projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Btrfs: don't memset new tokens
[deliverable/linux.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
b501d6a1 39#include <net/bluetooth/smp.h>
97e8e89d 40#include <net/bluetooth/a2mp.h>
1da177e4 41
d1de6d46 42bool disable_ertm;
f0709e03 43
47ec1dcd 44static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 45static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 46
b5ad8b7f
JB		 47static LIST_HEAD(chan_list);
48static DEFINE_RWLOCK(chan_list_lock);
1da177e4 49
1da177e4
LT		 50static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
51 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 52static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
53 void *data);
710f9b0a 54static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a 55static void l2cap_send_disconn_req(struct l2cap_conn *conn,
c5daa683 56 struct l2cap_chan *chan, int err);
1da177e4 57
d660366d 58static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
608bcc6d
MM		 59 struct sk_buff_head *skbs, u8 event);
60
0139418c 61/* ---- L2CAP channels ---- */
71ba0e56 62
baa7e1fa 63static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 64{
3df91ea2 65 struct l2cap_chan *c;
3d57dc68 66
3df91ea2
AE		 67 list_for_each_entry(c, &conn->chan_l, list) {
68 if (c->dcid == cid)
69 return c;
0139418c 70 }
3df91ea2 71 return NULL;
0139418c
MH		 72}
73
baa7e1fa 74static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 75{
3df91ea2 76 struct l2cap_chan *c;
3d57dc68 77
3df91ea2
AE		 78 list_for_each_entry(c, &conn->chan_l, list) {
79 if (c->scid == cid)
80 return c;
0139418c 81 }
3df91ea2 82 return NULL;
0139418c
MH		 83}
84
85/* Find channel with given SCID.
ef191ade 86 * Returns locked channel. */
baa7e1fa 87static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 88{
48454079 89 struct l2cap_chan *c;
baa7e1fa 90
3df91ea2 91 mutex_lock(&conn->chan_lock);
baa7e1fa 92 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 93 if (c)
94 l2cap_chan_lock(c);
3df91ea2
AE		 95 mutex_unlock(&conn->chan_lock);
96
48454079 97 return c;
0139418c
MH		 98}
99
baa7e1fa 100static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 101{
3df91ea2 102 struct l2cap_chan *c;
3d57dc68 103
3df91ea2
AE		 104 list_for_each_entry(c, &conn->chan_l, list) {
105 if (c->ident == ident)
106 return c;
0139418c 107 }
3df91ea2 108 return NULL;
0139418c
MH		 109}
110
23691d75 111static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 112{
23691d75 113 struct l2cap_chan *c;
9e4425ff 114
23691d75
GP		 115 list_for_each_entry(c, &chan_list, global_l) {
116 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 117 return c;
9e4425ff 118 }
250938cb 119 return NULL;
9e4425ff
GP		 120}
121
122int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
123{
73b2ec18
GP		 124 int err;
125
333055f2 126 write_lock(&chan_list_lock);
9e4425ff 127
23691d75 128 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 129 err = -EADDRINUSE;
130 goto done;
9e4425ff
GP		 131 }
132
73b2ec18
GP		 133 if (psm) {
134 chan->psm = psm;
135 chan->sport = psm;
136 err = 0;
137 } else {
138 u16 p;
139
140 err = -EINVAL;
141 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 142 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 143 chan->psm = cpu_to_le16(p);
144 chan->sport = cpu_to_le16(p);
145 err = 0;
146 break;
147 }
148 }
9e4425ff 149
73b2ec18 150done:
333055f2 151 write_unlock(&chan_list_lock);
73b2ec18 152 return err;
9e4425ff
GP		 153}
154
155int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
156{
333055f2 157 write_lock(&chan_list_lock);
9e4425ff
GP		 158
159 chan->scid = scid;
160
333055f2 161 write_unlock(&chan_list_lock);
9e4425ff
GP		 162
163 return 0;
164}
165
baa7e1fa 166static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 167{
8db4dc46 168 u16 cid = L2CAP_CID_DYN_START;
0139418c 169
8db4dc46 170 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 171 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 172 return cid;
173 }
174
175 return 0;
176}
177
0e587be7 178static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 179{
42d2d87c 180 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
badaaa00
GP		 181 state_to_string(state));
182
89bc500e 183 chan->state = state;
80b98027 184 chan->ops->state_change(chan, state);
89bc500e
GP		 185}
186
0e587be7
AE		 187static void l2cap_state_change(struct l2cap_chan *chan, int state)
188{
189 struct sock *sk = chan->sk;
190
191 lock_sock(sk);
192 __l2cap_state_change(chan, state);
193 release_sock(sk);
194}
195
2e0052e4
AE		 196static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
197{
198 struct sock *sk = chan->sk;
199
200 sk->sk_err = err;
201}
202
203static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
204{
205 struct sock *sk = chan->sk;
206
207 lock_sock(sk);
208 __l2cap_chan_set_err(chan, err);
209 release_sock(sk);
210}
211
4239d16f
MM		 212static void __set_retrans_timer(struct l2cap_chan *chan)
213{
214 if (!delayed_work_pending(&chan->monitor_timer) &&
215 chan->retrans_timeout) {
216 l2cap_set_timer(chan, &chan->retrans_timer,
217 msecs_to_jiffies(chan->retrans_timeout));
218 }
219}
220
221static void __set_monitor_timer(struct l2cap_chan *chan)
222{
223 __clear_retrans_timer(chan);
224 if (chan->monitor_timeout) {
225 l2cap_set_timer(chan, &chan->monitor_timer,
226 msecs_to_jiffies(chan->monitor_timeout));
227 }
228}
229
608bcc6d
MM		 230static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
231 u16 seq)
232{
233 struct sk_buff *skb;
234
235 skb_queue_walk(head, skb) {
236 if (bt_cb(skb)->control.txseq == seq)
237 return skb;
238 }
239
240 return NULL;
241}
242
3c588192
MM		 243/* ---- L2CAP sequence number lists ---- */
244
245/* For ERTM, ordered lists of sequence numbers must be tracked for
246 * SREJ requests that are received and for frames that are to be
247 * retransmitted. These seq_list functions implement a singly-linked
248 * list in an array, where membership in the list can also be checked
249 * in constant time. Items can also be added to the tail of the list
250 * and removed from the head in constant time, without further memory
251 * allocs or frees.
252 */
253
254static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
255{
256 size_t alloc_size, i;
257
258 /* Allocated size is a power of 2 to map sequence numbers
259 * (which may be up to 14 bits) in to a smaller array that is
260 * sized for the negotiated ERTM transmit windows.
261 */
262 alloc_size = roundup_pow_of_two(size);
263
264 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
265 if (!seq_list->list)
266 return -ENOMEM;
267
268 seq_list->mask = alloc_size - 1;
269 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
270 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
271 for (i = 0; i < alloc_size; i++)
272 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
273
274 return 0;
275}
276
277static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
278{
279 kfree(seq_list->list);
280}
281
282static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
283 u16 seq)
284{
285 /* Constant-time check for list membership */
286 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
287}
288
289static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
290{
291 u16 mask = seq_list->mask;
292
293 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
294 /* In case someone tries to pop the head of an empty list */
295 return L2CAP_SEQ_LIST_CLEAR;
296 } else if (seq_list->head == seq) {
297 /* Head can be removed in constant time */
298 seq_list->head = seq_list->list[seq & mask];
299 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
300
301 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
302 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
303 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
304 }
305 } else {
306 /* Walk the list to find the sequence number */
307 u16 prev = seq_list->head;
308 while (seq_list->list[prev & mask] != seq) {
309 prev = seq_list->list[prev & mask];
310 if (prev == L2CAP_SEQ_LIST_TAIL)
311 return L2CAP_SEQ_LIST_CLEAR;
312 }
313
314 /* Unlink the number from the list and clear it */
315 seq_list->list[prev & mask] = seq_list->list[seq & mask];
316 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
317 if (seq_list->tail == seq)
318 seq_list->tail = prev;
319 }
320 return seq;
321}
322
323static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
324{
325 /* Remove the head in constant time */
326 return l2cap_seq_list_remove(seq_list, seq_list->head);
327}
328
329static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
330{
f522ae36 331 u16 i;
3c588192 332
f522ae36
GP		 333 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
334 return;
335
336 for (i = 0; i <= seq_list->mask; i++)
337 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
338
339 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
340 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 341}
342
343static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
344{
345 u16 mask = seq_list->mask;
346
347 /* All appends happen in constant time */
348
f522ae36
GP		 349 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
350 return;
3c588192 351
f522ae36
GP		 352 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
353 seq_list->head = seq;
354 else
355 seq_list->list[seq_list->tail & mask] = seq;
356
357 seq_list->tail = seq;
358 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 359}
360
721c4181 361static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 362{
721c4181
GP		 363 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
364 chan_timer.work);
3df91ea2 365 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 366 int reason;
367
e05dcc32 368 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 369
3df91ea2 370 mutex_lock(&conn->chan_lock);
6be36555 371 l2cap_chan_lock(chan);
ab07801d 372
89bc500e 373 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 374 reason = ECONNREFUSED;
89bc500e 375 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 376 chan->sec_level != BT_SECURITY_SDP)
377 reason = ECONNREFUSED;
378 else
379 reason = ETIMEDOUT;
380
0f852724 381 l2cap_chan_close(chan, reason);
ab07801d 382
6be36555 383 l2cap_chan_unlock(chan);
ab07801d 384
80b98027 385 chan->ops->close(chan);
3df91ea2
AE		 386 mutex_unlock(&conn->chan_lock);
387
371fd835 388 l2cap_chan_put(chan);
ab07801d
GP		 389}
390
eef1d9b6 391struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 392{
393 struct l2cap_chan *chan;
394
395 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
396 if (!chan)
397 return NULL;
398
c03b355e
AE		 399 mutex_init(&chan->lock);
400
333055f2 401 write_lock(&chan_list_lock);
23691d75 402 list_add(&chan->global_l, &chan_list);
333055f2 403 write_unlock(&chan_list_lock);
23691d75 404
721c4181 405 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 406
89bc500e
GP		 407 chan->state = BT_OPEN;
408
144ad330 409 kref_init(&chan->kref);
71ba0e56 410
2827011f
MM		 411 /* This flag is cleared in l2cap_chan_ready() */
412 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
413
eef1d9b6 414 BT_DBG("chan %p", chan);
abc545b8 415
48454079
GP		 416 return chan;
417}
418
144ad330 419static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 420{
144ad330
SS		 421 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
422
4af66c69
JK		 423 BT_DBG("chan %p", chan);
424
333055f2 425 write_lock(&chan_list_lock);
23691d75 426 list_del(&chan->global_l);
333055f2 427 write_unlock(&chan_list_lock);
23691d75 428
4af66c69 429 kfree(chan);
6ff5abbf
GP		 430}
431
30648372
JK		 432void l2cap_chan_hold(struct l2cap_chan *c)
433{
144ad330 434 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 435
144ad330 436 kref_get(&c->kref);
30648372
JK		 437}
438
439void l2cap_chan_put(struct l2cap_chan *c)
440{
144ad330 441 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 442
144ad330 443 kref_put(&c->kref, l2cap_chan_destroy);
30648372
JK		 444}
445
bd4b1653
AE		 446void l2cap_chan_set_defaults(struct l2cap_chan *chan)
447{
448 chan->fcs = L2CAP_FCS_CRC16;
449 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
450 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
451 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
c20f8e35 452 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653
AE		 453 chan->sec_level = BT_SECURITY_LOW;
454
455 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
456}
457
14a28491 458static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 459{
af05b30b 460 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 461 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 462
9f5a0d7b 463 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 464
8c1d787b 465 chan->conn = conn;
0139418c 466
5491120e
AE		 467 switch (chan->chan_type) {
468 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 469 if (conn->hcon->type == LE_LINK) {
470 /* LE connection */
6fcb06a2 471 chan->omtu = L2CAP_DEFAULT_MTU;
fe4128e0
GP		 472 chan->scid = L2CAP_CID_LE_DATA;
473 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 474 } else {
475 /* Alloc CID for connection-oriented socket */
fe4128e0 476 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 477 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 478 }
5491120e
AE		 479 break;
480
481 case L2CAP_CHAN_CONN_LESS:
0139418c 482 /* Connectionless socket */
fe4128e0
GP		 483 chan->scid = L2CAP_CID_CONN_LESS;
484 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 485 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 486 break;
487
416fa752
AE		 488 case L2CAP_CHAN_CONN_FIX_A2MP:
489 chan->scid = L2CAP_CID_A2MP;
490 chan->dcid = L2CAP_CID_A2MP;
491 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
492 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
493 break;
494
5491120e 495 default:
0139418c 496 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 497 chan->scid = L2CAP_CID_SIGNALING;
498 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 499 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 500 }
501
8f7975b1
AE		 502 chan->local_id = L2CAP_BESTEFFORT_ID;
503 chan->local_stype = L2CAP_SERV_BESTEFFORT;
504 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
505 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
506 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
507 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
508
371fd835 509 l2cap_chan_hold(chan);
baa7e1fa 510
3df91ea2 511 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 512}
513
466f8004 514void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 515{
516 mutex_lock(&conn->chan_lock);
517 __l2cap_chan_add(conn, chan);
3df91ea2 518 mutex_unlock(&conn->chan_lock);
0139418c
MH		 519}
520
466f8004 521void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 522{
8c1d787b 523 struct l2cap_conn *conn = chan->conn;
0139418c 524
c9b66675 525 __clear_chan_timer(chan);
0139418c 526
49208c9c 527 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 528
8e87d142 529 if (conn) {
baa7e1fa 530 /* Delete from channel list */
3df91ea2 531 list_del(&chan->list);
3d57dc68 532
371fd835 533 l2cap_chan_put(chan);
baa7e1fa 534
8c1d787b 535 chan->conn = NULL;
3cabbfda
AE		 536
537 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
538 hci_conn_put(conn->hcon);
0139418c
MH		 539 }
540
c0df7f6e
AE		 541 if (chan->ops->teardown)
542 chan->ops->teardown(chan, err);
6be36555 543
2827011f 544 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 545 return;
2ead70b8 546
ee556f66
GP		 547 switch(chan->mode) {
548 case L2CAP_MODE_BASIC:
549 break;
c13ffa62 550
ee556f66 551 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 552 __clear_retrans_timer(chan);
553 __clear_monitor_timer(chan);
554 __clear_ack_timer(chan);
c13ffa62 555
f1c6775b 556 skb_queue_purge(&chan->srej_q);
c13ffa62 557
3c588192
MM		 558 l2cap_seq_list_free(&chan->srej_list);
559 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 560
561 /* fall through */
562
563 case L2CAP_MODE_STREAMING:
564 skb_queue_purge(&chan->tx_q);
565 break;
c13ffa62 566 }
ee556f66
GP		 567
568 return;
0139418c
MH		 569}
570
0f852724 571void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 572{
573 struct l2cap_conn *conn = chan->conn;
574 struct sock *sk = chan->sk;
575
e05dcc32
AE		 576 BT_DBG("chan %p state %s sk %p", chan,
577 state_to_string(chan->state), sk);
4519de9a 578
89bc500e 579 switch (chan->state) {
4519de9a 580 case BT_LISTEN:
c0df7f6e
AE		 581 if (chan->ops->teardown)
582 chan->ops->teardown(chan, 0);
4519de9a
GP		 583 break;
584
585 case BT_CONNECTED:
586 case BT_CONFIG:
715ec005 587 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 588 conn->hcon->type == ACL_LINK) {
c9b66675 589 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 590 l2cap_send_disconn_req(conn, chan, reason);
591 } else
592 l2cap_chan_del(chan, reason);
593 break;
594
595 case BT_CONNECT2:
715ec005 596 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 597 conn->hcon->type == ACL_LINK) {
598 struct l2cap_conn_rsp rsp;
599 __u16 result;
600
c5daa683 601 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 602 result = L2CAP_CR_SEC_BLOCK;
603 else
604 result = L2CAP_CR_BAD_PSM;
89bc500e 605 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 606
607 rsp.scid = cpu_to_le16(chan->dcid);
608 rsp.dcid = cpu_to_le16(chan->scid);
609 rsp.result = cpu_to_le16(result);
ac73498c 610 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4519de9a
GP		 611 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
612 sizeof(rsp), &rsp);
613 }
614
615 l2cap_chan_del(chan, reason);
616 break;
617
618 case BT_CONNECT:
619 case BT_DISCONN:
620 l2cap_chan_del(chan, reason);
621 break;
622
623 default:
c0df7f6e
AE		 624 if (chan->ops->teardown)
625 chan->ops->teardown(chan, 0);
4519de9a
GP		 626 break;
627 }
628}
629
4343478f 630static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 631{
715ec005 632 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 633 switch (chan->sec_level) {
8556edd3
JH		 634 case BT_SECURITY_HIGH:
635 return HCI_AT_DEDICATED_BONDING_MITM;
636 case BT_SECURITY_MEDIUM:
637 return HCI_AT_DEDICATED_BONDING;
638 default:
639 return HCI_AT_NO_BONDING;
640 }
2983fd68 641 } else if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
4343478f
GP		 642 if (chan->sec_level == BT_SECURITY_LOW)
643 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 644
4343478f 645 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 646 return HCI_AT_NO_BONDING_MITM;
00ae4af9 647 else
8556edd3 648 return HCI_AT_NO_BONDING;
00ae4af9 649 } else {
4343478f 650 switch (chan->sec_level) {
00ae4af9 651 case BT_SECURITY_HIGH:
8556edd3 652 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 653 case BT_SECURITY_MEDIUM:
8556edd3 654 return HCI_AT_GENERAL_BONDING;
00ae4af9 655 default:
8556edd3 656 return HCI_AT_NO_BONDING;
00ae4af9 657 }
0684e5f9 658 }
8556edd3
JH		 659}
660
661/* Service level security */
d45fc423 662int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 663{
8c1d787b 664 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 665 __u8 auth_type;
666
4343478f 667 auth_type = l2cap_get_auth_type(chan);
79d554a6 668
4343478f 669 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 670}
671
b5ad8b7f 672static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 673{
674 u8 id;
675
676 /* Get next available identificator.
677 * 1 - 128 are used by kernel.
678 * 129 - 199 are reserved.
679 * 200 - 254 are used by utilities like l2ping, etc.
680 */
681
333055f2 682 spin_lock(&conn->lock);
4e8402a3
MH		 683
684 if (++conn->tx_ident > 128)
685 conn->tx_ident = 1;
686
687 id = conn->tx_ident;
688
333055f2 689 spin_unlock(&conn->lock);
4e8402a3
MH		 690
691 return id;
692}
693
4519de9a 694static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 695{
696 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 697 u8 flags;
4e8402a3
MH		 698
699 BT_DBG("code 0x%2.2x", code);
700
701 if (!skb)
9a9c6a34 702 return;
4e8402a3 703
e702112f
AE		 704 if (lmp_no_flush_capable(conn->hcon->hdev))
705 flags = ACL_START_NO_FLUSH;
706 else
707 flags = ACL_START;
708
14b12d0b 709 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 710 skb->priority = HCI_PRIO_MAX;
14b12d0b 711
73d80deb
LAD		 712 hci_send_acl(conn->hchan, skb, flags);
713}
714
715static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
716{
717 struct hci_conn *hcon = chan->conn->hcon;
718 u16 flags;
719
720 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
721 skb->priority);
722
723 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
724 lmp_no_flush_capable(hcon->hdev))
725 flags = ACL_START_NO_FLUSH;
726 else
727 flags = ACL_START;
14b12d0b 728
73d80deb
LAD		 729 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
730 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 731}
732
b76bbd66
MM		 733static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
734{
735 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
736 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
737
738 if (enh & L2CAP_CTRL_FRAME_TYPE) {
739 /* S-Frame */
740 control->sframe = 1;
741 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
742 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
743
744 control->sar = 0;
745 control->txseq = 0;
746 } else {
747 /* I-Frame */
748 control->sframe = 0;
749 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
750 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
751
752 control->poll = 0;
753 control->super = 0;
754 }
755}
756
b76bbd66
MM		 757static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
758{
759 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
760 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
761
762 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
763 /* S-Frame */
764 control->sframe = 1;
765 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
766 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
767
768 control->sar = 0;
769 control->txseq = 0;
770 } else {
771 /* I-Frame */
772 control->sframe = 0;
773 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
774 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
775
776 control->poll = 0;
777 control->super = 0;
778 }
779}
780
781static inline void __unpack_control(struct l2cap_chan *chan,
782 struct sk_buff *skb)
783{
784 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
785 __unpack_extended_control(get_unaligned_le32(skb->data),
786 &bt_cb(skb)->control);
cec8ab6e 787 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 788 } else {
789 __unpack_enhanced_control(get_unaligned_le16(skb->data),
790 &bt_cb(skb)->control);
cec8ab6e 791 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 792 }
793}
794
b5c6aaed
MM		 795static u32 __pack_extended_control(struct l2cap_ctrl *control)
796{
797 u32 packed;
798
799 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
800 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
801
802 if (control->sframe) {
803 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
804 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
805 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
806 } else {
807 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
808 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
809 }
810
811 return packed;
812}
813
814static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
815{
816 u16 packed;
817
818 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
819 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
820
821 if (control->sframe) {
822 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
823 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
824 packed |= L2CAP_CTRL_FRAME_TYPE;
825 } else {
826 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
827 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
828 }
829
830 return packed;
831}
832
b76bbd66
MM		 833static inline void __pack_control(struct l2cap_chan *chan,
834 struct l2cap_ctrl *control,
835 struct sk_buff *skb)
836{
837 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
838 put_unaligned_le32(__pack_extended_control(control),
839 skb->data + L2CAP_HDR_SIZE);
840 } else {
841 put_unaligned_le16(__pack_enhanced_control(control),
842 skb->data + L2CAP_HDR_SIZE);
843 }
844}
845
ba7aa64f
GP		 846static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
847{
848 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
849 return L2CAP_EXT_HDR_SIZE;
850 else
851 return L2CAP_ENH_HDR_SIZE;
852}
853
a67d7f6f
MM		 854static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
855 u32 control)
b5c6aaed
MM		 856{
857 struct sk_buff *skb;
858 struct l2cap_hdr *lh;
ba7aa64f 859 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 860
861 if (chan->fcs == L2CAP_FCS_CRC16)
862 hlen += L2CAP_FCS_SIZE;
863
a67d7f6f 864 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 865
b5c6aaed 866 if (!skb)
a67d7f6f 867 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 868
869 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
870 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
871 lh->cid = cpu_to_le16(chan->dcid);
872
a67d7f6f
MM		 873 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
874 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
875 else
876 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 877
878 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 879 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 880 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
881 }
882
883 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 884 return skb;
885}
886
887static void l2cap_send_sframe(struct l2cap_chan *chan,
888 struct l2cap_ctrl *control)
889{
890 struct sk_buff *skb;
891 u32 control_field;
892
893 BT_DBG("chan %p, control %p", chan, control);
894
895 if (!control->sframe)
896 return;
897
898 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
899 !control->poll)
900 control->final = 1;
901
902 if (control->super == L2CAP_SUPER_RR)
903 clear_bit(CONN_RNR_SENT, &chan->conn_state);
904 else if (control->super == L2CAP_SUPER_RNR)
905 set_bit(CONN_RNR_SENT, &chan->conn_state);
906
907 if (control->super != L2CAP_SUPER_SREJ) {
908 chan->last_acked_seq = control->reqseq;
909 __clear_ack_timer(chan);
910 }
911
912 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
913 control->final, control->poll, control->super);
914
915 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
916 control_field = __pack_extended_control(control);
917 else
918 control_field = __pack_enhanced_control(control);
919
920 skb = l2cap_create_sframe_pdu(chan, control_field);
921 if (!IS_ERR(skb))
922 l2cap_do_send(chan, skb);
b5c6aaed
MM		 923}
924
c9e3d5e0 925static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 926{
c9e3d5e0
MM		 927 struct l2cap_ctrl control;
928
929 BT_DBG("chan %p, poll %d", chan, poll);
930
931 memset(&control, 0, sizeof(control));
932 control.sframe = 1;
933 control.poll = poll;
934
935 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
936 control.super = L2CAP_SUPER_RNR;
937 else
938 control.super = L2CAP_SUPER_RR;
b5c6aaed 939
c9e3d5e0
MM		 940 control.reqseq = chan->buffer_seq;
941 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 942}
943
b4450035 944static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 945{
c1360a1c 946 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 947}
948
9b27f350
AE		 949static void l2cap_send_conn_req(struct l2cap_chan *chan)
950{
951 struct l2cap_conn *conn = chan->conn;
952 struct l2cap_conn_req req;
953
954 req.scid = cpu_to_le16(chan->scid);
955 req.psm = chan->psm;
956
957 chan->ident = l2cap_get_ident(conn);
958
959 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
960
961 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
962}
963
9f0caeb1
VCG		 964static void l2cap_chan_ready(struct l2cap_chan *chan)
965{
2827011f 966 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 967 chan->conf_state = 0;
968 __clear_chan_timer(chan);
969
54a59aa2 970 chan->state = BT_CONNECTED;
9f0caeb1 971
fd83e2c2 972 chan->ops->ready(chan);
9f0caeb1
VCG		 973}
974
fc7f8a7e 975static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 976{
8c1d787b 977 struct l2cap_conn *conn = chan->conn;
79d554a6 978
9f0caeb1
VCG		 979 if (conn->hcon->type == LE_LINK) {
980 l2cap_chan_ready(chan);
981 return;
982 }
983
79d554a6 984 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 985 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
986 return;
987
d45fc423 988 if (l2cap_chan_check_security(chan) &&
9b27f350
AE		 989 __l2cap_no_conn_pending(chan))
990 l2cap_send_conn_req(chan);
79d554a6
MH		 991 } else {
992 struct l2cap_info_req req;
ac73498c 993 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 994
995 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
996 conn->info_ident = l2cap_get_ident(conn);
997
ba13ccd9 998 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 999
1000 l2cap_send_cmd(conn, conn->info_ident,
1001 L2CAP_INFO_REQ, sizeof(req), &req);
1002 }
1003}
1004
cf6c2c0b
GP		 1005static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1006{
1007 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1008 if (!disable_ertm)
cf6c2c0b
GP		 1009 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1010
1011 switch (mode) {
1012 case L2CAP_MODE_ERTM:
1013 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1014 case L2CAP_MODE_STREAMING:
1015 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1016 default:
1017 return 0x00;
1018 }
1019}
1020
4519de9a 1021static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 1022{
6be36555 1023 struct sock *sk = chan->sk;
22121fc9
GP		 1024 struct l2cap_disconn_req req;
1025
c13ffa62
GP		 1026 if (!conn)
1027 return;
1028
aad3d0e3 1029 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1030 __clear_retrans_timer(chan);
1031 __clear_monitor_timer(chan);
1032 __clear_ack_timer(chan);
c13ffa62
GP		 1033 }
1034
416fa752
AE		 1035 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1036 __l2cap_state_change(chan, BT_DISCONN);
1037 return;
1038 }
1039
fe4128e0
GP		 1040 req.dcid = cpu_to_le16(chan->dcid);
1041 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 1042 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1043 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 1044
6be36555 1045 lock_sock(sk);
0e587be7 1046 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1047 __l2cap_chan_set_err(chan, err);
6be36555 1048 release_sock(sk);
22121fc9
GP		 1049}
1050
1da177e4 1051/* ---- L2CAP connections ---- */
4e8402a3
MH		 1052static void l2cap_conn_start(struct l2cap_conn *conn)
1053{
3df91ea2 1054 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1055
1056 BT_DBG("conn %p", conn);
1057
3df91ea2 1058 mutex_lock(&conn->chan_lock);
4e8402a3 1059
3df91ea2 1060 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1061 struct sock *sk = chan->sk;
baa7e1fa 1062
6be36555 1063 l2cap_chan_lock(chan);
4e8402a3 1064
715ec005 1065 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1066 l2cap_chan_unlock(chan);
79d554a6
MH		 1067 continue;
1068 }
1069
89bc500e 1070 if (chan->state == BT_CONNECT) {
d45fc423 1071 if (!l2cap_chan_check_security(chan) ||
b4450035 1072 !__l2cap_no_conn_pending(chan)) {
6be36555 1073 l2cap_chan_unlock(chan);
47731de7
GP		 1074 continue;
1075 }
79d554a6 1076
c1360a1c
GP		 1077 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1078 && test_bit(CONF_STATE2_DEVICE,
1079 &chan->conf_state)) {
89bc500e 1080 l2cap_chan_close(chan, ECONNRESET);
6be36555 1081 l2cap_chan_unlock(chan);
47731de7 1082 continue;
b1235d79 1083 }
47731de7 1084
9b27f350 1085 l2cap_send_conn_req(chan);
47731de7 1086
89bc500e 1087 } else if (chan->state == BT_CONNECT2) {
79d554a6 1088 struct l2cap_conn_rsp rsp;
e9aeb2dd 1089 char buf[128];
fe4128e0
GP		 1090 rsp.scid = cpu_to_le16(chan->dcid);
1091 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1092
d45fc423 1093 if (l2cap_chan_check_security(chan)) {
6be36555 1094 lock_sock(sk);
c5daa683
GP		 1095 if (test_bit(BT_SK_DEFER_SETUP,
1096 &bt_sk(sk)->flags)) {
f66dc81f 1097 struct sock *parent = bt_sk(sk)->parent;
ac73498c
AE		 1098 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1099 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 1100 if (parent)
1101 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 1102
1103 } else {
0e587be7 1104 __l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1105 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1106 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1107 }
6be36555 1108 release_sock(sk);
79d554a6 1109 } else {
ac73498c
AE		 1110 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1111 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1112 }
1113
fc7f8a7e
GP		 1114 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1115 sizeof(rsp), &rsp);
e9aeb2dd 1116
c1360a1c 1117 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd 1118 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1119 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1120 continue;
1121 }
1122
c1360a1c 1123 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1124 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 1125 l2cap_build_conf_req(chan, buf), buf);
1126 chan->num_conf_req++;
4e8402a3
MH		 1127 }
1128
6be36555 1129 l2cap_chan_unlock(chan);
4e8402a3
MH		 1130 }
1131
3df91ea2 1132 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1133}
1134
c2287681 1135/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1136 * Returns closest match, locked.
1137 */
d9b88702 1138static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1139 bdaddr_t *src,
1140 bdaddr_t *dst)
b62f328b 1141{
23691d75 1142 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1143
23691d75 1144 read_lock(&chan_list_lock);
b62f328b 1145
23691d75
GP		 1146 list_for_each_entry(c, &chan_list, global_l) {
1147 struct sock *sk = c->sk;
fe4128e0 1148
89bc500e 1149 if (state && c->state != state)
b62f328b
VT		 1150 continue;
1151
23691d75 1152 if (c->scid == cid) {
c2287681
IY		 1153 int src_match, dst_match;
1154 int src_any, dst_any;
1155
b62f328b 1156 /* Exact match. */
c2287681
IY		 1157 src_match = !bacmp(&bt_sk(sk)->src, src);
1158 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1159 if (src_match && dst_match) {
23691d75
GP		 1160 read_unlock(&chan_list_lock);
1161 return c;
1162 }
b62f328b
VT		 1163
1164 /* Closest match */
c2287681
IY		 1165 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1166 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1167 if ((src_match && dst_any) || (src_any && dst_match) ||
1168 (src_any && dst_any))
23691d75 1169 c1 = c;
b62f328b
VT		 1170 }
1171 }
280f294f 1172
23691d75 1173 read_unlock(&chan_list_lock);
b62f328b 1174
23691d75 1175 return c1;
b62f328b
VT		 1176}
1177
1178static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1179{
c916fbe4 1180 struct sock *parent, *sk;
23691d75 1181 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1182
1183 BT_DBG("");
1184
1185 /* Check if we have socket listening on cid */
23691d75 1186 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1187 conn->src, conn->dst);
23691d75 1188 if (!pchan)
b62f328b
VT		 1189 return;
1190
23691d75
GP		 1191 parent = pchan->sk;
1192
aa2ac881 1193 lock_sock(parent);
62f3a2cf 1194
80b98027 1195 chan = pchan->ops->new_connection(pchan);
80808e43 1196 if (!chan)
b62f328b
VT		 1197 goto clean;
1198
80808e43 1199 sk = chan->sk;
5d41ce1d 1200
b62f328b 1201 hci_conn_hold(conn->hcon);
a9ea3ed9 1202 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
b62f328b 1203
b62f328b
VT		 1204 bacpy(&bt_sk(sk)->src, conn->src);
1205 bacpy(&bt_sk(sk)->dst, conn->dst);
1206
d1010240
GP		 1207 bt_accept_enqueue(parent, sk);
1208
3d57dc68 1209 l2cap_chan_add(conn, chan);
48454079 1210
6754e0df 1211 l2cap_chan_ready(chan);
b62f328b 1212
b62f328b 1213clean:
aa2ac881 1214 release_sock(parent);
b62f328b
VT		 1215}
1216
4e8402a3
MH		 1217static void l2cap_conn_ready(struct l2cap_conn *conn)
1218{
48454079 1219 struct l2cap_chan *chan;
cc110922 1220 struct hci_conn *hcon = conn->hcon;
4e8402a3 1221
79d554a6 1222 BT_DBG("conn %p", conn);
4e8402a3 1223
cc110922 1224 if (!hcon->out && hcon->type == LE_LINK)
b62f328b
VT		 1225 l2cap_le_conn_ready(conn);
1226
cc110922
VCG		 1227 if (hcon->out && hcon->type == LE_LINK)
1228 smp_conn_security(hcon, hcon->pending_sec_level);
160dc6ac 1229
3df91ea2 1230 mutex_lock(&conn->chan_lock);
4e8402a3 1231
3df91ea2 1232 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1233
6be36555 1234 l2cap_chan_lock(chan);
4e8402a3 1235
416fa752
AE		 1236 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1237 l2cap_chan_unlock(chan);
1238 continue;
1239 }
1240
cc110922
VCG		 1241 if (hcon->type == LE_LINK) {
1242 if (smp_conn_security(hcon, chan->sec_level))
cf4cd009 1243 l2cap_chan_ready(chan);
acd7d370 1244
63128451 1245 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1246 struct sock *sk = chan->sk;
c9b66675 1247 __clear_chan_timer(chan);
6be36555 1248 lock_sock(sk);
0e587be7 1249 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1250 sk->sk_state_change(sk);
6be36555 1251 release_sock(sk);
b501d6a1 1252
89bc500e 1253 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1254 l2cap_do_start(chan);
4e8402a3 1255
6be36555 1256 l2cap_chan_unlock(chan);
4e8402a3 1257 }
79d554a6 1258
3df91ea2 1259 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1260}
1261
1262/* Notify sockets that we cannot guaranty reliability anymore */
1263static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1264{
48454079 1265 struct l2cap_chan *chan;
4e8402a3
MH		 1266
1267 BT_DBG("conn %p", conn);
1268
3df91ea2 1269 mutex_lock(&conn->chan_lock);
4e8402a3 1270
3df91ea2 1271 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1272 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
2e0052e4 1273 __l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1274 }
1275
3df91ea2 1276 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1277}
1278
f878fcad 1279static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1280{
f878fcad 1281 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
030013d8 1282 info_timer.work);
4e8402a3 1283
984947dc 1284 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1285 conn->info_ident = 0;
984947dc 1286
4e8402a3
MH		 1287 l2cap_conn_start(conn);
1288}
1289
5d3de7df
VCG		 1290static void l2cap_conn_del(struct hci_conn *hcon, int err)
1291{
1292 struct l2cap_conn *conn = hcon->l2cap_data;
1293 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1294
1295 if (!conn)
1296 return;
1297
1298 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1299
1300 kfree_skb(conn->rx_skb);
1301
3df91ea2
AE		 1302 mutex_lock(&conn->chan_lock);
1303
5d3de7df
VCG		 1304 /* Kill channels */
1305 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1306 l2cap_chan_hold(chan);
6be36555
AE		 1307 l2cap_chan_lock(chan);
1308
5d3de7df 1309 l2cap_chan_del(chan, err);
6be36555
AE		 1310
1311 l2cap_chan_unlock(chan);
1312
80b98027 1313 chan->ops->close(chan);
61d6ef3e 1314 l2cap_chan_put(chan);
5d3de7df
VCG		 1315 }
1316
3df91ea2
AE		 1317 mutex_unlock(&conn->chan_lock);
1318
73d80deb
LAD		 1319 hci_chan_del(conn->hchan);
1320
5d3de7df 1321 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1322 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1323
51a8efd7 1324 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1325 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1326 smp_chan_destroy(conn);
d26a2345 1327 }
5d3de7df
VCG		 1328
1329 hcon->l2cap_data = NULL;
1330 kfree(conn);
1331}
1332
6c9d42a1 1333static void security_timeout(struct work_struct *work)
5d3de7df 1334{
6c9d42a1
GP		 1335 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1336 security_timer.work);
5d3de7df 1337
d06cc416
JH		 1338 BT_DBG("conn %p", conn);
1339
1340 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1341 smp_chan_destroy(conn);
1342 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1343 }
5d3de7df
VCG		 1344}
1345
1da177e4
LT		 1346static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1347{
0139418c 1348 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1349 struct hci_chan *hchan;
1da177e4 1350
0139418c 1351 if (conn || status)
1da177e4
LT		 1352 return conn;
1353
73d80deb
LAD		 1354 hchan = hci_chan_create(hcon);
1355 if (!hchan)
1356 return NULL;
1357
0139418c 1358 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
73d80deb
LAD		 1359 if (!conn) {
1360 hci_chan_del(hchan);
1da177e4 1361 return NULL;
73d80deb 1362 }
1da177e4
LT		 1363
1364 hcon->l2cap_data = conn;
1365 conn->hcon = hcon;
73d80deb 1366 conn->hchan = hchan;
1da177e4 1367
73d80deb 1368 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1369
acd7d370
VT		 1370 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1371 conn->mtu = hcon->hdev->le_mtu;
1372 else
1373 conn->mtu = hcon->hdev->acl_mtu;
1374
1da177e4
LT		 1375 conn->src = &hcon->hdev->bdaddr;
1376 conn->dst = &hcon->dst;
1377
4e8402a3
MH		 1378 conn->feat_mask = 0;
1379
1da177e4 1380 spin_lock_init(&conn->lock);
3df91ea2 1381 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1382
1383 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1384
5d3de7df 1385 if (hcon->type == LE_LINK)
6c9d42a1 1386 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1387 else
030013d8 1388 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1389
9f5a0d7b 1390 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1391
1da177e4
LT		 1392 return conn;
1393}
1394
1da177e4 1395/* ---- Socket interface ---- */
1da177e4 1396
c2287681 1397/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1398 * Returns closest match.
1399 */
c2287681
IY		 1400static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1401 bdaddr_t *src,
1402 bdaddr_t *dst)
1da177e4 1403{
23691d75 1404 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1405
23691d75 1406 read_lock(&chan_list_lock);
e0f0cb56 1407
23691d75
GP		 1408 list_for_each_entry(c, &chan_list, global_l) {
1409 struct sock *sk = c->sk;
fe4128e0 1410
89bc500e 1411 if (state && c->state != state)
1da177e4
LT		 1412 continue;
1413
23691d75 1414 if (c->psm == psm) {
c2287681
IY		 1415 int src_match, dst_match;
1416 int src_any, dst_any;
1417
1da177e4 1418 /* Exact match. */
c2287681
IY		 1419 src_match = !bacmp(&bt_sk(sk)->src, src);
1420 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1421 if (src_match && dst_match) {
a7567b20 1422 read_unlock(&chan_list_lock);
23691d75
GP		 1423 return c;
1424 }
1da177e4
LT		 1425
1426 /* Closest match */
c2287681
IY		 1427 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1428 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1429 if ((src_match && dst_any) || (src_any && dst_match) ||
1430 (src_any && dst_any))
23691d75 1431 c1 = c;
1da177e4
LT		 1432 }
1433 }
1da177e4 1434
23691d75 1435 read_unlock(&chan_list_lock);
e0f0cb56 1436
23691d75 1437 return c1;
1da177e4
LT		 1438}
1439
8e9f9892
AG		 1440int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1441 bdaddr_t *dst, u8 dst_type)
1da177e4 1442{
5d41ce1d 1443 struct sock *sk = chan->sk;
1da177e4 1444 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1445 struct l2cap_conn *conn;
1446 struct hci_conn *hcon;
1447 struct hci_dev *hdev;
09ab6f4c 1448 __u8 auth_type;
44d0e48e 1449 int err;
1da177e4 1450
8e9f9892 1451 BT_DBG("%s -> %s (type %u) psm 0x%2.2x", batostr(src), batostr(dst),
ab19516a 1452 dst_type, __le16_to_cpu(psm));
1da177e4 1453
af05b30b
GP		 1454 hdev = hci_get_route(dst, src);
1455 if (!hdev)
1da177e4
LT		 1456 return -EHOSTUNREACH;
1457
09fd0de5 1458 hci_dev_lock(hdev);
1da177e4 1459
6be36555 1460 l2cap_chan_lock(chan);
03a00194
GP		 1461
1462 /* PSM must be odd and lsb of upper byte must be 0 */
1463 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1464 chan->chan_type != L2CAP_CHAN_RAW) {
1465 err = -EINVAL;
1466 goto done;
1467 }
1468
1469 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1470 err = -EINVAL;
1471 goto done;
1472 }
1473
1474 switch (chan->mode) {
1475 case L2CAP_MODE_BASIC:
1476 break;
1477 case L2CAP_MODE_ERTM:
1478 case L2CAP_MODE_STREAMING:
1479 if (!disable_ertm)
1480 break;
1481 /* fall through */
1482 default:
1483 err = -ENOTSUPP;
1484 goto done;
1485 }
1486
0797e01d 1487 switch (chan->state) {
03a00194
GP		 1488 case BT_CONNECT:
1489 case BT_CONNECT2:
1490 case BT_CONFIG:
1491 /* Already connecting */
1492 err = 0;
1493 goto done;
1494
1495 case BT_CONNECTED:
1496 /* Already connected */
1497 err = -EISCONN;
1498 goto done;
1499
1500 case BT_OPEN:
1501 case BT_BOUND:
1502 /* Can connect */
1503 break;
1504
1505 default:
1506 err = -EBADFD;
1507 goto done;
1508 }
1509
1510 /* Set destination address and psm */
0797e01d 1511 lock_sock(sk);
9219b2a0 1512 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1513 release_sock(sk);
1514
03a00194
GP		 1515 chan->psm = psm;
1516 chan->dcid = cid;
1da177e4 1517
4343478f 1518 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1519
fe4128e0 1520 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1521 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1522 chan->sec_level, auth_type);
acd7d370 1523 else
8e9f9892 1524 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1525 chan->sec_level, auth_type);
acd7d370 1526
30e76272
VT		 1527 if (IS_ERR(hcon)) {
1528 err = PTR_ERR(hcon);
1da177e4 1529 goto done;
30e76272 1530 }
1da177e4
LT		 1531
1532 conn = l2cap_conn_add(hcon, 0);
1533 if (!conn) {
1534 hci_conn_put(hcon);
30e76272 1535 err = -ENOMEM;
1da177e4
LT		 1536 goto done;
1537 }
1538
9f0caeb1
VCG		 1539 if (hcon->type == LE_LINK) {
1540 err = 0;
1541
1542 if (!list_empty(&conn->chan_l)) {
1543 err = -EBUSY;
1544 hci_conn_put(hcon);
1545 }
1546
1547 if (err)
1548 goto done;
1549 }
1550
1da177e4
LT		 1551 /* Update source addr of the socket */
1552 bacpy(src, conn->src);
1553
6be36555 1554 l2cap_chan_unlock(chan);
48454079 1555 l2cap_chan_add(conn, chan);
6be36555 1556 l2cap_chan_lock(chan);
48454079 1557
6be36555 1558 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1559 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1560
1561 if (hcon->state == BT_CONNECTED) {
715ec005 1562 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1563 __clear_chan_timer(chan);
d45fc423 1564 if (l2cap_chan_check_security(chan))
6be36555 1565 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1566 } else
fc7f8a7e 1567 l2cap_do_start(chan);
1da177e4
LT		 1568 }
1569
30e76272
VT		 1570 err = 0;
1571
1da177e4 1572done:
6be36555 1573 l2cap_chan_unlock(chan);
09fd0de5 1574 hci_dev_unlock(hdev);
1da177e4
LT		 1575 hci_dev_put(hdev);
1576 return err;
1577}
1578
dcba0dba 1579int __l2cap_wait_ack(struct sock *sk)
6161c038 1580{
8c1d787b 1581 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1582 DECLARE_WAITQUEUE(wait, current);
1583 int err = 0;
1584 int timeo = HZ/5;
1585
2b0b05dd 1586 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1587 set_current_state(TASK_INTERRUPTIBLE);
1588 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1589 if (!timeo)
1590 timeo = HZ/5;
1591
1592 if (signal_pending(current)) {
1593 err = sock_intr_errno(timeo);
1594 break;
1595 }
1596
1597 release_sock(sk);
1598 timeo = schedule_timeout(timeo);
1599 lock_sock(sk);
a71a0cf4 1600 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1601
1602 err = sock_error(sk);
1603 if (err)
1604 break;
1605 }
1606 set_current_state(TASK_RUNNING);
2b0b05dd 1607 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1608 return err;
1609}
1610
721c4181 1611static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1612{
721c4181 1613 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1614 monitor_timer.work);
e90bac06 1615
525cd185 1616 BT_DBG("chan %p", chan);
0e98958d 1617
6be36555
AE		 1618 l2cap_chan_lock(chan);
1619
80909e04 1620 if (!chan->conn) {
6be36555 1621 l2cap_chan_unlock(chan);
8d7e1c7f 1622 l2cap_chan_put(chan);
e90bac06
GP		 1623 return;
1624 }
1625
401bb1f7 1626 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1627
6be36555 1628 l2cap_chan_unlock(chan);
8d7e1c7f 1629 l2cap_chan_put(chan);
e90bac06
GP		 1630}
1631
721c4181 1632static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1633{
721c4181 1634 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1635 retrans_timer.work);
e90bac06 1636
49208c9c 1637 BT_DBG("chan %p", chan);
0e98958d 1638
6be36555
AE		 1639 l2cap_chan_lock(chan);
1640
80909e04
MM		 1641 if (!chan->conn) {
1642 l2cap_chan_unlock(chan);
1643 l2cap_chan_put(chan);
1644 return;
1645 }
6be36555 1646
401bb1f7 1647 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1648 l2cap_chan_unlock(chan);
8d7e1c7f 1649 l2cap_chan_put(chan);
e90bac06
GP		 1650}
1651
d660366d
GP		 1652static void l2cap_streaming_send(struct l2cap_chan *chan,
1653 struct sk_buff_head *skbs)
6840ed07 1654{
ccbb84af 1655 struct sk_buff *skb;
3733937d 1656 struct l2cap_ctrl *control;
6840ed07 1657
3733937d
MM		 1658 BT_DBG("chan %p, skbs %p", chan, skbs);
1659
3733937d
MM		 1660 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1661
1662 while (!skb_queue_empty(&chan->tx_q)) {
1663
1664 skb = skb_dequeue(&chan->tx_q);
1665
1666 bt_cb(skb)->control.retries = 1;
1667 control = &bt_cb(skb)->control;
1668
1669 control->reqseq = 0;
1670 control->txseq = chan->next_tx_seq;
1671
1672 __pack_control(chan, control, skb);
6840ed07 1673
47d1ec61 1674 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1675 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1676 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1677 }
1678
4343478f 1679 l2cap_do_send(chan, skb);
6840ed07 1680
b4400672 1681 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1682
836be934 1683 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1684 chan->frames_sent++;
6840ed07 1685 }
6840ed07
GP		 1686}
1687
67c9e840 1688static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1689{
1690 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1691 struct l2cap_ctrl *control;
1692 int sent = 0;
1693
1694 BT_DBG("chan %p", chan);
1c2acffb 1695
89bc500e 1696 if (chan->state != BT_CONNECTED)
c13ffa62 1697 return -ENOTCONN;
e90bac06 1698
94122bbe
MM		 1699 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1700 return 0;
1701
18a48e76
MM		 1702 while (chan->tx_send_head &&
1703 chan->unacked_frames < chan->remote_tx_win &&
1704 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1705
18a48e76 1706 skb = chan->tx_send_head;
e90bac06 1707
18a48e76
MM		 1708 bt_cb(skb)->control.retries = 1;
1709 control = &bt_cb(skb)->control;
95ffa978 1710
e2ab4353 1711 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1712 control->final = 1;
e2ab4353 1713
18a48e76
MM		 1714 control->reqseq = chan->buffer_seq;
1715 chan->last_acked_seq = chan->buffer_seq;
1716 control->txseq = chan->next_tx_seq;
1c2acffb 1717
18a48e76 1718 __pack_control(chan, control, skb);
e90bac06 1719
47d1ec61 1720 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1721 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1722 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1723 }
1724
18a48e76
MM		 1725 /* Clone after data has been modified. Data is assumed to be
1726 read-only (for locking purposes) on cloned sk_buffs.
1727 */
1728 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1729
18a48e76
MM		 1730 if (!tx_skb)
1731 break;
1c2acffb 1732
18a48e76 1733 __set_retrans_timer(chan);
836be934
AE		 1734
1735 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1736 chan->unacked_frames++;
6a026610 1737 chan->frames_sent++;
18a48e76 1738 sent++;
1c2acffb 1739
58d35f87
GP		 1740 if (skb_queue_is_last(&chan->tx_q, skb))
1741 chan->tx_send_head = NULL;
1c2acffb 1742 else
58d35f87 1743 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1744
1745 l2cap_do_send(chan, tx_skb);
b4400672 1746 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 1747 }
1748
b4400672
AE		 1749 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1750 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 1751
1752 return sent;
9e917af1
GP		 1753}
1754
e1fbd4c1
MM		 1755static void l2cap_ertm_resend(struct l2cap_chan *chan)
1756{
1757 struct l2cap_ctrl control;
1758 struct sk_buff *skb;
1759 struct sk_buff *tx_skb;
1760 u16 seq;
1761
1762 BT_DBG("chan %p", chan);
1763
1764 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1765 return;
1766
1767 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1768 seq = l2cap_seq_list_pop(&chan->retrans_list);
1769
1770 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1771 if (!skb) {
1772 BT_DBG("Error: Can't retransmit seq %d, frame missing",
1773 seq);
1774 continue;
1775 }
1776
1777 bt_cb(skb)->control.retries++;
1778 control = bt_cb(skb)->control;
1779
1780 if (chan->max_tx != 0 &&
1781 bt_cb(skb)->control.retries > chan->max_tx) {
1782 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1783 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
1784 l2cap_seq_list_clear(&chan->retrans_list);
1785 break;
1786 }
1787
1788 control.reqseq = chan->buffer_seq;
1789 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1790 control.final = 1;
1791 else
1792 control.final = 0;
1793
1794 if (skb_cloned(skb)) {
1795 /* Cloned sk_buffs are read-only, so we need a
1796 * writeable copy
1797 */
1798 tx_skb = skb_copy(skb, GFP_ATOMIC);
1799 } else {
1800 tx_skb = skb_clone(skb, GFP_ATOMIC);
1801 }
1802
1803 if (!tx_skb) {
1804 l2cap_seq_list_clear(&chan->retrans_list);
1805 break;
1806 }
1807
1808 /* Update skb contents */
1809 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1810 put_unaligned_le32(__pack_extended_control(&control),
1811 tx_skb->data + L2CAP_HDR_SIZE);
1812 } else {
1813 put_unaligned_le16(__pack_enhanced_control(&control),
1814 tx_skb->data + L2CAP_HDR_SIZE);
1815 }
1816
1817 if (chan->fcs == L2CAP_FCS_CRC16) {
1818 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
1819 put_unaligned_le16(fcs, skb_put(tx_skb,
1820 L2CAP_FCS_SIZE));
1821 }
1822
1823 l2cap_do_send(chan, tx_skb);
1824
1825 BT_DBG("Resent txseq %d", control.txseq);
1826
1827 chan->last_acked_seq = chan->buffer_seq;
1828 }
1829}
1830
f80842a8
MM		 1831static void l2cap_retransmit(struct l2cap_chan *chan,
1832 struct l2cap_ctrl *control)
1833{
1834 BT_DBG("chan %p, control %p", chan, control);
1835
1836 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
1837 l2cap_ertm_resend(chan);
1838}
1839
d2a7ac5d
MM		 1840static void l2cap_retransmit_all(struct l2cap_chan *chan,
1841 struct l2cap_ctrl *control)
1842{
e1fbd4c1
MM		 1843 struct sk_buff *skb;
1844
1845 BT_DBG("chan %p, control %p", chan, control);
1846
1847 if (control->poll)
1848 set_bit(CONN_SEND_FBIT, &chan->conn_state);
1849
1850 l2cap_seq_list_clear(&chan->retrans_list);
1851
1852 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1853 return;
1854
1855 if (chan->unacked_frames) {
1856 skb_queue_walk(&chan->tx_q, skb) {
1857 if (bt_cb(skb)->control.txseq == control->reqseq ||
1858 skb == chan->tx_send_head)
1859 break;
1860 }
1861
1862 skb_queue_walk_from(&chan->tx_q, skb) {
1863 if (skb == chan->tx_send_head)
1864 break;
1865
1866 l2cap_seq_list_append(&chan->retrans_list,
1867 bt_cb(skb)->control.txseq);
1868 }
1869
1870 l2cap_ertm_resend(chan);
1871 }
d2a7ac5d
MM		 1872}
1873
0a0aba42 1874static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1875{
0a0aba42
MM		 1876 struct l2cap_ctrl control;
1877 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
1878 chan->last_acked_seq);
1879 int threshold;
9e917af1 1880
0a0aba42
MM		 1881 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
1882 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 1883
0a0aba42
MM		 1884 memset(&control, 0, sizeof(control));
1885 control.sframe = 1;
dfc909be 1886
0a0aba42
MM		 1887 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
1888 chan->rx_state == L2CAP_RX_STATE_RECV) {
1889 __clear_ack_timer(chan);
1890 control.super = L2CAP_SUPER_RNR;
1891 control.reqseq = chan->buffer_seq;
1892 l2cap_send_sframe(chan, &control);
1893 } else {
1894 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
1895 l2cap_ertm_send(chan);
1896 /* If any i-frames were sent, they included an ack */
1897 if (chan->buffer_seq == chan->last_acked_seq)
1898 frames_to_ack = 0;
1899 }
dfc909be 1900
c20f8e35 1901 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 1902 * Calculate without mul or div
1903 */
c20f8e35 1904 threshold = chan->ack_win;
0a0aba42
MM		 1905 threshold += threshold << 1;
1906 threshold >>= 2;
1907
b4400672 1908 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 1909 threshold);
1910
1911 if (frames_to_ack >= threshold) {
1912 __clear_ack_timer(chan);
1913 control.super = L2CAP_SUPER_RR;
1914 control.reqseq = chan->buffer_seq;
1915 l2cap_send_sframe(chan, &control);
1916 frames_to_ack = 0;
1917 }
1c2acffb 1918
0a0aba42
MM		 1919 if (frames_to_ack)
1920 __set_ack_timer(chan);
1921 }
b17e73bb
SJ		 1922}
1923
04124681
GP		 1924static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
1925 struct msghdr *msg, int len,
1926 int count, struct sk_buff *skb)
1c2acffb 1927{
0952a57a 1928 struct l2cap_conn *conn = chan->conn;
1c2acffb 1929 struct sk_buff **frag;
90338947 1930 int sent = 0;
1da177e4 1931
59203a21 1932 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1933 return -EFAULT;
1da177e4
LT		 1934
1935 sent += count;
1936 len -= count;
1937
1938 /* Continuation fragments (no L2CAP header) */
1939 frag = &skb_shinfo(skb)->frag_list;
1940 while (len) {
fbe00700
GP		 1941 struct sk_buff *tmp;
1942
1da177e4
LT		 1943 count = min_t(unsigned int, conn->mtu, len);
1944
fbe00700
GP		 1945 tmp = chan->ops->alloc_skb(chan, count,
1946 msg->msg_flags & MSG_DONTWAIT);
1947 if (IS_ERR(tmp))
1948 return PTR_ERR(tmp);
1949
1950 *frag = tmp;
2f7719ce 1951
1c2acffb
GP		 1952 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1953 return -EFAULT;
1da177e4 1954
5e59b791
LAD		 1955 (*frag)->priority = skb->priority;
1956
1da177e4
LT		 1957 sent += count;
1958 len -= count;
1959
2d0ed3d5
GP		 1960 skb->len += (*frag)->len;
1961 skb->data_len += (*frag)->len;
1962
1da177e4
LT		 1963 frag = &(*frag)->next;
1964 }
1da177e4
LT		 1965
1966 return sent;
1c2acffb 1967}
1da177e4 1968
5e59b791 1969static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
b4400672
AE		 1970 struct msghdr *msg, size_t len,
1971 u32 priority)
1c2acffb 1972{
8c1d787b 1973 struct l2cap_conn *conn = chan->conn;
1c2acffb 1974 struct sk_buff *skb;
03a51213 1975 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 1976 struct l2cap_hdr *lh;
1977
b4400672 1978 BT_DBG("chan %p len %zu priority %u", chan, len, priority);
1c2acffb
GP		 1979
1980 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1981
1982 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 1983 msg->msg_flags & MSG_DONTWAIT);
1984 if (IS_ERR(skb))
1985 return skb;
1c2acffb 1986
5e59b791
LAD		 1987 skb->priority = priority;
1988
1c2acffb
GP		 1989 /* Create L2CAP header */
1990 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1991 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 1992 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
1993 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 1994
0952a57a 1995 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1996 if (unlikely(err < 0)) {
1997 kfree_skb(skb);
1998 return ERR_PTR(err);
1999 }
2000 return skb;
2001}
2002
5e59b791 2003static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
b4400672
AE		 2004 struct msghdr *msg, size_t len,
2005 u32 priority)
1c2acffb 2006{
8c1d787b 2007 struct l2cap_conn *conn = chan->conn;
1c2acffb 2008 struct sk_buff *skb;
f2ba7fae 2009 int err, count;
1c2acffb
GP		 2010 struct l2cap_hdr *lh;
2011
b4400672 2012 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2013
f2ba7fae 2014 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2015
f2ba7fae 2016 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 2017 msg->msg_flags & MSG_DONTWAIT);
2018 if (IS_ERR(skb))
2019 return skb;
1c2acffb 2020
5e59b791
LAD		 2021 skb->priority = priority;
2022
1c2acffb
GP		 2023 /* Create L2CAP header */
2024 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2025 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2026 lh->len = cpu_to_le16(len);
1c2acffb 2027
0952a57a 2028 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2029 if (unlikely(err < 0)) {
2030 kfree_skb(skb);
2031 return ERR_PTR(err);
2032 }
2033 return skb;
2034}
2035
ab0ff76d 2036static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2037 struct msghdr *msg, size_t len,
2038 u16 sdulen)
1c2acffb 2039{
8c1d787b 2040 struct l2cap_conn *conn = chan->conn;
1c2acffb 2041 struct sk_buff *skb;
e4ca6d98 2042 int err, count, hlen;
1c2acffb
GP		 2043 struct l2cap_hdr *lh;
2044
b4400672 2045 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2046
0ee0d208
GP		 2047 if (!conn)
2048 return ERR_PTR(-ENOTCONN);
2049
ba7aa64f 2050 hlen = __ertm_hdr_size(chan);
e4ca6d98 2051
c74e560c 2052 if (sdulen)
03a51213 2053 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2054
47d1ec61 2055 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2056 hlen += L2CAP_FCS_SIZE;
fcc203c3 2057
1c2acffb 2058 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2059
2060 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2061 msg->msg_flags & MSG_DONTWAIT);
2062 if (IS_ERR(skb))
2063 return skb;
1c2acffb
GP		 2064
2065 /* Create L2CAP header */
2066 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2067 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2068 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2069
18a48e76
MM		 2070 /* Control header is populated later */
2071 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2072 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2073 else
2074 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2075
c74e560c 2076 if (sdulen)
03a51213 2077 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2078
0952a57a 2079 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2080 if (unlikely(err < 0)) {
2081 kfree_skb(skb);
2082 return ERR_PTR(err);
2083 }
e90bac06 2084
18a48e76 2085 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2086 bt_cb(skb)->control.retries = 0;
1c2acffb 2087 return skb;
1da177e4
LT		 2088}
2089
94122bbe
MM		 2090static int l2cap_segment_sdu(struct l2cap_chan *chan,
2091 struct sk_buff_head *seg_queue,
2092 struct msghdr *msg, size_t len)
c74e560c 2093{
c74e560c 2094 struct sk_buff *skb;
94122bbe
MM		 2095 u16 sdu_len;
2096 size_t pdu_len;
94122bbe 2097 u8 sar;
c74e560c 2098
b4400672 2099 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2100
94122bbe
MM		 2101 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2102 * so fragmented skbs are not used. The HCI layer's handling
2103 * of fragmented skbs is not compatible with ERTM's queueing.
2104 */
c74e560c 2105
94122bbe
MM		 2106 /* PDU size is derived from the HCI MTU */
2107 pdu_len = chan->conn->mtu;
c74e560c 2108
94122bbe
MM		 2109 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2110
2111 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2112 if (chan->fcs)
2113 pdu_len -= L2CAP_FCS_SIZE;
2114
ba7aa64f 2115 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2116
2117 /* Remote device may have requested smaller PDUs */
2118 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2119
2120 if (len <= pdu_len) {
2121 sar = L2CAP_SAR_UNSEGMENTED;
2122 sdu_len = 0;
2123 pdu_len = len;
2124 } else {
2125 sar = L2CAP_SAR_START;
2126 sdu_len = len;
2127 pdu_len -= L2CAP_SDULEN_SIZE;
2128 }
2129
2130 while (len > 0) {
2131 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2132
c74e560c 2133 if (IS_ERR(skb)) {
94122bbe 2134 __skb_queue_purge(seg_queue);
c74e560c
GP		 2135 return PTR_ERR(skb);
2136 }
2137
94122bbe
MM		 2138 bt_cb(skb)->control.sar = sar;
2139 __skb_queue_tail(seg_queue, skb);
2140
2141 len -= pdu_len;
2142 if (sdu_len) {
2143 sdu_len = 0;
2144 pdu_len += L2CAP_SDULEN_SIZE;
2145 }
2146
2147 if (len <= pdu_len) {
2148 sar = L2CAP_SAR_END;
2149 pdu_len = len;
2150 } else {
2151 sar = L2CAP_SAR_CONTINUE;
2152 }
c74e560c 2153 }
c74e560c 2154
f0f62799 2155 return 0;
c74e560c
GP		 2156}
2157
5e59b791
LAD		 2158int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2159 u32 priority)
9a91a04a 2160{
9a91a04a 2161 struct sk_buff *skb;
9a91a04a 2162 int err;
94122bbe 2163 struct sk_buff_head seg_queue;
9a91a04a
GP		 2164
2165 /* Connectionless channel */
715ec005 2166 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2167 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2168 if (IS_ERR(skb))
2169 return PTR_ERR(skb);
2170
2171 l2cap_do_send(chan, skb);
2172 return len;
2173 }
2174
2175 switch (chan->mode) {
2176 case L2CAP_MODE_BASIC:
2177 /* Check outgoing MTU */
2178 if (len > chan->omtu)
2179 return -EMSGSIZE;
2180
2181 /* Create a basic PDU */
5e59b791 2182 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2183 if (IS_ERR(skb))
2184 return PTR_ERR(skb);
2185
2186 l2cap_do_send(chan, skb);
2187 err = len;
2188 break;
2189
2190 case L2CAP_MODE_ERTM:
2191 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2192 /* Check outgoing MTU */
2193 if (len > chan->omtu) {
2194 err = -EMSGSIZE;
2195 break;
2196 }
9a91a04a 2197
94122bbe 2198 __skb_queue_head_init(&seg_queue);
9a91a04a 2199
94122bbe
MM		 2200 /* Do segmentation before calling in to the state machine,
2201 * since it's possible to block while waiting for memory
2202 * allocation.
2203 */
2204 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2205
94122bbe
MM		 2206 /* The channel could have been closed while segmenting,
2207 * check that it is still connected.
2208 */
2209 if (chan->state != BT_CONNECTED) {
2210 __skb_queue_purge(&seg_queue);
2211 err = -ENOTCONN;
9a91a04a
GP		 2212 }
2213
94122bbe 2214 if (err)
9a91a04a 2215 break;
9a91a04a 2216
3733937d 2217 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2218 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2219 else
d660366d 2220 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2221
d660366d 2222 err = len;
9a91a04a 2223
94122bbe
MM		 2224 /* If the skbs were not queued for sending, they'll still be in
2225 * seg_queue and need to be purged.
2226 */
2227 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2228 break;
2229
2230 default:
2231 BT_DBG("bad state %1.1x", chan->mode);
2232 err = -EBADFD;
2233 }
2234
2235 return err;
2236}
2237
d2a7ac5d
MM		 2238static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2239{
bed68bde
MM		 2240 struct l2cap_ctrl control;
2241 u16 seq;
2242
b4400672 2243 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2244
2245 memset(&control, 0, sizeof(control));
2246 control.sframe = 1;
2247 control.super = L2CAP_SUPER_SREJ;
2248
2249 for (seq = chan->expected_tx_seq; seq != txseq;
2250 seq = __next_seq(chan, seq)) {
2251 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2252 control.reqseq = seq;
2253 l2cap_send_sframe(chan, &control);
2254 l2cap_seq_list_append(&chan->srej_list, seq);
2255 }
2256 }
2257
2258 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2259}
2260
2261static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2262{
bed68bde
MM		 2263 struct l2cap_ctrl control;
2264
2265 BT_DBG("chan %p", chan);
2266
2267 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2268 return;
2269
2270 memset(&control, 0, sizeof(control));
2271 control.sframe = 1;
2272 control.super = L2CAP_SUPER_SREJ;
2273 control.reqseq = chan->srej_list.tail;
2274 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2275}
2276
2277static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2278{
bed68bde
MM		 2279 struct l2cap_ctrl control;
2280 u16 initial_head;
2281 u16 seq;
2282
b4400672 2283 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2284
2285 memset(&control, 0, sizeof(control));
2286 control.sframe = 1;
2287 control.super = L2CAP_SUPER_SREJ;
2288
2289 /* Capture initial list head to allow only one pass through the list. */
2290 initial_head = chan->srej_list.head;
2291
2292 do {
2293 seq = l2cap_seq_list_pop(&chan->srej_list);
2294 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2295 break;
2296
2297 control.reqseq = seq;
2298 l2cap_send_sframe(chan, &control);
2299 l2cap_seq_list_append(&chan->srej_list, seq);
2300 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2301}
2302
608bcc6d
MM		 2303static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2304{
2305 struct sk_buff *acked_skb;
2306 u16 ackseq;
2307
b4400672 2308 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2309
2310 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2311 return;
2312
b4400672 2313 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2314 chan->expected_ack_seq, chan->unacked_frames);
2315
2316 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2317 ackseq = __next_seq(chan, ackseq)) {
2318
2319 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2320 if (acked_skb) {
2321 skb_unlink(acked_skb, &chan->tx_q);
2322 kfree_skb(acked_skb);
2323 chan->unacked_frames--;
2324 }
2325 }
2326
2327 chan->expected_ack_seq = reqseq;
2328
2329 if (chan->unacked_frames == 0)
2330 __clear_retrans_timer(chan);
2331
b4400672 2332 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2333}
2334
2335static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2336{
2337 BT_DBG("chan %p", chan);
2338
2339 chan->expected_tx_seq = chan->buffer_seq;
2340 l2cap_seq_list_clear(&chan->srej_list);
2341 skb_queue_purge(&chan->srej_q);
2342 chan->rx_state = L2CAP_RX_STATE_RECV;
2343}
2344
d660366d
GP		 2345static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2346 struct l2cap_ctrl *control,
2347 struct sk_buff_head *skbs, u8 event)
608bcc6d 2348{
608bcc6d
MM		 2349 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2350 event);
2351
2352 switch (event) {
2353 case L2CAP_EV_DATA_REQUEST:
2354 if (chan->tx_send_head == NULL)
2355 chan->tx_send_head = skb_peek(skbs);
2356
2357 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2358 l2cap_ertm_send(chan);
2359 break;
2360 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2361 BT_DBG("Enter LOCAL_BUSY");
2362 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2363
2364 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2365 /* The SREJ_SENT state must be aborted if we are to
2366 * enter the LOCAL_BUSY state.
2367 */
2368 l2cap_abort_rx_srej_sent(chan);
2369 }
2370
2371 l2cap_send_ack(chan);
2372
2373 break;
2374 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2375 BT_DBG("Exit LOCAL_BUSY");
2376 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2377
2378 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2379 struct l2cap_ctrl local_control;
2380
2381 memset(&local_control, 0, sizeof(local_control));
2382 local_control.sframe = 1;
2383 local_control.super = L2CAP_SUPER_RR;
2384 local_control.poll = 1;
2385 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2386 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2387
2388 chan->retry_count = 1;
2389 __set_monitor_timer(chan);
2390 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2391 }
2392 break;
2393 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2394 l2cap_process_reqseq(chan, control->reqseq);
2395 break;
2396 case L2CAP_EV_EXPLICIT_POLL:
2397 l2cap_send_rr_or_rnr(chan, 1);
2398 chan->retry_count = 1;
2399 __set_monitor_timer(chan);
2400 __clear_ack_timer(chan);
2401 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2402 break;
2403 case L2CAP_EV_RETRANS_TO:
2404 l2cap_send_rr_or_rnr(chan, 1);
2405 chan->retry_count = 1;
2406 __set_monitor_timer(chan);
2407 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2408 break;
2409 case L2CAP_EV_RECV_FBIT:
2410 /* Nothing to process */
2411 break;
2412 default:
2413 break;
2414 }
608bcc6d
MM		 2415}
2416
d660366d
GP		 2417static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2418 struct l2cap_ctrl *control,
2419 struct sk_buff_head *skbs, u8 event)
608bcc6d 2420{
608bcc6d
MM		 2421 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2422 event);
2423
2424 switch (event) {
2425 case L2CAP_EV_DATA_REQUEST:
2426 if (chan->tx_send_head == NULL)
2427 chan->tx_send_head = skb_peek(skbs);
2428 /* Queue data, but don't send. */
2429 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2430 break;
2431 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2432 BT_DBG("Enter LOCAL_BUSY");
2433 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2434
2435 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2436 /* The SREJ_SENT state must be aborted if we are to
2437 * enter the LOCAL_BUSY state.
2438 */
2439 l2cap_abort_rx_srej_sent(chan);
2440 }
2441
2442 l2cap_send_ack(chan);
2443
2444 break;
2445 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2446 BT_DBG("Exit LOCAL_BUSY");
2447 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2448
2449 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2450 struct l2cap_ctrl local_control;
2451 memset(&local_control, 0, sizeof(local_control));
2452 local_control.sframe = 1;
2453 local_control.super = L2CAP_SUPER_RR;
2454 local_control.poll = 1;
2455 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2456 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2457
2458 chan->retry_count = 1;
2459 __set_monitor_timer(chan);
2460 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2461 }
2462 break;
2463 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2464 l2cap_process_reqseq(chan, control->reqseq);
2465
2466 /* Fall through */
2467
2468 case L2CAP_EV_RECV_FBIT:
2469 if (control && control->final) {
2470 __clear_monitor_timer(chan);
2471 if (chan->unacked_frames > 0)
2472 __set_retrans_timer(chan);
2473 chan->retry_count = 0;
2474 chan->tx_state = L2CAP_TX_STATE_XMIT;
2475 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2476 }
2477 break;
2478 case L2CAP_EV_EXPLICIT_POLL:
2479 /* Ignore */
2480 break;
2481 case L2CAP_EV_MONITOR_TO:
2482 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2483 l2cap_send_rr_or_rnr(chan, 1);
2484 __set_monitor_timer(chan);
2485 chan->retry_count++;
2486 } else {
2487 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
2488 }
2489 break;
2490 default:
2491 break;
2492 }
608bcc6d
MM		 2493}
2494
d660366d
GP		 2495static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2496 struct sk_buff_head *skbs, u8 event)
608bcc6d 2497{
608bcc6d
MM		 2498 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2499 chan, control, skbs, event, chan->tx_state);
2500
2501 switch (chan->tx_state) {
2502 case L2CAP_TX_STATE_XMIT:
d660366d 2503 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2504 break;
2505 case L2CAP_TX_STATE_WAIT_F:
d660366d 2506 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2507 break;
2508 default:
2509 /* Ignore event */
2510 break;
2511 }
608bcc6d
MM		 2512}
2513
4b51dae9
MM		 2514static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2515 struct l2cap_ctrl *control)
2516{
2517 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2518 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2519}
2520
f80842a8
MM		 2521static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2522 struct l2cap_ctrl *control)
2523{
2524 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2525 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2526}
2527
1da177e4
LT		 2528/* Copy frame to all raw sockets on that connection */
2529static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2530{
1da177e4 2531 struct sk_buff *nskb;
48454079 2532 struct l2cap_chan *chan;
1da177e4
LT		 2533
2534 BT_DBG("conn %p", conn);
2535
3df91ea2 2536 mutex_lock(&conn->chan_lock);
3d57dc68 2537
3df91ea2 2538 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2539 struct sock *sk = chan->sk;
715ec005 2540 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2541 continue;
2542
2543 /* Don't send frame to the socket it came from */
2544 if (skb->sk == sk)
2545 continue;
af05b30b
GP		 2546 nskb = skb_clone(skb, GFP_ATOMIC);
2547 if (!nskb)
1da177e4
LT		 2548 continue;
2549
80b98027 2550 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2551 kfree_skb(nskb);
2552 }
3d57dc68 2553
3df91ea2 2554 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2555}
2556
2557/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2558static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2559 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2560{
2561 struct sk_buff *skb, **frag;
2562 struct l2cap_cmd_hdr *cmd;
2563 struct l2cap_hdr *lh;
2564 int len, count;
2565
b4400672
AE		 2566 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2567 conn, code, ident, dlen);
1da177e4
LT		 2568
2569 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2570 count = min_t(unsigned int, conn->mtu, len);
2571
2572 skb = bt_skb_alloc(count, GFP_ATOMIC);
2573 if (!skb)
2574 return NULL;
2575
2576 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2577 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2578
2579 if (conn->hcon->type == LE_LINK)
ac73498c 2580 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2581 else
ac73498c 2582 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2583
2584 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2585 cmd->code = code;
2586 cmd->ident = ident;
aca3192c 2587 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2588
2589 if (dlen) {
2590 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2591 memcpy(skb_put(skb, count), data, count);
2592 data += count;
2593 }
2594
2595 len -= skb->len;
2596
2597 /* Continuation fragments (no L2CAP header) */
2598 frag = &skb_shinfo(skb)->frag_list;
2599 while (len) {
2600 count = min_t(unsigned int, conn->mtu, len);
2601
2602 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2603 if (!*frag)
2604 goto fail;
2605
2606 memcpy(skb_put(*frag, count), data, count);
2607
2608 len -= count;
2609 data += count;
2610
2611 frag = &(*frag)->next;
2612 }
2613
2614 return skb;
2615
2616fail:
2617 kfree_skb(skb);
2618 return NULL;
2619}
2620
2621static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2622{
2623 struct l2cap_conf_opt *opt = *ptr;
2624 int len;
2625
2626 len = L2CAP_CONF_OPT_SIZE + opt->len;
2627 *ptr += len;
2628
2629 *type = opt->type;
2630 *olen = opt->len;
2631
2632 switch (opt->len) {
2633 case 1:
2634 *val = *((u8 *) opt->val);
2635 break;
2636
2637 case 2:
bfaaeb3e 2638 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2639 break;
2640
2641 case 4:
bfaaeb3e 2642 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2643 break;
2644
2645 default:
2646 *val = (unsigned long) opt->val;
2647 break;
2648 }
2649
b4400672 2650 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2651 return len;
2652}
2653
1da177e4
LT		 2654static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2655{
2656 struct l2cap_conf_opt *opt = *ptr;
2657
b4400672 2658 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2659
2660 opt->type = type;
2661 opt->len = len;
2662
2663 switch (len) {
2664 case 1:
2665 *((u8 *) opt->val) = val;
2666 break;
2667
2668 case 2:
4f8b691c 2669 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2670 break;
2671
2672 case 4:
4f8b691c 2673 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2674 break;
2675
2676 default:
2677 memcpy(opt->val, (void *) val, len);
2678 break;
2679 }
2680
2681 *ptr += L2CAP_CONF_OPT_SIZE + len;
2682}
2683
f89cef09
AE		 2684static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2685{
2686 struct l2cap_conf_efs efs;
2687
1ec918ce 2688 switch (chan->mode) {
f89cef09
AE		 2689 case L2CAP_MODE_ERTM:
2690 efs.id = chan->local_id;
2691 efs.stype = chan->local_stype;
2692 efs.msdu = cpu_to_le16(chan->local_msdu);
2693 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c
AE		 2694 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2695 efs.flush_to = __constant_cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
f89cef09
AE		 2696 break;
2697
2698 case L2CAP_MODE_STREAMING:
2699 efs.id = 1;
2700 efs.stype = L2CAP_SERV_BESTEFFORT;
2701 efs.msdu = cpu_to_le16(chan->local_msdu);
2702 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2703 efs.acc_lat = 0;
2704 efs.flush_to = 0;
2705 break;
2706
2707 default:
2708 return;
2709 }
2710
2711 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
2712 (unsigned long) &efs);
2713}
2714
721c4181 2715static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2716{
721c4181 2717 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 2718 ack_timer.work);
2719 u16 frames_to_ack;
c1b4f43b 2720
2fb9b3d4
GP		 2721 BT_DBG("chan %p", chan);
2722
6be36555
AE		 2723 l2cap_chan_lock(chan);
2724
0362520b
MM		 2725 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2726 chan->last_acked_seq);
6be36555 2727
0362520b
MM		 2728 if (frames_to_ack)
2729 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 2730
0362520b 2731 l2cap_chan_unlock(chan);
09bfb2ee 2732 l2cap_chan_put(chan);
c1b4f43b
GP		 2733}
2734
466f8004 2735int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2736{
3c588192
MM		 2737 int err;
2738
105bdf9e
MM		 2739 chan->next_tx_seq = 0;
2740 chan->expected_tx_seq = 0;
42e5c802 2741 chan->expected_ack_seq = 0;
6a026610 2742 chan->unacked_frames = 0;
42e5c802 2743 chan->buffer_seq = 0;
6a026610 2744 chan->frames_sent = 0;
105bdf9e
MM		 2745 chan->last_acked_seq = 0;
2746 chan->sdu = NULL;
2747 chan->sdu_last_frag = NULL;
2748 chan->sdu_len = 0;
2749
d34c34fb
MM		 2750 skb_queue_head_init(&chan->tx_q);
2751
105bdf9e
MM		 2752 if (chan->mode != L2CAP_MODE_ERTM)
2753 return 0;
2754
2755 chan->rx_state = L2CAP_RX_STATE_RECV;
2756 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2757
721c4181
GP		 2758 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2759 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2760 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2761
f1c6775b 2762 skb_queue_head_init(&chan->srej_q);
1890d36b 2763
3c588192
MM		 2764 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2765 if (err < 0)
2766 return err;
2767
9dc9affc
MM		 2768 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
2769 if (err < 0)
2770 l2cap_seq_list_free(&chan->srej_list);
2771
2772 return err;
0565c1c2
GP		 2773}
2774
f2fcfcd6
GP		 2775static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2776{
2777 switch (mode) {
2778 case L2CAP_MODE_STREAMING:
2779 case L2CAP_MODE_ERTM:
2780 if (l2cap_mode_supported(mode, remote_feat_mask))
2781 return mode;
2782 /* fall through */
2783 default:
2784 return L2CAP_MODE_BASIC;
2785 }
2786}
2787
6327eb98
AE		 2788static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2789{
2790 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2791}
2792
f89cef09
AE		 2793static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2794{
2795 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2796}
2797
6327eb98
AE		 2798static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2799{
2800 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 2801 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2802 /* use extended control field */
2803 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2804 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2805 } else {
6327eb98
AE		 2806 chan->tx_win = min_t(u16, chan->tx_win,
2807 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2808 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2809 }
c20f8e35 2810 chan->ack_win = chan->tx_win;
6327eb98
AE		 2811}
2812
710f9b0a 2813static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2814{
1da177e4 2815 struct l2cap_conf_req *req = data;
0c1bc5c6 2816 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2817 void *ptr = req->data;
c8f79162 2818 u16 size;
1da177e4 2819
49208c9c 2820 BT_DBG("chan %p", chan);
1da177e4 2821
73ffa904 2822 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2823 goto done;
2824
0c1bc5c6 2825 switch (chan->mode) {
f2fcfcd6
GP		 2826 case L2CAP_MODE_STREAMING:
2827 case L2CAP_MODE_ERTM:
c1360a1c 2828 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2829 break;
85eb53c6 2830
f89cef09
AE		 2831 if (__l2cap_efs_supported(chan))
2832 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2833
2ba13ed6 2834 /* fall through */
f2fcfcd6 2835 default:
8c1d787b 2836 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2837 break;
2838 }
2839
2840done:
0c1bc5c6
GP		 2841 if (chan->imtu != L2CAP_DEFAULT_MTU)
2842 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2843
0c1bc5c6 2844 switch (chan->mode) {
65c7c491 2845 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2846 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2847 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2848 break;
2849
62547752
GP		 2850 rfc.mode = L2CAP_MODE_BASIC;
2851 rfc.txwin_size = 0;
2852 rfc.max_transmit = 0;
2853 rfc.retrans_timeout = 0;
2854 rfc.monitor_timeout = 0;
2855 rfc.max_pdu_size = 0;
2856
63406504
GP		 2857 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2858 (unsigned long) &rfc);
65c7c491
MH		 2859 break;
2860
2861 case L2CAP_MODE_ERTM:
2862 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2863 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2864 rfc.retrans_timeout = 0;
2865 rfc.monitor_timeout = 0;
c8f79162
AE		 2866
2867 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2868 L2CAP_EXT_HDR_SIZE -
2869 L2CAP_SDULEN_SIZE -
2870 L2CAP_FCS_SIZE);
2871 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2872
6327eb98
AE		 2873 l2cap_txwin_setup(chan);
2874
2875 rfc.txwin_size = min_t(u16, chan->tx_win,
2876 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2877
63406504
GP		 2878 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2879 (unsigned long) &rfc);
2880
f89cef09
AE		 2881 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2882 l2cap_add_opt_efs(&ptr, chan);
2883
8c1d787b 2884 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2885 break;
2886
47d1ec61 2887 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2888 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2889 chan->fcs = L2CAP_FCS_NONE;
2890 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2891 }
6327eb98
AE		 2892
2893 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2894 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2895 chan->tx_win);
f2fcfcd6
GP		 2896 break;
2897
2898 case L2CAP_MODE_STREAMING:
273759e2 2899 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 2900 rfc.mode = L2CAP_MODE_STREAMING;
2901 rfc.txwin_size = 0;
2902 rfc.max_transmit = 0;
2903 rfc.retrans_timeout = 0;
2904 rfc.monitor_timeout = 0;
c8f79162
AE		 2905
2906 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2907 L2CAP_EXT_HDR_SIZE -
2908 L2CAP_SDULEN_SIZE -
2909 L2CAP_FCS_SIZE);
2910 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2911
63406504
GP		 2912 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2913 (unsigned long) &rfc);
2914
f89cef09
AE		 2915 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2916 l2cap_add_opt_efs(&ptr, chan);
2917
8c1d787b 2918 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2919 break;
2920
47d1ec61 2921 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2922 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2923 chan->fcs = L2CAP_FCS_NONE;
2924 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2925 }
65c7c491
MH		 2926 break;
2927 }
1da177e4 2928
fe4128e0 2929 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 2930 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 2931
2932 return ptr - data;
2933}
2934
73ffa904 2935static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2936{
5dee9e7c
MH		 2937 struct l2cap_conf_rsp *rsp = data;
2938 void *ptr = rsp->data;
73ffa904
GP		 2939 void *req = chan->conf_req;
2940 int len = chan->conf_len;
5dee9e7c
MH		 2941 int type, hint, olen;
2942 unsigned long val;
6464f35f 2943 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2944 struct l2cap_conf_efs efs;
2945 u8 remote_efs = 0;
861d6882 2946 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2947 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2948 u16 size;
1da177e4 2949
73ffa904 2950 BT_DBG("chan %p", chan);
820ae1b8 2951
5dee9e7c
MH		 2952 while (len >= L2CAP_CONF_OPT_SIZE) {
2953 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2954
589d2746 2955 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2956 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2957
2958 switch (type) {
2959 case L2CAP_CONF_MTU:
861d6882 2960 mtu = val;
5dee9e7c
MH		 2961 break;
2962
2963 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2964 chan->flush_to = val;
5dee9e7c
MH		 2965 break;
2966
2967 case L2CAP_CONF_QOS:
2968 break;
2969
6464f35f
MH		 2970 case L2CAP_CONF_RFC:
2971 if (olen == sizeof(rfc))
2972 memcpy(&rfc, (void *) val, olen);
2973 break;
2974
fcc203c3
GP		 2975 case L2CAP_CONF_FCS:
2976 if (val == L2CAP_FCS_NONE)
c1360a1c 2977 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 2978 break;
fcc203c3 2979
42dceae2
AE		 2980 case L2CAP_CONF_EFS:
2981 remote_efs = 1;
2982 if (olen == sizeof(efs))
2983 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 2984 break;
2985
6327eb98
AE		 2986 case L2CAP_CONF_EWS:
2987 if (!enable_hs)
2988 return -ECONNREFUSED;
fcc203c3 2989
6327eb98
AE		 2990 set_bit(FLAG_EXT_CTRL, &chan->flags);
2991 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 2992 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 2993 chan->remote_tx_win = val;
fcc203c3
GP		 2994 break;
2995
5dee9e7c
MH		 2996 default:
2997 if (hint)
2998 break;
2999
3000 result = L2CAP_CONF_UNKNOWN;
3001 *((u8 *) ptr++) = type;
3002 break;
3003 }
3004 }
3005
73ffa904 3006 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3007 goto done;
3008
0c1bc5c6 3009 switch (chan->mode) {
f2fcfcd6
GP		 3010 case L2CAP_MODE_STREAMING:
3011 case L2CAP_MODE_ERTM:
c1360a1c 3012 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3013 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 3014 chan->conn->feat_mask);
85eb53c6
GP		 3015 break;
3016 }
3017
42dceae2
AE		 3018 if (remote_efs) {
3019 if (__l2cap_efs_supported(chan))
3020 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3021 else
3022 return -ECONNREFUSED;
3023 }
3024
0c1bc5c6 3025 if (chan->mode != rfc.mode)
f2fcfcd6 3026 return -ECONNREFUSED;
742e519b 3027
f2fcfcd6 3028 break;
f2fcfcd6
GP		 3029 }
3030
3031done:
0c1bc5c6 3032 if (chan->mode != rfc.mode) {
f2fcfcd6 3033 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3034 rfc.mode = chan->mode;
f2fcfcd6 3035
73ffa904 3036 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3037 return -ECONNREFUSED;
3038
3039 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3040 sizeof(rfc), (unsigned long) &rfc);
3041 }
3042
5dee9e7c
MH		 3043 if (result == L2CAP_CONF_SUCCESS) {
3044 /* Configure output options and let the other side know
3045 * which ones we don't like. */
3046
f2fcfcd6
GP		 3047 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3048 result = L2CAP_CONF_UNACCEPT;
3049 else {
0c1bc5c6 3050 chan->omtu = mtu;
c1360a1c 3051 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3052 }
0c1bc5c6 3053 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3054
42dceae2
AE		 3055 if (remote_efs) {
3056 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3057 efs.stype != L2CAP_SERV_NOTRAFIC &&
3058 efs.stype != chan->local_stype) {
3059
3060 result = L2CAP_CONF_UNACCEPT;
3061
3062 if (chan->num_conf_req >= 1)
3063 return -ECONNREFUSED;
3064
3065 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 3066 sizeof(efs),
42dceae2 3067 (unsigned long) &efs);
0e8b207e 3068 } else {
3e6b3b95 3069 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3070 result = L2CAP_CONF_PENDING;
3071 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3072 }
3073 }
3074
f2fcfcd6
GP		 3075 switch (rfc.mode) {
3076 case L2CAP_MODE_BASIC:
47d1ec61 3077 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3078 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3079 break;
3080
3081 case L2CAP_MODE_ERTM:
6327eb98
AE		 3082 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3083 chan->remote_tx_win = rfc.txwin_size;
3084 else
3085 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3086
2c03a7a4 3087 chan->remote_max_tx = rfc.max_transmit;
1c762159 3088
c8f79162
AE		 3089 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3090 chan->conn->mtu -
3091 L2CAP_EXT_HDR_SIZE -
3092 L2CAP_SDULEN_SIZE -
3093 L2CAP_FCS_SIZE);
3094 rfc.max_pdu_size = cpu_to_le16(size);
3095 chan->remote_mps = size;
f2fcfcd6 3096
10467e9e 3097 rfc.retrans_timeout =
4fd21a88 3098 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
10467e9e 3099 rfc.monitor_timeout =
4fd21a88 3100 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 3101
c1360a1c 3102 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3103
3104 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3105 sizeof(rfc), (unsigned long) &rfc);
3106
42dceae2
AE		 3107 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3108 chan->remote_id = efs.id;
3109 chan->remote_stype = efs.stype;
3110 chan->remote_msdu = le16_to_cpu(efs.msdu);
3111 chan->remote_flush_to =
3112 le32_to_cpu(efs.flush_to);
3113 chan->remote_acc_lat =
3114 le32_to_cpu(efs.acc_lat);
3115 chan->remote_sdu_itime =
3116 le32_to_cpu(efs.sdu_itime);
3117 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3118 sizeof(efs), (unsigned long) &efs);
3119 }
f2fcfcd6
GP		 3120 break;
3121
3122 case L2CAP_MODE_STREAMING:
c8f79162
AE		 3123 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3124 chan->conn->mtu -
3125 L2CAP_EXT_HDR_SIZE -
3126 L2CAP_SDULEN_SIZE -
3127 L2CAP_FCS_SIZE);
3128 rfc.max_pdu_size = cpu_to_le16(size);
3129 chan->remote_mps = size;
f2fcfcd6 3130
c1360a1c 3131 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3132
3133 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3134 sizeof(rfc), (unsigned long) &rfc);
3135
f2fcfcd6
GP		 3136 break;
3137
3138 default:
5dee9e7c 3139 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3140
6464f35f 3141 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3142 rfc.mode = chan->mode;
f2fcfcd6 3143 }
6464f35f 3144
f2fcfcd6 3145 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3146 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3147 }
fe4128e0 3148 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3149 rsp->result = cpu_to_le16(result);
59e54bd1 3150 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3151
3152 return ptr - data;
1da177e4
LT		 3153}
3154
b4450035 3155static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 3156{
f2fcfcd6
GP		 3157 struct l2cap_conf_req *req = data;
3158 void *ptr = req->data;
3159 int type, olen;
3160 unsigned long val;
36e999a8 3161 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3162 struct l2cap_conf_efs efs;
f2fcfcd6 3163
fe4128e0 3164 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3165
3166 while (len >= L2CAP_CONF_OPT_SIZE) {
3167 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3168
3169 switch (type) {
3170 case L2CAP_CONF_MTU:
3171 if (val < L2CAP_DEFAULT_MIN_MTU) {
3172 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3173 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3174 } else
0c1bc5c6
GP		 3175 chan->imtu = val;
3176 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3177 break;
3178
3179 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3180 chan->flush_to = val;
f2fcfcd6 3181 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 3182 2, chan->flush_to);
f2fcfcd6
GP		 3183 break;
3184
3185 case L2CAP_CONF_RFC:
3186 if (olen == sizeof(rfc))
3187 memcpy(&rfc, (void *)val, olen);
3188
c1360a1c 3189 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 3190 rfc.mode != chan->mode)
f2fcfcd6
GP		 3191 return -ECONNREFUSED;
3192
47d1ec61 3193 chan->fcs = 0;
f2fcfcd6
GP		 3194
3195 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3196 sizeof(rfc), (unsigned long) &rfc);
3197 break;
6327eb98
AE		 3198
3199 case L2CAP_CONF_EWS:
c20f8e35 3200 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3201 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3202 chan->tx_win);
6327eb98 3203 break;
66af7aaf
AE		 3204
3205 case L2CAP_CONF_EFS:
3206 if (olen == sizeof(efs))
3207 memcpy(&efs, (void *)val, olen);
3208
3209 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3210 efs.stype != L2CAP_SERV_NOTRAFIC &&
3211 efs.stype != chan->local_stype)
3212 return -ECONNREFUSED;
3213
3214 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3215 sizeof(efs), (unsigned long) &efs);
3216 break;
f2fcfcd6
GP		 3217 }
3218 }
3219
0c1bc5c6 3220 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3221 return -ECONNREFUSED;
3222
0c1bc5c6 3223 chan->mode = rfc.mode;
6c2ea7a8 3224
0e8b207e 3225 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3226 switch (rfc.mode) {
3227 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3228 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3229 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3230 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3231 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3232 chan->ack_win = min_t(u16, chan->ack_win,
3233 rfc.txwin_size);
66af7aaf
AE		 3234
3235 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3236 chan->local_msdu = le16_to_cpu(efs.msdu);
3237 chan->local_sdu_itime =
3238 le32_to_cpu(efs.sdu_itime);
3239 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3240 chan->local_flush_to =
3241 le32_to_cpu(efs.flush_to);
3242 }
f2fcfcd6 3243 break;
66af7aaf 3244
f2fcfcd6 3245 case L2CAP_MODE_STREAMING:
47d1ec61 3246 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3247 }
3248 }
3249
fe4128e0 3250 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3251 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3252
3253 return ptr - data;
3254}
3255
fe4128e0 3256static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 3257{
3258 struct l2cap_conf_rsp *rsp = data;
3259 void *ptr = rsp->data;
1da177e4 3260
fe4128e0 3261 BT_DBG("chan %p", chan);
1da177e4 3262
fe4128e0 3263 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3264 rsp->result = cpu_to_le16(result);
aca3192c 3265 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3266
3267 return ptr - data;
3268}
3269
8c1d787b 3270void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3271{
3272 struct l2cap_conn_rsp rsp;
8c1d787b 3273 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 3274 u8 buf[128];
3275
fe4128e0
GP		 3276 rsp.scid = cpu_to_le16(chan->dcid);
3277 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3278 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3279 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
710f9b0a
GP		 3280 l2cap_send_cmd(conn, chan->ident,
3281 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
3282
c1360a1c 3283 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3284 return;
3285
710f9b0a
GP		 3286 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3287 l2cap_build_conf_req(chan, buf), buf);
3288 chan->num_conf_req++;
3289}
3290
47d1ec61 3291static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3292{
7b1c0049
GP		 3293 int type, olen;
3294 unsigned long val;
c20f8e35
MM		 3295 /* Use sane default values in case a misbehaving remote device
3296 * did not send an RFC or extended window size option.
3297 */
3298 u16 txwin_ext = chan->ack_win;
3299 struct l2cap_conf_rfc rfc = {
3300 .mode = chan->mode,
3301 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3302 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3303 .max_pdu_size = cpu_to_le16(chan->imtu),
3304 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3305 };
7b1c0049 3306
47d1ec61 3307 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3308
0c1bc5c6 3309 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3310 return;
3311
3312 while (len >= L2CAP_CONF_OPT_SIZE) {
3313 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3314
c20f8e35
MM		 3315 switch (type) {
3316 case L2CAP_CONF_RFC:
3317 if (olen == sizeof(rfc))
3318 memcpy(&rfc, (void *)val, olen);
8f321f85 3319 break;
c20f8e35
MM		 3320 case L2CAP_CONF_EWS:
3321 txwin_ext = val;
3322 break;
3323 }
7b1c0049
GP		 3324 }
3325
7b1c0049
GP		 3326 switch (rfc.mode) {
3327 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3328 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3329 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3330 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3331 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3332 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3333 else
3334 chan->ack_win = min_t(u16, chan->ack_win,
3335 rfc.txwin_size);
7b1c0049
GP		 3336 break;
3337 case L2CAP_MODE_STREAMING:
47d1ec61 3338 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3339 }
3340}
3341
4e8402a3
MH		 3342static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3343{
e2fd318e 3344 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3345
e2fd318e 3346 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3347 return 0;
3348
3349 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3350 cmd->ident == conn->info_ident) {
17cd3f37 3351 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3352
3353 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3354 conn->info_ident = 0;
984947dc 3355
4e8402a3
MH		 3356 l2cap_conn_start(conn);
3357 }
3358
3359 return 0;
3360}
3361
1da177e4
LT		 3362static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3363{
1da177e4
LT		 3364 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3365 struct l2cap_conn_rsp rsp;
23691d75 3366 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3367 struct sock *parent, *sk = NULL;
e7c29cb1 3368 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3369
3370 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3371 __le16 psm = req->psm;
1da177e4 3372
097db76c 3373 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3374
3375 /* Check if we have socket listening on psm */
c2287681 3376 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3377 if (!pchan) {
1da177e4
LT		 3378 result = L2CAP_CR_BAD_PSM;
3379 goto sendresp;
3380 }
3381
23691d75
GP		 3382 parent = pchan->sk;
3383
3df91ea2 3384 mutex_lock(&conn->chan_lock);
aa2ac881 3385 lock_sock(parent);
e0f0cb56 3386
e7c29cb1 3387 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3388 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
e7c29cb1 3389 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3390 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3391 result = L2CAP_CR_SEC_BLOCK;
3392 goto response;
3393 }
3394
1da177e4
LT		 3395 result = L2CAP_CR_NO_MEM;
3396
2dfa1003
GP		 3397 /* Check if we already have channel with that dcid */
3398 if (__l2cap_get_chan_by_dcid(conn, scid))
3399 goto response;
3400
80b98027 3401 chan = pchan->ops->new_connection(pchan);
80808e43 3402 if (!chan)
1da177e4
LT		 3403 goto response;
3404
80808e43
GP		 3405 sk = chan->sk;
3406
1da177e4
LT		 3407 hci_conn_hold(conn->hcon);
3408
1da177e4
LT		 3409 bacpy(&bt_sk(sk)->src, conn->src);
3410 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3411 chan->psm = psm;
3412 chan->dcid = scid;
1da177e4 3413
d1010240
GP		 3414 bt_accept_enqueue(parent, sk);
3415
6be36555 3416 __l2cap_chan_add(conn, chan);
48454079 3417
fe4128e0 3418 dcid = chan->scid;
1da177e4 3419
c9b66675 3420 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3421
fc7f8a7e 3422 chan->ident = cmd->ident;
1da177e4 3423
984947dc 3424 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3425 if (l2cap_chan_check_security(chan)) {
c5daa683 3426 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3427 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3428 result = L2CAP_CR_PEND;
3429 status = L2CAP_CS_AUTHOR_PEND;
3430 parent->sk_data_ready(parent, 0);
3431 } else {
0e587be7 3432 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 3433 result = L2CAP_CR_SUCCESS;
3434 status = L2CAP_CS_NO_INFO;
3435 }
79d554a6 3436 } else {
0e587be7 3437 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3438 result = L2CAP_CR_PEND;
3439 status = L2CAP_CS_AUTHEN_PEND;
3440 }
3441 } else {
0e587be7 3442 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3443 result = L2CAP_CR_PEND;
3444 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3445 }
3446
1da177e4 3447response:
aa2ac881 3448 release_sock(parent);
3df91ea2 3449 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3450
3451sendresp:
aca3192c
YH		 3452 rsp.scid = cpu_to_le16(scid);
3453 rsp.dcid = cpu_to_le16(dcid);
3454 rsp.result = cpu_to_le16(result);
3455 rsp.status = cpu_to_le16(status);
1da177e4 3456 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 3457
3458 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3459 struct l2cap_info_req info;
ac73498c 3460 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3461
3462 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3463 conn->info_ident = l2cap_get_ident(conn);
3464
ba13ccd9 3465 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 3466
3467 l2cap_send_cmd(conn, conn->info_ident,
3468 L2CAP_INFO_REQ, sizeof(info), &info);
3469 }
3470
c1360a1c 3471 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 3472 result == L2CAP_CR_SUCCESS) {
3473 u8 buf[128];
c1360a1c 3474 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3475 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3476 l2cap_build_conf_req(chan, buf), buf);
3477 chan->num_conf_req++;
e9aeb2dd
GP		 3478 }
3479
1da177e4
LT		 3480 return 0;
3481}
3482
3483static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3484{
3485 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3486 u16 scid, dcid, result, status;
48454079 3487 struct l2cap_chan *chan;
1da177e4 3488 u8 req[128];
3df91ea2 3489 int err;
1da177e4
LT		 3490
3491 scid = __le16_to_cpu(rsp->scid);
3492 dcid = __le16_to_cpu(rsp->dcid);
3493 result = __le16_to_cpu(rsp->result);
3494 status = __le16_to_cpu(rsp->status);
3495
1b009c98
AE		 3496 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3497 dcid, scid, result, status);
1da177e4 3498
3df91ea2
AE		 3499 mutex_lock(&conn->chan_lock);
3500
1da177e4 3501 if (scid) {
3df91ea2
AE		 3502 chan = __l2cap_get_chan_by_scid(conn, scid);
3503 if (!chan) {
3504 err = -EFAULT;
3505 goto unlock;
3506 }
1da177e4 3507 } else {
3df91ea2
AE		 3508 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3509 if (!chan) {
3510 err = -EFAULT;
3511 goto unlock;
3512 }
1da177e4
LT		 3513 }
3514
3df91ea2
AE		 3515 err = 0;
3516
6be36555 3517 l2cap_chan_lock(chan);
48454079 3518
1da177e4
LT		 3519 switch (result) {
3520 case L2CAP_CR_SUCCESS:
89bc500e 3521 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3522 chan->ident = 0;
fe4128e0 3523 chan->dcid = dcid;
c1360a1c 3524 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3525
c1360a1c 3526 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3527 break;
3528
1da177e4 3529 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3530 l2cap_build_conf_req(chan, req), req);
3531 chan->num_conf_req++;
1da177e4
LT		 3532 break;
3533
3534 case L2CAP_CR_PEND:
c1360a1c 3535 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3536 break;
3537
3538 default:
48454079 3539 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3540 break;
3541 }
3542
6be36555 3543 l2cap_chan_unlock(chan);
3df91ea2
AE		 3544
3545unlock:
3546 mutex_unlock(&conn->chan_lock);
3547
3548 return err;
1da177e4
LT		 3549}
3550
47d1ec61 3551static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3552{
3553 /* FCS is enabled only in ERTM or streaming mode, if one or both
3554 * sides request it.
3555 */
0c1bc5c6 3556 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3557 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3558 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3559 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3560}
3561
88219a0f 3562static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 3563{
3564 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3565 u16 dcid, flags;
3566 u8 rsp[64];
48454079 3567 struct l2cap_chan *chan;
3c588192 3568 int len, err = 0;
1da177e4
LT		 3569
3570 dcid = __le16_to_cpu(req->dcid);
3571 flags = __le16_to_cpu(req->flags);
3572
3573 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3574
baa7e1fa 3575 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3576 if (!chan)
1da177e4
LT		 3577 return -ENOENT;
3578
033b1142 3579 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3580 struct l2cap_cmd_rej_cid rej;
3581
ac73498c 3582 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
e2fd318e
IK		 3583 rej.scid = cpu_to_le16(chan->scid);
3584 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3585
df6bd743
GP		 3586 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
3587 sizeof(rej), &rej);
354f60a9 3588 goto unlock;
df6bd743 3589 }
354f60a9 3590
5dee9e7c 3591 /* Reject if config buffer is too small. */
88219a0f 3592 len = cmd_len - sizeof(*req);
7ac28817 3593 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3594 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3595 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 3596 L2CAP_CONF_REJECT, flags), rsp);
3597 goto unlock;
3598 }
3599
3600 /* Store config. */
73ffa904
GP		 3601 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3602 chan->conf_len += len;
1da177e4 3603
59e54bd1 3604 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 3605 /* Incomplete config. Send empty response. */
3606 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3607 l2cap_build_conf_rsp(chan, rsp,
5325e5bb 3608 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 3609 goto unlock;
3610 }
3611
3612 /* Complete config. */
73ffa904 3613 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3614 if (len < 0) {
e92c8e70 3615 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 3616 goto unlock;
f2fcfcd6 3617 }
1da177e4 3618
5dee9e7c 3619 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3620 chan->num_conf_rsp++;
5dee9e7c 3621
5dee9e7c 3622 /* Reset config buffer. */
73ffa904 3623 chan->conf_len = 0;
5dee9e7c 3624
c1360a1c 3625 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3626 goto unlock;
3627
c1360a1c 3628 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3629 set_default_fcs(chan);
fcc203c3 3630
105bdf9e
MM		 3631 if (chan->mode == L2CAP_MODE_ERTM ||
3632 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3633 err = l2cap_ertm_init(chan);
3634
3635 if (err < 0)
3636 l2cap_send_disconn_req(chan->conn, chan, -err);
3637 else
3638 l2cap_chan_ready(chan);
0565c1c2 3639
876d9484
MH		 3640 goto unlock;
3641 }
3642
c1360a1c 3643 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3644 u8 buf[64];
1da177e4 3645 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3646 l2cap_build_conf_req(chan, buf), buf);
3647 chan->num_conf_req++;
1da177e4
LT		 3648 }
3649
0e8b207e
AE		 3650 /* Got Conf Rsp PENDING from remote side and asume we sent
3651 Conf Rsp PENDING in the code above */
3652 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
3653 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3654
3655 /* check compatibility */
3656
3657 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3658 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3659
3660 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3661 l2cap_build_conf_rsp(chan, rsp,
5325e5bb 3662 L2CAP_CONF_SUCCESS, flags), rsp);
0e8b207e
AE		 3663 }
3664
1da177e4 3665unlock:
6be36555 3666 l2cap_chan_unlock(chan);
3c588192 3667 return err;
1da177e4
LT		 3668}
3669
3670static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3671{
3672 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3673 u16 scid, flags, result;
48454079 3674 struct l2cap_chan *chan;
61386cba 3675 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3676 int err = 0;
1da177e4
LT		 3677
3678 scid = __le16_to_cpu(rsp->scid);
3679 flags = __le16_to_cpu(rsp->flags);
3680 result = __le16_to_cpu(rsp->result);
3681
61386cba
AE		 3682 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3683 result, len);
1da177e4 3684
baa7e1fa 3685 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3686 if (!chan)
1da177e4
LT		 3687 return 0;
3688
3689 switch (result) {
3690 case L2CAP_CONF_SUCCESS:
47d1ec61 3691 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3692 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3693 break;
3694
0e8b207e
AE		 3695 case L2CAP_CONF_PENDING:
3696 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3697
3698 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3699 char buf[64];
3700
3701 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3702 buf, &result);
3703 if (len < 0) {
3704 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3705 goto done;
3706 }
3707
3708 /* check compatibility */
3709
3710 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3711 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3712
3713 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3714 l2cap_build_conf_rsp(chan, buf,
0e8b207e
AE		 3715 L2CAP_CONF_SUCCESS, 0x0000), buf);
3716 }
3717 goto done;
3718
1da177e4 3719 case L2CAP_CONF_UNACCEPT:
73ffa904 3720 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3721 char req[64];
3722
c2c77ec8 3723 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 3724 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 3725 goto done;
3726 }
3727
f2fcfcd6
GP		 3728 /* throw out any old stored conf requests */
3729 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 3730 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3731 req, &result);
f2fcfcd6 3732 if (len < 0) {
e92c8e70 3733 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 3734 goto done;
3735 }
3736
3737 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3738 L2CAP_CONF_REQ, len, req);
73ffa904 3739 chan->num_conf_req++;
f2fcfcd6
GP		 3740 if (result != L2CAP_CONF_SUCCESS)
3741 goto done;
3742 break;
1da177e4
LT		 3743 }
3744
8e87d142 3745 default:
6be36555 3746 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 3747
ba13ccd9 3748 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 3749 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 3750 goto done;
3751 }
3752
59e54bd1 3753 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 3754 goto done;
3755
c1360a1c 3756 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 3757
c1360a1c 3758 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 3759 set_default_fcs(chan);
fcc203c3 3760
105bdf9e
MM		 3761 if (chan->mode == L2CAP_MODE_ERTM ||
3762 chan->mode == L2CAP_MODE_STREAMING)
3c588192 3763 err = l2cap_ertm_init(chan);
0565c1c2 3764
3c588192
MM		 3765 if (err < 0)
3766 l2cap_send_disconn_req(chan->conn, chan, -err);
3767 else
3768 l2cap_chan_ready(chan);
1da177e4
LT		 3769 }
3770
3771done:
6be36555 3772 l2cap_chan_unlock(chan);
3c588192 3773 return err;
1da177e4
LT		 3774}
3775
3776static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3777{
3778 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3779 struct l2cap_disconn_rsp rsp;
3780 u16 dcid, scid;
48454079 3781 struct l2cap_chan *chan;
1da177e4
LT		 3782 struct sock *sk;
3783
3784 scid = __le16_to_cpu(req->scid);
3785 dcid = __le16_to_cpu(req->dcid);
3786
3787 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3788
3df91ea2
AE		 3789 mutex_lock(&conn->chan_lock);
3790
3791 chan = __l2cap_get_chan_by_scid(conn, dcid);
3792 if (!chan) {
3793 mutex_unlock(&conn->chan_lock);
1da177e4 3794 return 0;
3df91ea2 3795 }
1da177e4 3796
6be36555
AE		 3797 l2cap_chan_lock(chan);
3798
48454079
GP		 3799 sk = chan->sk;
3800
fe4128e0
GP		 3801 rsp.dcid = cpu_to_le16(chan->scid);
3802 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3803 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3804
6be36555 3805 lock_sock(sk);
1da177e4 3806 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 3807 release_sock(sk);
1da177e4 3808
61d6ef3e 3809 l2cap_chan_hold(chan);
48454079 3810 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 3811
3812 l2cap_chan_unlock(chan);
1da177e4 3813
80b98027 3814 chan->ops->close(chan);
61d6ef3e 3815 l2cap_chan_put(chan);
3df91ea2
AE		 3816
3817 mutex_unlock(&conn->chan_lock);
3818
1da177e4
LT		 3819 return 0;
3820}
3821
3822static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3823{
3824 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3825 u16 dcid, scid;
48454079 3826 struct l2cap_chan *chan;
1da177e4
LT		 3827
3828 scid = __le16_to_cpu(rsp->scid);
3829 dcid = __le16_to_cpu(rsp->dcid);
3830
3831 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3832
3df91ea2
AE		 3833 mutex_lock(&conn->chan_lock);
3834
3835 chan = __l2cap_get_chan_by_scid(conn, scid);
3836 if (!chan) {
3837 mutex_unlock(&conn->chan_lock);
1da177e4 3838 return 0;
3df91ea2 3839 }
1da177e4 3840
6be36555 3841 l2cap_chan_lock(chan);
48454079 3842
61d6ef3e 3843 l2cap_chan_hold(chan);
48454079 3844 l2cap_chan_del(chan, 0);
6be36555
AE		 3845
3846 l2cap_chan_unlock(chan);
1da177e4 3847
80b98027 3848 chan->ops->close(chan);
61d6ef3e 3849 l2cap_chan_put(chan);
3df91ea2
AE		 3850
3851 mutex_unlock(&conn->chan_lock);
3852
1da177e4
LT		 3853 return 0;
3854}
3855
3856static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3857{
3858 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3859 u16 type;
3860
3861 type = __le16_to_cpu(req->type);
3862
3863 BT_DBG("type 0x%4.4x", type);
3864
f0709e03
MH		 3865 if (type == L2CAP_IT_FEAT_MASK) {
3866 u8 buf[8];
44dd46de 3867 u32 feat_mask = l2cap_feat_mask;
f0709e03 3868 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 3869 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
3870 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3871 if (!disable_ertm)
fcc203c3
GP		 3872 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3873 | L2CAP_FEAT_FCS;
a5fd6f30 3874 if (enable_hs)
6327eb98
AE		 3875 feat_mask |= L2CAP_FEAT_EXT_FLOW
3876 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3877
1b7bf4ed 3878 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3879 l2cap_send_cmd(conn, cmd->ident,
3880 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3881 } else if (type == L2CAP_IT_FIXED_CHAN) {
3882 u8 buf[12];
3883 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3884
3885 if (enable_hs)
3886 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3887 else
3888 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3889
ac73498c
AE		 3890 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3891 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3892 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH		 3893 l2cap_send_cmd(conn, cmd->ident,
3894 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3895 } else {
3896 struct l2cap_info_rsp rsp;
3897 rsp.type = cpu_to_le16(type);
ac73498c 3898 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
f0709e03
MH		 3899 l2cap_send_cmd(conn, cmd->ident,
3900 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3901 }
1da177e4
LT		 3902
3903 return 0;
3904}
3905
3906static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3907{
3908 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3909 u16 type, result;
3910
3911 type = __le16_to_cpu(rsp->type);
3912 result = __le16_to_cpu(rsp->result);
3913
3914 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3915
e90165be
AE		 3916 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3917 if (cmd->ident != conn->info_ident ||
3918 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3919 return 0;
3920
17cd3f37 3921 cancel_delayed_work(&conn->info_timer);
4e8402a3 3922
adb08ede
VT		 3923 if (result != L2CAP_IR_SUCCESS) {
3924 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3925 conn->info_ident = 0;
3926
3927 l2cap_conn_start(conn);
3928
3929 return 0;
3930 }
3931
978c93b9
AE		 3932 switch (type) {
3933 case L2CAP_IT_FEAT_MASK:
83985319 3934 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3935
47ec1dcd 3936 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 3937 struct l2cap_info_req req;
ac73498c 3938 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 3939
3940 conn->info_ident = l2cap_get_ident(conn);
3941
3942 l2cap_send_cmd(conn, conn->info_ident,
3943 L2CAP_INFO_REQ, sizeof(req), &req);
3944 } else {
3945 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3946 conn->info_ident = 0;
3947
3948 l2cap_conn_start(conn);
3949 }
978c93b9
AE		 3950 break;
3951
3952 case L2CAP_IT_FIXED_CHAN:
3953 conn->fixed_chan_mask = rsp->data[0];
984947dc 3954 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3955 conn->info_ident = 0;
984947dc
MH		 3956
3957 l2cap_conn_start(conn);
978c93b9 3958 break;
984947dc 3959 }
4e8402a3 3960
1da177e4
LT		 3961 return 0;
3962}
3963
f94ff6ff
MM		 3964static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3965 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3966 void *data)
3967{
3968 struct l2cap_create_chan_req *req = data;
3969 struct l2cap_create_chan_rsp rsp;
3970 u16 psm, scid;
3971
3972 if (cmd_len != sizeof(*req))
3973 return -EPROTO;
3974
3975 if (!enable_hs)
3976 return -EINVAL;
3977
3978 psm = le16_to_cpu(req->psm);
3979 scid = le16_to_cpu(req->scid);
3980
ad0ac6ca 3981 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff
MM		 3982
3983 /* Placeholder: Always reject */
3984 rsp.dcid = 0;
3985 rsp.scid = cpu_to_le16(scid);
8ce0c498
AE		 3986 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
3987 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f94ff6ff
MM		 3988
3989 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
3990 sizeof(rsp), &rsp);
3991
3992 return 0;
3993}
3994
3995static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
3996 struct l2cap_cmd_hdr *cmd, void *data)
3997{
3998 BT_DBG("conn %p", conn);
3999
4000 return l2cap_connect_rsp(conn, cmd, data);
4001}
4002
8d5a04a1 4003static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4004 u16 icid, u16 result)
8d5a04a1
MM		 4005{
4006 struct l2cap_move_chan_rsp rsp;
4007
ad0ac6ca 4008 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4009
4010 rsp.icid = cpu_to_le16(icid);
4011 rsp.result = cpu_to_le16(result);
4012
4013 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
4014}
4015
4016static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
ad0ac6ca
AE		 4017 struct l2cap_chan *chan,
4018 u16 icid, u16 result)
8d5a04a1
MM		 4019{
4020 struct l2cap_move_chan_cfm cfm;
4021 u8 ident;
4022
ad0ac6ca 4023 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4024
4025 ident = l2cap_get_ident(conn);
4026 if (chan)
4027 chan->ident = ident;
4028
4029 cfm.icid = cpu_to_le16(icid);
4030 cfm.result = cpu_to_le16(result);
4031
4032 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
4033}
4034
4035static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4036 u16 icid)
8d5a04a1
MM		 4037{
4038 struct l2cap_move_chan_cfm_rsp rsp;
4039
ad0ac6ca 4040 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4041
4042 rsp.icid = cpu_to_le16(icid);
4043 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4044}
4045
4046static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4047 struct l2cap_cmd_hdr *cmd,
4048 u16 cmd_len, void *data)
8d5a04a1
MM		 4049{
4050 struct l2cap_move_chan_req *req = data;
4051 u16 icid = 0;
4052 u16 result = L2CAP_MR_NOT_ALLOWED;
4053
4054 if (cmd_len != sizeof(*req))
4055 return -EPROTO;
4056
4057 icid = le16_to_cpu(req->icid);
4058
ad0ac6ca 4059 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1
MM		 4060
4061 if (!enable_hs)
4062 return -EINVAL;
4063
4064 /* Placeholder: Always refuse */
4065 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
4066
4067 return 0;
4068}
4069
4070static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 4071 struct l2cap_cmd_hdr *cmd,
4072 u16 cmd_len, void *data)
8d5a04a1
MM		 4073{
4074 struct l2cap_move_chan_rsp *rsp = data;
4075 u16 icid, result;
4076
4077 if (cmd_len != sizeof(*rsp))
4078 return -EPROTO;
4079
4080 icid = le16_to_cpu(rsp->icid);
4081 result = le16_to_cpu(rsp->result);
4082
ad0ac6ca 4083 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4084
4085 /* Placeholder: Always unconfirmed */
4086 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
4087
4088 return 0;
4089}
4090
4091static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
ad0ac6ca
AE		 4092 struct l2cap_cmd_hdr *cmd,
4093 u16 cmd_len, void *data)
8d5a04a1
MM		 4094{
4095 struct l2cap_move_chan_cfm *cfm = data;
4096 u16 icid, result;
4097
4098 if (cmd_len != sizeof(*cfm))
4099 return -EPROTO;
4100
4101 icid = le16_to_cpu(cfm->icid);
4102 result = le16_to_cpu(cfm->result);
4103
ad0ac6ca 4104 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4105
4106 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4107
4108 return 0;
4109}
4110
4111static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 4112 struct l2cap_cmd_hdr *cmd,
4113 u16 cmd_len, void *data)
8d5a04a1
MM		 4114{
4115 struct l2cap_move_chan_cfm_rsp *rsp = data;
4116 u16 icid;
4117
4118 if (cmd_len != sizeof(*rsp))
4119 return -EPROTO;
4120
4121 icid = le16_to_cpu(rsp->icid);
4122
ad0ac6ca 4123 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4124
4125 return 0;
4126}
4127
e2174ca4 4128static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 4129 u16 to_multiplier)
4130{
4131 u16 max_latency;
4132
4133 if (min > max || min < 6 || max > 3200)
4134 return -EINVAL;
4135
4136 if (to_multiplier < 10 || to_multiplier > 3200)
4137 return -EINVAL;
4138
4139 if (max >= to_multiplier * 8)
4140 return -EINVAL;
4141
4142 max_latency = (to_multiplier * 8 / max) - 1;
4143 if (latency > 499 || latency > max_latency)
4144 return -EINVAL;
4145
4146 return 0;
4147}
4148
4149static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
4150 struct l2cap_cmd_hdr *cmd, u8 *data)
4151{
4152 struct hci_conn *hcon = conn->hcon;
4153 struct l2cap_conn_param_update_req *req;
4154 struct l2cap_conn_param_update_rsp rsp;
4155 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 4156 int err;
de73115a
CT		 4157
4158 if (!(hcon->link_mode & HCI_LM_MASTER))
4159 return -EINVAL;
4160
4161 cmd_len = __le16_to_cpu(cmd->len);
4162 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
4163 return -EPROTO;
4164
4165 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 4166 min = __le16_to_cpu(req->min);
4167 max = __le16_to_cpu(req->max);
de73115a
CT		 4168 latency = __le16_to_cpu(req->latency);
4169 to_multiplier = __le16_to_cpu(req->to_multiplier);
4170
4171 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
4172 min, max, latency, to_multiplier);
4173
4174 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 4175
4176 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
4177 if (err)
ac73498c 4178 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 4179 else
ac73498c 4180 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 4181
4182 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
4183 sizeof(rsp), &rsp);
4184
2ce603eb
CT		 4185 if (!err)
4186 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
4187
de73115a
CT		 4188 return 0;
4189}
4190
3300d9a9
CT		 4191static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
4192 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4193{
4194 int err = 0;
4195
4196 switch (cmd->code) {
4197 case L2CAP_COMMAND_REJ:
4198 l2cap_command_rej(conn, cmd, data);
4199 break;
4200
4201 case L2CAP_CONN_REQ:
4202 err = l2cap_connect_req(conn, cmd, data);
4203 break;
4204
4205 case L2CAP_CONN_RSP:
4206 err = l2cap_connect_rsp(conn, cmd, data);
4207 break;
4208
4209 case L2CAP_CONF_REQ:
4210 err = l2cap_config_req(conn, cmd, cmd_len, data);
4211 break;
4212
4213 case L2CAP_CONF_RSP:
4214 err = l2cap_config_rsp(conn, cmd, data);
4215 break;
4216
4217 case L2CAP_DISCONN_REQ:
4218 err = l2cap_disconnect_req(conn, cmd, data);
4219 break;
4220
4221 case L2CAP_DISCONN_RSP:
4222 err = l2cap_disconnect_rsp(conn, cmd, data);
4223 break;
4224
4225 case L2CAP_ECHO_REQ:
4226 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
4227 break;
4228
4229 case L2CAP_ECHO_RSP:
4230 break;
4231
4232 case L2CAP_INFO_REQ:
4233 err = l2cap_information_req(conn, cmd, data);
4234 break;
4235
4236 case L2CAP_INFO_RSP:
4237 err = l2cap_information_rsp(conn, cmd, data);
4238 break;
4239
f94ff6ff
MM		 4240 case L2CAP_CREATE_CHAN_REQ:
4241 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
4242 break;
4243
4244 case L2CAP_CREATE_CHAN_RSP:
4245 err = l2cap_create_channel_rsp(conn, cmd, data);
4246 break;
4247
8d5a04a1
MM		 4248 case L2CAP_MOVE_CHAN_REQ:
4249 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
4250 break;
4251
4252 case L2CAP_MOVE_CHAN_RSP:
4253 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
4254 break;
4255
4256 case L2CAP_MOVE_CHAN_CFM:
4257 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
4258 break;
4259
4260 case L2CAP_MOVE_CHAN_CFM_RSP:
4261 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
4262 break;
4263
3300d9a9
CT		 4264 default:
4265 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
4266 err = -EINVAL;
4267 break;
4268 }
4269
4270 return err;
4271}
4272
4273static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
4274 struct l2cap_cmd_hdr *cmd, u8 *data)
4275{
4276 switch (cmd->code) {
4277 case L2CAP_COMMAND_REJ:
4278 return 0;
4279
4280 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 4281 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 4282
4283 case L2CAP_CONN_PARAM_UPDATE_RSP:
4284 return 0;
4285
4286 default:
4287 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
4288 return -EINVAL;
4289 }
4290}
4291
4292static inline void l2cap_sig_channel(struct l2cap_conn *conn,
4293 struct sk_buff *skb)
1da177e4
LT		 4294{
4295 u8 *data = skb->data;
4296 int len = skb->len;
4297 struct l2cap_cmd_hdr cmd;
3300d9a9 4298 int err;
1da177e4
LT		 4299
4300 l2cap_raw_recv(conn, skb);
4301
4302 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 4303 u16 cmd_len;
1da177e4
LT		 4304 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
4305 data += L2CAP_CMD_HDR_SIZE;
4306 len -= L2CAP_CMD_HDR_SIZE;
4307
88219a0f 4308 cmd_len = le16_to_cpu(cmd.len);
1da177e4 4309
88219a0f 4310 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 4311
88219a0f 4312 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 4313 BT_DBG("corrupted command");
4314 break;
4315 }
4316
3300d9a9
CT		 4317 if (conn->hcon->type == LE_LINK)
4318 err = l2cap_le_sig_cmd(conn, &cmd, data);
4319 else
4320 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 4321
4322 if (err) {
e2fd318e 4323 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 4324
4325 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 4326
4327 /* FIXME: Map err to a valid reason */
ac73498c 4328 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 4329 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4330 }
4331
88219a0f
AV		 4332 data += cmd_len;
4333 len -= cmd_len;
1da177e4
LT		 4334 }
4335
4336 kfree_skb(skb);
4337}
4338
47d1ec61 4339static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 4340{
4341 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 4342 int hdr_size;
4343
4344 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
4345 hdr_size = L2CAP_EXT_HDR_SIZE;
4346 else
4347 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 4348
47d1ec61 4349 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 4350 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 4351 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
4352 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
4353
4354 if (our_fcs != rcv_fcs)
7a560e5c 4355 return -EBADMSG;
fcc203c3
GP		 4356 }
4357 return 0;
4358}
4359
6ea00485 4360static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 4361{
e31f7633 4362 struct l2cap_ctrl control;
d5392c8f 4363
e31f7633 4364 BT_DBG("chan %p", chan);
d5392c8f 4365
e31f7633
MM		 4366 memset(&control, 0, sizeof(control));
4367 control.sframe = 1;
4368 control.final = 1;
4369 control.reqseq = chan->buffer_seq;
4370 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 4371
e2ab4353 4372 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 4373 control.super = L2CAP_SUPER_RNR;
4374 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4375 }
4376
e31f7633
MM		 4377 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
4378 chan->unacked_frames > 0)
4379 __set_retrans_timer(chan);
d5392c8f 4380
e31f7633 4381 /* Send pending iframes */
525cd185 4382 l2cap_ertm_send(chan);
d5392c8f 4383
e2ab4353 4384 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 4385 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
4386 /* F-bit wasn't sent in an s-frame or i-frame yet, so
4387 * send it now.
4388 */
4389 control.super = L2CAP_SUPER_RR;
4390 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4391 }
4392}
4393
84084a31
MM		 4394static void append_skb_frag(struct sk_buff *skb,
4395 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 4396{
84084a31
MM		 4397 /* skb->len reflects data in skb as well as all fragments
4398 * skb->data_len reflects only data in fragments
4399 */
4400 if (!skb_has_frag_list(skb))
4401 skb_shinfo(skb)->frag_list = new_frag;
4402
4403 new_frag->next = NULL;
4404
4405 (*last_frag)->next = new_frag;
4406 *last_frag = new_frag;
4407
4408 skb->len += new_frag->len;
4409 skb->data_len += new_frag->len;
4410 skb->truesize += new_frag->truesize;
4411}
4412
4b51dae9
MM		 4413static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
4414 struct l2cap_ctrl *control)
84084a31
MM		 4415{
4416 int err = -EINVAL;
18778a63 4417
4b51dae9 4418 switch (control->sar) {
7e0ef6ee 4419 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 4420 if (chan->sdu)
4421 break;
18778a63 4422
80b98027 4423 err = chan->ops->recv(chan, skb);
84084a31 4424 break;
18778a63 4425
7e0ef6ee 4426 case L2CAP_SAR_START:
84084a31
MM		 4427 if (chan->sdu)
4428 break;
18778a63 4429
6f61fd47 4430 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 4431 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 4432
84084a31
MM		 4433 if (chan->sdu_len > chan->imtu) {
4434 err = -EMSGSIZE;
4435 break;
4436 }
1890d36b 4437
84084a31
MM		 4438 if (skb->len >= chan->sdu_len)
4439 break;
18778a63 4440
84084a31
MM		 4441 chan->sdu = skb;
4442 chan->sdu_last_frag = skb;
18778a63 4443
84084a31
MM		 4444 skb = NULL;
4445 err = 0;
18778a63
GP		 4446 break;
4447
7e0ef6ee 4448 case L2CAP_SAR_CONTINUE:
6f61fd47 4449 if (!chan->sdu)
84084a31 4450 break;
18778a63 4451
84084a31
MM		 4452 append_skb_frag(chan->sdu, skb,
4453 &chan->sdu_last_frag);
4454 skb = NULL;
18778a63 4455
84084a31
MM		 4456 if (chan->sdu->len >= chan->sdu_len)
4457 break;
4178ba46 4458
84084a31 4459 err = 0;
18778a63
GP		 4460 break;
4461
7e0ef6ee 4462 case L2CAP_SAR_END:
6f61fd47 4463 if (!chan->sdu)
84084a31 4464 break;
18778a63 4465
84084a31
MM		 4466 append_skb_frag(chan->sdu, skb,
4467 &chan->sdu_last_frag);
4468 skb = NULL;
4178ba46 4469
84084a31
MM		 4470 if (chan->sdu->len != chan->sdu_len)
4471 break;
18778a63 4472
80b98027 4473 err = chan->ops->recv(chan, chan->sdu);
1890d36b 4474
84084a31
MM		 4475 if (!err) {
4476 /* Reassembly complete */
4477 chan->sdu = NULL;
4478 chan->sdu_last_frag = NULL;
4479 chan->sdu_len = 0;
1890d36b 4480 }
18778a63
GP		 4481 break;
4482 }
4483
84084a31
MM		 4484 if (err) {
4485 kfree_skb(skb);
4486 kfree_skb(chan->sdu);
4487 chan->sdu = NULL;
4488 chan->sdu_last_frag = NULL;
4489 chan->sdu_len = 0;
4490 }
18778a63 4491
84084a31 4492 return err;
18778a63
GP		 4493}
4494
61aa4f5b 4495void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 4496{
61aa4f5b 4497 u8 event;
712132eb 4498
61aa4f5b
MM		 4499 if (chan->mode != L2CAP_MODE_ERTM)
4500 return;
712132eb 4501
61aa4f5b 4502 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 4503 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 4504}
4505
d2a7ac5d
MM		 4506static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
4507{
63838725
MM		 4508 int err = 0;
4509 /* Pass sequential frames to l2cap_reassemble_sdu()
4510 * until a gap is encountered.
4511 */
4512
4513 BT_DBG("chan %p", chan);
4514
4515 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4516 struct sk_buff *skb;
4517 BT_DBG("Searching for skb with txseq %d (queue len %d)",
4518 chan->buffer_seq, skb_queue_len(&chan->srej_q));
4519
4520 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
4521
4522 if (!skb)
4523 break;
4524
4525 skb_unlink(skb, &chan->srej_q);
4526 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
4527 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
4528 if (err)
4529 break;
4530 }
4531
4532 if (skb_queue_empty(&chan->srej_q)) {
4533 chan->rx_state = L2CAP_RX_STATE_RECV;
4534 l2cap_send_ack(chan);
4535 }
4536
4537 return err;
d2a7ac5d
MM		 4538}
4539
4540static void l2cap_handle_srej(struct l2cap_chan *chan,
4541 struct l2cap_ctrl *control)
4542{
f80842a8
MM		 4543 struct sk_buff *skb;
4544
4545 BT_DBG("chan %p, control %p", chan, control);
4546
4547 if (control->reqseq == chan->next_tx_seq) {
4548 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4549 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4550 return;
4551 }
4552
4553 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4554
4555 if (skb == NULL) {
4556 BT_DBG("Seq %d not available for retransmission",
4557 control->reqseq);
4558 return;
4559 }
4560
4561 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
4562 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4563 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4564 return;
4565 }
4566
4567 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4568
4569 if (control->poll) {
4570 l2cap_pass_to_tx(chan, control);
4571
4572 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4573 l2cap_retransmit(chan, control);
4574 l2cap_ertm_send(chan);
4575
4576 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4577 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4578 chan->srej_save_reqseq = control->reqseq;
4579 }
4580 } else {
4581 l2cap_pass_to_tx_fbit(chan, control);
4582
4583 if (control->final) {
4584 if (chan->srej_save_reqseq != control->reqseq ||
4585 !test_and_clear_bit(CONN_SREJ_ACT,
4586 &chan->conn_state))
4587 l2cap_retransmit(chan, control);
4588 } else {
4589 l2cap_retransmit(chan, control);
4590 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4591 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4592 chan->srej_save_reqseq = control->reqseq;
4593 }
4594 }
4595 }
d2a7ac5d
MM		 4596}
4597
4598static void l2cap_handle_rej(struct l2cap_chan *chan,
4599 struct l2cap_ctrl *control)
4600{
fcd289df
MM		 4601 struct sk_buff *skb;
4602
4603 BT_DBG("chan %p, control %p", chan, control);
4604
4605 if (control->reqseq == chan->next_tx_seq) {
4606 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4607 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4608 return;
4609 }
4610
4611 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4612
4613 if (chan->max_tx && skb &&
4614 bt_cb(skb)->control.retries >= chan->max_tx) {
4615 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4616 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4617 return;
4618 }
4619
4620 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4621
4622 l2cap_pass_to_tx(chan, control);
4623
4624 if (control->final) {
4625 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
4626 l2cap_retransmit_all(chan, control);
4627 } else {
4628 l2cap_retransmit_all(chan, control);
4629 l2cap_ertm_send(chan);
4630 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
4631 set_bit(CONN_REJ_ACT, &chan->conn_state);
4632 }
d2a7ac5d
MM		 4633}
4634
4b51dae9
MM		 4635static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
4636{
4637 BT_DBG("chan %p, txseq %d", chan, txseq);
4638
4639 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
4640 chan->expected_tx_seq);
4641
4642 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
4643 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4644 chan->tx_win) {
4645 /* See notes below regarding "double poll" and
4646 * invalid packets.
4647 */
4648 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4649 BT_DBG("Invalid/Ignore - after SREJ");
4650 return L2CAP_TXSEQ_INVALID_IGNORE;
4651 } else {
4652 BT_DBG("Invalid - in window after SREJ sent");
4653 return L2CAP_TXSEQ_INVALID;
4654 }
4655 }
4656
4657 if (chan->srej_list.head == txseq) {
4658 BT_DBG("Expected SREJ");
4659 return L2CAP_TXSEQ_EXPECTED_SREJ;
4660 }
4661
4662 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
4663 BT_DBG("Duplicate SREJ - txseq already stored");
4664 return L2CAP_TXSEQ_DUPLICATE_SREJ;
4665 }
4666
4667 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
4668 BT_DBG("Unexpected SREJ - not requested");
4669 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
4670 }
4671 }
4672
4673 if (chan->expected_tx_seq == txseq) {
4674 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4675 chan->tx_win) {
4676 BT_DBG("Invalid - txseq outside tx window");
4677 return L2CAP_TXSEQ_INVALID;
4678 } else {
4679 BT_DBG("Expected");
4680 return L2CAP_TXSEQ_EXPECTED;
4681 }
4682 }
4683
4684 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
4685 __seq_offset(chan, chan->expected_tx_seq,
4686 chan->last_acked_seq)){
4687 BT_DBG("Duplicate - expected_tx_seq later than txseq");
4688 return L2CAP_TXSEQ_DUPLICATE;
4689 }
4690
4691 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
4692 /* A source of invalid packets is a "double poll" condition,
4693 * where delays cause us to send multiple poll packets. If
4694 * the remote stack receives and processes both polls,
4695 * sequence numbers can wrap around in such a way that a
4696 * resent frame has a sequence number that looks like new data
4697 * with a sequence gap. This would trigger an erroneous SREJ
4698 * request.
4699 *
4700 * Fortunately, this is impossible with a tx window that's
4701 * less than half of the maximum sequence number, which allows
4702 * invalid frames to be safely ignored.
4703 *
4704 * With tx window sizes greater than half of the tx window
4705 * maximum, the frame is invalid and cannot be ignored. This
4706 * causes a disconnect.
4707 */
4708
4709 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4710 BT_DBG("Invalid/Ignore - txseq outside tx window");
4711 return L2CAP_TXSEQ_INVALID_IGNORE;
4712 } else {
4713 BT_DBG("Invalid - txseq outside tx window");
4714 return L2CAP_TXSEQ_INVALID;
4715 }
4716 } else {
4717 BT_DBG("Unexpected - txseq indicates missing frames");
4718 return L2CAP_TXSEQ_UNEXPECTED;
4719 }
4720}
4721
d2a7ac5d
MM		 4722static int l2cap_rx_state_recv(struct l2cap_chan *chan,
4723 struct l2cap_ctrl *control,
4724 struct sk_buff *skb, u8 event)
4725{
4726 int err = 0;
4727 bool skb_in_use = 0;
4728
4729 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4730 event);
4731
4732 switch (event) {
4733 case L2CAP_EV_RECV_IFRAME:
4734 switch (l2cap_classify_txseq(chan, control->txseq)) {
4735 case L2CAP_TXSEQ_EXPECTED:
4736 l2cap_pass_to_tx(chan, control);
4737
4738 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4739 BT_DBG("Busy, discarding expected seq %d",
4740 control->txseq);
4741 break;
4742 }
4743
4744 chan->expected_tx_seq = __next_seq(chan,
4745 control->txseq);
4746
4747 chan->buffer_seq = chan->expected_tx_seq;
4748 skb_in_use = 1;
4749
4750 err = l2cap_reassemble_sdu(chan, skb, control);
4751 if (err)
4752 break;
4753
4754 if (control->final) {
4755 if (!test_and_clear_bit(CONN_REJ_ACT,
4756 &chan->conn_state)) {
4757 control->final = 0;
4758 l2cap_retransmit_all(chan, control);
4759 l2cap_ertm_send(chan);
4760 }
4761 }
4762
4763 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
4764 l2cap_send_ack(chan);
4765 break;
4766 case L2CAP_TXSEQ_UNEXPECTED:
4767 l2cap_pass_to_tx(chan, control);
4768
4769 /* Can't issue SREJ frames in the local busy state.
4770 * Drop this frame, it will be seen as missing
4771 * when local busy is exited.
4772 */
4773 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4774 BT_DBG("Busy, discarding unexpected seq %d",
4775 control->txseq);
4776 break;
4777 }
4778
4779 /* There was a gap in the sequence, so an SREJ
4780 * must be sent for each missing frame. The
4781 * current frame is stored for later use.
4782 */
4783 skb_queue_tail(&chan->srej_q, skb);
4784 skb_in_use = 1;
4785 BT_DBG("Queued %p (queue len %d)", skb,
4786 skb_queue_len(&chan->srej_q));
4787
4788 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
4789 l2cap_seq_list_clear(&chan->srej_list);
4790 l2cap_send_srej(chan, control->txseq);
4791
4792 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
4793 break;
4794 case L2CAP_TXSEQ_DUPLICATE:
4795 l2cap_pass_to_tx(chan, control);
4796 break;
4797 case L2CAP_TXSEQ_INVALID_IGNORE:
4798 break;
4799 case L2CAP_TXSEQ_INVALID:
4800 default:
4801 l2cap_send_disconn_req(chan->conn, chan,
4802 ECONNRESET);
4803 break;
4804 }
4805 break;
4806 case L2CAP_EV_RECV_RR:
4807 l2cap_pass_to_tx(chan, control);
4808 if (control->final) {
4809 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4810
4811 if (!test_and_clear_bit(CONN_REJ_ACT,
4812 &chan->conn_state)) {
4813 control->final = 0;
4814 l2cap_retransmit_all(chan, control);
4815 }
4816
4817 l2cap_ertm_send(chan);
4818 } else if (control->poll) {
4819 l2cap_send_i_or_rr_or_rnr(chan);
4820 } else {
4821 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4822 &chan->conn_state) &&
4823 chan->unacked_frames)
4824 __set_retrans_timer(chan);
4825
4826 l2cap_ertm_send(chan);
4827 }
4828 break;
4829 case L2CAP_EV_RECV_RNR:
4830 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4831 l2cap_pass_to_tx(chan, control);
4832 if (control && control->poll) {
4833 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4834 l2cap_send_rr_or_rnr(chan, 0);
4835 }
4836 __clear_retrans_timer(chan);
4837 l2cap_seq_list_clear(&chan->retrans_list);
4838 break;
4839 case L2CAP_EV_RECV_REJ:
4840 l2cap_handle_rej(chan, control);
4841 break;
4842 case L2CAP_EV_RECV_SREJ:
4843 l2cap_handle_srej(chan, control);
4844 break;
4845 default:
4846 break;
4847 }
4848
4849 if (skb && !skb_in_use) {
4850 BT_DBG("Freeing %p", skb);
4851 kfree_skb(skb);
4852 }
4853
4854 return err;
4855}
4856
4857static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
4858 struct l2cap_ctrl *control,
4859 struct sk_buff *skb, u8 event)
4860{
4861 int err = 0;
4862 u16 txseq = control->txseq;
4863 bool skb_in_use = 0;
4864
4865 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4866 event);
4867
4868 switch (event) {
4869 case L2CAP_EV_RECV_IFRAME:
4870 switch (l2cap_classify_txseq(chan, txseq)) {
4871 case L2CAP_TXSEQ_EXPECTED:
4872 /* Keep frame for reassembly later */
4873 l2cap_pass_to_tx(chan, control);
4874 skb_queue_tail(&chan->srej_q, skb);
4875 skb_in_use = 1;
4876 BT_DBG("Queued %p (queue len %d)", skb,
4877 skb_queue_len(&chan->srej_q));
4878
4879 chan->expected_tx_seq = __next_seq(chan, txseq);
4880 break;
4881 case L2CAP_TXSEQ_EXPECTED_SREJ:
4882 l2cap_seq_list_pop(&chan->srej_list);
4883
4884 l2cap_pass_to_tx(chan, control);
4885 skb_queue_tail(&chan->srej_q, skb);
4886 skb_in_use = 1;
4887 BT_DBG("Queued %p (queue len %d)", skb,
4888 skb_queue_len(&chan->srej_q));
4889
4890 err = l2cap_rx_queued_iframes(chan);
4891 if (err)
4892 break;
4893
4894 break;
4895 case L2CAP_TXSEQ_UNEXPECTED:
4896 /* Got a frame that can't be reassembled yet.
4897 * Save it for later, and send SREJs to cover
4898 * the missing frames.
4899 */
4900 skb_queue_tail(&chan->srej_q, skb);
4901 skb_in_use = 1;
4902 BT_DBG("Queued %p (queue len %d)", skb,
4903 skb_queue_len(&chan->srej_q));
4904
4905 l2cap_pass_to_tx(chan, control);
4906 l2cap_send_srej(chan, control->txseq);
4907 break;
4908 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
4909 /* This frame was requested with an SREJ, but
4910 * some expected retransmitted frames are
4911 * missing. Request retransmission of missing
4912 * SREJ'd frames.
4913 */
4914 skb_queue_tail(&chan->srej_q, skb);
4915 skb_in_use = 1;
4916 BT_DBG("Queued %p (queue len %d)", skb,
4917 skb_queue_len(&chan->srej_q));
4918
4919 l2cap_pass_to_tx(chan, control);
4920 l2cap_send_srej_list(chan, control->txseq);
4921 break;
4922 case L2CAP_TXSEQ_DUPLICATE_SREJ:
4923 /* We've already queued this frame. Drop this copy. */
4924 l2cap_pass_to_tx(chan, control);
4925 break;
4926 case L2CAP_TXSEQ_DUPLICATE:
4927 /* Expecting a later sequence number, so this frame
4928 * was already received. Ignore it completely.
4929 */
4930 break;
4931 case L2CAP_TXSEQ_INVALID_IGNORE:
4932 break;
4933 case L2CAP_TXSEQ_INVALID:
4934 default:
4935 l2cap_send_disconn_req(chan->conn, chan,
4936 ECONNRESET);
4937 break;
4938 }
4939 break;
4940 case L2CAP_EV_RECV_RR:
4941 l2cap_pass_to_tx(chan, control);
4942 if (control->final) {
4943 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4944
4945 if (!test_and_clear_bit(CONN_REJ_ACT,
4946 &chan->conn_state)) {
4947 control->final = 0;
4948 l2cap_retransmit_all(chan, control);
4949 }
4950
4951 l2cap_ertm_send(chan);
4952 } else if (control->poll) {
4953 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4954 &chan->conn_state) &&
4955 chan->unacked_frames) {
4956 __set_retrans_timer(chan);
4957 }
4958
4959 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4960 l2cap_send_srej_tail(chan);
4961 } else {
4962 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4963 &chan->conn_state) &&
4964 chan->unacked_frames)
4965 __set_retrans_timer(chan);
4966
4967 l2cap_send_ack(chan);
4968 }
4969 break;
4970 case L2CAP_EV_RECV_RNR:
4971 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4972 l2cap_pass_to_tx(chan, control);
4973 if (control->poll) {
4974 l2cap_send_srej_tail(chan);
4975 } else {
4976 struct l2cap_ctrl rr_control;
4977 memset(&rr_control, 0, sizeof(rr_control));
4978 rr_control.sframe = 1;
4979 rr_control.super = L2CAP_SUPER_RR;
4980 rr_control.reqseq = chan->buffer_seq;
4981 l2cap_send_sframe(chan, &rr_control);
4982 }
4983
4984 break;
4985 case L2CAP_EV_RECV_REJ:
4986 l2cap_handle_rej(chan, control);
4987 break;
4988 case L2CAP_EV_RECV_SREJ:
4989 l2cap_handle_srej(chan, control);
4990 break;
4991 }
4992
4993 if (skb && !skb_in_use) {
4994 BT_DBG("Freeing %p", skb);
4995 kfree_skb(skb);
4996 }
4997
4998 return err;
4999}
5000
5001static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
5002{
5003 /* Make sure reqseq is for a packet that has been sent but not acked */
5004 u16 unacked;
5005
5006 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
5007 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
5008}
5009
cec8ab6e
MM		 5010static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5011 struct sk_buff *skb, u8 event)
218bb9df 5012{
d2a7ac5d
MM		 5013 int err = 0;
5014
5015 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
5016 control, skb, event, chan->rx_state);
5017
5018 if (__valid_reqseq(chan, control->reqseq)) {
5019 switch (chan->rx_state) {
5020 case L2CAP_RX_STATE_RECV:
5021 err = l2cap_rx_state_recv(chan, control, skb, event);
5022 break;
5023 case L2CAP_RX_STATE_SREJ_SENT:
5024 err = l2cap_rx_state_srej_sent(chan, control, skb,
5025 event);
5026 break;
5027 default:
5028 /* shut it down */
5029 break;
5030 }
5031 } else {
5032 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
5033 control->reqseq, chan->next_tx_seq,
5034 chan->expected_ack_seq);
5035 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
5036 }
5037
5038 return err;
cec8ab6e
MM		 5039}
5040
5041static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5042 struct sk_buff *skb)
5043{
4b51dae9
MM		 5044 int err = 0;
5045
5046 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
5047 chan->rx_state);
5048
5049 if (l2cap_classify_txseq(chan, control->txseq) ==
5050 L2CAP_TXSEQ_EXPECTED) {
5051 l2cap_pass_to_tx(chan, control);
5052
5053 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
5054 __next_seq(chan, chan->buffer_seq));
5055
5056 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5057
5058 l2cap_reassemble_sdu(chan, skb, control);
5059 } else {
5060 if (chan->sdu) {
5061 kfree_skb(chan->sdu);
5062 chan->sdu = NULL;
5063 }
5064 chan->sdu_last_frag = NULL;
5065 chan->sdu_len = 0;
5066
5067 if (skb) {
5068 BT_DBG("Freeing %p", skb);
5069 kfree_skb(skb);
5070 }
5071 }
5072
5073 chan->last_acked_seq = control->txseq;
5074 chan->expected_tx_seq = __next_seq(chan, control->txseq);
5075
5076 return err;
cec8ab6e
MM		 5077}
5078
5079static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
5080{
5081 struct l2cap_ctrl *control = &bt_cb(skb)->control;
5082 u16 len;
5083 u8 event;
218bb9df 5084
b76bbd66
MM		 5085 __unpack_control(chan, skb);
5086
218bb9df
GP		 5087 len = skb->len;
5088
5089 /*
5090 * We can just drop the corrupted I-frame here.
5091 * Receiver will miss it and start proper recovery
cec8ab6e 5092 * procedures and ask for retransmission.
218bb9df 5093 */
47d1ec61 5094 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 5095 goto drop;
5096
cec8ab6e 5097 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 5098 len -= L2CAP_SDULEN_SIZE;
218bb9df 5099
47d1ec61 5100 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 5101 len -= L2CAP_FCS_SIZE;
218bb9df 5102
47d1ec61 5103 if (len > chan->mps) {
8c1d787b 5104 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5105 goto drop;
5106 }
5107
cec8ab6e
MM		 5108 if (!control->sframe) {
5109 int err;
218bb9df 5110
cec8ab6e
MM		 5111 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
5112 control->sar, control->reqseq, control->final,
5113 control->txseq);
218bb9df 5114
cec8ab6e
MM		 5115 /* Validate F-bit - F=0 always valid, F=1 only
5116 * valid in TX WAIT_F
5117 */
5118 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 5119 goto drop;
cec8ab6e
MM		 5120
5121 if (chan->mode != L2CAP_MODE_STREAMING) {
5122 event = L2CAP_EV_RECV_IFRAME;
5123 err = l2cap_rx(chan, control, skb, event);
5124 } else {
5125 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 5126 }
5127
cec8ab6e
MM		 5128 if (err)
5129 l2cap_send_disconn_req(chan->conn, chan,
5130 ECONNRESET);
218bb9df 5131 } else {
cec8ab6e
MM		 5132 const u8 rx_func_to_event[4] = {
5133 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
5134 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
5135 };
5136
5137 /* Only I-frames are expected in streaming mode */
5138 if (chan->mode == L2CAP_MODE_STREAMING)
5139 goto drop;
5140
5141 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
5142 control->reqseq, control->final, control->poll,
5143 control->super);
5144
218bb9df
GP		 5145 if (len != 0) {
5146 BT_ERR("%d", len);
8c1d787b 5147 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5148 goto drop;
5149 }
5150
cec8ab6e
MM		 5151 /* Validate F and P bits */
5152 if (control->final && (control->poll ||
5153 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
5154 goto drop;
5155
5156 event = rx_func_to_event[control->super];
5157 if (l2cap_rx(chan, control, skb, event))
5158 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5159 }
5160
5161 return 0;
5162
5163drop:
5164 kfree_skb(skb);
5165 return 0;
5166}
5167
13ca56e0
AE		 5168static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
5169 struct sk_buff *skb)
1da177e4 5170{
48454079 5171 struct l2cap_chan *chan;
1da177e4 5172
baa7e1fa 5173 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 5174 if (!chan) {
97e8e89d
AE		 5175 if (cid == L2CAP_CID_A2MP) {
5176 chan = a2mp_channel_create(conn, skb);
5177 if (!chan) {
5178 kfree_skb(skb);
13ca56e0 5179 return;
97e8e89d
AE		 5180 }
5181
5182 l2cap_chan_lock(chan);
5183 } else {
5184 BT_DBG("unknown cid 0x%4.4x", cid);
5185 /* Drop packet and return */
5186 kfree_skb(skb);
13ca56e0 5187 return;
97e8e89d 5188 }
1da177e4
LT		 5189 }
5190
49208c9c 5191 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5192
89bc500e 5193 if (chan->state != BT_CONNECTED)
1da177e4
LT		 5194 goto drop;
5195
0c1bc5c6 5196 switch (chan->mode) {
1c2acffb
GP		 5197 case L2CAP_MODE_BASIC:
5198 /* If socket recv buffers overflows we drop data here
5199 * which is *bad* because L2CAP has to be reliable.
5200 * But we don't have any other choice. L2CAP doesn't
5201 * provide flow control mechanism. */
1da177e4 5202
0c1bc5c6 5203 if (chan->imtu < skb->len)
1c2acffb 5204 goto drop;
1da177e4 5205
80b98027 5206 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 5207 goto done;
5208 break;
5209
5210 case L2CAP_MODE_ERTM:
6840ed07 5211 case L2CAP_MODE_STREAMING:
cec8ab6e 5212 l2cap_data_rcv(chan, skb);
6840ed07
GP		 5213 goto done;
5214
1c2acffb 5215 default:
0c1bc5c6 5216 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 5217 break;
5218 }
1da177e4
LT		 5219
5220drop:
5221 kfree_skb(skb);
5222
5223done:
6be36555 5224 l2cap_chan_unlock(chan);
1da177e4
LT		 5225}
5226
84104b24
AE		 5227static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
5228 struct sk_buff *skb)
1da177e4 5229{
23691d75 5230 struct l2cap_chan *chan;
1da177e4 5231
c2287681 5232 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 5233 if (!chan)
1da177e4
LT		 5234 goto drop;
5235
5b4cedaa 5236 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5237
89bc500e 5238 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 5239 goto drop;
5240
e13e21dc 5241 if (chan->imtu < skb->len)
1da177e4
LT		 5242 goto drop;
5243
80b98027 5244 if (!chan->ops->recv(chan, skb))
84104b24 5245 return;
1da177e4
LT		 5246
5247drop:
5248 kfree_skb(skb);
1da177e4
LT		 5249}
5250
6810fca7
AE		 5251static void l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
5252 struct sk_buff *skb)
9f69bda6 5253{
23691d75 5254 struct l2cap_chan *chan;
9f69bda6 5255
c2287681 5256 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 5257 if (!chan)
9f69bda6
GP		 5258 goto drop;
5259
5b4cedaa 5260 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 5261
89bc500e 5262 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 5263 goto drop;
5264
e13e21dc 5265 if (chan->imtu < skb->len)
9f69bda6
GP		 5266 goto drop;
5267
80b98027 5268 if (!chan->ops->recv(chan, skb))
6810fca7 5269 return;
9f69bda6
GP		 5270
5271drop:
5272 kfree_skb(skb);
9f69bda6
GP		 5273}
5274
1da177e4
LT		 5275static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
5276{
5277 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 5278 u16 cid, len;
5279 __le16 psm;
1da177e4
LT		 5280
5281 skb_pull(skb, L2CAP_HDR_SIZE);
5282 cid = __le16_to_cpu(lh->cid);
5283 len = __le16_to_cpu(lh->len);
5284
1c2acffb
GP		 5285 if (len != skb->len) {
5286 kfree_skb(skb);
5287 return;
5288 }
5289
1da177e4
LT		 5290 BT_DBG("len %d, cid 0x%4.4x", len, cid);
5291
5292 switch (cid) {
3300d9a9 5293 case L2CAP_CID_LE_SIGNALING:
8db4dc46 5294 case L2CAP_CID_SIGNALING:
1da177e4
LT		 5295 l2cap_sig_channel(conn, skb);
5296 break;
5297
8db4dc46 5298 case L2CAP_CID_CONN_LESS:
097db76c 5299 psm = get_unaligned((__le16 *) skb->data);
0181a70f 5300 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 5301 l2cap_conless_channel(conn, psm, skb);
5302 break;
5303
9f69bda6
GP		 5304 case L2CAP_CID_LE_DATA:
5305 l2cap_att_channel(conn, cid, skb);
5306 break;
5307
b501d6a1
AB		 5308 case L2CAP_CID_SMP:
5309 if (smp_sig_channel(conn, skb))
5310 l2cap_conn_del(conn->hcon, EACCES);
5311 break;
5312
1da177e4
LT		 5313 default:
5314 l2cap_data_channel(conn, cid, skb);
5315 break;
5316 }
5317}
5318
5319/* ---- L2CAP interface with lower layer (HCI) ---- */
5320
686ebf28 5321int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 5322{
5323 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 5324 struct l2cap_chan *c;
1da177e4 5325
1da177e4
LT		 5326 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
5327
5328 /* Find listening sockets and check their link_mode */
23691d75
GP		 5329 read_lock(&chan_list_lock);
5330 list_for_each_entry(c, &chan_list, global_l) {
5331 struct sock *sk = c->sk;
4343478f 5332
89bc500e 5333 if (c->state != BT_LISTEN)
1da177e4
LT		 5334 continue;
5335
5336 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 5337 lm1 |= HCI_LM_ACCEPT;
43bd0f32 5338 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 5339 lm1 |= HCI_LM_MASTER;
1da177e4 5340 exact++;
2af6b9d5
MH		 5341 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
5342 lm2 |= HCI_LM_ACCEPT;
43bd0f32 5343 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 5344 lm2 |= HCI_LM_MASTER;
5345 }
1da177e4 5346 }
23691d75 5347 read_unlock(&chan_list_lock);
1da177e4
LT		 5348
5349 return exact ? lm1 : lm2;
5350}
5351
9e664631 5352void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 5353{
0139418c
MH		 5354 struct l2cap_conn *conn;
5355
1da177e4
LT		 5356 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
5357
1da177e4 5358 if (!status) {
1da177e4
LT		 5359 conn = l2cap_conn_add(hcon, status);
5360 if (conn)
5361 l2cap_conn_ready(conn);
0139418c 5362 } else
e175072f 5363 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4 5364
1da177e4
LT		 5365}
5366
686ebf28 5367int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 5368{
5369 struct l2cap_conn *conn = hcon->l2cap_data;
5370
5371 BT_DBG("hcon %p", hcon);
5372
686ebf28 5373 if (!conn)
9f5a0d7b 5374 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 5375 return conn->disc_reason;
5376}
5377
9e664631 5378void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 5379{
5380 BT_DBG("hcon %p reason %d", hcon, reason);
5381
e175072f 5382 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 5383}
5384
4343478f 5385static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 5386{
715ec005 5387 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 5388 return;
5389
f62e4323 5390 if (encrypt == 0x00) {
4343478f 5391 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 5392 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 5393 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 5394 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 5395 } else {
4343478f 5396 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 5397 __clear_chan_timer(chan);
f62e4323
MH		 5398 }
5399}
5400
686ebf28 5401int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 5402{
0139418c 5403 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 5404 struct l2cap_chan *chan;
1da177e4 5405
0139418c 5406 if (!conn)
1da177e4 5407 return 0;
0139418c 5408
89d8b407 5409 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 5410
160dc6ac 5411 if (hcon->type == LE_LINK) {
35d4adcc
HG		 5412 if (!status && encrypt)
5413 smp_distribute_keys(conn, 0);
17cd3f37 5414 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 5415 }
5416
3df91ea2 5417 mutex_lock(&conn->chan_lock);
1da177e4 5418
3df91ea2 5419 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 5420 l2cap_chan_lock(chan);
1da177e4 5421
89d8b407
AE		 5422 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
5423 state_to_string(chan->state));
f1cb9af5 5424
78eb2f98
AE		 5425 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
5426 l2cap_chan_unlock(chan);
5427 continue;
5428 }
5429
f1cb9af5
VCG		 5430 if (chan->scid == L2CAP_CID_LE_DATA) {
5431 if (!status && encrypt) {
5432 chan->sec_level = hcon->sec_level;
cf4cd009 5433 l2cap_chan_ready(chan);
f1cb9af5
VCG		 5434 }
5435
6be36555 5436 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 5437 continue;
5438 }
5439
c1360a1c 5440 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6be36555 5441 l2cap_chan_unlock(chan);
6a8d3010
MH		 5442 continue;
5443 }
5444
89bc500e
GP		 5445 if (!status && (chan->state == BT_CONNECTED ||
5446 chan->state == BT_CONFIG)) {
a7d7723a
GP		 5447 struct sock *sk = chan->sk;
5448
c5daa683 5449 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 5450 sk->sk_state_change(sk);
5451
4343478f 5452 l2cap_check_encryption(chan, encrypt);
6be36555 5453 l2cap_chan_unlock(chan);
9719f8af
MH		 5454 continue;
5455 }
5456
89bc500e 5457 if (chan->state == BT_CONNECT) {
b1235d79 5458 if (!status) {
9b27f350 5459 l2cap_send_conn_req(chan);
b1235d79 5460 } else {
ba13ccd9 5461 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 5462 }
89bc500e 5463 } else if (chan->state == BT_CONNECT2) {
6be36555 5464 struct sock *sk = chan->sk;
b1235d79 5465 struct l2cap_conn_rsp rsp;
df3c3931 5466 __u16 res, stat;
1da177e4 5467
6be36555
AE		 5468 lock_sock(sk);
5469
b1235d79 5470 if (!status) {
c5daa683
GP		 5471 if (test_bit(BT_SK_DEFER_SETUP,
5472 &bt_sk(sk)->flags)) {
df3c3931
JH		 5473 struct sock *parent = bt_sk(sk)->parent;
5474 res = L2CAP_CR_PEND;
5475 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 5476 if (parent)
5477 parent->sk_data_ready(parent, 0);
df3c3931 5478 } else {
0e587be7 5479 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 5480 res = L2CAP_CR_SUCCESS;
5481 stat = L2CAP_CS_NO_INFO;
5482 }
b1235d79 5483 } else {
0e587be7 5484 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 5485 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 5486 res = L2CAP_CR_SEC_BLOCK;
5487 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 5488 }
5489
6be36555
AE		 5490 release_sock(sk);
5491
fe4128e0
GP		 5492 rsp.scid = cpu_to_le16(chan->dcid);
5493 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 5494 rsp.result = cpu_to_le16(res);
5495 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 5496 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
5497 sizeof(rsp), &rsp);
2d369359
MM		 5498
5499 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
5500 res == L2CAP_CR_SUCCESS) {
5501 char buf[128];
5502 set_bit(CONF_REQ_SENT, &chan->conf_state);
5503 l2cap_send_cmd(conn, l2cap_get_ident(conn),
5504 L2CAP_CONF_REQ,
5505 l2cap_build_conf_req(chan, buf),
5506 buf);
5507 chan->num_conf_req++;
5508 }
b1235d79 5509 }
1da177e4 5510
6be36555 5511 l2cap_chan_unlock(chan);
1da177e4
LT		 5512 }
5513
3df91ea2 5514 mutex_unlock(&conn->chan_lock);
b1235d79 5515
1da177e4
LT		 5516 return 0;
5517}
5518
686ebf28 5519int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 5520{
5521 struct l2cap_conn *conn = hcon->l2cap_data;
5522
5a08ecce
AE		 5523 if (!conn)
5524 conn = l2cap_conn_add(hcon, 0);
5525
5526 if (!conn)
1da177e4
LT		 5527 goto drop;
5528
5529 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
5530
e702112f 5531 if (!(flags & ACL_CONT)) {
1da177e4
LT		 5532 struct l2cap_hdr *hdr;
5533 int len;
5534
5535 if (conn->rx_len) {
5536 BT_ERR("Unexpected start frame (len %d)", skb->len);
5537 kfree_skb(conn->rx_skb);
5538 conn->rx_skb = NULL;
5539 conn->rx_len = 0;
5540 l2cap_conn_unreliable(conn, ECOMM);
5541 }
5542
aae7fe22
AE		 5543 /* Start fragment always begin with Basic L2CAP header */
5544 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 5545 BT_ERR("Frame is too short (len %d)", skb->len);
5546 l2cap_conn_unreliable(conn, ECOMM);
5547 goto drop;
5548 }
5549
5550 hdr = (struct l2cap_hdr *) skb->data;
5551 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
5552
5553 if (len == skb->len) {
5554 /* Complete frame received */
5555 l2cap_recv_frame(conn, skb);
5556 return 0;
5557 }
5558
5559 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
5560
5561 if (skb->len > len) {
5562 BT_ERR("Frame is too long (len %d, expected len %d)",
5563 skb->len, len);
5564 l2cap_conn_unreliable(conn, ECOMM);
5565 goto drop;
5566 }
5567
5568 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 5569 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
5570 if (!conn->rx_skb)
1da177e4
LT		 5571 goto drop;
5572
d626f62b 5573 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5574 skb->len);
1da177e4
LT		 5575 conn->rx_len = len - skb->len;
5576 } else {
5577 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
5578
5579 if (!conn->rx_len) {
5580 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
5581 l2cap_conn_unreliable(conn, ECOMM);
5582 goto drop;
5583 }
5584
5585 if (skb->len > conn->rx_len) {
5586 BT_ERR("Fragment is too long (len %d, expected %d)",
5587 skb->len, conn->rx_len);
5588 kfree_skb(conn->rx_skb);
5589 conn->rx_skb = NULL;
5590 conn->rx_len = 0;
5591 l2cap_conn_unreliable(conn, ECOMM);
5592 goto drop;
5593 }
5594
d626f62b 5595 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5596 skb->len);
1da177e4
LT		 5597 conn->rx_len -= skb->len;
5598
5599 if (!conn->rx_len) {
5600 /* Complete frame received */
5601 l2cap_recv_frame(conn, conn->rx_skb);
5602 conn->rx_skb = NULL;
5603 }
5604 }
5605
5606drop:
5607 kfree_skb(skb);
5608 return 0;
5609}
5610
aef7d97c 5611static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 5612{
23691d75 5613 struct l2cap_chan *c;
1da177e4 5614
333055f2 5615 read_lock(&chan_list_lock);
1da177e4 5616
23691d75
GP		 5617 list_for_each_entry(c, &chan_list, global_l) {
5618 struct sock *sk = c->sk;
101545f6 5619
903d343e 5620 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 5621 batostr(&bt_sk(sk)->src),
5622 batostr(&bt_sk(sk)->dst),
89bc500e 5623 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 5624 c->scid, c->dcid, c->imtu, c->omtu,
5625 c->sec_level, c->mode);
61e1b4b7 5626 }
1da177e4 5627
333055f2 5628 read_unlock(&chan_list_lock);
1da177e4 5629
aef7d97c 5630 return 0;
1da177e4
LT		 5631}
5632
aef7d97c
MH		 5633static int l2cap_debugfs_open(struct inode *inode, struct file *file)
5634{
5635 return single_open(file, l2cap_debugfs_show, inode->i_private);
5636}
5637
5638static const struct file_operations l2cap_debugfs_fops = {
5639 .open = l2cap_debugfs_open,
5640 .read = seq_read,
5641 .llseek = seq_lseek,
5642 .release = single_release,
5643};
5644
5645static struct dentry *l2cap_debugfs;
1da177e4 5646
64274518 5647int __init l2cap_init(void)
1da177e4
LT		 5648{
5649 int err;
be9d1227 5650
bb58f747 5651 err = l2cap_init_sockets();
1da177e4
LT		 5652 if (err < 0)
5653 return err;
5654
aef7d97c
MH		 5655 if (bt_debugfs) {
5656 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
5657 bt_debugfs, NULL, &l2cap_debugfs_fops);
5658 if (!l2cap_debugfs)
5659 BT_ERR("Failed to create L2CAP debug file");
5660 }
1da177e4 5661
1da177e4 5662 return 0;
1da177e4
LT		 5663}
5664
64274518 5665void l2cap_exit(void)
1da177e4 5666{
aef7d97c 5667 debugfs_remove(l2cap_debugfs);
bb58f747 5668 l2cap_cleanup_sockets();
1da177e4
LT		 5669}
5670
d1c4a17d
GP		 5671module_param(disable_ertm, bool, 0644);
5672MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
Linux kernel - Deliverables
This page took 4.970485 seconds and 5 git commands to generate.