1980 msg->msg_flags & MSG_DONTWAIT);
1981 if (IS_ERR(skb))
1982 return skb;
1c2acffb 1983
5e59b791
LAD		 1984 skb->priority = priority;
1985
1c2acffb
GP		 1986 /* Create L2CAP header */
1987 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1988 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 1989 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
1990 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 1991
0952a57a 1992 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1993 if (unlikely(err < 0)) {
1994 kfree_skb(skb);
1995 return ERR_PTR(err);
1996 }
1997 return skb;
1998}
1999
5e59b791 2000static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
b4400672
AE		 2001 struct msghdr *msg, size_t len,
2002 u32 priority)
1c2acffb 2003{
8c1d787b 2004 struct l2cap_conn *conn = chan->conn;
1c2acffb 2005 struct sk_buff *skb;
f2ba7fae 2006 int err, count;
1c2acffb
GP		 2007 struct l2cap_hdr *lh;
2008
b4400672 2009 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2010
f2ba7fae 2011 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2012
f2ba7fae 2013 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 2014 msg->msg_flags & MSG_DONTWAIT);
2015 if (IS_ERR(skb))
2016 return skb;
1c2acffb 2017
5e59b791
LAD		 2018 skb->priority = priority;
2019
1c2acffb
GP		 2020 /* Create L2CAP header */
2021 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2022 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2023 lh->len = cpu_to_le16(len);
1c2acffb 2024
0952a57a 2025 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2026 if (unlikely(err < 0)) {
2027 kfree_skb(skb);
2028 return ERR_PTR(err);
2029 }
2030 return skb;
2031}
2032
ab0ff76d 2033static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2034 struct msghdr *msg, size_t len,
2035 u16 sdulen)
1c2acffb 2036{
8c1d787b 2037 struct l2cap_conn *conn = chan->conn;
1c2acffb 2038 struct sk_buff *skb;
e4ca6d98 2039 int err, count, hlen;
1c2acffb
GP		 2040 struct l2cap_hdr *lh;
2041
b4400672 2042 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2043
0ee0d208
GP		 2044 if (!conn)
2045 return ERR_PTR(-ENOTCONN);
2046
ba7aa64f 2047 hlen = __ertm_hdr_size(chan);
e4ca6d98 2048
c74e560c 2049 if (sdulen)
03a51213 2050 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2051
47d1ec61 2052 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2053 hlen += L2CAP_FCS_SIZE;
fcc203c3 2054
1c2acffb 2055 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2056
2057 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2058 msg->msg_flags & MSG_DONTWAIT);
2059 if (IS_ERR(skb))
2060 return skb;
1c2acffb
GP		 2061
2062 /* Create L2CAP header */
2063 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2064 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2065 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2066
18a48e76
MM		 2067 /* Control header is populated later */
2068 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2069 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2070 else
2071 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2072
c74e560c 2073 if (sdulen)
03a51213 2074 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2075
0952a57a 2076 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2077 if (unlikely(err < 0)) {
2078 kfree_skb(skb);
2079 return ERR_PTR(err);
2080 }
e90bac06 2081
18a48e76 2082 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2083 bt_cb(skb)->control.retries = 0;
1c2acffb 2084 return skb;
1da177e4
LT		 2085}
2086
94122bbe
MM		 2087static int l2cap_segment_sdu(struct l2cap_chan *chan,
2088 struct sk_buff_head *seg_queue,
2089 struct msghdr *msg, size_t len)
c74e560c 2090{
c74e560c 2091 struct sk_buff *skb;
94122bbe
MM		 2092 u16 sdu_len;
2093 size_t pdu_len;
94122bbe 2094 u8 sar;
c74e560c 2095
b4400672 2096 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2097
94122bbe
MM		 2098 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2099 * so fragmented skbs are not used. The HCI layer's handling
2100 * of fragmented skbs is not compatible with ERTM's queueing.
2101 */
c74e560c 2102
94122bbe
MM		 2103 /* PDU size is derived from the HCI MTU */
2104 pdu_len = chan->conn->mtu;
c74e560c 2105
94122bbe
MM		 2106 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2107
2108 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2109 if (chan->fcs)
2110 pdu_len -= L2CAP_FCS_SIZE;
2111
ba7aa64f 2112 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2113
2114 /* Remote device may have requested smaller PDUs */
2115 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2116
2117 if (len <= pdu_len) {
2118 sar = L2CAP_SAR_UNSEGMENTED;
2119 sdu_len = 0;
2120 pdu_len = len;
2121 } else {
2122 sar = L2CAP_SAR_START;
2123 sdu_len = len;
2124 pdu_len -= L2CAP_SDULEN_SIZE;
2125 }
2126
2127 while (len > 0) {
2128 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2129
c74e560c 2130 if (IS_ERR(skb)) {
94122bbe 2131 __skb_queue_purge(seg_queue);
c74e560c
GP		 2132 return PTR_ERR(skb);
2133 }
2134
94122bbe
MM		 2135 bt_cb(skb)->control.sar = sar;
2136 __skb_queue_tail(seg_queue, skb);
2137
2138 len -= pdu_len;
2139 if (sdu_len) {
2140 sdu_len = 0;
2141 pdu_len += L2CAP_SDULEN_SIZE;
2142 }
2143
2144 if (len <= pdu_len) {
2145 sar = L2CAP_SAR_END;
2146 pdu_len = len;
2147 } else {
2148 sar = L2CAP_SAR_CONTINUE;
2149 }
c74e560c 2150 }
c74e560c 2151
f0f62799 2152 return 0;
c74e560c
GP		 2153}
2154
5e59b791
LAD		 2155int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2156 u32 priority)
9a91a04a 2157{
9a91a04a 2158 struct sk_buff *skb;
9a91a04a 2159 int err;
94122bbe 2160 struct sk_buff_head seg_queue;
9a91a04a
GP		 2161
2162 /* Connectionless channel */
715ec005 2163 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2164 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2165 if (IS_ERR(skb))
2166 return PTR_ERR(skb);
2167
2168 l2cap_do_send(chan, skb);
2169 return len;
2170 }
2171
2172 switch (chan->mode) {
2173 case L2CAP_MODE_BASIC:
2174 /* Check outgoing MTU */
2175 if (len > chan->omtu)
2176 return -EMSGSIZE;
2177
2178 /* Create a basic PDU */
5e59b791 2179 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2180 if (IS_ERR(skb))
2181 return PTR_ERR(skb);
2182
2183 l2cap_do_send(chan, skb);
2184 err = len;
2185 break;
2186
2187 case L2CAP_MODE_ERTM:
2188 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2189 /* Check outgoing MTU */
2190 if (len > chan->omtu) {
2191 err = -EMSGSIZE;
2192 break;
2193 }
9a91a04a 2194
94122bbe 2195 __skb_queue_head_init(&seg_queue);
9a91a04a 2196
94122bbe
MM		 2197 /* Do segmentation before calling in to the state machine,
2198 * since it's possible to block while waiting for memory
2199 * allocation.
2200 */
2201 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2202
94122bbe
MM		 2203 /* The channel could have been closed while segmenting,
2204 * check that it is still connected.
2205 */
2206 if (chan->state != BT_CONNECTED) {
2207 __skb_queue_purge(&seg_queue);
2208 err = -ENOTCONN;
9a91a04a
GP		 2209 }
2210
94122bbe 2211 if (err)
9a91a04a 2212 break;
9a91a04a 2213
3733937d 2214 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2215 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2216 else
d660366d 2217 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2218
d660366d 2219 err = len;
9a91a04a 2220
94122bbe
MM		 2221 /* If the skbs were not queued for sending, they'll still be in
2222 * seg_queue and need to be purged.
2223 */
2224 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2225 break;
2226
2227 default:
2228 BT_DBG("bad state %1.1x", chan->mode);
2229 err = -EBADFD;
2230 }
2231
2232 return err;
2233}
2234
d2a7ac5d
MM		 2235static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2236{
bed68bde
MM		 2237 struct l2cap_ctrl control;
2238 u16 seq;
2239
b4400672 2240 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2241
2242 memset(&control, 0, sizeof(control));
2243 control.sframe = 1;
2244 control.super = L2CAP_SUPER_SREJ;
2245
2246 for (seq = chan->expected_tx_seq; seq != txseq;
2247 seq = __next_seq(chan, seq)) {
2248 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2249 control.reqseq = seq;
2250 l2cap_send_sframe(chan, &control);
2251 l2cap_seq_list_append(&chan->srej_list, seq);
2252 }
2253 }
2254
2255 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2256}
2257
2258static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2259{
bed68bde
MM		 2260 struct l2cap_ctrl control;
2261
2262 BT_DBG("chan %p", chan);
2263
2264 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2265 return;
2266
2267 memset(&control, 0, sizeof(control));
2268 control.sframe = 1;
2269 control.super = L2CAP_SUPER_SREJ;
2270 control.reqseq = chan->srej_list.tail;
2271 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2272}
2273
2274static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2275{
bed68bde
MM		 2276 struct l2cap_ctrl control;
2277 u16 initial_head;
2278 u16 seq;
2279
b4400672 2280 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2281
2282 memset(&control, 0, sizeof(control));
2283 control.sframe = 1;
2284 control.super = L2CAP_SUPER_SREJ;
2285
2286 /* Capture initial list head to allow only one pass through the list. */
2287 initial_head = chan->srej_list.head;
2288
2289 do {
2290 seq = l2cap_seq_list_pop(&chan->srej_list);
2291 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2292 break;
2293
2294 control.reqseq = seq;
2295 l2cap_send_sframe(chan, &control);
2296 l2cap_seq_list_append(&chan->srej_list, seq);
2297 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2298}
2299
608bcc6d
MM		 2300static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2301{
2302 struct sk_buff *acked_skb;
2303 u16 ackseq;
2304
b4400672 2305 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2306
2307 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2308 return;
2309
b4400672 2310 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2311 chan->expected_ack_seq, chan->unacked_frames);
2312
2313 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2314 ackseq = __next_seq(chan, ackseq)) {
2315
2316 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2317 if (acked_skb) {
2318 skb_unlink(acked_skb, &chan->tx_q);
2319 kfree_skb(acked_skb);
2320 chan->unacked_frames--;
2321 }
2322 }
2323
2324 chan->expected_ack_seq = reqseq;
2325
2326 if (chan->unacked_frames == 0)
2327 __clear_retrans_timer(chan);
2328
b4400672 2329 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2330}
2331
2332static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2333{
2334 BT_DBG("chan %p", chan);
2335
2336 chan->expected_tx_seq = chan->buffer_seq;
2337 l2cap_seq_list_clear(&chan->srej_list);
2338 skb_queue_purge(&chan->srej_q);
2339 chan->rx_state = L2CAP_RX_STATE_RECV;
2340}
2341
d660366d
GP		 2342static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2343 struct l2cap_ctrl *control,
2344 struct sk_buff_head *skbs, u8 event)
608bcc6d 2345{
608bcc6d
MM		 2346 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2347 event);
2348
2349 switch (event) {
2350 case L2CAP_EV_DATA_REQUEST:
2351 if (chan->tx_send_head == NULL)
2352 chan->tx_send_head = skb_peek(skbs);
2353
2354 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2355 l2cap_ertm_send(chan);
2356 break;
2357 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2358 BT_DBG("Enter LOCAL_BUSY");
2359 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2360
2361 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2362 /* The SREJ_SENT state must be aborted if we are to
2363 * enter the LOCAL_BUSY state.
2364 */
2365 l2cap_abort_rx_srej_sent(chan);
2366 }
2367
2368 l2cap_send_ack(chan);
2369
2370 break;
2371 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2372 BT_DBG("Exit LOCAL_BUSY");
2373 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2374
2375 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2376 struct l2cap_ctrl local_control;
2377
2378 memset(&local_control, 0, sizeof(local_control));
2379 local_control.sframe = 1;
2380 local_control.super = L2CAP_SUPER_RR;
2381 local_control.poll = 1;
2382 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2383 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2384
2385 chan->retry_count = 1;
2386 __set_monitor_timer(chan);
2387 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2388 }
2389 break;
2390 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2391 l2cap_process_reqseq(chan, control->reqseq);
2392 break;
2393 case L2CAP_EV_EXPLICIT_POLL:
2394 l2cap_send_rr_or_rnr(chan, 1);
2395 chan->retry_count = 1;
2396 __set_monitor_timer(chan);
2397 __clear_ack_timer(chan);
2398 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2399 break;
2400 case L2CAP_EV_RETRANS_TO:
2401 l2cap_send_rr_or_rnr(chan, 1);
2402 chan->retry_count = 1;
2403 __set_monitor_timer(chan);
2404 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2405 break;
2406 case L2CAP_EV_RECV_FBIT:
2407 /* Nothing to process */
2408 break;
2409 default:
2410 break;
2411 }
608bcc6d
MM		 2412}
2413
d660366d
GP		 2414static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2415 struct l2cap_ctrl *control,
2416 struct sk_buff_head *skbs, u8 event)
608bcc6d 2417{
608bcc6d
MM		 2418 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2419 event);
2420
2421 switch (event) {
2422 case L2CAP_EV_DATA_REQUEST:
2423 if (chan->tx_send_head == NULL)
2424 chan->tx_send_head = skb_peek(skbs);
2425 /* Queue data, but don't send. */
2426 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2427 break;
2428 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2429 BT_DBG("Enter LOCAL_BUSY");
2430 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2431
2432 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2433 /* The SREJ_SENT state must be aborted if we are to
2434 * enter the LOCAL_BUSY state.
2435 */
2436 l2cap_abort_rx_srej_sent(chan);
2437 }
2438
2439 l2cap_send_ack(chan);
2440
2441 break;
2442 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2443 BT_DBG("Exit LOCAL_BUSY");
2444 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2445
2446 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2447 struct l2cap_ctrl local_control;
2448 memset(&local_control, 0, sizeof(local_control));
2449 local_control.sframe = 1;
2450 local_control.super = L2CAP_SUPER_RR;
2451 local_control.poll = 1;
2452 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2453 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2454
2455 chan->retry_count = 1;
2456 __set_monitor_timer(chan);
2457 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2458 }
2459 break;
2460 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2461 l2cap_process_reqseq(chan, control->reqseq);
2462
2463 /* Fall through */
2464
2465 case L2CAP_EV_RECV_FBIT:
2466 if (control && control->final) {
2467 __clear_monitor_timer(chan);
2468 if (chan->unacked_frames > 0)
2469 __set_retrans_timer(chan);
2470 chan->retry_count = 0;
2471 chan->tx_state = L2CAP_TX_STATE_XMIT;
2472 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2473 }
2474 break;
2475 case L2CAP_EV_EXPLICIT_POLL:
2476 /* Ignore */
2477 break;
2478 case L2CAP_EV_MONITOR_TO:
2479 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2480 l2cap_send_rr_or_rnr(chan, 1);
2481 __set_monitor_timer(chan);
2482 chan->retry_count++;
2483 } else {
2484 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
2485 }
2486 break;
2487 default:
2488 break;
2489 }
608bcc6d
MM		 2490}
2491
d660366d
GP		 2492static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2493 struct sk_buff_head *skbs, u8 event)
608bcc6d 2494{
608bcc6d
MM		 2495 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2496 chan, control, skbs, event, chan->tx_state);
2497
2498 switch (chan->tx_state) {
2499 case L2CAP_TX_STATE_XMIT:
d660366d 2500 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2501 break;
2502 case L2CAP_TX_STATE_WAIT_F:
d660366d 2503 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2504 break;
2505 default:
2506 /* Ignore event */
2507 break;
2508 }
608bcc6d
MM		 2509}
2510
4b51dae9
MM		 2511static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2512 struct l2cap_ctrl *control)
2513{
2514 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2515 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2516}
2517
f80842a8
MM		 2518static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2519 struct l2cap_ctrl *control)
2520{
2521 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2522 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2523}
2524
1da177e4
LT		 2525/* Copy frame to all raw sockets on that connection */
2526static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2527{
1da177e4 2528 struct sk_buff *nskb;
48454079 2529 struct l2cap_chan *chan;
1da177e4
LT		 2530
2531 BT_DBG("conn %p", conn);
2532
3df91ea2 2533 mutex_lock(&conn->chan_lock);
3d57dc68 2534
3df91ea2 2535 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2536 struct sock *sk = chan->sk;
715ec005 2537 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2538 continue;
2539
2540 /* Don't send frame to the socket it came from */
2541 if (skb->sk == sk)
2542 continue;
af05b30b
GP		 2543 nskb = skb_clone(skb, GFP_ATOMIC);
2544 if (!nskb)
1da177e4
LT		 2545 continue;
2546
80b98027 2547 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2548 kfree_skb(nskb);
2549 }
3d57dc68 2550
3df91ea2 2551 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2552}
2553
2554/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2555static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2556 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2557{
2558 struct sk_buff *skb, **frag;
2559 struct l2cap_cmd_hdr *cmd;
2560 struct l2cap_hdr *lh;
2561 int len, count;
2562
b4400672
AE		 2563 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2564 conn, code, ident, dlen);
1da177e4
LT		 2565
2566 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2567 count = min_t(unsigned int, conn->mtu, len);
2568
2569 skb = bt_skb_alloc(count, GFP_ATOMIC);
2570 if (!skb)
2571 return NULL;
2572
2573 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2574 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2575
2576 if (conn->hcon->type == LE_LINK)
ac73498c 2577 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2578 else
ac73498c 2579 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2580
2581 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2582 cmd->code = code;
2583 cmd->ident = ident;
aca3192c 2584 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2585
2586 if (dlen) {
2587 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2588 memcpy(skb_put(skb, count), data, count);
2589 data += count;
2590 }
2591
2592 len -= skb->len;
2593
2594 /* Continuation fragments (no L2CAP header) */
2595 frag = &skb_shinfo(skb)->frag_list;
2596 while (len) {
2597 count = min_t(unsigned int, conn->mtu, len);
2598
2599 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2600 if (!*frag)
2601 goto fail;
2602
2603 memcpy(skb_put(*frag, count), data, count);
2604
2605 len -= count;
2606 data += count;
2607
2608 frag = &(*frag)->next;
2609 }
2610
2611 return skb;
2612
2613fail:
2614 kfree_skb(skb);
2615 return NULL;
2616}
2617
2618static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2619{
2620 struct l2cap_conf_opt *opt = *ptr;
2621 int len;
2622
2623 len = L2CAP_CONF_OPT_SIZE + opt->len;
2624 *ptr += len;
2625
2626 *type = opt->type;
2627 *olen = opt->len;
2628
2629 switch (opt->len) {
2630 case 1:
2631 *val = *((u8 *) opt->val);
2632 break;
2633
2634 case 2:
bfaaeb3e 2635 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2636 break;
2637
2638 case 4:
bfaaeb3e 2639 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2640 break;
2641
2642 default:
2643 *val = (unsigned long) opt->val;
2644 break;
2645 }
2646
b4400672 2647 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2648 return len;
2649}
2650
1da177e4
LT		 2651static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2652{
2653 struct l2cap_conf_opt *opt = *ptr;
2654
b4400672 2655 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2656
2657 opt->type = type;
2658 opt->len = len;
2659
2660 switch (len) {
2661 case 1:
2662 *((u8 *) opt->val) = val;
2663 break;
2664
2665 case 2:
4f8b691c 2666 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2667 break;
2668
2669 case 4:
4f8b691c 2670 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2671 break;
2672
2673 default:
2674 memcpy(opt->val, (void *) val, len);
2675 break;
2676 }
2677
2678 *ptr += L2CAP_CONF_OPT_SIZE + len;
2679}
2680
f89cef09
AE		 2681static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2682{
2683 struct l2cap_conf_efs efs;
2684
1ec918ce 2685 switch (chan->mode) {
f89cef09
AE		 2686 case L2CAP_MODE_ERTM:
2687 efs.id = chan->local_id;
2688 efs.stype = chan->local_stype;
2689 efs.msdu = cpu_to_le16(chan->local_msdu);
2690 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c
AE		 2691 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2692 efs.flush_to = __constant_cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
f89cef09
AE		 2693 break;
2694
2695 case L2CAP_MODE_STREAMING:
2696 efs.id = 1;
2697 efs.stype = L2CAP_SERV_BESTEFFORT;
2698 efs.msdu = cpu_to_le16(chan->local_msdu);
2699 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2700 efs.acc_lat = 0;
2701 efs.flush_to = 0;
2702 break;
2703
2704 default:
2705 return;
2706 }
2707
2708 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
2709 (unsigned long) &efs);
2710}
2711
721c4181 2712static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2713{
721c4181 2714 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 2715 ack_timer.work);
2716 u16 frames_to_ack;
c1b4f43b 2717
2fb9b3d4
GP		 2718 BT_DBG("chan %p", chan);
2719
6be36555
AE		 2720 l2cap_chan_lock(chan);
2721
0362520b
MM		 2722 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2723 chan->last_acked_seq);
6be36555 2724
0362520b
MM		 2725 if (frames_to_ack)
2726 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 2727
0362520b 2728 l2cap_chan_unlock(chan);
09bfb2ee 2729 l2cap_chan_put(chan);
c1b4f43b
GP		 2730}
2731
466f8004 2732int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2733{
3c588192
MM		 2734 int err;
2735
105bdf9e
MM		 2736 chan->next_tx_seq = 0;
2737 chan->expected_tx_seq = 0;
42e5c802 2738 chan->expected_ack_seq = 0;
6a026610 2739 chan->unacked_frames = 0;
42e5c802 2740 chan->buffer_seq = 0;
6a026610 2741 chan->frames_sent = 0;
105bdf9e
MM		 2742 chan->last_acked_seq = 0;
2743 chan->sdu = NULL;
2744 chan->sdu_last_frag = NULL;
2745 chan->sdu_len = 0;
2746
d34c34fb
MM		 2747 skb_queue_head_init(&chan->tx_q);
2748
105bdf9e
MM		 2749 if (chan->mode != L2CAP_MODE_ERTM)
2750 return 0;
2751
2752 chan->rx_state = L2CAP_RX_STATE_RECV;
2753 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2754
721c4181
GP		 2755 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2756 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2757 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2758
f1c6775b 2759 skb_queue_head_init(&chan->srej_q);
1890d36b 2760
3c588192
MM		 2761 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2762 if (err < 0)
2763 return err;
2764
9dc9affc
MM		 2765 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
2766 if (err < 0)
2767 l2cap_seq_list_free(&chan->srej_list);
2768
2769 return err;
0565c1c2
GP		 2770}
2771
f2fcfcd6
GP		 2772static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2773{
2774 switch (mode) {
2775 case L2CAP_MODE_STREAMING:
2776 case L2CAP_MODE_ERTM:
2777 if (l2cap_mode_supported(mode, remote_feat_mask))
2778 return mode;
2779 /* fall through */
2780 default:
2781 return L2CAP_MODE_BASIC;
2782 }
2783}
2784
6327eb98
AE		 2785static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2786{
2787 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2788}
2789
f89cef09
AE		 2790static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2791{
2792 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2793}
2794
6327eb98
AE		 2795static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2796{
2797 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 2798 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2799 /* use extended control field */
2800 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2801 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2802 } else {
6327eb98
AE		 2803 chan->tx_win = min_t(u16, chan->tx_win,
2804 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2805 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2806 }
c20f8e35 2807 chan->ack_win = chan->tx_win;
6327eb98
AE		 2808}
2809
710f9b0a 2810static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2811{
1da177e4 2812 struct l2cap_conf_req *req = data;
0c1bc5c6 2813 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2814 void *ptr = req->data;
c8f79162 2815 u16 size;
1da177e4 2816
49208c9c 2817 BT_DBG("chan %p", chan);
1da177e4 2818
73ffa904 2819 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2820 goto done;
2821
0c1bc5c6 2822 switch (chan->mode) {
f2fcfcd6
GP		 2823 case L2CAP_MODE_STREAMING:
2824 case L2CAP_MODE_ERTM:
c1360a1c 2825 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2826 break;
85eb53c6 2827
f89cef09
AE		 2828 if (__l2cap_efs_supported(chan))
2829 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2830
2ba13ed6 2831 /* fall through */
f2fcfcd6 2832 default:
8c1d787b 2833 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2834 break;
2835 }
2836
2837done:
0c1bc5c6
GP		 2838 if (chan->imtu != L2CAP_DEFAULT_MTU)
2839 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2840
0c1bc5c6 2841 switch (chan->mode) {
65c7c491 2842 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2843 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2844 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2845 break;
2846
62547752
GP		 2847 rfc.mode = L2CAP_MODE_BASIC;
2848 rfc.txwin_size = 0;
2849 rfc.max_transmit = 0;
2850 rfc.retrans_timeout = 0;
2851 rfc.monitor_timeout = 0;
2852 rfc.max_pdu_size = 0;
2853
63406504
GP		 2854 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2855 (unsigned long) &rfc);
65c7c491
MH		 2856 break;
2857
2858 case L2CAP_MODE_ERTM:
2859 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2860 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2861 rfc.retrans_timeout = 0;
2862 rfc.monitor_timeout = 0;
c8f79162
AE		 2863
2864 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2865 L2CAP_EXT_HDR_SIZE -
2866 L2CAP_SDULEN_SIZE -
2867 L2CAP_FCS_SIZE);
2868 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2869
6327eb98
AE		 2870 l2cap_txwin_setup(chan);
2871
2872 rfc.txwin_size = min_t(u16, chan->tx_win,
2873 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2874
63406504
GP		 2875 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2876 (unsigned long) &rfc);
2877
f89cef09
AE		 2878 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2879 l2cap_add_opt_efs(&ptr, chan);
2880
8c1d787b 2881 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2882 break;
2883
47d1ec61 2884 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2885 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2886 chan->fcs = L2CAP_FCS_NONE;
2887 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2888 }
6327eb98
AE		 2889
2890 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2891 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2892 chan->tx_win);
f2fcfcd6
GP		 2893 break;
2894
2895 case L2CAP_MODE_STREAMING:
273759e2 2896 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 2897 rfc.mode = L2CAP_MODE_STREAMING;
2898 rfc.txwin_size = 0;
2899 rfc.max_transmit = 0;
2900 rfc.retrans_timeout = 0;
2901 rfc.monitor_timeout = 0;
c8f79162
AE		 2902
2903 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2904 L2CAP_EXT_HDR_SIZE -
2905 L2CAP_SDULEN_SIZE -
2906 L2CAP_FCS_SIZE);
2907 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2908
63406504
GP		 2909 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2910 (unsigned long) &rfc);
2911
f89cef09
AE		 2912 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2913 l2cap_add_opt_efs(&ptr, chan);
2914
8c1d787b 2915 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2916 break;
2917
47d1ec61 2918 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2919 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2920 chan->fcs = L2CAP_FCS_NONE;
2921 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2922 }
65c7c491
MH		 2923 break;
2924 }
1da177e4 2925
fe4128e0 2926 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 2927 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 2928
2929 return ptr - data;
2930}
2931
73ffa904 2932static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2933{
5dee9e7c
MH		 2934 struct l2cap_conf_rsp *rsp = data;
2935 void *ptr = rsp->data;
73ffa904
GP		 2936 void *req = chan->conf_req;
2937 int len = chan->conf_len;
5dee9e7c
MH		 2938 int type, hint, olen;
2939 unsigned long val;
6464f35f 2940 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2941 struct l2cap_conf_efs efs;
2942 u8 remote_efs = 0;
861d6882 2943 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2944 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2945 u16 size;
1da177e4 2946
73ffa904 2947 BT_DBG("chan %p", chan);
820ae1b8 2948
5dee9e7c
MH		 2949 while (len >= L2CAP_CONF_OPT_SIZE) {
2950 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2951
589d2746 2952 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2953 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2954
2955 switch (type) {
2956 case L2CAP_CONF_MTU:
861d6882 2957 mtu = val;
5dee9e7c
MH		 2958 break;
2959
2960 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2961 chan->flush_to = val;
5dee9e7c
MH		 2962 break;
2963
2964 case L2CAP_CONF_QOS:
2965 break;
2966
6464f35f
MH		 2967 case L2CAP_CONF_RFC:
2968 if (olen == sizeof(rfc))
2969 memcpy(&rfc, (void *) val, olen);
2970 break;
2971
fcc203c3
GP		 2972 case L2CAP_CONF_FCS:
2973 if (val == L2CAP_FCS_NONE)
c1360a1c 2974 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 2975 break;
fcc203c3 2976
42dceae2
AE		 2977 case L2CAP_CONF_EFS:
2978 remote_efs = 1;
2979 if (olen == sizeof(efs))
2980 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 2981 break;
2982
6327eb98
AE		 2983 case L2CAP_CONF_EWS:
2984 if (!enable_hs)
2985 return -ECONNREFUSED;
fcc203c3 2986
6327eb98
AE		 2987 set_bit(FLAG_EXT_CTRL, &chan->flags);
2988 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 2989 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 2990 chan->remote_tx_win = val;
fcc203c3
GP		 2991 break;
2992
5dee9e7c
MH		 2993 default:
2994 if (hint)
2995 break;
2996
2997 result = L2CAP_CONF_UNKNOWN;
2998 *((u8 *) ptr++) = type;
2999 break;
3000 }
3001 }
3002
73ffa904 3003 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3004 goto done;
3005
0c1bc5c6 3006 switch (chan->mode) {
f2fcfcd6
GP		 3007 case L2CAP_MODE_STREAMING:
3008 case L2CAP_MODE_ERTM:
c1360a1c 3009 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3010 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 3011 chan->conn->feat_mask);
85eb53c6
GP		 3012 break;
3013 }
3014
42dceae2
AE		 3015 if (remote_efs) {
3016 if (__l2cap_efs_supported(chan))
3017 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3018 else
3019 return -ECONNREFUSED;
3020 }
3021
0c1bc5c6 3022 if (chan->mode != rfc.mode)
f2fcfcd6 3023 return -ECONNREFUSED;
742e519b 3024
f2fcfcd6 3025 break;
f2fcfcd6
GP		 3026 }
3027
3028done:
0c1bc5c6 3029 if (chan->mode != rfc.mode) {
f2fcfcd6 3030 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3031 rfc.mode = chan->mode;
f2fcfcd6 3032
73ffa904 3033 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3034 return -ECONNREFUSED;
3035
3036 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3037 sizeof(rfc), (unsigned long) &rfc);
3038 }
3039
5dee9e7c
MH		 3040 if (result == L2CAP_CONF_SUCCESS) {
3041 /* Configure output options and let the other side know
3042 * which ones we don't like. */
3043
f2fcfcd6
GP		 3044 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3045 result = L2CAP_CONF_UNACCEPT;
3046 else {
0c1bc5c6 3047 chan->omtu = mtu;
c1360a1c 3048 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3049 }
0c1bc5c6 3050 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3051
42dceae2
AE		 3052 if (remote_efs) {
3053 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3054 efs.stype != L2CAP_SERV_NOTRAFIC &&
3055 efs.stype != chan->local_stype) {
3056
3057 result = L2CAP_CONF_UNACCEPT;
3058
3059 if (chan->num_conf_req >= 1)
3060 return -ECONNREFUSED;
3061
3062 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 3063 sizeof(efs),
42dceae2 3064 (unsigned long) &efs);
0e8b207e 3065 } else {
3e6b3b95 3066 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3067 result = L2CAP_CONF_PENDING;
3068 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3069 }
3070 }
3071
f2fcfcd6
GP		 3072 switch (rfc.mode) {
3073 case L2CAP_MODE_BASIC:
47d1ec61 3074 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3075 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3076 break;
3077
3078 case L2CAP_MODE_ERTM:
6327eb98
AE		 3079 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3080 chan->remote_tx_win = rfc.txwin_size;
3081 else
3082 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3083
2c03a7a4 3084 chan->remote_max_tx = rfc.max_transmit;
1c762159 3085
c8f79162
AE		 3086 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3087 chan->conn->mtu -
3088 L2CAP_EXT_HDR_SIZE -
3089 L2CAP_SDULEN_SIZE -
3090 L2CAP_FCS_SIZE);
3091 rfc.max_pdu_size = cpu_to_le16(size);
3092 chan->remote_mps = size;
f2fcfcd6 3093
10467e9e 3094 rfc.retrans_timeout =
4fd21a88 3095 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
10467e9e 3096 rfc.monitor_timeout =
4fd21a88 3097 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 3098
c1360a1c 3099 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3100
3101 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3102 sizeof(rfc), (unsigned long) &rfc);
3103
42dceae2
AE		 3104 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3105 chan->remote_id = efs.id;
3106 chan->remote_stype = efs.stype;
3107 chan->remote_msdu = le16_to_cpu(efs.msdu);
3108 chan->remote_flush_to =
3109 le32_to_cpu(efs.flush_to);
3110 chan->remote_acc_lat =
3111 le32_to_cpu(efs.acc_lat);
3112 chan->remote_sdu_itime =
3113 le32_to_cpu(efs.sdu_itime);
3114 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3115 sizeof(efs), (unsigned long) &efs);
3116 }
f2fcfcd6
GP		 3117 break;
3118
3119 case L2CAP_MODE_STREAMING:
c8f79162
AE		 3120 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3121 chan->conn->mtu -
3122 L2CAP_EXT_HDR_SIZE -
3123 L2CAP_SDULEN_SIZE -
3124 L2CAP_FCS_SIZE);
3125 rfc.max_pdu_size = cpu_to_le16(size);
3126 chan->remote_mps = size;
f2fcfcd6 3127
c1360a1c 3128 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3129
3130 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3131 sizeof(rfc), (unsigned long) &rfc);
3132
f2fcfcd6
GP		 3133 break;
3134
3135 default:
5dee9e7c 3136 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3137
6464f35f 3138 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3139 rfc.mode = chan->mode;
f2fcfcd6 3140 }
6464f35f 3141
f2fcfcd6 3142 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3143 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3144 }
fe4128e0 3145 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3146 rsp->result = cpu_to_le16(result);
59e54bd1 3147 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3148
3149 return ptr - data;
1da177e4
LT		 3150}
3151
b4450035 3152static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 3153{
f2fcfcd6
GP		 3154 struct l2cap_conf_req *req = data;
3155 void *ptr = req->data;
3156 int type, olen;
3157 unsigned long val;
36e999a8 3158 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3159 struct l2cap_conf_efs efs;
f2fcfcd6 3160
fe4128e0 3161 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3162
3163 while (len >= L2CAP_CONF_OPT_SIZE) {
3164 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3165
3166 switch (type) {
3167 case L2CAP_CONF_MTU:
3168 if (val < L2CAP_DEFAULT_MIN_MTU) {
3169 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3170 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3171 } else
0c1bc5c6
GP		 3172 chan->imtu = val;
3173 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3174 break;
3175
3176 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3177 chan->flush_to = val;
f2fcfcd6 3178 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 3179 2, chan->flush_to);
f2fcfcd6
GP		 3180 break;
3181
3182 case L2CAP_CONF_RFC:
3183 if (olen == sizeof(rfc))
3184 memcpy(&rfc, (void *)val, olen);
3185
c1360a1c 3186 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 3187 rfc.mode != chan->mode)
f2fcfcd6
GP		 3188 return -ECONNREFUSED;
3189
47d1ec61 3190 chan->fcs = 0;
f2fcfcd6
GP		 3191
3192 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3193 sizeof(rfc), (unsigned long) &rfc);
3194 break;
6327eb98
AE		 3195
3196 case L2CAP_CONF_EWS:
c20f8e35 3197 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3198 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3199 chan->tx_win);
6327eb98 3200 break;
66af7aaf
AE		 3201
3202 case L2CAP_CONF_EFS:
3203 if (olen == sizeof(efs))
3204 memcpy(&efs, (void *)val, olen);
3205
3206 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3207 efs.stype != L2CAP_SERV_NOTRAFIC &&
3208 efs.stype != chan->local_stype)
3209 return -ECONNREFUSED;
3210
3211 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3212 sizeof(efs), (unsigned long) &efs);
3213 break;
f2fcfcd6
GP		 3214 }
3215 }
3216
0c1bc5c6 3217 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3218 return -ECONNREFUSED;
3219
0c1bc5c6 3220 chan->mode = rfc.mode;
6c2ea7a8 3221
0e8b207e 3222 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3223 switch (rfc.mode) {
3224 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3225 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3226 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3227 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3228 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3229 chan->ack_win = min_t(u16, chan->ack_win,
3230 rfc.txwin_size);
66af7aaf
AE		 3231
3232 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3233 chan->local_msdu = le16_to_cpu(efs.msdu);
3234 chan->local_sdu_itime =
3235 le32_to_cpu(efs.sdu_itime);
3236 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3237 chan->local_flush_to =
3238 le32_to_cpu(efs.flush_to);
3239 }
f2fcfcd6 3240 break;
66af7aaf 3241
f2fcfcd6 3242 case L2CAP_MODE_STREAMING:
47d1ec61 3243 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3244 }
3245 }
3246
fe4128e0 3247 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3248 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3249
3250 return ptr - data;
3251}
3252
fe4128e0 3253static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 3254{
3255 struct l2cap_conf_rsp *rsp = data;
3256 void *ptr = rsp->data;
1da177e4 3257
fe4128e0 3258 BT_DBG("chan %p", chan);
1da177e4 3259
fe4128e0 3260 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3261 rsp->result = cpu_to_le16(result);
aca3192c 3262 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3263
3264 return ptr - data;
3265}
3266
8c1d787b 3267void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3268{
3269 struct l2cap_conn_rsp rsp;
8c1d787b 3270 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 3271 u8 buf[128];
3272
fe4128e0
GP		 3273 rsp.scid = cpu_to_le16(chan->dcid);
3274 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3275 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3276 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
710f9b0a
GP		 3277 l2cap_send_cmd(conn, chan->ident,
3278 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
3279
c1360a1c 3280 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3281 return;
3282
710f9b0a
GP		 3283 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3284 l2cap_build_conf_req(chan, buf), buf);
3285 chan->num_conf_req++;
3286}
3287
47d1ec61 3288static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3289{
7b1c0049
GP		 3290 int type, olen;
3291 unsigned long val;
c20f8e35
MM		 3292 /* Use sane default values in case a misbehaving remote device
3293 * did not send an RFC or extended window size option.
3294 */
3295 u16 txwin_ext = chan->ack_win;
3296 struct l2cap_conf_rfc rfc = {
3297 .mode = chan->mode,
3298 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3299 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3300 .max_pdu_size = cpu_to_le16(chan->imtu),
3301 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3302 };
7b1c0049 3303
47d1ec61 3304 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3305
0c1bc5c6 3306 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3307 return;
3308
3309 while (len >= L2CAP_CONF_OPT_SIZE) {
3310 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3311
c20f8e35
MM		 3312 switch (type) {
3313 case L2CAP_CONF_RFC:
3314 if (olen == sizeof(rfc))
3315 memcpy(&rfc, (void *)val, olen);
8f321f85 3316 break;
c20f8e35
MM		 3317 case L2CAP_CONF_EWS:
3318 txwin_ext = val;
3319 break;
3320 }
7b1c0049
GP		 3321 }
3322
7b1c0049
GP		 3323 switch (rfc.mode) {
3324 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3325 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3326 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3327 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3328 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3329 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3330 else
3331 chan->ack_win = min_t(u16, chan->ack_win,
3332 rfc.txwin_size);
7b1c0049
GP		 3333 break;
3334 case L2CAP_MODE_STREAMING:
47d1ec61 3335 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3336 }
3337}
3338
4e8402a3
MH		 3339static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3340{
e2fd318e 3341 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3342
e2fd318e 3343 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3344 return 0;
3345
3346 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3347 cmd->ident == conn->info_ident) {
17cd3f37 3348 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3349
3350 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3351 conn->info_ident = 0;
984947dc 3352
4e8402a3
MH		 3353 l2cap_conn_start(conn);
3354 }
3355
3356 return 0;
3357}
3358
1da177e4
LT		 3359static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3360{
1da177e4
LT		 3361 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3362 struct l2cap_conn_rsp rsp;
23691d75 3363 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3364 struct sock *parent, *sk = NULL;
e7c29cb1 3365 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3366
3367 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3368 __le16 psm = req->psm;
1da177e4 3369
097db76c 3370 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3371
3372 /* Check if we have socket listening on psm */
c2287681 3373 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3374 if (!pchan) {
1da177e4
LT		 3375 result = L2CAP_CR_BAD_PSM;
3376 goto sendresp;
3377 }
3378
23691d75
GP		 3379 parent = pchan->sk;
3380
3df91ea2 3381 mutex_lock(&conn->chan_lock);
aa2ac881 3382 lock_sock(parent);
e0f0cb56 3383
e7c29cb1 3384 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3385 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
e7c29cb1 3386 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3387 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3388 result = L2CAP_CR_SEC_BLOCK;
3389 goto response;
3390 }
3391
1da177e4
LT		 3392 result = L2CAP_CR_NO_MEM;
3393
2dfa1003
GP		 3394 /* Check if we already have channel with that dcid */
3395 if (__l2cap_get_chan_by_dcid(conn, scid))
3396 goto response;
3397
80b98027 3398 chan = pchan->ops->new_connection(pchan);
80808e43 3399 if (!chan)
1da177e4
LT		 3400 goto response;
3401
80808e43
GP		 3402 sk = chan->sk;
3403
1da177e4
LT		 3404 hci_conn_hold(conn->hcon);
3405
1da177e4
LT		 3406 bacpy(&bt_sk(sk)->src, conn->src);
3407 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3408 chan->psm = psm;
3409 chan->dcid = scid;
1da177e4 3410
d1010240
GP		 3411 bt_accept_enqueue(parent, sk);
3412
6be36555 3413 __l2cap_chan_add(conn, chan);
48454079 3414
fe4128e0 3415 dcid = chan->scid;
1da177e4 3416
c9b66675 3417 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3418
fc7f8a7e 3419 chan->ident = cmd->ident;
1da177e4 3420
984947dc 3421 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3422 if (l2cap_chan_check_security(chan)) {
c5daa683 3423 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3424 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3425 result = L2CAP_CR_PEND;
3426 status = L2CAP_CS_AUTHOR_PEND;
3427 parent->sk_data_ready(parent, 0);
3428 } else {
0e587be7 3429 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 3430 result = L2CAP_CR_SUCCESS;
3431 status = L2CAP_CS_NO_INFO;
3432 }
79d554a6 3433 } else {
0e587be7 3434 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3435 result = L2CAP_CR_PEND;
3436 status = L2CAP_CS_AUTHEN_PEND;
3437 }
3438 } else {
0e587be7 3439 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3440 result = L2CAP_CR_PEND;
3441 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3442 }
3443
1da177e4 3444response:
aa2ac881 3445 release_sock(parent);
3df91ea2 3446 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3447
3448sendresp:
aca3192c
YH		 3449 rsp.scid = cpu_to_le16(scid);
3450 rsp.dcid = cpu_to_le16(dcid);
3451 rsp.result = cpu_to_le16(result);
3452 rsp.status = cpu_to_le16(status);
1da177e4 3453 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 3454
3455 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3456 struct l2cap_info_req info;
ac73498c 3457 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3458
3459 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3460 conn->info_ident = l2cap_get_ident(conn);
3461
ba13ccd9 3462 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 3463
3464 l2cap_send_cmd(conn, conn->info_ident,
3465 L2CAP_INFO_REQ, sizeof(info), &info);
3466 }
3467
c1360a1c 3468 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 3469 result == L2CAP_CR_SUCCESS) {
3470 u8 buf[128];
c1360a1c 3471 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3472 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3473 l2cap_build_conf_req(chan, buf), buf);
3474 chan->num_conf_req++;
e9aeb2dd
GP		 3475 }
3476
1da177e4
LT		 3477 return 0;
3478}
3479
3480static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3481{
3482 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3483 u16 scid, dcid, result, status;
48454079 3484 struct l2cap_chan *chan;
1da177e4 3485 u8 req[128];
3df91ea2 3486 int err;
1da177e4
LT		 3487
3488 scid = __le16_to_cpu(rsp->scid);
3489 dcid = __le16_to_cpu(rsp->dcid);
3490 result = __le16_to_cpu(rsp->result);
3491 status = __le16_to_cpu(rsp->status);
3492
1b009c98
AE		 3493 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3494 dcid, scid, result, status);
1da177e4 3495
3df91ea2
AE		 3496 mutex_lock(&conn->chan_lock);
3497
1da177e4 3498 if (scid) {
3df91ea2
AE		 3499 chan = __l2cap_get_chan_by_scid(conn, scid);
3500 if (!chan) {
3501 err = -EFAULT;
3502 goto unlock;
3503 }
1da177e4 3504 } else {
3df91ea2
AE		 3505 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3506 if (!chan) {
3507 err = -EFAULT;
3508 goto unlock;
3509 }
1da177e4
LT		 3510 }
3511
3df91ea2
AE		 3512 err = 0;
3513
6be36555 3514 l2cap_chan_lock(chan);
48454079 3515
1da177e4
LT		 3516 switch (result) {
3517 case L2CAP_CR_SUCCESS:
89bc500e 3518 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3519 chan->ident = 0;
fe4128e0 3520 chan->dcid = dcid;
c1360a1c 3521 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3522
c1360a1c 3523 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3524 break;
3525
1da177e4 3526 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3527 l2cap_build_conf_req(chan, req), req);
3528 chan->num_conf_req++;
1da177e4
LT		 3529 break;
3530
3531 case L2CAP_CR_PEND:
c1360a1c 3532 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3533 break;
3534
3535 default:
48454079 3536 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3537 break;
3538 }
3539
6be36555 3540 l2cap_chan_unlock(chan);
3df91ea2
AE		 3541
3542unlock:
3543 mutex_unlock(&conn->chan_lock);
3544
3545 return err;
1da177e4
LT		 3546}
3547
47d1ec61 3548static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3549{
3550 /* FCS is enabled only in ERTM or streaming mode, if one or both
3551 * sides request it.
3552 */
0c1bc5c6 3553 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3554 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3555 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3556 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3557}
3558
88219a0f 3559static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 3560{
3561 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3562 u16 dcid, flags;
3563 u8 rsp[64];
48454079 3564 struct l2cap_chan *chan;
3c588192 3565 int len, err = 0;
1da177e4
LT		 3566
3567 dcid = __le16_to_cpu(req->dcid);
3568 flags = __le16_to_cpu(req->flags);
3569
3570 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3571
baa7e1fa 3572 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3573 if (!chan)
1da177e4
LT		 3574 return -ENOENT;
3575
033b1142 3576 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3577 struct l2cap_cmd_rej_cid rej;
3578
ac73498c 3579 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
e2fd318e
IK		 3580 rej.scid = cpu_to_le16(chan->scid);
3581 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3582
df6bd743
GP		 3583 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
3584 sizeof(rej), &rej);
354f60a9 3585 goto unlock;
df6bd743 3586 }
354f60a9 3587
5dee9e7c 3588 /* Reject if config buffer is too small. */
88219a0f 3589 len = cmd_len - sizeof(*req);
7ac28817 3590 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3591 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3592 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 3593 L2CAP_CONF_REJECT, flags), rsp);
3594 goto unlock;
3595 }
3596
3597 /* Store config. */
73ffa904
GP		 3598 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3599 chan->conf_len += len;
1da177e4 3600
59e54bd1 3601 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 3602 /* Incomplete config. Send empty response. */
3603 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3604 l2cap_build_conf_rsp(chan, rsp,
5325e5bb 3605 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 3606 goto unlock;
3607 }
3608
3609 /* Complete config. */
73ffa904 3610 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3611 if (len < 0) {
e92c8e70 3612 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 3613 goto unlock;
f2fcfcd6 3614 }
1da177e4 3615
5dee9e7c 3616 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3617 chan->num_conf_rsp++;
5dee9e7c 3618
5dee9e7c 3619 /* Reset config buffer. */
73ffa904 3620 chan->conf_len = 0;
5dee9e7c 3621
c1360a1c 3622 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3623 goto unlock;
3624
c1360a1c 3625 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3626 set_default_fcs(chan);
fcc203c3 3627
105bdf9e
MM		 3628 if (chan->mode == L2CAP_MODE_ERTM ||
3629 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3630 err = l2cap_ertm_init(chan);
3631
3632 if (err < 0)
3633 l2cap_send_disconn_req(chan->conn, chan, -err);
3634 else
3635 l2cap_chan_ready(chan);
0565c1c2 3636
876d9484
MH		 3637 goto unlock;
3638 }
3639
c1360a1c 3640 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3641 u8 buf[64];
1da177e4 3642 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3643 l2cap_build_conf_req(chan, buf), buf);
3644 chan->num_conf_req++;
1da177e4
LT		 3645 }
3646
0e8b207e
AE		 3647 /* Got Conf Rsp PENDING from remote side and asume we sent
3648 Conf Rsp PENDING in the code above */
3649 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
3650 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3651
3652 /* check compatibility */
3653
3654 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3655 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3656
3657 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3658 l2cap_build_conf_rsp(chan, rsp,
5325e5bb 3659 L2CAP_CONF_SUCCESS, flags), rsp);
0e8b207e
AE		 3660 }
3661
1da177e4 3662unlock:
6be36555 3663 l2cap_chan_unlock(chan);
3c588192 3664 return err;
1da177e4
LT		 3665}
3666
3667static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3668{
3669 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3670 u16 scid, flags, result;
48454079 3671 struct l2cap_chan *chan;
61386cba 3672 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3673 int err = 0;
1da177e4
LT		 3674
3675 scid = __le16_to_cpu(rsp->scid);
3676 flags = __le16_to_cpu(rsp->flags);
3677 result = __le16_to_cpu(rsp->result);
3678
61386cba
AE		 3679 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3680 result, len);
1da177e4 3681
baa7e1fa 3682 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3683 if (!chan)
1da177e4
LT		 3684 return 0;
3685
3686 switch (result) {
3687 case L2CAP_CONF_SUCCESS:
47d1ec61 3688 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3689 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3690 break;
3691
0e8b207e
AE		 3692 case L2CAP_CONF_PENDING:
3693 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3694
3695 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3696 char buf[64];
3697
3698 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3699 buf, &result);
3700 if (len < 0) {
3701 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3702 goto done;
3703 }
3704
3705 /* check compatibility */
3706
3707 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3708 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3709
3710 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3711 l2cap_build_conf_rsp(chan, buf,
0e8b207e
AE		 3712 L2CAP_CONF_SUCCESS, 0x0000), buf);
3713 }
3714 goto done;
3715
1da177e4 3716 case L2CAP_CONF_UNACCEPT:
73ffa904 3717 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3718 char req[64];
3719
c2c77ec8 3720 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 3721 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 3722 goto done;
3723 }
3724
f2fcfcd6
GP		 3725 /* throw out any old stored conf requests */
3726 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 3727 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3728 req, &result);
f2fcfcd6 3729 if (len < 0) {
e92c8e70 3730 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 3731 goto done;
3732 }
3733
3734 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3735 L2CAP_CONF_REQ, len, req);
73ffa904 3736 chan->num_conf_req++;
f2fcfcd6
GP		 3737 if (result != L2CAP_CONF_SUCCESS)
3738 goto done;
3739 break;
1da177e4
LT		 3740 }
3741
8e87d142 3742 default:
6be36555 3743 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 3744
ba13ccd9 3745 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 3746 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 3747 goto done;
3748 }
3749
59e54bd1 3750 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 3751 goto done;
3752
c1360a1c 3753 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 3754
c1360a1c 3755 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 3756 set_default_fcs(chan);
fcc203c3 3757
105bdf9e
MM		 3758 if (chan->mode == L2CAP_MODE_ERTM ||
3759 chan->mode == L2CAP_MODE_STREAMING)
3c588192 3760 err = l2cap_ertm_init(chan);
0565c1c2 3761
3c588192
MM		 3762 if (err < 0)
3763 l2cap_send_disconn_req(chan->conn, chan, -err);
3764 else
3765 l2cap_chan_ready(chan);
1da177e4
LT		 3766 }
3767
3768done:
6be36555 3769 l2cap_chan_unlock(chan);
3c588192 3770 return err;
1da177e4
LT		 3771}
3772
3773static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3774{
3775 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3776 struct l2cap_disconn_rsp rsp;
3777 u16 dcid, scid;
48454079 3778 struct l2cap_chan *chan;
1da177e4
LT		 3779 struct sock *sk;
3780
3781 scid = __le16_to_cpu(req->scid);
3782 dcid = __le16_to_cpu(req->dcid);
3783
3784 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3785
3df91ea2
AE		 3786 mutex_lock(&conn->chan_lock);
3787
3788 chan = __l2cap_get_chan_by_scid(conn, dcid);
3789 if (!chan) {
3790 mutex_unlock(&conn->chan_lock);
1da177e4 3791 return 0;
3df91ea2 3792 }
1da177e4 3793
6be36555
AE		 3794 l2cap_chan_lock(chan);
3795
48454079
GP		 3796 sk = chan->sk;
3797
fe4128e0
GP		 3798 rsp.dcid = cpu_to_le16(chan->scid);
3799 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3800 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3801
6be36555 3802 lock_sock(sk);
1da177e4 3803 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 3804 release_sock(sk);
1da177e4 3805
61d6ef3e 3806 l2cap_chan_hold(chan);
48454079 3807 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 3808
3809 l2cap_chan_unlock(chan);
1da177e4 3810
80b98027 3811 chan->ops->close(chan);
61d6ef3e 3812 l2cap_chan_put(chan);
3df91ea2
AE		 3813
3814 mutex_unlock(&conn->chan_lock);
3815
1da177e4
LT		 3816 return 0;
3817}
3818
3819static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3820{
3821 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3822 u16 dcid, scid;
48454079 3823 struct l2cap_chan *chan;
1da177e4
LT		 3824
3825 scid = __le16_to_cpu(rsp->scid);
3826 dcid = __le16_to_cpu(rsp->dcid);
3827
3828 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3829
3df91ea2
AE		 3830 mutex_lock(&conn->chan_lock);
3831
3832 chan = __l2cap_get_chan_by_scid(conn, scid);
3833 if (!chan) {
3834 mutex_unlock(&conn->chan_lock);
1da177e4 3835 return 0;
3df91ea2 3836 }
1da177e4 3837
6be36555 3838 l2cap_chan_lock(chan);
48454079 3839
61d6ef3e 3840 l2cap_chan_hold(chan);
48454079 3841 l2cap_chan_del(chan, 0);
6be36555
AE		 3842
3843 l2cap_chan_unlock(chan);
1da177e4 3844
80b98027 3845 chan->ops->close(chan);
61d6ef3e 3846 l2cap_chan_put(chan);
3df91ea2
AE		 3847
3848 mutex_unlock(&conn->chan_lock);
3849
1da177e4
LT		 3850 return 0;
3851}
3852
3853static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3854{
3855 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3856 u16 type;
3857
3858 type = __le16_to_cpu(req->type);
3859
3860 BT_DBG("type 0x%4.4x", type);
3861
f0709e03
MH		 3862 if (type == L2CAP_IT_FEAT_MASK) {
3863 u8 buf[8];
44dd46de 3864 u32 feat_mask = l2cap_feat_mask;
f0709e03 3865 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 3866 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
3867 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3868 if (!disable_ertm)
fcc203c3
GP		 3869 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3870 | L2CAP_FEAT_FCS;
a5fd6f30 3871 if (enable_hs)
6327eb98
AE		 3872 feat_mask |= L2CAP_FEAT_EXT_FLOW
3873 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3874
1b7bf4ed 3875 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3876 l2cap_send_cmd(conn, cmd->ident,
3877 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3878 } else if (type == L2CAP_IT_FIXED_CHAN) {
3879 u8 buf[12];
3880 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3881
3882 if (enable_hs)
3883 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3884 else
3885 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3886
ac73498c
AE		 3887 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3888 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3889 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH		 3890 l2cap_send_cmd(conn, cmd->ident,
3891 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3892 } else {
3893 struct l2cap_info_rsp rsp;
3894 rsp.type = cpu_to_le16(type);
ac73498c 3895 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
f0709e03
MH		 3896 l2cap_send_cmd(conn, cmd->ident,
3897 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3898 }
1da177e4
LT		 3899
3900 return 0;
3901}
3902
3903static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3904{
3905 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3906 u16 type, result;
3907
3908 type = __le16_to_cpu(rsp->type);
3909 result = __le16_to_cpu(rsp->result);
3910
3911 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3912
e90165be
AE		 3913 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3914 if (cmd->ident != conn->info_ident ||
3915 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3916 return 0;
3917
17cd3f37 3918 cancel_delayed_work(&conn->info_timer);
4e8402a3 3919
adb08ede
VT		 3920 if (result != L2CAP_IR_SUCCESS) {
3921 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3922 conn->info_ident = 0;
3923
3924 l2cap_conn_start(conn);
3925
3926 return 0;
3927 }
3928
978c93b9
AE		 3929 switch (type) {
3930 case L2CAP_IT_FEAT_MASK:
83985319 3931 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3932
47ec1dcd 3933 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 3934 struct l2cap_info_req req;
ac73498c 3935 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 3936
3937 conn->info_ident = l2cap_get_ident(conn);
3938
3939 l2cap_send_cmd(conn, conn->info_ident,
3940 L2CAP_INFO_REQ, sizeof(req), &req);
3941 } else {
3942 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3943 conn->info_ident = 0;
3944
3945 l2cap_conn_start(conn);
3946 }
978c93b9
AE		 3947 break;
3948
3949 case L2CAP_IT_FIXED_CHAN:
3950 conn->fixed_chan_mask = rsp->data[0];
984947dc 3951 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3952 conn->info_ident = 0;
984947dc
MH		 3953
3954 l2cap_conn_start(conn);
978c93b9 3955 break;
984947dc 3956 }
4e8402a3 3957
1da177e4
LT		 3958 return 0;
3959}
3960
f94ff6ff
MM		 3961static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3962 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3963 void *data)
3964{
3965 struct l2cap_create_chan_req *req = data;
3966 struct l2cap_create_chan_rsp rsp;
3967 u16 psm, scid;
3968
3969 if (cmd_len != sizeof(*req))
3970 return -EPROTO;
3971
3972 if (!enable_hs)
3973 return -EINVAL;
3974
3975 psm = le16_to_cpu(req->psm);
3976 scid = le16_to_cpu(req->scid);
3977
ad0ac6ca 3978 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff
MM		 3979
3980 /* Placeholder: Always reject */
3981 rsp.dcid = 0;
3982 rsp.scid = cpu_to_le16(scid);
8ce0c498
AE		 3983 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
3984 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f94ff6ff
MM		 3985
3986 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
3987 sizeof(rsp), &rsp);
3988
3989 return 0;
3990}
3991
3992static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
3993 struct l2cap_cmd_hdr *cmd, void *data)
3994{
3995 BT_DBG("conn %p", conn);
3996
3997 return l2cap_connect_rsp(conn, cmd, data);
3998}
3999
8d5a04a1 4000static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4001 u16 icid, u16 result)
8d5a04a1
MM		 4002{
4003 struct l2cap_move_chan_rsp rsp;
4004
ad0ac6ca 4005 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4006
4007 rsp.icid = cpu_to_le16(icid);
4008 rsp.result = cpu_to_le16(result);
4009
4010 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
4011}
4012
4013static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
ad0ac6ca
AE		 4014 struct l2cap_chan *chan,
4015 u16 icid, u16 result)
8d5a04a1
MM		 4016{
4017 struct l2cap_move_chan_cfm cfm;
4018 u8 ident;
4019
ad0ac6ca 4020 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4021
4022 ident = l2cap_get_ident(conn);
4023 if (chan)
4024 chan->ident = ident;
4025
4026 cfm.icid = cpu_to_le16(icid);
4027 cfm.result = cpu_to_le16(result);
4028
4029 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
4030}
4031
4032static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4033 u16 icid)
8d5a04a1
MM		 4034{
4035 struct l2cap_move_chan_cfm_rsp rsp;
4036
ad0ac6ca 4037 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4038
4039 rsp.icid = cpu_to_le16(icid);
4040 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4041}
4042
4043static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4044 struct l2cap_cmd_hdr *cmd,
4045 u16 cmd_len, void *data)
8d5a04a1
MM		 4046{
4047 struct l2cap_move_chan_req *req = data;
4048 u16 icid = 0;
4049 u16 result = L2CAP_MR_NOT_ALLOWED;
4050
4051 if (cmd_len != sizeof(*req))
4052 return -EPROTO;
4053
4054 icid = le16_to_cpu(req->icid);
4055
ad0ac6ca 4056 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1
MM		 4057
4058 if (!enable_hs)
4059 return -EINVAL;
4060
4061 /* Placeholder: Always refuse */
4062 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
4063
4064 return 0;
4065}
4066
4067static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 4068 struct l2cap_cmd_hdr *cmd,
4069 u16 cmd_len, void *data)
8d5a04a1
MM		 4070{
4071 struct l2cap_move_chan_rsp *rsp = data;
4072 u16 icid, result;
4073
4074 if (cmd_len != sizeof(*rsp))
4075 return -EPROTO;
4076
4077 icid = le16_to_cpu(rsp->icid);
4078 result = le16_to_cpu(rsp->result);
4079
ad0ac6ca 4080 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4081
4082 /* Placeholder: Always unconfirmed */
4083 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
4084
4085 return 0;
4086}
4087
4088static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
ad0ac6ca
AE		 4089 struct l2cap_cmd_hdr *cmd,
4090 u16 cmd_len, void *data)
8d5a04a1
MM		 4091{
4092 struct l2cap_move_chan_cfm *cfm = data;
4093 u16 icid, result;
4094
4095 if (cmd_len != sizeof(*cfm))
4096 return -EPROTO;
4097
4098 icid = le16_to_cpu(cfm->icid);
4099 result = le16_to_cpu(cfm->result);
4100
ad0ac6ca 4101 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4102
4103 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4104
4105 return 0;
4106}
4107
4108static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 4109 struct l2cap_cmd_hdr *cmd,
4110 u16 cmd_len, void *data)
8d5a04a1
MM		 4111{
4112 struct l2cap_move_chan_cfm_rsp *rsp = data;
4113 u16 icid;
4114
4115 if (cmd_len != sizeof(*rsp))
4116 return -EPROTO;
4117
4118 icid = le16_to_cpu(rsp->icid);
4119
ad0ac6ca 4120 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4121
4122 return 0;
4123}
4124
e2174ca4 4125static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 4126 u16 to_multiplier)
4127{
4128 u16 max_latency;
4129
4130 if (min > max || min < 6 || max > 3200)
4131 return -EINVAL;
4132
4133 if (to_multiplier < 10 || to_multiplier > 3200)
4134 return -EINVAL;
4135
4136 if (max >= to_multiplier * 8)
4137 return -EINVAL;
4138
4139 max_latency = (to_multiplier * 8 / max) - 1;
4140 if (latency > 499 || latency > max_latency)
4141 return -EINVAL;
4142
4143 return 0;
4144}
4145
4146static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
4147 struct l2cap_cmd_hdr *cmd, u8 *data)
4148{
4149 struct hci_conn *hcon = conn->hcon;
4150 struct l2cap_conn_param_update_req *req;
4151 struct l2cap_conn_param_update_rsp rsp;
4152 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 4153 int err;
de73115a
CT		 4154
4155 if (!(hcon->link_mode & HCI_LM_MASTER))
4156 return -EINVAL;
4157
4158 cmd_len = __le16_to_cpu(cmd->len);
4159 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
4160 return -EPROTO;
4161
4162 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 4163 min = __le16_to_cpu(req->min);
4164 max = __le16_to_cpu(req->max);
de73115a
CT		 4165 latency = __le16_to_cpu(req->latency);
4166 to_multiplier = __le16_to_cpu(req->to_multiplier);
4167
4168 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
4169 min, max, latency, to_multiplier);
4170
4171 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 4172
4173 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
4174 if (err)
ac73498c 4175 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 4176 else
ac73498c 4177 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 4178
4179 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
4180 sizeof(rsp), &rsp);
4181
2ce603eb
CT		 4182 if (!err)
4183 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
4184
de73115a
CT		 4185 return 0;
4186}
4187
3300d9a9
CT		 4188static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
4189 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4190{
4191 int err = 0;
4192
4193 switch (cmd->code) {
4194 case L2CAP_COMMAND_REJ:
4195 l2cap_command_rej(conn, cmd, data);
4196 break;
4197
4198 case L2CAP_CONN_REQ:
4199 err = l2cap_connect_req(conn, cmd, data);
4200 break;
4201
4202 case L2CAP_CONN_RSP:
4203 err = l2cap_connect_rsp(conn, cmd, data);
4204 break;
4205
4206 case L2CAP_CONF_REQ:
4207 err = l2cap_config_req(conn, cmd, cmd_len, data);
4208 break;
4209
4210 case L2CAP_CONF_RSP:
4211 err = l2cap_config_rsp(conn, cmd, data);
4212 break;
4213
4214 case L2CAP_DISCONN_REQ:
4215 err = l2cap_disconnect_req(conn, cmd, data);
4216 break;
4217
4218 case L2CAP_DISCONN_RSP:
4219 err = l2cap_disconnect_rsp(conn, cmd, data);
4220 break;
4221
4222 case L2CAP_ECHO_REQ:
4223 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
4224 break;
4225
4226 case L2CAP_ECHO_RSP:
4227 break;
4228
4229 case L2CAP_INFO_REQ:
4230 err = l2cap_information_req(conn, cmd, data);
4231 break;
4232
4233 case L2CAP_INFO_RSP:
4234 err = l2cap_information_rsp(conn, cmd, data);
4235 break;
4236
f94ff6ff
MM		 4237 case L2CAP_CREATE_CHAN_REQ:
4238 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
4239 break;
4240
4241 case L2CAP_CREATE_CHAN_RSP:
4242 err = l2cap_create_channel_rsp(conn, cmd, data);
4243 break;
4244
8d5a04a1
MM		 4245 case L2CAP_MOVE_CHAN_REQ:
4246 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
4247 break;
4248
4249 case L2CAP_MOVE_CHAN_RSP:
4250 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
4251 break;
4252
4253 case L2CAP_MOVE_CHAN_CFM:
4254 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
4255 break;
4256
4257 case L2CAP_MOVE_CHAN_CFM_RSP:
4258 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
4259 break;
4260
3300d9a9
CT		 4261 default:
4262 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
4263 err = -EINVAL;
4264 break;
4265 }
4266
4267 return err;
4268}
4269
4270static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
4271 struct l2cap_cmd_hdr *cmd, u8 *data)
4272{
4273 switch (cmd->code) {
4274 case L2CAP_COMMAND_REJ:
4275 return 0;
4276
4277 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 4278 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 4279
4280 case L2CAP_CONN_PARAM_UPDATE_RSP:
4281 return 0;
4282
4283 default:
4284 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
4285 return -EINVAL;
4286 }
4287}
4288
4289static inline void l2cap_sig_channel(struct l2cap_conn *conn,
4290 struct sk_buff *skb)
1da177e4
LT		 4291{
4292 u8 *data = skb->data;
4293 int len = skb->len;
4294 struct l2cap_cmd_hdr cmd;
3300d9a9 4295 int err;
1da177e4
LT		 4296
4297 l2cap_raw_recv(conn, skb);
4298
4299 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 4300 u16 cmd_len;
1da177e4
LT		 4301 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
4302 data += L2CAP_CMD_HDR_SIZE;
4303 len -= L2CAP_CMD_HDR_SIZE;
4304
88219a0f 4305 cmd_len = le16_to_cpu(cmd.len);
1da177e4 4306
88219a0f 4307 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 4308
88219a0f 4309 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 4310 BT_DBG("corrupted command");
4311 break;
4312 }
4313
3300d9a9
CT		 4314 if (conn->hcon->type == LE_LINK)
4315 err = l2cap_le_sig_cmd(conn, &cmd, data);
4316 else
4317 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 4318
4319 if (err) {
e2fd318e 4320 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 4321
4322 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 4323
4324 /* FIXME: Map err to a valid reason */
ac73498c 4325 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 4326 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4327 }
4328
88219a0f
AV		 4329 data += cmd_len;
4330 len -= cmd_len;
1da177e4
LT		 4331 }
4332
4333 kfree_skb(skb);
4334}
4335
47d1ec61 4336static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 4337{
4338 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 4339 int hdr_size;
4340
4341 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
4342 hdr_size = L2CAP_EXT_HDR_SIZE;
4343 else
4344 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 4345
47d1ec61 4346 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 4347 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 4348 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
4349 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
4350
4351 if (our_fcs != rcv_fcs)
7a560e5c 4352 return -EBADMSG;
fcc203c3
GP		 4353 }
4354 return 0;
4355}
4356
6ea00485 4357static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 4358{
e31f7633 4359 struct l2cap_ctrl control;
d5392c8f 4360
e31f7633 4361 BT_DBG("chan %p", chan);
d5392c8f 4362
e31f7633
MM		 4363 memset(&control, 0, sizeof(control));
4364 control.sframe = 1;
4365 control.final = 1;
4366 control.reqseq = chan->buffer_seq;
4367 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 4368
e2ab4353 4369 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 4370 control.super = L2CAP_SUPER_RNR;
4371 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4372 }
4373
e31f7633
MM		 4374 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
4375 chan->unacked_frames > 0)
4376 __set_retrans_timer(chan);
d5392c8f 4377
e31f7633 4378 /* Send pending iframes */
525cd185 4379 l2cap_ertm_send(chan);
d5392c8f 4380
e2ab4353 4381 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 4382 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
4383 /* F-bit wasn't sent in an s-frame or i-frame yet, so
4384 * send it now.
4385 */
4386 control.super = L2CAP_SUPER_RR;
4387 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4388 }
4389}
4390
84084a31
MM		 4391static void append_skb_frag(struct sk_buff *skb,
4392 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 4393{
84084a31
MM		 4394 /* skb->len reflects data in skb as well as all fragments
4395 * skb->data_len reflects only data in fragments
4396 */
4397 if (!skb_has_frag_list(skb))
4398 skb_shinfo(skb)->frag_list = new_frag;
4399
4400 new_frag->next = NULL;
4401
4402 (*last_frag)->next = new_frag;
4403 *last_frag = new_frag;
4404
4405 skb->len += new_frag->len;
4406 skb->data_len += new_frag->len;
4407 skb->truesize += new_frag->truesize;
4408}
4409
4b51dae9
MM		 4410static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
4411 struct l2cap_ctrl *control)
84084a31
MM		 4412{
4413 int err = -EINVAL;
18778a63 4414
4b51dae9 4415 switch (control->sar) {
7e0ef6ee 4416 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 4417 if (chan->sdu)
4418 break;
18778a63 4419
80b98027 4420 err = chan->ops->recv(chan, skb);
84084a31 4421 break;
18778a63 4422
7e0ef6ee 4423 case L2CAP_SAR_START:
84084a31
MM		 4424 if (chan->sdu)
4425 break;
18778a63 4426
6f61fd47 4427 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 4428 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 4429
84084a31
MM		 4430 if (chan->sdu_len > chan->imtu) {
4431 err = -EMSGSIZE;
4432 break;
4433 }
1890d36b 4434
84084a31
MM		 4435 if (skb->len >= chan->sdu_len)
4436 break;
18778a63 4437
84084a31
MM		 4438 chan->sdu = skb;
4439 chan->sdu_last_frag = skb;
18778a63 4440
84084a31
MM		 4441 skb = NULL;
4442 err = 0;
18778a63
GP		 4443 break;
4444
7e0ef6ee 4445 case L2CAP_SAR_CONTINUE:
6f61fd47 4446 if (!chan->sdu)
84084a31 4447 break;
18778a63 4448
84084a31
MM		 4449 append_skb_frag(chan->sdu, skb,
4450 &chan->sdu_last_frag);
4451 skb = NULL;
18778a63 4452
84084a31
MM		 4453 if (chan->sdu->len >= chan->sdu_len)
4454 break;
4178ba46 4455
84084a31 4456 err = 0;
18778a63
GP		 4457 break;
4458
7e0ef6ee 4459 case L2CAP_SAR_END:
6f61fd47 4460 if (!chan->sdu)
84084a31 4461 break;
18778a63 4462
84084a31
MM		 4463 append_skb_frag(chan->sdu, skb,
4464 &chan->sdu_last_frag);
4465 skb = NULL;
4178ba46 4466
84084a31
MM		 4467 if (chan->sdu->len != chan->sdu_len)
4468 break;
18778a63 4469
80b98027 4470 err = chan->ops->recv(chan, chan->sdu);
1890d36b 4471
84084a31
MM		 4472 if (!err) {
4473 /* Reassembly complete */
4474 chan->sdu = NULL;
4475 chan->sdu_last_frag = NULL;
4476 chan->sdu_len = 0;
1890d36b 4477 }
18778a63
GP		 4478 break;
4479 }
4480
84084a31
MM		 4481 if (err) {
4482 kfree_skb(skb);
4483 kfree_skb(chan->sdu);
4484 chan->sdu = NULL;
4485 chan->sdu_last_frag = NULL;
4486 chan->sdu_len = 0;
4487 }
18778a63 4488
84084a31 4489 return err;
18778a63
GP		 4490}
4491
61aa4f5b 4492void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 4493{
61aa4f5b 4494 u8 event;
712132eb 4495
61aa4f5b
MM		 4496 if (chan->mode != L2CAP_MODE_ERTM)
4497 return;
712132eb 4498
61aa4f5b 4499 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 4500 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 4501}
4502
d2a7ac5d
MM		 4503static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
4504{
63838725
MM		 4505 int err = 0;
4506 /* Pass sequential frames to l2cap_reassemble_sdu()
4507 * until a gap is encountered.
4508 */
4509
4510 BT_DBG("chan %p", chan);
4511
4512 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4513 struct sk_buff *skb;
4514 BT_DBG("Searching for skb with txseq %d (queue len %d)",
4515 chan->buffer_seq, skb_queue_len(&chan->srej_q));
4516
4517 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
4518
4519 if (!skb)
4520 break;
4521
4522 skb_unlink(skb, &chan->srej_q);
4523 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
4524 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
4525 if (err)
4526 break;
4527 }
4528
4529 if (skb_queue_empty(&chan->srej_q)) {
4530 chan->rx_state = L2CAP_RX_STATE_RECV;
4531 l2cap_send_ack(chan);
4532 }
4533
4534 return err;
d2a7ac5d
MM		 4535}
4536
4537static void l2cap_handle_srej(struct l2cap_chan *chan,
4538 struct l2cap_ctrl *control)
4539{
f80842a8
MM		 4540 struct sk_buff *skb;
4541
4542 BT_DBG("chan %p, control %p", chan, control);
4543
4544 if (control->reqseq == chan->next_tx_seq) {
4545 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4546 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4547 return;
4548 }
4549
4550 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4551
4552 if (skb == NULL) {
4553 BT_DBG("Seq %d not available for retransmission",
4554 control->reqseq);
4555 return;
4556 }
4557
4558 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
4559 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4560 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4561 return;
4562 }
4563
4564 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4565
4566 if (control->poll) {
4567 l2cap_pass_to_tx(chan, control);
4568
4569 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4570 l2cap_retransmit(chan, control);
4571 l2cap_ertm_send(chan);
4572
4573 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4574 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4575 chan->srej_save_reqseq = control->reqseq;
4576 }
4577 } else {
4578 l2cap_pass_to_tx_fbit(chan, control);
4579
4580 if (control->final) {
4581 if (chan->srej_save_reqseq != control->reqseq ||
4582 !test_and_clear_bit(CONN_SREJ_ACT,
4583 &chan->conn_state))
4584 l2cap_retransmit(chan, control);
4585 } else {
4586 l2cap_retransmit(chan, control);
4587 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4588 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4589 chan->srej_save_reqseq = control->reqseq;
4590 }
4591 }
4592 }
d2a7ac5d
MM		 4593}
4594
4595static void l2cap_handle_rej(struct l2cap_chan *chan,
4596 struct l2cap_ctrl *control)
4597{
fcd289df
MM		 4598 struct sk_buff *skb;
4599
4600 BT_DBG("chan %p, control %p", chan, control);
4601
4602 if (control->reqseq == chan->next_tx_seq) {
4603 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4604 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4605 return;
4606 }
4607
4608 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4609
4610 if (chan->max_tx && skb &&
4611 bt_cb(skb)->control.retries >= chan->max_tx) {
4612 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4613 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4614 return;
4615 }
4616
4617 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4618
4619 l2cap_pass_to_tx(chan, control);
4620
4621 if (control->final) {
4622 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
4623 l2cap_retransmit_all(chan, control);
4624 } else {
4625 l2cap_retransmit_all(chan, control);
4626 l2cap_ertm_send(chan);
4627 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
4628 set_bit(CONN_REJ_ACT, &chan->conn_state);
4629 }
d2a7ac5d
MM		 4630}
4631
4b51dae9
MM		 4632static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
4633{
4634 BT_DBG("chan %p, txseq %d", chan, txseq);
4635
4636 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
4637 chan->expected_tx_seq);
4638
4639 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
4640 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4641 chan->tx_win) {
4642 /* See notes below regarding "double poll" and
4643 * invalid packets.
4644 */
4645 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4646 BT_DBG("Invalid/Ignore - after SREJ");
4647 return L2CAP_TXSEQ_INVALID_IGNORE;
4648 } else {
4649 BT_DBG("Invalid - in window after SREJ sent");
4650 return L2CAP_TXSEQ_INVALID;
4651 }
4652 }
4653
4654 if (chan->srej_list.head == txseq) {
4655 BT_DBG("Expected SREJ");
4656 return L2CAP_TXSEQ_EXPECTED_SREJ;
4657 }
4658
4659 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
4660 BT_DBG("Duplicate SREJ - txseq already stored");
4661 return L2CAP_TXSEQ_DUPLICATE_SREJ;
4662 }
4663
4664 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
4665 BT_DBG("Unexpected SREJ - not requested");
4666 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
4667 }
4668 }
4669
4670 if (chan->expected_tx_seq == txseq) {
4671 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4672 chan->tx_win) {
4673 BT_DBG("Invalid - txseq outside tx window");
4674 return L2CAP_TXSEQ_INVALID;
4675 } else {
4676 BT_DBG("Expected");
4677 return L2CAP_TXSEQ_EXPECTED;
4678 }
4679 }
4680
4681 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
4682 __seq_offset(chan, chan->expected_tx_seq,
4683 chan->last_acked_seq)){
4684 BT_DBG("Duplicate - expected_tx_seq later than txseq");
4685 return L2CAP_TXSEQ_DUPLICATE;
4686 }
4687
4688 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
4689 /* A source of invalid packets is a "double poll" condition,
4690 * where delays cause us to send multiple poll packets. If
4691 * the remote stack receives and processes both polls,
4692 * sequence numbers can wrap around in such a way that a
4693 * resent frame has a sequence number that looks like new data
4694 * with a sequence gap. This would trigger an erroneous SREJ
4695 * request.
4696 *
4697 * Fortunately, this is impossible with a tx window that's
4698 * less than half of the maximum sequence number, which allows
4699 * invalid frames to be safely ignored.
4700 *
4701 * With tx window sizes greater than half of the tx window
4702 * maximum, the frame is invalid and cannot be ignored. This
4703 * causes a disconnect.
4704 */
4705
4706 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4707 BT_DBG("Invalid/Ignore - txseq outside tx window");
4708 return L2CAP_TXSEQ_INVALID_IGNORE;
4709 } else {
4710 BT_DBG("Invalid - txseq outside tx window");
4711 return L2CAP_TXSEQ_INVALID;
4712 }
4713 } else {
4714 BT_DBG("Unexpected - txseq indicates missing frames");
4715 return L2CAP_TXSEQ_UNEXPECTED;
4716 }
4717}
4718
d2a7ac5d
MM		 4719static int l2cap_rx_state_recv(struct l2cap_chan *chan,
4720 struct l2cap_ctrl *control,
4721 struct sk_buff *skb, u8 event)
4722{
4723 int err = 0;
4724 bool skb_in_use = 0;
4725
4726 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4727 event);
4728
4729 switch (event) {
4730 case L2CAP_EV_RECV_IFRAME:
4731 switch (l2cap_classify_txseq(chan, control->txseq)) {
4732 case L2CAP_TXSEQ_EXPECTED:
4733 l2cap_pass_to_tx(chan, control);
4734
4735 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4736 BT_DBG("Busy, discarding expected seq %d",
4737 control->txseq);
4738 break;
4739 }
4740
4741 chan->expected_tx_seq = __next_seq(chan,
4742 control->txseq);
4743
4744 chan->buffer_seq = chan->expected_tx_seq;
4745 skb_in_use = 1;
4746
4747 err = l2cap_reassemble_sdu(chan, skb, control);
4748 if (err)
4749 break;
4750
4751 if (control->final) {
4752 if (!test_and_clear_bit(CONN_REJ_ACT,
4753 &chan->conn_state)) {
4754 control->final = 0;
4755 l2cap_retransmit_all(chan, control);
4756 l2cap_ertm_send(chan);
4757 }
4758 }
4759
4760 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
4761 l2cap_send_ack(chan);
4762 break;
4763 case L2CAP_TXSEQ_UNEXPECTED:
4764 l2cap_pass_to_tx(chan, control);
4765
4766 /* Can't issue SREJ frames in the local busy state.
4767 * Drop this frame, it will be seen as missing
4768 * when local busy is exited.
4769 */
4770 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4771 BT_DBG("Busy, discarding unexpected seq %d",
4772 control->txseq);
4773 break;
4774 }
4775
4776 /* There was a gap in the sequence, so an SREJ
4777 * must be sent for each missing frame. The
4778 * current frame is stored for later use.
4779 */
4780 skb_queue_tail(&chan->srej_q, skb);
4781 skb_in_use = 1;
4782 BT_DBG("Queued %p (queue len %d)", skb,
4783 skb_queue_len(&chan->srej_q));
4784
4785 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
4786 l2cap_seq_list_clear(&chan->srej_list);
4787 l2cap_send_srej(chan, control->txseq);
4788
4789 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
4790 break;
4791 case L2CAP_TXSEQ_DUPLICATE:
4792 l2cap_pass_to_tx(chan, control);
4793 break;
4794 case L2CAP_TXSEQ_INVALID_IGNORE:
4795 break;
4796 case L2CAP_TXSEQ_INVALID:
4797 default:
4798 l2cap_send_disconn_req(chan->conn, chan,
4799 ECONNRESET);
4800 break;
4801 }
4802 break;
4803 case L2CAP_EV_RECV_RR:
4804 l2cap_pass_to_tx(chan, control);
4805 if (control->final) {
4806 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4807
4808 if (!test_and_clear_bit(CONN_REJ_ACT,
4809 &chan->conn_state)) {
4810 control->final = 0;
4811 l2cap_retransmit_all(chan, control);
4812 }
4813
4814 l2cap_ertm_send(chan);
4815 } else if (control->poll) {
4816 l2cap_send_i_or_rr_or_rnr(chan);
4817 } else {
4818 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4819 &chan->conn_state) &&
4820 chan->unacked_frames)
4821 __set_retrans_timer(chan);
4822
4823 l2cap_ertm_send(chan);
4824 }
4825 break;
4826 case L2CAP_EV_RECV_RNR:
4827 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4828 l2cap_pass_to_tx(chan, control);
4829 if (control && control->poll) {
4830 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4831 l2cap_send_rr_or_rnr(chan, 0);
4832 }
4833 __clear_retrans_timer(chan);
4834 l2cap_seq_list_clear(&chan->retrans_list);
4835 break;
4836 case L2CAP_EV_RECV_REJ:
4837 l2cap_handle_rej(chan, control);
4838 break;
4839 case L2CAP_EV_RECV_SREJ:
4840 l2cap_handle_srej(chan, control);
4841 break;
4842 default:
4843 break;
4844 }
4845
4846 if (skb && !skb_in_use) {
4847 BT_DBG("Freeing %p", skb);
4848 kfree_skb(skb);
4849 }
4850
4851 return err;
4852}
4853
4854static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
4855 struct l2cap_ctrl *control,
4856 struct sk_buff *skb, u8 event)
4857{
4858 int err = 0;
4859 u16 txseq = control->txseq;
4860 bool skb_in_use = 0;
4861
4862 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4863 event);
4864
4865 switch (event) {
4866 case L2CAP_EV_RECV_IFRAME:
4867 switch (l2cap_classify_txseq(chan, txseq)) {
4868 case L2CAP_TXSEQ_EXPECTED:
4869 /* Keep frame for reassembly later */
4870 l2cap_pass_to_tx(chan, control);
4871 skb_queue_tail(&chan->srej_q, skb);
4872 skb_in_use = 1;
4873 BT_DBG("Queued %p (queue len %d)", skb,
4874 skb_queue_len(&chan->srej_q));
4875
4876 chan->expected_tx_seq = __next_seq(chan, txseq);
4877 break;
4878 case L2CAP_TXSEQ_EXPECTED_SREJ:
4879 l2cap_seq_list_pop(&chan->srej_list);
4880
4881 l2cap_pass_to_tx(chan, control);
4882 skb_queue_tail(&chan->srej_q, skb);
4883 skb_in_use = 1;
4884 BT_DBG("Queued %p (queue len %d)", skb,
4885 skb_queue_len(&chan->srej_q));
4886
4887 err = l2cap_rx_queued_iframes(chan);
4888 if (err)
4889 break;
4890
4891 break;
4892 case L2CAP_TXSEQ_UNEXPECTED:
4893 /* Got a frame that can't be reassembled yet.
4894 * Save it for later, and send SREJs to cover
4895 * the missing frames.
4896 */
4897 skb_queue_tail(&chan->srej_q, skb);
4898 skb_in_use = 1;
4899 BT_DBG("Queued %p (queue len %d)", skb,
4900 skb_queue_len(&chan->srej_q));
4901
4902 l2cap_pass_to_tx(chan, control);
4903 l2cap_send_srej(chan, control->txseq);
4904 break;
4905 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
4906 /* This frame was requested with an SREJ, but
4907 * some expected retransmitted frames are
4908 * missing. Request retransmission of missing
4909 * SREJ'd frames.
4910 */
4911 skb_queue_tail(&chan->srej_q, skb);
4912 skb_in_use = 1;
4913 BT_DBG("Queued %p (queue len %d)", skb,
4914 skb_queue_len(&chan->srej_q));
4915
4916 l2cap_pass_to_tx(chan, control);
4917 l2cap_send_srej_list(chan, control->txseq);
4918 break;
4919 case L2CAP_TXSEQ_DUPLICATE_SREJ:
4920 /* We've already queued this frame. Drop this copy. */
4921 l2cap_pass_to_tx(chan, control);
4922 break;
4923 case L2CAP_TXSEQ_DUPLICATE:
4924 /* Expecting a later sequence number, so this frame
4925 * was already received. Ignore it completely.
4926 */
4927 break;
4928 case L2CAP_TXSEQ_INVALID_IGNORE:
4929 break;
4930 case L2CAP_TXSEQ_INVALID:
4931 default:
4932 l2cap_send_disconn_req(chan->conn, chan,
4933 ECONNRESET);
4934 break;
4935 }
4936 break;
4937 case L2CAP_EV_RECV_RR:
4938 l2cap_pass_to_tx(chan, control);
4939 if (control->final) {
4940 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4941
4942 if (!test_and_clear_bit(CONN_REJ_ACT,
4943 &chan->conn_state)) {
4944 control->final = 0;
4945 l2cap_retransmit_all(chan, control);
4946 }
4947
4948 l2cap_ertm_send(chan);
4949 } else if (control->poll) {
4950 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4951 &chan->conn_state) &&
4952 chan->unacked_frames) {
4953 __set_retrans_timer(chan);
4954 }
4955
4956 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4957 l2cap_send_srej_tail(chan);
4958 } else {
4959 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4960 &chan->conn_state) &&
4961 chan->unacked_frames)
4962 __set_retrans_timer(chan);
4963
4964 l2cap_send_ack(chan);
4965 }
4966 break;
4967 case L2CAP_EV_RECV_RNR:
4968 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4969 l2cap_pass_to_tx(chan, control);
4970 if (control->poll) {
4971 l2cap_send_srej_tail(chan);
4972 } else {
4973 struct l2cap_ctrl rr_control;
4974 memset(&rr_control, 0, sizeof(rr_control));
4975 rr_control.sframe = 1;
4976 rr_control.super = L2CAP_SUPER_RR;
4977 rr_control.reqseq = chan->buffer_seq;
4978 l2cap_send_sframe(chan, &rr_control);
4979 }
4980
4981 break;
4982 case L2CAP_EV_RECV_REJ:
4983 l2cap_handle_rej(chan, control);
4984 break;
4985 case L2CAP_EV_RECV_SREJ:
4986 l2cap_handle_srej(chan, control);
4987 break;
4988 }
4989
4990 if (skb && !skb_in_use) {
4991 BT_DBG("Freeing %p", skb);
4992 kfree_skb(skb);
4993 }
4994
4995 return err;
4996}
4997
4998static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
4999{
5000 /* Make sure reqseq is for a packet that has been sent but not acked */
5001 u16 unacked;
5002
5003 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
5004 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
5005}
5006
cec8ab6e
MM		 5007static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5008 struct sk_buff *skb, u8 event)
218bb9df 5009{
d2a7ac5d
MM		 5010 int err = 0;
5011
5012 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
5013 control, skb, event, chan->rx_state);
5014
5015 if (__valid_reqseq(chan, control->reqseq)) {
5016 switch (chan->rx_state) {
5017 case L2CAP_RX_STATE_RECV:
5018 err = l2cap_rx_state_recv(chan, control, skb, event);
5019 break;
5020 case L2CAP_RX_STATE_SREJ_SENT:
5021 err = l2cap_rx_state_srej_sent(chan, control, skb,
5022 event);
5023 break;
5024 default:
5025 /* shut it down */
5026 break;
5027 }
5028 } else {
5029 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
5030 control->reqseq, chan->next_tx_seq,
5031 chan->expected_ack_seq);
5032 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
5033 }
5034
5035 return err;
cec8ab6e
MM		 5036}
5037
5038static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5039 struct sk_buff *skb)
5040{
4b51dae9
MM		 5041 int err = 0;
5042
5043 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
5044 chan->rx_state);
5045
5046 if (l2cap_classify_txseq(chan, control->txseq) ==
5047 L2CAP_TXSEQ_EXPECTED) {
5048 l2cap_pass_to_tx(chan, control);
5049
5050 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
5051 __next_seq(chan, chan->buffer_seq));
5052
5053 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5054
5055 l2cap_reassemble_sdu(chan, skb, control);
5056 } else {
5057 if (chan->sdu) {
5058 kfree_skb(chan->sdu);
5059 chan->sdu = NULL;
5060 }
5061 chan->sdu_last_frag = NULL;
5062 chan->sdu_len = 0;
5063
5064 if (skb) {
5065 BT_DBG("Freeing %p", skb);
5066 kfree_skb(skb);
5067 }
5068 }
5069
5070 chan->last_acked_seq = control->txseq;
5071 chan->expected_tx_seq = __next_seq(chan, control->txseq);
5072
5073 return err;
cec8ab6e
MM		 5074}
5075
5076static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
5077{
5078 struct l2cap_ctrl *control = &bt_cb(skb)->control;
5079 u16 len;
5080 u8 event;
218bb9df 5081
b76bbd66
MM		 5082 __unpack_control(chan, skb);
5083
218bb9df
GP		 5084 len = skb->len;
5085
5086 /*
5087 * We can just drop the corrupted I-frame here.
5088 * Receiver will miss it and start proper recovery
cec8ab6e 5089 * procedures and ask for retransmission.
218bb9df 5090 */
47d1ec61 5091 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 5092 goto drop;
5093
cec8ab6e 5094 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 5095 len -= L2CAP_SDULEN_SIZE;
218bb9df 5096
47d1ec61 5097 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 5098 len -= L2CAP_FCS_SIZE;
218bb9df 5099
47d1ec61 5100 if (len > chan->mps) {
8c1d787b 5101 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5102 goto drop;
5103 }
5104
cec8ab6e
MM		 5105 if (!control->sframe) {
5106 int err;
218bb9df 5107
cec8ab6e
MM		 5108 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
5109 control->sar, control->reqseq, control->final,
5110 control->txseq);
218bb9df 5111
cec8ab6e
MM		 5112 /* Validate F-bit - F=0 always valid, F=1 only
5113 * valid in TX WAIT_F
5114 */
5115 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 5116 goto drop;
cec8ab6e
MM		 5117
5118 if (chan->mode != L2CAP_MODE_STREAMING) {
5119 event = L2CAP_EV_RECV_IFRAME;
5120 err = l2cap_rx(chan, control, skb, event);
5121 } else {
5122 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 5123 }
5124
cec8ab6e
MM		 5125 if (err)
5126 l2cap_send_disconn_req(chan->conn, chan,
5127 ECONNRESET);
218bb9df 5128 } else {
cec8ab6e
MM		 5129 const u8 rx_func_to_event[4] = {
5130 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
5131 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
5132 };
5133
5134 /* Only I-frames are expected in streaming mode */
5135 if (chan->mode == L2CAP_MODE_STREAMING)
5136 goto drop;
5137
5138 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
5139 control->reqseq, control->final, control->poll,
5140 control->super);
5141
218bb9df
GP		 5142 if (len != 0) {
5143 BT_ERR("%d", len);
8c1d787b 5144 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5145 goto drop;
5146 }
5147
cec8ab6e
MM		 5148 /* Validate F and P bits */
5149 if (control->final && (control->poll ||
5150 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
5151 goto drop;
5152
5153 event = rx_func_to_event[control->super];
5154 if (l2cap_rx(chan, control, skb, event))
5155 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5156 }
5157
5158 return 0;
5159
5160drop:
5161 kfree_skb(skb);
5162 return 0;
5163}
5164
13ca56e0
AE		 5165static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
5166 struct sk_buff *skb)
1da177e4 5167{
48454079 5168 struct l2cap_chan *chan;
1da177e4 5169
baa7e1fa 5170 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 5171 if (!chan) {
97e8e89d
AE		 5172 if (cid == L2CAP_CID_A2MP) {
5173 chan = a2mp_channel_create(conn, skb);
5174 if (!chan) {
5175 kfree_skb(skb);
13ca56e0 5176 return;
97e8e89d
AE		 5177 }
5178
5179 l2cap_chan_lock(chan);
5180 } else {
5181 BT_DBG("unknown cid 0x%4.4x", cid);
5182 /* Drop packet and return */
5183 kfree_skb(skb);
13ca56e0 5184 return;
97e8e89d 5185 }
1da177e4
LT		 5186 }
5187
49208c9c 5188 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5189
89bc500e 5190 if (chan->state != BT_CONNECTED)
1da177e4
LT		 5191 goto drop;
5192
0c1bc5c6 5193 switch (chan->mode) {
1c2acffb
GP		 5194 case L2CAP_MODE_BASIC:
5195 /* If socket recv buffers overflows we drop data here
5196 * which is *bad* because L2CAP has to be reliable.
5197 * But we don't have any other choice. L2CAP doesn't
5198 * provide flow control mechanism. */
1da177e4 5199
0c1bc5c6 5200 if (chan->imtu < skb->len)
1c2acffb 5201 goto drop;
1da177e4 5202
80b98027 5203 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 5204 goto done;
5205 break;
5206
5207 case L2CAP_MODE_ERTM:
6840ed07 5208 case L2CAP_MODE_STREAMING:
cec8ab6e 5209 l2cap_data_rcv(chan, skb);
6840ed07
GP		 5210 goto done;
5211
1c2acffb 5212 default:
0c1bc5c6 5213 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 5214 break;
5215 }
1da177e4
LT		 5216
5217drop:
5218 kfree_skb(skb);
5219
5220done:
6be36555 5221 l2cap_chan_unlock(chan);
1da177e4
LT		 5222}
5223
84104b24
AE		 5224static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
5225 struct sk_buff *skb)
1da177e4 5226{
23691d75 5227 struct l2cap_chan *chan;
1da177e4 5228
c2287681 5229 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 5230 if (!chan)
1da177e4
LT		 5231 goto drop;
5232
5b4cedaa 5233 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5234
89bc500e 5235 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 5236 goto drop;
5237
e13e21dc 5238 if (chan->imtu < skb->len)
1da177e4
LT		 5239 goto drop;
5240
80b98027 5241 if (!chan->ops->recv(chan, skb))
84104b24 5242 return;
1da177e4
LT		 5243
5244drop:
5245 kfree_skb(skb);
1da177e4
LT		 5246}
5247
6810fca7
AE		 5248static void l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
5249 struct sk_buff *skb)
9f69bda6 5250{
23691d75 5251 struct l2cap_chan *chan;
9f69bda6 5252
c2287681 5253 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 5254 if (!chan)
9f69bda6
GP		 5255 goto drop;
5256
5b4cedaa 5257 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 5258
89bc500e 5259 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 5260 goto drop;
5261
e13e21dc 5262 if (chan->imtu < skb->len)
9f69bda6
GP		 5263 goto drop;
5264
80b98027 5265 if (!chan->ops->recv(chan, skb))
6810fca7 5266 return;
9f69bda6
GP		 5267
5268drop:
5269 kfree_skb(skb);
9f69bda6
GP		 5270}
5271
1da177e4
LT		 5272static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
5273{
5274 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 5275 u16 cid, len;
5276 __le16 psm;
1da177e4
LT		 5277
5278 skb_pull(skb, L2CAP_HDR_SIZE);
5279 cid = __le16_to_cpu(lh->cid);
5280 len = __le16_to_cpu(lh->len);
5281
1c2acffb
GP		 5282 if (len != skb->len) {
5283 kfree_skb(skb);
5284 return;
5285 }
5286
1da177e4
LT		 5287 BT_DBG("len %d, cid 0x%4.4x", len, cid);
5288
5289 switch (cid) {
3300d9a9 5290 case L2CAP_CID_LE_SIGNALING:
8db4dc46 5291 case L2CAP_CID_SIGNALING:
1da177e4
LT		 5292 l2cap_sig_channel(conn, skb);
5293 break;
5294
8db4dc46 5295 case L2CAP_CID_CONN_LESS:
097db76c 5296 psm = get_unaligned((__le16 *) skb->data);
0181a70f 5297 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 5298 l2cap_conless_channel(conn, psm, skb);
5299 break;
5300
9f69bda6
GP		 5301 case L2CAP_CID_LE_DATA:
5302 l2cap_att_channel(conn, cid, skb);
5303 break;
5304
b501d6a1
AB		 5305 case L2CAP_CID_SMP:
5306 if (smp_sig_channel(conn, skb))
5307 l2cap_conn_del(conn->hcon, EACCES);
5308 break;
5309
1da177e4
LT		 5310 default:
5311 l2cap_data_channel(conn, cid, skb);
5312 break;
5313 }
5314}
5315
5316/* ---- L2CAP interface with lower layer (HCI) ---- */
5317
686ebf28 5318int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 5319{
5320 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 5321 struct l2cap_chan *c;
1da177e4 5322
1da177e4
LT		 5323 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
5324
5325 /* Find listening sockets and check their link_mode */
23691d75
GP		 5326 read_lock(&chan_list_lock);
5327 list_for_each_entry(c, &chan_list, global_l) {
5328 struct sock *sk = c->sk;
4343478f 5329
89bc500e 5330 if (c->state != BT_LISTEN)
1da177e4
LT		 5331 continue;
5332
5333 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 5334 lm1 |= HCI_LM_ACCEPT;
43bd0f32 5335 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 5336 lm1 |= HCI_LM_MASTER;
1da177e4 5337 exact++;
2af6b9d5
MH		 5338 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
5339 lm2 |= HCI_LM_ACCEPT;
43bd0f32 5340 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 5341 lm2 |= HCI_LM_MASTER;
5342 }
1da177e4 5343 }
23691d75 5344 read_unlock(&chan_list_lock);
1da177e4
LT		 5345
5346 return exact ? lm1 : lm2;
5347}
5348
9e664631 5349void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 5350{
0139418c
MH		 5351 struct l2cap_conn *conn;
5352
1da177e4
LT		 5353 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
5354
1da177e4 5355 if (!status) {
1da177e4
LT		 5356 conn = l2cap_conn_add(hcon, status);
5357 if (conn)
5358 l2cap_conn_ready(conn);
0139418c 5359 } else
e175072f 5360 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4 5361
1da177e4
LT		 5362}
5363
686ebf28 5364int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 5365{
5366 struct l2cap_conn *conn = hcon->l2cap_data;
5367
5368 BT_DBG("hcon %p", hcon);
5369
686ebf28 5370 if (!conn)
9f5a0d7b 5371 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 5372 return conn->disc_reason;
5373}
5374
9e664631 5375void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 5376{
5377 BT_DBG("hcon %p reason %d", hcon, reason);
5378
e175072f 5379 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 5380}
5381
4343478f 5382static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 5383{
715ec005 5384 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 5385 return;
5386
f62e4323 5387 if (encrypt == 0x00) {
4343478f 5388 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 5389 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 5390 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 5391 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 5392 } else {
4343478f 5393 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 5394 __clear_chan_timer(chan);
f62e4323
MH		 5395 }
5396}
5397
686ebf28 5398int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 5399{
0139418c 5400 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 5401 struct l2cap_chan *chan;
1da177e4 5402
0139418c 5403 if (!conn)
1da177e4 5404 return 0;
0139418c 5405
89d8b407 5406 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 5407
160dc6ac 5408 if (hcon->type == LE_LINK) {
35d4adcc
HG		 5409 if (!status && encrypt)
5410 smp_distribute_keys(conn, 0);
17cd3f37 5411 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 5412 }
5413
3df91ea2 5414 mutex_lock(&conn->chan_lock);
1da177e4 5415
3df91ea2 5416 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 5417 l2cap_chan_lock(chan);
1da177e4 5418
89d8b407
AE		 5419 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
5420 state_to_string(chan->state));
f1cb9af5 5421
78eb2f98
AE		 5422 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
5423 l2cap_chan_unlock(chan);
5424 continue;
5425 }
5426
f1cb9af5
VCG		 5427 if (chan->scid == L2CAP_CID_LE_DATA) {
5428 if (!status && encrypt) {
5429 chan->sec_level = hcon->sec_level;
cf4cd009 5430 l2cap_chan_ready(chan);
f1cb9af5
VCG		 5431 }
5432
6be36555 5433 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 5434 continue;
5435 }
5436
c1360a1c 5437 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6be36555 5438 l2cap_chan_unlock(chan);
6a8d3010
MH		 5439 continue;
5440 }
5441
89bc500e
GP		 5442 if (!status && (chan->state == BT_CONNECTED ||
5443 chan->state == BT_CONFIG)) {
a7d7723a
GP		 5444 struct sock *sk = chan->sk;
5445
c5daa683 5446 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 5447 sk->sk_state_change(sk);
5448
4343478f 5449 l2cap_check_encryption(chan, encrypt);
6be36555 5450 l2cap_chan_unlock(chan);
9719f8af
MH		 5451 continue;
5452 }
5453
89bc500e 5454 if (chan->state == BT_CONNECT) {
b1235d79 5455 if (!status) {
9b27f350 5456 l2cap_send_conn_req(chan);
b1235d79 5457 } else {
ba13ccd9 5458 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 5459 }
89bc500e 5460 } else if (chan->state == BT_CONNECT2) {
6be36555 5461 struct sock *sk = chan->sk;
b1235d79 5462 struct l2cap_conn_rsp rsp;
df3c3931 5463 __u16 res, stat;
1da177e4 5464
6be36555
AE		 5465 lock_sock(sk);
5466
b1235d79 5467 if (!status) {
c5daa683
GP		 5468 if (test_bit(BT_SK_DEFER_SETUP,
5469 &bt_sk(sk)->flags)) {
df3c3931
JH		 5470 struct sock *parent = bt_sk(sk)->parent;
5471 res = L2CAP_CR_PEND;
5472 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 5473 if (parent)
5474 parent->sk_data_ready(parent, 0);
df3c3931 5475 } else {
0e587be7 5476 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 5477 res = L2CAP_CR_SUCCESS;
5478 stat = L2CAP_CS_NO_INFO;
5479 }
b1235d79 5480 } else {
0e587be7 5481 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 5482 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 5483 res = L2CAP_CR_SEC_BLOCK;
5484 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 5485 }
5486
6be36555
AE		 5487 release_sock(sk);
5488
fe4128e0
GP		 5489 rsp.scid = cpu_to_le16(chan->dcid);
5490 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 5491 rsp.result = cpu_to_le16(res);
5492 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 5493 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
5494 sizeof(rsp), &rsp);
2d369359
MM		 5495
5496 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
5497 res == L2CAP_CR_SUCCESS) {
5498 char buf[128];
5499 set_bit(CONF_REQ_SENT, &chan->conf_state);
5500 l2cap_send_cmd(conn, l2cap_get_ident(conn),
5501 L2CAP_CONF_REQ,
5502 l2cap_build_conf_req(chan, buf),
5503 buf);
5504 chan->num_conf_req++;
5505 }
b1235d79 5506 }
1da177e4 5507
6be36555 5508 l2cap_chan_unlock(chan);
1da177e4
LT		 5509 }
5510
3df91ea2 5511 mutex_unlock(&conn->chan_lock);
b1235d79 5512
1da177e4
LT		 5513 return 0;
5514}
5515
686ebf28 5516int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 5517{
5518 struct l2cap_conn *conn = hcon->l2cap_data;
5519
5a08ecce
AE		 5520 if (!conn)
5521 conn = l2cap_conn_add(hcon, 0);
5522
5523 if (!conn)
1da177e4
LT		 5524 goto drop;
5525
5526 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
5527
e702112f 5528 if (!(flags & ACL_CONT)) {
1da177e4
LT		 5529 struct l2cap_hdr *hdr;
5530 int len;
5531
5532 if (conn->rx_len) {
5533 BT_ERR("Unexpected start frame (len %d)", skb->len);
5534 kfree_skb(conn->rx_skb);
5535 conn->rx_skb = NULL;
5536 conn->rx_len = 0;
5537 l2cap_conn_unreliable(conn, ECOMM);
5538 }
5539
aae7fe22
AE		 5540 /* Start fragment always begin with Basic L2CAP header */
5541 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 5542 BT_ERR("Frame is too short (len %d)", skb->len);
5543 l2cap_conn_unreliable(conn, ECOMM);
5544 goto drop;
5545 }
5546
5547 hdr = (struct l2cap_hdr *) skb->data;
5548 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
5549
5550 if (len == skb->len) {
5551 /* Complete frame received */
5552 l2cap_recv_frame(conn, skb);
5553 return 0;
5554 }
5555
5556 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
5557
5558 if (skb->len > len) {
5559 BT_ERR("Frame is too long (len %d, expected len %d)",
5560 skb->len, len);
5561 l2cap_conn_unreliable(conn, ECOMM);
5562 goto drop;
5563 }
5564
5565 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 5566 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
5567 if (!conn->rx_skb)
1da177e4
LT		 5568 goto drop;
5569
d626f62b 5570 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5571 skb->len);
1da177e4
LT		 5572 conn->rx_len = len - skb->len;
5573 } else {
5574 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
5575
5576 if (!conn->rx_len) {
5577 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
5578 l2cap_conn_unreliable(conn, ECOMM);
5579 goto drop;
5580 }
5581
5582 if (skb->len > conn->rx_len) {
5583 BT_ERR("Fragment is too long (len %d, expected %d)",
5584 skb->len, conn->rx_len);
5585 kfree_skb(conn->rx_skb);
5586 conn->rx_skb = NULL;
5587 conn->rx_len = 0;
5588 l2cap_conn_unreliable(conn, ECOMM);
5589 goto drop;
5590 }
5591
d626f62b 5592 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5593 skb->len);
1da177e4
LT		 5594 conn->rx_len -= skb->len;
5595
5596 if (!conn->rx_len) {
5597 /* Complete frame received */
5598 l2cap_recv_frame(conn, conn->rx_skb);
5599 conn->rx_skb = NULL;
5600 }
5601 }
5602
5603drop:
5604 kfree_skb(skb);
5605 return 0;
5606}
5607
aef7d97c 5608static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 5609{
23691d75 5610 struct l2cap_chan *c;
1da177e4 5611
333055f2 5612 read_lock(&chan_list_lock);
1da177e4 5613
23691d75
GP		 5614 list_for_each_entry(c, &chan_list, global_l) {
5615 struct sock *sk = c->sk;
101545f6 5616
903d343e 5617 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 5618 batostr(&bt_sk(sk)->src),
5619 batostr(&bt_sk(sk)->dst),
89bc500e 5620 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 5621 c->scid, c->dcid, c->imtu, c->omtu,
5622 c->sec_level, c->mode);
61e1b4b7 5623 }
1da177e4 5624
333055f2 5625 read_unlock(&chan_list_lock);
1da177e4 5626
aef7d97c 5627 return 0;
1da177e4
LT		 5628}
5629
aef7d97c
MH		 5630static int l2cap_debugfs_open(struct inode *inode, struct file *file)
5631{
5632 return single_open(file, l2cap_debugfs_show, inode->i_private);
5633}
5634
5635static const struct file_operations l2cap_debugfs_fops = {
5636 .open = l2cap_debugfs_open,
5637 .read = seq_read,
5638 .llseek = seq_lseek,
5639 .release = single_release,
5640};
5641
5642static struct dentry *l2cap_debugfs;
1da177e4 5643
64274518 5644int __init l2cap_init(void)
1da177e4
LT		 5645{
5646 int err;
be9d1227 5647
bb58f747 5648 err = l2cap_init_sockets();
1da177e4
LT		 5649 if (err < 0)
5650 return err;
5651
aef7d97c
MH		 5652 if (bt_debugfs) {
5653 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
5654 bt_debugfs, NULL, &l2cap_debugfs_fops);
5655 if (!l2cap_debugfs)
5656 BT_ERR("Failed to create L2CAP debug file");
5657 }
1da177e4 5658
1da177e4 5659 return 0;
1da177e4
LT		 5660}
5661
64274518 5662void l2cap_exit(void)
1da177e4 5663{
aef7d97c 5664 debugfs_remove(l2cap_debugfs);
bb58f747 5665 l2cap_cleanup_sockets();
1da177e4
LT		 5666}
5667
d1c4a17d
GP		 5668module_param(disable_ertm, bool, 0644);
5669MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)