projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Fix not removing hci_conn for failed LE connection
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
b501d6a1 39#include <net/bluetooth/smp.h>
97e8e89d 40#include <net/bluetooth/a2mp.h>
1da177e4 41
d1de6d46 42bool disable_ertm;
f0709e03 43
47ec1dcd 44static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 45static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 46
b5ad8b7f
JB		 47static LIST_HEAD(chan_list);
48static DEFINE_RWLOCK(chan_list_lock);
1da177e4 49
1da177e4
LT		 50static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
51 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 52static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
53 void *data);
710f9b0a 54static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a 55static void l2cap_send_disconn_req(struct l2cap_conn *conn,
c5daa683 56 struct l2cap_chan *chan, int err);
1da177e4 57
d660366d 58static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
608bcc6d
MM		 59 struct sk_buff_head *skbs, u8 event);
60
0139418c 61/* ---- L2CAP channels ---- */
71ba0e56 62
baa7e1fa 63static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 64{
3df91ea2 65 struct l2cap_chan *c;
3d57dc68 66
3df91ea2
AE		 67 list_for_each_entry(c, &conn->chan_l, list) {
68 if (c->dcid == cid)
69 return c;
0139418c 70 }
3df91ea2 71 return NULL;
0139418c
MH		 72}
73
baa7e1fa 74static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 75{
3df91ea2 76 struct l2cap_chan *c;
3d57dc68 77
3df91ea2
AE		 78 list_for_each_entry(c, &conn->chan_l, list) {
79 if (c->scid == cid)
80 return c;
0139418c 81 }
3df91ea2 82 return NULL;
0139418c
MH		 83}
84
85/* Find channel with given SCID.
ef191ade 86 * Returns locked channel. */
baa7e1fa 87static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 88{
48454079 89 struct l2cap_chan *c;
baa7e1fa 90
3df91ea2 91 mutex_lock(&conn->chan_lock);
baa7e1fa 92 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 93 if (c)
94 l2cap_chan_lock(c);
3df91ea2
AE		 95 mutex_unlock(&conn->chan_lock);
96
48454079 97 return c;
0139418c
MH		 98}
99
baa7e1fa 100static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 101{
3df91ea2 102 struct l2cap_chan *c;
3d57dc68 103
3df91ea2
AE		 104 list_for_each_entry(c, &conn->chan_l, list) {
105 if (c->ident == ident)
106 return c;
0139418c 107 }
3df91ea2 108 return NULL;
0139418c
MH		 109}
110
23691d75 111static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 112{
23691d75 113 struct l2cap_chan *c;
9e4425ff 114
23691d75
GP		 115 list_for_each_entry(c, &chan_list, global_l) {
116 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 117 return c;
9e4425ff 118 }
250938cb 119 return NULL;
9e4425ff
GP		 120}
121
122int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
123{
73b2ec18
GP		 124 int err;
125
333055f2 126 write_lock(&chan_list_lock);
9e4425ff 127
23691d75 128 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 129 err = -EADDRINUSE;
130 goto done;
9e4425ff
GP		 131 }
132
73b2ec18
GP		 133 if (psm) {
134 chan->psm = psm;
135 chan->sport = psm;
136 err = 0;
137 } else {
138 u16 p;
139
140 err = -EINVAL;
141 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 142 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 143 chan->psm = cpu_to_le16(p);
144 chan->sport = cpu_to_le16(p);
145 err = 0;
146 break;
147 }
148 }
9e4425ff 149
73b2ec18 150done:
333055f2 151 write_unlock(&chan_list_lock);
73b2ec18 152 return err;
9e4425ff
GP		 153}
154
155int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
156{
333055f2 157 write_lock(&chan_list_lock);
9e4425ff
GP		 158
159 chan->scid = scid;
160
333055f2 161 write_unlock(&chan_list_lock);
9e4425ff
GP		 162
163 return 0;
164}
165
baa7e1fa 166static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 167{
8db4dc46 168 u16 cid = L2CAP_CID_DYN_START;
0139418c 169
8db4dc46 170 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 171 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 172 return cid;
173 }
174
175 return 0;
176}
177
0e587be7 178static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 179{
42d2d87c 180 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
badaaa00
GP		 181 state_to_string(state));
182
89bc500e 183 chan->state = state;
80b98027 184 chan->ops->state_change(chan, state);
89bc500e
GP		 185}
186
0e587be7
AE		 187static void l2cap_state_change(struct l2cap_chan *chan, int state)
188{
189 struct sock *sk = chan->sk;
190
191 lock_sock(sk);
192 __l2cap_state_change(chan, state);
193 release_sock(sk);
194}
195
2e0052e4
AE		 196static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
197{
198 struct sock *sk = chan->sk;
199
200 sk->sk_err = err;
201}
202
203static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
204{
205 struct sock *sk = chan->sk;
206
207 lock_sock(sk);
208 __l2cap_chan_set_err(chan, err);
209 release_sock(sk);
210}
211
4239d16f
MM		 212static void __set_retrans_timer(struct l2cap_chan *chan)
213{
214 if (!delayed_work_pending(&chan->monitor_timer) &&
215 chan->retrans_timeout) {
216 l2cap_set_timer(chan, &chan->retrans_timer,
217 msecs_to_jiffies(chan->retrans_timeout));
218 }
219}
220
221static void __set_monitor_timer(struct l2cap_chan *chan)
222{
223 __clear_retrans_timer(chan);
224 if (chan->monitor_timeout) {
225 l2cap_set_timer(chan, &chan->monitor_timer,
226 msecs_to_jiffies(chan->monitor_timeout));
227 }
228}
229
608bcc6d
MM		 230static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
231 u16 seq)
232{
233 struct sk_buff *skb;
234
235 skb_queue_walk(head, skb) {
236 if (bt_cb(skb)->control.txseq == seq)
237 return skb;
238 }
239
240 return NULL;
241}
242
3c588192
MM		 243/* ---- L2CAP sequence number lists ---- */
244
245/* For ERTM, ordered lists of sequence numbers must be tracked for
246 * SREJ requests that are received and for frames that are to be
247 * retransmitted. These seq_list functions implement a singly-linked
248 * list in an array, where membership in the list can also be checked
249 * in constant time. Items can also be added to the tail of the list
250 * and removed from the head in constant time, without further memory
251 * allocs or frees.
252 */
253
254static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
255{
256 size_t alloc_size, i;
257
258 /* Allocated size is a power of 2 to map sequence numbers
259 * (which may be up to 14 bits) in to a smaller array that is
260 * sized for the negotiated ERTM transmit windows.
261 */
262 alloc_size = roundup_pow_of_two(size);
263
264 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
265 if (!seq_list->list)
266 return -ENOMEM;
267
268 seq_list->mask = alloc_size - 1;
269 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
270 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
271 for (i = 0; i < alloc_size; i++)
272 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
273
274 return 0;
275}
276
277static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
278{
279 kfree(seq_list->list);
280}
281
282static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
283 u16 seq)
284{
285 /* Constant-time check for list membership */
286 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
287}
288
289static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
290{
291 u16 mask = seq_list->mask;
292
293 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
294 /* In case someone tries to pop the head of an empty list */
295 return L2CAP_SEQ_LIST_CLEAR;
296 } else if (seq_list->head == seq) {
297 /* Head can be removed in constant time */
298 seq_list->head = seq_list->list[seq & mask];
299 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
300
301 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
302 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
303 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
304 }
305 } else {
306 /* Walk the list to find the sequence number */
307 u16 prev = seq_list->head;
308 while (seq_list->list[prev & mask] != seq) {
309 prev = seq_list->list[prev & mask];
310 if (prev == L2CAP_SEQ_LIST_TAIL)
311 return L2CAP_SEQ_LIST_CLEAR;
312 }
313
314 /* Unlink the number from the list and clear it */
315 seq_list->list[prev & mask] = seq_list->list[seq & mask];
316 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
317 if (seq_list->tail == seq)
318 seq_list->tail = prev;
319 }
320 return seq;
321}
322
323static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
324{
325 /* Remove the head in constant time */
326 return l2cap_seq_list_remove(seq_list, seq_list->head);
327}
328
329static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
330{
f522ae36 331 u16 i;
3c588192 332
f522ae36
GP		 333 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
334 return;
335
336 for (i = 0; i <= seq_list->mask; i++)
337 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
338
339 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
340 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 341}
342
343static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
344{
345 u16 mask = seq_list->mask;
346
347 /* All appends happen in constant time */
348
f522ae36
GP		 349 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
350 return;
3c588192 351
f522ae36
GP		 352 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
353 seq_list->head = seq;
354 else
355 seq_list->list[seq_list->tail & mask] = seq;
356
357 seq_list->tail = seq;
358 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 359}
360
721c4181 361static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 362{
721c4181
GP		 363 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
364 chan_timer.work);
3df91ea2 365 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 366 int reason;
367
e05dcc32 368 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 369
3df91ea2 370 mutex_lock(&conn->chan_lock);
6be36555 371 l2cap_chan_lock(chan);
ab07801d 372
89bc500e 373 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 374 reason = ECONNREFUSED;
89bc500e 375 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 376 chan->sec_level != BT_SECURITY_SDP)
377 reason = ECONNREFUSED;
378 else
379 reason = ETIMEDOUT;
380
0f852724 381 l2cap_chan_close(chan, reason);
ab07801d 382
6be36555 383 l2cap_chan_unlock(chan);
ab07801d 384
80b98027 385 chan->ops->close(chan);
3df91ea2
AE		 386 mutex_unlock(&conn->chan_lock);
387
371fd835 388 l2cap_chan_put(chan);
ab07801d
GP		 389}
390
eef1d9b6 391struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 392{
393 struct l2cap_chan *chan;
394
395 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
396 if (!chan)
397 return NULL;
398
c03b355e
AE		 399 mutex_init(&chan->lock);
400
333055f2 401 write_lock(&chan_list_lock);
23691d75 402 list_add(&chan->global_l, &chan_list);
333055f2 403 write_unlock(&chan_list_lock);
23691d75 404
721c4181 405 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 406
89bc500e
GP		 407 chan->state = BT_OPEN;
408
71ba0e56
GP		 409 atomic_set(&chan->refcnt, 1);
410
2827011f
MM		 411 /* This flag is cleared in l2cap_chan_ready() */
412 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
413
eef1d9b6 414 BT_DBG("chan %p", chan);
abc545b8 415
48454079
GP		 416 return chan;
417}
418
23691d75 419void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 420{
333055f2 421 write_lock(&chan_list_lock);
23691d75 422 list_del(&chan->global_l);
333055f2 423 write_unlock(&chan_list_lock);
23691d75 424
371fd835 425 l2cap_chan_put(chan);
6ff5abbf
GP		 426}
427
bd4b1653
AE		 428void l2cap_chan_set_defaults(struct l2cap_chan *chan)
429{
430 chan->fcs = L2CAP_FCS_CRC16;
431 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
432 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
433 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
434 chan->sec_level = BT_SECURITY_LOW;
435
436 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
437}
438
14a28491 439static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 440{
af05b30b 441 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 442 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 443
9f5a0d7b 444 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 445
8c1d787b 446 chan->conn = conn;
0139418c 447
5491120e
AE		 448 switch (chan->chan_type) {
449 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 450 if (conn->hcon->type == LE_LINK) {
451 /* LE connection */
0c1bc5c6 452 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 453 chan->scid = L2CAP_CID_LE_DATA;
454 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 455 } else {
456 /* Alloc CID for connection-oriented socket */
fe4128e0 457 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 458 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 459 }
5491120e
AE		 460 break;
461
462 case L2CAP_CHAN_CONN_LESS:
0139418c 463 /* Connectionless socket */
fe4128e0
GP		 464 chan->scid = L2CAP_CID_CONN_LESS;
465 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 466 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 467 break;
468
416fa752
AE		 469 case L2CAP_CHAN_CONN_FIX_A2MP:
470 chan->scid = L2CAP_CID_A2MP;
471 chan->dcid = L2CAP_CID_A2MP;
472 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
473 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
474 break;
475
5491120e 476 default:
0139418c 477 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 478 chan->scid = L2CAP_CID_SIGNALING;
479 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 480 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 481 }
482
8f7975b1
AE		 483 chan->local_id = L2CAP_BESTEFFORT_ID;
484 chan->local_stype = L2CAP_SERV_BESTEFFORT;
485 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
486 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
487 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
488 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
489
371fd835 490 l2cap_chan_hold(chan);
baa7e1fa 491
3df91ea2 492 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 493}
494
466f8004 495void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 496{
497 mutex_lock(&conn->chan_lock);
498 __l2cap_chan_add(conn, chan);
3df91ea2 499 mutex_unlock(&conn->chan_lock);
0139418c
MH		 500}
501
466f8004 502void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 503{
8c1d787b 504 struct l2cap_conn *conn = chan->conn;
0139418c 505
c9b66675 506 __clear_chan_timer(chan);
0139418c 507
49208c9c 508 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 509
8e87d142 510 if (conn) {
baa7e1fa 511 /* Delete from channel list */
3df91ea2 512 list_del(&chan->list);
3d57dc68 513
371fd835 514 l2cap_chan_put(chan);
baa7e1fa 515
8c1d787b 516 chan->conn = NULL;
3cabbfda
AE		 517
518 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
519 hci_conn_put(conn->hcon);
0139418c
MH		 520 }
521
c0df7f6e
AE		 522 if (chan->ops->teardown)
523 chan->ops->teardown(chan, err);
6be36555 524
2827011f 525 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 526 return;
2ead70b8 527
ee556f66
GP		 528 switch(chan->mode) {
529 case L2CAP_MODE_BASIC:
530 break;
c13ffa62 531
ee556f66 532 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 533 __clear_retrans_timer(chan);
534 __clear_monitor_timer(chan);
535 __clear_ack_timer(chan);
c13ffa62 536
f1c6775b 537 skb_queue_purge(&chan->srej_q);
c13ffa62 538
3c588192
MM		 539 l2cap_seq_list_free(&chan->srej_list);
540 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 541
542 /* fall through */
543
544 case L2CAP_MODE_STREAMING:
545 skb_queue_purge(&chan->tx_q);
546 break;
c13ffa62 547 }
ee556f66
GP		 548
549 return;
0139418c
MH		 550}
551
0f852724 552void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 553{
554 struct l2cap_conn *conn = chan->conn;
555 struct sock *sk = chan->sk;
556
e05dcc32
AE		 557 BT_DBG("chan %p state %s sk %p", chan,
558 state_to_string(chan->state), sk);
4519de9a 559
89bc500e 560 switch (chan->state) {
4519de9a 561 case BT_LISTEN:
c0df7f6e
AE		 562 if (chan->ops->teardown)
563 chan->ops->teardown(chan, 0);
4519de9a
GP		 564 break;
565
566 case BT_CONNECTED:
567 case BT_CONFIG:
715ec005 568 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 569 conn->hcon->type == ACL_LINK) {
c9b66675 570 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 571 l2cap_send_disconn_req(conn, chan, reason);
572 } else
573 l2cap_chan_del(chan, reason);
574 break;
575
576 case BT_CONNECT2:
715ec005 577 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 578 conn->hcon->type == ACL_LINK) {
579 struct l2cap_conn_rsp rsp;
580 __u16 result;
581
c5daa683 582 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 583 result = L2CAP_CR_SEC_BLOCK;
584 else
585 result = L2CAP_CR_BAD_PSM;
89bc500e 586 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 587
588 rsp.scid = cpu_to_le16(chan->dcid);
589 rsp.dcid = cpu_to_le16(chan->scid);
590 rsp.result = cpu_to_le16(result);
ac73498c 591 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4519de9a
GP		 592 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
593 sizeof(rsp), &rsp);
594 }
595
596 l2cap_chan_del(chan, reason);
597 break;
598
599 case BT_CONNECT:
600 case BT_DISCONN:
601 l2cap_chan_del(chan, reason);
602 break;
603
604 default:
c0df7f6e
AE		 605 if (chan->ops->teardown)
606 chan->ops->teardown(chan, 0);
4519de9a
GP		 607 break;
608 }
609}
610
4343478f 611static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 612{
715ec005 613 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 614 switch (chan->sec_level) {
8556edd3
JH		 615 case BT_SECURITY_HIGH:
616 return HCI_AT_DEDICATED_BONDING_MITM;
617 case BT_SECURITY_MEDIUM:
618 return HCI_AT_DEDICATED_BONDING;
619 default:
620 return HCI_AT_NO_BONDING;
621 }
2983fd68 622 } else if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
4343478f
GP		 623 if (chan->sec_level == BT_SECURITY_LOW)
624 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 625
4343478f 626 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 627 return HCI_AT_NO_BONDING_MITM;
00ae4af9 628 else
8556edd3 629 return HCI_AT_NO_BONDING;
00ae4af9 630 } else {
4343478f 631 switch (chan->sec_level) {
00ae4af9 632 case BT_SECURITY_HIGH:
8556edd3 633 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 634 case BT_SECURITY_MEDIUM:
8556edd3 635 return HCI_AT_GENERAL_BONDING;
00ae4af9 636 default:
8556edd3 637 return HCI_AT_NO_BONDING;
00ae4af9 638 }
0684e5f9 639 }
8556edd3
JH		 640}
641
642/* Service level security */
d45fc423 643int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 644{
8c1d787b 645 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 646 __u8 auth_type;
647
4343478f 648 auth_type = l2cap_get_auth_type(chan);
79d554a6 649
4343478f 650 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 651}
652
b5ad8b7f 653static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 654{
655 u8 id;
656
657 /* Get next available identificator.
658 * 1 - 128 are used by kernel.
659 * 129 - 199 are reserved.
660 * 200 - 254 are used by utilities like l2ping, etc.
661 */
662
333055f2 663 spin_lock(&conn->lock);
4e8402a3
MH		 664
665 if (++conn->tx_ident > 128)
666 conn->tx_ident = 1;
667
668 id = conn->tx_ident;
669
333055f2 670 spin_unlock(&conn->lock);
4e8402a3
MH		 671
672 return id;
673}
674
4519de9a 675static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 676{
677 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 678 u8 flags;
4e8402a3
MH		 679
680 BT_DBG("code 0x%2.2x", code);
681
682 if (!skb)
9a9c6a34 683 return;
4e8402a3 684
e702112f
AE		 685 if (lmp_no_flush_capable(conn->hcon->hdev))
686 flags = ACL_START_NO_FLUSH;
687 else
688 flags = ACL_START;
689
14b12d0b 690 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 691 skb->priority = HCI_PRIO_MAX;
14b12d0b 692
73d80deb
LAD		 693 hci_send_acl(conn->hchan, skb, flags);
694}
695
696static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
697{
698 struct hci_conn *hcon = chan->conn->hcon;
699 u16 flags;
700
701 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
702 skb->priority);
703
704 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
705 lmp_no_flush_capable(hcon->hdev))
706 flags = ACL_START_NO_FLUSH;
707 else
708 flags = ACL_START;
14b12d0b 709
73d80deb
LAD		 710 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
711 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 712}
713
b76bbd66
MM		 714static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
715{
716 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
717 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
718
719 if (enh & L2CAP_CTRL_FRAME_TYPE) {
720 /* S-Frame */
721 control->sframe = 1;
722 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
723 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
724
725 control->sar = 0;
726 control->txseq = 0;
727 } else {
728 /* I-Frame */
729 control->sframe = 0;
730 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
731 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
732
733 control->poll = 0;
734 control->super = 0;
735 }
736}
737
b76bbd66
MM		 738static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
739{
740 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
741 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
742
743 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
744 /* S-Frame */
745 control->sframe = 1;
746 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
747 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
748
749 control->sar = 0;
750 control->txseq = 0;
751 } else {
752 /* I-Frame */
753 control->sframe = 0;
754 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
755 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
756
757 control->poll = 0;
758 control->super = 0;
759 }
760}
761
762static inline void __unpack_control(struct l2cap_chan *chan,
763 struct sk_buff *skb)
764{
765 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
766 __unpack_extended_control(get_unaligned_le32(skb->data),
767 &bt_cb(skb)->control);
cec8ab6e 768 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 769 } else {
770 __unpack_enhanced_control(get_unaligned_le16(skb->data),
771 &bt_cb(skb)->control);
cec8ab6e 772 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 773 }
774}
775
b5c6aaed
MM		 776static u32 __pack_extended_control(struct l2cap_ctrl *control)
777{
778 u32 packed;
779
780 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
781 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
782
783 if (control->sframe) {
784 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
785 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
786 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
787 } else {
788 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
789 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
790 }
791
792 return packed;
793}
794
795static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
796{
797 u16 packed;
798
799 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
800 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
801
802 if (control->sframe) {
803 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
804 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
805 packed |= L2CAP_CTRL_FRAME_TYPE;
806 } else {
807 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
808 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
809 }
810
811 return packed;
812}
813
b76bbd66
MM		 814static inline void __pack_control(struct l2cap_chan *chan,
815 struct l2cap_ctrl *control,
816 struct sk_buff *skb)
817{
818 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
819 put_unaligned_le32(__pack_extended_control(control),
820 skb->data + L2CAP_HDR_SIZE);
821 } else {
822 put_unaligned_le16(__pack_enhanced_control(control),
823 skb->data + L2CAP_HDR_SIZE);
824 }
825}
826
ba7aa64f
GP		 827static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
828{
829 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
830 return L2CAP_EXT_HDR_SIZE;
831 else
832 return L2CAP_ENH_HDR_SIZE;
833}
834
a67d7f6f
MM		 835static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
836 u32 control)
b5c6aaed
MM		 837{
838 struct sk_buff *skb;
839 struct l2cap_hdr *lh;
ba7aa64f 840 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 841
842 if (chan->fcs == L2CAP_FCS_CRC16)
843 hlen += L2CAP_FCS_SIZE;
844
a67d7f6f 845 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 846
b5c6aaed 847 if (!skb)
a67d7f6f 848 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 849
850 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
851 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
852 lh->cid = cpu_to_le16(chan->dcid);
853
a67d7f6f
MM		 854 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
855 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
856 else
857 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 858
859 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 860 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 861 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
862 }
863
864 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 865 return skb;
866}
867
868static void l2cap_send_sframe(struct l2cap_chan *chan,
869 struct l2cap_ctrl *control)
870{
871 struct sk_buff *skb;
872 u32 control_field;
873
874 BT_DBG("chan %p, control %p", chan, control);
875
876 if (!control->sframe)
877 return;
878
879 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
880 !control->poll)
881 control->final = 1;
882
883 if (control->super == L2CAP_SUPER_RR)
884 clear_bit(CONN_RNR_SENT, &chan->conn_state);
885 else if (control->super == L2CAP_SUPER_RNR)
886 set_bit(CONN_RNR_SENT, &chan->conn_state);
887
888 if (control->super != L2CAP_SUPER_SREJ) {
889 chan->last_acked_seq = control->reqseq;
890 __clear_ack_timer(chan);
891 }
892
893 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
894 control->final, control->poll, control->super);
895
896 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
897 control_field = __pack_extended_control(control);
898 else
899 control_field = __pack_enhanced_control(control);
900
901 skb = l2cap_create_sframe_pdu(chan, control_field);
902 if (!IS_ERR(skb))
903 l2cap_do_send(chan, skb);
b5c6aaed
MM		 904}
905
c9e3d5e0 906static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 907{
c9e3d5e0
MM		 908 struct l2cap_ctrl control;
909
910 BT_DBG("chan %p, poll %d", chan, poll);
911
912 memset(&control, 0, sizeof(control));
913 control.sframe = 1;
914 control.poll = poll;
915
916 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
917 control.super = L2CAP_SUPER_RNR;
918 else
919 control.super = L2CAP_SUPER_RR;
b5c6aaed 920
c9e3d5e0
MM		 921 control.reqseq = chan->buffer_seq;
922 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 923}
924
b4450035 925static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 926{
c1360a1c 927 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 928}
929
9b27f350
AE		 930static void l2cap_send_conn_req(struct l2cap_chan *chan)
931{
932 struct l2cap_conn *conn = chan->conn;
933 struct l2cap_conn_req req;
934
935 req.scid = cpu_to_le16(chan->scid);
936 req.psm = chan->psm;
937
938 chan->ident = l2cap_get_ident(conn);
939
940 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
941
942 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
943}
944
9f0caeb1
VCG		 945static void l2cap_chan_ready(struct l2cap_chan *chan)
946{
2827011f 947 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 948 chan->conf_state = 0;
949 __clear_chan_timer(chan);
950
54a59aa2 951 chan->state = BT_CONNECTED;
9f0caeb1 952
fd83e2c2 953 chan->ops->ready(chan);
9f0caeb1
VCG		 954}
955
fc7f8a7e 956static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 957{
8c1d787b 958 struct l2cap_conn *conn = chan->conn;
79d554a6 959
9f0caeb1
VCG		 960 if (conn->hcon->type == LE_LINK) {
961 l2cap_chan_ready(chan);
962 return;
963 }
964
79d554a6 965 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 966 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
967 return;
968
d45fc423 969 if (l2cap_chan_check_security(chan) &&
9b27f350
AE		 970 __l2cap_no_conn_pending(chan))
971 l2cap_send_conn_req(chan);
79d554a6
MH		 972 } else {
973 struct l2cap_info_req req;
ac73498c 974 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 975
976 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
977 conn->info_ident = l2cap_get_ident(conn);
978
ba13ccd9 979 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 980
981 l2cap_send_cmd(conn, conn->info_ident,
982 L2CAP_INFO_REQ, sizeof(req), &req);
983 }
984}
985
cf6c2c0b
GP		 986static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
987{
988 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 989 if (!disable_ertm)
cf6c2c0b
GP		 990 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
991
992 switch (mode) {
993 case L2CAP_MODE_ERTM:
994 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
995 case L2CAP_MODE_STREAMING:
996 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
997 default:
998 return 0x00;
999 }
1000}
1001
4519de9a 1002static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 1003{
6be36555 1004 struct sock *sk = chan->sk;
22121fc9
GP		 1005 struct l2cap_disconn_req req;
1006
c13ffa62
GP		 1007 if (!conn)
1008 return;
1009
0c1bc5c6 1010 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 1011 __clear_retrans_timer(chan);
1012 __clear_monitor_timer(chan);
1013 __clear_ack_timer(chan);
c13ffa62
GP		 1014 }
1015
416fa752
AE		 1016 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1017 __l2cap_state_change(chan, BT_DISCONN);
1018 return;
1019 }
1020
fe4128e0
GP		 1021 req.dcid = cpu_to_le16(chan->dcid);
1022 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 1023 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1024 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 1025
6be36555 1026 lock_sock(sk);
0e587be7 1027 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1028 __l2cap_chan_set_err(chan, err);
6be36555 1029 release_sock(sk);
22121fc9
GP		 1030}
1031
1da177e4 1032/* ---- L2CAP connections ---- */
4e8402a3
MH		 1033static void l2cap_conn_start(struct l2cap_conn *conn)
1034{
3df91ea2 1035 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1036
1037 BT_DBG("conn %p", conn);
1038
3df91ea2 1039 mutex_lock(&conn->chan_lock);
4e8402a3 1040
3df91ea2 1041 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1042 struct sock *sk = chan->sk;
baa7e1fa 1043
6be36555 1044 l2cap_chan_lock(chan);
4e8402a3 1045
715ec005 1046 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1047 l2cap_chan_unlock(chan);
79d554a6
MH		 1048 continue;
1049 }
1050
89bc500e 1051 if (chan->state == BT_CONNECT) {
d45fc423 1052 if (!l2cap_chan_check_security(chan) ||
b4450035 1053 !__l2cap_no_conn_pending(chan)) {
6be36555 1054 l2cap_chan_unlock(chan);
47731de7
GP		 1055 continue;
1056 }
79d554a6 1057
c1360a1c
GP		 1058 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1059 && test_bit(CONF_STATE2_DEVICE,
1060 &chan->conf_state)) {
89bc500e 1061 l2cap_chan_close(chan, ECONNRESET);
6be36555 1062 l2cap_chan_unlock(chan);
47731de7 1063 continue;
b1235d79 1064 }
47731de7 1065
9b27f350 1066 l2cap_send_conn_req(chan);
47731de7 1067
89bc500e 1068 } else if (chan->state == BT_CONNECT2) {
79d554a6 1069 struct l2cap_conn_rsp rsp;
e9aeb2dd 1070 char buf[128];
fe4128e0
GP		 1071 rsp.scid = cpu_to_le16(chan->dcid);
1072 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1073
d45fc423 1074 if (l2cap_chan_check_security(chan)) {
6be36555 1075 lock_sock(sk);
c5daa683
GP		 1076 if (test_bit(BT_SK_DEFER_SETUP,
1077 &bt_sk(sk)->flags)) {
f66dc81f 1078 struct sock *parent = bt_sk(sk)->parent;
ac73498c
AE		 1079 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1080 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 1081 if (parent)
1082 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 1083
1084 } else {
0e587be7 1085 __l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1086 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1087 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1088 }
6be36555 1089 release_sock(sk);
79d554a6 1090 } else {
ac73498c
AE		 1091 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1092 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1093 }
1094
fc7f8a7e
GP		 1095 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1096 sizeof(rsp), &rsp);
e9aeb2dd 1097
c1360a1c 1098 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd 1099 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1100 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1101 continue;
1102 }
1103
c1360a1c 1104 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1105 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 1106 l2cap_build_conf_req(chan, buf), buf);
1107 chan->num_conf_req++;
4e8402a3
MH		 1108 }
1109
6be36555 1110 l2cap_chan_unlock(chan);
4e8402a3
MH		 1111 }
1112
3df91ea2 1113 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1114}
1115
c2287681 1116/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1117 * Returns closest match, locked.
1118 */
d9b88702 1119static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1120 bdaddr_t *src,
1121 bdaddr_t *dst)
b62f328b 1122{
23691d75 1123 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1124
23691d75 1125 read_lock(&chan_list_lock);
b62f328b 1126
23691d75
GP		 1127 list_for_each_entry(c, &chan_list, global_l) {
1128 struct sock *sk = c->sk;
fe4128e0 1129
89bc500e 1130 if (state && c->state != state)
b62f328b
VT		 1131 continue;
1132
23691d75 1133 if (c->scid == cid) {
c2287681
IY		 1134 int src_match, dst_match;
1135 int src_any, dst_any;
1136
b62f328b 1137 /* Exact match. */
c2287681
IY		 1138 src_match = !bacmp(&bt_sk(sk)->src, src);
1139 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1140 if (src_match && dst_match) {
23691d75
GP		 1141 read_unlock(&chan_list_lock);
1142 return c;
1143 }
b62f328b
VT		 1144
1145 /* Closest match */
c2287681
IY		 1146 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1147 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1148 if ((src_match && dst_any) || (src_any && dst_match) ||
1149 (src_any && dst_any))
23691d75 1150 c1 = c;
b62f328b
VT		 1151 }
1152 }
280f294f 1153
23691d75 1154 read_unlock(&chan_list_lock);
b62f328b 1155
23691d75 1156 return c1;
b62f328b
VT		 1157}
1158
1159static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1160{
c916fbe4 1161 struct sock *parent, *sk;
23691d75 1162 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1163
1164 BT_DBG("");
1165
1166 /* Check if we have socket listening on cid */
23691d75 1167 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1168 conn->src, conn->dst);
23691d75 1169 if (!pchan)
b62f328b
VT		 1170 return;
1171
23691d75
GP		 1172 parent = pchan->sk;
1173
aa2ac881 1174 lock_sock(parent);
62f3a2cf 1175
80b98027 1176 chan = pchan->ops->new_connection(pchan);
80808e43 1177 if (!chan)
b62f328b
VT		 1178 goto clean;
1179
80808e43 1180 sk = chan->sk;
5d41ce1d 1181
b62f328b
VT		 1182 hci_conn_hold(conn->hcon);
1183
b62f328b
VT		 1184 bacpy(&bt_sk(sk)->src, conn->src);
1185 bacpy(&bt_sk(sk)->dst, conn->dst);
1186
d1010240
GP		 1187 bt_accept_enqueue(parent, sk);
1188
3d57dc68 1189 l2cap_chan_add(conn, chan);
48454079 1190
6754e0df 1191 l2cap_chan_ready(chan);
b62f328b 1192
b62f328b 1193clean:
aa2ac881 1194 release_sock(parent);
b62f328b
VT		 1195}
1196
4e8402a3
MH		 1197static void l2cap_conn_ready(struct l2cap_conn *conn)
1198{
48454079 1199 struct l2cap_chan *chan;
4e8402a3 1200
79d554a6 1201 BT_DBG("conn %p", conn);
4e8402a3 1202
b62f328b
VT		 1203 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
1204 l2cap_le_conn_ready(conn);
1205
160dc6ac
VCG		 1206 if (conn->hcon->out && conn->hcon->type == LE_LINK)
1207 smp_conn_security(conn, conn->hcon->pending_sec_level);
1208
3df91ea2 1209 mutex_lock(&conn->chan_lock);
4e8402a3 1210
3df91ea2 1211 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1212
6be36555 1213 l2cap_chan_lock(chan);
4e8402a3 1214
416fa752
AE		 1215 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1216 l2cap_chan_unlock(chan);
1217 continue;
1218 }
1219
63128451 1220 if (conn->hcon->type == LE_LINK) {
b501d6a1 1221 if (smp_conn_security(conn, chan->sec_level))
cf4cd009 1222 l2cap_chan_ready(chan);
acd7d370 1223
63128451 1224 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1225 struct sock *sk = chan->sk;
c9b66675 1226 __clear_chan_timer(chan);
6be36555 1227 lock_sock(sk);
0e587be7 1228 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1229 sk->sk_state_change(sk);
6be36555 1230 release_sock(sk);
b501d6a1 1231
89bc500e 1232 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1233 l2cap_do_start(chan);
4e8402a3 1234
6be36555 1235 l2cap_chan_unlock(chan);
4e8402a3 1236 }
79d554a6 1237
3df91ea2 1238 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1239}
1240
1241/* Notify sockets that we cannot guaranty reliability anymore */
1242static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1243{
48454079 1244 struct l2cap_chan *chan;
4e8402a3
MH		 1245
1246 BT_DBG("conn %p", conn);
1247
3df91ea2 1248 mutex_lock(&conn->chan_lock);
4e8402a3 1249
3df91ea2 1250 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1251 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
2e0052e4 1252 __l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1253 }
1254
3df91ea2 1255 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1256}
1257
f878fcad 1258static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1259{
f878fcad 1260 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
030013d8 1261 info_timer.work);
4e8402a3 1262
984947dc 1263 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1264 conn->info_ident = 0;
984947dc 1265
4e8402a3
MH		 1266 l2cap_conn_start(conn);
1267}
1268
5d3de7df
VCG		 1269static void l2cap_conn_del(struct hci_conn *hcon, int err)
1270{
1271 struct l2cap_conn *conn = hcon->l2cap_data;
1272 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1273
1274 if (!conn)
1275 return;
1276
1277 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1278
1279 kfree_skb(conn->rx_skb);
1280
3df91ea2
AE		 1281 mutex_lock(&conn->chan_lock);
1282
5d3de7df
VCG		 1283 /* Kill channels */
1284 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1285 l2cap_chan_hold(chan);
6be36555
AE		 1286 l2cap_chan_lock(chan);
1287
5d3de7df 1288 l2cap_chan_del(chan, err);
6be36555
AE		 1289
1290 l2cap_chan_unlock(chan);
1291
80b98027 1292 chan->ops->close(chan);
61d6ef3e 1293 l2cap_chan_put(chan);
5d3de7df
VCG		 1294 }
1295
3df91ea2
AE		 1296 mutex_unlock(&conn->chan_lock);
1297
73d80deb
LAD		 1298 hci_chan_del(conn->hchan);
1299
5d3de7df 1300 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1301 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1302
51a8efd7 1303 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1304 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1305 smp_chan_destroy(conn);
d26a2345 1306 }
5d3de7df
VCG		 1307
1308 hcon->l2cap_data = NULL;
1309 kfree(conn);
1310}
1311
6c9d42a1 1312static void security_timeout(struct work_struct *work)
5d3de7df 1313{
6c9d42a1
GP		 1314 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1315 security_timer.work);
5d3de7df
VCG		 1316
1317 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1318}
1319
1da177e4
LT		 1320static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1321{
0139418c 1322 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1323 struct hci_chan *hchan;
1da177e4 1324
0139418c 1325 if (conn || status)
1da177e4
LT		 1326 return conn;
1327
73d80deb
LAD		 1328 hchan = hci_chan_create(hcon);
1329 if (!hchan)
1330 return NULL;
1331
0139418c 1332 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
73d80deb
LAD		 1333 if (!conn) {
1334 hci_chan_del(hchan);
1da177e4 1335 return NULL;
73d80deb 1336 }
1da177e4
LT		 1337
1338 hcon->l2cap_data = conn;
1339 conn->hcon = hcon;
73d80deb 1340 conn->hchan = hchan;
1da177e4 1341
73d80deb 1342 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1343
acd7d370
VT		 1344 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1345 conn->mtu = hcon->hdev->le_mtu;
1346 else
1347 conn->mtu = hcon->hdev->acl_mtu;
1348
1da177e4
LT		 1349 conn->src = &hcon->hdev->bdaddr;
1350 conn->dst = &hcon->dst;
1351
4e8402a3
MH		 1352 conn->feat_mask = 0;
1353
1da177e4 1354 spin_lock_init(&conn->lock);
3df91ea2 1355 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1356
1357 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1358
5d3de7df 1359 if (hcon->type == LE_LINK)
6c9d42a1 1360 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1361 else
030013d8 1362 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1363
9f5a0d7b 1364 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1365
1da177e4
LT		 1366 return conn;
1367}
1368
1da177e4 1369/* ---- Socket interface ---- */
1da177e4 1370
c2287681 1371/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1372 * Returns closest match.
1373 */
c2287681
IY		 1374static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1375 bdaddr_t *src,
1376 bdaddr_t *dst)
1da177e4 1377{
23691d75 1378 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1379
23691d75 1380 read_lock(&chan_list_lock);
e0f0cb56 1381
23691d75
GP		 1382 list_for_each_entry(c, &chan_list, global_l) {
1383 struct sock *sk = c->sk;
fe4128e0 1384
89bc500e 1385 if (state && c->state != state)
1da177e4
LT		 1386 continue;
1387
23691d75 1388 if (c->psm == psm) {
c2287681
IY		 1389 int src_match, dst_match;
1390 int src_any, dst_any;
1391
1da177e4 1392 /* Exact match. */
c2287681
IY		 1393 src_match = !bacmp(&bt_sk(sk)->src, src);
1394 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1395 if (src_match && dst_match) {
a7567b20 1396 read_unlock(&chan_list_lock);
23691d75
GP		 1397 return c;
1398 }
1da177e4
LT		 1399
1400 /* Closest match */
c2287681
IY		 1401 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1402 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1403 if ((src_match && dst_any) || (src_any && dst_match) ||
1404 (src_any && dst_any))
23691d75 1405 c1 = c;
1da177e4
LT		 1406 }
1407 }
1da177e4 1408
23691d75 1409 read_unlock(&chan_list_lock);
e0f0cb56 1410
23691d75 1411 return c1;
1da177e4
LT		 1412}
1413
8e9f9892
AG		 1414int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1415 bdaddr_t *dst, u8 dst_type)
1da177e4 1416{
5d41ce1d 1417 struct sock *sk = chan->sk;
1da177e4 1418 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1419 struct l2cap_conn *conn;
1420 struct hci_conn *hcon;
1421 struct hci_dev *hdev;
09ab6f4c 1422 __u8 auth_type;
44d0e48e 1423 int err;
1da177e4 1424
8e9f9892
AG		 1425 BT_DBG("%s -> %s (type %u) psm 0x%2.2x", batostr(src), batostr(dst),
1426 dst_type, __le16_to_cpu(chan->psm));
1da177e4 1427
af05b30b
GP		 1428 hdev = hci_get_route(dst, src);
1429 if (!hdev)
1da177e4
LT		 1430 return -EHOSTUNREACH;
1431
09fd0de5 1432 hci_dev_lock(hdev);
1da177e4 1433
6be36555 1434 l2cap_chan_lock(chan);
03a00194
GP		 1435
1436 /* PSM must be odd and lsb of upper byte must be 0 */
1437 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1438 chan->chan_type != L2CAP_CHAN_RAW) {
1439 err = -EINVAL;
1440 goto done;
1441 }
1442
1443 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1444 err = -EINVAL;
1445 goto done;
1446 }
1447
1448 switch (chan->mode) {
1449 case L2CAP_MODE_BASIC:
1450 break;
1451 case L2CAP_MODE_ERTM:
1452 case L2CAP_MODE_STREAMING:
1453 if (!disable_ertm)
1454 break;
1455 /* fall through */
1456 default:
1457 err = -ENOTSUPP;
1458 goto done;
1459 }
1460
0797e01d 1461 switch (chan->state) {
03a00194
GP		 1462 case BT_CONNECT:
1463 case BT_CONNECT2:
1464 case BT_CONFIG:
1465 /* Already connecting */
1466 err = 0;
1467 goto done;
1468
1469 case BT_CONNECTED:
1470 /* Already connected */
1471 err = -EISCONN;
1472 goto done;
1473
1474 case BT_OPEN:
1475 case BT_BOUND:
1476 /* Can connect */
1477 break;
1478
1479 default:
1480 err = -EBADFD;
1481 goto done;
1482 }
1483
1484 /* Set destination address and psm */
0797e01d 1485 lock_sock(sk);
9219b2a0 1486 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1487 release_sock(sk);
1488
03a00194
GP		 1489 chan->psm = psm;
1490 chan->dcid = cid;
1da177e4 1491
4343478f 1492 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1493
fe4128e0 1494 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1495 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1496 chan->sec_level, auth_type);
acd7d370 1497 else
8e9f9892 1498 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1499 chan->sec_level, auth_type);
acd7d370 1500
30e76272
VT		 1501 if (IS_ERR(hcon)) {
1502 err = PTR_ERR(hcon);
1da177e4 1503 goto done;
30e76272 1504 }
1da177e4
LT		 1505
1506 conn = l2cap_conn_add(hcon, 0);
1507 if (!conn) {
1508 hci_conn_put(hcon);
30e76272 1509 err = -ENOMEM;
1da177e4
LT		 1510 goto done;
1511 }
1512
9f0caeb1
VCG		 1513 if (hcon->type == LE_LINK) {
1514 err = 0;
1515
1516 if (!list_empty(&conn->chan_l)) {
1517 err = -EBUSY;
1518 hci_conn_put(hcon);
1519 }
1520
1521 if (err)
1522 goto done;
1523 }
1524
1da177e4
LT		 1525 /* Update source addr of the socket */
1526 bacpy(src, conn->src);
1527
6be36555 1528 l2cap_chan_unlock(chan);
48454079 1529 l2cap_chan_add(conn, chan);
6be36555 1530 l2cap_chan_lock(chan);
48454079 1531
6be36555 1532 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1533 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1534
1535 if (hcon->state == BT_CONNECTED) {
715ec005 1536 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1537 __clear_chan_timer(chan);
d45fc423 1538 if (l2cap_chan_check_security(chan))
6be36555 1539 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1540 } else
fc7f8a7e 1541 l2cap_do_start(chan);
1da177e4
LT		 1542 }
1543
30e76272
VT		 1544 err = 0;
1545
1da177e4 1546done:
6be36555 1547 l2cap_chan_unlock(chan);
09fd0de5 1548 hci_dev_unlock(hdev);
1da177e4
LT		 1549 hci_dev_put(hdev);
1550 return err;
1551}
1552
dcba0dba 1553int __l2cap_wait_ack(struct sock *sk)
6161c038 1554{
8c1d787b 1555 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1556 DECLARE_WAITQUEUE(wait, current);
1557 int err = 0;
1558 int timeo = HZ/5;
1559
2b0b05dd 1560 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1561 set_current_state(TASK_INTERRUPTIBLE);
1562 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1563 if (!timeo)
1564 timeo = HZ/5;
1565
1566 if (signal_pending(current)) {
1567 err = sock_intr_errno(timeo);
1568 break;
1569 }
1570
1571 release_sock(sk);
1572 timeo = schedule_timeout(timeo);
1573 lock_sock(sk);
a71a0cf4 1574 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1575
1576 err = sock_error(sk);
1577 if (err)
1578 break;
1579 }
1580 set_current_state(TASK_RUNNING);
2b0b05dd 1581 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1582 return err;
1583}
1584
721c4181 1585static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1586{
721c4181 1587 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1588 monitor_timer.work);
e90bac06 1589
525cd185 1590 BT_DBG("chan %p", chan);
0e98958d 1591
6be36555
AE		 1592 l2cap_chan_lock(chan);
1593
80909e04 1594 if (!chan->conn) {
6be36555 1595 l2cap_chan_unlock(chan);
8d7e1c7f 1596 l2cap_chan_put(chan);
e90bac06
GP		 1597 return;
1598 }
1599
401bb1f7 1600 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1601
6be36555 1602 l2cap_chan_unlock(chan);
8d7e1c7f 1603 l2cap_chan_put(chan);
e90bac06
GP		 1604}
1605
721c4181 1606static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1607{
721c4181 1608 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1609 retrans_timer.work);
e90bac06 1610
49208c9c 1611 BT_DBG("chan %p", chan);
0e98958d 1612
6be36555
AE		 1613 l2cap_chan_lock(chan);
1614
80909e04
MM		 1615 if (!chan->conn) {
1616 l2cap_chan_unlock(chan);
1617 l2cap_chan_put(chan);
1618 return;
1619 }
6be36555 1620
401bb1f7 1621 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1622 l2cap_chan_unlock(chan);
8d7e1c7f 1623 l2cap_chan_put(chan);
e90bac06
GP		 1624}
1625
d660366d
GP		 1626static void l2cap_streaming_send(struct l2cap_chan *chan,
1627 struct sk_buff_head *skbs)
6840ed07 1628{
ccbb84af 1629 struct sk_buff *skb;
3733937d 1630 struct l2cap_ctrl *control;
6840ed07 1631
3733937d
MM		 1632 BT_DBG("chan %p, skbs %p", chan, skbs);
1633
3733937d
MM		 1634 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1635
1636 while (!skb_queue_empty(&chan->tx_q)) {
1637
1638 skb = skb_dequeue(&chan->tx_q);
1639
1640 bt_cb(skb)->control.retries = 1;
1641 control = &bt_cb(skb)->control;
1642
1643 control->reqseq = 0;
1644 control->txseq = chan->next_tx_seq;
1645
1646 __pack_control(chan, control, skb);
6840ed07 1647
47d1ec61 1648 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1649 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1650 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1651 }
1652
4343478f 1653 l2cap_do_send(chan, skb);
6840ed07 1654
3733937d
MM		 1655 BT_DBG("Sent txseq %d", (int)control->txseq);
1656
836be934 1657 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1658 chan->frames_sent++;
6840ed07 1659 }
6840ed07
GP		 1660}
1661
67c9e840 1662static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1663{
1664 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1665 struct l2cap_ctrl *control;
1666 int sent = 0;
1667
1668 BT_DBG("chan %p", chan);
1c2acffb 1669
89bc500e 1670 if (chan->state != BT_CONNECTED)
c13ffa62 1671 return -ENOTCONN;
e90bac06 1672
94122bbe
MM		 1673 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1674 return 0;
1675
18a48e76
MM		 1676 while (chan->tx_send_head &&
1677 chan->unacked_frames < chan->remote_tx_win &&
1678 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1679
18a48e76 1680 skb = chan->tx_send_head;
e90bac06 1681
18a48e76
MM		 1682 bt_cb(skb)->control.retries = 1;
1683 control = &bt_cb(skb)->control;
95ffa978 1684
e2ab4353 1685 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1686 control->final = 1;
e2ab4353 1687
18a48e76
MM		 1688 control->reqseq = chan->buffer_seq;
1689 chan->last_acked_seq = chan->buffer_seq;
1690 control->txseq = chan->next_tx_seq;
1c2acffb 1691
18a48e76 1692 __pack_control(chan, control, skb);
e90bac06 1693
47d1ec61 1694 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1695 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1696 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1697 }
1698
18a48e76
MM		 1699 /* Clone after data has been modified. Data is assumed to be
1700 read-only (for locking purposes) on cloned sk_buffs.
1701 */
1702 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1703
18a48e76
MM		 1704 if (!tx_skb)
1705 break;
1c2acffb 1706
18a48e76 1707 __set_retrans_timer(chan);
836be934
AE		 1708
1709 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1710 chan->unacked_frames++;
6a026610 1711 chan->frames_sent++;
18a48e76 1712 sent++;
1c2acffb 1713
58d35f87
GP		 1714 if (skb_queue_is_last(&chan->tx_q, skb))
1715 chan->tx_send_head = NULL;
1c2acffb 1716 else
58d35f87 1717 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1718
1719 l2cap_do_send(chan, tx_skb);
1720 BT_DBG("Sent txseq %d", (int)control->txseq);
1c2acffb
GP		 1721 }
1722
18a48e76
MM		 1723 BT_DBG("Sent %d, %d unacked, %d in ERTM queue", sent,
1724 (int) chan->unacked_frames, skb_queue_len(&chan->tx_q));
1725
1726 return sent;
9e917af1
GP		 1727}
1728
e1fbd4c1
MM		 1729static void l2cap_ertm_resend(struct l2cap_chan *chan)
1730{
1731 struct l2cap_ctrl control;
1732 struct sk_buff *skb;
1733 struct sk_buff *tx_skb;
1734 u16 seq;
1735
1736 BT_DBG("chan %p", chan);
1737
1738 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1739 return;
1740
1741 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1742 seq = l2cap_seq_list_pop(&chan->retrans_list);
1743
1744 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1745 if (!skb) {
1746 BT_DBG("Error: Can't retransmit seq %d, frame missing",
1747 seq);
1748 continue;
1749 }
1750
1751 bt_cb(skb)->control.retries++;
1752 control = bt_cb(skb)->control;
1753
1754 if (chan->max_tx != 0 &&
1755 bt_cb(skb)->control.retries > chan->max_tx) {
1756 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1757 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
1758 l2cap_seq_list_clear(&chan->retrans_list);
1759 break;
1760 }
1761
1762 control.reqseq = chan->buffer_seq;
1763 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1764 control.final = 1;
1765 else
1766 control.final = 0;
1767
1768 if (skb_cloned(skb)) {
1769 /* Cloned sk_buffs are read-only, so we need a
1770 * writeable copy
1771 */
1772 tx_skb = skb_copy(skb, GFP_ATOMIC);
1773 } else {
1774 tx_skb = skb_clone(skb, GFP_ATOMIC);
1775 }
1776
1777 if (!tx_skb) {
1778 l2cap_seq_list_clear(&chan->retrans_list);
1779 break;
1780 }
1781
1782 /* Update skb contents */
1783 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1784 put_unaligned_le32(__pack_extended_control(&control),
1785 tx_skb->data + L2CAP_HDR_SIZE);
1786 } else {
1787 put_unaligned_le16(__pack_enhanced_control(&control),
1788 tx_skb->data + L2CAP_HDR_SIZE);
1789 }
1790
1791 if (chan->fcs == L2CAP_FCS_CRC16) {
1792 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
1793 put_unaligned_le16(fcs, skb_put(tx_skb,
1794 L2CAP_FCS_SIZE));
1795 }
1796
1797 l2cap_do_send(chan, tx_skb);
1798
1799 BT_DBG("Resent txseq %d", control.txseq);
1800
1801 chan->last_acked_seq = chan->buffer_seq;
1802 }
1803}
1804
f80842a8
MM		 1805static void l2cap_retransmit(struct l2cap_chan *chan,
1806 struct l2cap_ctrl *control)
1807{
1808 BT_DBG("chan %p, control %p", chan, control);
1809
1810 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
1811 l2cap_ertm_resend(chan);
1812}
1813
d2a7ac5d
MM		 1814static void l2cap_retransmit_all(struct l2cap_chan *chan,
1815 struct l2cap_ctrl *control)
1816{
e1fbd4c1
MM		 1817 struct sk_buff *skb;
1818
1819 BT_DBG("chan %p, control %p", chan, control);
1820
1821 if (control->poll)
1822 set_bit(CONN_SEND_FBIT, &chan->conn_state);
1823
1824 l2cap_seq_list_clear(&chan->retrans_list);
1825
1826 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1827 return;
1828
1829 if (chan->unacked_frames) {
1830 skb_queue_walk(&chan->tx_q, skb) {
1831 if (bt_cb(skb)->control.txseq == control->reqseq ||
1832 skb == chan->tx_send_head)
1833 break;
1834 }
1835
1836 skb_queue_walk_from(&chan->tx_q, skb) {
1837 if (skb == chan->tx_send_head)
1838 break;
1839
1840 l2cap_seq_list_append(&chan->retrans_list,
1841 bt_cb(skb)->control.txseq);
1842 }
1843
1844 l2cap_ertm_resend(chan);
1845 }
d2a7ac5d
MM		 1846}
1847
0a0aba42 1848static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1849{
0a0aba42
MM		 1850 struct l2cap_ctrl control;
1851 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
1852 chan->last_acked_seq);
1853 int threshold;
9e917af1 1854
0a0aba42
MM		 1855 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
1856 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 1857
0a0aba42
MM		 1858 memset(&control, 0, sizeof(control));
1859 control.sframe = 1;
dfc909be 1860
0a0aba42
MM		 1861 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
1862 chan->rx_state == L2CAP_RX_STATE_RECV) {
1863 __clear_ack_timer(chan);
1864 control.super = L2CAP_SUPER_RNR;
1865 control.reqseq = chan->buffer_seq;
1866 l2cap_send_sframe(chan, &control);
1867 } else {
1868 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
1869 l2cap_ertm_send(chan);
1870 /* If any i-frames were sent, they included an ack */
1871 if (chan->buffer_seq == chan->last_acked_seq)
1872 frames_to_ack = 0;
1873 }
dfc909be 1874
0a0aba42
MM		 1875 /* Ack now if the tx window is 3/4ths full.
1876 * Calculate without mul or div
1877 */
1878 threshold = chan->tx_win;
1879 threshold += threshold << 1;
1880 threshold >>= 2;
1881
1882 BT_DBG("frames_to_ack %d, threshold %d", (int)frames_to_ack,
1883 threshold);
1884
1885 if (frames_to_ack >= threshold) {
1886 __clear_ack_timer(chan);
1887 control.super = L2CAP_SUPER_RR;
1888 control.reqseq = chan->buffer_seq;
1889 l2cap_send_sframe(chan, &control);
1890 frames_to_ack = 0;
1891 }
1c2acffb 1892
0a0aba42
MM		 1893 if (frames_to_ack)
1894 __set_ack_timer(chan);
1895 }
b17e73bb
SJ		 1896}
1897
04124681
GP		 1898static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
1899 struct msghdr *msg, int len,
1900 int count, struct sk_buff *skb)
1c2acffb 1901{
0952a57a 1902 struct l2cap_conn *conn = chan->conn;
1c2acffb 1903 struct sk_buff **frag;
90338947 1904 int sent = 0;
1da177e4 1905
59203a21 1906 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1907 return -EFAULT;
1da177e4
LT		 1908
1909 sent += count;
1910 len -= count;
1911
1912 /* Continuation fragments (no L2CAP header) */
1913 frag = &skb_shinfo(skb)->frag_list;
1914 while (len) {
fbe00700
GP		 1915 struct sk_buff *tmp;
1916
1da177e4
LT		 1917 count = min_t(unsigned int, conn->mtu, len);
1918
fbe00700
GP		 1919 tmp = chan->ops->alloc_skb(chan, count,
1920 msg->msg_flags & MSG_DONTWAIT);
1921 if (IS_ERR(tmp))
1922 return PTR_ERR(tmp);
1923
1924 *frag = tmp;
2f7719ce 1925
1c2acffb
GP		 1926 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1927 return -EFAULT;
1da177e4 1928
5e59b791
LAD		 1929 (*frag)->priority = skb->priority;
1930
1da177e4
LT		 1931 sent += count;
1932 len -= count;
1933
2d0ed3d5
GP		 1934 skb->len += (*frag)->len;
1935 skb->data_len += (*frag)->len;
1936
1da177e4
LT		 1937 frag = &(*frag)->next;
1938 }
1da177e4
LT		 1939
1940 return sent;
1c2acffb 1941}
1da177e4 1942
5e59b791
LAD		 1943static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
1944 struct msghdr *msg, size_t len,
1945 u32 priority)
1c2acffb 1946{
8c1d787b 1947 struct l2cap_conn *conn = chan->conn;
1c2acffb 1948 struct sk_buff *skb;
03a51213 1949 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 1950 struct l2cap_hdr *lh;
1951
6d5922b0 1952 BT_DBG("chan %p len %d priority %u", chan, (int)len, priority);
1c2acffb
GP		 1953
1954 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1955
1956 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 1957 msg->msg_flags & MSG_DONTWAIT);
1958 if (IS_ERR(skb))
1959 return skb;
1c2acffb 1960
5e59b791
LAD		 1961 skb->priority = priority;
1962
1c2acffb
GP		 1963 /* Create L2CAP header */
1964 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1965 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 1966 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
1967 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 1968
0952a57a 1969 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1970 if (unlikely(err < 0)) {
1971 kfree_skb(skb);
1972 return ERR_PTR(err);
1973 }
1974 return skb;
1975}
1976
5e59b791
LAD		 1977static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
1978 struct msghdr *msg, size_t len,
1979 u32 priority)
1c2acffb 1980{
8c1d787b 1981 struct l2cap_conn *conn = chan->conn;
1c2acffb 1982 struct sk_buff *skb;
f2ba7fae 1983 int err, count;
1c2acffb
GP		 1984 struct l2cap_hdr *lh;
1985
6d5922b0 1986 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 1987
f2ba7fae 1988 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 1989
f2ba7fae 1990 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 1991 msg->msg_flags & MSG_DONTWAIT);
1992 if (IS_ERR(skb))
1993 return skb;
1c2acffb 1994
5e59b791
LAD		 1995 skb->priority = priority;
1996
1c2acffb
GP		 1997 /* Create L2CAP header */
1998 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1999 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2000 lh->len = cpu_to_le16(len);
1c2acffb 2001
0952a57a 2002 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2003 if (unlikely(err < 0)) {
2004 kfree_skb(skb);
2005 return ERR_PTR(err);
2006 }
2007 return skb;
2008}
2009
ab0ff76d
LAD		 2010static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2011 struct msghdr *msg, size_t len,
94122bbe 2012 u16 sdulen)
1c2acffb 2013{
8c1d787b 2014 struct l2cap_conn *conn = chan->conn;
1c2acffb 2015 struct sk_buff *skb;
e4ca6d98 2016 int err, count, hlen;
1c2acffb
GP		 2017 struct l2cap_hdr *lh;
2018
6d5922b0 2019 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 2020
0ee0d208
GP		 2021 if (!conn)
2022 return ERR_PTR(-ENOTCONN);
2023
ba7aa64f 2024 hlen = __ertm_hdr_size(chan);
e4ca6d98 2025
c74e560c 2026 if (sdulen)
03a51213 2027 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2028
47d1ec61 2029 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2030 hlen += L2CAP_FCS_SIZE;
fcc203c3 2031
1c2acffb 2032 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2033
2034 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2035 msg->msg_flags & MSG_DONTWAIT);
2036 if (IS_ERR(skb))
2037 return skb;
1c2acffb
GP		 2038
2039 /* Create L2CAP header */
2040 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2041 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2042 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2043
18a48e76
MM		 2044 /* Control header is populated later */
2045 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2046 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2047 else
2048 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2049
c74e560c 2050 if (sdulen)
03a51213 2051 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2052
0952a57a 2053 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2054 if (unlikely(err < 0)) {
2055 kfree_skb(skb);
2056 return ERR_PTR(err);
2057 }
e90bac06 2058
18a48e76 2059 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2060 bt_cb(skb)->control.retries = 0;
1c2acffb 2061 return skb;
1da177e4
LT		 2062}
2063
94122bbe
MM		 2064static int l2cap_segment_sdu(struct l2cap_chan *chan,
2065 struct sk_buff_head *seg_queue,
2066 struct msghdr *msg, size_t len)
c74e560c 2067{
c74e560c 2068 struct sk_buff *skb;
94122bbe
MM		 2069 u16 sdu_len;
2070 size_t pdu_len;
94122bbe 2071 u8 sar;
c74e560c 2072
94122bbe 2073 BT_DBG("chan %p, msg %p, len %d", chan, msg, (int)len);
c74e560c 2074
94122bbe
MM		 2075 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2076 * so fragmented skbs are not used. The HCI layer's handling
2077 * of fragmented skbs is not compatible with ERTM's queueing.
2078 */
c74e560c 2079
94122bbe
MM		 2080 /* PDU size is derived from the HCI MTU */
2081 pdu_len = chan->conn->mtu;
c74e560c 2082
94122bbe
MM		 2083 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2084
2085 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2086 if (chan->fcs)
2087 pdu_len -= L2CAP_FCS_SIZE;
2088
ba7aa64f 2089 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2090
2091 /* Remote device may have requested smaller PDUs */
2092 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2093
2094 if (len <= pdu_len) {
2095 sar = L2CAP_SAR_UNSEGMENTED;
2096 sdu_len = 0;
2097 pdu_len = len;
2098 } else {
2099 sar = L2CAP_SAR_START;
2100 sdu_len = len;
2101 pdu_len -= L2CAP_SDULEN_SIZE;
2102 }
2103
2104 while (len > 0) {
2105 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2106
c74e560c 2107 if (IS_ERR(skb)) {
94122bbe 2108 __skb_queue_purge(seg_queue);
c74e560c
GP		 2109 return PTR_ERR(skb);
2110 }
2111
94122bbe
MM		 2112 bt_cb(skb)->control.sar = sar;
2113 __skb_queue_tail(seg_queue, skb);
2114
2115 len -= pdu_len;
2116 if (sdu_len) {
2117 sdu_len = 0;
2118 pdu_len += L2CAP_SDULEN_SIZE;
2119 }
2120
2121 if (len <= pdu_len) {
2122 sar = L2CAP_SAR_END;
2123 pdu_len = len;
2124 } else {
2125 sar = L2CAP_SAR_CONTINUE;
2126 }
c74e560c 2127 }
c74e560c 2128
f0f62799 2129 return 0;
c74e560c
GP		 2130}
2131
5e59b791
LAD		 2132int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2133 u32 priority)
9a91a04a 2134{
9a91a04a 2135 struct sk_buff *skb;
9a91a04a 2136 int err;
94122bbe 2137 struct sk_buff_head seg_queue;
9a91a04a
GP		 2138
2139 /* Connectionless channel */
715ec005 2140 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2141 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2142 if (IS_ERR(skb))
2143 return PTR_ERR(skb);
2144
2145 l2cap_do_send(chan, skb);
2146 return len;
2147 }
2148
2149 switch (chan->mode) {
2150 case L2CAP_MODE_BASIC:
2151 /* Check outgoing MTU */
2152 if (len > chan->omtu)
2153 return -EMSGSIZE;
2154
2155 /* Create a basic PDU */
5e59b791 2156 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2157 if (IS_ERR(skb))
2158 return PTR_ERR(skb);
2159
2160 l2cap_do_send(chan, skb);
2161 err = len;
2162 break;
2163
2164 case L2CAP_MODE_ERTM:
2165 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2166 /* Check outgoing MTU */
2167 if (len > chan->omtu) {
2168 err = -EMSGSIZE;
2169 break;
2170 }
9a91a04a 2171
94122bbe 2172 __skb_queue_head_init(&seg_queue);
9a91a04a 2173
94122bbe
MM		 2174 /* Do segmentation before calling in to the state machine,
2175 * since it's possible to block while waiting for memory
2176 * allocation.
2177 */
2178 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2179
94122bbe
MM		 2180 /* The channel could have been closed while segmenting,
2181 * check that it is still connected.
2182 */
2183 if (chan->state != BT_CONNECTED) {
2184 __skb_queue_purge(&seg_queue);
2185 err = -ENOTCONN;
9a91a04a
GP		 2186 }
2187
94122bbe 2188 if (err)
9a91a04a 2189 break;
9a91a04a 2190
3733937d 2191 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2192 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2193 else
d660366d 2194 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2195
d660366d 2196 err = len;
9a91a04a 2197
94122bbe
MM		 2198 /* If the skbs were not queued for sending, they'll still be in
2199 * seg_queue and need to be purged.
2200 */
2201 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2202 break;
2203
2204 default:
2205 BT_DBG("bad state %1.1x", chan->mode);
2206 err = -EBADFD;
2207 }
2208
2209 return err;
2210}
2211
d2a7ac5d
MM		 2212static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2213{
bed68bde
MM		 2214 struct l2cap_ctrl control;
2215 u16 seq;
2216
2217 BT_DBG("chan %p, txseq %d", chan, txseq);
2218
2219 memset(&control, 0, sizeof(control));
2220 control.sframe = 1;
2221 control.super = L2CAP_SUPER_SREJ;
2222
2223 for (seq = chan->expected_tx_seq; seq != txseq;
2224 seq = __next_seq(chan, seq)) {
2225 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2226 control.reqseq = seq;
2227 l2cap_send_sframe(chan, &control);
2228 l2cap_seq_list_append(&chan->srej_list, seq);
2229 }
2230 }
2231
2232 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2233}
2234
2235static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2236{
bed68bde
MM		 2237 struct l2cap_ctrl control;
2238
2239 BT_DBG("chan %p", chan);
2240
2241 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2242 return;
2243
2244 memset(&control, 0, sizeof(control));
2245 control.sframe = 1;
2246 control.super = L2CAP_SUPER_SREJ;
2247 control.reqseq = chan->srej_list.tail;
2248 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2249}
2250
2251static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2252{
bed68bde
MM		 2253 struct l2cap_ctrl control;
2254 u16 initial_head;
2255 u16 seq;
2256
2257 BT_DBG("chan %p, txseq %d", chan, txseq);
2258
2259 memset(&control, 0, sizeof(control));
2260 control.sframe = 1;
2261 control.super = L2CAP_SUPER_SREJ;
2262
2263 /* Capture initial list head to allow only one pass through the list. */
2264 initial_head = chan->srej_list.head;
2265
2266 do {
2267 seq = l2cap_seq_list_pop(&chan->srej_list);
2268 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2269 break;
2270
2271 control.reqseq = seq;
2272 l2cap_send_sframe(chan, &control);
2273 l2cap_seq_list_append(&chan->srej_list, seq);
2274 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2275}
2276
608bcc6d
MM		 2277static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2278{
2279 struct sk_buff *acked_skb;
2280 u16 ackseq;
2281
2282 BT_DBG("chan %p, reqseq %d", chan, reqseq);
2283
2284 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2285 return;
2286
2287 BT_DBG("expected_ack_seq %d, unacked_frames %d",
2288 chan->expected_ack_seq, chan->unacked_frames);
2289
2290 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2291 ackseq = __next_seq(chan, ackseq)) {
2292
2293 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2294 if (acked_skb) {
2295 skb_unlink(acked_skb, &chan->tx_q);
2296 kfree_skb(acked_skb);
2297 chan->unacked_frames--;
2298 }
2299 }
2300
2301 chan->expected_ack_seq = reqseq;
2302
2303 if (chan->unacked_frames == 0)
2304 __clear_retrans_timer(chan);
2305
2306 BT_DBG("unacked_frames %d", (int) chan->unacked_frames);
2307}
2308
2309static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2310{
2311 BT_DBG("chan %p", chan);
2312
2313 chan->expected_tx_seq = chan->buffer_seq;
2314 l2cap_seq_list_clear(&chan->srej_list);
2315 skb_queue_purge(&chan->srej_q);
2316 chan->rx_state = L2CAP_RX_STATE_RECV;
2317}
2318
d660366d
GP		 2319static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2320 struct l2cap_ctrl *control,
2321 struct sk_buff_head *skbs, u8 event)
608bcc6d 2322{
608bcc6d
MM		 2323 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2324 event);
2325
2326 switch (event) {
2327 case L2CAP_EV_DATA_REQUEST:
2328 if (chan->tx_send_head == NULL)
2329 chan->tx_send_head = skb_peek(skbs);
2330
2331 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2332 l2cap_ertm_send(chan);
2333 break;
2334 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2335 BT_DBG("Enter LOCAL_BUSY");
2336 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2337
2338 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2339 /* The SREJ_SENT state must be aborted if we are to
2340 * enter the LOCAL_BUSY state.
2341 */
2342 l2cap_abort_rx_srej_sent(chan);
2343 }
2344
2345 l2cap_send_ack(chan);
2346
2347 break;
2348 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2349 BT_DBG("Exit LOCAL_BUSY");
2350 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2351
2352 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2353 struct l2cap_ctrl local_control;
2354
2355 memset(&local_control, 0, sizeof(local_control));
2356 local_control.sframe = 1;
2357 local_control.super = L2CAP_SUPER_RR;
2358 local_control.poll = 1;
2359 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2360 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2361
2362 chan->retry_count = 1;
2363 __set_monitor_timer(chan);
2364 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2365 }
2366 break;
2367 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2368 l2cap_process_reqseq(chan, control->reqseq);
2369 break;
2370 case L2CAP_EV_EXPLICIT_POLL:
2371 l2cap_send_rr_or_rnr(chan, 1);
2372 chan->retry_count = 1;
2373 __set_monitor_timer(chan);
2374 __clear_ack_timer(chan);
2375 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2376 break;
2377 case L2CAP_EV_RETRANS_TO:
2378 l2cap_send_rr_or_rnr(chan, 1);
2379 chan->retry_count = 1;
2380 __set_monitor_timer(chan);
2381 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2382 break;
2383 case L2CAP_EV_RECV_FBIT:
2384 /* Nothing to process */
2385 break;
2386 default:
2387 break;
2388 }
608bcc6d
MM		 2389}
2390
d660366d
GP		 2391static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2392 struct l2cap_ctrl *control,
2393 struct sk_buff_head *skbs, u8 event)
608bcc6d 2394{
608bcc6d
MM		 2395 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2396 event);
2397
2398 switch (event) {
2399 case L2CAP_EV_DATA_REQUEST:
2400 if (chan->tx_send_head == NULL)
2401 chan->tx_send_head = skb_peek(skbs);
2402 /* Queue data, but don't send. */
2403 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2404 break;
2405 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2406 BT_DBG("Enter LOCAL_BUSY");
2407 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2408
2409 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2410 /* The SREJ_SENT state must be aborted if we are to
2411 * enter the LOCAL_BUSY state.
2412 */
2413 l2cap_abort_rx_srej_sent(chan);
2414 }
2415
2416 l2cap_send_ack(chan);
2417
2418 break;
2419 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2420 BT_DBG("Exit LOCAL_BUSY");
2421 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2422
2423 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2424 struct l2cap_ctrl local_control;
2425 memset(&local_control, 0, sizeof(local_control));
2426 local_control.sframe = 1;
2427 local_control.super = L2CAP_SUPER_RR;
2428 local_control.poll = 1;
2429 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2430 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2431
2432 chan->retry_count = 1;
2433 __set_monitor_timer(chan);
2434 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2435 }
2436 break;
2437 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2438 l2cap_process_reqseq(chan, control->reqseq);
2439
2440 /* Fall through */
2441
2442 case L2CAP_EV_RECV_FBIT:
2443 if (control && control->final) {
2444 __clear_monitor_timer(chan);
2445 if (chan->unacked_frames > 0)
2446 __set_retrans_timer(chan);
2447 chan->retry_count = 0;
2448 chan->tx_state = L2CAP_TX_STATE_XMIT;
2449 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2450 }
2451 break;
2452 case L2CAP_EV_EXPLICIT_POLL:
2453 /* Ignore */
2454 break;
2455 case L2CAP_EV_MONITOR_TO:
2456 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2457 l2cap_send_rr_or_rnr(chan, 1);
2458 __set_monitor_timer(chan);
2459 chan->retry_count++;
2460 } else {
2461 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
2462 }
2463 break;
2464 default:
2465 break;
2466 }
608bcc6d
MM		 2467}
2468
d660366d
GP		 2469static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2470 struct sk_buff_head *skbs, u8 event)
608bcc6d 2471{
608bcc6d
MM		 2472 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2473 chan, control, skbs, event, chan->tx_state);
2474
2475 switch (chan->tx_state) {
2476 case L2CAP_TX_STATE_XMIT:
d660366d 2477 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2478 break;
2479 case L2CAP_TX_STATE_WAIT_F:
d660366d 2480 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2481 break;
2482 default:
2483 /* Ignore event */
2484 break;
2485 }
608bcc6d
MM		 2486}
2487
4b51dae9
MM		 2488static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2489 struct l2cap_ctrl *control)
2490{
2491 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2492 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2493}
2494
f80842a8
MM		 2495static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2496 struct l2cap_ctrl *control)
2497{
2498 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2499 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2500}
2501
1da177e4
LT		 2502/* Copy frame to all raw sockets on that connection */
2503static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2504{
1da177e4 2505 struct sk_buff *nskb;
48454079 2506 struct l2cap_chan *chan;
1da177e4
LT		 2507
2508 BT_DBG("conn %p", conn);
2509
3df91ea2 2510 mutex_lock(&conn->chan_lock);
3d57dc68 2511
3df91ea2 2512 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2513 struct sock *sk = chan->sk;
715ec005 2514 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2515 continue;
2516
2517 /* Don't send frame to the socket it came from */
2518 if (skb->sk == sk)
2519 continue;
af05b30b
GP		 2520 nskb = skb_clone(skb, GFP_ATOMIC);
2521 if (!nskb)
1da177e4
LT		 2522 continue;
2523
80b98027 2524 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2525 kfree_skb(nskb);
2526 }
3d57dc68 2527
3df91ea2 2528 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2529}
2530
2531/* ---- L2CAP signalling commands ---- */
2532static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2533 u8 code, u8 ident, u16 dlen, void *data)
2534{
2535 struct sk_buff *skb, **frag;
2536 struct l2cap_cmd_hdr *cmd;
2537 struct l2cap_hdr *lh;
2538 int len, count;
2539
af05b30b
GP		 2540 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2541 conn, code, ident, dlen);
1da177e4
LT		 2542
2543 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2544 count = min_t(unsigned int, conn->mtu, len);
2545
2546 skb = bt_skb_alloc(count, GFP_ATOMIC);
2547 if (!skb)
2548 return NULL;
2549
2550 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2551 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2552
2553 if (conn->hcon->type == LE_LINK)
ac73498c 2554 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2555 else
ac73498c 2556 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2557
2558 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2559 cmd->code = code;
2560 cmd->ident = ident;
aca3192c 2561 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2562
2563 if (dlen) {
2564 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2565 memcpy(skb_put(skb, count), data, count);
2566 data += count;
2567 }
2568
2569 len -= skb->len;
2570
2571 /* Continuation fragments (no L2CAP header) */
2572 frag = &skb_shinfo(skb)->frag_list;
2573 while (len) {
2574 count = min_t(unsigned int, conn->mtu, len);
2575
2576 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2577 if (!*frag)
2578 goto fail;
2579
2580 memcpy(skb_put(*frag, count), data, count);
2581
2582 len -= count;
2583 data += count;
2584
2585 frag = &(*frag)->next;
2586 }
2587
2588 return skb;
2589
2590fail:
2591 kfree_skb(skb);
2592 return NULL;
2593}
2594
2595static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2596{
2597 struct l2cap_conf_opt *opt = *ptr;
2598 int len;
2599
2600 len = L2CAP_CONF_OPT_SIZE + opt->len;
2601 *ptr += len;
2602
2603 *type = opt->type;
2604 *olen = opt->len;
2605
2606 switch (opt->len) {
2607 case 1:
2608 *val = *((u8 *) opt->val);
2609 break;
2610
2611 case 2:
bfaaeb3e 2612 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2613 break;
2614
2615 case 4:
bfaaeb3e 2616 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2617 break;
2618
2619 default:
2620 *val = (unsigned long) opt->val;
2621 break;
2622 }
2623
2624 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2625 return len;
2626}
2627
1da177e4
LT		 2628static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2629{
2630 struct l2cap_conf_opt *opt = *ptr;
2631
2632 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2633
2634 opt->type = type;
2635 opt->len = len;
2636
2637 switch (len) {
2638 case 1:
2639 *((u8 *) opt->val) = val;
2640 break;
2641
2642 case 2:
4f8b691c 2643 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2644 break;
2645
2646 case 4:
4f8b691c 2647 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2648 break;
2649
2650 default:
2651 memcpy(opt->val, (void *) val, len);
2652 break;
2653 }
2654
2655 *ptr += L2CAP_CONF_OPT_SIZE + len;
2656}
2657
f89cef09
AE		 2658static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2659{
2660 struct l2cap_conf_efs efs;
2661
1ec918ce 2662 switch (chan->mode) {
f89cef09
AE		 2663 case L2CAP_MODE_ERTM:
2664 efs.id = chan->local_id;
2665 efs.stype = chan->local_stype;
2666 efs.msdu = cpu_to_le16(chan->local_msdu);
2667 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c
AE		 2668 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2669 efs.flush_to = __constant_cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
f89cef09
AE		 2670 break;
2671
2672 case L2CAP_MODE_STREAMING:
2673 efs.id = 1;
2674 efs.stype = L2CAP_SERV_BESTEFFORT;
2675 efs.msdu = cpu_to_le16(chan->local_msdu);
2676 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2677 efs.acc_lat = 0;
2678 efs.flush_to = 0;
2679 break;
2680
2681 default:
2682 return;
2683 }
2684
2685 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
2686 (unsigned long) &efs);
2687}
2688
721c4181 2689static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2690{
721c4181 2691 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 2692 ack_timer.work);
2693 u16 frames_to_ack;
c1b4f43b 2694
2fb9b3d4
GP		 2695 BT_DBG("chan %p", chan);
2696
6be36555
AE		 2697 l2cap_chan_lock(chan);
2698
0362520b
MM		 2699 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2700 chan->last_acked_seq);
6be36555 2701
0362520b
MM		 2702 if (frames_to_ack)
2703 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 2704
0362520b 2705 l2cap_chan_unlock(chan);
09bfb2ee 2706 l2cap_chan_put(chan);
c1b4f43b
GP		 2707}
2708
466f8004 2709int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2710{
3c588192
MM		 2711 int err;
2712
105bdf9e
MM		 2713 chan->next_tx_seq = 0;
2714 chan->expected_tx_seq = 0;
42e5c802 2715 chan->expected_ack_seq = 0;
6a026610 2716 chan->unacked_frames = 0;
42e5c802 2717 chan->buffer_seq = 0;
6a026610 2718 chan->frames_sent = 0;
105bdf9e
MM		 2719 chan->last_acked_seq = 0;
2720 chan->sdu = NULL;
2721 chan->sdu_last_frag = NULL;
2722 chan->sdu_len = 0;
2723
d34c34fb
MM		 2724 skb_queue_head_init(&chan->tx_q);
2725
105bdf9e
MM		 2726 if (chan->mode != L2CAP_MODE_ERTM)
2727 return 0;
2728
2729 chan->rx_state = L2CAP_RX_STATE_RECV;
2730 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2731
721c4181
GP		 2732 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2733 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2734 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2735
f1c6775b 2736 skb_queue_head_init(&chan->srej_q);
1890d36b 2737
3c588192
MM		 2738 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2739 if (err < 0)
2740 return err;
2741
9dc9affc
MM		 2742 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
2743 if (err < 0)
2744 l2cap_seq_list_free(&chan->srej_list);
2745
2746 return err;
0565c1c2
GP		 2747}
2748
f2fcfcd6
GP		 2749static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2750{
2751 switch (mode) {
2752 case L2CAP_MODE_STREAMING:
2753 case L2CAP_MODE_ERTM:
2754 if (l2cap_mode_supported(mode, remote_feat_mask))
2755 return mode;
2756 /* fall through */
2757 default:
2758 return L2CAP_MODE_BASIC;
2759 }
2760}
2761
6327eb98
AE		 2762static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2763{
2764 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2765}
2766
f89cef09
AE		 2767static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2768{
2769 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2770}
2771
6327eb98
AE		 2772static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2773{
2774 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 2775 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2776 /* use extended control field */
2777 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2778 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2779 } else {
6327eb98
AE		 2780 chan->tx_win = min_t(u16, chan->tx_win,
2781 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2782 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2783 }
6327eb98
AE		 2784}
2785
710f9b0a 2786static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2787{
1da177e4 2788 struct l2cap_conf_req *req = data;
0c1bc5c6 2789 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2790 void *ptr = req->data;
c8f79162 2791 u16 size;
1da177e4 2792
49208c9c 2793 BT_DBG("chan %p", chan);
1da177e4 2794
73ffa904 2795 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2796 goto done;
2797
0c1bc5c6 2798 switch (chan->mode) {
f2fcfcd6
GP		 2799 case L2CAP_MODE_STREAMING:
2800 case L2CAP_MODE_ERTM:
c1360a1c 2801 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2802 break;
85eb53c6 2803
f89cef09
AE		 2804 if (__l2cap_efs_supported(chan))
2805 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2806
2ba13ed6 2807 /* fall through */
f2fcfcd6 2808 default:
8c1d787b 2809 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2810 break;
2811 }
2812
2813done:
0c1bc5c6
GP		 2814 if (chan->imtu != L2CAP_DEFAULT_MTU)
2815 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2816
0c1bc5c6 2817 switch (chan->mode) {
65c7c491 2818 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2819 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2820 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2821 break;
2822
62547752
GP		 2823 rfc.mode = L2CAP_MODE_BASIC;
2824 rfc.txwin_size = 0;
2825 rfc.max_transmit = 0;
2826 rfc.retrans_timeout = 0;
2827 rfc.monitor_timeout = 0;
2828 rfc.max_pdu_size = 0;
2829
63406504
GP		 2830 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2831 (unsigned long) &rfc);
65c7c491
MH		 2832 break;
2833
2834 case L2CAP_MODE_ERTM:
2835 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2836 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2837 rfc.retrans_timeout = 0;
2838 rfc.monitor_timeout = 0;
c8f79162
AE		 2839
2840 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2841 L2CAP_EXT_HDR_SIZE -
2842 L2CAP_SDULEN_SIZE -
2843 L2CAP_FCS_SIZE);
2844 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2845
6327eb98
AE		 2846 l2cap_txwin_setup(chan);
2847
2848 rfc.txwin_size = min_t(u16, chan->tx_win,
2849 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2850
63406504
GP		 2851 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2852 (unsigned long) &rfc);
2853
f89cef09
AE		 2854 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2855 l2cap_add_opt_efs(&ptr, chan);
2856
8c1d787b 2857 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2858 break;
2859
47d1ec61 2860 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2861 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2862 chan->fcs = L2CAP_FCS_NONE;
2863 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2864 }
6327eb98
AE		 2865
2866 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2867 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2868 chan->tx_win);
f2fcfcd6
GP		 2869 break;
2870
2871 case L2CAP_MODE_STREAMING:
273759e2 2872 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 2873 rfc.mode = L2CAP_MODE_STREAMING;
2874 rfc.txwin_size = 0;
2875 rfc.max_transmit = 0;
2876 rfc.retrans_timeout = 0;
2877 rfc.monitor_timeout = 0;
c8f79162
AE		 2878
2879 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2880 L2CAP_EXT_HDR_SIZE -
2881 L2CAP_SDULEN_SIZE -
2882 L2CAP_FCS_SIZE);
2883 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2884
63406504
GP		 2885 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2886 (unsigned long) &rfc);
2887
f89cef09
AE		 2888 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2889 l2cap_add_opt_efs(&ptr, chan);
2890
8c1d787b 2891 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2892 break;
2893
47d1ec61 2894 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2895 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2896 chan->fcs = L2CAP_FCS_NONE;
2897 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2898 }
65c7c491
MH		 2899 break;
2900 }
1da177e4 2901
fe4128e0 2902 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 2903 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 2904
2905 return ptr - data;
2906}
2907
73ffa904 2908static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2909{
5dee9e7c
MH		 2910 struct l2cap_conf_rsp *rsp = data;
2911 void *ptr = rsp->data;
73ffa904
GP		 2912 void *req = chan->conf_req;
2913 int len = chan->conf_len;
5dee9e7c
MH		 2914 int type, hint, olen;
2915 unsigned long val;
6464f35f 2916 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2917 struct l2cap_conf_efs efs;
2918 u8 remote_efs = 0;
861d6882 2919 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2920 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2921 u16 size;
1da177e4 2922
73ffa904 2923 BT_DBG("chan %p", chan);
820ae1b8 2924
5dee9e7c
MH		 2925 while (len >= L2CAP_CONF_OPT_SIZE) {
2926 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2927
589d2746 2928 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2929 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2930
2931 switch (type) {
2932 case L2CAP_CONF_MTU:
861d6882 2933 mtu = val;
5dee9e7c
MH		 2934 break;
2935
2936 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2937 chan->flush_to = val;
5dee9e7c
MH		 2938 break;
2939
2940 case L2CAP_CONF_QOS:
2941 break;
2942
6464f35f
MH		 2943 case L2CAP_CONF_RFC:
2944 if (olen == sizeof(rfc))
2945 memcpy(&rfc, (void *) val, olen);
2946 break;
2947
fcc203c3
GP		 2948 case L2CAP_CONF_FCS:
2949 if (val == L2CAP_FCS_NONE)
c1360a1c 2950 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 2951 break;
fcc203c3 2952
42dceae2
AE		 2953 case L2CAP_CONF_EFS:
2954 remote_efs = 1;
2955 if (olen == sizeof(efs))
2956 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 2957 break;
2958
6327eb98
AE		 2959 case L2CAP_CONF_EWS:
2960 if (!enable_hs)
2961 return -ECONNREFUSED;
fcc203c3 2962
6327eb98
AE		 2963 set_bit(FLAG_EXT_CTRL, &chan->flags);
2964 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 2965 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 2966 chan->remote_tx_win = val;
fcc203c3
GP		 2967 break;
2968
5dee9e7c
MH		 2969 default:
2970 if (hint)
2971 break;
2972
2973 result = L2CAP_CONF_UNKNOWN;
2974 *((u8 *) ptr++) = type;
2975 break;
2976 }
2977 }
2978
73ffa904 2979 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2980 goto done;
2981
0c1bc5c6 2982 switch (chan->mode) {
f2fcfcd6
GP		 2983 case L2CAP_MODE_STREAMING:
2984 case L2CAP_MODE_ERTM:
c1360a1c 2985 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2986 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2987 chan->conn->feat_mask);
85eb53c6
GP		 2988 break;
2989 }
2990
42dceae2
AE		 2991 if (remote_efs) {
2992 if (__l2cap_efs_supported(chan))
2993 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2994 else
2995 return -ECONNREFUSED;
2996 }
2997
0c1bc5c6 2998 if (chan->mode != rfc.mode)
f2fcfcd6 2999 return -ECONNREFUSED;
742e519b 3000
f2fcfcd6 3001 break;
f2fcfcd6
GP		 3002 }
3003
3004done:
0c1bc5c6 3005 if (chan->mode != rfc.mode) {
f2fcfcd6 3006 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3007 rfc.mode = chan->mode;
f2fcfcd6 3008
73ffa904 3009 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3010 return -ECONNREFUSED;
3011
3012 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3013 sizeof(rfc), (unsigned long) &rfc);
3014 }
3015
5dee9e7c
MH		 3016 if (result == L2CAP_CONF_SUCCESS) {
3017 /* Configure output options and let the other side know
3018 * which ones we don't like. */
3019
f2fcfcd6
GP		 3020 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3021 result = L2CAP_CONF_UNACCEPT;
3022 else {
0c1bc5c6 3023 chan->omtu = mtu;
c1360a1c 3024 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3025 }
0c1bc5c6 3026 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3027
42dceae2
AE		 3028 if (remote_efs) {
3029 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3030 efs.stype != L2CAP_SERV_NOTRAFIC &&
3031 efs.stype != chan->local_stype) {
3032
3033 result = L2CAP_CONF_UNACCEPT;
3034
3035 if (chan->num_conf_req >= 1)
3036 return -ECONNREFUSED;
3037
3038 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 3039 sizeof(efs),
42dceae2 3040 (unsigned long) &efs);
0e8b207e 3041 } else {
3e6b3b95 3042 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3043 result = L2CAP_CONF_PENDING;
3044 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3045 }
3046 }
3047
f2fcfcd6
GP		 3048 switch (rfc.mode) {
3049 case L2CAP_MODE_BASIC:
47d1ec61 3050 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3051 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3052 break;
3053
3054 case L2CAP_MODE_ERTM:
6327eb98
AE		 3055 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3056 chan->remote_tx_win = rfc.txwin_size;
3057 else
3058 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3059
2c03a7a4 3060 chan->remote_max_tx = rfc.max_transmit;
1c762159 3061
c8f79162
AE		 3062 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3063 chan->conn->mtu -
3064 L2CAP_EXT_HDR_SIZE -
3065 L2CAP_SDULEN_SIZE -
3066 L2CAP_FCS_SIZE);
3067 rfc.max_pdu_size = cpu_to_le16(size);
3068 chan->remote_mps = size;
f2fcfcd6 3069
10467e9e 3070 rfc.retrans_timeout =
4fd21a88 3071 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
10467e9e 3072 rfc.monitor_timeout =
4fd21a88 3073 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 3074
c1360a1c 3075 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3076
3077 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3078 sizeof(rfc), (unsigned long) &rfc);
3079
42dceae2
AE		 3080 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3081 chan->remote_id = efs.id;
3082 chan->remote_stype = efs.stype;
3083 chan->remote_msdu = le16_to_cpu(efs.msdu);
3084 chan->remote_flush_to =
3085 le32_to_cpu(efs.flush_to);
3086 chan->remote_acc_lat =
3087 le32_to_cpu(efs.acc_lat);
3088 chan->remote_sdu_itime =
3089 le32_to_cpu(efs.sdu_itime);
3090 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3091 sizeof(efs), (unsigned long) &efs);
3092 }
f2fcfcd6
GP		 3093 break;
3094
3095 case L2CAP_MODE_STREAMING:
c8f79162
AE		 3096 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3097 chan->conn->mtu -
3098 L2CAP_EXT_HDR_SIZE -
3099 L2CAP_SDULEN_SIZE -
3100 L2CAP_FCS_SIZE);
3101 rfc.max_pdu_size = cpu_to_le16(size);
3102 chan->remote_mps = size;
f2fcfcd6 3103
c1360a1c 3104 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3105
3106 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3107 sizeof(rfc), (unsigned long) &rfc);
3108
f2fcfcd6
GP		 3109 break;
3110
3111 default:
5dee9e7c 3112 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3113
6464f35f 3114 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3115 rfc.mode = chan->mode;
f2fcfcd6 3116 }
6464f35f 3117
f2fcfcd6 3118 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3119 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3120 }
fe4128e0 3121 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3122 rsp->result = cpu_to_le16(result);
59e54bd1 3123 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3124
3125 return ptr - data;
1da177e4
LT		 3126}
3127
b4450035 3128static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 3129{
f2fcfcd6
GP		 3130 struct l2cap_conf_req *req = data;
3131 void *ptr = req->data;
3132 int type, olen;
3133 unsigned long val;
36e999a8 3134 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3135 struct l2cap_conf_efs efs;
f2fcfcd6 3136
fe4128e0 3137 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3138
3139 while (len >= L2CAP_CONF_OPT_SIZE) {
3140 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3141
3142 switch (type) {
3143 case L2CAP_CONF_MTU:
3144 if (val < L2CAP_DEFAULT_MIN_MTU) {
3145 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3146 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3147 } else
0c1bc5c6
GP		 3148 chan->imtu = val;
3149 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3150 break;
3151
3152 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3153 chan->flush_to = val;
f2fcfcd6 3154 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 3155 2, chan->flush_to);
f2fcfcd6
GP		 3156 break;
3157
3158 case L2CAP_CONF_RFC:
3159 if (olen == sizeof(rfc))
3160 memcpy(&rfc, (void *)val, olen);
3161
c1360a1c 3162 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 3163 rfc.mode != chan->mode)
f2fcfcd6
GP		 3164 return -ECONNREFUSED;
3165
47d1ec61 3166 chan->fcs = 0;
f2fcfcd6
GP		 3167
3168 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3169 sizeof(rfc), (unsigned long) &rfc);
3170 break;
6327eb98
AE		 3171
3172 case L2CAP_CONF_EWS:
3173 chan->tx_win = min_t(u16, val,
3174 L2CAP_DEFAULT_EXT_WINDOW);
3e6b3b95
GP		 3175 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3176 chan->tx_win);
6327eb98 3177 break;
66af7aaf
AE		 3178
3179 case L2CAP_CONF_EFS:
3180 if (olen == sizeof(efs))
3181 memcpy(&efs, (void *)val, olen);
3182
3183 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3184 efs.stype != L2CAP_SERV_NOTRAFIC &&
3185 efs.stype != chan->local_stype)
3186 return -ECONNREFUSED;
3187
3188 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3189 sizeof(efs), (unsigned long) &efs);
3190 break;
f2fcfcd6
GP		 3191 }
3192 }
3193
0c1bc5c6 3194 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3195 return -ECONNREFUSED;
3196
0c1bc5c6 3197 chan->mode = rfc.mode;
6c2ea7a8 3198
0e8b207e 3199 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3200 switch (rfc.mode) {
3201 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3202 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3203 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3204 chan->mps = le16_to_cpu(rfc.max_pdu_size);
66af7aaf
AE		 3205
3206 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3207 chan->local_msdu = le16_to_cpu(efs.msdu);
3208 chan->local_sdu_itime =
3209 le32_to_cpu(efs.sdu_itime);
3210 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3211 chan->local_flush_to =
3212 le32_to_cpu(efs.flush_to);
3213 }
f2fcfcd6 3214 break;
66af7aaf 3215
f2fcfcd6 3216 case L2CAP_MODE_STREAMING:
47d1ec61 3217 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3218 }
3219 }
3220
fe4128e0 3221 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3222 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3223
3224 return ptr - data;
3225}
3226
fe4128e0 3227static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 3228{
3229 struct l2cap_conf_rsp *rsp = data;
3230 void *ptr = rsp->data;
1da177e4 3231
fe4128e0 3232 BT_DBG("chan %p", chan);
1da177e4 3233
fe4128e0 3234 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3235 rsp->result = cpu_to_le16(result);
aca3192c 3236 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3237
3238 return ptr - data;
3239}
3240
8c1d787b 3241void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3242{
3243 struct l2cap_conn_rsp rsp;
8c1d787b 3244 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 3245 u8 buf[128];
3246
fe4128e0
GP		 3247 rsp.scid = cpu_to_le16(chan->dcid);
3248 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3249 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3250 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
710f9b0a
GP		 3251 l2cap_send_cmd(conn, chan->ident,
3252 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
3253
c1360a1c 3254 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3255 return;
3256
710f9b0a
GP		 3257 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3258 l2cap_build_conf_req(chan, buf), buf);
3259 chan->num_conf_req++;
3260}
3261
47d1ec61 3262static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3263{
7b1c0049
GP		 3264 int type, olen;
3265 unsigned long val;
3266 struct l2cap_conf_rfc rfc;
3267
47d1ec61 3268 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3269
0c1bc5c6 3270 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3271 return;
3272
3273 while (len >= L2CAP_CONF_OPT_SIZE) {
3274 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3275
3276 switch (type) {
3277 case L2CAP_CONF_RFC:
3278 if (olen == sizeof(rfc))
3279 memcpy(&rfc, (void *)val, olen);
3280 goto done;
3281 }
3282 }
3283
36e999a8
MM		 3284 /* Use sane default values in case a misbehaving remote device
3285 * did not send an RFC option.
3286 */
3287 rfc.mode = chan->mode;
ac73498c
AE		 3288 rfc.retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3289 rfc.monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
36e999a8
MM		 3290 rfc.max_pdu_size = cpu_to_le16(chan->imtu);
3291
3292 BT_ERR("Expected RFC option was not found, using defaults");
3293
7b1c0049
GP		 3294done:
3295 switch (rfc.mode) {
3296 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3297 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3298 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3299 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3300 break;
3301 case L2CAP_MODE_STREAMING:
47d1ec61 3302 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3303 }
3304}
3305
4e8402a3
MH		 3306static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3307{
e2fd318e 3308 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3309
e2fd318e 3310 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3311 return 0;
3312
3313 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3314 cmd->ident == conn->info_ident) {
17cd3f37 3315 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3316
3317 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3318 conn->info_ident = 0;
984947dc 3319
4e8402a3
MH		 3320 l2cap_conn_start(conn);
3321 }
3322
3323 return 0;
3324}
3325
1da177e4
LT		 3326static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3327{
1da177e4
LT		 3328 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3329 struct l2cap_conn_rsp rsp;
23691d75 3330 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3331 struct sock *parent, *sk = NULL;
e7c29cb1 3332 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3333
3334 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3335 __le16 psm = req->psm;
1da177e4 3336
097db76c 3337 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3338
3339 /* Check if we have socket listening on psm */
c2287681 3340 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3341 if (!pchan) {
1da177e4
LT		 3342 result = L2CAP_CR_BAD_PSM;
3343 goto sendresp;
3344 }
3345
23691d75
GP		 3346 parent = pchan->sk;
3347
3df91ea2 3348 mutex_lock(&conn->chan_lock);
aa2ac881 3349 lock_sock(parent);
e0f0cb56 3350
e7c29cb1 3351 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3352 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
e7c29cb1 3353 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3354 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3355 result = L2CAP_CR_SEC_BLOCK;
3356 goto response;
3357 }
3358
1da177e4
LT		 3359 result = L2CAP_CR_NO_MEM;
3360
2dfa1003
GP		 3361 /* Check if we already have channel with that dcid */
3362 if (__l2cap_get_chan_by_dcid(conn, scid))
3363 goto response;
3364
80b98027 3365 chan = pchan->ops->new_connection(pchan);
80808e43 3366 if (!chan)
1da177e4
LT		 3367 goto response;
3368
80808e43
GP		 3369 sk = chan->sk;
3370
1da177e4
LT		 3371 hci_conn_hold(conn->hcon);
3372
1da177e4
LT		 3373 bacpy(&bt_sk(sk)->src, conn->src);
3374 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3375 chan->psm = psm;
3376 chan->dcid = scid;
1da177e4 3377
d1010240
GP		 3378 bt_accept_enqueue(parent, sk);
3379
6be36555 3380 __l2cap_chan_add(conn, chan);
48454079 3381
fe4128e0 3382 dcid = chan->scid;
1da177e4 3383
c9b66675 3384 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3385
fc7f8a7e 3386 chan->ident = cmd->ident;
1da177e4 3387
984947dc 3388 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3389 if (l2cap_chan_check_security(chan)) {
c5daa683 3390 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3391 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3392 result = L2CAP_CR_PEND;
3393 status = L2CAP_CS_AUTHOR_PEND;
3394 parent->sk_data_ready(parent, 0);
3395 } else {
0e587be7 3396 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 3397 result = L2CAP_CR_SUCCESS;
3398 status = L2CAP_CS_NO_INFO;
3399 }
79d554a6 3400 } else {
0e587be7 3401 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3402 result = L2CAP_CR_PEND;
3403 status = L2CAP_CS_AUTHEN_PEND;
3404 }
3405 } else {
0e587be7 3406 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3407 result = L2CAP_CR_PEND;
3408 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3409 }
3410
1da177e4 3411response:
aa2ac881 3412 release_sock(parent);
3df91ea2 3413 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3414
3415sendresp:
aca3192c
YH		 3416 rsp.scid = cpu_to_le16(scid);
3417 rsp.dcid = cpu_to_le16(dcid);
3418 rsp.result = cpu_to_le16(result);
3419 rsp.status = cpu_to_le16(status);
1da177e4 3420 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 3421
3422 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3423 struct l2cap_info_req info;
ac73498c 3424 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3425
3426 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3427 conn->info_ident = l2cap_get_ident(conn);
3428
ba13ccd9 3429 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 3430
3431 l2cap_send_cmd(conn, conn->info_ident,
3432 L2CAP_INFO_REQ, sizeof(info), &info);
3433 }
3434
c1360a1c 3435 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 3436 result == L2CAP_CR_SUCCESS) {
3437 u8 buf[128];
c1360a1c 3438 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3439 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3440 l2cap_build_conf_req(chan, buf), buf);
3441 chan->num_conf_req++;
e9aeb2dd
GP		 3442 }
3443
1da177e4
LT		 3444 return 0;
3445}
3446
3447static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3448{
3449 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3450 u16 scid, dcid, result, status;
48454079 3451 struct l2cap_chan *chan;
1da177e4 3452 u8 req[128];
3df91ea2 3453 int err;
1da177e4
LT		 3454
3455 scid = __le16_to_cpu(rsp->scid);
3456 dcid = __le16_to_cpu(rsp->dcid);
3457 result = __le16_to_cpu(rsp->result);
3458 status = __le16_to_cpu(rsp->status);
3459
1b009c98
AE		 3460 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3461 dcid, scid, result, status);
1da177e4 3462
3df91ea2
AE		 3463 mutex_lock(&conn->chan_lock);
3464
1da177e4 3465 if (scid) {
3df91ea2
AE		 3466 chan = __l2cap_get_chan_by_scid(conn, scid);
3467 if (!chan) {
3468 err = -EFAULT;
3469 goto unlock;
3470 }
1da177e4 3471 } else {
3df91ea2
AE		 3472 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3473 if (!chan) {
3474 err = -EFAULT;
3475 goto unlock;
3476 }
1da177e4
LT		 3477 }
3478
3df91ea2
AE		 3479 err = 0;
3480
6be36555 3481 l2cap_chan_lock(chan);
48454079 3482
1da177e4
LT		 3483 switch (result) {
3484 case L2CAP_CR_SUCCESS:
89bc500e 3485 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3486 chan->ident = 0;
fe4128e0 3487 chan->dcid = dcid;
c1360a1c 3488 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3489
c1360a1c 3490 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3491 break;
3492
1da177e4 3493 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3494 l2cap_build_conf_req(chan, req), req);
3495 chan->num_conf_req++;
1da177e4
LT		 3496 break;
3497
3498 case L2CAP_CR_PEND:
c1360a1c 3499 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3500 break;
3501
3502 default:
48454079 3503 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3504 break;
3505 }
3506
6be36555 3507 l2cap_chan_unlock(chan);
3df91ea2
AE		 3508
3509unlock:
3510 mutex_unlock(&conn->chan_lock);
3511
3512 return err;
1da177e4
LT		 3513}
3514
47d1ec61 3515static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3516{
3517 /* FCS is enabled only in ERTM or streaming mode, if one or both
3518 * sides request it.
3519 */
0c1bc5c6 3520 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3521 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3522 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3523 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3524}
3525
88219a0f 3526static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 3527{
3528 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3529 u16 dcid, flags;
3530 u8 rsp[64];
48454079 3531 struct l2cap_chan *chan;
3c588192 3532 int len, err = 0;
1da177e4
LT		 3533
3534 dcid = __le16_to_cpu(req->dcid);
3535 flags = __le16_to_cpu(req->flags);
3536
3537 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3538
baa7e1fa 3539 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3540 if (!chan)
1da177e4
LT		 3541 return -ENOENT;
3542
033b1142 3543 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3544 struct l2cap_cmd_rej_cid rej;
3545
ac73498c 3546 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
e2fd318e
IK		 3547 rej.scid = cpu_to_le16(chan->scid);
3548 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3549
df6bd743
GP		 3550 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
3551 sizeof(rej), &rej);
354f60a9 3552 goto unlock;
df6bd743 3553 }
354f60a9 3554
5dee9e7c 3555 /* Reject if config buffer is too small. */
88219a0f 3556 len = cmd_len - sizeof(*req);
7ac28817 3557 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3558 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3559 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 3560 L2CAP_CONF_REJECT, flags), rsp);
3561 goto unlock;
3562 }
3563
3564 /* Store config. */
73ffa904
GP		 3565 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3566 chan->conf_len += len;
1da177e4 3567
59e54bd1 3568 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 3569 /* Incomplete config. Send empty response. */
3570 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3571 l2cap_build_conf_rsp(chan, rsp,
5325e5bb 3572 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 3573 goto unlock;
3574 }
3575
3576 /* Complete config. */
73ffa904 3577 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3578 if (len < 0) {
e92c8e70 3579 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 3580 goto unlock;
f2fcfcd6 3581 }
1da177e4 3582
5dee9e7c 3583 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3584 chan->num_conf_rsp++;
5dee9e7c 3585
5dee9e7c 3586 /* Reset config buffer. */
73ffa904 3587 chan->conf_len = 0;
5dee9e7c 3588
c1360a1c 3589 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3590 goto unlock;
3591
c1360a1c 3592 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3593 set_default_fcs(chan);
fcc203c3 3594
105bdf9e
MM		 3595 if (chan->mode == L2CAP_MODE_ERTM ||
3596 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3597 err = l2cap_ertm_init(chan);
3598
3599 if (err < 0)
3600 l2cap_send_disconn_req(chan->conn, chan, -err);
3601 else
3602 l2cap_chan_ready(chan);
0565c1c2 3603
876d9484
MH		 3604 goto unlock;
3605 }
3606
c1360a1c 3607 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3608 u8 buf[64];
1da177e4 3609 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3610 l2cap_build_conf_req(chan, buf), buf);
3611 chan->num_conf_req++;
1da177e4
LT		 3612 }
3613
0e8b207e
AE		 3614 /* Got Conf Rsp PENDING from remote side and asume we sent
3615 Conf Rsp PENDING in the code above */
3616 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
3617 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3618
3619 /* check compatibility */
3620
3621 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3622 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3623
3624 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3625 l2cap_build_conf_rsp(chan, rsp,
5325e5bb 3626 L2CAP_CONF_SUCCESS, flags), rsp);
0e8b207e
AE		 3627 }
3628
1da177e4 3629unlock:
6be36555 3630 l2cap_chan_unlock(chan);
3c588192 3631 return err;
1da177e4
LT		 3632}
3633
3634static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3635{
3636 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3637 u16 scid, flags, result;
48454079 3638 struct l2cap_chan *chan;
61386cba 3639 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3640 int err = 0;
1da177e4
LT		 3641
3642 scid = __le16_to_cpu(rsp->scid);
3643 flags = __le16_to_cpu(rsp->flags);
3644 result = __le16_to_cpu(rsp->result);
3645
61386cba
AE		 3646 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3647 result, len);
1da177e4 3648
baa7e1fa 3649 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3650 if (!chan)
1da177e4
LT		 3651 return 0;
3652
3653 switch (result) {
3654 case L2CAP_CONF_SUCCESS:
47d1ec61 3655 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3656 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3657 break;
3658
0e8b207e
AE		 3659 case L2CAP_CONF_PENDING:
3660 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3661
3662 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3663 char buf[64];
3664
3665 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3666 buf, &result);
3667 if (len < 0) {
3668 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3669 goto done;
3670 }
3671
3672 /* check compatibility */
3673
3674 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3675 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3676
3677 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3678 l2cap_build_conf_rsp(chan, buf,
0e8b207e
AE		 3679 L2CAP_CONF_SUCCESS, 0x0000), buf);
3680 }
3681 goto done;
3682
1da177e4 3683 case L2CAP_CONF_UNACCEPT:
73ffa904 3684 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3685 char req[64];
3686
c2c77ec8 3687 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 3688 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 3689 goto done;
3690 }
3691
f2fcfcd6
GP		 3692 /* throw out any old stored conf requests */
3693 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 3694 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3695 req, &result);
f2fcfcd6 3696 if (len < 0) {
e92c8e70 3697 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 3698 goto done;
3699 }
3700
3701 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3702 L2CAP_CONF_REQ, len, req);
73ffa904 3703 chan->num_conf_req++;
f2fcfcd6
GP		 3704 if (result != L2CAP_CONF_SUCCESS)
3705 goto done;
3706 break;
1da177e4
LT		 3707 }
3708
8e87d142 3709 default:
6be36555 3710 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 3711
ba13ccd9 3712 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 3713 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 3714 goto done;
3715 }
3716
59e54bd1 3717 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 3718 goto done;
3719
c1360a1c 3720 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 3721
c1360a1c 3722 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 3723 set_default_fcs(chan);
fcc203c3 3724
105bdf9e
MM		 3725 if (chan->mode == L2CAP_MODE_ERTM ||
3726 chan->mode == L2CAP_MODE_STREAMING)
3c588192 3727 err = l2cap_ertm_init(chan);
0565c1c2 3728
3c588192
MM		 3729 if (err < 0)
3730 l2cap_send_disconn_req(chan->conn, chan, -err);
3731 else
3732 l2cap_chan_ready(chan);
1da177e4
LT		 3733 }
3734
3735done:
6be36555 3736 l2cap_chan_unlock(chan);
3c588192 3737 return err;
1da177e4
LT		 3738}
3739
3740static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3741{
3742 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3743 struct l2cap_disconn_rsp rsp;
3744 u16 dcid, scid;
48454079 3745 struct l2cap_chan *chan;
1da177e4
LT		 3746 struct sock *sk;
3747
3748 scid = __le16_to_cpu(req->scid);
3749 dcid = __le16_to_cpu(req->dcid);
3750
3751 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3752
3df91ea2
AE		 3753 mutex_lock(&conn->chan_lock);
3754
3755 chan = __l2cap_get_chan_by_scid(conn, dcid);
3756 if (!chan) {
3757 mutex_unlock(&conn->chan_lock);
1da177e4 3758 return 0;
3df91ea2 3759 }
1da177e4 3760
6be36555
AE		 3761 l2cap_chan_lock(chan);
3762
48454079
GP		 3763 sk = chan->sk;
3764
fe4128e0
GP		 3765 rsp.dcid = cpu_to_le16(chan->scid);
3766 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3767 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3768
6be36555 3769 lock_sock(sk);
1da177e4 3770 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 3771 release_sock(sk);
1da177e4 3772
61d6ef3e 3773 l2cap_chan_hold(chan);
48454079 3774 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 3775
3776 l2cap_chan_unlock(chan);
1da177e4 3777
80b98027 3778 chan->ops->close(chan);
61d6ef3e 3779 l2cap_chan_put(chan);
3df91ea2
AE		 3780
3781 mutex_unlock(&conn->chan_lock);
3782
1da177e4
LT		 3783 return 0;
3784}
3785
3786static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3787{
3788 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3789 u16 dcid, scid;
48454079 3790 struct l2cap_chan *chan;
1da177e4
LT		 3791
3792 scid = __le16_to_cpu(rsp->scid);
3793 dcid = __le16_to_cpu(rsp->dcid);
3794
3795 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3796
3df91ea2
AE		 3797 mutex_lock(&conn->chan_lock);
3798
3799 chan = __l2cap_get_chan_by_scid(conn, scid);
3800 if (!chan) {
3801 mutex_unlock(&conn->chan_lock);
1da177e4 3802 return 0;
3df91ea2 3803 }
1da177e4 3804
6be36555 3805 l2cap_chan_lock(chan);
48454079 3806
61d6ef3e 3807 l2cap_chan_hold(chan);
48454079 3808 l2cap_chan_del(chan, 0);
6be36555
AE		 3809
3810 l2cap_chan_unlock(chan);
1da177e4 3811
80b98027 3812 chan->ops->close(chan);
61d6ef3e 3813 l2cap_chan_put(chan);
3df91ea2
AE		 3814
3815 mutex_unlock(&conn->chan_lock);
3816
1da177e4
LT		 3817 return 0;
3818}
3819
3820static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3821{
3822 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3823 u16 type;
3824
3825 type = __le16_to_cpu(req->type);
3826
3827 BT_DBG("type 0x%4.4x", type);
3828
f0709e03
MH		 3829 if (type == L2CAP_IT_FEAT_MASK) {
3830 u8 buf[8];
44dd46de 3831 u32 feat_mask = l2cap_feat_mask;
f0709e03 3832 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 3833 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
3834 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3835 if (!disable_ertm)
fcc203c3
GP		 3836 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3837 | L2CAP_FEAT_FCS;
a5fd6f30 3838 if (enable_hs)
6327eb98
AE		 3839 feat_mask |= L2CAP_FEAT_EXT_FLOW
3840 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3841
1b7bf4ed 3842 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3843 l2cap_send_cmd(conn, cmd->ident,
3844 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3845 } else if (type == L2CAP_IT_FIXED_CHAN) {
3846 u8 buf[12];
3847 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3848
3849 if (enable_hs)
3850 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3851 else
3852 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3853
ac73498c
AE		 3854 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3855 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3856 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH		 3857 l2cap_send_cmd(conn, cmd->ident,
3858 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3859 } else {
3860 struct l2cap_info_rsp rsp;
3861 rsp.type = cpu_to_le16(type);
ac73498c 3862 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
f0709e03
MH		 3863 l2cap_send_cmd(conn, cmd->ident,
3864 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3865 }
1da177e4
LT		 3866
3867 return 0;
3868}
3869
3870static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3871{
3872 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3873 u16 type, result;
3874
3875 type = __le16_to_cpu(rsp->type);
3876 result = __le16_to_cpu(rsp->result);
3877
3878 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3879
e90165be
AE		 3880 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3881 if (cmd->ident != conn->info_ident ||
3882 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3883 return 0;
3884
17cd3f37 3885 cancel_delayed_work(&conn->info_timer);
4e8402a3 3886
adb08ede
VT		 3887 if (result != L2CAP_IR_SUCCESS) {
3888 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3889 conn->info_ident = 0;
3890
3891 l2cap_conn_start(conn);
3892
3893 return 0;
3894 }
3895
978c93b9
AE		 3896 switch (type) {
3897 case L2CAP_IT_FEAT_MASK:
83985319 3898 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3899
47ec1dcd 3900 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 3901 struct l2cap_info_req req;
ac73498c 3902 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 3903
3904 conn->info_ident = l2cap_get_ident(conn);
3905
3906 l2cap_send_cmd(conn, conn->info_ident,
3907 L2CAP_INFO_REQ, sizeof(req), &req);
3908 } else {
3909 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3910 conn->info_ident = 0;
3911
3912 l2cap_conn_start(conn);
3913 }
978c93b9
AE		 3914 break;
3915
3916 case L2CAP_IT_FIXED_CHAN:
3917 conn->fixed_chan_mask = rsp->data[0];
984947dc 3918 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3919 conn->info_ident = 0;
984947dc
MH		 3920
3921 l2cap_conn_start(conn);
978c93b9 3922 break;
984947dc 3923 }
4e8402a3 3924
1da177e4
LT		 3925 return 0;
3926}
3927
f94ff6ff
MM		 3928static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3929 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3930 void *data)
3931{
3932 struct l2cap_create_chan_req *req = data;
3933 struct l2cap_create_chan_rsp rsp;
3934 u16 psm, scid;
3935
3936 if (cmd_len != sizeof(*req))
3937 return -EPROTO;
3938
3939 if (!enable_hs)
3940 return -EINVAL;
3941
3942 psm = le16_to_cpu(req->psm);
3943 scid = le16_to_cpu(req->scid);
3944
3945 BT_DBG("psm %d, scid %d, amp_id %d", psm, scid, req->amp_id);
3946
3947 /* Placeholder: Always reject */
3948 rsp.dcid = 0;
3949 rsp.scid = cpu_to_le16(scid);
8ce0c498
AE		 3950 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
3951 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f94ff6ff
MM		 3952
3953 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
3954 sizeof(rsp), &rsp);
3955
3956 return 0;
3957}
3958
3959static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
3960 struct l2cap_cmd_hdr *cmd, void *data)
3961{
3962 BT_DBG("conn %p", conn);
3963
3964 return l2cap_connect_rsp(conn, cmd, data);
3965}
3966
8d5a04a1
MM		 3967static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
3968 u16 icid, u16 result)
3969{
3970 struct l2cap_move_chan_rsp rsp;
3971
3972 BT_DBG("icid %d, result %d", icid, result);
3973
3974 rsp.icid = cpu_to_le16(icid);
3975 rsp.result = cpu_to_le16(result);
3976
3977 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
3978}
3979
3980static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
3981 struct l2cap_chan *chan, u16 icid, u16 result)
3982{
3983 struct l2cap_move_chan_cfm cfm;
3984 u8 ident;
3985
3986 BT_DBG("icid %d, result %d", icid, result);
3987
3988 ident = l2cap_get_ident(conn);
3989 if (chan)
3990 chan->ident = ident;
3991
3992 cfm.icid = cpu_to_le16(icid);
3993 cfm.result = cpu_to_le16(result);
3994
3995 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
3996}
3997
3998static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
3999 u16 icid)
4000{
4001 struct l2cap_move_chan_cfm_rsp rsp;
4002
4003 BT_DBG("icid %d", icid);
4004
4005 rsp.icid = cpu_to_le16(icid);
4006 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4007}
4008
4009static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
4010 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4011{
4012 struct l2cap_move_chan_req *req = data;
4013 u16 icid = 0;
4014 u16 result = L2CAP_MR_NOT_ALLOWED;
4015
4016 if (cmd_len != sizeof(*req))
4017 return -EPROTO;
4018
4019 icid = le16_to_cpu(req->icid);
4020
4021 BT_DBG("icid %d, dest_amp_id %d", icid, req->dest_amp_id);
4022
4023 if (!enable_hs)
4024 return -EINVAL;
4025
4026 /* Placeholder: Always refuse */
4027 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
4028
4029 return 0;
4030}
4031
4032static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
4033 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4034{
4035 struct l2cap_move_chan_rsp *rsp = data;
4036 u16 icid, result;
4037
4038 if (cmd_len != sizeof(*rsp))
4039 return -EPROTO;
4040
4041 icid = le16_to_cpu(rsp->icid);
4042 result = le16_to_cpu(rsp->result);
4043
4044 BT_DBG("icid %d, result %d", icid, result);
4045
4046 /* Placeholder: Always unconfirmed */
4047 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
4048
4049 return 0;
4050}
4051
4052static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
4053 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4054{
4055 struct l2cap_move_chan_cfm *cfm = data;
4056 u16 icid, result;
4057
4058 if (cmd_len != sizeof(*cfm))
4059 return -EPROTO;
4060
4061 icid = le16_to_cpu(cfm->icid);
4062 result = le16_to_cpu(cfm->result);
4063
4064 BT_DBG("icid %d, result %d", icid, result);
4065
4066 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4067
4068 return 0;
4069}
4070
4071static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
4072 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4073{
4074 struct l2cap_move_chan_cfm_rsp *rsp = data;
4075 u16 icid;
4076
4077 if (cmd_len != sizeof(*rsp))
4078 return -EPROTO;
4079
4080 icid = le16_to_cpu(rsp->icid);
4081
4082 BT_DBG("icid %d", icid);
4083
4084 return 0;
4085}
4086
e2174ca4 4087static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 4088 u16 to_multiplier)
4089{
4090 u16 max_latency;
4091
4092 if (min > max || min < 6 || max > 3200)
4093 return -EINVAL;
4094
4095 if (to_multiplier < 10 || to_multiplier > 3200)
4096 return -EINVAL;
4097
4098 if (max >= to_multiplier * 8)
4099 return -EINVAL;
4100
4101 max_latency = (to_multiplier * 8 / max) - 1;
4102 if (latency > 499 || latency > max_latency)
4103 return -EINVAL;
4104
4105 return 0;
4106}
4107
4108static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
4109 struct l2cap_cmd_hdr *cmd, u8 *data)
4110{
4111 struct hci_conn *hcon = conn->hcon;
4112 struct l2cap_conn_param_update_req *req;
4113 struct l2cap_conn_param_update_rsp rsp;
4114 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 4115 int err;
de73115a
CT		 4116
4117 if (!(hcon->link_mode & HCI_LM_MASTER))
4118 return -EINVAL;
4119
4120 cmd_len = __le16_to_cpu(cmd->len);
4121 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
4122 return -EPROTO;
4123
4124 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 4125 min = __le16_to_cpu(req->min);
4126 max = __le16_to_cpu(req->max);
de73115a
CT		 4127 latency = __le16_to_cpu(req->latency);
4128 to_multiplier = __le16_to_cpu(req->to_multiplier);
4129
4130 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
4131 min, max, latency, to_multiplier);
4132
4133 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 4134
4135 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
4136 if (err)
ac73498c 4137 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 4138 else
ac73498c 4139 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 4140
4141 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
4142 sizeof(rsp), &rsp);
4143
2ce603eb
CT		 4144 if (!err)
4145 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
4146
de73115a
CT		 4147 return 0;
4148}
4149
3300d9a9
CT		 4150static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
4151 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4152{
4153 int err = 0;
4154
4155 switch (cmd->code) {
4156 case L2CAP_COMMAND_REJ:
4157 l2cap_command_rej(conn, cmd, data);
4158 break;
4159
4160 case L2CAP_CONN_REQ:
4161 err = l2cap_connect_req(conn, cmd, data);
4162 break;
4163
4164 case L2CAP_CONN_RSP:
4165 err = l2cap_connect_rsp(conn, cmd, data);
4166 break;
4167
4168 case L2CAP_CONF_REQ:
4169 err = l2cap_config_req(conn, cmd, cmd_len, data);
4170 break;
4171
4172 case L2CAP_CONF_RSP:
4173 err = l2cap_config_rsp(conn, cmd, data);
4174 break;
4175
4176 case L2CAP_DISCONN_REQ:
4177 err = l2cap_disconnect_req(conn, cmd, data);
4178 break;
4179
4180 case L2CAP_DISCONN_RSP:
4181 err = l2cap_disconnect_rsp(conn, cmd, data);
4182 break;
4183
4184 case L2CAP_ECHO_REQ:
4185 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
4186 break;
4187
4188 case L2CAP_ECHO_RSP:
4189 break;
4190
4191 case L2CAP_INFO_REQ:
4192 err = l2cap_information_req(conn, cmd, data);
4193 break;
4194
4195 case L2CAP_INFO_RSP:
4196 err = l2cap_information_rsp(conn, cmd, data);
4197 break;
4198
f94ff6ff
MM		 4199 case L2CAP_CREATE_CHAN_REQ:
4200 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
4201 break;
4202
4203 case L2CAP_CREATE_CHAN_RSP:
4204 err = l2cap_create_channel_rsp(conn, cmd, data);
4205 break;
4206
8d5a04a1
MM		 4207 case L2CAP_MOVE_CHAN_REQ:
4208 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
4209 break;
4210
4211 case L2CAP_MOVE_CHAN_RSP:
4212 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
4213 break;
4214
4215 case L2CAP_MOVE_CHAN_CFM:
4216 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
4217 break;
4218
4219 case L2CAP_MOVE_CHAN_CFM_RSP:
4220 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
4221 break;
4222
3300d9a9
CT		 4223 default:
4224 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
4225 err = -EINVAL;
4226 break;
4227 }
4228
4229 return err;
4230}
4231
4232static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
4233 struct l2cap_cmd_hdr *cmd, u8 *data)
4234{
4235 switch (cmd->code) {
4236 case L2CAP_COMMAND_REJ:
4237 return 0;
4238
4239 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 4240 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 4241
4242 case L2CAP_CONN_PARAM_UPDATE_RSP:
4243 return 0;
4244
4245 default:
4246 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
4247 return -EINVAL;
4248 }
4249}
4250
4251static inline void l2cap_sig_channel(struct l2cap_conn *conn,
4252 struct sk_buff *skb)
1da177e4
LT		 4253{
4254 u8 *data = skb->data;
4255 int len = skb->len;
4256 struct l2cap_cmd_hdr cmd;
3300d9a9 4257 int err;
1da177e4
LT		 4258
4259 l2cap_raw_recv(conn, skb);
4260
4261 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 4262 u16 cmd_len;
1da177e4
LT		 4263 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
4264 data += L2CAP_CMD_HDR_SIZE;
4265 len -= L2CAP_CMD_HDR_SIZE;
4266
88219a0f 4267 cmd_len = le16_to_cpu(cmd.len);
1da177e4 4268
88219a0f 4269 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 4270
88219a0f 4271 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 4272 BT_DBG("corrupted command");
4273 break;
4274 }
4275
3300d9a9
CT		 4276 if (conn->hcon->type == LE_LINK)
4277 err = l2cap_le_sig_cmd(conn, &cmd, data);
4278 else
4279 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 4280
4281 if (err) {
e2fd318e 4282 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 4283
4284 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 4285
4286 /* FIXME: Map err to a valid reason */
ac73498c 4287 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 4288 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4289 }
4290
88219a0f
AV		 4291 data += cmd_len;
4292 len -= cmd_len;
1da177e4
LT		 4293 }
4294
4295 kfree_skb(skb);
4296}
4297
47d1ec61 4298static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 4299{
4300 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 4301 int hdr_size;
4302
4303 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
4304 hdr_size = L2CAP_EXT_HDR_SIZE;
4305 else
4306 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 4307
47d1ec61 4308 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 4309 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 4310 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
4311 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
4312
4313 if (our_fcs != rcv_fcs)
7a560e5c 4314 return -EBADMSG;
fcc203c3
GP		 4315 }
4316 return 0;
4317}
4318
6ea00485 4319static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 4320{
e31f7633 4321 struct l2cap_ctrl control;
d5392c8f 4322
e31f7633 4323 BT_DBG("chan %p", chan);
d5392c8f 4324
e31f7633
MM		 4325 memset(&control, 0, sizeof(control));
4326 control.sframe = 1;
4327 control.final = 1;
4328 control.reqseq = chan->buffer_seq;
4329 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 4330
e2ab4353 4331 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 4332 control.super = L2CAP_SUPER_RNR;
4333 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4334 }
4335
e31f7633
MM		 4336 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
4337 chan->unacked_frames > 0)
4338 __set_retrans_timer(chan);
d5392c8f 4339
e31f7633 4340 /* Send pending iframes */
525cd185 4341 l2cap_ertm_send(chan);
d5392c8f 4342
e2ab4353 4343 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 4344 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
4345 /* F-bit wasn't sent in an s-frame or i-frame yet, so
4346 * send it now.
4347 */
4348 control.super = L2CAP_SUPER_RR;
4349 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4350 }
4351}
4352
84084a31
MM		 4353static void append_skb_frag(struct sk_buff *skb,
4354 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 4355{
84084a31
MM		 4356 /* skb->len reflects data in skb as well as all fragments
4357 * skb->data_len reflects only data in fragments
4358 */
4359 if (!skb_has_frag_list(skb))
4360 skb_shinfo(skb)->frag_list = new_frag;
4361
4362 new_frag->next = NULL;
4363
4364 (*last_frag)->next = new_frag;
4365 *last_frag = new_frag;
4366
4367 skb->len += new_frag->len;
4368 skb->data_len += new_frag->len;
4369 skb->truesize += new_frag->truesize;
4370}
4371
4b51dae9
MM		 4372static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
4373 struct l2cap_ctrl *control)
84084a31
MM		 4374{
4375 int err = -EINVAL;
18778a63 4376
4b51dae9 4377 switch (control->sar) {
7e0ef6ee 4378 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 4379 if (chan->sdu)
4380 break;
18778a63 4381
80b98027 4382 err = chan->ops->recv(chan, skb);
84084a31 4383 break;
18778a63 4384
7e0ef6ee 4385 case L2CAP_SAR_START:
84084a31
MM		 4386 if (chan->sdu)
4387 break;
18778a63 4388
6f61fd47 4389 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 4390 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 4391
84084a31
MM		 4392 if (chan->sdu_len > chan->imtu) {
4393 err = -EMSGSIZE;
4394 break;
4395 }
1890d36b 4396
84084a31
MM		 4397 if (skb->len >= chan->sdu_len)
4398 break;
18778a63 4399
84084a31
MM		 4400 chan->sdu = skb;
4401 chan->sdu_last_frag = skb;
18778a63 4402
84084a31
MM		 4403 skb = NULL;
4404 err = 0;
18778a63
GP		 4405 break;
4406
7e0ef6ee 4407 case L2CAP_SAR_CONTINUE:
6f61fd47 4408 if (!chan->sdu)
84084a31 4409 break;
18778a63 4410
84084a31
MM		 4411 append_skb_frag(chan->sdu, skb,
4412 &chan->sdu_last_frag);
4413 skb = NULL;
18778a63 4414
84084a31
MM		 4415 if (chan->sdu->len >= chan->sdu_len)
4416 break;
4178ba46 4417
84084a31 4418 err = 0;
18778a63
GP		 4419 break;
4420
7e0ef6ee 4421 case L2CAP_SAR_END:
6f61fd47 4422 if (!chan->sdu)
84084a31 4423 break;
18778a63 4424
84084a31
MM		 4425 append_skb_frag(chan->sdu, skb,
4426 &chan->sdu_last_frag);
4427 skb = NULL;
4178ba46 4428
84084a31
MM		 4429 if (chan->sdu->len != chan->sdu_len)
4430 break;
18778a63 4431
80b98027 4432 err = chan->ops->recv(chan, chan->sdu);
1890d36b 4433
84084a31
MM		 4434 if (!err) {
4435 /* Reassembly complete */
4436 chan->sdu = NULL;
4437 chan->sdu_last_frag = NULL;
4438 chan->sdu_len = 0;
1890d36b 4439 }
18778a63
GP		 4440 break;
4441 }
4442
84084a31
MM		 4443 if (err) {
4444 kfree_skb(skb);
4445 kfree_skb(chan->sdu);
4446 chan->sdu = NULL;
4447 chan->sdu_last_frag = NULL;
4448 chan->sdu_len = 0;
4449 }
18778a63 4450
84084a31 4451 return err;
18778a63
GP		 4452}
4453
61aa4f5b 4454void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 4455{
61aa4f5b 4456 u8 event;
712132eb 4457
61aa4f5b
MM		 4458 if (chan->mode != L2CAP_MODE_ERTM)
4459 return;
712132eb 4460
61aa4f5b 4461 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 4462 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 4463}
4464
d2a7ac5d
MM		 4465static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
4466{
63838725
MM		 4467 int err = 0;
4468 /* Pass sequential frames to l2cap_reassemble_sdu()
4469 * until a gap is encountered.
4470 */
4471
4472 BT_DBG("chan %p", chan);
4473
4474 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4475 struct sk_buff *skb;
4476 BT_DBG("Searching for skb with txseq %d (queue len %d)",
4477 chan->buffer_seq, skb_queue_len(&chan->srej_q));
4478
4479 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
4480
4481 if (!skb)
4482 break;
4483
4484 skb_unlink(skb, &chan->srej_q);
4485 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
4486 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
4487 if (err)
4488 break;
4489 }
4490
4491 if (skb_queue_empty(&chan->srej_q)) {
4492 chan->rx_state = L2CAP_RX_STATE_RECV;
4493 l2cap_send_ack(chan);
4494 }
4495
4496 return err;
d2a7ac5d
MM		 4497}
4498
4499static void l2cap_handle_srej(struct l2cap_chan *chan,
4500 struct l2cap_ctrl *control)
4501{
f80842a8
MM		 4502 struct sk_buff *skb;
4503
4504 BT_DBG("chan %p, control %p", chan, control);
4505
4506 if (control->reqseq == chan->next_tx_seq) {
4507 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4508 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4509 return;
4510 }
4511
4512 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4513
4514 if (skb == NULL) {
4515 BT_DBG("Seq %d not available for retransmission",
4516 control->reqseq);
4517 return;
4518 }
4519
4520 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
4521 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4522 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4523 return;
4524 }
4525
4526 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4527
4528 if (control->poll) {
4529 l2cap_pass_to_tx(chan, control);
4530
4531 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4532 l2cap_retransmit(chan, control);
4533 l2cap_ertm_send(chan);
4534
4535 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4536 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4537 chan->srej_save_reqseq = control->reqseq;
4538 }
4539 } else {
4540 l2cap_pass_to_tx_fbit(chan, control);
4541
4542 if (control->final) {
4543 if (chan->srej_save_reqseq != control->reqseq ||
4544 !test_and_clear_bit(CONN_SREJ_ACT,
4545 &chan->conn_state))
4546 l2cap_retransmit(chan, control);
4547 } else {
4548 l2cap_retransmit(chan, control);
4549 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4550 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4551 chan->srej_save_reqseq = control->reqseq;
4552 }
4553 }
4554 }
d2a7ac5d
MM		 4555}
4556
4557static void l2cap_handle_rej(struct l2cap_chan *chan,
4558 struct l2cap_ctrl *control)
4559{
fcd289df
MM		 4560 struct sk_buff *skb;
4561
4562 BT_DBG("chan %p, control %p", chan, control);
4563
4564 if (control->reqseq == chan->next_tx_seq) {
4565 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4566 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4567 return;
4568 }
4569
4570 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4571
4572 if (chan->max_tx && skb &&
4573 bt_cb(skb)->control.retries >= chan->max_tx) {
4574 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4575 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4576 return;
4577 }
4578
4579 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4580
4581 l2cap_pass_to_tx(chan, control);
4582
4583 if (control->final) {
4584 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
4585 l2cap_retransmit_all(chan, control);
4586 } else {
4587 l2cap_retransmit_all(chan, control);
4588 l2cap_ertm_send(chan);
4589 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
4590 set_bit(CONN_REJ_ACT, &chan->conn_state);
4591 }
d2a7ac5d
MM		 4592}
4593
4b51dae9
MM		 4594static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
4595{
4596 BT_DBG("chan %p, txseq %d", chan, txseq);
4597
4598 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
4599 chan->expected_tx_seq);
4600
4601 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
4602 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4603 chan->tx_win) {
4604 /* See notes below regarding "double poll" and
4605 * invalid packets.
4606 */
4607 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4608 BT_DBG("Invalid/Ignore - after SREJ");
4609 return L2CAP_TXSEQ_INVALID_IGNORE;
4610 } else {
4611 BT_DBG("Invalid - in window after SREJ sent");
4612 return L2CAP_TXSEQ_INVALID;
4613 }
4614 }
4615
4616 if (chan->srej_list.head == txseq) {
4617 BT_DBG("Expected SREJ");
4618 return L2CAP_TXSEQ_EXPECTED_SREJ;
4619 }
4620
4621 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
4622 BT_DBG("Duplicate SREJ - txseq already stored");
4623 return L2CAP_TXSEQ_DUPLICATE_SREJ;
4624 }
4625
4626 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
4627 BT_DBG("Unexpected SREJ - not requested");
4628 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
4629 }
4630 }
4631
4632 if (chan->expected_tx_seq == txseq) {
4633 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4634 chan->tx_win) {
4635 BT_DBG("Invalid - txseq outside tx window");
4636 return L2CAP_TXSEQ_INVALID;
4637 } else {
4638 BT_DBG("Expected");
4639 return L2CAP_TXSEQ_EXPECTED;
4640 }
4641 }
4642
4643 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
4644 __seq_offset(chan, chan->expected_tx_seq,
4645 chan->last_acked_seq)){
4646 BT_DBG("Duplicate - expected_tx_seq later than txseq");
4647 return L2CAP_TXSEQ_DUPLICATE;
4648 }
4649
4650 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
4651 /* A source of invalid packets is a "double poll" condition,
4652 * where delays cause us to send multiple poll packets. If
4653 * the remote stack receives and processes both polls,
4654 * sequence numbers can wrap around in such a way that a
4655 * resent frame has a sequence number that looks like new data
4656 * with a sequence gap. This would trigger an erroneous SREJ
4657 * request.
4658 *
4659 * Fortunately, this is impossible with a tx window that's
4660 * less than half of the maximum sequence number, which allows
4661 * invalid frames to be safely ignored.
4662 *
4663 * With tx window sizes greater than half of the tx window
4664 * maximum, the frame is invalid and cannot be ignored. This
4665 * causes a disconnect.
4666 */
4667
4668 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4669 BT_DBG("Invalid/Ignore - txseq outside tx window");
4670 return L2CAP_TXSEQ_INVALID_IGNORE;
4671 } else {
4672 BT_DBG("Invalid - txseq outside tx window");
4673 return L2CAP_TXSEQ_INVALID;
4674 }
4675 } else {
4676 BT_DBG("Unexpected - txseq indicates missing frames");
4677 return L2CAP_TXSEQ_UNEXPECTED;
4678 }
4679}
4680
d2a7ac5d
MM		 4681static int l2cap_rx_state_recv(struct l2cap_chan *chan,
4682 struct l2cap_ctrl *control,
4683 struct sk_buff *skb, u8 event)
4684{
4685 int err = 0;
4686 bool skb_in_use = 0;
4687
4688 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4689 event);
4690
4691 switch (event) {
4692 case L2CAP_EV_RECV_IFRAME:
4693 switch (l2cap_classify_txseq(chan, control->txseq)) {
4694 case L2CAP_TXSEQ_EXPECTED:
4695 l2cap_pass_to_tx(chan, control);
4696
4697 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4698 BT_DBG("Busy, discarding expected seq %d",
4699 control->txseq);
4700 break;
4701 }
4702
4703 chan->expected_tx_seq = __next_seq(chan,
4704 control->txseq);
4705
4706 chan->buffer_seq = chan->expected_tx_seq;
4707 skb_in_use = 1;
4708
4709 err = l2cap_reassemble_sdu(chan, skb, control);
4710 if (err)
4711 break;
4712
4713 if (control->final) {
4714 if (!test_and_clear_bit(CONN_REJ_ACT,
4715 &chan->conn_state)) {
4716 control->final = 0;
4717 l2cap_retransmit_all(chan, control);
4718 l2cap_ertm_send(chan);
4719 }
4720 }
4721
4722 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
4723 l2cap_send_ack(chan);
4724 break;
4725 case L2CAP_TXSEQ_UNEXPECTED:
4726 l2cap_pass_to_tx(chan, control);
4727
4728 /* Can't issue SREJ frames in the local busy state.
4729 * Drop this frame, it will be seen as missing
4730 * when local busy is exited.
4731 */
4732 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4733 BT_DBG("Busy, discarding unexpected seq %d",
4734 control->txseq);
4735 break;
4736 }
4737
4738 /* There was a gap in the sequence, so an SREJ
4739 * must be sent for each missing frame. The
4740 * current frame is stored for later use.
4741 */
4742 skb_queue_tail(&chan->srej_q, skb);
4743 skb_in_use = 1;
4744 BT_DBG("Queued %p (queue len %d)", skb,
4745 skb_queue_len(&chan->srej_q));
4746
4747 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
4748 l2cap_seq_list_clear(&chan->srej_list);
4749 l2cap_send_srej(chan, control->txseq);
4750
4751 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
4752 break;
4753 case L2CAP_TXSEQ_DUPLICATE:
4754 l2cap_pass_to_tx(chan, control);
4755 break;
4756 case L2CAP_TXSEQ_INVALID_IGNORE:
4757 break;
4758 case L2CAP_TXSEQ_INVALID:
4759 default:
4760 l2cap_send_disconn_req(chan->conn, chan,
4761 ECONNRESET);
4762 break;
4763 }
4764 break;
4765 case L2CAP_EV_RECV_RR:
4766 l2cap_pass_to_tx(chan, control);
4767 if (control->final) {
4768 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4769
4770 if (!test_and_clear_bit(CONN_REJ_ACT,
4771 &chan->conn_state)) {
4772 control->final = 0;
4773 l2cap_retransmit_all(chan, control);
4774 }
4775
4776 l2cap_ertm_send(chan);
4777 } else if (control->poll) {
4778 l2cap_send_i_or_rr_or_rnr(chan);
4779 } else {
4780 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4781 &chan->conn_state) &&
4782 chan->unacked_frames)
4783 __set_retrans_timer(chan);
4784
4785 l2cap_ertm_send(chan);
4786 }
4787 break;
4788 case L2CAP_EV_RECV_RNR:
4789 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4790 l2cap_pass_to_tx(chan, control);
4791 if (control && control->poll) {
4792 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4793 l2cap_send_rr_or_rnr(chan, 0);
4794 }
4795 __clear_retrans_timer(chan);
4796 l2cap_seq_list_clear(&chan->retrans_list);
4797 break;
4798 case L2CAP_EV_RECV_REJ:
4799 l2cap_handle_rej(chan, control);
4800 break;
4801 case L2CAP_EV_RECV_SREJ:
4802 l2cap_handle_srej(chan, control);
4803 break;
4804 default:
4805 break;
4806 }
4807
4808 if (skb && !skb_in_use) {
4809 BT_DBG("Freeing %p", skb);
4810 kfree_skb(skb);
4811 }
4812
4813 return err;
4814}
4815
4816static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
4817 struct l2cap_ctrl *control,
4818 struct sk_buff *skb, u8 event)
4819{
4820 int err = 0;
4821 u16 txseq = control->txseq;
4822 bool skb_in_use = 0;
4823
4824 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4825 event);
4826
4827 switch (event) {
4828 case L2CAP_EV_RECV_IFRAME:
4829 switch (l2cap_classify_txseq(chan, txseq)) {
4830 case L2CAP_TXSEQ_EXPECTED:
4831 /* Keep frame for reassembly later */
4832 l2cap_pass_to_tx(chan, control);
4833 skb_queue_tail(&chan->srej_q, skb);
4834 skb_in_use = 1;
4835 BT_DBG("Queued %p (queue len %d)", skb,
4836 skb_queue_len(&chan->srej_q));
4837
4838 chan->expected_tx_seq = __next_seq(chan, txseq);
4839 break;
4840 case L2CAP_TXSEQ_EXPECTED_SREJ:
4841 l2cap_seq_list_pop(&chan->srej_list);
4842
4843 l2cap_pass_to_tx(chan, control);
4844 skb_queue_tail(&chan->srej_q, skb);
4845 skb_in_use = 1;
4846 BT_DBG("Queued %p (queue len %d)", skb,
4847 skb_queue_len(&chan->srej_q));
4848
4849 err = l2cap_rx_queued_iframes(chan);
4850 if (err)
4851 break;
4852
4853 break;
4854 case L2CAP_TXSEQ_UNEXPECTED:
4855 /* Got a frame that can't be reassembled yet.
4856 * Save it for later, and send SREJs to cover
4857 * the missing frames.
4858 */
4859 skb_queue_tail(&chan->srej_q, skb);
4860 skb_in_use = 1;
4861 BT_DBG("Queued %p (queue len %d)", skb,
4862 skb_queue_len(&chan->srej_q));
4863
4864 l2cap_pass_to_tx(chan, control);
4865 l2cap_send_srej(chan, control->txseq);
4866 break;
4867 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
4868 /* This frame was requested with an SREJ, but
4869 * some expected retransmitted frames are
4870 * missing. Request retransmission of missing
4871 * SREJ'd frames.
4872 */
4873 skb_queue_tail(&chan->srej_q, skb);
4874 skb_in_use = 1;
4875 BT_DBG("Queued %p (queue len %d)", skb,
4876 skb_queue_len(&chan->srej_q));
4877
4878 l2cap_pass_to_tx(chan, control);
4879 l2cap_send_srej_list(chan, control->txseq);
4880 break;
4881 case L2CAP_TXSEQ_DUPLICATE_SREJ:
4882 /* We've already queued this frame. Drop this copy. */
4883 l2cap_pass_to_tx(chan, control);
4884 break;
4885 case L2CAP_TXSEQ_DUPLICATE:
4886 /* Expecting a later sequence number, so this frame
4887 * was already received. Ignore it completely.
4888 */
4889 break;
4890 case L2CAP_TXSEQ_INVALID_IGNORE:
4891 break;
4892 case L2CAP_TXSEQ_INVALID:
4893 default:
4894 l2cap_send_disconn_req(chan->conn, chan,
4895 ECONNRESET);
4896 break;
4897 }
4898 break;
4899 case L2CAP_EV_RECV_RR:
4900 l2cap_pass_to_tx(chan, control);
4901 if (control->final) {
4902 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4903
4904 if (!test_and_clear_bit(CONN_REJ_ACT,
4905 &chan->conn_state)) {
4906 control->final = 0;
4907 l2cap_retransmit_all(chan, control);
4908 }
4909
4910 l2cap_ertm_send(chan);
4911 } else if (control->poll) {
4912 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4913 &chan->conn_state) &&
4914 chan->unacked_frames) {
4915 __set_retrans_timer(chan);
4916 }
4917
4918 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4919 l2cap_send_srej_tail(chan);
4920 } else {
4921 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4922 &chan->conn_state) &&
4923 chan->unacked_frames)
4924 __set_retrans_timer(chan);
4925
4926 l2cap_send_ack(chan);
4927 }
4928 break;
4929 case L2CAP_EV_RECV_RNR:
4930 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4931 l2cap_pass_to_tx(chan, control);
4932 if (control->poll) {
4933 l2cap_send_srej_tail(chan);
4934 } else {
4935 struct l2cap_ctrl rr_control;
4936 memset(&rr_control, 0, sizeof(rr_control));
4937 rr_control.sframe = 1;
4938 rr_control.super = L2CAP_SUPER_RR;
4939 rr_control.reqseq = chan->buffer_seq;
4940 l2cap_send_sframe(chan, &rr_control);
4941 }
4942
4943 break;
4944 case L2CAP_EV_RECV_REJ:
4945 l2cap_handle_rej(chan, control);
4946 break;
4947 case L2CAP_EV_RECV_SREJ:
4948 l2cap_handle_srej(chan, control);
4949 break;
4950 }
4951
4952 if (skb && !skb_in_use) {
4953 BT_DBG("Freeing %p", skb);
4954 kfree_skb(skb);
4955 }
4956
4957 return err;
4958}
4959
4960static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
4961{
4962 /* Make sure reqseq is for a packet that has been sent but not acked */
4963 u16 unacked;
4964
4965 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
4966 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
4967}
4968
cec8ab6e
MM		 4969static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
4970 struct sk_buff *skb, u8 event)
218bb9df 4971{
d2a7ac5d
MM		 4972 int err = 0;
4973
4974 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
4975 control, skb, event, chan->rx_state);
4976
4977 if (__valid_reqseq(chan, control->reqseq)) {
4978 switch (chan->rx_state) {
4979 case L2CAP_RX_STATE_RECV:
4980 err = l2cap_rx_state_recv(chan, control, skb, event);
4981 break;
4982 case L2CAP_RX_STATE_SREJ_SENT:
4983 err = l2cap_rx_state_srej_sent(chan, control, skb,
4984 event);
4985 break;
4986 default:
4987 /* shut it down */
4988 break;
4989 }
4990 } else {
4991 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
4992 control->reqseq, chan->next_tx_seq,
4993 chan->expected_ack_seq);
4994 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4995 }
4996
4997 return err;
cec8ab6e
MM		 4998}
4999
5000static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5001 struct sk_buff *skb)
5002{
4b51dae9
MM		 5003 int err = 0;
5004
5005 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
5006 chan->rx_state);
5007
5008 if (l2cap_classify_txseq(chan, control->txseq) ==
5009 L2CAP_TXSEQ_EXPECTED) {
5010 l2cap_pass_to_tx(chan, control);
5011
5012 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
5013 __next_seq(chan, chan->buffer_seq));
5014
5015 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5016
5017 l2cap_reassemble_sdu(chan, skb, control);
5018 } else {
5019 if (chan->sdu) {
5020 kfree_skb(chan->sdu);
5021 chan->sdu = NULL;
5022 }
5023 chan->sdu_last_frag = NULL;
5024 chan->sdu_len = 0;
5025
5026 if (skb) {
5027 BT_DBG("Freeing %p", skb);
5028 kfree_skb(skb);
5029 }
5030 }
5031
5032 chan->last_acked_seq = control->txseq;
5033 chan->expected_tx_seq = __next_seq(chan, control->txseq);
5034
5035 return err;
cec8ab6e
MM		 5036}
5037
5038static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
5039{
5040 struct l2cap_ctrl *control = &bt_cb(skb)->control;
5041 u16 len;
5042 u8 event;
218bb9df 5043
b76bbd66
MM		 5044 __unpack_control(chan, skb);
5045
218bb9df
GP		 5046 len = skb->len;
5047
5048 /*
5049 * We can just drop the corrupted I-frame here.
5050 * Receiver will miss it and start proper recovery
cec8ab6e 5051 * procedures and ask for retransmission.
218bb9df 5052 */
47d1ec61 5053 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 5054 goto drop;
5055
cec8ab6e 5056 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 5057 len -= L2CAP_SDULEN_SIZE;
218bb9df 5058
47d1ec61 5059 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 5060 len -= L2CAP_FCS_SIZE;
218bb9df 5061
47d1ec61 5062 if (len > chan->mps) {
8c1d787b 5063 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5064 goto drop;
5065 }
5066
cec8ab6e
MM		 5067 if (!control->sframe) {
5068 int err;
218bb9df 5069
cec8ab6e
MM		 5070 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
5071 control->sar, control->reqseq, control->final,
5072 control->txseq);
218bb9df 5073
cec8ab6e
MM		 5074 /* Validate F-bit - F=0 always valid, F=1 only
5075 * valid in TX WAIT_F
5076 */
5077 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 5078 goto drop;
cec8ab6e
MM		 5079
5080 if (chan->mode != L2CAP_MODE_STREAMING) {
5081 event = L2CAP_EV_RECV_IFRAME;
5082 err = l2cap_rx(chan, control, skb, event);
5083 } else {
5084 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 5085 }
5086
cec8ab6e
MM		 5087 if (err)
5088 l2cap_send_disconn_req(chan->conn, chan,
5089 ECONNRESET);
218bb9df 5090 } else {
cec8ab6e
MM		 5091 const u8 rx_func_to_event[4] = {
5092 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
5093 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
5094 };
5095
5096 /* Only I-frames are expected in streaming mode */
5097 if (chan->mode == L2CAP_MODE_STREAMING)
5098 goto drop;
5099
5100 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
5101 control->reqseq, control->final, control->poll,
5102 control->super);
5103
218bb9df
GP		 5104 if (len != 0) {
5105 BT_ERR("%d", len);
8c1d787b 5106 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5107 goto drop;
5108 }
5109
cec8ab6e
MM		 5110 /* Validate F and P bits */
5111 if (control->final && (control->poll ||
5112 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
5113 goto drop;
5114
5115 event = rx_func_to_event[control->super];
5116 if (l2cap_rx(chan, control, skb, event))
5117 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5118 }
5119
5120 return 0;
5121
5122drop:
5123 kfree_skb(skb);
5124 return 0;
5125}
5126
13ca56e0
AE		 5127static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
5128 struct sk_buff *skb)
1da177e4 5129{
48454079 5130 struct l2cap_chan *chan;
1da177e4 5131
baa7e1fa 5132 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 5133 if (!chan) {
97e8e89d
AE		 5134 if (cid == L2CAP_CID_A2MP) {
5135 chan = a2mp_channel_create(conn, skb);
5136 if (!chan) {
5137 kfree_skb(skb);
13ca56e0 5138 return;
97e8e89d
AE		 5139 }
5140
5141 l2cap_chan_lock(chan);
5142 } else {
5143 BT_DBG("unknown cid 0x%4.4x", cid);
5144 /* Drop packet and return */
5145 kfree_skb(skb);
13ca56e0 5146 return;
97e8e89d 5147 }
1da177e4
LT		 5148 }
5149
49208c9c 5150 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5151
89bc500e 5152 if (chan->state != BT_CONNECTED)
1da177e4
LT		 5153 goto drop;
5154
0c1bc5c6 5155 switch (chan->mode) {
1c2acffb
GP		 5156 case L2CAP_MODE_BASIC:
5157 /* If socket recv buffers overflows we drop data here
5158 * which is *bad* because L2CAP has to be reliable.
5159 * But we don't have any other choice. L2CAP doesn't
5160 * provide flow control mechanism. */
1da177e4 5161
0c1bc5c6 5162 if (chan->imtu < skb->len)
1c2acffb 5163 goto drop;
1da177e4 5164
80b98027 5165 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 5166 goto done;
5167 break;
5168
5169 case L2CAP_MODE_ERTM:
6840ed07 5170 case L2CAP_MODE_STREAMING:
cec8ab6e 5171 l2cap_data_rcv(chan, skb);
6840ed07
GP		 5172 goto done;
5173
1c2acffb 5174 default:
0c1bc5c6 5175 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 5176 break;
5177 }
1da177e4
LT		 5178
5179drop:
5180 kfree_skb(skb);
5181
5182done:
6be36555 5183 l2cap_chan_unlock(chan);
1da177e4
LT		 5184}
5185
84104b24
AE		 5186static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
5187 struct sk_buff *skb)
1da177e4 5188{
23691d75 5189 struct l2cap_chan *chan;
1da177e4 5190
c2287681 5191 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 5192 if (!chan)
1da177e4
LT		 5193 goto drop;
5194
5b4cedaa 5195 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5196
89bc500e 5197 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 5198 goto drop;
5199
e13e21dc 5200 if (chan->imtu < skb->len)
1da177e4
LT		 5201 goto drop;
5202
80b98027 5203 if (!chan->ops->recv(chan, skb))
84104b24 5204 return;
1da177e4
LT		 5205
5206drop:
5207 kfree_skb(skb);
1da177e4
LT		 5208}
5209
6810fca7
AE		 5210static void l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
5211 struct sk_buff *skb)
9f69bda6 5212{
23691d75 5213 struct l2cap_chan *chan;
9f69bda6 5214
c2287681 5215 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 5216 if (!chan)
9f69bda6
GP		 5217 goto drop;
5218
5b4cedaa 5219 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 5220
89bc500e 5221 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 5222 goto drop;
5223
e13e21dc 5224 if (chan->imtu < skb->len)
9f69bda6
GP		 5225 goto drop;
5226
80b98027 5227 if (!chan->ops->recv(chan, skb))
6810fca7 5228 return;
9f69bda6
GP		 5229
5230drop:
5231 kfree_skb(skb);
9f69bda6
GP		 5232}
5233
1da177e4
LT		 5234static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
5235{
5236 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 5237 u16 cid, len;
5238 __le16 psm;
1da177e4
LT		 5239
5240 skb_pull(skb, L2CAP_HDR_SIZE);
5241 cid = __le16_to_cpu(lh->cid);
5242 len = __le16_to_cpu(lh->len);
5243
1c2acffb
GP		 5244 if (len != skb->len) {
5245 kfree_skb(skb);
5246 return;
5247 }
5248
1da177e4
LT		 5249 BT_DBG("len %d, cid 0x%4.4x", len, cid);
5250
5251 switch (cid) {
3300d9a9 5252 case L2CAP_CID_LE_SIGNALING:
8db4dc46 5253 case L2CAP_CID_SIGNALING:
1da177e4
LT		 5254 l2cap_sig_channel(conn, skb);
5255 break;
5256
8db4dc46 5257 case L2CAP_CID_CONN_LESS:
097db76c 5258 psm = get_unaligned((__le16 *) skb->data);
0181a70f 5259 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 5260 l2cap_conless_channel(conn, psm, skb);
5261 break;
5262
9f69bda6
GP		 5263 case L2CAP_CID_LE_DATA:
5264 l2cap_att_channel(conn, cid, skb);
5265 break;
5266
b501d6a1
AB		 5267 case L2CAP_CID_SMP:
5268 if (smp_sig_channel(conn, skb))
5269 l2cap_conn_del(conn->hcon, EACCES);
5270 break;
5271
1da177e4
LT		 5272 default:
5273 l2cap_data_channel(conn, cid, skb);
5274 break;
5275 }
5276}
5277
5278/* ---- L2CAP interface with lower layer (HCI) ---- */
5279
686ebf28 5280int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 5281{
5282 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 5283 struct l2cap_chan *c;
1da177e4 5284
1da177e4
LT		 5285 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
5286
5287 /* Find listening sockets and check their link_mode */
23691d75
GP		 5288 read_lock(&chan_list_lock);
5289 list_for_each_entry(c, &chan_list, global_l) {
5290 struct sock *sk = c->sk;
4343478f 5291
89bc500e 5292 if (c->state != BT_LISTEN)
1da177e4
LT		 5293 continue;
5294
5295 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 5296 lm1 |= HCI_LM_ACCEPT;
43bd0f32 5297 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 5298 lm1 |= HCI_LM_MASTER;
1da177e4 5299 exact++;
2af6b9d5
MH		 5300 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
5301 lm2 |= HCI_LM_ACCEPT;
43bd0f32 5302 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 5303 lm2 |= HCI_LM_MASTER;
5304 }
1da177e4 5305 }
23691d75 5306 read_unlock(&chan_list_lock);
1da177e4
LT		 5307
5308 return exact ? lm1 : lm2;
5309}
5310
686ebf28 5311int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 5312{
0139418c
MH		 5313 struct l2cap_conn *conn;
5314
1da177e4
LT		 5315 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
5316
1da177e4 5317 if (!status) {
1da177e4
LT		 5318 conn = l2cap_conn_add(hcon, status);
5319 if (conn)
5320 l2cap_conn_ready(conn);
0139418c 5321 } else
e175072f 5322 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 5323
5324 return 0;
5325}
5326
686ebf28 5327int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 5328{
5329 struct l2cap_conn *conn = hcon->l2cap_data;
5330
5331 BT_DBG("hcon %p", hcon);
5332
686ebf28 5333 if (!conn)
9f5a0d7b 5334 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 5335 return conn->disc_reason;
5336}
5337
686ebf28 5338int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 5339{
5340 BT_DBG("hcon %p reason %d", hcon, reason);
5341
e175072f 5342 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 5343 return 0;
5344}
5345
4343478f 5346static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 5347{
715ec005 5348 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 5349 return;
5350
f62e4323 5351 if (encrypt == 0x00) {
4343478f 5352 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 5353 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 5354 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 5355 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 5356 } else {
4343478f 5357 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 5358 __clear_chan_timer(chan);
f62e4323
MH		 5359 }
5360}
5361
686ebf28 5362int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 5363{
0139418c 5364 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 5365 struct l2cap_chan *chan;
1da177e4 5366
0139418c 5367 if (!conn)
1da177e4 5368 return 0;
0139418c 5369
1da177e4
LT		 5370 BT_DBG("conn %p", conn);
5371
160dc6ac 5372 if (hcon->type == LE_LINK) {
35d4adcc
HG		 5373 if (!status && encrypt)
5374 smp_distribute_keys(conn, 0);
17cd3f37 5375 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 5376 }
5377
3df91ea2 5378 mutex_lock(&conn->chan_lock);
1da177e4 5379
3df91ea2 5380 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 5381 l2cap_chan_lock(chan);
1da177e4 5382
f1cb9af5
VCG		 5383 BT_DBG("chan->scid %d", chan->scid);
5384
5385 if (chan->scid == L2CAP_CID_LE_DATA) {
5386 if (!status && encrypt) {
5387 chan->sec_level = hcon->sec_level;
cf4cd009 5388 l2cap_chan_ready(chan);
f1cb9af5
VCG		 5389 }
5390
6be36555 5391 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 5392 continue;
5393 }
5394
c1360a1c 5395 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6be36555 5396 l2cap_chan_unlock(chan);
6a8d3010
MH		 5397 continue;
5398 }
5399
89bc500e
GP		 5400 if (!status && (chan->state == BT_CONNECTED ||
5401 chan->state == BT_CONFIG)) {
a7d7723a
GP		 5402 struct sock *sk = chan->sk;
5403
c5daa683 5404 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 5405 sk->sk_state_change(sk);
5406
4343478f 5407 l2cap_check_encryption(chan, encrypt);
6be36555 5408 l2cap_chan_unlock(chan);
9719f8af
MH		 5409 continue;
5410 }
5411
89bc500e 5412 if (chan->state == BT_CONNECT) {
b1235d79 5413 if (!status) {
9b27f350 5414 l2cap_send_conn_req(chan);
b1235d79 5415 } else {
ba13ccd9 5416 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 5417 }
89bc500e 5418 } else if (chan->state == BT_CONNECT2) {
6be36555 5419 struct sock *sk = chan->sk;
b1235d79 5420 struct l2cap_conn_rsp rsp;
df3c3931 5421 __u16 res, stat;
1da177e4 5422
6be36555
AE		 5423 lock_sock(sk);
5424
b1235d79 5425 if (!status) {
c5daa683
GP		 5426 if (test_bit(BT_SK_DEFER_SETUP,
5427 &bt_sk(sk)->flags)) {
df3c3931
JH		 5428 struct sock *parent = bt_sk(sk)->parent;
5429 res = L2CAP_CR_PEND;
5430 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 5431 if (parent)
5432 parent->sk_data_ready(parent, 0);
df3c3931 5433 } else {
0e587be7 5434 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 5435 res = L2CAP_CR_SUCCESS;
5436 stat = L2CAP_CS_NO_INFO;
5437 }
b1235d79 5438 } else {
0e587be7 5439 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 5440 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 5441 res = L2CAP_CR_SEC_BLOCK;
5442 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 5443 }
5444
6be36555
AE		 5445 release_sock(sk);
5446
fe4128e0
GP		 5447 rsp.scid = cpu_to_le16(chan->dcid);
5448 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 5449 rsp.result = cpu_to_le16(res);
5450 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 5451 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
5452 sizeof(rsp), &rsp);
2d369359
MM		 5453
5454 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
5455 res == L2CAP_CR_SUCCESS) {
5456 char buf[128];
5457 set_bit(CONF_REQ_SENT, &chan->conf_state);
5458 l2cap_send_cmd(conn, l2cap_get_ident(conn),
5459 L2CAP_CONF_REQ,
5460 l2cap_build_conf_req(chan, buf),
5461 buf);
5462 chan->num_conf_req++;
5463 }
b1235d79 5464 }
1da177e4 5465
6be36555 5466 l2cap_chan_unlock(chan);
1da177e4
LT		 5467 }
5468
3df91ea2 5469 mutex_unlock(&conn->chan_lock);
b1235d79 5470
1da177e4
LT		 5471 return 0;
5472}
5473
686ebf28 5474int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 5475{
5476 struct l2cap_conn *conn = hcon->l2cap_data;
5477
5a08ecce
AE		 5478 if (!conn)
5479 conn = l2cap_conn_add(hcon, 0);
5480
5481 if (!conn)
1da177e4
LT		 5482 goto drop;
5483
5484 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
5485
e702112f 5486 if (!(flags & ACL_CONT)) {
1da177e4
LT		 5487 struct l2cap_hdr *hdr;
5488 int len;
5489
5490 if (conn->rx_len) {
5491 BT_ERR("Unexpected start frame (len %d)", skb->len);
5492 kfree_skb(conn->rx_skb);
5493 conn->rx_skb = NULL;
5494 conn->rx_len = 0;
5495 l2cap_conn_unreliable(conn, ECOMM);
5496 }
5497
aae7fe22
AE		 5498 /* Start fragment always begin with Basic L2CAP header */
5499 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 5500 BT_ERR("Frame is too short (len %d)", skb->len);
5501 l2cap_conn_unreliable(conn, ECOMM);
5502 goto drop;
5503 }
5504
5505 hdr = (struct l2cap_hdr *) skb->data;
5506 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
5507
5508 if (len == skb->len) {
5509 /* Complete frame received */
5510 l2cap_recv_frame(conn, skb);
5511 return 0;
5512 }
5513
5514 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
5515
5516 if (skb->len > len) {
5517 BT_ERR("Frame is too long (len %d, expected len %d)",
5518 skb->len, len);
5519 l2cap_conn_unreliable(conn, ECOMM);
5520 goto drop;
5521 }
5522
5523 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 5524 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
5525 if (!conn->rx_skb)
1da177e4
LT		 5526 goto drop;
5527
d626f62b 5528 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5529 skb->len);
1da177e4
LT		 5530 conn->rx_len = len - skb->len;
5531 } else {
5532 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
5533
5534 if (!conn->rx_len) {
5535 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
5536 l2cap_conn_unreliable(conn, ECOMM);
5537 goto drop;
5538 }
5539
5540 if (skb->len > conn->rx_len) {
5541 BT_ERR("Fragment is too long (len %d, expected %d)",
5542 skb->len, conn->rx_len);
5543 kfree_skb(conn->rx_skb);
5544 conn->rx_skb = NULL;
5545 conn->rx_len = 0;
5546 l2cap_conn_unreliable(conn, ECOMM);
5547 goto drop;
5548 }
5549
d626f62b 5550 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5551 skb->len);
1da177e4
LT		 5552 conn->rx_len -= skb->len;
5553
5554 if (!conn->rx_len) {
5555 /* Complete frame received */
5556 l2cap_recv_frame(conn, conn->rx_skb);
5557 conn->rx_skb = NULL;
5558 }
5559 }
5560
5561drop:
5562 kfree_skb(skb);
5563 return 0;
5564}
5565
aef7d97c 5566static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 5567{
23691d75 5568 struct l2cap_chan *c;
1da177e4 5569
333055f2 5570 read_lock(&chan_list_lock);
1da177e4 5571
23691d75
GP		 5572 list_for_each_entry(c, &chan_list, global_l) {
5573 struct sock *sk = c->sk;
101545f6 5574
903d343e 5575 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 5576 batostr(&bt_sk(sk)->src),
5577 batostr(&bt_sk(sk)->dst),
89bc500e 5578 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 5579 c->scid, c->dcid, c->imtu, c->omtu,
5580 c->sec_level, c->mode);
61e1b4b7 5581 }
1da177e4 5582
333055f2 5583 read_unlock(&chan_list_lock);
1da177e4 5584
aef7d97c 5585 return 0;
1da177e4
LT		 5586}
5587
aef7d97c
MH		 5588static int l2cap_debugfs_open(struct inode *inode, struct file *file)
5589{
5590 return single_open(file, l2cap_debugfs_show, inode->i_private);
5591}
5592
5593static const struct file_operations l2cap_debugfs_fops = {
5594 .open = l2cap_debugfs_open,
5595 .read = seq_read,
5596 .llseek = seq_lseek,
5597 .release = single_release,
5598};
5599
5600static struct dentry *l2cap_debugfs;
1da177e4 5601
64274518 5602int __init l2cap_init(void)
1da177e4
LT		 5603{
5604 int err;
be9d1227 5605
bb58f747 5606 err = l2cap_init_sockets();
1da177e4
LT		 5607 if (err < 0)
5608 return err;
5609
aef7d97c
MH		 5610 if (bt_debugfs) {
5611 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
5612 bt_debugfs, NULL, &l2cap_debugfs_fops);
5613 if (!l2cap_debugfs)
5614 BT_ERR("Failed to create L2CAP debug file");
5615 }
1da177e4 5616
1da177e4 5617 return 0;
1da177e4
LT		 5618}
5619
64274518 5620void l2cap_exit(void)
1da177e4 5621{
aef7d97c 5622 debugfs_remove(l2cap_debugfs);
bb58f747 5623 l2cap_cleanup_sockets();
1da177e4
LT		 5624}
5625
d1c4a17d
GP		 5626module_param(disable_ertm, bool, 0644);
5627MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)