projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Remove unused HCI timeouts definitions
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
b501d6a1 39#include <net/bluetooth/smp.h>
97e8e89d 40#include <net/bluetooth/a2mp.h>
1da177e4 41
d1de6d46 42bool disable_ertm;
f0709e03 43
47ec1dcd 44static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 45static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 46
b5ad8b7f
JB		 47static LIST_HEAD(chan_list);
48static DEFINE_RWLOCK(chan_list_lock);
1da177e4 49
1da177e4
LT		 50static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
51 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 52static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
53 void *data);
710f9b0a 54static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a 55static void l2cap_send_disconn_req(struct l2cap_conn *conn,
c5daa683 56 struct l2cap_chan *chan, int err);
1da177e4 57
d660366d 58static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
608bcc6d
MM		 59 struct sk_buff_head *skbs, u8 event);
60
0139418c 61/* ---- L2CAP channels ---- */
71ba0e56 62
baa7e1fa 63static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 64{
3df91ea2 65 struct l2cap_chan *c;
3d57dc68 66
3df91ea2
AE		 67 list_for_each_entry(c, &conn->chan_l, list) {
68 if (c->dcid == cid)
69 return c;
0139418c 70 }
3df91ea2 71 return NULL;
0139418c
MH		 72}
73
baa7e1fa 74static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 75{
3df91ea2 76 struct l2cap_chan *c;
3d57dc68 77
3df91ea2
AE		 78 list_for_each_entry(c, &conn->chan_l, list) {
79 if (c->scid == cid)
80 return c;
0139418c 81 }
3df91ea2 82 return NULL;
0139418c
MH		 83}
84
85/* Find channel with given SCID.
ef191ade 86 * Returns locked channel. */
baa7e1fa 87static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 88{
48454079 89 struct l2cap_chan *c;
baa7e1fa 90
3df91ea2 91 mutex_lock(&conn->chan_lock);
baa7e1fa 92 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 93 if (c)
94 l2cap_chan_lock(c);
3df91ea2
AE		 95 mutex_unlock(&conn->chan_lock);
96
48454079 97 return c;
0139418c
MH		 98}
99
baa7e1fa 100static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 101{
3df91ea2 102 struct l2cap_chan *c;
3d57dc68 103
3df91ea2
AE		 104 list_for_each_entry(c, &conn->chan_l, list) {
105 if (c->ident == ident)
106 return c;
0139418c 107 }
3df91ea2 108 return NULL;
0139418c
MH		 109}
110
23691d75 111static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 112{
23691d75 113 struct l2cap_chan *c;
9e4425ff 114
23691d75
GP		 115 list_for_each_entry(c, &chan_list, global_l) {
116 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 117 return c;
9e4425ff 118 }
250938cb 119 return NULL;
9e4425ff
GP		 120}
121
122int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
123{
73b2ec18
GP		 124 int err;
125
333055f2 126 write_lock(&chan_list_lock);
9e4425ff 127
23691d75 128 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 129 err = -EADDRINUSE;
130 goto done;
9e4425ff
GP		 131 }
132
73b2ec18
GP		 133 if (psm) {
134 chan->psm = psm;
135 chan->sport = psm;
136 err = 0;
137 } else {
138 u16 p;
139
140 err = -EINVAL;
141 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 142 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 143 chan->psm = cpu_to_le16(p);
144 chan->sport = cpu_to_le16(p);
145 err = 0;
146 break;
147 }
148 }
9e4425ff 149
73b2ec18 150done:
333055f2 151 write_unlock(&chan_list_lock);
73b2ec18 152 return err;
9e4425ff
GP		 153}
154
155int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
156{
333055f2 157 write_lock(&chan_list_lock);
9e4425ff
GP		 158
159 chan->scid = scid;
160
333055f2 161 write_unlock(&chan_list_lock);
9e4425ff
GP		 162
163 return 0;
164}
165
baa7e1fa 166static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 167{
8db4dc46 168 u16 cid = L2CAP_CID_DYN_START;
0139418c 169
8db4dc46 170 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 171 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 172 return cid;
173 }
174
175 return 0;
176}
177
0e587be7 178static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 179{
42d2d87c 180 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
badaaa00
GP		 181 state_to_string(state));
182
89bc500e 183 chan->state = state;
80b98027 184 chan->ops->state_change(chan, state);
89bc500e
GP		 185}
186
0e587be7
AE		 187static void l2cap_state_change(struct l2cap_chan *chan, int state)
188{
189 struct sock *sk = chan->sk;
190
191 lock_sock(sk);
192 __l2cap_state_change(chan, state);
193 release_sock(sk);
194}
195
2e0052e4
AE		 196static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
197{
198 struct sock *sk = chan->sk;
199
200 sk->sk_err = err;
201}
202
203static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
204{
205 struct sock *sk = chan->sk;
206
207 lock_sock(sk);
208 __l2cap_chan_set_err(chan, err);
209 release_sock(sk);
210}
211
4239d16f
MM		 212static void __set_retrans_timer(struct l2cap_chan *chan)
213{
214 if (!delayed_work_pending(&chan->monitor_timer) &&
215 chan->retrans_timeout) {
216 l2cap_set_timer(chan, &chan->retrans_timer,
217 msecs_to_jiffies(chan->retrans_timeout));
218 }
219}
220
221static void __set_monitor_timer(struct l2cap_chan *chan)
222{
223 __clear_retrans_timer(chan);
224 if (chan->monitor_timeout) {
225 l2cap_set_timer(chan, &chan->monitor_timer,
226 msecs_to_jiffies(chan->monitor_timeout));
227 }
228}
229
608bcc6d
MM		 230static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
231 u16 seq)
232{
233 struct sk_buff *skb;
234
235 skb_queue_walk(head, skb) {
236 if (bt_cb(skb)->control.txseq == seq)
237 return skb;
238 }
239
240 return NULL;
241}
242
3c588192
MM		 243/* ---- L2CAP sequence number lists ---- */
244
245/* For ERTM, ordered lists of sequence numbers must be tracked for
246 * SREJ requests that are received and for frames that are to be
247 * retransmitted. These seq_list functions implement a singly-linked
248 * list in an array, where membership in the list can also be checked
249 * in constant time. Items can also be added to the tail of the list
250 * and removed from the head in constant time, without further memory
251 * allocs or frees.
252 */
253
254static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
255{
256 size_t alloc_size, i;
257
258 /* Allocated size is a power of 2 to map sequence numbers
259 * (which may be up to 14 bits) in to a smaller array that is
260 * sized for the negotiated ERTM transmit windows.
261 */
262 alloc_size = roundup_pow_of_two(size);
263
264 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
265 if (!seq_list->list)
266 return -ENOMEM;
267
268 seq_list->mask = alloc_size - 1;
269 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
270 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
271 for (i = 0; i < alloc_size; i++)
272 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
273
274 return 0;
275}
276
277static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
278{
279 kfree(seq_list->list);
280}
281
282static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
283 u16 seq)
284{
285 /* Constant-time check for list membership */
286 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
287}
288
289static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
290{
291 u16 mask = seq_list->mask;
292
293 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
294 /* In case someone tries to pop the head of an empty list */
295 return L2CAP_SEQ_LIST_CLEAR;
296 } else if (seq_list->head == seq) {
297 /* Head can be removed in constant time */
298 seq_list->head = seq_list->list[seq & mask];
299 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
300
301 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
302 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
303 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
304 }
305 } else {
306 /* Walk the list to find the sequence number */
307 u16 prev = seq_list->head;
308 while (seq_list->list[prev & mask] != seq) {
309 prev = seq_list->list[prev & mask];
310 if (prev == L2CAP_SEQ_LIST_TAIL)
311 return L2CAP_SEQ_LIST_CLEAR;
312 }
313
314 /* Unlink the number from the list and clear it */
315 seq_list->list[prev & mask] = seq_list->list[seq & mask];
316 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
317 if (seq_list->tail == seq)
318 seq_list->tail = prev;
319 }
320 return seq;
321}
322
323static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
324{
325 /* Remove the head in constant time */
326 return l2cap_seq_list_remove(seq_list, seq_list->head);
327}
328
329static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
330{
f522ae36 331 u16 i;
3c588192 332
f522ae36
GP		 333 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
334 return;
335
336 for (i = 0; i <= seq_list->mask; i++)
337 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
338
339 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
340 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 341}
342
343static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
344{
345 u16 mask = seq_list->mask;
346
347 /* All appends happen in constant time */
348
f522ae36
GP		 349 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
350 return;
3c588192 351
f522ae36
GP		 352 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
353 seq_list->head = seq;
354 else
355 seq_list->list[seq_list->tail & mask] = seq;
356
357 seq_list->tail = seq;
358 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 359}
360
721c4181 361static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 362{
721c4181
GP		 363 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
364 chan_timer.work);
3df91ea2 365 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 366 int reason;
367
e05dcc32 368 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 369
3df91ea2 370 mutex_lock(&conn->chan_lock);
6be36555 371 l2cap_chan_lock(chan);
ab07801d 372
89bc500e 373 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 374 reason = ECONNREFUSED;
89bc500e 375 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 376 chan->sec_level != BT_SECURITY_SDP)
377 reason = ECONNREFUSED;
378 else
379 reason = ETIMEDOUT;
380
0f852724 381 l2cap_chan_close(chan, reason);
ab07801d 382
6be36555 383 l2cap_chan_unlock(chan);
ab07801d 384
80b98027 385 chan->ops->close(chan);
3df91ea2
AE		 386 mutex_unlock(&conn->chan_lock);
387
371fd835 388 l2cap_chan_put(chan);
ab07801d
GP		 389}
390
eef1d9b6 391struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 392{
393 struct l2cap_chan *chan;
394
395 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
396 if (!chan)
397 return NULL;
398
c03b355e
AE		 399 mutex_init(&chan->lock);
400
333055f2 401 write_lock(&chan_list_lock);
23691d75 402 list_add(&chan->global_l, &chan_list);
333055f2 403 write_unlock(&chan_list_lock);
23691d75 404
721c4181 405 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 406
89bc500e
GP		 407 chan->state = BT_OPEN;
408
71ba0e56
GP		 409 atomic_set(&chan->refcnt, 1);
410
2827011f
MM		 411 /* This flag is cleared in l2cap_chan_ready() */
412 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
413
eef1d9b6 414 BT_DBG("chan %p", chan);
abc545b8 415
48454079
GP		 416 return chan;
417}
418
23691d75 419void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 420{
333055f2 421 write_lock(&chan_list_lock);
23691d75 422 list_del(&chan->global_l);
333055f2 423 write_unlock(&chan_list_lock);
23691d75 424
371fd835 425 l2cap_chan_put(chan);
6ff5abbf
GP		 426}
427
bd4b1653
AE		 428void l2cap_chan_set_defaults(struct l2cap_chan *chan)
429{
430 chan->fcs = L2CAP_FCS_CRC16;
431 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
432 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
433 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
434 chan->sec_level = BT_SECURITY_LOW;
435
436 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
437}
438
14a28491 439static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 440{
af05b30b 441 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 442 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 443
9f5a0d7b 444 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 445
8c1d787b 446 chan->conn = conn;
0139418c 447
5491120e
AE		 448 switch (chan->chan_type) {
449 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 450 if (conn->hcon->type == LE_LINK) {
451 /* LE connection */
0c1bc5c6 452 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 453 chan->scid = L2CAP_CID_LE_DATA;
454 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 455 } else {
456 /* Alloc CID for connection-oriented socket */
fe4128e0 457 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 458 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 459 }
5491120e
AE		 460 break;
461
462 case L2CAP_CHAN_CONN_LESS:
0139418c 463 /* Connectionless socket */
fe4128e0
GP		 464 chan->scid = L2CAP_CID_CONN_LESS;
465 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 466 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 467 break;
468
416fa752
AE		 469 case L2CAP_CHAN_CONN_FIX_A2MP:
470 chan->scid = L2CAP_CID_A2MP;
471 chan->dcid = L2CAP_CID_A2MP;
472 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
473 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
474 break;
475
5491120e 476 default:
0139418c 477 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 478 chan->scid = L2CAP_CID_SIGNALING;
479 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 480 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 481 }
482
8f7975b1
AE		 483 chan->local_id = L2CAP_BESTEFFORT_ID;
484 chan->local_stype = L2CAP_SERV_BESTEFFORT;
485 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
486 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
487 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
488 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
489
371fd835 490 l2cap_chan_hold(chan);
baa7e1fa 491
3df91ea2 492 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 493}
494
466f8004 495void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 496{
497 mutex_lock(&conn->chan_lock);
498 __l2cap_chan_add(conn, chan);
3df91ea2 499 mutex_unlock(&conn->chan_lock);
0139418c
MH		 500}
501
466f8004 502void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 503{
8c1d787b 504 struct l2cap_conn *conn = chan->conn;
0139418c 505
c9b66675 506 __clear_chan_timer(chan);
0139418c 507
49208c9c 508 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 509
8e87d142 510 if (conn) {
baa7e1fa 511 /* Delete from channel list */
3df91ea2 512 list_del(&chan->list);
3d57dc68 513
371fd835 514 l2cap_chan_put(chan);
baa7e1fa 515
8c1d787b 516 chan->conn = NULL;
0139418c
MH		 517 hci_conn_put(conn->hcon);
518 }
519
c0df7f6e
AE		 520 if (chan->ops->teardown)
521 chan->ops->teardown(chan, err);
6be36555 522
2827011f 523 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 524 return;
2ead70b8 525
ee556f66
GP		 526 switch(chan->mode) {
527 case L2CAP_MODE_BASIC:
528 break;
c13ffa62 529
ee556f66 530 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 531 __clear_retrans_timer(chan);
532 __clear_monitor_timer(chan);
533 __clear_ack_timer(chan);
c13ffa62 534
f1c6775b 535 skb_queue_purge(&chan->srej_q);
c13ffa62 536
3c588192
MM		 537 l2cap_seq_list_free(&chan->srej_list);
538 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 539
540 /* fall through */
541
542 case L2CAP_MODE_STREAMING:
543 skb_queue_purge(&chan->tx_q);
544 break;
c13ffa62 545 }
ee556f66
GP		 546
547 return;
0139418c
MH		 548}
549
0f852724 550void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 551{
552 struct l2cap_conn *conn = chan->conn;
553 struct sock *sk = chan->sk;
554
e05dcc32
AE		 555 BT_DBG("chan %p state %s sk %p", chan,
556 state_to_string(chan->state), sk);
4519de9a 557
89bc500e 558 switch (chan->state) {
4519de9a 559 case BT_LISTEN:
c0df7f6e
AE		 560 if (chan->ops->teardown)
561 chan->ops->teardown(chan, 0);
4519de9a
GP		 562 break;
563
564 case BT_CONNECTED:
565 case BT_CONFIG:
715ec005 566 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 567 conn->hcon->type == ACL_LINK) {
c9b66675 568 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 569 l2cap_send_disconn_req(conn, chan, reason);
570 } else
571 l2cap_chan_del(chan, reason);
572 break;
573
574 case BT_CONNECT2:
715ec005 575 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 576 conn->hcon->type == ACL_LINK) {
577 struct l2cap_conn_rsp rsp;
578 __u16 result;
579
c5daa683 580 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 581 result = L2CAP_CR_SEC_BLOCK;
582 else
583 result = L2CAP_CR_BAD_PSM;
89bc500e 584 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 585
586 rsp.scid = cpu_to_le16(chan->dcid);
587 rsp.dcid = cpu_to_le16(chan->scid);
588 rsp.result = cpu_to_le16(result);
ac73498c 589 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4519de9a
GP		 590 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
591 sizeof(rsp), &rsp);
592 }
593
594 l2cap_chan_del(chan, reason);
595 break;
596
597 case BT_CONNECT:
598 case BT_DISCONN:
599 l2cap_chan_del(chan, reason);
600 break;
601
602 default:
c0df7f6e
AE		 603 if (chan->ops->teardown)
604 chan->ops->teardown(chan, 0);
4519de9a
GP		 605 break;
606 }
607}
608
4343478f 609static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 610{
715ec005 611 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 612 switch (chan->sec_level) {
8556edd3
JH		 613 case BT_SECURITY_HIGH:
614 return HCI_AT_DEDICATED_BONDING_MITM;
615 case BT_SECURITY_MEDIUM:
616 return HCI_AT_DEDICATED_BONDING;
617 default:
618 return HCI_AT_NO_BONDING;
619 }
2983fd68 620 } else if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
4343478f
GP		 621 if (chan->sec_level == BT_SECURITY_LOW)
622 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 623
4343478f 624 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 625 return HCI_AT_NO_BONDING_MITM;
00ae4af9 626 else
8556edd3 627 return HCI_AT_NO_BONDING;
00ae4af9 628 } else {
4343478f 629 switch (chan->sec_level) {
00ae4af9 630 case BT_SECURITY_HIGH:
8556edd3 631 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 632 case BT_SECURITY_MEDIUM:
8556edd3 633 return HCI_AT_GENERAL_BONDING;
00ae4af9 634 default:
8556edd3 635 return HCI_AT_NO_BONDING;
00ae4af9 636 }
0684e5f9 637 }
8556edd3
JH		 638}
639
640/* Service level security */
d45fc423 641int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 642{
8c1d787b 643 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 644 __u8 auth_type;
645
4343478f 646 auth_type = l2cap_get_auth_type(chan);
79d554a6 647
4343478f 648 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 649}
650
b5ad8b7f 651static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 652{
653 u8 id;
654
655 /* Get next available identificator.
656 * 1 - 128 are used by kernel.
657 * 129 - 199 are reserved.
658 * 200 - 254 are used by utilities like l2ping, etc.
659 */
660
333055f2 661 spin_lock(&conn->lock);
4e8402a3
MH		 662
663 if (++conn->tx_ident > 128)
664 conn->tx_ident = 1;
665
666 id = conn->tx_ident;
667
333055f2 668 spin_unlock(&conn->lock);
4e8402a3
MH		 669
670 return id;
671}
672
4519de9a 673static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 674{
675 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 676 u8 flags;
4e8402a3
MH		 677
678 BT_DBG("code 0x%2.2x", code);
679
680 if (!skb)
9a9c6a34 681 return;
4e8402a3 682
e702112f
AE		 683 if (lmp_no_flush_capable(conn->hcon->hdev))
684 flags = ACL_START_NO_FLUSH;
685 else
686 flags = ACL_START;
687
14b12d0b 688 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 689 skb->priority = HCI_PRIO_MAX;
14b12d0b 690
73d80deb
LAD		 691 hci_send_acl(conn->hchan, skb, flags);
692}
693
694static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
695{
696 struct hci_conn *hcon = chan->conn->hcon;
697 u16 flags;
698
699 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
700 skb->priority);
701
702 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
703 lmp_no_flush_capable(hcon->hdev))
704 flags = ACL_START_NO_FLUSH;
705 else
706 flags = ACL_START;
14b12d0b 707
73d80deb
LAD		 708 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
709 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 710}
711
b76bbd66
MM		 712static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
713{
714 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
715 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
716
717 if (enh & L2CAP_CTRL_FRAME_TYPE) {
718 /* S-Frame */
719 control->sframe = 1;
720 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
721 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
722
723 control->sar = 0;
724 control->txseq = 0;
725 } else {
726 /* I-Frame */
727 control->sframe = 0;
728 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
729 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
730
731 control->poll = 0;
732 control->super = 0;
733 }
734}
735
b76bbd66
MM		 736static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
737{
738 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
739 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
740
741 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
742 /* S-Frame */
743 control->sframe = 1;
744 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
745 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
746
747 control->sar = 0;
748 control->txseq = 0;
749 } else {
750 /* I-Frame */
751 control->sframe = 0;
752 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
753 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
754
755 control->poll = 0;
756 control->super = 0;
757 }
758}
759
760static inline void __unpack_control(struct l2cap_chan *chan,
761 struct sk_buff *skb)
762{
763 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
764 __unpack_extended_control(get_unaligned_le32(skb->data),
765 &bt_cb(skb)->control);
cec8ab6e 766 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 767 } else {
768 __unpack_enhanced_control(get_unaligned_le16(skb->data),
769 &bt_cb(skb)->control);
cec8ab6e 770 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 771 }
772}
773
b5c6aaed
MM		 774static u32 __pack_extended_control(struct l2cap_ctrl *control)
775{
776 u32 packed;
777
778 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
779 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
780
781 if (control->sframe) {
782 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
783 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
784 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
785 } else {
786 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
787 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
788 }
789
790 return packed;
791}
792
793static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
794{
795 u16 packed;
796
797 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
798 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
799
800 if (control->sframe) {
801 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
802 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
803 packed |= L2CAP_CTRL_FRAME_TYPE;
804 } else {
805 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
806 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
807 }
808
809 return packed;
810}
811
b76bbd66
MM		 812static inline void __pack_control(struct l2cap_chan *chan,
813 struct l2cap_ctrl *control,
814 struct sk_buff *skb)
815{
816 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
817 put_unaligned_le32(__pack_extended_control(control),
818 skb->data + L2CAP_HDR_SIZE);
819 } else {
820 put_unaligned_le16(__pack_enhanced_control(control),
821 skb->data + L2CAP_HDR_SIZE);
822 }
823}
824
a67d7f6f
MM		 825static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
826 u32 control)
b5c6aaed
MM		 827{
828 struct sk_buff *skb;
829 struct l2cap_hdr *lh;
a67d7f6f 830 int hlen;
b5c6aaed
MM		 831
832 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
833 hlen = L2CAP_EXT_HDR_SIZE;
834 else
835 hlen = L2CAP_ENH_HDR_SIZE;
836
837 if (chan->fcs == L2CAP_FCS_CRC16)
838 hlen += L2CAP_FCS_SIZE;
839
a67d7f6f 840 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 841
b5c6aaed 842 if (!skb)
a67d7f6f 843 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 844
845 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
846 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
847 lh->cid = cpu_to_le16(chan->dcid);
848
a67d7f6f
MM		 849 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
850 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
851 else
852 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 853
854 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 855 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 856 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
857 }
858
859 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 860 return skb;
861}
862
863static void l2cap_send_sframe(struct l2cap_chan *chan,
864 struct l2cap_ctrl *control)
865{
866 struct sk_buff *skb;
867 u32 control_field;
868
869 BT_DBG("chan %p, control %p", chan, control);
870
871 if (!control->sframe)
872 return;
873
874 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
875 !control->poll)
876 control->final = 1;
877
878 if (control->super == L2CAP_SUPER_RR)
879 clear_bit(CONN_RNR_SENT, &chan->conn_state);
880 else if (control->super == L2CAP_SUPER_RNR)
881 set_bit(CONN_RNR_SENT, &chan->conn_state);
882
883 if (control->super != L2CAP_SUPER_SREJ) {
884 chan->last_acked_seq = control->reqseq;
885 __clear_ack_timer(chan);
886 }
887
888 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
889 control->final, control->poll, control->super);
890
891 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
892 control_field = __pack_extended_control(control);
893 else
894 control_field = __pack_enhanced_control(control);
895
896 skb = l2cap_create_sframe_pdu(chan, control_field);
897 if (!IS_ERR(skb))
898 l2cap_do_send(chan, skb);
b5c6aaed
MM		 899}
900
c9e3d5e0 901static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 902{
c9e3d5e0
MM		 903 struct l2cap_ctrl control;
904
905 BT_DBG("chan %p, poll %d", chan, poll);
906
907 memset(&control, 0, sizeof(control));
908 control.sframe = 1;
909 control.poll = poll;
910
911 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
912 control.super = L2CAP_SUPER_RNR;
913 else
914 control.super = L2CAP_SUPER_RR;
b5c6aaed 915
c9e3d5e0
MM		 916 control.reqseq = chan->buffer_seq;
917 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 918}
919
b4450035 920static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 921{
c1360a1c 922 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 923}
924
9b27f350
AE		 925static void l2cap_send_conn_req(struct l2cap_chan *chan)
926{
927 struct l2cap_conn *conn = chan->conn;
928 struct l2cap_conn_req req;
929
930 req.scid = cpu_to_le16(chan->scid);
931 req.psm = chan->psm;
932
933 chan->ident = l2cap_get_ident(conn);
934
935 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
936
937 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
938}
939
9f0caeb1
VCG		 940static void l2cap_chan_ready(struct l2cap_chan *chan)
941{
2827011f 942 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 943 chan->conf_state = 0;
944 __clear_chan_timer(chan);
945
54a59aa2 946 chan->state = BT_CONNECTED;
9f0caeb1 947
54a59aa2
AE		 948 if (chan->ops->ready)
949 chan->ops->ready(chan);
9f0caeb1
VCG		 950}
951
fc7f8a7e 952static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 953{
8c1d787b 954 struct l2cap_conn *conn = chan->conn;
79d554a6 955
9f0caeb1
VCG		 956 if (conn->hcon->type == LE_LINK) {
957 l2cap_chan_ready(chan);
958 return;
959 }
960
79d554a6 961 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 962 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
963 return;
964
d45fc423 965 if (l2cap_chan_check_security(chan) &&
9b27f350
AE		 966 __l2cap_no_conn_pending(chan))
967 l2cap_send_conn_req(chan);
79d554a6
MH		 968 } else {
969 struct l2cap_info_req req;
ac73498c 970 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 971
972 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
973 conn->info_ident = l2cap_get_ident(conn);
974
ba13ccd9 975 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 976
977 l2cap_send_cmd(conn, conn->info_ident,
978 L2CAP_INFO_REQ, sizeof(req), &req);
979 }
980}
981
cf6c2c0b
GP		 982static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
983{
984 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 985 if (!disable_ertm)
cf6c2c0b
GP		 986 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
987
988 switch (mode) {
989 case L2CAP_MODE_ERTM:
990 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
991 case L2CAP_MODE_STREAMING:
992 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
993 default:
994 return 0x00;
995 }
996}
997
4519de9a 998static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 999{
6be36555 1000 struct sock *sk = chan->sk;
22121fc9
GP		 1001 struct l2cap_disconn_req req;
1002
c13ffa62
GP		 1003 if (!conn)
1004 return;
1005
0c1bc5c6 1006 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 1007 __clear_retrans_timer(chan);
1008 __clear_monitor_timer(chan);
1009 __clear_ack_timer(chan);
c13ffa62
GP		 1010 }
1011
416fa752
AE		 1012 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1013 __l2cap_state_change(chan, BT_DISCONN);
1014 return;
1015 }
1016
fe4128e0
GP		 1017 req.dcid = cpu_to_le16(chan->dcid);
1018 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 1019 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1020 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 1021
6be36555 1022 lock_sock(sk);
0e587be7 1023 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1024 __l2cap_chan_set_err(chan, err);
6be36555 1025 release_sock(sk);
22121fc9
GP		 1026}
1027
1da177e4 1028/* ---- L2CAP connections ---- */
4e8402a3
MH		 1029static void l2cap_conn_start(struct l2cap_conn *conn)
1030{
3df91ea2 1031 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1032
1033 BT_DBG("conn %p", conn);
1034
3df91ea2 1035 mutex_lock(&conn->chan_lock);
4e8402a3 1036
3df91ea2 1037 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1038 struct sock *sk = chan->sk;
baa7e1fa 1039
6be36555 1040 l2cap_chan_lock(chan);
4e8402a3 1041
715ec005 1042 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1043 l2cap_chan_unlock(chan);
79d554a6
MH		 1044 continue;
1045 }
1046
89bc500e 1047 if (chan->state == BT_CONNECT) {
d45fc423 1048 if (!l2cap_chan_check_security(chan) ||
b4450035 1049 !__l2cap_no_conn_pending(chan)) {
6be36555 1050 l2cap_chan_unlock(chan);
47731de7
GP		 1051 continue;
1052 }
79d554a6 1053
c1360a1c
GP		 1054 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1055 && test_bit(CONF_STATE2_DEVICE,
1056 &chan->conf_state)) {
89bc500e 1057 l2cap_chan_close(chan, ECONNRESET);
6be36555 1058 l2cap_chan_unlock(chan);
47731de7 1059 continue;
b1235d79 1060 }
47731de7 1061
9b27f350 1062 l2cap_send_conn_req(chan);
47731de7 1063
89bc500e 1064 } else if (chan->state == BT_CONNECT2) {
79d554a6 1065 struct l2cap_conn_rsp rsp;
e9aeb2dd 1066 char buf[128];
fe4128e0
GP		 1067 rsp.scid = cpu_to_le16(chan->dcid);
1068 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1069
d45fc423 1070 if (l2cap_chan_check_security(chan)) {
6be36555 1071 lock_sock(sk);
c5daa683
GP		 1072 if (test_bit(BT_SK_DEFER_SETUP,
1073 &bt_sk(sk)->flags)) {
f66dc81f 1074 struct sock *parent = bt_sk(sk)->parent;
ac73498c
AE		 1075 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1076 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 1077 if (parent)
1078 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 1079
1080 } else {
0e587be7 1081 __l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1082 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1083 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1084 }
6be36555 1085 release_sock(sk);
79d554a6 1086 } else {
ac73498c
AE		 1087 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1088 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1089 }
1090
fc7f8a7e
GP		 1091 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1092 sizeof(rsp), &rsp);
e9aeb2dd 1093
c1360a1c 1094 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd 1095 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1096 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1097 continue;
1098 }
1099
c1360a1c 1100 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1101 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 1102 l2cap_build_conf_req(chan, buf), buf);
1103 chan->num_conf_req++;
4e8402a3
MH		 1104 }
1105
6be36555 1106 l2cap_chan_unlock(chan);
4e8402a3
MH		 1107 }
1108
3df91ea2 1109 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1110}
1111
c2287681 1112/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1113 * Returns closest match, locked.
1114 */
d9b88702 1115static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1116 bdaddr_t *src,
1117 bdaddr_t *dst)
b62f328b 1118{
23691d75 1119 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1120
23691d75 1121 read_lock(&chan_list_lock);
b62f328b 1122
23691d75
GP		 1123 list_for_each_entry(c, &chan_list, global_l) {
1124 struct sock *sk = c->sk;
fe4128e0 1125
89bc500e 1126 if (state && c->state != state)
b62f328b
VT		 1127 continue;
1128
23691d75 1129 if (c->scid == cid) {
c2287681
IY		 1130 int src_match, dst_match;
1131 int src_any, dst_any;
1132
b62f328b 1133 /* Exact match. */
c2287681
IY		 1134 src_match = !bacmp(&bt_sk(sk)->src, src);
1135 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1136 if (src_match && dst_match) {
23691d75
GP		 1137 read_unlock(&chan_list_lock);
1138 return c;
1139 }
b62f328b
VT		 1140
1141 /* Closest match */
c2287681
IY		 1142 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1143 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1144 if ((src_match && dst_any) || (src_any && dst_match) ||
1145 (src_any && dst_any))
23691d75 1146 c1 = c;
b62f328b
VT		 1147 }
1148 }
280f294f 1149
23691d75 1150 read_unlock(&chan_list_lock);
b62f328b 1151
23691d75 1152 return c1;
b62f328b
VT		 1153}
1154
1155static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1156{
c916fbe4 1157 struct sock *parent, *sk;
23691d75 1158 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1159
1160 BT_DBG("");
1161
1162 /* Check if we have socket listening on cid */
23691d75 1163 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1164 conn->src, conn->dst);
23691d75 1165 if (!pchan)
b62f328b
VT		 1166 return;
1167
23691d75
GP		 1168 parent = pchan->sk;
1169
aa2ac881 1170 lock_sock(parent);
62f3a2cf 1171
80b98027 1172 chan = pchan->ops->new_connection(pchan);
80808e43 1173 if (!chan)
b62f328b
VT		 1174 goto clean;
1175
80808e43 1176 sk = chan->sk;
5d41ce1d 1177
b62f328b
VT		 1178 hci_conn_hold(conn->hcon);
1179
b62f328b
VT		 1180 bacpy(&bt_sk(sk)->src, conn->src);
1181 bacpy(&bt_sk(sk)->dst, conn->dst);
1182
d1010240
GP		 1183 bt_accept_enqueue(parent, sk);
1184
3d57dc68 1185 l2cap_chan_add(conn, chan);
48454079 1186
6754e0df 1187 l2cap_chan_ready(chan);
b62f328b 1188
b62f328b 1189clean:
aa2ac881 1190 release_sock(parent);
b62f328b
VT		 1191}
1192
4e8402a3
MH		 1193static void l2cap_conn_ready(struct l2cap_conn *conn)
1194{
48454079 1195 struct l2cap_chan *chan;
4e8402a3 1196
79d554a6 1197 BT_DBG("conn %p", conn);
4e8402a3 1198
b62f328b
VT		 1199 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
1200 l2cap_le_conn_ready(conn);
1201
160dc6ac
VCG		 1202 if (conn->hcon->out && conn->hcon->type == LE_LINK)
1203 smp_conn_security(conn, conn->hcon->pending_sec_level);
1204
3df91ea2 1205 mutex_lock(&conn->chan_lock);
4e8402a3 1206
3df91ea2 1207 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1208
6be36555 1209 l2cap_chan_lock(chan);
4e8402a3 1210
416fa752
AE		 1211 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1212 l2cap_chan_unlock(chan);
1213 continue;
1214 }
1215
63128451 1216 if (conn->hcon->type == LE_LINK) {
b501d6a1 1217 if (smp_conn_security(conn, chan->sec_level))
cf4cd009 1218 l2cap_chan_ready(chan);
acd7d370 1219
63128451 1220 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1221 struct sock *sk = chan->sk;
c9b66675 1222 __clear_chan_timer(chan);
6be36555 1223 lock_sock(sk);
0e587be7 1224 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1225 sk->sk_state_change(sk);
6be36555 1226 release_sock(sk);
b501d6a1 1227
89bc500e 1228 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1229 l2cap_do_start(chan);
4e8402a3 1230
6be36555 1231 l2cap_chan_unlock(chan);
4e8402a3 1232 }
79d554a6 1233
3df91ea2 1234 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1235}
1236
1237/* Notify sockets that we cannot guaranty reliability anymore */
1238static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1239{
48454079 1240 struct l2cap_chan *chan;
4e8402a3
MH		 1241
1242 BT_DBG("conn %p", conn);
1243
3df91ea2 1244 mutex_lock(&conn->chan_lock);
4e8402a3 1245
3df91ea2 1246 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1247 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
2e0052e4 1248 __l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1249 }
1250
3df91ea2 1251 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1252}
1253
f878fcad 1254static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1255{
f878fcad 1256 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
030013d8 1257 info_timer.work);
4e8402a3 1258
984947dc 1259 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1260 conn->info_ident = 0;
984947dc 1261
4e8402a3
MH		 1262 l2cap_conn_start(conn);
1263}
1264
5d3de7df
VCG		 1265static void l2cap_conn_del(struct hci_conn *hcon, int err)
1266{
1267 struct l2cap_conn *conn = hcon->l2cap_data;
1268 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1269
1270 if (!conn)
1271 return;
1272
1273 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1274
1275 kfree_skb(conn->rx_skb);
1276
3df91ea2
AE		 1277 mutex_lock(&conn->chan_lock);
1278
5d3de7df
VCG		 1279 /* Kill channels */
1280 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1281 l2cap_chan_hold(chan);
6be36555
AE		 1282 l2cap_chan_lock(chan);
1283
5d3de7df 1284 l2cap_chan_del(chan, err);
6be36555
AE		 1285
1286 l2cap_chan_unlock(chan);
1287
80b98027 1288 chan->ops->close(chan);
61d6ef3e 1289 l2cap_chan_put(chan);
5d3de7df
VCG		 1290 }
1291
3df91ea2
AE		 1292 mutex_unlock(&conn->chan_lock);
1293
73d80deb
LAD		 1294 hci_chan_del(conn->hchan);
1295
5d3de7df 1296 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1297 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1298
51a8efd7 1299 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1300 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1301 smp_chan_destroy(conn);
d26a2345 1302 }
5d3de7df
VCG		 1303
1304 hcon->l2cap_data = NULL;
1305 kfree(conn);
1306}
1307
6c9d42a1 1308static void security_timeout(struct work_struct *work)
5d3de7df 1309{
6c9d42a1
GP		 1310 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1311 security_timer.work);
5d3de7df
VCG		 1312
1313 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1314}
1315
1da177e4
LT		 1316static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1317{
0139418c 1318 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1319 struct hci_chan *hchan;
1da177e4 1320
0139418c 1321 if (conn || status)
1da177e4
LT		 1322 return conn;
1323
73d80deb
LAD		 1324 hchan = hci_chan_create(hcon);
1325 if (!hchan)
1326 return NULL;
1327
0139418c 1328 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
73d80deb
LAD		 1329 if (!conn) {
1330 hci_chan_del(hchan);
1da177e4 1331 return NULL;
73d80deb 1332 }
1da177e4
LT		 1333
1334 hcon->l2cap_data = conn;
1335 conn->hcon = hcon;
73d80deb 1336 conn->hchan = hchan;
1da177e4 1337
73d80deb 1338 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1339
acd7d370
VT		 1340 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1341 conn->mtu = hcon->hdev->le_mtu;
1342 else
1343 conn->mtu = hcon->hdev->acl_mtu;
1344
1da177e4
LT		 1345 conn->src = &hcon->hdev->bdaddr;
1346 conn->dst = &hcon->dst;
1347
4e8402a3
MH		 1348 conn->feat_mask = 0;
1349
1da177e4 1350 spin_lock_init(&conn->lock);
3df91ea2 1351 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1352
1353 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1354
5d3de7df 1355 if (hcon->type == LE_LINK)
6c9d42a1 1356 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1357 else
030013d8 1358 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1359
9f5a0d7b 1360 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1361
1da177e4
LT		 1362 return conn;
1363}
1364
1da177e4 1365/* ---- Socket interface ---- */
1da177e4 1366
c2287681 1367/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1368 * Returns closest match.
1369 */
c2287681
IY		 1370static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1371 bdaddr_t *src,
1372 bdaddr_t *dst)
1da177e4 1373{
23691d75 1374 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1375
23691d75 1376 read_lock(&chan_list_lock);
e0f0cb56 1377
23691d75
GP		 1378 list_for_each_entry(c, &chan_list, global_l) {
1379 struct sock *sk = c->sk;
fe4128e0 1380
89bc500e 1381 if (state && c->state != state)
1da177e4
LT		 1382 continue;
1383
23691d75 1384 if (c->psm == psm) {
c2287681
IY		 1385 int src_match, dst_match;
1386 int src_any, dst_any;
1387
1da177e4 1388 /* Exact match. */
c2287681
IY		 1389 src_match = !bacmp(&bt_sk(sk)->src, src);
1390 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1391 if (src_match && dst_match) {
a7567b20 1392 read_unlock(&chan_list_lock);
23691d75
GP		 1393 return c;
1394 }
1da177e4
LT		 1395
1396 /* Closest match */
c2287681
IY		 1397 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1398 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1399 if ((src_match && dst_any) || (src_any && dst_match) ||
1400 (src_any && dst_any))
23691d75 1401 c1 = c;
1da177e4
LT		 1402 }
1403 }
1da177e4 1404
23691d75 1405 read_unlock(&chan_list_lock);
e0f0cb56 1406
23691d75 1407 return c1;
1da177e4
LT		 1408}
1409
8e9f9892
AG		 1410int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1411 bdaddr_t *dst, u8 dst_type)
1da177e4 1412{
5d41ce1d 1413 struct sock *sk = chan->sk;
1da177e4 1414 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1415 struct l2cap_conn *conn;
1416 struct hci_conn *hcon;
1417 struct hci_dev *hdev;
09ab6f4c 1418 __u8 auth_type;
44d0e48e 1419 int err;
1da177e4 1420
8e9f9892
AG		 1421 BT_DBG("%s -> %s (type %u) psm 0x%2.2x", batostr(src), batostr(dst),
1422 dst_type, __le16_to_cpu(chan->psm));
1da177e4 1423
af05b30b
GP		 1424 hdev = hci_get_route(dst, src);
1425 if (!hdev)
1da177e4
LT		 1426 return -EHOSTUNREACH;
1427
09fd0de5 1428 hci_dev_lock(hdev);
1da177e4 1429
6be36555 1430 l2cap_chan_lock(chan);
03a00194
GP		 1431
1432 /* PSM must be odd and lsb of upper byte must be 0 */
1433 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1434 chan->chan_type != L2CAP_CHAN_RAW) {
1435 err = -EINVAL;
1436 goto done;
1437 }
1438
1439 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1440 err = -EINVAL;
1441 goto done;
1442 }
1443
1444 switch (chan->mode) {
1445 case L2CAP_MODE_BASIC:
1446 break;
1447 case L2CAP_MODE_ERTM:
1448 case L2CAP_MODE_STREAMING:
1449 if (!disable_ertm)
1450 break;
1451 /* fall through */
1452 default:
1453 err = -ENOTSUPP;
1454 goto done;
1455 }
1456
0797e01d 1457 switch (chan->state) {
03a00194
GP		 1458 case BT_CONNECT:
1459 case BT_CONNECT2:
1460 case BT_CONFIG:
1461 /* Already connecting */
1462 err = 0;
1463 goto done;
1464
1465 case BT_CONNECTED:
1466 /* Already connected */
1467 err = -EISCONN;
1468 goto done;
1469
1470 case BT_OPEN:
1471 case BT_BOUND:
1472 /* Can connect */
1473 break;
1474
1475 default:
1476 err = -EBADFD;
1477 goto done;
1478 }
1479
1480 /* Set destination address and psm */
0797e01d 1481 lock_sock(sk);
9219b2a0 1482 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1483 release_sock(sk);
1484
03a00194
GP		 1485 chan->psm = psm;
1486 chan->dcid = cid;
1da177e4 1487
4343478f 1488 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1489
fe4128e0 1490 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1491 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1492 chan->sec_level, auth_type);
acd7d370 1493 else
8e9f9892 1494 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1495 chan->sec_level, auth_type);
acd7d370 1496
30e76272
VT		 1497 if (IS_ERR(hcon)) {
1498 err = PTR_ERR(hcon);
1da177e4 1499 goto done;
30e76272 1500 }
1da177e4
LT		 1501
1502 conn = l2cap_conn_add(hcon, 0);
1503 if (!conn) {
1504 hci_conn_put(hcon);
30e76272 1505 err = -ENOMEM;
1da177e4
LT		 1506 goto done;
1507 }
1508
9f0caeb1
VCG		 1509 if (hcon->type == LE_LINK) {
1510 err = 0;
1511
1512 if (!list_empty(&conn->chan_l)) {
1513 err = -EBUSY;
1514 hci_conn_put(hcon);
1515 }
1516
1517 if (err)
1518 goto done;
1519 }
1520
1da177e4
LT		 1521 /* Update source addr of the socket */
1522 bacpy(src, conn->src);
1523
6be36555 1524 l2cap_chan_unlock(chan);
48454079 1525 l2cap_chan_add(conn, chan);
6be36555 1526 l2cap_chan_lock(chan);
48454079 1527
6be36555 1528 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1529 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1530
1531 if (hcon->state == BT_CONNECTED) {
715ec005 1532 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1533 __clear_chan_timer(chan);
d45fc423 1534 if (l2cap_chan_check_security(chan))
6be36555 1535 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1536 } else
fc7f8a7e 1537 l2cap_do_start(chan);
1da177e4
LT		 1538 }
1539
30e76272
VT		 1540 err = 0;
1541
1da177e4 1542done:
6be36555 1543 l2cap_chan_unlock(chan);
09fd0de5 1544 hci_dev_unlock(hdev);
1da177e4
LT		 1545 hci_dev_put(hdev);
1546 return err;
1547}
1548
dcba0dba 1549int __l2cap_wait_ack(struct sock *sk)
6161c038 1550{
8c1d787b 1551 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1552 DECLARE_WAITQUEUE(wait, current);
1553 int err = 0;
1554 int timeo = HZ/5;
1555
2b0b05dd 1556 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1557 set_current_state(TASK_INTERRUPTIBLE);
1558 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1559 if (!timeo)
1560 timeo = HZ/5;
1561
1562 if (signal_pending(current)) {
1563 err = sock_intr_errno(timeo);
1564 break;
1565 }
1566
1567 release_sock(sk);
1568 timeo = schedule_timeout(timeo);
1569 lock_sock(sk);
a71a0cf4 1570 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1571
1572 err = sock_error(sk);
1573 if (err)
1574 break;
1575 }
1576 set_current_state(TASK_RUNNING);
2b0b05dd 1577 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1578 return err;
1579}
1580
721c4181 1581static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1582{
721c4181 1583 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1584 monitor_timer.work);
e90bac06 1585
525cd185 1586 BT_DBG("chan %p", chan);
0e98958d 1587
6be36555
AE		 1588 l2cap_chan_lock(chan);
1589
80909e04 1590 if (!chan->conn) {
6be36555 1591 l2cap_chan_unlock(chan);
8d7e1c7f 1592 l2cap_chan_put(chan);
e90bac06
GP		 1593 return;
1594 }
1595
401bb1f7 1596 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1597
6be36555 1598 l2cap_chan_unlock(chan);
8d7e1c7f 1599 l2cap_chan_put(chan);
e90bac06
GP		 1600}
1601
721c4181 1602static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1603{
721c4181 1604 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1605 retrans_timer.work);
e90bac06 1606
49208c9c 1607 BT_DBG("chan %p", chan);
0e98958d 1608
6be36555
AE		 1609 l2cap_chan_lock(chan);
1610
80909e04
MM		 1611 if (!chan->conn) {
1612 l2cap_chan_unlock(chan);
1613 l2cap_chan_put(chan);
1614 return;
1615 }
6be36555 1616
401bb1f7 1617 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1618 l2cap_chan_unlock(chan);
8d7e1c7f 1619 l2cap_chan_put(chan);
e90bac06
GP		 1620}
1621
d660366d
GP		 1622static void l2cap_streaming_send(struct l2cap_chan *chan,
1623 struct sk_buff_head *skbs)
6840ed07 1624{
ccbb84af 1625 struct sk_buff *skb;
3733937d 1626 struct l2cap_ctrl *control;
6840ed07 1627
3733937d
MM		 1628 BT_DBG("chan %p, skbs %p", chan, skbs);
1629
3733937d
MM		 1630 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1631
1632 while (!skb_queue_empty(&chan->tx_q)) {
1633
1634 skb = skb_dequeue(&chan->tx_q);
1635
1636 bt_cb(skb)->control.retries = 1;
1637 control = &bt_cb(skb)->control;
1638
1639 control->reqseq = 0;
1640 control->txseq = chan->next_tx_seq;
1641
1642 __pack_control(chan, control, skb);
6840ed07 1643
47d1ec61 1644 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1645 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1646 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1647 }
1648
4343478f 1649 l2cap_do_send(chan, skb);
6840ed07 1650
3733937d
MM		 1651 BT_DBG("Sent txseq %d", (int)control->txseq);
1652
836be934 1653 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1654 chan->frames_sent++;
6840ed07 1655 }
6840ed07
GP		 1656}
1657
67c9e840 1658static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1659{
1660 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1661 struct l2cap_ctrl *control;
1662 int sent = 0;
1663
1664 BT_DBG("chan %p", chan);
1c2acffb 1665
89bc500e 1666 if (chan->state != BT_CONNECTED)
c13ffa62 1667 return -ENOTCONN;
e90bac06 1668
94122bbe
MM		 1669 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1670 return 0;
1671
18a48e76
MM		 1672 while (chan->tx_send_head &&
1673 chan->unacked_frames < chan->remote_tx_win &&
1674 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1675
18a48e76 1676 skb = chan->tx_send_head;
e90bac06 1677
18a48e76
MM		 1678 bt_cb(skb)->control.retries = 1;
1679 control = &bt_cb(skb)->control;
95ffa978 1680
e2ab4353 1681 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1682 control->final = 1;
e2ab4353 1683
18a48e76
MM		 1684 control->reqseq = chan->buffer_seq;
1685 chan->last_acked_seq = chan->buffer_seq;
1686 control->txseq = chan->next_tx_seq;
1c2acffb 1687
18a48e76 1688 __pack_control(chan, control, skb);
e90bac06 1689
47d1ec61 1690 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1691 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1692 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1693 }
1694
18a48e76
MM		 1695 /* Clone after data has been modified. Data is assumed to be
1696 read-only (for locking purposes) on cloned sk_buffs.
1697 */
1698 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1699
18a48e76
MM		 1700 if (!tx_skb)
1701 break;
1c2acffb 1702
18a48e76 1703 __set_retrans_timer(chan);
836be934
AE		 1704
1705 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1706 chan->unacked_frames++;
6a026610 1707 chan->frames_sent++;
18a48e76 1708 sent++;
1c2acffb 1709
58d35f87
GP		 1710 if (skb_queue_is_last(&chan->tx_q, skb))
1711 chan->tx_send_head = NULL;
1c2acffb 1712 else
58d35f87 1713 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1714
1715 l2cap_do_send(chan, tx_skb);
1716 BT_DBG("Sent txseq %d", (int)control->txseq);
1c2acffb
GP		 1717 }
1718
18a48e76
MM		 1719 BT_DBG("Sent %d, %d unacked, %d in ERTM queue", sent,
1720 (int) chan->unacked_frames, skb_queue_len(&chan->tx_q));
1721
1722 return sent;
9e917af1
GP		 1723}
1724
e1fbd4c1
MM		 1725static void l2cap_ertm_resend(struct l2cap_chan *chan)
1726{
1727 struct l2cap_ctrl control;
1728 struct sk_buff *skb;
1729 struct sk_buff *tx_skb;
1730 u16 seq;
1731
1732 BT_DBG("chan %p", chan);
1733
1734 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1735 return;
1736
1737 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1738 seq = l2cap_seq_list_pop(&chan->retrans_list);
1739
1740 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1741 if (!skb) {
1742 BT_DBG("Error: Can't retransmit seq %d, frame missing",
1743 seq);
1744 continue;
1745 }
1746
1747 bt_cb(skb)->control.retries++;
1748 control = bt_cb(skb)->control;
1749
1750 if (chan->max_tx != 0 &&
1751 bt_cb(skb)->control.retries > chan->max_tx) {
1752 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1753 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
1754 l2cap_seq_list_clear(&chan->retrans_list);
1755 break;
1756 }
1757
1758 control.reqseq = chan->buffer_seq;
1759 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1760 control.final = 1;
1761 else
1762 control.final = 0;
1763
1764 if (skb_cloned(skb)) {
1765 /* Cloned sk_buffs are read-only, so we need a
1766 * writeable copy
1767 */
1768 tx_skb = skb_copy(skb, GFP_ATOMIC);
1769 } else {
1770 tx_skb = skb_clone(skb, GFP_ATOMIC);
1771 }
1772
1773 if (!tx_skb) {
1774 l2cap_seq_list_clear(&chan->retrans_list);
1775 break;
1776 }
1777
1778 /* Update skb contents */
1779 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1780 put_unaligned_le32(__pack_extended_control(&control),
1781 tx_skb->data + L2CAP_HDR_SIZE);
1782 } else {
1783 put_unaligned_le16(__pack_enhanced_control(&control),
1784 tx_skb->data + L2CAP_HDR_SIZE);
1785 }
1786
1787 if (chan->fcs == L2CAP_FCS_CRC16) {
1788 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
1789 put_unaligned_le16(fcs, skb_put(tx_skb,
1790 L2CAP_FCS_SIZE));
1791 }
1792
1793 l2cap_do_send(chan, tx_skb);
1794
1795 BT_DBG("Resent txseq %d", control.txseq);
1796
1797 chan->last_acked_seq = chan->buffer_seq;
1798 }
1799}
1800
f80842a8
MM		 1801static void l2cap_retransmit(struct l2cap_chan *chan,
1802 struct l2cap_ctrl *control)
1803{
1804 BT_DBG("chan %p, control %p", chan, control);
1805
1806 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
1807 l2cap_ertm_resend(chan);
1808}
1809
d2a7ac5d
MM		 1810static void l2cap_retransmit_all(struct l2cap_chan *chan,
1811 struct l2cap_ctrl *control)
1812{
e1fbd4c1
MM		 1813 struct sk_buff *skb;
1814
1815 BT_DBG("chan %p, control %p", chan, control);
1816
1817 if (control->poll)
1818 set_bit(CONN_SEND_FBIT, &chan->conn_state);
1819
1820 l2cap_seq_list_clear(&chan->retrans_list);
1821
1822 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1823 return;
1824
1825 if (chan->unacked_frames) {
1826 skb_queue_walk(&chan->tx_q, skb) {
1827 if (bt_cb(skb)->control.txseq == control->reqseq ||
1828 skb == chan->tx_send_head)
1829 break;
1830 }
1831
1832 skb_queue_walk_from(&chan->tx_q, skb) {
1833 if (skb == chan->tx_send_head)
1834 break;
1835
1836 l2cap_seq_list_append(&chan->retrans_list,
1837 bt_cb(skb)->control.txseq);
1838 }
1839
1840 l2cap_ertm_resend(chan);
1841 }
d2a7ac5d
MM		 1842}
1843
0a0aba42 1844static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1845{
0a0aba42
MM		 1846 struct l2cap_ctrl control;
1847 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
1848 chan->last_acked_seq);
1849 int threshold;
9e917af1 1850
0a0aba42
MM		 1851 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
1852 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 1853
0a0aba42
MM		 1854 memset(&control, 0, sizeof(control));
1855 control.sframe = 1;
dfc909be 1856
0a0aba42
MM		 1857 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
1858 chan->rx_state == L2CAP_RX_STATE_RECV) {
1859 __clear_ack_timer(chan);
1860 control.super = L2CAP_SUPER_RNR;
1861 control.reqseq = chan->buffer_seq;
1862 l2cap_send_sframe(chan, &control);
1863 } else {
1864 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
1865 l2cap_ertm_send(chan);
1866 /* If any i-frames were sent, they included an ack */
1867 if (chan->buffer_seq == chan->last_acked_seq)
1868 frames_to_ack = 0;
1869 }
dfc909be 1870
0a0aba42
MM		 1871 /* Ack now if the tx window is 3/4ths full.
1872 * Calculate without mul or div
1873 */
1874 threshold = chan->tx_win;
1875 threshold += threshold << 1;
1876 threshold >>= 2;
1877
1878 BT_DBG("frames_to_ack %d, threshold %d", (int)frames_to_ack,
1879 threshold);
1880
1881 if (frames_to_ack >= threshold) {
1882 __clear_ack_timer(chan);
1883 control.super = L2CAP_SUPER_RR;
1884 control.reqseq = chan->buffer_seq;
1885 l2cap_send_sframe(chan, &control);
1886 frames_to_ack = 0;
1887 }
1c2acffb 1888
0a0aba42
MM		 1889 if (frames_to_ack)
1890 __set_ack_timer(chan);
1891 }
b17e73bb
SJ		 1892}
1893
04124681
GP		 1894static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
1895 struct msghdr *msg, int len,
1896 int count, struct sk_buff *skb)
1c2acffb 1897{
0952a57a 1898 struct l2cap_conn *conn = chan->conn;
1c2acffb 1899 struct sk_buff **frag;
90338947 1900 int sent = 0;
1da177e4 1901
59203a21 1902 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1903 return -EFAULT;
1da177e4
LT		 1904
1905 sent += count;
1906 len -= count;
1907
1908 /* Continuation fragments (no L2CAP header) */
1909 frag = &skb_shinfo(skb)->frag_list;
1910 while (len) {
fbe00700
GP		 1911 struct sk_buff *tmp;
1912
1da177e4
LT		 1913 count = min_t(unsigned int, conn->mtu, len);
1914
fbe00700
GP		 1915 tmp = chan->ops->alloc_skb(chan, count,
1916 msg->msg_flags & MSG_DONTWAIT);
1917 if (IS_ERR(tmp))
1918 return PTR_ERR(tmp);
1919
1920 *frag = tmp;
2f7719ce 1921
1c2acffb
GP		 1922 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1923 return -EFAULT;
1da177e4 1924
5e59b791
LAD		 1925 (*frag)->priority = skb->priority;
1926
1da177e4
LT		 1927 sent += count;
1928 len -= count;
1929
2d0ed3d5
GP		 1930 skb->len += (*frag)->len;
1931 skb->data_len += (*frag)->len;
1932
1da177e4
LT		 1933 frag = &(*frag)->next;
1934 }
1da177e4
LT		 1935
1936 return sent;
1c2acffb 1937}
1da177e4 1938
5e59b791
LAD		 1939static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
1940 struct msghdr *msg, size_t len,
1941 u32 priority)
1c2acffb 1942{
8c1d787b 1943 struct l2cap_conn *conn = chan->conn;
1c2acffb 1944 struct sk_buff *skb;
03a51213 1945 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 1946 struct l2cap_hdr *lh;
1947
6d5922b0 1948 BT_DBG("chan %p len %d priority %u", chan, (int)len, priority);
1c2acffb
GP		 1949
1950 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1951
1952 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 1953 msg->msg_flags & MSG_DONTWAIT);
1954 if (IS_ERR(skb))
1955 return skb;
1c2acffb 1956
5e59b791
LAD		 1957 skb->priority = priority;
1958
1c2acffb
GP		 1959 /* Create L2CAP header */
1960 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1961 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 1962 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
1963 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 1964
0952a57a 1965 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1966 if (unlikely(err < 0)) {
1967 kfree_skb(skb);
1968 return ERR_PTR(err);
1969 }
1970 return skb;
1971}
1972
5e59b791
LAD		 1973static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
1974 struct msghdr *msg, size_t len,
1975 u32 priority)
1c2acffb 1976{
8c1d787b 1977 struct l2cap_conn *conn = chan->conn;
1c2acffb 1978 struct sk_buff *skb;
f2ba7fae 1979 int err, count;
1c2acffb
GP		 1980 struct l2cap_hdr *lh;
1981
6d5922b0 1982 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 1983
f2ba7fae 1984 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 1985
f2ba7fae 1986 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 1987 msg->msg_flags & MSG_DONTWAIT);
1988 if (IS_ERR(skb))
1989 return skb;
1c2acffb 1990
5e59b791
LAD		 1991 skb->priority = priority;
1992
1c2acffb
GP		 1993 /* Create L2CAP header */
1994 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1995 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 1996 lh->len = cpu_to_le16(len);
1c2acffb 1997
0952a57a 1998 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1999 if (unlikely(err < 0)) {
2000 kfree_skb(skb);
2001 return ERR_PTR(err);
2002 }
2003 return skb;
2004}
2005
ab0ff76d
LAD		 2006static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2007 struct msghdr *msg, size_t len,
94122bbe 2008 u16 sdulen)
1c2acffb 2009{
8c1d787b 2010 struct l2cap_conn *conn = chan->conn;
1c2acffb 2011 struct sk_buff *skb;
e4ca6d98 2012 int err, count, hlen;
1c2acffb
GP		 2013 struct l2cap_hdr *lh;
2014
6d5922b0 2015 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 2016
0ee0d208
GP		 2017 if (!conn)
2018 return ERR_PTR(-ENOTCONN);
2019
e4ca6d98
AE		 2020 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2021 hlen = L2CAP_EXT_HDR_SIZE;
2022 else
2023 hlen = L2CAP_ENH_HDR_SIZE;
2024
c74e560c 2025 if (sdulen)
03a51213 2026 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2027
47d1ec61 2028 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2029 hlen += L2CAP_FCS_SIZE;
fcc203c3 2030
1c2acffb 2031 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2032
2033 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2034 msg->msg_flags & MSG_DONTWAIT);
2035 if (IS_ERR(skb))
2036 return skb;
1c2acffb
GP		 2037
2038 /* Create L2CAP header */
2039 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2040 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2041 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2042
18a48e76
MM		 2043 /* Control header is populated later */
2044 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2045 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2046 else
2047 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2048
c74e560c 2049 if (sdulen)
03a51213 2050 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2051
0952a57a 2052 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2053 if (unlikely(err < 0)) {
2054 kfree_skb(skb);
2055 return ERR_PTR(err);
2056 }
e90bac06 2057
18a48e76 2058 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2059 bt_cb(skb)->control.retries = 0;
1c2acffb 2060 return skb;
1da177e4
LT		 2061}
2062
94122bbe
MM		 2063static int l2cap_segment_sdu(struct l2cap_chan *chan,
2064 struct sk_buff_head *seg_queue,
2065 struct msghdr *msg, size_t len)
c74e560c 2066{
c74e560c 2067 struct sk_buff *skb;
94122bbe
MM		 2068 u16 sdu_len;
2069 size_t pdu_len;
2070 int err = 0;
2071 u8 sar;
c74e560c 2072
94122bbe 2073 BT_DBG("chan %p, msg %p, len %d", chan, msg, (int)len);
c74e560c 2074
94122bbe
MM		 2075 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2076 * so fragmented skbs are not used. The HCI layer's handling
2077 * of fragmented skbs is not compatible with ERTM's queueing.
2078 */
c74e560c 2079
94122bbe
MM		 2080 /* PDU size is derived from the HCI MTU */
2081 pdu_len = chan->conn->mtu;
c74e560c 2082
94122bbe
MM		 2083 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2084
2085 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2086 if (chan->fcs)
2087 pdu_len -= L2CAP_FCS_SIZE;
2088
2089 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2090 pdu_len -= L2CAP_EXT_HDR_SIZE;
2091 else
2092 pdu_len -= L2CAP_ENH_HDR_SIZE;
94122bbe
MM		 2093
2094 /* Remote device may have requested smaller PDUs */
2095 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2096
2097 if (len <= pdu_len) {
2098 sar = L2CAP_SAR_UNSEGMENTED;
2099 sdu_len = 0;
2100 pdu_len = len;
2101 } else {
2102 sar = L2CAP_SAR_START;
2103 sdu_len = len;
2104 pdu_len -= L2CAP_SDULEN_SIZE;
2105 }
2106
2107 while (len > 0) {
2108 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2109
c74e560c 2110 if (IS_ERR(skb)) {
94122bbe 2111 __skb_queue_purge(seg_queue);
c74e560c
GP		 2112 return PTR_ERR(skb);
2113 }
2114
94122bbe
MM		 2115 bt_cb(skb)->control.sar = sar;
2116 __skb_queue_tail(seg_queue, skb);
2117
2118 len -= pdu_len;
2119 if (sdu_len) {
2120 sdu_len = 0;
2121 pdu_len += L2CAP_SDULEN_SIZE;
2122 }
2123
2124 if (len <= pdu_len) {
2125 sar = L2CAP_SAR_END;
2126 pdu_len = len;
2127 } else {
2128 sar = L2CAP_SAR_CONTINUE;
2129 }
c74e560c 2130 }
c74e560c 2131
94122bbe 2132 return err;
c74e560c
GP		 2133}
2134
5e59b791
LAD		 2135int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2136 u32 priority)
9a91a04a 2137{
9a91a04a 2138 struct sk_buff *skb;
9a91a04a 2139 int err;
94122bbe 2140 struct sk_buff_head seg_queue;
9a91a04a
GP		 2141
2142 /* Connectionless channel */
715ec005 2143 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2144 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2145 if (IS_ERR(skb))
2146 return PTR_ERR(skb);
2147
2148 l2cap_do_send(chan, skb);
2149 return len;
2150 }
2151
2152 switch (chan->mode) {
2153 case L2CAP_MODE_BASIC:
2154 /* Check outgoing MTU */
2155 if (len > chan->omtu)
2156 return -EMSGSIZE;
2157
2158 /* Create a basic PDU */
5e59b791 2159 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2160 if (IS_ERR(skb))
2161 return PTR_ERR(skb);
2162
2163 l2cap_do_send(chan, skb);
2164 err = len;
2165 break;
2166
2167 case L2CAP_MODE_ERTM:
2168 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2169 /* Check outgoing MTU */
2170 if (len > chan->omtu) {
2171 err = -EMSGSIZE;
2172 break;
2173 }
9a91a04a 2174
94122bbe 2175 __skb_queue_head_init(&seg_queue);
9a91a04a 2176
94122bbe
MM		 2177 /* Do segmentation before calling in to the state machine,
2178 * since it's possible to block while waiting for memory
2179 * allocation.
2180 */
2181 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2182
94122bbe
MM		 2183 /* The channel could have been closed while segmenting,
2184 * check that it is still connected.
2185 */
2186 if (chan->state != BT_CONNECTED) {
2187 __skb_queue_purge(&seg_queue);
2188 err = -ENOTCONN;
9a91a04a
GP		 2189 }
2190
94122bbe 2191 if (err)
9a91a04a 2192 break;
9a91a04a 2193
3733937d 2194 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2195 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2196 else
d660366d 2197 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2198
d660366d 2199 err = len;
9a91a04a 2200
94122bbe
MM		 2201 /* If the skbs were not queued for sending, they'll still be in
2202 * seg_queue and need to be purged.
2203 */
2204 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2205 break;
2206
2207 default:
2208 BT_DBG("bad state %1.1x", chan->mode);
2209 err = -EBADFD;
2210 }
2211
2212 return err;
2213}
2214
d2a7ac5d
MM		 2215static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2216{
bed68bde
MM		 2217 struct l2cap_ctrl control;
2218 u16 seq;
2219
2220 BT_DBG("chan %p, txseq %d", chan, txseq);
2221
2222 memset(&control, 0, sizeof(control));
2223 control.sframe = 1;
2224 control.super = L2CAP_SUPER_SREJ;
2225
2226 for (seq = chan->expected_tx_seq; seq != txseq;
2227 seq = __next_seq(chan, seq)) {
2228 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2229 control.reqseq = seq;
2230 l2cap_send_sframe(chan, &control);
2231 l2cap_seq_list_append(&chan->srej_list, seq);
2232 }
2233 }
2234
2235 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2236}
2237
2238static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2239{
bed68bde
MM		 2240 struct l2cap_ctrl control;
2241
2242 BT_DBG("chan %p", chan);
2243
2244 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2245 return;
2246
2247 memset(&control, 0, sizeof(control));
2248 control.sframe = 1;
2249 control.super = L2CAP_SUPER_SREJ;
2250 control.reqseq = chan->srej_list.tail;
2251 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2252}
2253
2254static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2255{
bed68bde
MM		 2256 struct l2cap_ctrl control;
2257 u16 initial_head;
2258 u16 seq;
2259
2260 BT_DBG("chan %p, txseq %d", chan, txseq);
2261
2262 memset(&control, 0, sizeof(control));
2263 control.sframe = 1;
2264 control.super = L2CAP_SUPER_SREJ;
2265
2266 /* Capture initial list head to allow only one pass through the list. */
2267 initial_head = chan->srej_list.head;
2268
2269 do {
2270 seq = l2cap_seq_list_pop(&chan->srej_list);
2271 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2272 break;
2273
2274 control.reqseq = seq;
2275 l2cap_send_sframe(chan, &control);
2276 l2cap_seq_list_append(&chan->srej_list, seq);
2277 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2278}
2279
608bcc6d
MM		 2280static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2281{
2282 struct sk_buff *acked_skb;
2283 u16 ackseq;
2284
2285 BT_DBG("chan %p, reqseq %d", chan, reqseq);
2286
2287 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2288 return;
2289
2290 BT_DBG("expected_ack_seq %d, unacked_frames %d",
2291 chan->expected_ack_seq, chan->unacked_frames);
2292
2293 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2294 ackseq = __next_seq(chan, ackseq)) {
2295
2296 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2297 if (acked_skb) {
2298 skb_unlink(acked_skb, &chan->tx_q);
2299 kfree_skb(acked_skb);
2300 chan->unacked_frames--;
2301 }
2302 }
2303
2304 chan->expected_ack_seq = reqseq;
2305
2306 if (chan->unacked_frames == 0)
2307 __clear_retrans_timer(chan);
2308
2309 BT_DBG("unacked_frames %d", (int) chan->unacked_frames);
2310}
2311
2312static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2313{
2314 BT_DBG("chan %p", chan);
2315
2316 chan->expected_tx_seq = chan->buffer_seq;
2317 l2cap_seq_list_clear(&chan->srej_list);
2318 skb_queue_purge(&chan->srej_q);
2319 chan->rx_state = L2CAP_RX_STATE_RECV;
2320}
2321
d660366d
GP		 2322static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2323 struct l2cap_ctrl *control,
2324 struct sk_buff_head *skbs, u8 event)
608bcc6d 2325{
608bcc6d
MM		 2326 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2327 event);
2328
2329 switch (event) {
2330 case L2CAP_EV_DATA_REQUEST:
2331 if (chan->tx_send_head == NULL)
2332 chan->tx_send_head = skb_peek(skbs);
2333
2334 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2335 l2cap_ertm_send(chan);
2336 break;
2337 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2338 BT_DBG("Enter LOCAL_BUSY");
2339 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2340
2341 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2342 /* The SREJ_SENT state must be aborted if we are to
2343 * enter the LOCAL_BUSY state.
2344 */
2345 l2cap_abort_rx_srej_sent(chan);
2346 }
2347
2348 l2cap_send_ack(chan);
2349
2350 break;
2351 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2352 BT_DBG("Exit LOCAL_BUSY");
2353 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2354
2355 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2356 struct l2cap_ctrl local_control;
2357
2358 memset(&local_control, 0, sizeof(local_control));
2359 local_control.sframe = 1;
2360 local_control.super = L2CAP_SUPER_RR;
2361 local_control.poll = 1;
2362 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2363 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2364
2365 chan->retry_count = 1;
2366 __set_monitor_timer(chan);
2367 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2368 }
2369 break;
2370 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2371 l2cap_process_reqseq(chan, control->reqseq);
2372 break;
2373 case L2CAP_EV_EXPLICIT_POLL:
2374 l2cap_send_rr_or_rnr(chan, 1);
2375 chan->retry_count = 1;
2376 __set_monitor_timer(chan);
2377 __clear_ack_timer(chan);
2378 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2379 break;
2380 case L2CAP_EV_RETRANS_TO:
2381 l2cap_send_rr_or_rnr(chan, 1);
2382 chan->retry_count = 1;
2383 __set_monitor_timer(chan);
2384 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2385 break;
2386 case L2CAP_EV_RECV_FBIT:
2387 /* Nothing to process */
2388 break;
2389 default:
2390 break;
2391 }
608bcc6d
MM		 2392}
2393
d660366d
GP		 2394static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2395 struct l2cap_ctrl *control,
2396 struct sk_buff_head *skbs, u8 event)
608bcc6d 2397{
608bcc6d
MM		 2398 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2399 event);
2400
2401 switch (event) {
2402 case L2CAP_EV_DATA_REQUEST:
2403 if (chan->tx_send_head == NULL)
2404 chan->tx_send_head = skb_peek(skbs);
2405 /* Queue data, but don't send. */
2406 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2407 break;
2408 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2409 BT_DBG("Enter LOCAL_BUSY");
2410 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2411
2412 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2413 /* The SREJ_SENT state must be aborted if we are to
2414 * enter the LOCAL_BUSY state.
2415 */
2416 l2cap_abort_rx_srej_sent(chan);
2417 }
2418
2419 l2cap_send_ack(chan);
2420
2421 break;
2422 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2423 BT_DBG("Exit LOCAL_BUSY");
2424 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2425
2426 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2427 struct l2cap_ctrl local_control;
2428 memset(&local_control, 0, sizeof(local_control));
2429 local_control.sframe = 1;
2430 local_control.super = L2CAP_SUPER_RR;
2431 local_control.poll = 1;
2432 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2433 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2434
2435 chan->retry_count = 1;
2436 __set_monitor_timer(chan);
2437 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2438 }
2439 break;
2440 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2441 l2cap_process_reqseq(chan, control->reqseq);
2442
2443 /* Fall through */
2444
2445 case L2CAP_EV_RECV_FBIT:
2446 if (control && control->final) {
2447 __clear_monitor_timer(chan);
2448 if (chan->unacked_frames > 0)
2449 __set_retrans_timer(chan);
2450 chan->retry_count = 0;
2451 chan->tx_state = L2CAP_TX_STATE_XMIT;
2452 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2453 }
2454 break;
2455 case L2CAP_EV_EXPLICIT_POLL:
2456 /* Ignore */
2457 break;
2458 case L2CAP_EV_MONITOR_TO:
2459 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2460 l2cap_send_rr_or_rnr(chan, 1);
2461 __set_monitor_timer(chan);
2462 chan->retry_count++;
2463 } else {
2464 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
2465 }
2466 break;
2467 default:
2468 break;
2469 }
608bcc6d
MM		 2470}
2471
d660366d
GP		 2472static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2473 struct sk_buff_head *skbs, u8 event)
608bcc6d 2474{
608bcc6d
MM		 2475 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2476 chan, control, skbs, event, chan->tx_state);
2477
2478 switch (chan->tx_state) {
2479 case L2CAP_TX_STATE_XMIT:
d660366d 2480 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2481 break;
2482 case L2CAP_TX_STATE_WAIT_F:
d660366d 2483 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2484 break;
2485 default:
2486 /* Ignore event */
2487 break;
2488 }
608bcc6d
MM		 2489}
2490
4b51dae9
MM		 2491static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2492 struct l2cap_ctrl *control)
2493{
2494 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2495 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2496}
2497
f80842a8
MM		 2498static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2499 struct l2cap_ctrl *control)
2500{
2501 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2502 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2503}
2504
1da177e4
LT		 2505/* Copy frame to all raw sockets on that connection */
2506static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2507{
1da177e4 2508 struct sk_buff *nskb;
48454079 2509 struct l2cap_chan *chan;
1da177e4
LT		 2510
2511 BT_DBG("conn %p", conn);
2512
3df91ea2 2513 mutex_lock(&conn->chan_lock);
3d57dc68 2514
3df91ea2 2515 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2516 struct sock *sk = chan->sk;
715ec005 2517 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2518 continue;
2519
2520 /* Don't send frame to the socket it came from */
2521 if (skb->sk == sk)
2522 continue;
af05b30b
GP		 2523 nskb = skb_clone(skb, GFP_ATOMIC);
2524 if (!nskb)
1da177e4
LT		 2525 continue;
2526
80b98027 2527 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2528 kfree_skb(nskb);
2529 }
3d57dc68 2530
3df91ea2 2531 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2532}
2533
2534/* ---- L2CAP signalling commands ---- */
2535static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2536 u8 code, u8 ident, u16 dlen, void *data)
2537{
2538 struct sk_buff *skb, **frag;
2539 struct l2cap_cmd_hdr *cmd;
2540 struct l2cap_hdr *lh;
2541 int len, count;
2542
af05b30b
GP		 2543 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2544 conn, code, ident, dlen);
1da177e4
LT		 2545
2546 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2547 count = min_t(unsigned int, conn->mtu, len);
2548
2549 skb = bt_skb_alloc(count, GFP_ATOMIC);
2550 if (!skb)
2551 return NULL;
2552
2553 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2554 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2555
2556 if (conn->hcon->type == LE_LINK)
ac73498c 2557 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2558 else
ac73498c 2559 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2560
2561 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2562 cmd->code = code;
2563 cmd->ident = ident;
aca3192c 2564 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2565
2566 if (dlen) {
2567 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2568 memcpy(skb_put(skb, count), data, count);
2569 data += count;
2570 }
2571
2572 len -= skb->len;
2573
2574 /* Continuation fragments (no L2CAP header) */
2575 frag = &skb_shinfo(skb)->frag_list;
2576 while (len) {
2577 count = min_t(unsigned int, conn->mtu, len);
2578
2579 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2580 if (!*frag)
2581 goto fail;
2582
2583 memcpy(skb_put(*frag, count), data, count);
2584
2585 len -= count;
2586 data += count;
2587
2588 frag = &(*frag)->next;
2589 }
2590
2591 return skb;
2592
2593fail:
2594 kfree_skb(skb);
2595 return NULL;
2596}
2597
2598static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2599{
2600 struct l2cap_conf_opt *opt = *ptr;
2601 int len;
2602
2603 len = L2CAP_CONF_OPT_SIZE + opt->len;
2604 *ptr += len;
2605
2606 *type = opt->type;
2607 *olen = opt->len;
2608
2609 switch (opt->len) {
2610 case 1:
2611 *val = *((u8 *) opt->val);
2612 break;
2613
2614 case 2:
bfaaeb3e 2615 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2616 break;
2617
2618 case 4:
bfaaeb3e 2619 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2620 break;
2621
2622 default:
2623 *val = (unsigned long) opt->val;
2624 break;
2625 }
2626
2627 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2628 return len;
2629}
2630
1da177e4
LT		 2631static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2632{
2633 struct l2cap_conf_opt *opt = *ptr;
2634
2635 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2636
2637 opt->type = type;
2638 opt->len = len;
2639
2640 switch (len) {
2641 case 1:
2642 *((u8 *) opt->val) = val;
2643 break;
2644
2645 case 2:
4f8b691c 2646 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2647 break;
2648
2649 case 4:
4f8b691c 2650 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2651 break;
2652
2653 default:
2654 memcpy(opt->val, (void *) val, len);
2655 break;
2656 }
2657
2658 *ptr += L2CAP_CONF_OPT_SIZE + len;
2659}
2660
f89cef09
AE		 2661static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2662{
2663 struct l2cap_conf_efs efs;
2664
1ec918ce 2665 switch (chan->mode) {
f89cef09
AE		 2666 case L2CAP_MODE_ERTM:
2667 efs.id = chan->local_id;
2668 efs.stype = chan->local_stype;
2669 efs.msdu = cpu_to_le16(chan->local_msdu);
2670 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c
AE		 2671 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2672 efs.flush_to = __constant_cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
f89cef09
AE		 2673 break;
2674
2675 case L2CAP_MODE_STREAMING:
2676 efs.id = 1;
2677 efs.stype = L2CAP_SERV_BESTEFFORT;
2678 efs.msdu = cpu_to_le16(chan->local_msdu);
2679 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2680 efs.acc_lat = 0;
2681 efs.flush_to = 0;
2682 break;
2683
2684 default:
2685 return;
2686 }
2687
2688 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
2689 (unsigned long) &efs);
2690}
2691
721c4181 2692static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2693{
721c4181 2694 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 2695 ack_timer.work);
2696 u16 frames_to_ack;
c1b4f43b 2697
2fb9b3d4
GP		 2698 BT_DBG("chan %p", chan);
2699
6be36555
AE		 2700 l2cap_chan_lock(chan);
2701
0362520b
MM		 2702 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2703 chan->last_acked_seq);
6be36555 2704
0362520b
MM		 2705 if (frames_to_ack)
2706 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 2707
0362520b 2708 l2cap_chan_unlock(chan);
09bfb2ee 2709 l2cap_chan_put(chan);
c1b4f43b
GP		 2710}
2711
466f8004 2712int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2713{
3c588192
MM		 2714 int err;
2715
105bdf9e
MM		 2716 chan->next_tx_seq = 0;
2717 chan->expected_tx_seq = 0;
42e5c802 2718 chan->expected_ack_seq = 0;
6a026610 2719 chan->unacked_frames = 0;
42e5c802 2720 chan->buffer_seq = 0;
6a026610 2721 chan->frames_sent = 0;
105bdf9e
MM		 2722 chan->last_acked_seq = 0;
2723 chan->sdu = NULL;
2724 chan->sdu_last_frag = NULL;
2725 chan->sdu_len = 0;
2726
d34c34fb
MM		 2727 skb_queue_head_init(&chan->tx_q);
2728
105bdf9e
MM		 2729 if (chan->mode != L2CAP_MODE_ERTM)
2730 return 0;
2731
2732 chan->rx_state = L2CAP_RX_STATE_RECV;
2733 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2734
721c4181
GP		 2735 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2736 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2737 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2738
f1c6775b 2739 skb_queue_head_init(&chan->srej_q);
1890d36b 2740
3c588192
MM		 2741 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2742 if (err < 0)
2743 return err;
2744
9dc9affc
MM		 2745 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
2746 if (err < 0)
2747 l2cap_seq_list_free(&chan->srej_list);
2748
2749 return err;
0565c1c2
GP		 2750}
2751
f2fcfcd6
GP		 2752static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2753{
2754 switch (mode) {
2755 case L2CAP_MODE_STREAMING:
2756 case L2CAP_MODE_ERTM:
2757 if (l2cap_mode_supported(mode, remote_feat_mask))
2758 return mode;
2759 /* fall through */
2760 default:
2761 return L2CAP_MODE_BASIC;
2762 }
2763}
2764
6327eb98
AE		 2765static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2766{
2767 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2768}
2769
f89cef09
AE		 2770static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2771{
2772 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2773}
2774
6327eb98
AE		 2775static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2776{
2777 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 2778 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2779 /* use extended control field */
2780 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2781 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2782 } else {
6327eb98
AE		 2783 chan->tx_win = min_t(u16, chan->tx_win,
2784 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2785 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2786 }
6327eb98
AE		 2787}
2788
710f9b0a 2789static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2790{
1da177e4 2791 struct l2cap_conf_req *req = data;
0c1bc5c6 2792 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2793 void *ptr = req->data;
c8f79162 2794 u16 size;
1da177e4 2795
49208c9c 2796 BT_DBG("chan %p", chan);
1da177e4 2797
73ffa904 2798 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2799 goto done;
2800
0c1bc5c6 2801 switch (chan->mode) {
f2fcfcd6
GP		 2802 case L2CAP_MODE_STREAMING:
2803 case L2CAP_MODE_ERTM:
c1360a1c 2804 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2805 break;
85eb53c6 2806
f89cef09
AE		 2807 if (__l2cap_efs_supported(chan))
2808 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2809
2ba13ed6 2810 /* fall through */
f2fcfcd6 2811 default:
8c1d787b 2812 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2813 break;
2814 }
2815
2816done:
0c1bc5c6
GP		 2817 if (chan->imtu != L2CAP_DEFAULT_MTU)
2818 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2819
0c1bc5c6 2820 switch (chan->mode) {
65c7c491 2821 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2822 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2823 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2824 break;
2825
62547752
GP		 2826 rfc.mode = L2CAP_MODE_BASIC;
2827 rfc.txwin_size = 0;
2828 rfc.max_transmit = 0;
2829 rfc.retrans_timeout = 0;
2830 rfc.monitor_timeout = 0;
2831 rfc.max_pdu_size = 0;
2832
63406504
GP		 2833 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2834 (unsigned long) &rfc);
65c7c491
MH		 2835 break;
2836
2837 case L2CAP_MODE_ERTM:
2838 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2839 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2840 rfc.retrans_timeout = 0;
2841 rfc.monitor_timeout = 0;
c8f79162
AE		 2842
2843 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2844 L2CAP_EXT_HDR_SIZE -
2845 L2CAP_SDULEN_SIZE -
2846 L2CAP_FCS_SIZE);
2847 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2848
6327eb98
AE		 2849 l2cap_txwin_setup(chan);
2850
2851 rfc.txwin_size = min_t(u16, chan->tx_win,
2852 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2853
63406504
GP		 2854 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2855 (unsigned long) &rfc);
2856
f89cef09
AE		 2857 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2858 l2cap_add_opt_efs(&ptr, chan);
2859
8c1d787b 2860 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2861 break;
2862
47d1ec61 2863 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2864 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2865 chan->fcs = L2CAP_FCS_NONE;
2866 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2867 }
6327eb98
AE		 2868
2869 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2870 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2871 chan->tx_win);
f2fcfcd6
GP		 2872 break;
2873
2874 case L2CAP_MODE_STREAMING:
273759e2 2875 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 2876 rfc.mode = L2CAP_MODE_STREAMING;
2877 rfc.txwin_size = 0;
2878 rfc.max_transmit = 0;
2879 rfc.retrans_timeout = 0;
2880 rfc.monitor_timeout = 0;
c8f79162
AE		 2881
2882 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2883 L2CAP_EXT_HDR_SIZE -
2884 L2CAP_SDULEN_SIZE -
2885 L2CAP_FCS_SIZE);
2886 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2887
63406504
GP		 2888 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2889 (unsigned long) &rfc);
2890
f89cef09
AE		 2891 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2892 l2cap_add_opt_efs(&ptr, chan);
2893
8c1d787b 2894 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2895 break;
2896
47d1ec61 2897 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2898 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2899 chan->fcs = L2CAP_FCS_NONE;
2900 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2901 }
65c7c491
MH		 2902 break;
2903 }
1da177e4 2904
fe4128e0 2905 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 2906 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 2907
2908 return ptr - data;
2909}
2910
73ffa904 2911static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2912{
5dee9e7c
MH		 2913 struct l2cap_conf_rsp *rsp = data;
2914 void *ptr = rsp->data;
73ffa904
GP		 2915 void *req = chan->conf_req;
2916 int len = chan->conf_len;
5dee9e7c
MH		 2917 int type, hint, olen;
2918 unsigned long val;
6464f35f 2919 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2920 struct l2cap_conf_efs efs;
2921 u8 remote_efs = 0;
861d6882 2922 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2923 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2924 u16 size;
1da177e4 2925
73ffa904 2926 BT_DBG("chan %p", chan);
820ae1b8 2927
5dee9e7c
MH		 2928 while (len >= L2CAP_CONF_OPT_SIZE) {
2929 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2930
589d2746 2931 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2932 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2933
2934 switch (type) {
2935 case L2CAP_CONF_MTU:
861d6882 2936 mtu = val;
5dee9e7c
MH		 2937 break;
2938
2939 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2940 chan->flush_to = val;
5dee9e7c
MH		 2941 break;
2942
2943 case L2CAP_CONF_QOS:
2944 break;
2945
6464f35f
MH		 2946 case L2CAP_CONF_RFC:
2947 if (olen == sizeof(rfc))
2948 memcpy(&rfc, (void *) val, olen);
2949 break;
2950
fcc203c3
GP		 2951 case L2CAP_CONF_FCS:
2952 if (val == L2CAP_FCS_NONE)
c1360a1c 2953 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 2954 break;
fcc203c3 2955
42dceae2
AE		 2956 case L2CAP_CONF_EFS:
2957 remote_efs = 1;
2958 if (olen == sizeof(efs))
2959 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 2960 break;
2961
6327eb98
AE		 2962 case L2CAP_CONF_EWS:
2963 if (!enable_hs)
2964 return -ECONNREFUSED;
fcc203c3 2965
6327eb98
AE		 2966 set_bit(FLAG_EXT_CTRL, &chan->flags);
2967 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 2968 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 2969 chan->remote_tx_win = val;
fcc203c3
GP		 2970 break;
2971
5dee9e7c
MH		 2972 default:
2973 if (hint)
2974 break;
2975
2976 result = L2CAP_CONF_UNKNOWN;
2977 *((u8 *) ptr++) = type;
2978 break;
2979 }
2980 }
2981
73ffa904 2982 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2983 goto done;
2984
0c1bc5c6 2985 switch (chan->mode) {
f2fcfcd6
GP		 2986 case L2CAP_MODE_STREAMING:
2987 case L2CAP_MODE_ERTM:
c1360a1c 2988 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2989 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2990 chan->conn->feat_mask);
85eb53c6
GP		 2991 break;
2992 }
2993
42dceae2
AE		 2994 if (remote_efs) {
2995 if (__l2cap_efs_supported(chan))
2996 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2997 else
2998 return -ECONNREFUSED;
2999 }
3000
0c1bc5c6 3001 if (chan->mode != rfc.mode)
f2fcfcd6 3002 return -ECONNREFUSED;
742e519b 3003
f2fcfcd6 3004 break;
f2fcfcd6
GP		 3005 }
3006
3007done:
0c1bc5c6 3008 if (chan->mode != rfc.mode) {
f2fcfcd6 3009 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3010 rfc.mode = chan->mode;
f2fcfcd6 3011
73ffa904 3012 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3013 return -ECONNREFUSED;
3014
3015 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3016 sizeof(rfc), (unsigned long) &rfc);
3017 }
3018
5dee9e7c
MH		 3019 if (result == L2CAP_CONF_SUCCESS) {
3020 /* Configure output options and let the other side know
3021 * which ones we don't like. */
3022
f2fcfcd6
GP		 3023 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3024 result = L2CAP_CONF_UNACCEPT;
3025 else {
0c1bc5c6 3026 chan->omtu = mtu;
c1360a1c 3027 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3028 }
0c1bc5c6 3029 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3030
42dceae2
AE		 3031 if (remote_efs) {
3032 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3033 efs.stype != L2CAP_SERV_NOTRAFIC &&
3034 efs.stype != chan->local_stype) {
3035
3036 result = L2CAP_CONF_UNACCEPT;
3037
3038 if (chan->num_conf_req >= 1)
3039 return -ECONNREFUSED;
3040
3041 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 3042 sizeof(efs),
42dceae2 3043 (unsigned long) &efs);
0e8b207e 3044 } else {
3e6b3b95 3045 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3046 result = L2CAP_CONF_PENDING;
3047 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3048 }
3049 }
3050
f2fcfcd6
GP		 3051 switch (rfc.mode) {
3052 case L2CAP_MODE_BASIC:
47d1ec61 3053 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3054 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3055 break;
3056
3057 case L2CAP_MODE_ERTM:
6327eb98
AE		 3058 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3059 chan->remote_tx_win = rfc.txwin_size;
3060 else
3061 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3062
2c03a7a4 3063 chan->remote_max_tx = rfc.max_transmit;
1c762159 3064
c8f79162
AE		 3065 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3066 chan->conn->mtu -
3067 L2CAP_EXT_HDR_SIZE -
3068 L2CAP_SDULEN_SIZE -
3069 L2CAP_FCS_SIZE);
3070 rfc.max_pdu_size = cpu_to_le16(size);
3071 chan->remote_mps = size;
f2fcfcd6 3072
10467e9e 3073 rfc.retrans_timeout =
4fd21a88 3074 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
10467e9e 3075 rfc.monitor_timeout =
4fd21a88 3076 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 3077
c1360a1c 3078 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3079
3080 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3081 sizeof(rfc), (unsigned long) &rfc);
3082
42dceae2
AE		 3083 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3084 chan->remote_id = efs.id;
3085 chan->remote_stype = efs.stype;
3086 chan->remote_msdu = le16_to_cpu(efs.msdu);
3087 chan->remote_flush_to =
3088 le32_to_cpu(efs.flush_to);
3089 chan->remote_acc_lat =
3090 le32_to_cpu(efs.acc_lat);
3091 chan->remote_sdu_itime =
3092 le32_to_cpu(efs.sdu_itime);
3093 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3094 sizeof(efs), (unsigned long) &efs);
3095 }
f2fcfcd6
GP		 3096 break;
3097
3098 case L2CAP_MODE_STREAMING:
c8f79162
AE		 3099 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3100 chan->conn->mtu -
3101 L2CAP_EXT_HDR_SIZE -
3102 L2CAP_SDULEN_SIZE -
3103 L2CAP_FCS_SIZE);
3104 rfc.max_pdu_size = cpu_to_le16(size);
3105 chan->remote_mps = size;
f2fcfcd6 3106
c1360a1c 3107 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3108
3109 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3110 sizeof(rfc), (unsigned long) &rfc);
3111
f2fcfcd6
GP		 3112 break;
3113
3114 default:
5dee9e7c 3115 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3116
6464f35f 3117 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3118 rfc.mode = chan->mode;
f2fcfcd6 3119 }
6464f35f 3120
f2fcfcd6 3121 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3122 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3123 }
fe4128e0 3124 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3125 rsp->result = cpu_to_le16(result);
59e54bd1 3126 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3127
3128 return ptr - data;
1da177e4
LT		 3129}
3130
b4450035 3131static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 3132{
f2fcfcd6
GP		 3133 struct l2cap_conf_req *req = data;
3134 void *ptr = req->data;
3135 int type, olen;
3136 unsigned long val;
36e999a8 3137 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3138 struct l2cap_conf_efs efs;
f2fcfcd6 3139
fe4128e0 3140 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3141
3142 while (len >= L2CAP_CONF_OPT_SIZE) {
3143 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3144
3145 switch (type) {
3146 case L2CAP_CONF_MTU:
3147 if (val < L2CAP_DEFAULT_MIN_MTU) {
3148 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3149 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3150 } else
0c1bc5c6
GP		 3151 chan->imtu = val;
3152 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3153 break;
3154
3155 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3156 chan->flush_to = val;
f2fcfcd6 3157 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 3158 2, chan->flush_to);
f2fcfcd6
GP		 3159 break;
3160
3161 case L2CAP_CONF_RFC:
3162 if (olen == sizeof(rfc))
3163 memcpy(&rfc, (void *)val, olen);
3164
c1360a1c 3165 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 3166 rfc.mode != chan->mode)
f2fcfcd6
GP		 3167 return -ECONNREFUSED;
3168
47d1ec61 3169 chan->fcs = 0;
f2fcfcd6
GP		 3170
3171 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3172 sizeof(rfc), (unsigned long) &rfc);
3173 break;
6327eb98
AE		 3174
3175 case L2CAP_CONF_EWS:
3176 chan->tx_win = min_t(u16, val,
3177 L2CAP_DEFAULT_EXT_WINDOW);
3e6b3b95
GP		 3178 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3179 chan->tx_win);
6327eb98 3180 break;
66af7aaf
AE		 3181
3182 case L2CAP_CONF_EFS:
3183 if (olen == sizeof(efs))
3184 memcpy(&efs, (void *)val, olen);
3185
3186 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3187 efs.stype != L2CAP_SERV_NOTRAFIC &&
3188 efs.stype != chan->local_stype)
3189 return -ECONNREFUSED;
3190
3191 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3192 sizeof(efs), (unsigned long) &efs);
3193 break;
f2fcfcd6
GP		 3194 }
3195 }
3196
0c1bc5c6 3197 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3198 return -ECONNREFUSED;
3199
0c1bc5c6 3200 chan->mode = rfc.mode;
6c2ea7a8 3201
0e8b207e 3202 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3203 switch (rfc.mode) {
3204 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3205 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3206 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3207 chan->mps = le16_to_cpu(rfc.max_pdu_size);
66af7aaf
AE		 3208
3209 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3210 chan->local_msdu = le16_to_cpu(efs.msdu);
3211 chan->local_sdu_itime =
3212 le32_to_cpu(efs.sdu_itime);
3213 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3214 chan->local_flush_to =
3215 le32_to_cpu(efs.flush_to);
3216 }
f2fcfcd6 3217 break;
66af7aaf 3218
f2fcfcd6 3219 case L2CAP_MODE_STREAMING:
47d1ec61 3220 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3221 }
3222 }
3223
fe4128e0 3224 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3225 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3226
3227 return ptr - data;
3228}
3229
fe4128e0 3230static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 3231{
3232 struct l2cap_conf_rsp *rsp = data;
3233 void *ptr = rsp->data;
1da177e4 3234
fe4128e0 3235 BT_DBG("chan %p", chan);
1da177e4 3236
fe4128e0 3237 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3238 rsp->result = cpu_to_le16(result);
aca3192c 3239 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3240
3241 return ptr - data;
3242}
3243
8c1d787b 3244void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3245{
3246 struct l2cap_conn_rsp rsp;
8c1d787b 3247 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 3248 u8 buf[128];
3249
fe4128e0
GP		 3250 rsp.scid = cpu_to_le16(chan->dcid);
3251 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3252 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3253 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
710f9b0a
GP		 3254 l2cap_send_cmd(conn, chan->ident,
3255 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
3256
c1360a1c 3257 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3258 return;
3259
710f9b0a
GP		 3260 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3261 l2cap_build_conf_req(chan, buf), buf);
3262 chan->num_conf_req++;
3263}
3264
47d1ec61 3265static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3266{
7b1c0049
GP		 3267 int type, olen;
3268 unsigned long val;
3269 struct l2cap_conf_rfc rfc;
3270
47d1ec61 3271 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3272
0c1bc5c6 3273 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3274 return;
3275
3276 while (len >= L2CAP_CONF_OPT_SIZE) {
3277 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3278
3279 switch (type) {
3280 case L2CAP_CONF_RFC:
3281 if (olen == sizeof(rfc))
3282 memcpy(&rfc, (void *)val, olen);
3283 goto done;
3284 }
3285 }
3286
36e999a8
MM		 3287 /* Use sane default values in case a misbehaving remote device
3288 * did not send an RFC option.
3289 */
3290 rfc.mode = chan->mode;
ac73498c
AE		 3291 rfc.retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3292 rfc.monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
36e999a8
MM		 3293 rfc.max_pdu_size = cpu_to_le16(chan->imtu);
3294
3295 BT_ERR("Expected RFC option was not found, using defaults");
3296
7b1c0049
GP		 3297done:
3298 switch (rfc.mode) {
3299 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3300 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3301 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3302 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3303 break;
3304 case L2CAP_MODE_STREAMING:
47d1ec61 3305 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3306 }
3307}
3308
4e8402a3
MH		 3309static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3310{
e2fd318e 3311 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3312
e2fd318e 3313 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3314 return 0;
3315
3316 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3317 cmd->ident == conn->info_ident) {
17cd3f37 3318 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3319
3320 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3321 conn->info_ident = 0;
984947dc 3322
4e8402a3
MH		 3323 l2cap_conn_start(conn);
3324 }
3325
3326 return 0;
3327}
3328
1da177e4
LT		 3329static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3330{
1da177e4
LT		 3331 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3332 struct l2cap_conn_rsp rsp;
23691d75 3333 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3334 struct sock *parent, *sk = NULL;
e7c29cb1 3335 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3336
3337 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3338 __le16 psm = req->psm;
1da177e4 3339
097db76c 3340 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3341
3342 /* Check if we have socket listening on psm */
c2287681 3343 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3344 if (!pchan) {
1da177e4
LT		 3345 result = L2CAP_CR_BAD_PSM;
3346 goto sendresp;
3347 }
3348
23691d75
GP		 3349 parent = pchan->sk;
3350
3df91ea2 3351 mutex_lock(&conn->chan_lock);
aa2ac881 3352 lock_sock(parent);
e0f0cb56 3353
e7c29cb1 3354 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3355 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
e7c29cb1 3356 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3357 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3358 result = L2CAP_CR_SEC_BLOCK;
3359 goto response;
3360 }
3361
1da177e4
LT		 3362 result = L2CAP_CR_NO_MEM;
3363
2dfa1003
GP		 3364 /* Check if we already have channel with that dcid */
3365 if (__l2cap_get_chan_by_dcid(conn, scid))
3366 goto response;
3367
80b98027 3368 chan = pchan->ops->new_connection(pchan);
80808e43 3369 if (!chan)
1da177e4
LT		 3370 goto response;
3371
80808e43
GP		 3372 sk = chan->sk;
3373
1da177e4
LT		 3374 hci_conn_hold(conn->hcon);
3375
1da177e4
LT		 3376 bacpy(&bt_sk(sk)->src, conn->src);
3377 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3378 chan->psm = psm;
3379 chan->dcid = scid;
1da177e4 3380
d1010240
GP		 3381 bt_accept_enqueue(parent, sk);
3382
6be36555 3383 __l2cap_chan_add(conn, chan);
48454079 3384
fe4128e0 3385 dcid = chan->scid;
1da177e4 3386
c9b66675 3387 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3388
fc7f8a7e 3389 chan->ident = cmd->ident;
1da177e4 3390
984947dc 3391 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3392 if (l2cap_chan_check_security(chan)) {
c5daa683 3393 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3394 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3395 result = L2CAP_CR_PEND;
3396 status = L2CAP_CS_AUTHOR_PEND;
3397 parent->sk_data_ready(parent, 0);
3398 } else {
0e587be7 3399 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 3400 result = L2CAP_CR_SUCCESS;
3401 status = L2CAP_CS_NO_INFO;
3402 }
79d554a6 3403 } else {
0e587be7 3404 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3405 result = L2CAP_CR_PEND;
3406 status = L2CAP_CS_AUTHEN_PEND;
3407 }
3408 } else {
0e587be7 3409 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3410 result = L2CAP_CR_PEND;
3411 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3412 }
3413
1da177e4 3414response:
aa2ac881 3415 release_sock(parent);
3df91ea2 3416 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3417
3418sendresp:
aca3192c
YH		 3419 rsp.scid = cpu_to_le16(scid);
3420 rsp.dcid = cpu_to_le16(dcid);
3421 rsp.result = cpu_to_le16(result);
3422 rsp.status = cpu_to_le16(status);
1da177e4 3423 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 3424
3425 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3426 struct l2cap_info_req info;
ac73498c 3427 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3428
3429 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3430 conn->info_ident = l2cap_get_ident(conn);
3431
ba13ccd9 3432 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 3433
3434 l2cap_send_cmd(conn, conn->info_ident,
3435 L2CAP_INFO_REQ, sizeof(info), &info);
3436 }
3437
c1360a1c 3438 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 3439 result == L2CAP_CR_SUCCESS) {
3440 u8 buf[128];
c1360a1c 3441 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3442 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3443 l2cap_build_conf_req(chan, buf), buf);
3444 chan->num_conf_req++;
e9aeb2dd
GP		 3445 }
3446
1da177e4
LT		 3447 return 0;
3448}
3449
3450static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3451{
3452 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3453 u16 scid, dcid, result, status;
48454079 3454 struct l2cap_chan *chan;
1da177e4 3455 u8 req[128];
3df91ea2 3456 int err;
1da177e4
LT		 3457
3458 scid = __le16_to_cpu(rsp->scid);
3459 dcid = __le16_to_cpu(rsp->dcid);
3460 result = __le16_to_cpu(rsp->result);
3461 status = __le16_to_cpu(rsp->status);
3462
1b009c98
AE		 3463 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3464 dcid, scid, result, status);
1da177e4 3465
3df91ea2
AE		 3466 mutex_lock(&conn->chan_lock);
3467
1da177e4 3468 if (scid) {
3df91ea2
AE		 3469 chan = __l2cap_get_chan_by_scid(conn, scid);
3470 if (!chan) {
3471 err = -EFAULT;
3472 goto unlock;
3473 }
1da177e4 3474 } else {
3df91ea2
AE		 3475 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3476 if (!chan) {
3477 err = -EFAULT;
3478 goto unlock;
3479 }
1da177e4
LT		 3480 }
3481
3df91ea2
AE		 3482 err = 0;
3483
6be36555 3484 l2cap_chan_lock(chan);
48454079 3485
1da177e4
LT		 3486 switch (result) {
3487 case L2CAP_CR_SUCCESS:
89bc500e 3488 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3489 chan->ident = 0;
fe4128e0 3490 chan->dcid = dcid;
c1360a1c 3491 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3492
c1360a1c 3493 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3494 break;
3495
1da177e4 3496 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3497 l2cap_build_conf_req(chan, req), req);
3498 chan->num_conf_req++;
1da177e4
LT		 3499 break;
3500
3501 case L2CAP_CR_PEND:
c1360a1c 3502 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3503 break;
3504
3505 default:
48454079 3506 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3507 break;
3508 }
3509
6be36555 3510 l2cap_chan_unlock(chan);
3df91ea2
AE		 3511
3512unlock:
3513 mutex_unlock(&conn->chan_lock);
3514
3515 return err;
1da177e4
LT		 3516}
3517
47d1ec61 3518static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3519{
3520 /* FCS is enabled only in ERTM or streaming mode, if one or both
3521 * sides request it.
3522 */
0c1bc5c6 3523 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3524 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3525 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3526 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3527}
3528
88219a0f 3529static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 3530{
3531 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3532 u16 dcid, flags;
3533 u8 rsp[64];
48454079 3534 struct l2cap_chan *chan;
3c588192 3535 int len, err = 0;
1da177e4
LT		 3536
3537 dcid = __le16_to_cpu(req->dcid);
3538 flags = __le16_to_cpu(req->flags);
3539
3540 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3541
baa7e1fa 3542 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3543 if (!chan)
1da177e4
LT		 3544 return -ENOENT;
3545
033b1142 3546 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3547 struct l2cap_cmd_rej_cid rej;
3548
ac73498c 3549 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
e2fd318e
IK		 3550 rej.scid = cpu_to_le16(chan->scid);
3551 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3552
df6bd743
GP		 3553 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
3554 sizeof(rej), &rej);
354f60a9 3555 goto unlock;
df6bd743 3556 }
354f60a9 3557
5dee9e7c 3558 /* Reject if config buffer is too small. */
88219a0f 3559 len = cmd_len - sizeof(*req);
7ac28817 3560 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3561 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3562 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 3563 L2CAP_CONF_REJECT, flags), rsp);
3564 goto unlock;
3565 }
3566
3567 /* Store config. */
73ffa904
GP		 3568 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3569 chan->conf_len += len;
1da177e4 3570
59e54bd1 3571 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 3572 /* Incomplete config. Send empty response. */
3573 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3574 l2cap_build_conf_rsp(chan, rsp,
5325e5bb 3575 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 3576 goto unlock;
3577 }
3578
3579 /* Complete config. */
73ffa904 3580 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3581 if (len < 0) {
e92c8e70 3582 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 3583 goto unlock;
f2fcfcd6 3584 }
1da177e4 3585
5dee9e7c 3586 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3587 chan->num_conf_rsp++;
5dee9e7c 3588
5dee9e7c 3589 /* Reset config buffer. */
73ffa904 3590 chan->conf_len = 0;
5dee9e7c 3591
c1360a1c 3592 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3593 goto unlock;
3594
c1360a1c 3595 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3596 set_default_fcs(chan);
fcc203c3 3597
105bdf9e
MM		 3598 if (chan->mode == L2CAP_MODE_ERTM ||
3599 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3600 err = l2cap_ertm_init(chan);
3601
3602 if (err < 0)
3603 l2cap_send_disconn_req(chan->conn, chan, -err);
3604 else
3605 l2cap_chan_ready(chan);
0565c1c2 3606
876d9484
MH		 3607 goto unlock;
3608 }
3609
c1360a1c 3610 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3611 u8 buf[64];
1da177e4 3612 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3613 l2cap_build_conf_req(chan, buf), buf);
3614 chan->num_conf_req++;
1da177e4
LT		 3615 }
3616
0e8b207e
AE		 3617 /* Got Conf Rsp PENDING from remote side and asume we sent
3618 Conf Rsp PENDING in the code above */
3619 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
3620 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3621
3622 /* check compatibility */
3623
3624 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3625 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3626
3627 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3628 l2cap_build_conf_rsp(chan, rsp,
5325e5bb 3629 L2CAP_CONF_SUCCESS, flags), rsp);
0e8b207e
AE		 3630 }
3631
1da177e4 3632unlock:
6be36555 3633 l2cap_chan_unlock(chan);
3c588192 3634 return err;
1da177e4
LT		 3635}
3636
3637static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3638{
3639 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3640 u16 scid, flags, result;
48454079 3641 struct l2cap_chan *chan;
61386cba 3642 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3643 int err = 0;
1da177e4
LT		 3644
3645 scid = __le16_to_cpu(rsp->scid);
3646 flags = __le16_to_cpu(rsp->flags);
3647 result = __le16_to_cpu(rsp->result);
3648
61386cba
AE		 3649 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3650 result, len);
1da177e4 3651
baa7e1fa 3652 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3653 if (!chan)
1da177e4
LT		 3654 return 0;
3655
3656 switch (result) {
3657 case L2CAP_CONF_SUCCESS:
47d1ec61 3658 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3659 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3660 break;
3661
0e8b207e
AE		 3662 case L2CAP_CONF_PENDING:
3663 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3664
3665 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3666 char buf[64];
3667
3668 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3669 buf, &result);
3670 if (len < 0) {
3671 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3672 goto done;
3673 }
3674
3675 /* check compatibility */
3676
3677 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3678 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3679
3680 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3681 l2cap_build_conf_rsp(chan, buf,
0e8b207e
AE		 3682 L2CAP_CONF_SUCCESS, 0x0000), buf);
3683 }
3684 goto done;
3685
1da177e4 3686 case L2CAP_CONF_UNACCEPT:
73ffa904 3687 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3688 char req[64];
3689
c2c77ec8 3690 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 3691 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 3692 goto done;
3693 }
3694
f2fcfcd6
GP		 3695 /* throw out any old stored conf requests */
3696 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 3697 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3698 req, &result);
f2fcfcd6 3699 if (len < 0) {
e92c8e70 3700 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 3701 goto done;
3702 }
3703
3704 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3705 L2CAP_CONF_REQ, len, req);
73ffa904 3706 chan->num_conf_req++;
f2fcfcd6
GP		 3707 if (result != L2CAP_CONF_SUCCESS)
3708 goto done;
3709 break;
1da177e4
LT		 3710 }
3711
8e87d142 3712 default:
6be36555 3713 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 3714
ba13ccd9 3715 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 3716 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 3717 goto done;
3718 }
3719
59e54bd1 3720 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 3721 goto done;
3722
c1360a1c 3723 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 3724
c1360a1c 3725 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 3726 set_default_fcs(chan);
fcc203c3 3727
105bdf9e
MM		 3728 if (chan->mode == L2CAP_MODE_ERTM ||
3729 chan->mode == L2CAP_MODE_STREAMING)
3c588192 3730 err = l2cap_ertm_init(chan);
0565c1c2 3731
3c588192
MM		 3732 if (err < 0)
3733 l2cap_send_disconn_req(chan->conn, chan, -err);
3734 else
3735 l2cap_chan_ready(chan);
1da177e4
LT		 3736 }
3737
3738done:
6be36555 3739 l2cap_chan_unlock(chan);
3c588192 3740 return err;
1da177e4
LT		 3741}
3742
3743static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3744{
3745 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3746 struct l2cap_disconn_rsp rsp;
3747 u16 dcid, scid;
48454079 3748 struct l2cap_chan *chan;
1da177e4
LT		 3749 struct sock *sk;
3750
3751 scid = __le16_to_cpu(req->scid);
3752 dcid = __le16_to_cpu(req->dcid);
3753
3754 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3755
3df91ea2
AE		 3756 mutex_lock(&conn->chan_lock);
3757
3758 chan = __l2cap_get_chan_by_scid(conn, dcid);
3759 if (!chan) {
3760 mutex_unlock(&conn->chan_lock);
1da177e4 3761 return 0;
3df91ea2 3762 }
1da177e4 3763
6be36555
AE		 3764 l2cap_chan_lock(chan);
3765
48454079
GP		 3766 sk = chan->sk;
3767
fe4128e0
GP		 3768 rsp.dcid = cpu_to_le16(chan->scid);
3769 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3770 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3771
6be36555 3772 lock_sock(sk);
1da177e4 3773 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 3774 release_sock(sk);
1da177e4 3775
61d6ef3e 3776 l2cap_chan_hold(chan);
48454079 3777 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 3778
3779 l2cap_chan_unlock(chan);
1da177e4 3780
80b98027 3781 chan->ops->close(chan);
61d6ef3e 3782 l2cap_chan_put(chan);
3df91ea2
AE		 3783
3784 mutex_unlock(&conn->chan_lock);
3785
1da177e4
LT		 3786 return 0;
3787}
3788
3789static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3790{
3791 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3792 u16 dcid, scid;
48454079 3793 struct l2cap_chan *chan;
1da177e4
LT		 3794
3795 scid = __le16_to_cpu(rsp->scid);
3796 dcid = __le16_to_cpu(rsp->dcid);
3797
3798 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3799
3df91ea2
AE		 3800 mutex_lock(&conn->chan_lock);
3801
3802 chan = __l2cap_get_chan_by_scid(conn, scid);
3803 if (!chan) {
3804 mutex_unlock(&conn->chan_lock);
1da177e4 3805 return 0;
3df91ea2 3806 }
1da177e4 3807
6be36555 3808 l2cap_chan_lock(chan);
48454079 3809
61d6ef3e 3810 l2cap_chan_hold(chan);
48454079 3811 l2cap_chan_del(chan, 0);
6be36555
AE		 3812
3813 l2cap_chan_unlock(chan);
1da177e4 3814
80b98027 3815 chan->ops->close(chan);
61d6ef3e 3816 l2cap_chan_put(chan);
3df91ea2
AE		 3817
3818 mutex_unlock(&conn->chan_lock);
3819
1da177e4
LT		 3820 return 0;
3821}
3822
3823static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3824{
3825 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3826 u16 type;
3827
3828 type = __le16_to_cpu(req->type);
3829
3830 BT_DBG("type 0x%4.4x", type);
3831
f0709e03
MH		 3832 if (type == L2CAP_IT_FEAT_MASK) {
3833 u8 buf[8];
44dd46de 3834 u32 feat_mask = l2cap_feat_mask;
f0709e03 3835 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 3836 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
3837 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3838 if (!disable_ertm)
fcc203c3
GP		 3839 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3840 | L2CAP_FEAT_FCS;
a5fd6f30 3841 if (enable_hs)
6327eb98
AE		 3842 feat_mask |= L2CAP_FEAT_EXT_FLOW
3843 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3844
1b7bf4ed 3845 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3846 l2cap_send_cmd(conn, cmd->ident,
3847 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3848 } else if (type == L2CAP_IT_FIXED_CHAN) {
3849 u8 buf[12];
3850 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3851
3852 if (enable_hs)
3853 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3854 else
3855 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3856
ac73498c
AE		 3857 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3858 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3859 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH		 3860 l2cap_send_cmd(conn, cmd->ident,
3861 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3862 } else {
3863 struct l2cap_info_rsp rsp;
3864 rsp.type = cpu_to_le16(type);
ac73498c 3865 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
f0709e03
MH		 3866 l2cap_send_cmd(conn, cmd->ident,
3867 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3868 }
1da177e4
LT		 3869
3870 return 0;
3871}
3872
3873static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3874{
3875 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3876 u16 type, result;
3877
3878 type = __le16_to_cpu(rsp->type);
3879 result = __le16_to_cpu(rsp->result);
3880
3881 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3882
e90165be
AE		 3883 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3884 if (cmd->ident != conn->info_ident ||
3885 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3886 return 0;
3887
17cd3f37 3888 cancel_delayed_work(&conn->info_timer);
4e8402a3 3889
adb08ede
VT		 3890 if (result != L2CAP_IR_SUCCESS) {
3891 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3892 conn->info_ident = 0;
3893
3894 l2cap_conn_start(conn);
3895
3896 return 0;
3897 }
3898
978c93b9
AE		 3899 switch (type) {
3900 case L2CAP_IT_FEAT_MASK:
83985319 3901 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3902
47ec1dcd 3903 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 3904 struct l2cap_info_req req;
ac73498c 3905 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 3906
3907 conn->info_ident = l2cap_get_ident(conn);
3908
3909 l2cap_send_cmd(conn, conn->info_ident,
3910 L2CAP_INFO_REQ, sizeof(req), &req);
3911 } else {
3912 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3913 conn->info_ident = 0;
3914
3915 l2cap_conn_start(conn);
3916 }
978c93b9
AE		 3917 break;
3918
3919 case L2CAP_IT_FIXED_CHAN:
3920 conn->fixed_chan_mask = rsp->data[0];
984947dc 3921 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3922 conn->info_ident = 0;
984947dc
MH		 3923
3924 l2cap_conn_start(conn);
978c93b9 3925 break;
984947dc 3926 }
4e8402a3 3927
1da177e4
LT		 3928 return 0;
3929}
3930
f94ff6ff
MM		 3931static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3932 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3933 void *data)
3934{
3935 struct l2cap_create_chan_req *req = data;
3936 struct l2cap_create_chan_rsp rsp;
3937 u16 psm, scid;
3938
3939 if (cmd_len != sizeof(*req))
3940 return -EPROTO;
3941
3942 if (!enable_hs)
3943 return -EINVAL;
3944
3945 psm = le16_to_cpu(req->psm);
3946 scid = le16_to_cpu(req->scid);
3947
3948 BT_DBG("psm %d, scid %d, amp_id %d", psm, scid, req->amp_id);
3949
3950 /* Placeholder: Always reject */
3951 rsp.dcid = 0;
3952 rsp.scid = cpu_to_le16(scid);
8ce0c498
AE		 3953 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
3954 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f94ff6ff
MM		 3955
3956 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
3957 sizeof(rsp), &rsp);
3958
3959 return 0;
3960}
3961
3962static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
3963 struct l2cap_cmd_hdr *cmd, void *data)
3964{
3965 BT_DBG("conn %p", conn);
3966
3967 return l2cap_connect_rsp(conn, cmd, data);
3968}
3969
8d5a04a1
MM		 3970static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
3971 u16 icid, u16 result)
3972{
3973 struct l2cap_move_chan_rsp rsp;
3974
3975 BT_DBG("icid %d, result %d", icid, result);
3976
3977 rsp.icid = cpu_to_le16(icid);
3978 rsp.result = cpu_to_le16(result);
3979
3980 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
3981}
3982
3983static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
3984 struct l2cap_chan *chan, u16 icid, u16 result)
3985{
3986 struct l2cap_move_chan_cfm cfm;
3987 u8 ident;
3988
3989 BT_DBG("icid %d, result %d", icid, result);
3990
3991 ident = l2cap_get_ident(conn);
3992 if (chan)
3993 chan->ident = ident;
3994
3995 cfm.icid = cpu_to_le16(icid);
3996 cfm.result = cpu_to_le16(result);
3997
3998 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
3999}
4000
4001static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
4002 u16 icid)
4003{
4004 struct l2cap_move_chan_cfm_rsp rsp;
4005
4006 BT_DBG("icid %d", icid);
4007
4008 rsp.icid = cpu_to_le16(icid);
4009 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4010}
4011
4012static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
4013 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4014{
4015 struct l2cap_move_chan_req *req = data;
4016 u16 icid = 0;
4017 u16 result = L2CAP_MR_NOT_ALLOWED;
4018
4019 if (cmd_len != sizeof(*req))
4020 return -EPROTO;
4021
4022 icid = le16_to_cpu(req->icid);
4023
4024 BT_DBG("icid %d, dest_amp_id %d", icid, req->dest_amp_id);
4025
4026 if (!enable_hs)
4027 return -EINVAL;
4028
4029 /* Placeholder: Always refuse */
4030 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
4031
4032 return 0;
4033}
4034
4035static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
4036 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4037{
4038 struct l2cap_move_chan_rsp *rsp = data;
4039 u16 icid, result;
4040
4041 if (cmd_len != sizeof(*rsp))
4042 return -EPROTO;
4043
4044 icid = le16_to_cpu(rsp->icid);
4045 result = le16_to_cpu(rsp->result);
4046
4047 BT_DBG("icid %d, result %d", icid, result);
4048
4049 /* Placeholder: Always unconfirmed */
4050 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
4051
4052 return 0;
4053}
4054
4055static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
4056 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4057{
4058 struct l2cap_move_chan_cfm *cfm = data;
4059 u16 icid, result;
4060
4061 if (cmd_len != sizeof(*cfm))
4062 return -EPROTO;
4063
4064 icid = le16_to_cpu(cfm->icid);
4065 result = le16_to_cpu(cfm->result);
4066
4067 BT_DBG("icid %d, result %d", icid, result);
4068
4069 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4070
4071 return 0;
4072}
4073
4074static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
4075 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4076{
4077 struct l2cap_move_chan_cfm_rsp *rsp = data;
4078 u16 icid;
4079
4080 if (cmd_len != sizeof(*rsp))
4081 return -EPROTO;
4082
4083 icid = le16_to_cpu(rsp->icid);
4084
4085 BT_DBG("icid %d", icid);
4086
4087 return 0;
4088}
4089
e2174ca4 4090static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 4091 u16 to_multiplier)
4092{
4093 u16 max_latency;
4094
4095 if (min > max || min < 6 || max > 3200)
4096 return -EINVAL;
4097
4098 if (to_multiplier < 10 || to_multiplier > 3200)
4099 return -EINVAL;
4100
4101 if (max >= to_multiplier * 8)
4102 return -EINVAL;
4103
4104 max_latency = (to_multiplier * 8 / max) - 1;
4105 if (latency > 499 || latency > max_latency)
4106 return -EINVAL;
4107
4108 return 0;
4109}
4110
4111static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
4112 struct l2cap_cmd_hdr *cmd, u8 *data)
4113{
4114 struct hci_conn *hcon = conn->hcon;
4115 struct l2cap_conn_param_update_req *req;
4116 struct l2cap_conn_param_update_rsp rsp;
4117 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 4118 int err;
de73115a
CT		 4119
4120 if (!(hcon->link_mode & HCI_LM_MASTER))
4121 return -EINVAL;
4122
4123 cmd_len = __le16_to_cpu(cmd->len);
4124 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
4125 return -EPROTO;
4126
4127 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 4128 min = __le16_to_cpu(req->min);
4129 max = __le16_to_cpu(req->max);
de73115a
CT		 4130 latency = __le16_to_cpu(req->latency);
4131 to_multiplier = __le16_to_cpu(req->to_multiplier);
4132
4133 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
4134 min, max, latency, to_multiplier);
4135
4136 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 4137
4138 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
4139 if (err)
ac73498c 4140 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 4141 else
ac73498c 4142 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 4143
4144 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
4145 sizeof(rsp), &rsp);
4146
2ce603eb
CT		 4147 if (!err)
4148 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
4149
de73115a
CT		 4150 return 0;
4151}
4152
3300d9a9
CT		 4153static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
4154 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4155{
4156 int err = 0;
4157
4158 switch (cmd->code) {
4159 case L2CAP_COMMAND_REJ:
4160 l2cap_command_rej(conn, cmd, data);
4161 break;
4162
4163 case L2CAP_CONN_REQ:
4164 err = l2cap_connect_req(conn, cmd, data);
4165 break;
4166
4167 case L2CAP_CONN_RSP:
4168 err = l2cap_connect_rsp(conn, cmd, data);
4169 break;
4170
4171 case L2CAP_CONF_REQ:
4172 err = l2cap_config_req(conn, cmd, cmd_len, data);
4173 break;
4174
4175 case L2CAP_CONF_RSP:
4176 err = l2cap_config_rsp(conn, cmd, data);
4177 break;
4178
4179 case L2CAP_DISCONN_REQ:
4180 err = l2cap_disconnect_req(conn, cmd, data);
4181 break;
4182
4183 case L2CAP_DISCONN_RSP:
4184 err = l2cap_disconnect_rsp(conn, cmd, data);
4185 break;
4186
4187 case L2CAP_ECHO_REQ:
4188 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
4189 break;
4190
4191 case L2CAP_ECHO_RSP:
4192 break;
4193
4194 case L2CAP_INFO_REQ:
4195 err = l2cap_information_req(conn, cmd, data);
4196 break;
4197
4198 case L2CAP_INFO_RSP:
4199 err = l2cap_information_rsp(conn, cmd, data);
4200 break;
4201
f94ff6ff
MM		 4202 case L2CAP_CREATE_CHAN_REQ:
4203 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
4204 break;
4205
4206 case L2CAP_CREATE_CHAN_RSP:
4207 err = l2cap_create_channel_rsp(conn, cmd, data);
4208 break;
4209
8d5a04a1
MM		 4210 case L2CAP_MOVE_CHAN_REQ:
4211 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
4212 break;
4213
4214 case L2CAP_MOVE_CHAN_RSP:
4215 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
4216 break;
4217
4218 case L2CAP_MOVE_CHAN_CFM:
4219 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
4220 break;
4221
4222 case L2CAP_MOVE_CHAN_CFM_RSP:
4223 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
4224 break;
4225
3300d9a9
CT		 4226 default:
4227 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
4228 err = -EINVAL;
4229 break;
4230 }
4231
4232 return err;
4233}
4234
4235static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
4236 struct l2cap_cmd_hdr *cmd, u8 *data)
4237{
4238 switch (cmd->code) {
4239 case L2CAP_COMMAND_REJ:
4240 return 0;
4241
4242 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 4243 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 4244
4245 case L2CAP_CONN_PARAM_UPDATE_RSP:
4246 return 0;
4247
4248 default:
4249 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
4250 return -EINVAL;
4251 }
4252}
4253
4254static inline void l2cap_sig_channel(struct l2cap_conn *conn,
4255 struct sk_buff *skb)
1da177e4
LT		 4256{
4257 u8 *data = skb->data;
4258 int len = skb->len;
4259 struct l2cap_cmd_hdr cmd;
3300d9a9 4260 int err;
1da177e4
LT		 4261
4262 l2cap_raw_recv(conn, skb);
4263
4264 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 4265 u16 cmd_len;
1da177e4
LT		 4266 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
4267 data += L2CAP_CMD_HDR_SIZE;
4268 len -= L2CAP_CMD_HDR_SIZE;
4269
88219a0f 4270 cmd_len = le16_to_cpu(cmd.len);
1da177e4 4271
88219a0f 4272 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 4273
88219a0f 4274 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 4275 BT_DBG("corrupted command");
4276 break;
4277 }
4278
3300d9a9
CT		 4279 if (conn->hcon->type == LE_LINK)
4280 err = l2cap_le_sig_cmd(conn, &cmd, data);
4281 else
4282 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 4283
4284 if (err) {
e2fd318e 4285 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 4286
4287 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 4288
4289 /* FIXME: Map err to a valid reason */
ac73498c 4290 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 4291 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4292 }
4293
88219a0f
AV		 4294 data += cmd_len;
4295 len -= cmd_len;
1da177e4
LT		 4296 }
4297
4298 kfree_skb(skb);
4299}
4300
47d1ec61 4301static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 4302{
4303 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 4304 int hdr_size;
4305
4306 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
4307 hdr_size = L2CAP_EXT_HDR_SIZE;
4308 else
4309 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 4310
47d1ec61 4311 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 4312 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 4313 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
4314 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
4315
4316 if (our_fcs != rcv_fcs)
7a560e5c 4317 return -EBADMSG;
fcc203c3
GP		 4318 }
4319 return 0;
4320}
4321
6ea00485 4322static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 4323{
e31f7633 4324 struct l2cap_ctrl control;
d5392c8f 4325
e31f7633 4326 BT_DBG("chan %p", chan);
d5392c8f 4327
e31f7633
MM		 4328 memset(&control, 0, sizeof(control));
4329 control.sframe = 1;
4330 control.final = 1;
4331 control.reqseq = chan->buffer_seq;
4332 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 4333
e2ab4353 4334 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 4335 control.super = L2CAP_SUPER_RNR;
4336 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4337 }
4338
e31f7633
MM		 4339 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
4340 chan->unacked_frames > 0)
4341 __set_retrans_timer(chan);
d5392c8f 4342
e31f7633 4343 /* Send pending iframes */
525cd185 4344 l2cap_ertm_send(chan);
d5392c8f 4345
e2ab4353 4346 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 4347 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
4348 /* F-bit wasn't sent in an s-frame or i-frame yet, so
4349 * send it now.
4350 */
4351 control.super = L2CAP_SUPER_RR;
4352 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4353 }
4354}
4355
84084a31
MM		 4356static void append_skb_frag(struct sk_buff *skb,
4357 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 4358{
84084a31
MM		 4359 /* skb->len reflects data in skb as well as all fragments
4360 * skb->data_len reflects only data in fragments
4361 */
4362 if (!skb_has_frag_list(skb))
4363 skb_shinfo(skb)->frag_list = new_frag;
4364
4365 new_frag->next = NULL;
4366
4367 (*last_frag)->next = new_frag;
4368 *last_frag = new_frag;
4369
4370 skb->len += new_frag->len;
4371 skb->data_len += new_frag->len;
4372 skb->truesize += new_frag->truesize;
4373}
4374
4b51dae9
MM		 4375static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
4376 struct l2cap_ctrl *control)
84084a31
MM		 4377{
4378 int err = -EINVAL;
18778a63 4379
4b51dae9 4380 switch (control->sar) {
7e0ef6ee 4381 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 4382 if (chan->sdu)
4383 break;
18778a63 4384
80b98027 4385 err = chan->ops->recv(chan, skb);
84084a31 4386 break;
18778a63 4387
7e0ef6ee 4388 case L2CAP_SAR_START:
84084a31
MM		 4389 if (chan->sdu)
4390 break;
18778a63 4391
6f61fd47 4392 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 4393 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 4394
84084a31
MM		 4395 if (chan->sdu_len > chan->imtu) {
4396 err = -EMSGSIZE;
4397 break;
4398 }
1890d36b 4399
84084a31
MM		 4400 if (skb->len >= chan->sdu_len)
4401 break;
18778a63 4402
84084a31
MM		 4403 chan->sdu = skb;
4404 chan->sdu_last_frag = skb;
18778a63 4405
84084a31
MM		 4406 skb = NULL;
4407 err = 0;
18778a63
GP		 4408 break;
4409
7e0ef6ee 4410 case L2CAP_SAR_CONTINUE:
6f61fd47 4411 if (!chan->sdu)
84084a31 4412 break;
18778a63 4413
84084a31
MM		 4414 append_skb_frag(chan->sdu, skb,
4415 &chan->sdu_last_frag);
4416 skb = NULL;
18778a63 4417
84084a31
MM		 4418 if (chan->sdu->len >= chan->sdu_len)
4419 break;
4178ba46 4420
84084a31 4421 err = 0;
18778a63
GP		 4422 break;
4423
7e0ef6ee 4424 case L2CAP_SAR_END:
6f61fd47 4425 if (!chan->sdu)
84084a31 4426 break;
18778a63 4427
84084a31
MM		 4428 append_skb_frag(chan->sdu, skb,
4429 &chan->sdu_last_frag);
4430 skb = NULL;
4178ba46 4431
84084a31
MM		 4432 if (chan->sdu->len != chan->sdu_len)
4433 break;
18778a63 4434
80b98027 4435 err = chan->ops->recv(chan, chan->sdu);
1890d36b 4436
84084a31
MM		 4437 if (!err) {
4438 /* Reassembly complete */
4439 chan->sdu = NULL;
4440 chan->sdu_last_frag = NULL;
4441 chan->sdu_len = 0;
1890d36b 4442 }
18778a63
GP		 4443 break;
4444 }
4445
84084a31
MM		 4446 if (err) {
4447 kfree_skb(skb);
4448 kfree_skb(chan->sdu);
4449 chan->sdu = NULL;
4450 chan->sdu_last_frag = NULL;
4451 chan->sdu_len = 0;
4452 }
18778a63 4453
84084a31 4454 return err;
18778a63
GP		 4455}
4456
61aa4f5b 4457void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 4458{
61aa4f5b 4459 u8 event;
712132eb 4460
61aa4f5b
MM		 4461 if (chan->mode != L2CAP_MODE_ERTM)
4462 return;
712132eb 4463
61aa4f5b 4464 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 4465 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 4466}
4467
d2a7ac5d
MM		 4468static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
4469{
63838725
MM		 4470 int err = 0;
4471 /* Pass sequential frames to l2cap_reassemble_sdu()
4472 * until a gap is encountered.
4473 */
4474
4475 BT_DBG("chan %p", chan);
4476
4477 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4478 struct sk_buff *skb;
4479 BT_DBG("Searching for skb with txseq %d (queue len %d)",
4480 chan->buffer_seq, skb_queue_len(&chan->srej_q));
4481
4482 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
4483
4484 if (!skb)
4485 break;
4486
4487 skb_unlink(skb, &chan->srej_q);
4488 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
4489 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
4490 if (err)
4491 break;
4492 }
4493
4494 if (skb_queue_empty(&chan->srej_q)) {
4495 chan->rx_state = L2CAP_RX_STATE_RECV;
4496 l2cap_send_ack(chan);
4497 }
4498
4499 return err;
d2a7ac5d
MM		 4500}
4501
4502static void l2cap_handle_srej(struct l2cap_chan *chan,
4503 struct l2cap_ctrl *control)
4504{
f80842a8
MM		 4505 struct sk_buff *skb;
4506
4507 BT_DBG("chan %p, control %p", chan, control);
4508
4509 if (control->reqseq == chan->next_tx_seq) {
4510 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4511 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4512 return;
4513 }
4514
4515 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4516
4517 if (skb == NULL) {
4518 BT_DBG("Seq %d not available for retransmission",
4519 control->reqseq);
4520 return;
4521 }
4522
4523 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
4524 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4525 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4526 return;
4527 }
4528
4529 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4530
4531 if (control->poll) {
4532 l2cap_pass_to_tx(chan, control);
4533
4534 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4535 l2cap_retransmit(chan, control);
4536 l2cap_ertm_send(chan);
4537
4538 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4539 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4540 chan->srej_save_reqseq = control->reqseq;
4541 }
4542 } else {
4543 l2cap_pass_to_tx_fbit(chan, control);
4544
4545 if (control->final) {
4546 if (chan->srej_save_reqseq != control->reqseq ||
4547 !test_and_clear_bit(CONN_SREJ_ACT,
4548 &chan->conn_state))
4549 l2cap_retransmit(chan, control);
4550 } else {
4551 l2cap_retransmit(chan, control);
4552 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4553 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4554 chan->srej_save_reqseq = control->reqseq;
4555 }
4556 }
4557 }
d2a7ac5d
MM		 4558}
4559
4560static void l2cap_handle_rej(struct l2cap_chan *chan,
4561 struct l2cap_ctrl *control)
4562{
fcd289df
MM		 4563 struct sk_buff *skb;
4564
4565 BT_DBG("chan %p, control %p", chan, control);
4566
4567 if (control->reqseq == chan->next_tx_seq) {
4568 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4569 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4570 return;
4571 }
4572
4573 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4574
4575 if (chan->max_tx && skb &&
4576 bt_cb(skb)->control.retries >= chan->max_tx) {
4577 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4578 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4579 return;
4580 }
4581
4582 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4583
4584 l2cap_pass_to_tx(chan, control);
4585
4586 if (control->final) {
4587 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
4588 l2cap_retransmit_all(chan, control);
4589 } else {
4590 l2cap_retransmit_all(chan, control);
4591 l2cap_ertm_send(chan);
4592 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
4593 set_bit(CONN_REJ_ACT, &chan->conn_state);
4594 }
d2a7ac5d
MM		 4595}
4596
4b51dae9
MM		 4597static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
4598{
4599 BT_DBG("chan %p, txseq %d", chan, txseq);
4600
4601 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
4602 chan->expected_tx_seq);
4603
4604 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
4605 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4606 chan->tx_win) {
4607 /* See notes below regarding "double poll" and
4608 * invalid packets.
4609 */
4610 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4611 BT_DBG("Invalid/Ignore - after SREJ");
4612 return L2CAP_TXSEQ_INVALID_IGNORE;
4613 } else {
4614 BT_DBG("Invalid - in window after SREJ sent");
4615 return L2CAP_TXSEQ_INVALID;
4616 }
4617 }
4618
4619 if (chan->srej_list.head == txseq) {
4620 BT_DBG("Expected SREJ");
4621 return L2CAP_TXSEQ_EXPECTED_SREJ;
4622 }
4623
4624 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
4625 BT_DBG("Duplicate SREJ - txseq already stored");
4626 return L2CAP_TXSEQ_DUPLICATE_SREJ;
4627 }
4628
4629 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
4630 BT_DBG("Unexpected SREJ - not requested");
4631 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
4632 }
4633 }
4634
4635 if (chan->expected_tx_seq == txseq) {
4636 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4637 chan->tx_win) {
4638 BT_DBG("Invalid - txseq outside tx window");
4639 return L2CAP_TXSEQ_INVALID;
4640 } else {
4641 BT_DBG("Expected");
4642 return L2CAP_TXSEQ_EXPECTED;
4643 }
4644 }
4645
4646 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
4647 __seq_offset(chan, chan->expected_tx_seq,
4648 chan->last_acked_seq)){
4649 BT_DBG("Duplicate - expected_tx_seq later than txseq");
4650 return L2CAP_TXSEQ_DUPLICATE;
4651 }
4652
4653 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
4654 /* A source of invalid packets is a "double poll" condition,
4655 * where delays cause us to send multiple poll packets. If
4656 * the remote stack receives and processes both polls,
4657 * sequence numbers can wrap around in such a way that a
4658 * resent frame has a sequence number that looks like new data
4659 * with a sequence gap. This would trigger an erroneous SREJ
4660 * request.
4661 *
4662 * Fortunately, this is impossible with a tx window that's
4663 * less than half of the maximum sequence number, which allows
4664 * invalid frames to be safely ignored.
4665 *
4666 * With tx window sizes greater than half of the tx window
4667 * maximum, the frame is invalid and cannot be ignored. This
4668 * causes a disconnect.
4669 */
4670
4671 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4672 BT_DBG("Invalid/Ignore - txseq outside tx window");
4673 return L2CAP_TXSEQ_INVALID_IGNORE;
4674 } else {
4675 BT_DBG("Invalid - txseq outside tx window");
4676 return L2CAP_TXSEQ_INVALID;
4677 }
4678 } else {
4679 BT_DBG("Unexpected - txseq indicates missing frames");
4680 return L2CAP_TXSEQ_UNEXPECTED;
4681 }
4682}
4683
d2a7ac5d
MM		 4684static int l2cap_rx_state_recv(struct l2cap_chan *chan,
4685 struct l2cap_ctrl *control,
4686 struct sk_buff *skb, u8 event)
4687{
4688 int err = 0;
4689 bool skb_in_use = 0;
4690
4691 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4692 event);
4693
4694 switch (event) {
4695 case L2CAP_EV_RECV_IFRAME:
4696 switch (l2cap_classify_txseq(chan, control->txseq)) {
4697 case L2CAP_TXSEQ_EXPECTED:
4698 l2cap_pass_to_tx(chan, control);
4699
4700 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4701 BT_DBG("Busy, discarding expected seq %d",
4702 control->txseq);
4703 break;
4704 }
4705
4706 chan->expected_tx_seq = __next_seq(chan,
4707 control->txseq);
4708
4709 chan->buffer_seq = chan->expected_tx_seq;
4710 skb_in_use = 1;
4711
4712 err = l2cap_reassemble_sdu(chan, skb, control);
4713 if (err)
4714 break;
4715
4716 if (control->final) {
4717 if (!test_and_clear_bit(CONN_REJ_ACT,
4718 &chan->conn_state)) {
4719 control->final = 0;
4720 l2cap_retransmit_all(chan, control);
4721 l2cap_ertm_send(chan);
4722 }
4723 }
4724
4725 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
4726 l2cap_send_ack(chan);
4727 break;
4728 case L2CAP_TXSEQ_UNEXPECTED:
4729 l2cap_pass_to_tx(chan, control);
4730
4731 /* Can't issue SREJ frames in the local busy state.
4732 * Drop this frame, it will be seen as missing
4733 * when local busy is exited.
4734 */
4735 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4736 BT_DBG("Busy, discarding unexpected seq %d",
4737 control->txseq);
4738 break;
4739 }
4740
4741 /* There was a gap in the sequence, so an SREJ
4742 * must be sent for each missing frame. The
4743 * current frame is stored for later use.
4744 */
4745 skb_queue_tail(&chan->srej_q, skb);
4746 skb_in_use = 1;
4747 BT_DBG("Queued %p (queue len %d)", skb,
4748 skb_queue_len(&chan->srej_q));
4749
4750 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
4751 l2cap_seq_list_clear(&chan->srej_list);
4752 l2cap_send_srej(chan, control->txseq);
4753
4754 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
4755 break;
4756 case L2CAP_TXSEQ_DUPLICATE:
4757 l2cap_pass_to_tx(chan, control);
4758 break;
4759 case L2CAP_TXSEQ_INVALID_IGNORE:
4760 break;
4761 case L2CAP_TXSEQ_INVALID:
4762 default:
4763 l2cap_send_disconn_req(chan->conn, chan,
4764 ECONNRESET);
4765 break;
4766 }
4767 break;
4768 case L2CAP_EV_RECV_RR:
4769 l2cap_pass_to_tx(chan, control);
4770 if (control->final) {
4771 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4772
4773 if (!test_and_clear_bit(CONN_REJ_ACT,
4774 &chan->conn_state)) {
4775 control->final = 0;
4776 l2cap_retransmit_all(chan, control);
4777 }
4778
4779 l2cap_ertm_send(chan);
4780 } else if (control->poll) {
4781 l2cap_send_i_or_rr_or_rnr(chan);
4782 } else {
4783 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4784 &chan->conn_state) &&
4785 chan->unacked_frames)
4786 __set_retrans_timer(chan);
4787
4788 l2cap_ertm_send(chan);
4789 }
4790 break;
4791 case L2CAP_EV_RECV_RNR:
4792 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4793 l2cap_pass_to_tx(chan, control);
4794 if (control && control->poll) {
4795 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4796 l2cap_send_rr_or_rnr(chan, 0);
4797 }
4798 __clear_retrans_timer(chan);
4799 l2cap_seq_list_clear(&chan->retrans_list);
4800 break;
4801 case L2CAP_EV_RECV_REJ:
4802 l2cap_handle_rej(chan, control);
4803 break;
4804 case L2CAP_EV_RECV_SREJ:
4805 l2cap_handle_srej(chan, control);
4806 break;
4807 default:
4808 break;
4809 }
4810
4811 if (skb && !skb_in_use) {
4812 BT_DBG("Freeing %p", skb);
4813 kfree_skb(skb);
4814 }
4815
4816 return err;
4817}
4818
4819static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
4820 struct l2cap_ctrl *control,
4821 struct sk_buff *skb, u8 event)
4822{
4823 int err = 0;
4824 u16 txseq = control->txseq;
4825 bool skb_in_use = 0;
4826
4827 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4828 event);
4829
4830 switch (event) {
4831 case L2CAP_EV_RECV_IFRAME:
4832 switch (l2cap_classify_txseq(chan, txseq)) {
4833 case L2CAP_TXSEQ_EXPECTED:
4834 /* Keep frame for reassembly later */
4835 l2cap_pass_to_tx(chan, control);
4836 skb_queue_tail(&chan->srej_q, skb);
4837 skb_in_use = 1;
4838 BT_DBG("Queued %p (queue len %d)", skb,
4839 skb_queue_len(&chan->srej_q));
4840
4841 chan->expected_tx_seq = __next_seq(chan, txseq);
4842 break;
4843 case L2CAP_TXSEQ_EXPECTED_SREJ:
4844 l2cap_seq_list_pop(&chan->srej_list);
4845
4846 l2cap_pass_to_tx(chan, control);
4847 skb_queue_tail(&chan->srej_q, skb);
4848 skb_in_use = 1;
4849 BT_DBG("Queued %p (queue len %d)", skb,
4850 skb_queue_len(&chan->srej_q));
4851
4852 err = l2cap_rx_queued_iframes(chan);
4853 if (err)
4854 break;
4855
4856 break;
4857 case L2CAP_TXSEQ_UNEXPECTED:
4858 /* Got a frame that can't be reassembled yet.
4859 * Save it for later, and send SREJs to cover
4860 * the missing frames.
4861 */
4862 skb_queue_tail(&chan->srej_q, skb);
4863 skb_in_use = 1;
4864 BT_DBG("Queued %p (queue len %d)", skb,
4865 skb_queue_len(&chan->srej_q));
4866
4867 l2cap_pass_to_tx(chan, control);
4868 l2cap_send_srej(chan, control->txseq);
4869 break;
4870 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
4871 /* This frame was requested with an SREJ, but
4872 * some expected retransmitted frames are
4873 * missing. Request retransmission of missing
4874 * SREJ'd frames.
4875 */
4876 skb_queue_tail(&chan->srej_q, skb);
4877 skb_in_use = 1;
4878 BT_DBG("Queued %p (queue len %d)", skb,
4879 skb_queue_len(&chan->srej_q));
4880
4881 l2cap_pass_to_tx(chan, control);
4882 l2cap_send_srej_list(chan, control->txseq);
4883 break;
4884 case L2CAP_TXSEQ_DUPLICATE_SREJ:
4885 /* We've already queued this frame. Drop this copy. */
4886 l2cap_pass_to_tx(chan, control);
4887 break;
4888 case L2CAP_TXSEQ_DUPLICATE:
4889 /* Expecting a later sequence number, so this frame
4890 * was already received. Ignore it completely.
4891 */
4892 break;
4893 case L2CAP_TXSEQ_INVALID_IGNORE:
4894 break;
4895 case L2CAP_TXSEQ_INVALID:
4896 default:
4897 l2cap_send_disconn_req(chan->conn, chan,
4898 ECONNRESET);
4899 break;
4900 }
4901 break;
4902 case L2CAP_EV_RECV_RR:
4903 l2cap_pass_to_tx(chan, control);
4904 if (control->final) {
4905 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4906
4907 if (!test_and_clear_bit(CONN_REJ_ACT,
4908 &chan->conn_state)) {
4909 control->final = 0;
4910 l2cap_retransmit_all(chan, control);
4911 }
4912
4913 l2cap_ertm_send(chan);
4914 } else if (control->poll) {
4915 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4916 &chan->conn_state) &&
4917 chan->unacked_frames) {
4918 __set_retrans_timer(chan);
4919 }
4920
4921 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4922 l2cap_send_srej_tail(chan);
4923 } else {
4924 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4925 &chan->conn_state) &&
4926 chan->unacked_frames)
4927 __set_retrans_timer(chan);
4928
4929 l2cap_send_ack(chan);
4930 }
4931 break;
4932 case L2CAP_EV_RECV_RNR:
4933 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4934 l2cap_pass_to_tx(chan, control);
4935 if (control->poll) {
4936 l2cap_send_srej_tail(chan);
4937 } else {
4938 struct l2cap_ctrl rr_control;
4939 memset(&rr_control, 0, sizeof(rr_control));
4940 rr_control.sframe = 1;
4941 rr_control.super = L2CAP_SUPER_RR;
4942 rr_control.reqseq = chan->buffer_seq;
4943 l2cap_send_sframe(chan, &rr_control);
4944 }
4945
4946 break;
4947 case L2CAP_EV_RECV_REJ:
4948 l2cap_handle_rej(chan, control);
4949 break;
4950 case L2CAP_EV_RECV_SREJ:
4951 l2cap_handle_srej(chan, control);
4952 break;
4953 }
4954
4955 if (skb && !skb_in_use) {
4956 BT_DBG("Freeing %p", skb);
4957 kfree_skb(skb);
4958 }
4959
4960 return err;
4961}
4962
4963static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
4964{
4965 /* Make sure reqseq is for a packet that has been sent but not acked */
4966 u16 unacked;
4967
4968 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
4969 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
4970}
4971
cec8ab6e
MM		 4972static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
4973 struct sk_buff *skb, u8 event)
218bb9df 4974{
d2a7ac5d
MM		 4975 int err = 0;
4976
4977 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
4978 control, skb, event, chan->rx_state);
4979
4980 if (__valid_reqseq(chan, control->reqseq)) {
4981 switch (chan->rx_state) {
4982 case L2CAP_RX_STATE_RECV:
4983 err = l2cap_rx_state_recv(chan, control, skb, event);
4984 break;
4985 case L2CAP_RX_STATE_SREJ_SENT:
4986 err = l2cap_rx_state_srej_sent(chan, control, skb,
4987 event);
4988 break;
4989 default:
4990 /* shut it down */
4991 break;
4992 }
4993 } else {
4994 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
4995 control->reqseq, chan->next_tx_seq,
4996 chan->expected_ack_seq);
4997 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4998 }
4999
5000 return err;
cec8ab6e
MM		 5001}
5002
5003static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5004 struct sk_buff *skb)
5005{
4b51dae9
MM		 5006 int err = 0;
5007
5008 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
5009 chan->rx_state);
5010
5011 if (l2cap_classify_txseq(chan, control->txseq) ==
5012 L2CAP_TXSEQ_EXPECTED) {
5013 l2cap_pass_to_tx(chan, control);
5014
5015 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
5016 __next_seq(chan, chan->buffer_seq));
5017
5018 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5019
5020 l2cap_reassemble_sdu(chan, skb, control);
5021 } else {
5022 if (chan->sdu) {
5023 kfree_skb(chan->sdu);
5024 chan->sdu = NULL;
5025 }
5026 chan->sdu_last_frag = NULL;
5027 chan->sdu_len = 0;
5028
5029 if (skb) {
5030 BT_DBG("Freeing %p", skb);
5031 kfree_skb(skb);
5032 }
5033 }
5034
5035 chan->last_acked_seq = control->txseq;
5036 chan->expected_tx_seq = __next_seq(chan, control->txseq);
5037
5038 return err;
cec8ab6e
MM		 5039}
5040
5041static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
5042{
5043 struct l2cap_ctrl *control = &bt_cb(skb)->control;
5044 u16 len;
5045 u8 event;
218bb9df 5046
b76bbd66
MM		 5047 __unpack_control(chan, skb);
5048
218bb9df
GP		 5049 len = skb->len;
5050
5051 /*
5052 * We can just drop the corrupted I-frame here.
5053 * Receiver will miss it and start proper recovery
cec8ab6e 5054 * procedures and ask for retransmission.
218bb9df 5055 */
47d1ec61 5056 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 5057 goto drop;
5058
cec8ab6e 5059 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 5060 len -= L2CAP_SDULEN_SIZE;
218bb9df 5061
47d1ec61 5062 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 5063 len -= L2CAP_FCS_SIZE;
218bb9df 5064
47d1ec61 5065 if (len > chan->mps) {
8c1d787b 5066 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5067 goto drop;
5068 }
5069
cec8ab6e
MM		 5070 if (!control->sframe) {
5071 int err;
218bb9df 5072
cec8ab6e
MM		 5073 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
5074 control->sar, control->reqseq, control->final,
5075 control->txseq);
218bb9df 5076
cec8ab6e
MM		 5077 /* Validate F-bit - F=0 always valid, F=1 only
5078 * valid in TX WAIT_F
5079 */
5080 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 5081 goto drop;
cec8ab6e
MM		 5082
5083 if (chan->mode != L2CAP_MODE_STREAMING) {
5084 event = L2CAP_EV_RECV_IFRAME;
5085 err = l2cap_rx(chan, control, skb, event);
5086 } else {
5087 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 5088 }
5089
cec8ab6e
MM		 5090 if (err)
5091 l2cap_send_disconn_req(chan->conn, chan,
5092 ECONNRESET);
218bb9df 5093 } else {
cec8ab6e
MM		 5094 const u8 rx_func_to_event[4] = {
5095 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
5096 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
5097 };
5098
5099 /* Only I-frames are expected in streaming mode */
5100 if (chan->mode == L2CAP_MODE_STREAMING)
5101 goto drop;
5102
5103 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
5104 control->reqseq, control->final, control->poll,
5105 control->super);
5106
218bb9df
GP		 5107 if (len != 0) {
5108 BT_ERR("%d", len);
8c1d787b 5109 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5110 goto drop;
5111 }
5112
cec8ab6e
MM		 5113 /* Validate F and P bits */
5114 if (control->final && (control->poll ||
5115 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
5116 goto drop;
5117
5118 event = rx_func_to_event[control->super];
5119 if (l2cap_rx(chan, control, skb, event))
5120 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5121 }
5122
5123 return 0;
5124
5125drop:
5126 kfree_skb(skb);
5127 return 0;
5128}
5129
1da177e4
LT		 5130static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
5131{
48454079 5132 struct l2cap_chan *chan;
1da177e4 5133
baa7e1fa 5134 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 5135 if (!chan) {
97e8e89d
AE		 5136 if (cid == L2CAP_CID_A2MP) {
5137 chan = a2mp_channel_create(conn, skb);
5138 if (!chan) {
5139 kfree_skb(skb);
5140 return 0;
5141 }
5142
5143 l2cap_chan_lock(chan);
5144 } else {
5145 BT_DBG("unknown cid 0x%4.4x", cid);
5146 /* Drop packet and return */
5147 kfree_skb(skb);
5148 return 0;
5149 }
1da177e4
LT		 5150 }
5151
49208c9c 5152 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5153
89bc500e 5154 if (chan->state != BT_CONNECTED)
1da177e4
LT		 5155 goto drop;
5156
0c1bc5c6 5157 switch (chan->mode) {
1c2acffb
GP		 5158 case L2CAP_MODE_BASIC:
5159 /* If socket recv buffers overflows we drop data here
5160 * which is *bad* because L2CAP has to be reliable.
5161 * But we don't have any other choice. L2CAP doesn't
5162 * provide flow control mechanism. */
1da177e4 5163
0c1bc5c6 5164 if (chan->imtu < skb->len)
1c2acffb 5165 goto drop;
1da177e4 5166
80b98027 5167 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 5168 goto done;
5169 break;
5170
5171 case L2CAP_MODE_ERTM:
6840ed07 5172 case L2CAP_MODE_STREAMING:
cec8ab6e 5173 l2cap_data_rcv(chan, skb);
6840ed07
GP		 5174 goto done;
5175
1c2acffb 5176 default:
0c1bc5c6 5177 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 5178 break;
5179 }
1da177e4
LT		 5180
5181drop:
5182 kfree_skb(skb);
5183
5184done:
6be36555 5185 l2cap_chan_unlock(chan);
0139418c 5186
1da177e4
LT		 5187 return 0;
5188}
5189
8e036fc3 5190static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 5191{
23691d75 5192 struct l2cap_chan *chan;
1da177e4 5193
c2287681 5194 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 5195 if (!chan)
1da177e4
LT		 5196 goto drop;
5197
5b4cedaa 5198 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5199
89bc500e 5200 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 5201 goto drop;
5202
e13e21dc 5203 if (chan->imtu < skb->len)
1da177e4
LT		 5204 goto drop;
5205
80b98027 5206 if (!chan->ops->recv(chan, skb))
5b4cedaa 5207 return 0;
1da177e4
LT		 5208
5209drop:
5210 kfree_skb(skb);
5211
1da177e4
LT		 5212 return 0;
5213}
5214
d9b88702
AE		 5215static inline int l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
5216 struct sk_buff *skb)
9f69bda6 5217{
23691d75 5218 struct l2cap_chan *chan;
9f69bda6 5219
c2287681 5220 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 5221 if (!chan)
9f69bda6
GP		 5222 goto drop;
5223
5b4cedaa 5224 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 5225
89bc500e 5226 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 5227 goto drop;
5228
e13e21dc 5229 if (chan->imtu < skb->len)
9f69bda6
GP		 5230 goto drop;
5231
80b98027 5232 if (!chan->ops->recv(chan, skb))
5b4cedaa 5233 return 0;
9f69bda6
GP		 5234
5235drop:
5236 kfree_skb(skb);
5237
9f69bda6
GP		 5238 return 0;
5239}
5240
1da177e4
LT		 5241static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
5242{
5243 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 5244 u16 cid, len;
5245 __le16 psm;
1da177e4
LT		 5246
5247 skb_pull(skb, L2CAP_HDR_SIZE);
5248 cid = __le16_to_cpu(lh->cid);
5249 len = __le16_to_cpu(lh->len);
5250
1c2acffb
GP		 5251 if (len != skb->len) {
5252 kfree_skb(skb);
5253 return;
5254 }
5255
1da177e4
LT		 5256 BT_DBG("len %d, cid 0x%4.4x", len, cid);
5257
5258 switch (cid) {
3300d9a9 5259 case L2CAP_CID_LE_SIGNALING:
8db4dc46 5260 case L2CAP_CID_SIGNALING:
1da177e4
LT		 5261 l2cap_sig_channel(conn, skb);
5262 break;
5263
8db4dc46 5264 case L2CAP_CID_CONN_LESS:
097db76c 5265 psm = get_unaligned((__le16 *) skb->data);
0181a70f 5266 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 5267 l2cap_conless_channel(conn, psm, skb);
5268 break;
5269
9f69bda6
GP		 5270 case L2CAP_CID_LE_DATA:
5271 l2cap_att_channel(conn, cid, skb);
5272 break;
5273
b501d6a1
AB		 5274 case L2CAP_CID_SMP:
5275 if (smp_sig_channel(conn, skb))
5276 l2cap_conn_del(conn->hcon, EACCES);
5277 break;
5278
1da177e4
LT		 5279 default:
5280 l2cap_data_channel(conn, cid, skb);
5281 break;
5282 }
5283}
5284
5285/* ---- L2CAP interface with lower layer (HCI) ---- */
5286
686ebf28 5287int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 5288{
5289 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 5290 struct l2cap_chan *c;
1da177e4 5291
1da177e4
LT		 5292 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
5293
5294 /* Find listening sockets and check their link_mode */
23691d75
GP		 5295 read_lock(&chan_list_lock);
5296 list_for_each_entry(c, &chan_list, global_l) {
5297 struct sock *sk = c->sk;
4343478f 5298
89bc500e 5299 if (c->state != BT_LISTEN)
1da177e4
LT		 5300 continue;
5301
5302 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 5303 lm1 |= HCI_LM_ACCEPT;
43bd0f32 5304 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 5305 lm1 |= HCI_LM_MASTER;
1da177e4 5306 exact++;
2af6b9d5
MH		 5307 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
5308 lm2 |= HCI_LM_ACCEPT;
43bd0f32 5309 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 5310 lm2 |= HCI_LM_MASTER;
5311 }
1da177e4 5312 }
23691d75 5313 read_unlock(&chan_list_lock);
1da177e4
LT		 5314
5315 return exact ? lm1 : lm2;
5316}
5317
686ebf28 5318int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 5319{
0139418c
MH		 5320 struct l2cap_conn *conn;
5321
1da177e4
LT		 5322 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
5323
1da177e4 5324 if (!status) {
1da177e4
LT		 5325 conn = l2cap_conn_add(hcon, status);
5326 if (conn)
5327 l2cap_conn_ready(conn);
0139418c 5328 } else
e175072f 5329 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 5330
5331 return 0;
5332}
5333
686ebf28 5334int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 5335{
5336 struct l2cap_conn *conn = hcon->l2cap_data;
5337
5338 BT_DBG("hcon %p", hcon);
5339
686ebf28 5340 if (!conn)
9f5a0d7b 5341 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 5342 return conn->disc_reason;
5343}
5344
686ebf28 5345int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 5346{
5347 BT_DBG("hcon %p reason %d", hcon, reason);
5348
e175072f 5349 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 5350 return 0;
5351}
5352
4343478f 5353static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 5354{
715ec005 5355 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 5356 return;
5357
f62e4323 5358 if (encrypt == 0x00) {
4343478f 5359 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 5360 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 5361 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 5362 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 5363 } else {
4343478f 5364 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 5365 __clear_chan_timer(chan);
f62e4323
MH		 5366 }
5367}
5368
686ebf28 5369int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 5370{
0139418c 5371 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 5372 struct l2cap_chan *chan;
1da177e4 5373
0139418c 5374 if (!conn)
1da177e4 5375 return 0;
0139418c 5376
1da177e4
LT		 5377 BT_DBG("conn %p", conn);
5378
160dc6ac 5379 if (hcon->type == LE_LINK) {
35d4adcc
HG		 5380 if (!status && encrypt)
5381 smp_distribute_keys(conn, 0);
17cd3f37 5382 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 5383 }
5384
3df91ea2 5385 mutex_lock(&conn->chan_lock);
1da177e4 5386
3df91ea2 5387 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 5388 l2cap_chan_lock(chan);
1da177e4 5389
f1cb9af5
VCG		 5390 BT_DBG("chan->scid %d", chan->scid);
5391
5392 if (chan->scid == L2CAP_CID_LE_DATA) {
5393 if (!status && encrypt) {
5394 chan->sec_level = hcon->sec_level;
cf4cd009 5395 l2cap_chan_ready(chan);
f1cb9af5
VCG		 5396 }
5397
6be36555 5398 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 5399 continue;
5400 }
5401
c1360a1c 5402 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6be36555 5403 l2cap_chan_unlock(chan);
6a8d3010
MH		 5404 continue;
5405 }
5406
89bc500e
GP		 5407 if (!status && (chan->state == BT_CONNECTED ||
5408 chan->state == BT_CONFIG)) {
a7d7723a
GP		 5409 struct sock *sk = chan->sk;
5410
c5daa683 5411 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 5412 sk->sk_state_change(sk);
5413
4343478f 5414 l2cap_check_encryption(chan, encrypt);
6be36555 5415 l2cap_chan_unlock(chan);
9719f8af
MH		 5416 continue;
5417 }
5418
89bc500e 5419 if (chan->state == BT_CONNECT) {
b1235d79 5420 if (!status) {
9b27f350 5421 l2cap_send_conn_req(chan);
b1235d79 5422 } else {
ba13ccd9 5423 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 5424 }
89bc500e 5425 } else if (chan->state == BT_CONNECT2) {
6be36555 5426 struct sock *sk = chan->sk;
b1235d79 5427 struct l2cap_conn_rsp rsp;
df3c3931 5428 __u16 res, stat;
1da177e4 5429
6be36555
AE		 5430 lock_sock(sk);
5431
b1235d79 5432 if (!status) {
c5daa683
GP		 5433 if (test_bit(BT_SK_DEFER_SETUP,
5434 &bt_sk(sk)->flags)) {
df3c3931
JH		 5435 struct sock *parent = bt_sk(sk)->parent;
5436 res = L2CAP_CR_PEND;
5437 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 5438 if (parent)
5439 parent->sk_data_ready(parent, 0);
df3c3931 5440 } else {
0e587be7 5441 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 5442 res = L2CAP_CR_SUCCESS;
5443 stat = L2CAP_CS_NO_INFO;
5444 }
b1235d79 5445 } else {
0e587be7 5446 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 5447 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 5448 res = L2CAP_CR_SEC_BLOCK;
5449 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 5450 }
5451
6be36555
AE		 5452 release_sock(sk);
5453
fe4128e0
GP		 5454 rsp.scid = cpu_to_le16(chan->dcid);
5455 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 5456 rsp.result = cpu_to_le16(res);
5457 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 5458 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
5459 sizeof(rsp), &rsp);
2d369359
MM		 5460
5461 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
5462 res == L2CAP_CR_SUCCESS) {
5463 char buf[128];
5464 set_bit(CONF_REQ_SENT, &chan->conf_state);
5465 l2cap_send_cmd(conn, l2cap_get_ident(conn),
5466 L2CAP_CONF_REQ,
5467 l2cap_build_conf_req(chan, buf),
5468 buf);
5469 chan->num_conf_req++;
5470 }
b1235d79 5471 }
1da177e4 5472
6be36555 5473 l2cap_chan_unlock(chan);
1da177e4
LT		 5474 }
5475
3df91ea2 5476 mutex_unlock(&conn->chan_lock);
b1235d79 5477
1da177e4
LT		 5478 return 0;
5479}
5480
686ebf28 5481int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 5482{
5483 struct l2cap_conn *conn = hcon->l2cap_data;
5484
5a08ecce
AE		 5485 if (!conn)
5486 conn = l2cap_conn_add(hcon, 0);
5487
5488 if (!conn)
1da177e4
LT		 5489 goto drop;
5490
5491 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
5492
e702112f 5493 if (!(flags & ACL_CONT)) {
1da177e4
LT		 5494 struct l2cap_hdr *hdr;
5495 int len;
5496
5497 if (conn->rx_len) {
5498 BT_ERR("Unexpected start frame (len %d)", skb->len);
5499 kfree_skb(conn->rx_skb);
5500 conn->rx_skb = NULL;
5501 conn->rx_len = 0;
5502 l2cap_conn_unreliable(conn, ECOMM);
5503 }
5504
aae7fe22
AE		 5505 /* Start fragment always begin with Basic L2CAP header */
5506 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 5507 BT_ERR("Frame is too short (len %d)", skb->len);
5508 l2cap_conn_unreliable(conn, ECOMM);
5509 goto drop;
5510 }
5511
5512 hdr = (struct l2cap_hdr *) skb->data;
5513 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
5514
5515 if (len == skb->len) {
5516 /* Complete frame received */
5517 l2cap_recv_frame(conn, skb);
5518 return 0;
5519 }
5520
5521 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
5522
5523 if (skb->len > len) {
5524 BT_ERR("Frame is too long (len %d, expected len %d)",
5525 skb->len, len);
5526 l2cap_conn_unreliable(conn, ECOMM);
5527 goto drop;
5528 }
5529
5530 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 5531 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
5532 if (!conn->rx_skb)
1da177e4
LT		 5533 goto drop;
5534
d626f62b 5535 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5536 skb->len);
1da177e4
LT		 5537 conn->rx_len = len - skb->len;
5538 } else {
5539 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
5540
5541 if (!conn->rx_len) {
5542 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
5543 l2cap_conn_unreliable(conn, ECOMM);
5544 goto drop;
5545 }
5546
5547 if (skb->len > conn->rx_len) {
5548 BT_ERR("Fragment is too long (len %d, expected %d)",
5549 skb->len, conn->rx_len);
5550 kfree_skb(conn->rx_skb);
5551 conn->rx_skb = NULL;
5552 conn->rx_len = 0;
5553 l2cap_conn_unreliable(conn, ECOMM);
5554 goto drop;
5555 }
5556
d626f62b 5557 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5558 skb->len);
1da177e4
LT		 5559 conn->rx_len -= skb->len;
5560
5561 if (!conn->rx_len) {
5562 /* Complete frame received */
5563 l2cap_recv_frame(conn, conn->rx_skb);
5564 conn->rx_skb = NULL;
5565 }
5566 }
5567
5568drop:
5569 kfree_skb(skb);
5570 return 0;
5571}
5572
aef7d97c 5573static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 5574{
23691d75 5575 struct l2cap_chan *c;
1da177e4 5576
333055f2 5577 read_lock(&chan_list_lock);
1da177e4 5578
23691d75
GP		 5579 list_for_each_entry(c, &chan_list, global_l) {
5580 struct sock *sk = c->sk;
101545f6 5581
903d343e 5582 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 5583 batostr(&bt_sk(sk)->src),
5584 batostr(&bt_sk(sk)->dst),
89bc500e 5585 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 5586 c->scid, c->dcid, c->imtu, c->omtu,
5587 c->sec_level, c->mode);
61e1b4b7 5588 }
1da177e4 5589
333055f2 5590 read_unlock(&chan_list_lock);
1da177e4 5591
aef7d97c 5592 return 0;
1da177e4
LT		 5593}
5594
aef7d97c
MH		 5595static int l2cap_debugfs_open(struct inode *inode, struct file *file)
5596{
5597 return single_open(file, l2cap_debugfs_show, inode->i_private);
5598}
5599
5600static const struct file_operations l2cap_debugfs_fops = {
5601 .open = l2cap_debugfs_open,
5602 .read = seq_read,
5603 .llseek = seq_lseek,
5604 .release = single_release,
5605};
5606
5607static struct dentry *l2cap_debugfs;
1da177e4 5608
64274518 5609int __init l2cap_init(void)
1da177e4
LT		 5610{
5611 int err;
be9d1227 5612
bb58f747 5613 err = l2cap_init_sockets();
1da177e4
LT		 5614 if (err < 0)
5615 return err;
5616
aef7d97c
MH		 5617 if (bt_debugfs) {
5618 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
5619 bt_debugfs, NULL, &l2cap_debugfs_fops);
5620 if (!l2cap_debugfs)
5621 BT_ERR("Failed to create L2CAP debug file");
5622 }
1da177e4 5623
1da177e4 5624 return 0;
1da177e4
LT		 5625}
5626
64274518 5627void l2cap_exit(void)
1da177e4 5628{
aef7d97c 5629 debugfs_remove(l2cap_debugfs);
bb58f747 5630 l2cap_cleanup_sockets();
1da177e4
LT		 5631}
5632
d1c4a17d
GP		 5633module_param(disable_ertm, bool, 0644);
5634MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)