projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Move check for backlog size to l2cap_sock.c
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
b501d6a1 39#include <net/bluetooth/smp.h>
1da177e4 40
d1de6d46 41bool disable_ertm;
f0709e03 42
47ec1dcd 43static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 44static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 45
b5ad8b7f
JB		 46static LIST_HEAD(chan_list);
47static DEFINE_RWLOCK(chan_list_lock);
1da177e4 48
1da177e4
LT		 49static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
50 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 51static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
52 void *data);
710f9b0a 53static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a 54static void l2cap_send_disconn_req(struct l2cap_conn *conn,
c5daa683 55 struct l2cap_chan *chan, int err);
1da177e4 56
d660366d 57static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
608bcc6d
MM		 58 struct sk_buff_head *skbs, u8 event);
59
0139418c 60/* ---- L2CAP channels ---- */
71ba0e56 61
baa7e1fa 62static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 63{
3df91ea2 64 struct l2cap_chan *c;
3d57dc68 65
3df91ea2
AE		 66 list_for_each_entry(c, &conn->chan_l, list) {
67 if (c->dcid == cid)
68 return c;
0139418c 69 }
3df91ea2 70 return NULL;
0139418c
MH		 71}
72
baa7e1fa 73static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 74{
3df91ea2 75 struct l2cap_chan *c;
3d57dc68 76
3df91ea2
AE		 77 list_for_each_entry(c, &conn->chan_l, list) {
78 if (c->scid == cid)
79 return c;
0139418c 80 }
3df91ea2 81 return NULL;
0139418c
MH		 82}
83
84/* Find channel with given SCID.
ef191ade 85 * Returns locked channel. */
baa7e1fa 86static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 87{
48454079 88 struct l2cap_chan *c;
baa7e1fa 89
3df91ea2 90 mutex_lock(&conn->chan_lock);
baa7e1fa 91 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 92 if (c)
93 l2cap_chan_lock(c);
3df91ea2
AE		 94 mutex_unlock(&conn->chan_lock);
95
48454079 96 return c;
0139418c
MH		 97}
98
baa7e1fa 99static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 100{
3df91ea2 101 struct l2cap_chan *c;
3d57dc68 102
3df91ea2
AE		 103 list_for_each_entry(c, &conn->chan_l, list) {
104 if (c->ident == ident)
105 return c;
0139418c 106 }
3df91ea2 107 return NULL;
0139418c
MH		 108}
109
23691d75 110static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 111{
23691d75 112 struct l2cap_chan *c;
9e4425ff 113
23691d75
GP		 114 list_for_each_entry(c, &chan_list, global_l) {
115 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 116 return c;
9e4425ff 117 }
250938cb 118 return NULL;
9e4425ff
GP		 119}
120
121int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
122{
73b2ec18
GP		 123 int err;
124
333055f2 125 write_lock(&chan_list_lock);
9e4425ff 126
23691d75 127 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 128 err = -EADDRINUSE;
129 goto done;
9e4425ff
GP		 130 }
131
73b2ec18
GP		 132 if (psm) {
133 chan->psm = psm;
134 chan->sport = psm;
135 err = 0;
136 } else {
137 u16 p;
138
139 err = -EINVAL;
140 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 141 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 142 chan->psm = cpu_to_le16(p);
143 chan->sport = cpu_to_le16(p);
144 err = 0;
145 break;
146 }
147 }
9e4425ff 148
73b2ec18 149done:
333055f2 150 write_unlock(&chan_list_lock);
73b2ec18 151 return err;
9e4425ff
GP		 152}
153
154int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
155{
333055f2 156 write_lock(&chan_list_lock);
9e4425ff
GP		 157
158 chan->scid = scid;
159
333055f2 160 write_unlock(&chan_list_lock);
9e4425ff
GP		 161
162 return 0;
163}
164
baa7e1fa 165static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 166{
8db4dc46 167 u16 cid = L2CAP_CID_DYN_START;
0139418c 168
8db4dc46 169 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 170 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 171 return cid;
172 }
173
174 return 0;
175}
176
0e587be7 177static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 178{
42d2d87c 179 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
badaaa00
GP		 180 state_to_string(state));
181
89bc500e 182 chan->state = state;
80b98027 183 chan->ops->state_change(chan, state);
89bc500e
GP		 184}
185
0e587be7
AE		 186static void l2cap_state_change(struct l2cap_chan *chan, int state)
187{
188 struct sock *sk = chan->sk;
189
190 lock_sock(sk);
191 __l2cap_state_change(chan, state);
192 release_sock(sk);
193}
194
2e0052e4
AE		 195static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
196{
197 struct sock *sk = chan->sk;
198
199 sk->sk_err = err;
200}
201
202static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
203{
204 struct sock *sk = chan->sk;
205
206 lock_sock(sk);
207 __l2cap_chan_set_err(chan, err);
208 release_sock(sk);
209}
210
4239d16f
MM		 211static void __set_retrans_timer(struct l2cap_chan *chan)
212{
213 if (!delayed_work_pending(&chan->monitor_timer) &&
214 chan->retrans_timeout) {
215 l2cap_set_timer(chan, &chan->retrans_timer,
216 msecs_to_jiffies(chan->retrans_timeout));
217 }
218}
219
220static void __set_monitor_timer(struct l2cap_chan *chan)
221{
222 __clear_retrans_timer(chan);
223 if (chan->monitor_timeout) {
224 l2cap_set_timer(chan, &chan->monitor_timer,
225 msecs_to_jiffies(chan->monitor_timeout));
226 }
227}
228
608bcc6d
MM		 229static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
230 u16 seq)
231{
232 struct sk_buff *skb;
233
234 skb_queue_walk(head, skb) {
235 if (bt_cb(skb)->control.txseq == seq)
236 return skb;
237 }
238
239 return NULL;
240}
241
3c588192
MM		 242/* ---- L2CAP sequence number lists ---- */
243
244/* For ERTM, ordered lists of sequence numbers must be tracked for
245 * SREJ requests that are received and for frames that are to be
246 * retransmitted. These seq_list functions implement a singly-linked
247 * list in an array, where membership in the list can also be checked
248 * in constant time. Items can also be added to the tail of the list
249 * and removed from the head in constant time, without further memory
250 * allocs or frees.
251 */
252
253static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
254{
255 size_t alloc_size, i;
256
257 /* Allocated size is a power of 2 to map sequence numbers
258 * (which may be up to 14 bits) in to a smaller array that is
259 * sized for the negotiated ERTM transmit windows.
260 */
261 alloc_size = roundup_pow_of_two(size);
262
263 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
264 if (!seq_list->list)
265 return -ENOMEM;
266
267 seq_list->mask = alloc_size - 1;
268 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
269 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
270 for (i = 0; i < alloc_size; i++)
271 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
272
273 return 0;
274}
275
276static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
277{
278 kfree(seq_list->list);
279}
280
281static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
282 u16 seq)
283{
284 /* Constant-time check for list membership */
285 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
286}
287
288static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
289{
290 u16 mask = seq_list->mask;
291
292 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
293 /* In case someone tries to pop the head of an empty list */
294 return L2CAP_SEQ_LIST_CLEAR;
295 } else if (seq_list->head == seq) {
296 /* Head can be removed in constant time */
297 seq_list->head = seq_list->list[seq & mask];
298 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
299
300 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
301 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
302 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
303 }
304 } else {
305 /* Walk the list to find the sequence number */
306 u16 prev = seq_list->head;
307 while (seq_list->list[prev & mask] != seq) {
308 prev = seq_list->list[prev & mask];
309 if (prev == L2CAP_SEQ_LIST_TAIL)
310 return L2CAP_SEQ_LIST_CLEAR;
311 }
312
313 /* Unlink the number from the list and clear it */
314 seq_list->list[prev & mask] = seq_list->list[seq & mask];
315 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
316 if (seq_list->tail == seq)
317 seq_list->tail = prev;
318 }
319 return seq;
320}
321
322static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
323{
324 /* Remove the head in constant time */
325 return l2cap_seq_list_remove(seq_list, seq_list->head);
326}
327
328static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
329{
f522ae36 330 u16 i;
3c588192 331
f522ae36
GP		 332 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
333 return;
334
335 for (i = 0; i <= seq_list->mask; i++)
336 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
337
338 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
339 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 340}
341
342static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
343{
344 u16 mask = seq_list->mask;
345
346 /* All appends happen in constant time */
347
f522ae36
GP		 348 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
349 return;
3c588192 350
f522ae36
GP		 351 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
352 seq_list->head = seq;
353 else
354 seq_list->list[seq_list->tail & mask] = seq;
355
356 seq_list->tail = seq;
357 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 358}
359
721c4181 360static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 361{
721c4181
GP		 362 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
363 chan_timer.work);
3df91ea2 364 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 365 int reason;
366
e05dcc32 367 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 368
3df91ea2 369 mutex_lock(&conn->chan_lock);
6be36555 370 l2cap_chan_lock(chan);
ab07801d 371
89bc500e 372 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 373 reason = ECONNREFUSED;
89bc500e 374 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 375 chan->sec_level != BT_SECURITY_SDP)
376 reason = ECONNREFUSED;
377 else
378 reason = ETIMEDOUT;
379
0f852724 380 l2cap_chan_close(chan, reason);
ab07801d 381
6be36555 382 l2cap_chan_unlock(chan);
ab07801d 383
80b98027 384 chan->ops->close(chan);
3df91ea2
AE		 385 mutex_unlock(&conn->chan_lock);
386
371fd835 387 l2cap_chan_put(chan);
ab07801d
GP		 388}
389
eef1d9b6 390struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 391{
392 struct l2cap_chan *chan;
393
394 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
395 if (!chan)
396 return NULL;
397
c03b355e
AE		 398 mutex_init(&chan->lock);
399
333055f2 400 write_lock(&chan_list_lock);
23691d75 401 list_add(&chan->global_l, &chan_list);
333055f2 402 write_unlock(&chan_list_lock);
23691d75 403
721c4181 404 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 405
89bc500e
GP		 406 chan->state = BT_OPEN;
407
71ba0e56
GP		 408 atomic_set(&chan->refcnt, 1);
409
2827011f
MM		 410 /* This flag is cleared in l2cap_chan_ready() */
411 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
412
eef1d9b6 413 BT_DBG("chan %p", chan);
abc545b8 414
48454079
GP		 415 return chan;
416}
417
23691d75 418void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 419{
333055f2 420 write_lock(&chan_list_lock);
23691d75 421 list_del(&chan->global_l);
333055f2 422 write_unlock(&chan_list_lock);
23691d75 423
371fd835 424 l2cap_chan_put(chan);
6ff5abbf
GP		 425}
426
bd4b1653
AE		 427void l2cap_chan_set_defaults(struct l2cap_chan *chan)
428{
429 chan->fcs = L2CAP_FCS_CRC16;
430 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
431 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
432 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
433 chan->sec_level = BT_SECURITY_LOW;
434
435 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
436}
437
14a28491 438static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 439{
af05b30b 440 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 441 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 442
9f5a0d7b 443 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 444
8c1d787b 445 chan->conn = conn;
0139418c 446
5491120e
AE		 447 switch (chan->chan_type) {
448 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 449 if (conn->hcon->type == LE_LINK) {
450 /* LE connection */
0c1bc5c6 451 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 452 chan->scid = L2CAP_CID_LE_DATA;
453 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 454 } else {
455 /* Alloc CID for connection-oriented socket */
fe4128e0 456 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 457 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 458 }
5491120e
AE		 459 break;
460
461 case L2CAP_CHAN_CONN_LESS:
0139418c 462 /* Connectionless socket */
fe4128e0
GP		 463 chan->scid = L2CAP_CID_CONN_LESS;
464 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 465 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 466 break;
467
468 default:
0139418c 469 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 470 chan->scid = L2CAP_CID_SIGNALING;
471 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 472 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 473 }
474
8f7975b1
AE		 475 chan->local_id = L2CAP_BESTEFFORT_ID;
476 chan->local_stype = L2CAP_SERV_BESTEFFORT;
477 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
478 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
479 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
480 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
481
371fd835 482 l2cap_chan_hold(chan);
baa7e1fa 483
3df91ea2 484 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 485}
486
14a28491 487static void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 488{
489 mutex_lock(&conn->chan_lock);
490 __l2cap_chan_add(conn, chan);
3df91ea2 491 mutex_unlock(&conn->chan_lock);
0139418c
MH		 492}
493
4519de9a 494static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 495{
8c1d787b 496 struct l2cap_conn *conn = chan->conn;
0139418c 497
c9b66675 498 __clear_chan_timer(chan);
0139418c 499
49208c9c 500 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 501
8e87d142 502 if (conn) {
baa7e1fa 503 /* Delete from channel list */
3df91ea2 504 list_del(&chan->list);
3d57dc68 505
371fd835 506 l2cap_chan_put(chan);
baa7e1fa 507
8c1d787b 508 chan->conn = NULL;
0139418c
MH		 509 hci_conn_put(conn->hcon);
510 }
511
c0df7f6e
AE		 512 if (chan->ops->teardown)
513 chan->ops->teardown(chan, err);
6be36555 514
2827011f 515 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 516 return;
2ead70b8 517
ee556f66
GP		 518 switch(chan->mode) {
519 case L2CAP_MODE_BASIC:
520 break;
c13ffa62 521
ee556f66 522 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 523 __clear_retrans_timer(chan);
524 __clear_monitor_timer(chan);
525 __clear_ack_timer(chan);
c13ffa62 526
f1c6775b 527 skb_queue_purge(&chan->srej_q);
c13ffa62 528
3c588192
MM		 529 l2cap_seq_list_free(&chan->srej_list);
530 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 531
532 /* fall through */
533
534 case L2CAP_MODE_STREAMING:
535 skb_queue_purge(&chan->tx_q);
536 break;
c13ffa62 537 }
ee556f66
GP		 538
539 return;
0139418c
MH		 540}
541
0f852724 542void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 543{
544 struct l2cap_conn *conn = chan->conn;
545 struct sock *sk = chan->sk;
546
e05dcc32
AE		 547 BT_DBG("chan %p state %s sk %p", chan,
548 state_to_string(chan->state), sk);
4519de9a 549
89bc500e 550 switch (chan->state) {
4519de9a 551 case BT_LISTEN:
c0df7f6e
AE		 552 if (chan->ops->teardown)
553 chan->ops->teardown(chan, 0);
4519de9a
GP		 554 break;
555
556 case BT_CONNECTED:
557 case BT_CONFIG:
715ec005 558 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 559 conn->hcon->type == ACL_LINK) {
c9b66675 560 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 561 l2cap_send_disconn_req(conn, chan, reason);
562 } else
563 l2cap_chan_del(chan, reason);
564 break;
565
566 case BT_CONNECT2:
715ec005 567 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 568 conn->hcon->type == ACL_LINK) {
569 struct l2cap_conn_rsp rsp;
570 __u16 result;
571
c5daa683 572 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 573 result = L2CAP_CR_SEC_BLOCK;
574 else
575 result = L2CAP_CR_BAD_PSM;
89bc500e 576 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 577
578 rsp.scid = cpu_to_le16(chan->dcid);
579 rsp.dcid = cpu_to_le16(chan->scid);
580 rsp.result = cpu_to_le16(result);
ac73498c 581 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4519de9a
GP		 582 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
583 sizeof(rsp), &rsp);
584 }
585
586 l2cap_chan_del(chan, reason);
587 break;
588
589 case BT_CONNECT:
590 case BT_DISCONN:
591 l2cap_chan_del(chan, reason);
592 break;
593
594 default:
c0df7f6e
AE		 595 if (chan->ops->teardown)
596 chan->ops->teardown(chan, 0);
4519de9a
GP		 597 break;
598 }
599}
600
4343478f 601static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 602{
715ec005 603 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 604 switch (chan->sec_level) {
8556edd3
JH		 605 case BT_SECURITY_HIGH:
606 return HCI_AT_DEDICATED_BONDING_MITM;
607 case BT_SECURITY_MEDIUM:
608 return HCI_AT_DEDICATED_BONDING;
609 default:
610 return HCI_AT_NO_BONDING;
611 }
2983fd68 612 } else if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
4343478f
GP		 613 if (chan->sec_level == BT_SECURITY_LOW)
614 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 615
4343478f 616 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 617 return HCI_AT_NO_BONDING_MITM;
00ae4af9 618 else
8556edd3 619 return HCI_AT_NO_BONDING;
00ae4af9 620 } else {
4343478f 621 switch (chan->sec_level) {
00ae4af9 622 case BT_SECURITY_HIGH:
8556edd3 623 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 624 case BT_SECURITY_MEDIUM:
8556edd3 625 return HCI_AT_GENERAL_BONDING;
00ae4af9 626 default:
8556edd3 627 return HCI_AT_NO_BONDING;
00ae4af9 628 }
0684e5f9 629 }
8556edd3
JH		 630}
631
632/* Service level security */
d45fc423 633int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 634{
8c1d787b 635 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 636 __u8 auth_type;
637
4343478f 638 auth_type = l2cap_get_auth_type(chan);
79d554a6 639
4343478f 640 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 641}
642
b5ad8b7f 643static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 644{
645 u8 id;
646
647 /* Get next available identificator.
648 * 1 - 128 are used by kernel.
649 * 129 - 199 are reserved.
650 * 200 - 254 are used by utilities like l2ping, etc.
651 */
652
333055f2 653 spin_lock(&conn->lock);
4e8402a3
MH		 654
655 if (++conn->tx_ident > 128)
656 conn->tx_ident = 1;
657
658 id = conn->tx_ident;
659
333055f2 660 spin_unlock(&conn->lock);
4e8402a3
MH		 661
662 return id;
663}
664
4519de9a 665static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 666{
667 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 668 u8 flags;
4e8402a3
MH		 669
670 BT_DBG("code 0x%2.2x", code);
671
672 if (!skb)
9a9c6a34 673 return;
4e8402a3 674
e702112f
AE		 675 if (lmp_no_flush_capable(conn->hcon->hdev))
676 flags = ACL_START_NO_FLUSH;
677 else
678 flags = ACL_START;
679
14b12d0b 680 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 681 skb->priority = HCI_PRIO_MAX;
14b12d0b 682
73d80deb
LAD		 683 hci_send_acl(conn->hchan, skb, flags);
684}
685
686static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
687{
688 struct hci_conn *hcon = chan->conn->hcon;
689 u16 flags;
690
691 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
692 skb->priority);
693
694 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
695 lmp_no_flush_capable(hcon->hdev))
696 flags = ACL_START_NO_FLUSH;
697 else
698 flags = ACL_START;
14b12d0b 699
73d80deb
LAD		 700 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
701 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 702}
703
b76bbd66
MM		 704static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
705{
706 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
707 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
708
709 if (enh & L2CAP_CTRL_FRAME_TYPE) {
710 /* S-Frame */
711 control->sframe = 1;
712 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
713 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
714
715 control->sar = 0;
716 control->txseq = 0;
717 } else {
718 /* I-Frame */
719 control->sframe = 0;
720 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
721 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
722
723 control->poll = 0;
724 control->super = 0;
725 }
726}
727
b76bbd66
MM		 728static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
729{
730 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
731 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
732
733 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
734 /* S-Frame */
735 control->sframe = 1;
736 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
737 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
738
739 control->sar = 0;
740 control->txseq = 0;
741 } else {
742 /* I-Frame */
743 control->sframe = 0;
744 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
745 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
746
747 control->poll = 0;
748 control->super = 0;
749 }
750}
751
752static inline void __unpack_control(struct l2cap_chan *chan,
753 struct sk_buff *skb)
754{
755 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
756 __unpack_extended_control(get_unaligned_le32(skb->data),
757 &bt_cb(skb)->control);
cec8ab6e 758 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 759 } else {
760 __unpack_enhanced_control(get_unaligned_le16(skb->data),
761 &bt_cb(skb)->control);
cec8ab6e 762 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 763 }
764}
765
b5c6aaed
MM		 766static u32 __pack_extended_control(struct l2cap_ctrl *control)
767{
768 u32 packed;
769
770 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
771 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
772
773 if (control->sframe) {
774 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
775 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
776 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
777 } else {
778 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
779 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
780 }
781
782 return packed;
783}
784
785static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
786{
787 u16 packed;
788
789 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
790 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
791
792 if (control->sframe) {
793 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
794 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
795 packed |= L2CAP_CTRL_FRAME_TYPE;
796 } else {
797 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
798 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
799 }
800
801 return packed;
802}
803
b76bbd66
MM		 804static inline void __pack_control(struct l2cap_chan *chan,
805 struct l2cap_ctrl *control,
806 struct sk_buff *skb)
807{
808 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
809 put_unaligned_le32(__pack_extended_control(control),
810 skb->data + L2CAP_HDR_SIZE);
811 } else {
812 put_unaligned_le16(__pack_enhanced_control(control),
813 skb->data + L2CAP_HDR_SIZE);
814 }
815}
816
a67d7f6f
MM		 817static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
818 u32 control)
b5c6aaed
MM		 819{
820 struct sk_buff *skb;
821 struct l2cap_hdr *lh;
a67d7f6f 822 int hlen;
b5c6aaed
MM		 823
824 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
825 hlen = L2CAP_EXT_HDR_SIZE;
826 else
827 hlen = L2CAP_ENH_HDR_SIZE;
828
829 if (chan->fcs == L2CAP_FCS_CRC16)
830 hlen += L2CAP_FCS_SIZE;
831
a67d7f6f 832 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 833
b5c6aaed 834 if (!skb)
a67d7f6f 835 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 836
837 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
838 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
839 lh->cid = cpu_to_le16(chan->dcid);
840
a67d7f6f
MM		 841 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
842 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
843 else
844 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 845
846 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 847 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 848 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
849 }
850
851 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 852 return skb;
853}
854
855static void l2cap_send_sframe(struct l2cap_chan *chan,
856 struct l2cap_ctrl *control)
857{
858 struct sk_buff *skb;
859 u32 control_field;
860
861 BT_DBG("chan %p, control %p", chan, control);
862
863 if (!control->sframe)
864 return;
865
866 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
867 !control->poll)
868 control->final = 1;
869
870 if (control->super == L2CAP_SUPER_RR)
871 clear_bit(CONN_RNR_SENT, &chan->conn_state);
872 else if (control->super == L2CAP_SUPER_RNR)
873 set_bit(CONN_RNR_SENT, &chan->conn_state);
874
875 if (control->super != L2CAP_SUPER_SREJ) {
876 chan->last_acked_seq = control->reqseq;
877 __clear_ack_timer(chan);
878 }
879
880 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
881 control->final, control->poll, control->super);
882
883 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
884 control_field = __pack_extended_control(control);
885 else
886 control_field = __pack_enhanced_control(control);
887
888 skb = l2cap_create_sframe_pdu(chan, control_field);
889 if (!IS_ERR(skb))
890 l2cap_do_send(chan, skb);
b5c6aaed
MM		 891}
892
c9e3d5e0 893static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 894{
c9e3d5e0
MM		 895 struct l2cap_ctrl control;
896
897 BT_DBG("chan %p, poll %d", chan, poll);
898
899 memset(&control, 0, sizeof(control));
900 control.sframe = 1;
901 control.poll = poll;
902
903 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
904 control.super = L2CAP_SUPER_RNR;
905 else
906 control.super = L2CAP_SUPER_RR;
b5c6aaed 907
c9e3d5e0
MM		 908 control.reqseq = chan->buffer_seq;
909 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 910}
911
b4450035 912static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 913{
c1360a1c 914 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 915}
916
9b27f350
AE		 917static void l2cap_send_conn_req(struct l2cap_chan *chan)
918{
919 struct l2cap_conn *conn = chan->conn;
920 struct l2cap_conn_req req;
921
922 req.scid = cpu_to_le16(chan->scid);
923 req.psm = chan->psm;
924
925 chan->ident = l2cap_get_ident(conn);
926
927 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
928
929 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
930}
931
9f0caeb1
VCG		 932static void l2cap_chan_ready(struct l2cap_chan *chan)
933{
2827011f 934 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 935 chan->conf_state = 0;
936 __clear_chan_timer(chan);
937
54a59aa2 938 chan->state = BT_CONNECTED;
9f0caeb1 939
54a59aa2
AE		 940 if (chan->ops->ready)
941 chan->ops->ready(chan);
9f0caeb1
VCG		 942}
943
fc7f8a7e 944static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 945{
8c1d787b 946 struct l2cap_conn *conn = chan->conn;
79d554a6 947
9f0caeb1
VCG		 948 if (conn->hcon->type == LE_LINK) {
949 l2cap_chan_ready(chan);
950 return;
951 }
952
79d554a6 953 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 954 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
955 return;
956
d45fc423 957 if (l2cap_chan_check_security(chan) &&
9b27f350
AE		 958 __l2cap_no_conn_pending(chan))
959 l2cap_send_conn_req(chan);
79d554a6
MH		 960 } else {
961 struct l2cap_info_req req;
ac73498c 962 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 963
964 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
965 conn->info_ident = l2cap_get_ident(conn);
966
ba13ccd9 967 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 968
969 l2cap_send_cmd(conn, conn->info_ident,
970 L2CAP_INFO_REQ, sizeof(req), &req);
971 }
972}
973
cf6c2c0b
GP		 974static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
975{
976 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 977 if (!disable_ertm)
cf6c2c0b
GP		 978 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
979
980 switch (mode) {
981 case L2CAP_MODE_ERTM:
982 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
983 case L2CAP_MODE_STREAMING:
984 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
985 default:
986 return 0x00;
987 }
988}
989
4519de9a 990static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 991{
6be36555 992 struct sock *sk = chan->sk;
22121fc9
GP		 993 struct l2cap_disconn_req req;
994
c13ffa62
GP		 995 if (!conn)
996 return;
997
0c1bc5c6 998 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 999 __clear_retrans_timer(chan);
1000 __clear_monitor_timer(chan);
1001 __clear_ack_timer(chan);
c13ffa62
GP		 1002 }
1003
fe4128e0
GP		 1004 req.dcid = cpu_to_le16(chan->dcid);
1005 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 1006 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1007 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 1008
6be36555 1009 lock_sock(sk);
0e587be7 1010 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1011 __l2cap_chan_set_err(chan, err);
6be36555 1012 release_sock(sk);
22121fc9
GP		 1013}
1014
1da177e4 1015/* ---- L2CAP connections ---- */
4e8402a3
MH		 1016static void l2cap_conn_start(struct l2cap_conn *conn)
1017{
3df91ea2 1018 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1019
1020 BT_DBG("conn %p", conn);
1021
3df91ea2 1022 mutex_lock(&conn->chan_lock);
4e8402a3 1023
3df91ea2 1024 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1025 struct sock *sk = chan->sk;
baa7e1fa 1026
6be36555 1027 l2cap_chan_lock(chan);
4e8402a3 1028
715ec005 1029 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1030 l2cap_chan_unlock(chan);
79d554a6
MH		 1031 continue;
1032 }
1033
89bc500e 1034 if (chan->state == BT_CONNECT) {
d45fc423 1035 if (!l2cap_chan_check_security(chan) ||
b4450035 1036 !__l2cap_no_conn_pending(chan)) {
6be36555 1037 l2cap_chan_unlock(chan);
47731de7
GP		 1038 continue;
1039 }
79d554a6 1040
c1360a1c
GP		 1041 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1042 && test_bit(CONF_STATE2_DEVICE,
1043 &chan->conf_state)) {
89bc500e 1044 l2cap_chan_close(chan, ECONNRESET);
6be36555 1045 l2cap_chan_unlock(chan);
47731de7 1046 continue;
b1235d79 1047 }
47731de7 1048
9b27f350 1049 l2cap_send_conn_req(chan);
47731de7 1050
89bc500e 1051 } else if (chan->state == BT_CONNECT2) {
79d554a6 1052 struct l2cap_conn_rsp rsp;
e9aeb2dd 1053 char buf[128];
fe4128e0
GP		 1054 rsp.scid = cpu_to_le16(chan->dcid);
1055 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1056
d45fc423 1057 if (l2cap_chan_check_security(chan)) {
6be36555 1058 lock_sock(sk);
c5daa683
GP		 1059 if (test_bit(BT_SK_DEFER_SETUP,
1060 &bt_sk(sk)->flags)) {
f66dc81f 1061 struct sock *parent = bt_sk(sk)->parent;
ac73498c
AE		 1062 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1063 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 1064 if (parent)
1065 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 1066
1067 } else {
0e587be7 1068 __l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1069 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1070 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1071 }
6be36555 1072 release_sock(sk);
79d554a6 1073 } else {
ac73498c
AE		 1074 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1075 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1076 }
1077
fc7f8a7e
GP		 1078 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1079 sizeof(rsp), &rsp);
e9aeb2dd 1080
c1360a1c 1081 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd 1082 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1083 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1084 continue;
1085 }
1086
c1360a1c 1087 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1088 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 1089 l2cap_build_conf_req(chan, buf), buf);
1090 chan->num_conf_req++;
4e8402a3
MH		 1091 }
1092
6be36555 1093 l2cap_chan_unlock(chan);
4e8402a3
MH		 1094 }
1095
3df91ea2 1096 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1097}
1098
c2287681 1099/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1100 * Returns closest match, locked.
1101 */
d9b88702 1102static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1103 bdaddr_t *src,
1104 bdaddr_t *dst)
b62f328b 1105{
23691d75 1106 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1107
23691d75 1108 read_lock(&chan_list_lock);
b62f328b 1109
23691d75
GP		 1110 list_for_each_entry(c, &chan_list, global_l) {
1111 struct sock *sk = c->sk;
fe4128e0 1112
89bc500e 1113 if (state && c->state != state)
b62f328b
VT		 1114 continue;
1115
23691d75 1116 if (c->scid == cid) {
c2287681
IY		 1117 int src_match, dst_match;
1118 int src_any, dst_any;
1119
b62f328b 1120 /* Exact match. */
c2287681
IY		 1121 src_match = !bacmp(&bt_sk(sk)->src, src);
1122 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1123 if (src_match && dst_match) {
23691d75
GP		 1124 read_unlock(&chan_list_lock);
1125 return c;
1126 }
b62f328b
VT		 1127
1128 /* Closest match */
c2287681
IY		 1129 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1130 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1131 if ((src_match && dst_any) || (src_any && dst_match) ||
1132 (src_any && dst_any))
23691d75 1133 c1 = c;
b62f328b
VT		 1134 }
1135 }
280f294f 1136
23691d75 1137 read_unlock(&chan_list_lock);
b62f328b 1138
23691d75 1139 return c1;
b62f328b
VT		 1140}
1141
1142static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1143{
c916fbe4 1144 struct sock *parent, *sk;
23691d75 1145 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1146
1147 BT_DBG("");
1148
1149 /* Check if we have socket listening on cid */
23691d75 1150 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1151 conn->src, conn->dst);
23691d75 1152 if (!pchan)
b62f328b
VT		 1153 return;
1154
23691d75
GP		 1155 parent = pchan->sk;
1156
aa2ac881 1157 lock_sock(parent);
62f3a2cf 1158
80b98027 1159 chan = pchan->ops->new_connection(pchan);
80808e43 1160 if (!chan)
b62f328b
VT		 1161 goto clean;
1162
80808e43 1163 sk = chan->sk;
5d41ce1d 1164
b62f328b
VT		 1165 hci_conn_hold(conn->hcon);
1166
b62f328b
VT		 1167 bacpy(&bt_sk(sk)->src, conn->src);
1168 bacpy(&bt_sk(sk)->dst, conn->dst);
1169
d1010240
GP		 1170 bt_accept_enqueue(parent, sk);
1171
3d57dc68 1172 l2cap_chan_add(conn, chan);
48454079 1173
6754e0df 1174 l2cap_chan_ready(chan);
b62f328b 1175
b62f328b 1176clean:
aa2ac881 1177 release_sock(parent);
b62f328b
VT		 1178}
1179
4e8402a3
MH		 1180static void l2cap_conn_ready(struct l2cap_conn *conn)
1181{
48454079 1182 struct l2cap_chan *chan;
4e8402a3 1183
79d554a6 1184 BT_DBG("conn %p", conn);
4e8402a3 1185
b62f328b
VT		 1186 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
1187 l2cap_le_conn_ready(conn);
1188
160dc6ac
VCG		 1189 if (conn->hcon->out && conn->hcon->type == LE_LINK)
1190 smp_conn_security(conn, conn->hcon->pending_sec_level);
1191
3df91ea2 1192 mutex_lock(&conn->chan_lock);
4e8402a3 1193
3df91ea2 1194 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1195
6be36555 1196 l2cap_chan_lock(chan);
4e8402a3 1197
63128451 1198 if (conn->hcon->type == LE_LINK) {
b501d6a1 1199 if (smp_conn_security(conn, chan->sec_level))
cf4cd009 1200 l2cap_chan_ready(chan);
acd7d370 1201
63128451 1202 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1203 struct sock *sk = chan->sk;
c9b66675 1204 __clear_chan_timer(chan);
6be36555 1205 lock_sock(sk);
0e587be7 1206 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1207 sk->sk_state_change(sk);
6be36555 1208 release_sock(sk);
b501d6a1 1209
89bc500e 1210 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1211 l2cap_do_start(chan);
4e8402a3 1212
6be36555 1213 l2cap_chan_unlock(chan);
4e8402a3 1214 }
79d554a6 1215
3df91ea2 1216 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1217}
1218
1219/* Notify sockets that we cannot guaranty reliability anymore */
1220static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1221{
48454079 1222 struct l2cap_chan *chan;
4e8402a3
MH		 1223
1224 BT_DBG("conn %p", conn);
1225
3df91ea2 1226 mutex_lock(&conn->chan_lock);
4e8402a3 1227
3df91ea2 1228 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1229 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
2e0052e4 1230 __l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1231 }
1232
3df91ea2 1233 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1234}
1235
f878fcad 1236static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1237{
f878fcad 1238 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
030013d8 1239 info_timer.work);
4e8402a3 1240
984947dc 1241 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1242 conn->info_ident = 0;
984947dc 1243
4e8402a3
MH		 1244 l2cap_conn_start(conn);
1245}
1246
5d3de7df
VCG		 1247static void l2cap_conn_del(struct hci_conn *hcon, int err)
1248{
1249 struct l2cap_conn *conn = hcon->l2cap_data;
1250 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1251
1252 if (!conn)
1253 return;
1254
1255 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1256
1257 kfree_skb(conn->rx_skb);
1258
3df91ea2
AE		 1259 mutex_lock(&conn->chan_lock);
1260
5d3de7df
VCG		 1261 /* Kill channels */
1262 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1263 l2cap_chan_hold(chan);
6be36555
AE		 1264 l2cap_chan_lock(chan);
1265
5d3de7df 1266 l2cap_chan_del(chan, err);
6be36555
AE		 1267
1268 l2cap_chan_unlock(chan);
1269
80b98027 1270 chan->ops->close(chan);
61d6ef3e 1271 l2cap_chan_put(chan);
5d3de7df
VCG		 1272 }
1273
3df91ea2
AE		 1274 mutex_unlock(&conn->chan_lock);
1275
73d80deb
LAD		 1276 hci_chan_del(conn->hchan);
1277
5d3de7df 1278 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1279 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1280
51a8efd7 1281 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1282 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1283 smp_chan_destroy(conn);
d26a2345 1284 }
5d3de7df
VCG		 1285
1286 hcon->l2cap_data = NULL;
1287 kfree(conn);
1288}
1289
6c9d42a1 1290static void security_timeout(struct work_struct *work)
5d3de7df 1291{
6c9d42a1
GP		 1292 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1293 security_timer.work);
5d3de7df
VCG		 1294
1295 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1296}
1297
1da177e4
LT		 1298static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1299{
0139418c 1300 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1301 struct hci_chan *hchan;
1da177e4 1302
0139418c 1303 if (conn || status)
1da177e4
LT		 1304 return conn;
1305
73d80deb
LAD		 1306 hchan = hci_chan_create(hcon);
1307 if (!hchan)
1308 return NULL;
1309
0139418c 1310 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
73d80deb
LAD		 1311 if (!conn) {
1312 hci_chan_del(hchan);
1da177e4 1313 return NULL;
73d80deb 1314 }
1da177e4
LT		 1315
1316 hcon->l2cap_data = conn;
1317 conn->hcon = hcon;
73d80deb 1318 conn->hchan = hchan;
1da177e4 1319
73d80deb 1320 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1321
acd7d370
VT		 1322 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1323 conn->mtu = hcon->hdev->le_mtu;
1324 else
1325 conn->mtu = hcon->hdev->acl_mtu;
1326
1da177e4
LT		 1327 conn->src = &hcon->hdev->bdaddr;
1328 conn->dst = &hcon->dst;
1329
4e8402a3
MH		 1330 conn->feat_mask = 0;
1331
1da177e4 1332 spin_lock_init(&conn->lock);
3df91ea2 1333 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1334
1335 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1336
5d3de7df 1337 if (hcon->type == LE_LINK)
6c9d42a1 1338 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1339 else
030013d8 1340 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1341
9f5a0d7b 1342 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1343
1da177e4
LT		 1344 return conn;
1345}
1346
1da177e4 1347/* ---- Socket interface ---- */
1da177e4 1348
c2287681 1349/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1350 * Returns closest match.
1351 */
c2287681
IY		 1352static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1353 bdaddr_t *src,
1354 bdaddr_t *dst)
1da177e4 1355{
23691d75 1356 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1357
23691d75 1358 read_lock(&chan_list_lock);
e0f0cb56 1359
23691d75
GP		 1360 list_for_each_entry(c, &chan_list, global_l) {
1361 struct sock *sk = c->sk;
fe4128e0 1362
89bc500e 1363 if (state && c->state != state)
1da177e4
LT		 1364 continue;
1365
23691d75 1366 if (c->psm == psm) {
c2287681
IY		 1367 int src_match, dst_match;
1368 int src_any, dst_any;
1369
1da177e4 1370 /* Exact match. */
c2287681
IY		 1371 src_match = !bacmp(&bt_sk(sk)->src, src);
1372 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1373 if (src_match && dst_match) {
a7567b20 1374 read_unlock(&chan_list_lock);
23691d75
GP		 1375 return c;
1376 }
1da177e4
LT		 1377
1378 /* Closest match */
c2287681
IY		 1379 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1380 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1381 if ((src_match && dst_any) || (src_any && dst_match) ||
1382 (src_any && dst_any))
23691d75 1383 c1 = c;
1da177e4
LT		 1384 }
1385 }
1da177e4 1386
23691d75 1387 read_unlock(&chan_list_lock);
e0f0cb56 1388
23691d75 1389 return c1;
1da177e4
LT		 1390}
1391
8e9f9892
AG		 1392int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1393 bdaddr_t *dst, u8 dst_type)
1da177e4 1394{
5d41ce1d 1395 struct sock *sk = chan->sk;
1da177e4 1396 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1397 struct l2cap_conn *conn;
1398 struct hci_conn *hcon;
1399 struct hci_dev *hdev;
09ab6f4c 1400 __u8 auth_type;
44d0e48e 1401 int err;
1da177e4 1402
8e9f9892
AG		 1403 BT_DBG("%s -> %s (type %u) psm 0x%2.2x", batostr(src), batostr(dst),
1404 dst_type, __le16_to_cpu(chan->psm));
1da177e4 1405
af05b30b
GP		 1406 hdev = hci_get_route(dst, src);
1407 if (!hdev)
1da177e4
LT		 1408 return -EHOSTUNREACH;
1409
09fd0de5 1410 hci_dev_lock(hdev);
1da177e4 1411
6be36555 1412 l2cap_chan_lock(chan);
03a00194
GP		 1413
1414 /* PSM must be odd and lsb of upper byte must be 0 */
1415 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1416 chan->chan_type != L2CAP_CHAN_RAW) {
1417 err = -EINVAL;
1418 goto done;
1419 }
1420
1421 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1422 err = -EINVAL;
1423 goto done;
1424 }
1425
1426 switch (chan->mode) {
1427 case L2CAP_MODE_BASIC:
1428 break;
1429 case L2CAP_MODE_ERTM:
1430 case L2CAP_MODE_STREAMING:
1431 if (!disable_ertm)
1432 break;
1433 /* fall through */
1434 default:
1435 err = -ENOTSUPP;
1436 goto done;
1437 }
1438
0797e01d 1439 switch (chan->state) {
03a00194
GP		 1440 case BT_CONNECT:
1441 case BT_CONNECT2:
1442 case BT_CONFIG:
1443 /* Already connecting */
1444 err = 0;
1445 goto done;
1446
1447 case BT_CONNECTED:
1448 /* Already connected */
1449 err = -EISCONN;
1450 goto done;
1451
1452 case BT_OPEN:
1453 case BT_BOUND:
1454 /* Can connect */
1455 break;
1456
1457 default:
1458 err = -EBADFD;
1459 goto done;
1460 }
1461
1462 /* Set destination address and psm */
0797e01d 1463 lock_sock(sk);
9219b2a0 1464 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1465 release_sock(sk);
1466
03a00194
GP		 1467 chan->psm = psm;
1468 chan->dcid = cid;
1da177e4 1469
4343478f 1470 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1471
fe4128e0 1472 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1473 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1474 chan->sec_level, auth_type);
acd7d370 1475 else
8e9f9892 1476 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1477 chan->sec_level, auth_type);
acd7d370 1478
30e76272
VT		 1479 if (IS_ERR(hcon)) {
1480 err = PTR_ERR(hcon);
1da177e4 1481 goto done;
30e76272 1482 }
1da177e4
LT		 1483
1484 conn = l2cap_conn_add(hcon, 0);
1485 if (!conn) {
1486 hci_conn_put(hcon);
30e76272 1487 err = -ENOMEM;
1da177e4
LT		 1488 goto done;
1489 }
1490
9f0caeb1
VCG		 1491 if (hcon->type == LE_LINK) {
1492 err = 0;
1493
1494 if (!list_empty(&conn->chan_l)) {
1495 err = -EBUSY;
1496 hci_conn_put(hcon);
1497 }
1498
1499 if (err)
1500 goto done;
1501 }
1502
1da177e4
LT		 1503 /* Update source addr of the socket */
1504 bacpy(src, conn->src);
1505
6be36555 1506 l2cap_chan_unlock(chan);
48454079 1507 l2cap_chan_add(conn, chan);
6be36555 1508 l2cap_chan_lock(chan);
48454079 1509
6be36555 1510 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1511 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1512
1513 if (hcon->state == BT_CONNECTED) {
715ec005 1514 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1515 __clear_chan_timer(chan);
d45fc423 1516 if (l2cap_chan_check_security(chan))
6be36555 1517 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1518 } else
fc7f8a7e 1519 l2cap_do_start(chan);
1da177e4
LT		 1520 }
1521
30e76272
VT		 1522 err = 0;
1523
1da177e4 1524done:
6be36555 1525 l2cap_chan_unlock(chan);
09fd0de5 1526 hci_dev_unlock(hdev);
1da177e4
LT		 1527 hci_dev_put(hdev);
1528 return err;
1529}
1530
dcba0dba 1531int __l2cap_wait_ack(struct sock *sk)
6161c038 1532{
8c1d787b 1533 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1534 DECLARE_WAITQUEUE(wait, current);
1535 int err = 0;
1536 int timeo = HZ/5;
1537
2b0b05dd 1538 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1539 set_current_state(TASK_INTERRUPTIBLE);
1540 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1541 if (!timeo)
1542 timeo = HZ/5;
1543
1544 if (signal_pending(current)) {
1545 err = sock_intr_errno(timeo);
1546 break;
1547 }
1548
1549 release_sock(sk);
1550 timeo = schedule_timeout(timeo);
1551 lock_sock(sk);
a71a0cf4 1552 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1553
1554 err = sock_error(sk);
1555 if (err)
1556 break;
1557 }
1558 set_current_state(TASK_RUNNING);
2b0b05dd 1559 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1560 return err;
1561}
1562
721c4181 1563static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1564{
721c4181 1565 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1566 monitor_timer.work);
e90bac06 1567
525cd185 1568 BT_DBG("chan %p", chan);
0e98958d 1569
6be36555
AE		 1570 l2cap_chan_lock(chan);
1571
80909e04 1572 if (!chan->conn) {
6be36555 1573 l2cap_chan_unlock(chan);
8d7e1c7f 1574 l2cap_chan_put(chan);
e90bac06
GP		 1575 return;
1576 }
1577
401bb1f7 1578 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1579
6be36555 1580 l2cap_chan_unlock(chan);
8d7e1c7f 1581 l2cap_chan_put(chan);
e90bac06
GP		 1582}
1583
721c4181 1584static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1585{
721c4181 1586 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1587 retrans_timer.work);
e90bac06 1588
49208c9c 1589 BT_DBG("chan %p", chan);
0e98958d 1590
6be36555
AE		 1591 l2cap_chan_lock(chan);
1592
80909e04
MM		 1593 if (!chan->conn) {
1594 l2cap_chan_unlock(chan);
1595 l2cap_chan_put(chan);
1596 return;
1597 }
6be36555 1598
401bb1f7 1599 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1600 l2cap_chan_unlock(chan);
8d7e1c7f 1601 l2cap_chan_put(chan);
e90bac06
GP		 1602}
1603
d660366d
GP		 1604static void l2cap_streaming_send(struct l2cap_chan *chan,
1605 struct sk_buff_head *skbs)
6840ed07 1606{
ccbb84af 1607 struct sk_buff *skb;
3733937d 1608 struct l2cap_ctrl *control;
6840ed07 1609
3733937d
MM		 1610 BT_DBG("chan %p, skbs %p", chan, skbs);
1611
3733937d
MM		 1612 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1613
1614 while (!skb_queue_empty(&chan->tx_q)) {
1615
1616 skb = skb_dequeue(&chan->tx_q);
1617
1618 bt_cb(skb)->control.retries = 1;
1619 control = &bt_cb(skb)->control;
1620
1621 control->reqseq = 0;
1622 control->txseq = chan->next_tx_seq;
1623
1624 __pack_control(chan, control, skb);
6840ed07 1625
47d1ec61 1626 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1627 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1628 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1629 }
1630
4343478f 1631 l2cap_do_send(chan, skb);
6840ed07 1632
3733937d
MM		 1633 BT_DBG("Sent txseq %d", (int)control->txseq);
1634
836be934 1635 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1636 chan->frames_sent++;
6840ed07 1637 }
6840ed07
GP		 1638}
1639
67c9e840 1640static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1641{
1642 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1643 struct l2cap_ctrl *control;
1644 int sent = 0;
1645
1646 BT_DBG("chan %p", chan);
1c2acffb 1647
89bc500e 1648 if (chan->state != BT_CONNECTED)
c13ffa62 1649 return -ENOTCONN;
e90bac06 1650
94122bbe
MM		 1651 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1652 return 0;
1653
18a48e76
MM		 1654 while (chan->tx_send_head &&
1655 chan->unacked_frames < chan->remote_tx_win &&
1656 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1657
18a48e76 1658 skb = chan->tx_send_head;
e90bac06 1659
18a48e76
MM		 1660 bt_cb(skb)->control.retries = 1;
1661 control = &bt_cb(skb)->control;
95ffa978 1662
e2ab4353 1663 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1664 control->final = 1;
e2ab4353 1665
18a48e76
MM		 1666 control->reqseq = chan->buffer_seq;
1667 chan->last_acked_seq = chan->buffer_seq;
1668 control->txseq = chan->next_tx_seq;
1c2acffb 1669
18a48e76 1670 __pack_control(chan, control, skb);
e90bac06 1671
47d1ec61 1672 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1673 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1674 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1675 }
1676
18a48e76
MM		 1677 /* Clone after data has been modified. Data is assumed to be
1678 read-only (for locking purposes) on cloned sk_buffs.
1679 */
1680 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1681
18a48e76
MM		 1682 if (!tx_skb)
1683 break;
1c2acffb 1684
18a48e76 1685 __set_retrans_timer(chan);
836be934
AE		 1686
1687 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1688 chan->unacked_frames++;
6a026610 1689 chan->frames_sent++;
18a48e76 1690 sent++;
1c2acffb 1691
58d35f87
GP		 1692 if (skb_queue_is_last(&chan->tx_q, skb))
1693 chan->tx_send_head = NULL;
1c2acffb 1694 else
58d35f87 1695 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1696
1697 l2cap_do_send(chan, tx_skb);
1698 BT_DBG("Sent txseq %d", (int)control->txseq);
1c2acffb
GP		 1699 }
1700
18a48e76
MM		 1701 BT_DBG("Sent %d, %d unacked, %d in ERTM queue", sent,
1702 (int) chan->unacked_frames, skb_queue_len(&chan->tx_q));
1703
1704 return sent;
9e917af1
GP		 1705}
1706
e1fbd4c1
MM		 1707static void l2cap_ertm_resend(struct l2cap_chan *chan)
1708{
1709 struct l2cap_ctrl control;
1710 struct sk_buff *skb;
1711 struct sk_buff *tx_skb;
1712 u16 seq;
1713
1714 BT_DBG("chan %p", chan);
1715
1716 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1717 return;
1718
1719 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1720 seq = l2cap_seq_list_pop(&chan->retrans_list);
1721
1722 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1723 if (!skb) {
1724 BT_DBG("Error: Can't retransmit seq %d, frame missing",
1725 seq);
1726 continue;
1727 }
1728
1729 bt_cb(skb)->control.retries++;
1730 control = bt_cb(skb)->control;
1731
1732 if (chan->max_tx != 0 &&
1733 bt_cb(skb)->control.retries > chan->max_tx) {
1734 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1735 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
1736 l2cap_seq_list_clear(&chan->retrans_list);
1737 break;
1738 }
1739
1740 control.reqseq = chan->buffer_seq;
1741 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1742 control.final = 1;
1743 else
1744 control.final = 0;
1745
1746 if (skb_cloned(skb)) {
1747 /* Cloned sk_buffs are read-only, so we need a
1748 * writeable copy
1749 */
1750 tx_skb = skb_copy(skb, GFP_ATOMIC);
1751 } else {
1752 tx_skb = skb_clone(skb, GFP_ATOMIC);
1753 }
1754
1755 if (!tx_skb) {
1756 l2cap_seq_list_clear(&chan->retrans_list);
1757 break;
1758 }
1759
1760 /* Update skb contents */
1761 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1762 put_unaligned_le32(__pack_extended_control(&control),
1763 tx_skb->data + L2CAP_HDR_SIZE);
1764 } else {
1765 put_unaligned_le16(__pack_enhanced_control(&control),
1766 tx_skb->data + L2CAP_HDR_SIZE);
1767 }
1768
1769 if (chan->fcs == L2CAP_FCS_CRC16) {
1770 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
1771 put_unaligned_le16(fcs, skb_put(tx_skb,
1772 L2CAP_FCS_SIZE));
1773 }
1774
1775 l2cap_do_send(chan, tx_skb);
1776
1777 BT_DBG("Resent txseq %d", control.txseq);
1778
1779 chan->last_acked_seq = chan->buffer_seq;
1780 }
1781}
1782
f80842a8
MM		 1783static void l2cap_retransmit(struct l2cap_chan *chan,
1784 struct l2cap_ctrl *control)
1785{
1786 BT_DBG("chan %p, control %p", chan, control);
1787
1788 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
1789 l2cap_ertm_resend(chan);
1790}
1791
d2a7ac5d
MM		 1792static void l2cap_retransmit_all(struct l2cap_chan *chan,
1793 struct l2cap_ctrl *control)
1794{
e1fbd4c1
MM		 1795 struct sk_buff *skb;
1796
1797 BT_DBG("chan %p, control %p", chan, control);
1798
1799 if (control->poll)
1800 set_bit(CONN_SEND_FBIT, &chan->conn_state);
1801
1802 l2cap_seq_list_clear(&chan->retrans_list);
1803
1804 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1805 return;
1806
1807 if (chan->unacked_frames) {
1808 skb_queue_walk(&chan->tx_q, skb) {
1809 if (bt_cb(skb)->control.txseq == control->reqseq ||
1810 skb == chan->tx_send_head)
1811 break;
1812 }
1813
1814 skb_queue_walk_from(&chan->tx_q, skb) {
1815 if (skb == chan->tx_send_head)
1816 break;
1817
1818 l2cap_seq_list_append(&chan->retrans_list,
1819 bt_cb(skb)->control.txseq);
1820 }
1821
1822 l2cap_ertm_resend(chan);
1823 }
d2a7ac5d
MM		 1824}
1825
0a0aba42 1826static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1827{
0a0aba42
MM		 1828 struct l2cap_ctrl control;
1829 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
1830 chan->last_acked_seq);
1831 int threshold;
9e917af1 1832
0a0aba42
MM		 1833 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
1834 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 1835
0a0aba42
MM		 1836 memset(&control, 0, sizeof(control));
1837 control.sframe = 1;
dfc909be 1838
0a0aba42
MM		 1839 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
1840 chan->rx_state == L2CAP_RX_STATE_RECV) {
1841 __clear_ack_timer(chan);
1842 control.super = L2CAP_SUPER_RNR;
1843 control.reqseq = chan->buffer_seq;
1844 l2cap_send_sframe(chan, &control);
1845 } else {
1846 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
1847 l2cap_ertm_send(chan);
1848 /* If any i-frames were sent, they included an ack */
1849 if (chan->buffer_seq == chan->last_acked_seq)
1850 frames_to_ack = 0;
1851 }
dfc909be 1852
0a0aba42
MM		 1853 /* Ack now if the tx window is 3/4ths full.
1854 * Calculate without mul or div
1855 */
1856 threshold = chan->tx_win;
1857 threshold += threshold << 1;
1858 threshold >>= 2;
1859
1860 BT_DBG("frames_to_ack %d, threshold %d", (int)frames_to_ack,
1861 threshold);
1862
1863 if (frames_to_ack >= threshold) {
1864 __clear_ack_timer(chan);
1865 control.super = L2CAP_SUPER_RR;
1866 control.reqseq = chan->buffer_seq;
1867 l2cap_send_sframe(chan, &control);
1868 frames_to_ack = 0;
1869 }
1c2acffb 1870
0a0aba42
MM		 1871 if (frames_to_ack)
1872 __set_ack_timer(chan);
1873 }
b17e73bb
SJ		 1874}
1875
04124681
GP		 1876static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
1877 struct msghdr *msg, int len,
1878 int count, struct sk_buff *skb)
1c2acffb 1879{
0952a57a 1880 struct l2cap_conn *conn = chan->conn;
1c2acffb 1881 struct sk_buff **frag;
90338947 1882 int sent = 0;
1da177e4 1883
59203a21 1884 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1885 return -EFAULT;
1da177e4
LT		 1886
1887 sent += count;
1888 len -= count;
1889
1890 /* Continuation fragments (no L2CAP header) */
1891 frag = &skb_shinfo(skb)->frag_list;
1892 while (len) {
fbe00700
GP		 1893 struct sk_buff *tmp;
1894
1da177e4
LT		 1895 count = min_t(unsigned int, conn->mtu, len);
1896
fbe00700
GP		 1897 tmp = chan->ops->alloc_skb(chan, count,
1898 msg->msg_flags & MSG_DONTWAIT);
1899 if (IS_ERR(tmp))
1900 return PTR_ERR(tmp);
1901
1902 *frag = tmp;
2f7719ce 1903
1c2acffb
GP		 1904 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1905 return -EFAULT;
1da177e4 1906
5e59b791
LAD		 1907 (*frag)->priority = skb->priority;
1908
1da177e4
LT		 1909 sent += count;
1910 len -= count;
1911
2d0ed3d5
GP		 1912 skb->len += (*frag)->len;
1913 skb->data_len += (*frag)->len;
1914
1da177e4
LT		 1915 frag = &(*frag)->next;
1916 }
1da177e4
LT		 1917
1918 return sent;
1c2acffb 1919}
1da177e4 1920
5e59b791
LAD		 1921static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
1922 struct msghdr *msg, size_t len,
1923 u32 priority)
1c2acffb 1924{
8c1d787b 1925 struct l2cap_conn *conn = chan->conn;
1c2acffb 1926 struct sk_buff *skb;
03a51213 1927 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 1928 struct l2cap_hdr *lh;
1929
6d5922b0 1930 BT_DBG("chan %p len %d priority %u", chan, (int)len, priority);
1c2acffb
GP		 1931
1932 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1933
1934 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 1935 msg->msg_flags & MSG_DONTWAIT);
1936 if (IS_ERR(skb))
1937 return skb;
1c2acffb 1938
5e59b791
LAD		 1939 skb->priority = priority;
1940
1c2acffb
GP		 1941 /* Create L2CAP header */
1942 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1943 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 1944 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
1945 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 1946
0952a57a 1947 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1948 if (unlikely(err < 0)) {
1949 kfree_skb(skb);
1950 return ERR_PTR(err);
1951 }
1952 return skb;
1953}
1954
5e59b791
LAD		 1955static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
1956 struct msghdr *msg, size_t len,
1957 u32 priority)
1c2acffb 1958{
8c1d787b 1959 struct l2cap_conn *conn = chan->conn;
1c2acffb 1960 struct sk_buff *skb;
f2ba7fae 1961 int err, count;
1c2acffb
GP		 1962 struct l2cap_hdr *lh;
1963
6d5922b0 1964 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 1965
f2ba7fae 1966 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 1967
f2ba7fae 1968 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 1969 msg->msg_flags & MSG_DONTWAIT);
1970 if (IS_ERR(skb))
1971 return skb;
1c2acffb 1972
5e59b791
LAD		 1973 skb->priority = priority;
1974
1c2acffb
GP		 1975 /* Create L2CAP header */
1976 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1977 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 1978 lh->len = cpu_to_le16(len);
1c2acffb 1979
0952a57a 1980 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1981 if (unlikely(err < 0)) {
1982 kfree_skb(skb);
1983 return ERR_PTR(err);
1984 }
1985 return skb;
1986}
1987
ab0ff76d
LAD		 1988static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
1989 struct msghdr *msg, size_t len,
94122bbe 1990 u16 sdulen)
1c2acffb 1991{
8c1d787b 1992 struct l2cap_conn *conn = chan->conn;
1c2acffb 1993 struct sk_buff *skb;
e4ca6d98 1994 int err, count, hlen;
1c2acffb
GP		 1995 struct l2cap_hdr *lh;
1996
6d5922b0 1997 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 1998
0ee0d208
GP		 1999 if (!conn)
2000 return ERR_PTR(-ENOTCONN);
2001
e4ca6d98
AE		 2002 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2003 hlen = L2CAP_EXT_HDR_SIZE;
2004 else
2005 hlen = L2CAP_ENH_HDR_SIZE;
2006
c74e560c 2007 if (sdulen)
03a51213 2008 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2009
47d1ec61 2010 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2011 hlen += L2CAP_FCS_SIZE;
fcc203c3 2012
1c2acffb 2013 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2014
2015 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2016 msg->msg_flags & MSG_DONTWAIT);
2017 if (IS_ERR(skb))
2018 return skb;
1c2acffb
GP		 2019
2020 /* Create L2CAP header */
2021 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2022 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2023 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2024
18a48e76
MM		 2025 /* Control header is populated later */
2026 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2027 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2028 else
2029 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2030
c74e560c 2031 if (sdulen)
03a51213 2032 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2033
0952a57a 2034 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2035 if (unlikely(err < 0)) {
2036 kfree_skb(skb);
2037 return ERR_PTR(err);
2038 }
e90bac06 2039
18a48e76 2040 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2041 bt_cb(skb)->control.retries = 0;
1c2acffb 2042 return skb;
1da177e4
LT		 2043}
2044
94122bbe
MM		 2045static int l2cap_segment_sdu(struct l2cap_chan *chan,
2046 struct sk_buff_head *seg_queue,
2047 struct msghdr *msg, size_t len)
c74e560c 2048{
c74e560c 2049 struct sk_buff *skb;
94122bbe
MM		 2050 u16 sdu_len;
2051 size_t pdu_len;
2052 int err = 0;
2053 u8 sar;
c74e560c 2054
94122bbe 2055 BT_DBG("chan %p, msg %p, len %d", chan, msg, (int)len);
c74e560c 2056
94122bbe
MM		 2057 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2058 * so fragmented skbs are not used. The HCI layer's handling
2059 * of fragmented skbs is not compatible with ERTM's queueing.
2060 */
c74e560c 2061
94122bbe
MM		 2062 /* PDU size is derived from the HCI MTU */
2063 pdu_len = chan->conn->mtu;
c74e560c 2064
94122bbe
MM		 2065 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2066
2067 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2068 if (chan->fcs)
2069 pdu_len -= L2CAP_FCS_SIZE;
2070
2071 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2072 pdu_len -= L2CAP_EXT_HDR_SIZE;
2073 else
2074 pdu_len -= L2CAP_ENH_HDR_SIZE;
94122bbe
MM		 2075
2076 /* Remote device may have requested smaller PDUs */
2077 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2078
2079 if (len <= pdu_len) {
2080 sar = L2CAP_SAR_UNSEGMENTED;
2081 sdu_len = 0;
2082 pdu_len = len;
2083 } else {
2084 sar = L2CAP_SAR_START;
2085 sdu_len = len;
2086 pdu_len -= L2CAP_SDULEN_SIZE;
2087 }
2088
2089 while (len > 0) {
2090 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2091
c74e560c 2092 if (IS_ERR(skb)) {
94122bbe 2093 __skb_queue_purge(seg_queue);
c74e560c
GP		 2094 return PTR_ERR(skb);
2095 }
2096
94122bbe
MM		 2097 bt_cb(skb)->control.sar = sar;
2098 __skb_queue_tail(seg_queue, skb);
2099
2100 len -= pdu_len;
2101 if (sdu_len) {
2102 sdu_len = 0;
2103 pdu_len += L2CAP_SDULEN_SIZE;
2104 }
2105
2106 if (len <= pdu_len) {
2107 sar = L2CAP_SAR_END;
2108 pdu_len = len;
2109 } else {
2110 sar = L2CAP_SAR_CONTINUE;
2111 }
c74e560c 2112 }
c74e560c 2113
94122bbe 2114 return err;
c74e560c
GP		 2115}
2116
5e59b791
LAD		 2117int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2118 u32 priority)
9a91a04a 2119{
9a91a04a 2120 struct sk_buff *skb;
9a91a04a 2121 int err;
94122bbe 2122 struct sk_buff_head seg_queue;
9a91a04a
GP		 2123
2124 /* Connectionless channel */
715ec005 2125 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2126 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2127 if (IS_ERR(skb))
2128 return PTR_ERR(skb);
2129
2130 l2cap_do_send(chan, skb);
2131 return len;
2132 }
2133
2134 switch (chan->mode) {
2135 case L2CAP_MODE_BASIC:
2136 /* Check outgoing MTU */
2137 if (len > chan->omtu)
2138 return -EMSGSIZE;
2139
2140 /* Create a basic PDU */
5e59b791 2141 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2142 if (IS_ERR(skb))
2143 return PTR_ERR(skb);
2144
2145 l2cap_do_send(chan, skb);
2146 err = len;
2147 break;
2148
2149 case L2CAP_MODE_ERTM:
2150 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2151 /* Check outgoing MTU */
2152 if (len > chan->omtu) {
2153 err = -EMSGSIZE;
2154 break;
2155 }
9a91a04a 2156
94122bbe 2157 __skb_queue_head_init(&seg_queue);
9a91a04a 2158
94122bbe
MM		 2159 /* Do segmentation before calling in to the state machine,
2160 * since it's possible to block while waiting for memory
2161 * allocation.
2162 */
2163 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2164
94122bbe
MM		 2165 /* The channel could have been closed while segmenting,
2166 * check that it is still connected.
2167 */
2168 if (chan->state != BT_CONNECTED) {
2169 __skb_queue_purge(&seg_queue);
2170 err = -ENOTCONN;
9a91a04a
GP		 2171 }
2172
94122bbe 2173 if (err)
9a91a04a 2174 break;
9a91a04a 2175
3733937d 2176 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2177 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2178 else
d660366d 2179 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2180
d660366d 2181 err = len;
9a91a04a 2182
94122bbe
MM		 2183 /* If the skbs were not queued for sending, they'll still be in
2184 * seg_queue and need to be purged.
2185 */
2186 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2187 break;
2188
2189 default:
2190 BT_DBG("bad state %1.1x", chan->mode);
2191 err = -EBADFD;
2192 }
2193
2194 return err;
2195}
2196
d2a7ac5d
MM		 2197static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2198{
bed68bde
MM		 2199 struct l2cap_ctrl control;
2200 u16 seq;
2201
2202 BT_DBG("chan %p, txseq %d", chan, txseq);
2203
2204 memset(&control, 0, sizeof(control));
2205 control.sframe = 1;
2206 control.super = L2CAP_SUPER_SREJ;
2207
2208 for (seq = chan->expected_tx_seq; seq != txseq;
2209 seq = __next_seq(chan, seq)) {
2210 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2211 control.reqseq = seq;
2212 l2cap_send_sframe(chan, &control);
2213 l2cap_seq_list_append(&chan->srej_list, seq);
2214 }
2215 }
2216
2217 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2218}
2219
2220static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2221{
bed68bde
MM		 2222 struct l2cap_ctrl control;
2223
2224 BT_DBG("chan %p", chan);
2225
2226 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2227 return;
2228
2229 memset(&control, 0, sizeof(control));
2230 control.sframe = 1;
2231 control.super = L2CAP_SUPER_SREJ;
2232 control.reqseq = chan->srej_list.tail;
2233 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2234}
2235
2236static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2237{
bed68bde
MM		 2238 struct l2cap_ctrl control;
2239 u16 initial_head;
2240 u16 seq;
2241
2242 BT_DBG("chan %p, txseq %d", chan, txseq);
2243
2244 memset(&control, 0, sizeof(control));
2245 control.sframe = 1;
2246 control.super = L2CAP_SUPER_SREJ;
2247
2248 /* Capture initial list head to allow only one pass through the list. */
2249 initial_head = chan->srej_list.head;
2250
2251 do {
2252 seq = l2cap_seq_list_pop(&chan->srej_list);
2253 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2254 break;
2255
2256 control.reqseq = seq;
2257 l2cap_send_sframe(chan, &control);
2258 l2cap_seq_list_append(&chan->srej_list, seq);
2259 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2260}
2261
608bcc6d
MM		 2262static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2263{
2264 struct sk_buff *acked_skb;
2265 u16 ackseq;
2266
2267 BT_DBG("chan %p, reqseq %d", chan, reqseq);
2268
2269 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2270 return;
2271
2272 BT_DBG("expected_ack_seq %d, unacked_frames %d",
2273 chan->expected_ack_seq, chan->unacked_frames);
2274
2275 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2276 ackseq = __next_seq(chan, ackseq)) {
2277
2278 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2279 if (acked_skb) {
2280 skb_unlink(acked_skb, &chan->tx_q);
2281 kfree_skb(acked_skb);
2282 chan->unacked_frames--;
2283 }
2284 }
2285
2286 chan->expected_ack_seq = reqseq;
2287
2288 if (chan->unacked_frames == 0)
2289 __clear_retrans_timer(chan);
2290
2291 BT_DBG("unacked_frames %d", (int) chan->unacked_frames);
2292}
2293
2294static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2295{
2296 BT_DBG("chan %p", chan);
2297
2298 chan->expected_tx_seq = chan->buffer_seq;
2299 l2cap_seq_list_clear(&chan->srej_list);
2300 skb_queue_purge(&chan->srej_q);
2301 chan->rx_state = L2CAP_RX_STATE_RECV;
2302}
2303
d660366d
GP		 2304static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2305 struct l2cap_ctrl *control,
2306 struct sk_buff_head *skbs, u8 event)
608bcc6d 2307{
608bcc6d
MM		 2308 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2309 event);
2310
2311 switch (event) {
2312 case L2CAP_EV_DATA_REQUEST:
2313 if (chan->tx_send_head == NULL)
2314 chan->tx_send_head = skb_peek(skbs);
2315
2316 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2317 l2cap_ertm_send(chan);
2318 break;
2319 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2320 BT_DBG("Enter LOCAL_BUSY");
2321 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2322
2323 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2324 /* The SREJ_SENT state must be aborted if we are to
2325 * enter the LOCAL_BUSY state.
2326 */
2327 l2cap_abort_rx_srej_sent(chan);
2328 }
2329
2330 l2cap_send_ack(chan);
2331
2332 break;
2333 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2334 BT_DBG("Exit LOCAL_BUSY");
2335 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2336
2337 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2338 struct l2cap_ctrl local_control;
2339
2340 memset(&local_control, 0, sizeof(local_control));
2341 local_control.sframe = 1;
2342 local_control.super = L2CAP_SUPER_RR;
2343 local_control.poll = 1;
2344 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2345 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2346
2347 chan->retry_count = 1;
2348 __set_monitor_timer(chan);
2349 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2350 }
2351 break;
2352 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2353 l2cap_process_reqseq(chan, control->reqseq);
2354 break;
2355 case L2CAP_EV_EXPLICIT_POLL:
2356 l2cap_send_rr_or_rnr(chan, 1);
2357 chan->retry_count = 1;
2358 __set_monitor_timer(chan);
2359 __clear_ack_timer(chan);
2360 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2361 break;
2362 case L2CAP_EV_RETRANS_TO:
2363 l2cap_send_rr_or_rnr(chan, 1);
2364 chan->retry_count = 1;
2365 __set_monitor_timer(chan);
2366 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2367 break;
2368 case L2CAP_EV_RECV_FBIT:
2369 /* Nothing to process */
2370 break;
2371 default:
2372 break;
2373 }
608bcc6d
MM		 2374}
2375
d660366d
GP		 2376static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2377 struct l2cap_ctrl *control,
2378 struct sk_buff_head *skbs, u8 event)
608bcc6d 2379{
608bcc6d
MM		 2380 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2381 event);
2382
2383 switch (event) {
2384 case L2CAP_EV_DATA_REQUEST:
2385 if (chan->tx_send_head == NULL)
2386 chan->tx_send_head = skb_peek(skbs);
2387 /* Queue data, but don't send. */
2388 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2389 break;
2390 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2391 BT_DBG("Enter LOCAL_BUSY");
2392 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2393
2394 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2395 /* The SREJ_SENT state must be aborted if we are to
2396 * enter the LOCAL_BUSY state.
2397 */
2398 l2cap_abort_rx_srej_sent(chan);
2399 }
2400
2401 l2cap_send_ack(chan);
2402
2403 break;
2404 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2405 BT_DBG("Exit LOCAL_BUSY");
2406 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2407
2408 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2409 struct l2cap_ctrl local_control;
2410 memset(&local_control, 0, sizeof(local_control));
2411 local_control.sframe = 1;
2412 local_control.super = L2CAP_SUPER_RR;
2413 local_control.poll = 1;
2414 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2415 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2416
2417 chan->retry_count = 1;
2418 __set_monitor_timer(chan);
2419 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2420 }
2421 break;
2422 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2423 l2cap_process_reqseq(chan, control->reqseq);
2424
2425 /* Fall through */
2426
2427 case L2CAP_EV_RECV_FBIT:
2428 if (control && control->final) {
2429 __clear_monitor_timer(chan);
2430 if (chan->unacked_frames > 0)
2431 __set_retrans_timer(chan);
2432 chan->retry_count = 0;
2433 chan->tx_state = L2CAP_TX_STATE_XMIT;
2434 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2435 }
2436 break;
2437 case L2CAP_EV_EXPLICIT_POLL:
2438 /* Ignore */
2439 break;
2440 case L2CAP_EV_MONITOR_TO:
2441 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2442 l2cap_send_rr_or_rnr(chan, 1);
2443 __set_monitor_timer(chan);
2444 chan->retry_count++;
2445 } else {
2446 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
2447 }
2448 break;
2449 default:
2450 break;
2451 }
608bcc6d
MM		 2452}
2453
d660366d
GP		 2454static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2455 struct sk_buff_head *skbs, u8 event)
608bcc6d 2456{
608bcc6d
MM		 2457 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2458 chan, control, skbs, event, chan->tx_state);
2459
2460 switch (chan->tx_state) {
2461 case L2CAP_TX_STATE_XMIT:
d660366d 2462 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2463 break;
2464 case L2CAP_TX_STATE_WAIT_F:
d660366d 2465 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2466 break;
2467 default:
2468 /* Ignore event */
2469 break;
2470 }
608bcc6d
MM		 2471}
2472
4b51dae9
MM		 2473static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2474 struct l2cap_ctrl *control)
2475{
2476 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2477 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2478}
2479
f80842a8
MM		 2480static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2481 struct l2cap_ctrl *control)
2482{
2483 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2484 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2485}
2486
1da177e4
LT		 2487/* Copy frame to all raw sockets on that connection */
2488static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2489{
1da177e4 2490 struct sk_buff *nskb;
48454079 2491 struct l2cap_chan *chan;
1da177e4
LT		 2492
2493 BT_DBG("conn %p", conn);
2494
3df91ea2 2495 mutex_lock(&conn->chan_lock);
3d57dc68 2496
3df91ea2 2497 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2498 struct sock *sk = chan->sk;
715ec005 2499 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2500 continue;
2501
2502 /* Don't send frame to the socket it came from */
2503 if (skb->sk == sk)
2504 continue;
af05b30b
GP		 2505 nskb = skb_clone(skb, GFP_ATOMIC);
2506 if (!nskb)
1da177e4
LT		 2507 continue;
2508
80b98027 2509 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2510 kfree_skb(nskb);
2511 }
3d57dc68 2512
3df91ea2 2513 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2514}
2515
2516/* ---- L2CAP signalling commands ---- */
2517static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2518 u8 code, u8 ident, u16 dlen, void *data)
2519{
2520 struct sk_buff *skb, **frag;
2521 struct l2cap_cmd_hdr *cmd;
2522 struct l2cap_hdr *lh;
2523 int len, count;
2524
af05b30b
GP		 2525 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2526 conn, code, ident, dlen);
1da177e4
LT		 2527
2528 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2529 count = min_t(unsigned int, conn->mtu, len);
2530
2531 skb = bt_skb_alloc(count, GFP_ATOMIC);
2532 if (!skb)
2533 return NULL;
2534
2535 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2536 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2537
2538 if (conn->hcon->type == LE_LINK)
ac73498c 2539 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2540 else
ac73498c 2541 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2542
2543 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2544 cmd->code = code;
2545 cmd->ident = ident;
aca3192c 2546 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2547
2548 if (dlen) {
2549 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2550 memcpy(skb_put(skb, count), data, count);
2551 data += count;
2552 }
2553
2554 len -= skb->len;
2555
2556 /* Continuation fragments (no L2CAP header) */
2557 frag = &skb_shinfo(skb)->frag_list;
2558 while (len) {
2559 count = min_t(unsigned int, conn->mtu, len);
2560
2561 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2562 if (!*frag)
2563 goto fail;
2564
2565 memcpy(skb_put(*frag, count), data, count);
2566
2567 len -= count;
2568 data += count;
2569
2570 frag = &(*frag)->next;
2571 }
2572
2573 return skb;
2574
2575fail:
2576 kfree_skb(skb);
2577 return NULL;
2578}
2579
2580static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2581{
2582 struct l2cap_conf_opt *opt = *ptr;
2583 int len;
2584
2585 len = L2CAP_CONF_OPT_SIZE + opt->len;
2586 *ptr += len;
2587
2588 *type = opt->type;
2589 *olen = opt->len;
2590
2591 switch (opt->len) {
2592 case 1:
2593 *val = *((u8 *) opt->val);
2594 break;
2595
2596 case 2:
bfaaeb3e 2597 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2598 break;
2599
2600 case 4:
bfaaeb3e 2601 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2602 break;
2603
2604 default:
2605 *val = (unsigned long) opt->val;
2606 break;
2607 }
2608
2609 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2610 return len;
2611}
2612
1da177e4
LT		 2613static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2614{
2615 struct l2cap_conf_opt *opt = *ptr;
2616
2617 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2618
2619 opt->type = type;
2620 opt->len = len;
2621
2622 switch (len) {
2623 case 1:
2624 *((u8 *) opt->val) = val;
2625 break;
2626
2627 case 2:
4f8b691c 2628 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2629 break;
2630
2631 case 4:
4f8b691c 2632 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2633 break;
2634
2635 default:
2636 memcpy(opt->val, (void *) val, len);
2637 break;
2638 }
2639
2640 *ptr += L2CAP_CONF_OPT_SIZE + len;
2641}
2642
f89cef09
AE		 2643static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2644{
2645 struct l2cap_conf_efs efs;
2646
1ec918ce 2647 switch (chan->mode) {
f89cef09
AE		 2648 case L2CAP_MODE_ERTM:
2649 efs.id = chan->local_id;
2650 efs.stype = chan->local_stype;
2651 efs.msdu = cpu_to_le16(chan->local_msdu);
2652 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c
AE		 2653 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2654 efs.flush_to = __constant_cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
f89cef09
AE		 2655 break;
2656
2657 case L2CAP_MODE_STREAMING:
2658 efs.id = 1;
2659 efs.stype = L2CAP_SERV_BESTEFFORT;
2660 efs.msdu = cpu_to_le16(chan->local_msdu);
2661 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2662 efs.acc_lat = 0;
2663 efs.flush_to = 0;
2664 break;
2665
2666 default:
2667 return;
2668 }
2669
2670 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
2671 (unsigned long) &efs);
2672}
2673
721c4181 2674static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2675{
721c4181 2676 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 2677 ack_timer.work);
2678 u16 frames_to_ack;
c1b4f43b 2679
2fb9b3d4
GP		 2680 BT_DBG("chan %p", chan);
2681
6be36555
AE		 2682 l2cap_chan_lock(chan);
2683
0362520b
MM		 2684 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2685 chan->last_acked_seq);
6be36555 2686
0362520b
MM		 2687 if (frames_to_ack)
2688 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 2689
0362520b 2690 l2cap_chan_unlock(chan);
09bfb2ee 2691 l2cap_chan_put(chan);
c1b4f43b
GP		 2692}
2693
3c588192 2694static inline int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2695{
3c588192
MM		 2696 int err;
2697
105bdf9e
MM		 2698 chan->next_tx_seq = 0;
2699 chan->expected_tx_seq = 0;
42e5c802 2700 chan->expected_ack_seq = 0;
6a026610 2701 chan->unacked_frames = 0;
42e5c802 2702 chan->buffer_seq = 0;
6a026610 2703 chan->frames_sent = 0;
105bdf9e
MM		 2704 chan->last_acked_seq = 0;
2705 chan->sdu = NULL;
2706 chan->sdu_last_frag = NULL;
2707 chan->sdu_len = 0;
2708
d34c34fb
MM		 2709 skb_queue_head_init(&chan->tx_q);
2710
105bdf9e
MM		 2711 if (chan->mode != L2CAP_MODE_ERTM)
2712 return 0;
2713
2714 chan->rx_state = L2CAP_RX_STATE_RECV;
2715 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2716
721c4181
GP		 2717 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2718 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2719 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2720
f1c6775b 2721 skb_queue_head_init(&chan->srej_q);
1890d36b 2722
3c588192
MM		 2723 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2724 if (err < 0)
2725 return err;
2726
9dc9affc
MM		 2727 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
2728 if (err < 0)
2729 l2cap_seq_list_free(&chan->srej_list);
2730
2731 return err;
0565c1c2
GP		 2732}
2733
f2fcfcd6
GP		 2734static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2735{
2736 switch (mode) {
2737 case L2CAP_MODE_STREAMING:
2738 case L2CAP_MODE_ERTM:
2739 if (l2cap_mode_supported(mode, remote_feat_mask))
2740 return mode;
2741 /* fall through */
2742 default:
2743 return L2CAP_MODE_BASIC;
2744 }
2745}
2746
6327eb98
AE		 2747static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2748{
2749 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2750}
2751
f89cef09
AE		 2752static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2753{
2754 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2755}
2756
6327eb98
AE		 2757static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2758{
2759 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 2760 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2761 /* use extended control field */
2762 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2763 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2764 } else {
6327eb98
AE		 2765 chan->tx_win = min_t(u16, chan->tx_win,
2766 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2767 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2768 }
6327eb98
AE		 2769}
2770
710f9b0a 2771static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2772{
1da177e4 2773 struct l2cap_conf_req *req = data;
0c1bc5c6 2774 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2775 void *ptr = req->data;
c8f79162 2776 u16 size;
1da177e4 2777
49208c9c 2778 BT_DBG("chan %p", chan);
1da177e4 2779
73ffa904 2780 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2781 goto done;
2782
0c1bc5c6 2783 switch (chan->mode) {
f2fcfcd6
GP		 2784 case L2CAP_MODE_STREAMING:
2785 case L2CAP_MODE_ERTM:
c1360a1c 2786 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2787 break;
85eb53c6 2788
f89cef09
AE		 2789 if (__l2cap_efs_supported(chan))
2790 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2791
2ba13ed6 2792 /* fall through */
f2fcfcd6 2793 default:
8c1d787b 2794 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2795 break;
2796 }
2797
2798done:
0c1bc5c6
GP		 2799 if (chan->imtu != L2CAP_DEFAULT_MTU)
2800 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2801
0c1bc5c6 2802 switch (chan->mode) {
65c7c491 2803 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2804 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2805 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2806 break;
2807
62547752
GP		 2808 rfc.mode = L2CAP_MODE_BASIC;
2809 rfc.txwin_size = 0;
2810 rfc.max_transmit = 0;
2811 rfc.retrans_timeout = 0;
2812 rfc.monitor_timeout = 0;
2813 rfc.max_pdu_size = 0;
2814
63406504
GP		 2815 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2816 (unsigned long) &rfc);
65c7c491
MH		 2817 break;
2818
2819 case L2CAP_MODE_ERTM:
2820 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2821 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2822 rfc.retrans_timeout = 0;
2823 rfc.monitor_timeout = 0;
c8f79162
AE		 2824
2825 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2826 L2CAP_EXT_HDR_SIZE -
2827 L2CAP_SDULEN_SIZE -
2828 L2CAP_FCS_SIZE);
2829 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2830
6327eb98
AE		 2831 l2cap_txwin_setup(chan);
2832
2833 rfc.txwin_size = min_t(u16, chan->tx_win,
2834 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2835
63406504
GP		 2836 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2837 (unsigned long) &rfc);
2838
f89cef09
AE		 2839 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2840 l2cap_add_opt_efs(&ptr, chan);
2841
8c1d787b 2842 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2843 break;
2844
47d1ec61 2845 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2846 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2847 chan->fcs = L2CAP_FCS_NONE;
2848 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2849 }
6327eb98
AE		 2850
2851 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2852 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2853 chan->tx_win);
f2fcfcd6
GP		 2854 break;
2855
2856 case L2CAP_MODE_STREAMING:
273759e2 2857 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 2858 rfc.mode = L2CAP_MODE_STREAMING;
2859 rfc.txwin_size = 0;
2860 rfc.max_transmit = 0;
2861 rfc.retrans_timeout = 0;
2862 rfc.monitor_timeout = 0;
c8f79162
AE		 2863
2864 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2865 L2CAP_EXT_HDR_SIZE -
2866 L2CAP_SDULEN_SIZE -
2867 L2CAP_FCS_SIZE);
2868 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2869
63406504
GP		 2870 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2871 (unsigned long) &rfc);
2872
f89cef09
AE		 2873 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2874 l2cap_add_opt_efs(&ptr, chan);
2875
8c1d787b 2876 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2877 break;
2878
47d1ec61 2879 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2880 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2881 chan->fcs = L2CAP_FCS_NONE;
2882 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2883 }
65c7c491
MH		 2884 break;
2885 }
1da177e4 2886
fe4128e0 2887 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 2888 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 2889
2890 return ptr - data;
2891}
2892
73ffa904 2893static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2894{
5dee9e7c
MH		 2895 struct l2cap_conf_rsp *rsp = data;
2896 void *ptr = rsp->data;
73ffa904
GP		 2897 void *req = chan->conf_req;
2898 int len = chan->conf_len;
5dee9e7c
MH		 2899 int type, hint, olen;
2900 unsigned long val;
6464f35f 2901 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2902 struct l2cap_conf_efs efs;
2903 u8 remote_efs = 0;
861d6882 2904 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2905 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2906 u16 size;
1da177e4 2907
73ffa904 2908 BT_DBG("chan %p", chan);
820ae1b8 2909
5dee9e7c
MH		 2910 while (len >= L2CAP_CONF_OPT_SIZE) {
2911 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2912
589d2746 2913 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2914 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2915
2916 switch (type) {
2917 case L2CAP_CONF_MTU:
861d6882 2918 mtu = val;
5dee9e7c
MH		 2919 break;
2920
2921 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2922 chan->flush_to = val;
5dee9e7c
MH		 2923 break;
2924
2925 case L2CAP_CONF_QOS:
2926 break;
2927
6464f35f
MH		 2928 case L2CAP_CONF_RFC:
2929 if (olen == sizeof(rfc))
2930 memcpy(&rfc, (void *) val, olen);
2931 break;
2932
fcc203c3
GP		 2933 case L2CAP_CONF_FCS:
2934 if (val == L2CAP_FCS_NONE)
c1360a1c 2935 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 2936 break;
fcc203c3 2937
42dceae2
AE		 2938 case L2CAP_CONF_EFS:
2939 remote_efs = 1;
2940 if (olen == sizeof(efs))
2941 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 2942 break;
2943
6327eb98
AE		 2944 case L2CAP_CONF_EWS:
2945 if (!enable_hs)
2946 return -ECONNREFUSED;
fcc203c3 2947
6327eb98
AE		 2948 set_bit(FLAG_EXT_CTRL, &chan->flags);
2949 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 2950 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 2951 chan->remote_tx_win = val;
fcc203c3
GP		 2952 break;
2953
5dee9e7c
MH		 2954 default:
2955 if (hint)
2956 break;
2957
2958 result = L2CAP_CONF_UNKNOWN;
2959 *((u8 *) ptr++) = type;
2960 break;
2961 }
2962 }
2963
73ffa904 2964 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2965 goto done;
2966
0c1bc5c6 2967 switch (chan->mode) {
f2fcfcd6
GP		 2968 case L2CAP_MODE_STREAMING:
2969 case L2CAP_MODE_ERTM:
c1360a1c 2970 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2971 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2972 chan->conn->feat_mask);
85eb53c6
GP		 2973 break;
2974 }
2975
42dceae2
AE		 2976 if (remote_efs) {
2977 if (__l2cap_efs_supported(chan))
2978 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2979 else
2980 return -ECONNREFUSED;
2981 }
2982
0c1bc5c6 2983 if (chan->mode != rfc.mode)
f2fcfcd6 2984 return -ECONNREFUSED;
742e519b 2985
f2fcfcd6 2986 break;
f2fcfcd6
GP		 2987 }
2988
2989done:
0c1bc5c6 2990 if (chan->mode != rfc.mode) {
f2fcfcd6 2991 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2992 rfc.mode = chan->mode;
f2fcfcd6 2993
73ffa904 2994 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2995 return -ECONNREFUSED;
2996
2997 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2998 sizeof(rfc), (unsigned long) &rfc);
2999 }
3000
5dee9e7c
MH		 3001 if (result == L2CAP_CONF_SUCCESS) {
3002 /* Configure output options and let the other side know
3003 * which ones we don't like. */
3004
f2fcfcd6
GP		 3005 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3006 result = L2CAP_CONF_UNACCEPT;
3007 else {
0c1bc5c6 3008 chan->omtu = mtu;
c1360a1c 3009 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3010 }
0c1bc5c6 3011 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3012
42dceae2
AE		 3013 if (remote_efs) {
3014 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3015 efs.stype != L2CAP_SERV_NOTRAFIC &&
3016 efs.stype != chan->local_stype) {
3017
3018 result = L2CAP_CONF_UNACCEPT;
3019
3020 if (chan->num_conf_req >= 1)
3021 return -ECONNREFUSED;
3022
3023 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 3024 sizeof(efs),
42dceae2 3025 (unsigned long) &efs);
0e8b207e 3026 } else {
3e6b3b95 3027 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3028 result = L2CAP_CONF_PENDING;
3029 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3030 }
3031 }
3032
f2fcfcd6
GP		 3033 switch (rfc.mode) {
3034 case L2CAP_MODE_BASIC:
47d1ec61 3035 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3036 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3037 break;
3038
3039 case L2CAP_MODE_ERTM:
6327eb98
AE		 3040 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3041 chan->remote_tx_win = rfc.txwin_size;
3042 else
3043 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3044
2c03a7a4 3045 chan->remote_max_tx = rfc.max_transmit;
1c762159 3046
c8f79162
AE		 3047 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3048 chan->conn->mtu -
3049 L2CAP_EXT_HDR_SIZE -
3050 L2CAP_SDULEN_SIZE -
3051 L2CAP_FCS_SIZE);
3052 rfc.max_pdu_size = cpu_to_le16(size);
3053 chan->remote_mps = size;
f2fcfcd6 3054
10467e9e 3055 rfc.retrans_timeout =
4fd21a88 3056 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
10467e9e 3057 rfc.monitor_timeout =
4fd21a88 3058 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 3059
c1360a1c 3060 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3061
3062 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3063 sizeof(rfc), (unsigned long) &rfc);
3064
42dceae2
AE		 3065 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3066 chan->remote_id = efs.id;
3067 chan->remote_stype = efs.stype;
3068 chan->remote_msdu = le16_to_cpu(efs.msdu);
3069 chan->remote_flush_to =
3070 le32_to_cpu(efs.flush_to);
3071 chan->remote_acc_lat =
3072 le32_to_cpu(efs.acc_lat);
3073 chan->remote_sdu_itime =
3074 le32_to_cpu(efs.sdu_itime);
3075 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3076 sizeof(efs), (unsigned long) &efs);
3077 }
f2fcfcd6
GP		 3078 break;
3079
3080 case L2CAP_MODE_STREAMING:
c8f79162
AE		 3081 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3082 chan->conn->mtu -
3083 L2CAP_EXT_HDR_SIZE -
3084 L2CAP_SDULEN_SIZE -
3085 L2CAP_FCS_SIZE);
3086 rfc.max_pdu_size = cpu_to_le16(size);
3087 chan->remote_mps = size;
f2fcfcd6 3088
c1360a1c 3089 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3090
3091 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3092 sizeof(rfc), (unsigned long) &rfc);
3093
f2fcfcd6
GP		 3094 break;
3095
3096 default:
5dee9e7c 3097 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3098
6464f35f 3099 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3100 rfc.mode = chan->mode;
f2fcfcd6 3101 }
6464f35f 3102
f2fcfcd6 3103 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3104 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3105 }
fe4128e0 3106 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3107 rsp->result = cpu_to_le16(result);
59e54bd1 3108 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3109
3110 return ptr - data;
1da177e4
LT		 3111}
3112
b4450035 3113static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 3114{
f2fcfcd6
GP		 3115 struct l2cap_conf_req *req = data;
3116 void *ptr = req->data;
3117 int type, olen;
3118 unsigned long val;
36e999a8 3119 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3120 struct l2cap_conf_efs efs;
f2fcfcd6 3121
fe4128e0 3122 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3123
3124 while (len >= L2CAP_CONF_OPT_SIZE) {
3125 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3126
3127 switch (type) {
3128 case L2CAP_CONF_MTU:
3129 if (val < L2CAP_DEFAULT_MIN_MTU) {
3130 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3131 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3132 } else
0c1bc5c6
GP		 3133 chan->imtu = val;
3134 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3135 break;
3136
3137 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3138 chan->flush_to = val;
f2fcfcd6 3139 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 3140 2, chan->flush_to);
f2fcfcd6
GP		 3141 break;
3142
3143 case L2CAP_CONF_RFC:
3144 if (olen == sizeof(rfc))
3145 memcpy(&rfc, (void *)val, olen);
3146
c1360a1c 3147 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 3148 rfc.mode != chan->mode)
f2fcfcd6
GP		 3149 return -ECONNREFUSED;
3150
47d1ec61 3151 chan->fcs = 0;
f2fcfcd6
GP		 3152
3153 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3154 sizeof(rfc), (unsigned long) &rfc);
3155 break;
6327eb98
AE		 3156
3157 case L2CAP_CONF_EWS:
3158 chan->tx_win = min_t(u16, val,
3159 L2CAP_DEFAULT_EXT_WINDOW);
3e6b3b95
GP		 3160 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3161 chan->tx_win);
6327eb98 3162 break;
66af7aaf
AE		 3163
3164 case L2CAP_CONF_EFS:
3165 if (olen == sizeof(efs))
3166 memcpy(&efs, (void *)val, olen);
3167
3168 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3169 efs.stype != L2CAP_SERV_NOTRAFIC &&
3170 efs.stype != chan->local_stype)
3171 return -ECONNREFUSED;
3172
3173 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3174 sizeof(efs), (unsigned long) &efs);
3175 break;
f2fcfcd6
GP		 3176 }
3177 }
3178
0c1bc5c6 3179 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3180 return -ECONNREFUSED;
3181
0c1bc5c6 3182 chan->mode = rfc.mode;
6c2ea7a8 3183
0e8b207e 3184 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3185 switch (rfc.mode) {
3186 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3187 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3188 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3189 chan->mps = le16_to_cpu(rfc.max_pdu_size);
66af7aaf
AE		 3190
3191 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3192 chan->local_msdu = le16_to_cpu(efs.msdu);
3193 chan->local_sdu_itime =
3194 le32_to_cpu(efs.sdu_itime);
3195 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3196 chan->local_flush_to =
3197 le32_to_cpu(efs.flush_to);
3198 }
f2fcfcd6 3199 break;
66af7aaf 3200
f2fcfcd6 3201 case L2CAP_MODE_STREAMING:
47d1ec61 3202 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3203 }
3204 }
3205
fe4128e0 3206 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3207 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3208
3209 return ptr - data;
3210}
3211
fe4128e0 3212static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 3213{
3214 struct l2cap_conf_rsp *rsp = data;
3215 void *ptr = rsp->data;
1da177e4 3216
fe4128e0 3217 BT_DBG("chan %p", chan);
1da177e4 3218
fe4128e0 3219 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3220 rsp->result = cpu_to_le16(result);
aca3192c 3221 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3222
3223 return ptr - data;
3224}
3225
8c1d787b 3226void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3227{
3228 struct l2cap_conn_rsp rsp;
8c1d787b 3229 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 3230 u8 buf[128];
3231
fe4128e0
GP		 3232 rsp.scid = cpu_to_le16(chan->dcid);
3233 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3234 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3235 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
710f9b0a
GP		 3236 l2cap_send_cmd(conn, chan->ident,
3237 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
3238
c1360a1c 3239 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3240 return;
3241
710f9b0a
GP		 3242 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3243 l2cap_build_conf_req(chan, buf), buf);
3244 chan->num_conf_req++;
3245}
3246
47d1ec61 3247static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3248{
7b1c0049
GP		 3249 int type, olen;
3250 unsigned long val;
3251 struct l2cap_conf_rfc rfc;
3252
47d1ec61 3253 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3254
0c1bc5c6 3255 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3256 return;
3257
3258 while (len >= L2CAP_CONF_OPT_SIZE) {
3259 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3260
3261 switch (type) {
3262 case L2CAP_CONF_RFC:
3263 if (olen == sizeof(rfc))
3264 memcpy(&rfc, (void *)val, olen);
3265 goto done;
3266 }
3267 }
3268
36e999a8
MM		 3269 /* Use sane default values in case a misbehaving remote device
3270 * did not send an RFC option.
3271 */
3272 rfc.mode = chan->mode;
ac73498c
AE		 3273 rfc.retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3274 rfc.monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
36e999a8
MM		 3275 rfc.max_pdu_size = cpu_to_le16(chan->imtu);
3276
3277 BT_ERR("Expected RFC option was not found, using defaults");
3278
7b1c0049
GP		 3279done:
3280 switch (rfc.mode) {
3281 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3282 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3283 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3284 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3285 break;
3286 case L2CAP_MODE_STREAMING:
47d1ec61 3287 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3288 }
3289}
3290
4e8402a3
MH		 3291static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3292{
e2fd318e 3293 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3294
e2fd318e 3295 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3296 return 0;
3297
3298 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3299 cmd->ident == conn->info_ident) {
17cd3f37 3300 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3301
3302 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3303 conn->info_ident = 0;
984947dc 3304
4e8402a3
MH		 3305 l2cap_conn_start(conn);
3306 }
3307
3308 return 0;
3309}
3310
1da177e4
LT		 3311static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3312{
1da177e4
LT		 3313 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3314 struct l2cap_conn_rsp rsp;
23691d75 3315 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3316 struct sock *parent, *sk = NULL;
e7c29cb1 3317 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3318
3319 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3320 __le16 psm = req->psm;
1da177e4 3321
097db76c 3322 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3323
3324 /* Check if we have socket listening on psm */
c2287681 3325 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3326 if (!pchan) {
1da177e4
LT		 3327 result = L2CAP_CR_BAD_PSM;
3328 goto sendresp;
3329 }
3330
23691d75
GP		 3331 parent = pchan->sk;
3332
3df91ea2 3333 mutex_lock(&conn->chan_lock);
aa2ac881 3334 lock_sock(parent);
e0f0cb56 3335
e7c29cb1 3336 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3337 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
e7c29cb1 3338 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3339 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3340 result = L2CAP_CR_SEC_BLOCK;
3341 goto response;
3342 }
3343
1da177e4
LT		 3344 result = L2CAP_CR_NO_MEM;
3345
80b98027 3346 chan = pchan->ops->new_connection(pchan);
80808e43 3347 if (!chan)
1da177e4
LT		 3348 goto response;
3349
80808e43
GP		 3350 sk = chan->sk;
3351
1da177e4 3352 /* Check if we already have channel with that dcid */
baa7e1fa 3353 if (__l2cap_get_chan_by_dcid(conn, scid)) {
c0df7f6e
AE		 3354 if (chan->ops->teardown)
3355 chan->ops->teardown(chan, 0);
3356
80b98027 3357 chan->ops->close(chan);
1da177e4
LT		 3358 goto response;
3359 }
3360
3361 hci_conn_hold(conn->hcon);
3362
1da177e4
LT		 3363 bacpy(&bt_sk(sk)->src, conn->src);
3364 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3365 chan->psm = psm;
3366 chan->dcid = scid;
1da177e4 3367
d1010240
GP		 3368 bt_accept_enqueue(parent, sk);
3369
6be36555 3370 __l2cap_chan_add(conn, chan);
48454079 3371
fe4128e0 3372 dcid = chan->scid;
1da177e4 3373
c9b66675 3374 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3375
fc7f8a7e 3376 chan->ident = cmd->ident;
1da177e4 3377
984947dc 3378 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3379 if (l2cap_chan_check_security(chan)) {
c5daa683 3380 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3381 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3382 result = L2CAP_CR_PEND;
3383 status = L2CAP_CS_AUTHOR_PEND;
3384 parent->sk_data_ready(parent, 0);
3385 } else {
0e587be7 3386 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 3387 result = L2CAP_CR_SUCCESS;
3388 status = L2CAP_CS_NO_INFO;
3389 }
79d554a6 3390 } else {
0e587be7 3391 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3392 result = L2CAP_CR_PEND;
3393 status = L2CAP_CS_AUTHEN_PEND;
3394 }
3395 } else {
0e587be7 3396 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3397 result = L2CAP_CR_PEND;
3398 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3399 }
3400
1da177e4 3401response:
aa2ac881 3402 release_sock(parent);
3df91ea2 3403 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3404
3405sendresp:
aca3192c
YH		 3406 rsp.scid = cpu_to_le16(scid);
3407 rsp.dcid = cpu_to_le16(dcid);
3408 rsp.result = cpu_to_le16(result);
3409 rsp.status = cpu_to_le16(status);
1da177e4 3410 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 3411
3412 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3413 struct l2cap_info_req info;
ac73498c 3414 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3415
3416 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3417 conn->info_ident = l2cap_get_ident(conn);
3418
ba13ccd9 3419 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 3420
3421 l2cap_send_cmd(conn, conn->info_ident,
3422 L2CAP_INFO_REQ, sizeof(info), &info);
3423 }
3424
c1360a1c 3425 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 3426 result == L2CAP_CR_SUCCESS) {
3427 u8 buf[128];
c1360a1c 3428 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3429 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3430 l2cap_build_conf_req(chan, buf), buf);
3431 chan->num_conf_req++;
e9aeb2dd
GP		 3432 }
3433
1da177e4
LT		 3434 return 0;
3435}
3436
3437static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3438{
3439 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3440 u16 scid, dcid, result, status;
48454079 3441 struct l2cap_chan *chan;
1da177e4 3442 u8 req[128];
3df91ea2 3443 int err;
1da177e4
LT		 3444
3445 scid = __le16_to_cpu(rsp->scid);
3446 dcid = __le16_to_cpu(rsp->dcid);
3447 result = __le16_to_cpu(rsp->result);
3448 status = __le16_to_cpu(rsp->status);
3449
1b009c98
AE		 3450 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3451 dcid, scid, result, status);
1da177e4 3452
3df91ea2
AE		 3453 mutex_lock(&conn->chan_lock);
3454
1da177e4 3455 if (scid) {
3df91ea2
AE		 3456 chan = __l2cap_get_chan_by_scid(conn, scid);
3457 if (!chan) {
3458 err = -EFAULT;
3459 goto unlock;
3460 }
1da177e4 3461 } else {
3df91ea2
AE		 3462 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3463 if (!chan) {
3464 err = -EFAULT;
3465 goto unlock;
3466 }
1da177e4
LT		 3467 }
3468
3df91ea2
AE		 3469 err = 0;
3470
6be36555 3471 l2cap_chan_lock(chan);
48454079 3472
1da177e4
LT		 3473 switch (result) {
3474 case L2CAP_CR_SUCCESS:
89bc500e 3475 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3476 chan->ident = 0;
fe4128e0 3477 chan->dcid = dcid;
c1360a1c 3478 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3479
c1360a1c 3480 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3481 break;
3482
1da177e4 3483 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3484 l2cap_build_conf_req(chan, req), req);
3485 chan->num_conf_req++;
1da177e4
LT		 3486 break;
3487
3488 case L2CAP_CR_PEND:
c1360a1c 3489 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3490 break;
3491
3492 default:
48454079 3493 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3494 break;
3495 }
3496
6be36555 3497 l2cap_chan_unlock(chan);
3df91ea2
AE		 3498
3499unlock:
3500 mutex_unlock(&conn->chan_lock);
3501
3502 return err;
1da177e4
LT		 3503}
3504
47d1ec61 3505static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3506{
3507 /* FCS is enabled only in ERTM or streaming mode, if one or both
3508 * sides request it.
3509 */
0c1bc5c6 3510 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3511 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3512 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3513 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3514}
3515
88219a0f 3516static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 3517{
3518 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3519 u16 dcid, flags;
3520 u8 rsp[64];
48454079 3521 struct l2cap_chan *chan;
3c588192 3522 int len, err = 0;
1da177e4
LT		 3523
3524 dcid = __le16_to_cpu(req->dcid);
3525 flags = __le16_to_cpu(req->flags);
3526
3527 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3528
baa7e1fa 3529 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3530 if (!chan)
1da177e4
LT		 3531 return -ENOENT;
3532
033b1142 3533 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3534 struct l2cap_cmd_rej_cid rej;
3535
ac73498c 3536 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
e2fd318e
IK		 3537 rej.scid = cpu_to_le16(chan->scid);
3538 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3539
df6bd743
GP		 3540 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
3541 sizeof(rej), &rej);
354f60a9 3542 goto unlock;
df6bd743 3543 }
354f60a9 3544
5dee9e7c 3545 /* Reject if config buffer is too small. */
88219a0f 3546 len = cmd_len - sizeof(*req);
7ac28817 3547 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3548 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3549 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 3550 L2CAP_CONF_REJECT, flags), rsp);
3551 goto unlock;
3552 }
3553
3554 /* Store config. */
73ffa904
GP		 3555 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3556 chan->conf_len += len;
1da177e4 3557
59e54bd1 3558 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 3559 /* Incomplete config. Send empty response. */
3560 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3561 l2cap_build_conf_rsp(chan, rsp,
5325e5bb 3562 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 3563 goto unlock;
3564 }
3565
3566 /* Complete config. */
73ffa904 3567 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3568 if (len < 0) {
e92c8e70 3569 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 3570 goto unlock;
f2fcfcd6 3571 }
1da177e4 3572
5dee9e7c 3573 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3574 chan->num_conf_rsp++;
5dee9e7c 3575
5dee9e7c 3576 /* Reset config buffer. */
73ffa904 3577 chan->conf_len = 0;
5dee9e7c 3578
c1360a1c 3579 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3580 goto unlock;
3581
c1360a1c 3582 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3583 set_default_fcs(chan);
fcc203c3 3584
105bdf9e
MM		 3585 if (chan->mode == L2CAP_MODE_ERTM ||
3586 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3587 err = l2cap_ertm_init(chan);
3588
3589 if (err < 0)
3590 l2cap_send_disconn_req(chan->conn, chan, -err);
3591 else
3592 l2cap_chan_ready(chan);
0565c1c2 3593
876d9484
MH		 3594 goto unlock;
3595 }
3596
c1360a1c 3597 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3598 u8 buf[64];
1da177e4 3599 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3600 l2cap_build_conf_req(chan, buf), buf);
3601 chan->num_conf_req++;
1da177e4
LT		 3602 }
3603
0e8b207e
AE		 3604 /* Got Conf Rsp PENDING from remote side and asume we sent
3605 Conf Rsp PENDING in the code above */
3606 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
3607 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3608
3609 /* check compatibility */
3610
3611 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3612 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3613
3614 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3615 l2cap_build_conf_rsp(chan, rsp,
5325e5bb 3616 L2CAP_CONF_SUCCESS, flags), rsp);
0e8b207e
AE		 3617 }
3618
1da177e4 3619unlock:
6be36555 3620 l2cap_chan_unlock(chan);
3c588192 3621 return err;
1da177e4
LT		 3622}
3623
3624static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3625{
3626 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3627 u16 scid, flags, result;
48454079 3628 struct l2cap_chan *chan;
61386cba 3629 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3630 int err = 0;
1da177e4
LT		 3631
3632 scid = __le16_to_cpu(rsp->scid);
3633 flags = __le16_to_cpu(rsp->flags);
3634 result = __le16_to_cpu(rsp->result);
3635
61386cba
AE		 3636 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3637 result, len);
1da177e4 3638
baa7e1fa 3639 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3640 if (!chan)
1da177e4
LT		 3641 return 0;
3642
3643 switch (result) {
3644 case L2CAP_CONF_SUCCESS:
47d1ec61 3645 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3646 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3647 break;
3648
0e8b207e
AE		 3649 case L2CAP_CONF_PENDING:
3650 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3651
3652 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3653 char buf[64];
3654
3655 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3656 buf, &result);
3657 if (len < 0) {
3658 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3659 goto done;
3660 }
3661
3662 /* check compatibility */
3663
3664 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3665 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3666
3667 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3668 l2cap_build_conf_rsp(chan, buf,
0e8b207e
AE		 3669 L2CAP_CONF_SUCCESS, 0x0000), buf);
3670 }
3671 goto done;
3672
1da177e4 3673 case L2CAP_CONF_UNACCEPT:
73ffa904 3674 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3675 char req[64];
3676
c2c77ec8 3677 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 3678 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 3679 goto done;
3680 }
3681
f2fcfcd6
GP		 3682 /* throw out any old stored conf requests */
3683 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 3684 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3685 req, &result);
f2fcfcd6 3686 if (len < 0) {
e92c8e70 3687 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 3688 goto done;
3689 }
3690
3691 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3692 L2CAP_CONF_REQ, len, req);
73ffa904 3693 chan->num_conf_req++;
f2fcfcd6
GP		 3694 if (result != L2CAP_CONF_SUCCESS)
3695 goto done;
3696 break;
1da177e4
LT		 3697 }
3698
8e87d142 3699 default:
6be36555 3700 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 3701
ba13ccd9 3702 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 3703 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 3704 goto done;
3705 }
3706
59e54bd1 3707 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 3708 goto done;
3709
c1360a1c 3710 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 3711
c1360a1c 3712 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 3713 set_default_fcs(chan);
fcc203c3 3714
105bdf9e
MM		 3715 if (chan->mode == L2CAP_MODE_ERTM ||
3716 chan->mode == L2CAP_MODE_STREAMING)
3c588192 3717 err = l2cap_ertm_init(chan);
0565c1c2 3718
3c588192
MM		 3719 if (err < 0)
3720 l2cap_send_disconn_req(chan->conn, chan, -err);
3721 else
3722 l2cap_chan_ready(chan);
1da177e4
LT		 3723 }
3724
3725done:
6be36555 3726 l2cap_chan_unlock(chan);
3c588192 3727 return err;
1da177e4
LT		 3728}
3729
3730static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3731{
3732 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3733 struct l2cap_disconn_rsp rsp;
3734 u16 dcid, scid;
48454079 3735 struct l2cap_chan *chan;
1da177e4
LT		 3736 struct sock *sk;
3737
3738 scid = __le16_to_cpu(req->scid);
3739 dcid = __le16_to_cpu(req->dcid);
3740
3741 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3742
3df91ea2
AE		 3743 mutex_lock(&conn->chan_lock);
3744
3745 chan = __l2cap_get_chan_by_scid(conn, dcid);
3746 if (!chan) {
3747 mutex_unlock(&conn->chan_lock);
1da177e4 3748 return 0;
3df91ea2 3749 }
1da177e4 3750
6be36555
AE		 3751 l2cap_chan_lock(chan);
3752
48454079
GP		 3753 sk = chan->sk;
3754
fe4128e0
GP		 3755 rsp.dcid = cpu_to_le16(chan->scid);
3756 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3757 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3758
6be36555 3759 lock_sock(sk);
1da177e4 3760 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 3761 release_sock(sk);
1da177e4 3762
61d6ef3e 3763 l2cap_chan_hold(chan);
48454079 3764 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 3765
3766 l2cap_chan_unlock(chan);
1da177e4 3767
80b98027 3768 chan->ops->close(chan);
61d6ef3e 3769 l2cap_chan_put(chan);
3df91ea2
AE		 3770
3771 mutex_unlock(&conn->chan_lock);
3772
1da177e4
LT		 3773 return 0;
3774}
3775
3776static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3777{
3778 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3779 u16 dcid, scid;
48454079 3780 struct l2cap_chan *chan;
1da177e4
LT		 3781
3782 scid = __le16_to_cpu(rsp->scid);
3783 dcid = __le16_to_cpu(rsp->dcid);
3784
3785 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3786
3df91ea2
AE		 3787 mutex_lock(&conn->chan_lock);
3788
3789 chan = __l2cap_get_chan_by_scid(conn, scid);
3790 if (!chan) {
3791 mutex_unlock(&conn->chan_lock);
1da177e4 3792 return 0;
3df91ea2 3793 }
1da177e4 3794
6be36555 3795 l2cap_chan_lock(chan);
48454079 3796
61d6ef3e 3797 l2cap_chan_hold(chan);
48454079 3798 l2cap_chan_del(chan, 0);
6be36555
AE		 3799
3800 l2cap_chan_unlock(chan);
1da177e4 3801
80b98027 3802 chan->ops->close(chan);
61d6ef3e 3803 l2cap_chan_put(chan);
3df91ea2
AE		 3804
3805 mutex_unlock(&conn->chan_lock);
3806
1da177e4
LT		 3807 return 0;
3808}
3809
3810static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3811{
3812 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3813 u16 type;
3814
3815 type = __le16_to_cpu(req->type);
3816
3817 BT_DBG("type 0x%4.4x", type);
3818
f0709e03
MH		 3819 if (type == L2CAP_IT_FEAT_MASK) {
3820 u8 buf[8];
44dd46de 3821 u32 feat_mask = l2cap_feat_mask;
f0709e03 3822 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 3823 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
3824 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3825 if (!disable_ertm)
fcc203c3
GP		 3826 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3827 | L2CAP_FEAT_FCS;
a5fd6f30 3828 if (enable_hs)
6327eb98
AE		 3829 feat_mask |= L2CAP_FEAT_EXT_FLOW
3830 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3831
1b7bf4ed 3832 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3833 l2cap_send_cmd(conn, cmd->ident,
3834 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3835 } else if (type == L2CAP_IT_FIXED_CHAN) {
3836 u8 buf[12];
3837 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3838
3839 if (enable_hs)
3840 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3841 else
3842 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3843
ac73498c
AE		 3844 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3845 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3846 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH		 3847 l2cap_send_cmd(conn, cmd->ident,
3848 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3849 } else {
3850 struct l2cap_info_rsp rsp;
3851 rsp.type = cpu_to_le16(type);
ac73498c 3852 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
f0709e03
MH		 3853 l2cap_send_cmd(conn, cmd->ident,
3854 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3855 }
1da177e4
LT		 3856
3857 return 0;
3858}
3859
3860static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3861{
3862 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3863 u16 type, result;
3864
3865 type = __le16_to_cpu(rsp->type);
3866 result = __le16_to_cpu(rsp->result);
3867
3868 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3869
e90165be
AE		 3870 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3871 if (cmd->ident != conn->info_ident ||
3872 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3873 return 0;
3874
17cd3f37 3875 cancel_delayed_work(&conn->info_timer);
4e8402a3 3876
adb08ede
VT		 3877 if (result != L2CAP_IR_SUCCESS) {
3878 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3879 conn->info_ident = 0;
3880
3881 l2cap_conn_start(conn);
3882
3883 return 0;
3884 }
3885
978c93b9
AE		 3886 switch (type) {
3887 case L2CAP_IT_FEAT_MASK:
83985319 3888 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3889
47ec1dcd 3890 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 3891 struct l2cap_info_req req;
ac73498c 3892 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 3893
3894 conn->info_ident = l2cap_get_ident(conn);
3895
3896 l2cap_send_cmd(conn, conn->info_ident,
3897 L2CAP_INFO_REQ, sizeof(req), &req);
3898 } else {
3899 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3900 conn->info_ident = 0;
3901
3902 l2cap_conn_start(conn);
3903 }
978c93b9
AE		 3904 break;
3905
3906 case L2CAP_IT_FIXED_CHAN:
3907 conn->fixed_chan_mask = rsp->data[0];
984947dc 3908 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3909 conn->info_ident = 0;
984947dc
MH		 3910
3911 l2cap_conn_start(conn);
978c93b9 3912 break;
984947dc 3913 }
4e8402a3 3914
1da177e4
LT		 3915 return 0;
3916}
3917
f94ff6ff
MM		 3918static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3919 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3920 void *data)
3921{
3922 struct l2cap_create_chan_req *req = data;
3923 struct l2cap_create_chan_rsp rsp;
3924 u16 psm, scid;
3925
3926 if (cmd_len != sizeof(*req))
3927 return -EPROTO;
3928
3929 if (!enable_hs)
3930 return -EINVAL;
3931
3932 psm = le16_to_cpu(req->psm);
3933 scid = le16_to_cpu(req->scid);
3934
3935 BT_DBG("psm %d, scid %d, amp_id %d", psm, scid, req->amp_id);
3936
3937 /* Placeholder: Always reject */
3938 rsp.dcid = 0;
3939 rsp.scid = cpu_to_le16(scid);
8ce0c498
AE		 3940 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
3941 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f94ff6ff
MM		 3942
3943 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
3944 sizeof(rsp), &rsp);
3945
3946 return 0;
3947}
3948
3949static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
3950 struct l2cap_cmd_hdr *cmd, void *data)
3951{
3952 BT_DBG("conn %p", conn);
3953
3954 return l2cap_connect_rsp(conn, cmd, data);
3955}
3956
8d5a04a1
MM		 3957static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
3958 u16 icid, u16 result)
3959{
3960 struct l2cap_move_chan_rsp rsp;
3961
3962 BT_DBG("icid %d, result %d", icid, result);
3963
3964 rsp.icid = cpu_to_le16(icid);
3965 rsp.result = cpu_to_le16(result);
3966
3967 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
3968}
3969
3970static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
3971 struct l2cap_chan *chan, u16 icid, u16 result)
3972{
3973 struct l2cap_move_chan_cfm cfm;
3974 u8 ident;
3975
3976 BT_DBG("icid %d, result %d", icid, result);
3977
3978 ident = l2cap_get_ident(conn);
3979 if (chan)
3980 chan->ident = ident;
3981
3982 cfm.icid = cpu_to_le16(icid);
3983 cfm.result = cpu_to_le16(result);
3984
3985 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
3986}
3987
3988static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
3989 u16 icid)
3990{
3991 struct l2cap_move_chan_cfm_rsp rsp;
3992
3993 BT_DBG("icid %d", icid);
3994
3995 rsp.icid = cpu_to_le16(icid);
3996 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
3997}
3998
3999static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
4000 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4001{
4002 struct l2cap_move_chan_req *req = data;
4003 u16 icid = 0;
4004 u16 result = L2CAP_MR_NOT_ALLOWED;
4005
4006 if (cmd_len != sizeof(*req))
4007 return -EPROTO;
4008
4009 icid = le16_to_cpu(req->icid);
4010
4011 BT_DBG("icid %d, dest_amp_id %d", icid, req->dest_amp_id);
4012
4013 if (!enable_hs)
4014 return -EINVAL;
4015
4016 /* Placeholder: Always refuse */
4017 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
4018
4019 return 0;
4020}
4021
4022static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
4023 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4024{
4025 struct l2cap_move_chan_rsp *rsp = data;
4026 u16 icid, result;
4027
4028 if (cmd_len != sizeof(*rsp))
4029 return -EPROTO;
4030
4031 icid = le16_to_cpu(rsp->icid);
4032 result = le16_to_cpu(rsp->result);
4033
4034 BT_DBG("icid %d, result %d", icid, result);
4035
4036 /* Placeholder: Always unconfirmed */
4037 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
4038
4039 return 0;
4040}
4041
4042static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
4043 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4044{
4045 struct l2cap_move_chan_cfm *cfm = data;
4046 u16 icid, result;
4047
4048 if (cmd_len != sizeof(*cfm))
4049 return -EPROTO;
4050
4051 icid = le16_to_cpu(cfm->icid);
4052 result = le16_to_cpu(cfm->result);
4053
4054 BT_DBG("icid %d, result %d", icid, result);
4055
4056 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4057
4058 return 0;
4059}
4060
4061static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
4062 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4063{
4064 struct l2cap_move_chan_cfm_rsp *rsp = data;
4065 u16 icid;
4066
4067 if (cmd_len != sizeof(*rsp))
4068 return -EPROTO;
4069
4070 icid = le16_to_cpu(rsp->icid);
4071
4072 BT_DBG("icid %d", icid);
4073
4074 return 0;
4075}
4076
e2174ca4 4077static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 4078 u16 to_multiplier)
4079{
4080 u16 max_latency;
4081
4082 if (min > max || min < 6 || max > 3200)
4083 return -EINVAL;
4084
4085 if (to_multiplier < 10 || to_multiplier > 3200)
4086 return -EINVAL;
4087
4088 if (max >= to_multiplier * 8)
4089 return -EINVAL;
4090
4091 max_latency = (to_multiplier * 8 / max) - 1;
4092 if (latency > 499 || latency > max_latency)
4093 return -EINVAL;
4094
4095 return 0;
4096}
4097
4098static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
4099 struct l2cap_cmd_hdr *cmd, u8 *data)
4100{
4101 struct hci_conn *hcon = conn->hcon;
4102 struct l2cap_conn_param_update_req *req;
4103 struct l2cap_conn_param_update_rsp rsp;
4104 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 4105 int err;
de73115a
CT		 4106
4107 if (!(hcon->link_mode & HCI_LM_MASTER))
4108 return -EINVAL;
4109
4110 cmd_len = __le16_to_cpu(cmd->len);
4111 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
4112 return -EPROTO;
4113
4114 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 4115 min = __le16_to_cpu(req->min);
4116 max = __le16_to_cpu(req->max);
de73115a
CT		 4117 latency = __le16_to_cpu(req->latency);
4118 to_multiplier = __le16_to_cpu(req->to_multiplier);
4119
4120 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
4121 min, max, latency, to_multiplier);
4122
4123 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 4124
4125 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
4126 if (err)
ac73498c 4127 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 4128 else
ac73498c 4129 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 4130
4131 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
4132 sizeof(rsp), &rsp);
4133
2ce603eb
CT		 4134 if (!err)
4135 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
4136
de73115a
CT		 4137 return 0;
4138}
4139
3300d9a9
CT		 4140static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
4141 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4142{
4143 int err = 0;
4144
4145 switch (cmd->code) {
4146 case L2CAP_COMMAND_REJ:
4147 l2cap_command_rej(conn, cmd, data);
4148 break;
4149
4150 case L2CAP_CONN_REQ:
4151 err = l2cap_connect_req(conn, cmd, data);
4152 break;
4153
4154 case L2CAP_CONN_RSP:
4155 err = l2cap_connect_rsp(conn, cmd, data);
4156 break;
4157
4158 case L2CAP_CONF_REQ:
4159 err = l2cap_config_req(conn, cmd, cmd_len, data);
4160 break;
4161
4162 case L2CAP_CONF_RSP:
4163 err = l2cap_config_rsp(conn, cmd, data);
4164 break;
4165
4166 case L2CAP_DISCONN_REQ:
4167 err = l2cap_disconnect_req(conn, cmd, data);
4168 break;
4169
4170 case L2CAP_DISCONN_RSP:
4171 err = l2cap_disconnect_rsp(conn, cmd, data);
4172 break;
4173
4174 case L2CAP_ECHO_REQ:
4175 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
4176 break;
4177
4178 case L2CAP_ECHO_RSP:
4179 break;
4180
4181 case L2CAP_INFO_REQ:
4182 err = l2cap_information_req(conn, cmd, data);
4183 break;
4184
4185 case L2CAP_INFO_RSP:
4186 err = l2cap_information_rsp(conn, cmd, data);
4187 break;
4188
f94ff6ff
MM		 4189 case L2CAP_CREATE_CHAN_REQ:
4190 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
4191 break;
4192
4193 case L2CAP_CREATE_CHAN_RSP:
4194 err = l2cap_create_channel_rsp(conn, cmd, data);
4195 break;
4196
8d5a04a1
MM		 4197 case L2CAP_MOVE_CHAN_REQ:
4198 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
4199 break;
4200
4201 case L2CAP_MOVE_CHAN_RSP:
4202 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
4203 break;
4204
4205 case L2CAP_MOVE_CHAN_CFM:
4206 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
4207 break;
4208
4209 case L2CAP_MOVE_CHAN_CFM_RSP:
4210 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
4211 break;
4212
3300d9a9
CT		 4213 default:
4214 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
4215 err = -EINVAL;
4216 break;
4217 }
4218
4219 return err;
4220}
4221
4222static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
4223 struct l2cap_cmd_hdr *cmd, u8 *data)
4224{
4225 switch (cmd->code) {
4226 case L2CAP_COMMAND_REJ:
4227 return 0;
4228
4229 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 4230 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 4231
4232 case L2CAP_CONN_PARAM_UPDATE_RSP:
4233 return 0;
4234
4235 default:
4236 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
4237 return -EINVAL;
4238 }
4239}
4240
4241static inline void l2cap_sig_channel(struct l2cap_conn *conn,
4242 struct sk_buff *skb)
1da177e4
LT		 4243{
4244 u8 *data = skb->data;
4245 int len = skb->len;
4246 struct l2cap_cmd_hdr cmd;
3300d9a9 4247 int err;
1da177e4
LT		 4248
4249 l2cap_raw_recv(conn, skb);
4250
4251 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 4252 u16 cmd_len;
1da177e4
LT		 4253 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
4254 data += L2CAP_CMD_HDR_SIZE;
4255 len -= L2CAP_CMD_HDR_SIZE;
4256
88219a0f 4257 cmd_len = le16_to_cpu(cmd.len);
1da177e4 4258
88219a0f 4259 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 4260
88219a0f 4261 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 4262 BT_DBG("corrupted command");
4263 break;
4264 }
4265
3300d9a9
CT		 4266 if (conn->hcon->type == LE_LINK)
4267 err = l2cap_le_sig_cmd(conn, &cmd, data);
4268 else
4269 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 4270
4271 if (err) {
e2fd318e 4272 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 4273
4274 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 4275
4276 /* FIXME: Map err to a valid reason */
ac73498c 4277 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 4278 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4279 }
4280
88219a0f
AV		 4281 data += cmd_len;
4282 len -= cmd_len;
1da177e4
LT		 4283 }
4284
4285 kfree_skb(skb);
4286}
4287
47d1ec61 4288static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 4289{
4290 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 4291 int hdr_size;
4292
4293 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
4294 hdr_size = L2CAP_EXT_HDR_SIZE;
4295 else
4296 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 4297
47d1ec61 4298 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 4299 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 4300 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
4301 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
4302
4303 if (our_fcs != rcv_fcs)
7a560e5c 4304 return -EBADMSG;
fcc203c3
GP		 4305 }
4306 return 0;
4307}
4308
6ea00485 4309static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 4310{
e31f7633 4311 struct l2cap_ctrl control;
d5392c8f 4312
e31f7633 4313 BT_DBG("chan %p", chan);
d5392c8f 4314
e31f7633
MM		 4315 memset(&control, 0, sizeof(control));
4316 control.sframe = 1;
4317 control.final = 1;
4318 control.reqseq = chan->buffer_seq;
4319 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 4320
e2ab4353 4321 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 4322 control.super = L2CAP_SUPER_RNR;
4323 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4324 }
4325
e31f7633
MM		 4326 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
4327 chan->unacked_frames > 0)
4328 __set_retrans_timer(chan);
d5392c8f 4329
e31f7633 4330 /* Send pending iframes */
525cd185 4331 l2cap_ertm_send(chan);
d5392c8f 4332
e2ab4353 4333 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 4334 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
4335 /* F-bit wasn't sent in an s-frame or i-frame yet, so
4336 * send it now.
4337 */
4338 control.super = L2CAP_SUPER_RR;
4339 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4340 }
4341}
4342
84084a31
MM		 4343static void append_skb_frag(struct sk_buff *skb,
4344 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 4345{
84084a31
MM		 4346 /* skb->len reflects data in skb as well as all fragments
4347 * skb->data_len reflects only data in fragments
4348 */
4349 if (!skb_has_frag_list(skb))
4350 skb_shinfo(skb)->frag_list = new_frag;
4351
4352 new_frag->next = NULL;
4353
4354 (*last_frag)->next = new_frag;
4355 *last_frag = new_frag;
4356
4357 skb->len += new_frag->len;
4358 skb->data_len += new_frag->len;
4359 skb->truesize += new_frag->truesize;
4360}
4361
4b51dae9
MM		 4362static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
4363 struct l2cap_ctrl *control)
84084a31
MM		 4364{
4365 int err = -EINVAL;
18778a63 4366
4b51dae9 4367 switch (control->sar) {
7e0ef6ee 4368 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 4369 if (chan->sdu)
4370 break;
18778a63 4371
80b98027 4372 err = chan->ops->recv(chan, skb);
84084a31 4373 break;
18778a63 4374
7e0ef6ee 4375 case L2CAP_SAR_START:
84084a31
MM		 4376 if (chan->sdu)
4377 break;
18778a63 4378
6f61fd47 4379 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 4380 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 4381
84084a31
MM		 4382 if (chan->sdu_len > chan->imtu) {
4383 err = -EMSGSIZE;
4384 break;
4385 }
1890d36b 4386
84084a31
MM		 4387 if (skb->len >= chan->sdu_len)
4388 break;
18778a63 4389
84084a31
MM		 4390 chan->sdu = skb;
4391 chan->sdu_last_frag = skb;
18778a63 4392
84084a31
MM		 4393 skb = NULL;
4394 err = 0;
18778a63
GP		 4395 break;
4396
7e0ef6ee 4397 case L2CAP_SAR_CONTINUE:
6f61fd47 4398 if (!chan->sdu)
84084a31 4399 break;
18778a63 4400
84084a31
MM		 4401 append_skb_frag(chan->sdu, skb,
4402 &chan->sdu_last_frag);
4403 skb = NULL;
18778a63 4404
84084a31
MM		 4405 if (chan->sdu->len >= chan->sdu_len)
4406 break;
4178ba46 4407
84084a31 4408 err = 0;
18778a63
GP		 4409 break;
4410
7e0ef6ee 4411 case L2CAP_SAR_END:
6f61fd47 4412 if (!chan->sdu)
84084a31 4413 break;
18778a63 4414
84084a31
MM		 4415 append_skb_frag(chan->sdu, skb,
4416 &chan->sdu_last_frag);
4417 skb = NULL;
4178ba46 4418
84084a31
MM		 4419 if (chan->sdu->len != chan->sdu_len)
4420 break;
18778a63 4421
80b98027 4422 err = chan->ops->recv(chan, chan->sdu);
1890d36b 4423
84084a31
MM		 4424 if (!err) {
4425 /* Reassembly complete */
4426 chan->sdu = NULL;
4427 chan->sdu_last_frag = NULL;
4428 chan->sdu_len = 0;
1890d36b 4429 }
18778a63
GP		 4430 break;
4431 }
4432
84084a31
MM		 4433 if (err) {
4434 kfree_skb(skb);
4435 kfree_skb(chan->sdu);
4436 chan->sdu = NULL;
4437 chan->sdu_last_frag = NULL;
4438 chan->sdu_len = 0;
4439 }
18778a63 4440
84084a31 4441 return err;
18778a63
GP		 4442}
4443
61aa4f5b 4444void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 4445{
61aa4f5b 4446 u8 event;
712132eb 4447
61aa4f5b
MM		 4448 if (chan->mode != L2CAP_MODE_ERTM)
4449 return;
712132eb 4450
61aa4f5b 4451 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 4452 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 4453}
4454
d2a7ac5d
MM		 4455static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
4456{
63838725
MM		 4457 int err = 0;
4458 /* Pass sequential frames to l2cap_reassemble_sdu()
4459 * until a gap is encountered.
4460 */
4461
4462 BT_DBG("chan %p", chan);
4463
4464 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4465 struct sk_buff *skb;
4466 BT_DBG("Searching for skb with txseq %d (queue len %d)",
4467 chan->buffer_seq, skb_queue_len(&chan->srej_q));
4468
4469 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
4470
4471 if (!skb)
4472 break;
4473
4474 skb_unlink(skb, &chan->srej_q);
4475 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
4476 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
4477 if (err)
4478 break;
4479 }
4480
4481 if (skb_queue_empty(&chan->srej_q)) {
4482 chan->rx_state = L2CAP_RX_STATE_RECV;
4483 l2cap_send_ack(chan);
4484 }
4485
4486 return err;
d2a7ac5d
MM		 4487}
4488
4489static void l2cap_handle_srej(struct l2cap_chan *chan,
4490 struct l2cap_ctrl *control)
4491{
f80842a8
MM		 4492 struct sk_buff *skb;
4493
4494 BT_DBG("chan %p, control %p", chan, control);
4495
4496 if (control->reqseq == chan->next_tx_seq) {
4497 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4498 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4499 return;
4500 }
4501
4502 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4503
4504 if (skb == NULL) {
4505 BT_DBG("Seq %d not available for retransmission",
4506 control->reqseq);
4507 return;
4508 }
4509
4510 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
4511 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4512 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4513 return;
4514 }
4515
4516 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4517
4518 if (control->poll) {
4519 l2cap_pass_to_tx(chan, control);
4520
4521 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4522 l2cap_retransmit(chan, control);
4523 l2cap_ertm_send(chan);
4524
4525 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4526 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4527 chan->srej_save_reqseq = control->reqseq;
4528 }
4529 } else {
4530 l2cap_pass_to_tx_fbit(chan, control);
4531
4532 if (control->final) {
4533 if (chan->srej_save_reqseq != control->reqseq ||
4534 !test_and_clear_bit(CONN_SREJ_ACT,
4535 &chan->conn_state))
4536 l2cap_retransmit(chan, control);
4537 } else {
4538 l2cap_retransmit(chan, control);
4539 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4540 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4541 chan->srej_save_reqseq = control->reqseq;
4542 }
4543 }
4544 }
d2a7ac5d
MM		 4545}
4546
4547static void l2cap_handle_rej(struct l2cap_chan *chan,
4548 struct l2cap_ctrl *control)
4549{
fcd289df
MM		 4550 struct sk_buff *skb;
4551
4552 BT_DBG("chan %p, control %p", chan, control);
4553
4554 if (control->reqseq == chan->next_tx_seq) {
4555 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4556 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4557 return;
4558 }
4559
4560 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4561
4562 if (chan->max_tx && skb &&
4563 bt_cb(skb)->control.retries >= chan->max_tx) {
4564 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4565 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4566 return;
4567 }
4568
4569 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4570
4571 l2cap_pass_to_tx(chan, control);
4572
4573 if (control->final) {
4574 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
4575 l2cap_retransmit_all(chan, control);
4576 } else {
4577 l2cap_retransmit_all(chan, control);
4578 l2cap_ertm_send(chan);
4579 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
4580 set_bit(CONN_REJ_ACT, &chan->conn_state);
4581 }
d2a7ac5d
MM		 4582}
4583
4b51dae9
MM		 4584static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
4585{
4586 BT_DBG("chan %p, txseq %d", chan, txseq);
4587
4588 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
4589 chan->expected_tx_seq);
4590
4591 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
4592 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4593 chan->tx_win) {
4594 /* See notes below regarding "double poll" and
4595 * invalid packets.
4596 */
4597 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4598 BT_DBG("Invalid/Ignore - after SREJ");
4599 return L2CAP_TXSEQ_INVALID_IGNORE;
4600 } else {
4601 BT_DBG("Invalid - in window after SREJ sent");
4602 return L2CAP_TXSEQ_INVALID;
4603 }
4604 }
4605
4606 if (chan->srej_list.head == txseq) {
4607 BT_DBG("Expected SREJ");
4608 return L2CAP_TXSEQ_EXPECTED_SREJ;
4609 }
4610
4611 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
4612 BT_DBG("Duplicate SREJ - txseq already stored");
4613 return L2CAP_TXSEQ_DUPLICATE_SREJ;
4614 }
4615
4616 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
4617 BT_DBG("Unexpected SREJ - not requested");
4618 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
4619 }
4620 }
4621
4622 if (chan->expected_tx_seq == txseq) {
4623 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4624 chan->tx_win) {
4625 BT_DBG("Invalid - txseq outside tx window");
4626 return L2CAP_TXSEQ_INVALID;
4627 } else {
4628 BT_DBG("Expected");
4629 return L2CAP_TXSEQ_EXPECTED;
4630 }
4631 }
4632
4633 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
4634 __seq_offset(chan, chan->expected_tx_seq,
4635 chan->last_acked_seq)){
4636 BT_DBG("Duplicate - expected_tx_seq later than txseq");
4637 return L2CAP_TXSEQ_DUPLICATE;
4638 }
4639
4640 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
4641 /* A source of invalid packets is a "double poll" condition,
4642 * where delays cause us to send multiple poll packets. If
4643 * the remote stack receives and processes both polls,
4644 * sequence numbers can wrap around in such a way that a
4645 * resent frame has a sequence number that looks like new data
4646 * with a sequence gap. This would trigger an erroneous SREJ
4647 * request.
4648 *
4649 * Fortunately, this is impossible with a tx window that's
4650 * less than half of the maximum sequence number, which allows
4651 * invalid frames to be safely ignored.
4652 *
4653 * With tx window sizes greater than half of the tx window
4654 * maximum, the frame is invalid and cannot be ignored. This
4655 * causes a disconnect.
4656 */
4657
4658 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4659 BT_DBG("Invalid/Ignore - txseq outside tx window");
4660 return L2CAP_TXSEQ_INVALID_IGNORE;
4661 } else {
4662 BT_DBG("Invalid - txseq outside tx window");
4663 return L2CAP_TXSEQ_INVALID;
4664 }
4665 } else {
4666 BT_DBG("Unexpected - txseq indicates missing frames");
4667 return L2CAP_TXSEQ_UNEXPECTED;
4668 }
4669}
4670
d2a7ac5d
MM		 4671static int l2cap_rx_state_recv(struct l2cap_chan *chan,
4672 struct l2cap_ctrl *control,
4673 struct sk_buff *skb, u8 event)
4674{
4675 int err = 0;
4676 bool skb_in_use = 0;
4677
4678 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4679 event);
4680
4681 switch (event) {
4682 case L2CAP_EV_RECV_IFRAME:
4683 switch (l2cap_classify_txseq(chan, control->txseq)) {
4684 case L2CAP_TXSEQ_EXPECTED:
4685 l2cap_pass_to_tx(chan, control);
4686
4687 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4688 BT_DBG("Busy, discarding expected seq %d",
4689 control->txseq);
4690 break;
4691 }
4692
4693 chan->expected_tx_seq = __next_seq(chan,
4694 control->txseq);
4695
4696 chan->buffer_seq = chan->expected_tx_seq;
4697 skb_in_use = 1;
4698
4699 err = l2cap_reassemble_sdu(chan, skb, control);
4700 if (err)
4701 break;
4702
4703 if (control->final) {
4704 if (!test_and_clear_bit(CONN_REJ_ACT,
4705 &chan->conn_state)) {
4706 control->final = 0;
4707 l2cap_retransmit_all(chan, control);
4708 l2cap_ertm_send(chan);
4709 }
4710 }
4711
4712 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
4713 l2cap_send_ack(chan);
4714 break;
4715 case L2CAP_TXSEQ_UNEXPECTED:
4716 l2cap_pass_to_tx(chan, control);
4717
4718 /* Can't issue SREJ frames in the local busy state.
4719 * Drop this frame, it will be seen as missing
4720 * when local busy is exited.
4721 */
4722 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4723 BT_DBG("Busy, discarding unexpected seq %d",
4724 control->txseq);
4725 break;
4726 }
4727
4728 /* There was a gap in the sequence, so an SREJ
4729 * must be sent for each missing frame. The
4730 * current frame is stored for later use.
4731 */
4732 skb_queue_tail(&chan->srej_q, skb);
4733 skb_in_use = 1;
4734 BT_DBG("Queued %p (queue len %d)", skb,
4735 skb_queue_len(&chan->srej_q));
4736
4737 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
4738 l2cap_seq_list_clear(&chan->srej_list);
4739 l2cap_send_srej(chan, control->txseq);
4740
4741 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
4742 break;
4743 case L2CAP_TXSEQ_DUPLICATE:
4744 l2cap_pass_to_tx(chan, control);
4745 break;
4746 case L2CAP_TXSEQ_INVALID_IGNORE:
4747 break;
4748 case L2CAP_TXSEQ_INVALID:
4749 default:
4750 l2cap_send_disconn_req(chan->conn, chan,
4751 ECONNRESET);
4752 break;
4753 }
4754 break;
4755 case L2CAP_EV_RECV_RR:
4756 l2cap_pass_to_tx(chan, control);
4757 if (control->final) {
4758 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4759
4760 if (!test_and_clear_bit(CONN_REJ_ACT,
4761 &chan->conn_state)) {
4762 control->final = 0;
4763 l2cap_retransmit_all(chan, control);
4764 }
4765
4766 l2cap_ertm_send(chan);
4767 } else if (control->poll) {
4768 l2cap_send_i_or_rr_or_rnr(chan);
4769 } else {
4770 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4771 &chan->conn_state) &&
4772 chan->unacked_frames)
4773 __set_retrans_timer(chan);
4774
4775 l2cap_ertm_send(chan);
4776 }
4777 break;
4778 case L2CAP_EV_RECV_RNR:
4779 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4780 l2cap_pass_to_tx(chan, control);
4781 if (control && control->poll) {
4782 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4783 l2cap_send_rr_or_rnr(chan, 0);
4784 }
4785 __clear_retrans_timer(chan);
4786 l2cap_seq_list_clear(&chan->retrans_list);
4787 break;
4788 case L2CAP_EV_RECV_REJ:
4789 l2cap_handle_rej(chan, control);
4790 break;
4791 case L2CAP_EV_RECV_SREJ:
4792 l2cap_handle_srej(chan, control);
4793 break;
4794 default:
4795 break;
4796 }
4797
4798 if (skb && !skb_in_use) {
4799 BT_DBG("Freeing %p", skb);
4800 kfree_skb(skb);
4801 }
4802
4803 return err;
4804}
4805
4806static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
4807 struct l2cap_ctrl *control,
4808 struct sk_buff *skb, u8 event)
4809{
4810 int err = 0;
4811 u16 txseq = control->txseq;
4812 bool skb_in_use = 0;
4813
4814 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4815 event);
4816
4817 switch (event) {
4818 case L2CAP_EV_RECV_IFRAME:
4819 switch (l2cap_classify_txseq(chan, txseq)) {
4820 case L2CAP_TXSEQ_EXPECTED:
4821 /* Keep frame for reassembly later */
4822 l2cap_pass_to_tx(chan, control);
4823 skb_queue_tail(&chan->srej_q, skb);
4824 skb_in_use = 1;
4825 BT_DBG("Queued %p (queue len %d)", skb,
4826 skb_queue_len(&chan->srej_q));
4827
4828 chan->expected_tx_seq = __next_seq(chan, txseq);
4829 break;
4830 case L2CAP_TXSEQ_EXPECTED_SREJ:
4831 l2cap_seq_list_pop(&chan->srej_list);
4832
4833 l2cap_pass_to_tx(chan, control);
4834 skb_queue_tail(&chan->srej_q, skb);
4835 skb_in_use = 1;
4836 BT_DBG("Queued %p (queue len %d)", skb,
4837 skb_queue_len(&chan->srej_q));
4838
4839 err = l2cap_rx_queued_iframes(chan);
4840 if (err)
4841 break;
4842
4843 break;
4844 case L2CAP_TXSEQ_UNEXPECTED:
4845 /* Got a frame that can't be reassembled yet.
4846 * Save it for later, and send SREJs to cover
4847 * the missing frames.
4848 */
4849 skb_queue_tail(&chan->srej_q, skb);
4850 skb_in_use = 1;
4851 BT_DBG("Queued %p (queue len %d)", skb,
4852 skb_queue_len(&chan->srej_q));
4853
4854 l2cap_pass_to_tx(chan, control);
4855 l2cap_send_srej(chan, control->txseq);
4856 break;
4857 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
4858 /* This frame was requested with an SREJ, but
4859 * some expected retransmitted frames are
4860 * missing. Request retransmission of missing
4861 * SREJ'd frames.
4862 */
4863 skb_queue_tail(&chan->srej_q, skb);
4864 skb_in_use = 1;
4865 BT_DBG("Queued %p (queue len %d)", skb,
4866 skb_queue_len(&chan->srej_q));
4867
4868 l2cap_pass_to_tx(chan, control);
4869 l2cap_send_srej_list(chan, control->txseq);
4870 break;
4871 case L2CAP_TXSEQ_DUPLICATE_SREJ:
4872 /* We've already queued this frame. Drop this copy. */
4873 l2cap_pass_to_tx(chan, control);
4874 break;
4875 case L2CAP_TXSEQ_DUPLICATE:
4876 /* Expecting a later sequence number, so this frame
4877 * was already received. Ignore it completely.
4878 */
4879 break;
4880 case L2CAP_TXSEQ_INVALID_IGNORE:
4881 break;
4882 case L2CAP_TXSEQ_INVALID:
4883 default:
4884 l2cap_send_disconn_req(chan->conn, chan,
4885 ECONNRESET);
4886 break;
4887 }
4888 break;
4889 case L2CAP_EV_RECV_RR:
4890 l2cap_pass_to_tx(chan, control);
4891 if (control->final) {
4892 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4893
4894 if (!test_and_clear_bit(CONN_REJ_ACT,
4895 &chan->conn_state)) {
4896 control->final = 0;
4897 l2cap_retransmit_all(chan, control);
4898 }
4899
4900 l2cap_ertm_send(chan);
4901 } else if (control->poll) {
4902 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4903 &chan->conn_state) &&
4904 chan->unacked_frames) {
4905 __set_retrans_timer(chan);
4906 }
4907
4908 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4909 l2cap_send_srej_tail(chan);
4910 } else {
4911 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4912 &chan->conn_state) &&
4913 chan->unacked_frames)
4914 __set_retrans_timer(chan);
4915
4916 l2cap_send_ack(chan);
4917 }
4918 break;
4919 case L2CAP_EV_RECV_RNR:
4920 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4921 l2cap_pass_to_tx(chan, control);
4922 if (control->poll) {
4923 l2cap_send_srej_tail(chan);
4924 } else {
4925 struct l2cap_ctrl rr_control;
4926 memset(&rr_control, 0, sizeof(rr_control));
4927 rr_control.sframe = 1;
4928 rr_control.super = L2CAP_SUPER_RR;
4929 rr_control.reqseq = chan->buffer_seq;
4930 l2cap_send_sframe(chan, &rr_control);
4931 }
4932
4933 break;
4934 case L2CAP_EV_RECV_REJ:
4935 l2cap_handle_rej(chan, control);
4936 break;
4937 case L2CAP_EV_RECV_SREJ:
4938 l2cap_handle_srej(chan, control);
4939 break;
4940 }
4941
4942 if (skb && !skb_in_use) {
4943 BT_DBG("Freeing %p", skb);
4944 kfree_skb(skb);
4945 }
4946
4947 return err;
4948}
4949
4950static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
4951{
4952 /* Make sure reqseq is for a packet that has been sent but not acked */
4953 u16 unacked;
4954
4955 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
4956 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
4957}
4958
cec8ab6e
MM		 4959static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
4960 struct sk_buff *skb, u8 event)
218bb9df 4961{
d2a7ac5d
MM		 4962 int err = 0;
4963
4964 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
4965 control, skb, event, chan->rx_state);
4966
4967 if (__valid_reqseq(chan, control->reqseq)) {
4968 switch (chan->rx_state) {
4969 case L2CAP_RX_STATE_RECV:
4970 err = l2cap_rx_state_recv(chan, control, skb, event);
4971 break;
4972 case L2CAP_RX_STATE_SREJ_SENT:
4973 err = l2cap_rx_state_srej_sent(chan, control, skb,
4974 event);
4975 break;
4976 default:
4977 /* shut it down */
4978 break;
4979 }
4980 } else {
4981 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
4982 control->reqseq, chan->next_tx_seq,
4983 chan->expected_ack_seq);
4984 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4985 }
4986
4987 return err;
cec8ab6e
MM		 4988}
4989
4990static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
4991 struct sk_buff *skb)
4992{
4b51dae9
MM		 4993 int err = 0;
4994
4995 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
4996 chan->rx_state);
4997
4998 if (l2cap_classify_txseq(chan, control->txseq) ==
4999 L2CAP_TXSEQ_EXPECTED) {
5000 l2cap_pass_to_tx(chan, control);
5001
5002 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
5003 __next_seq(chan, chan->buffer_seq));
5004
5005 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5006
5007 l2cap_reassemble_sdu(chan, skb, control);
5008 } else {
5009 if (chan->sdu) {
5010 kfree_skb(chan->sdu);
5011 chan->sdu = NULL;
5012 }
5013 chan->sdu_last_frag = NULL;
5014 chan->sdu_len = 0;
5015
5016 if (skb) {
5017 BT_DBG("Freeing %p", skb);
5018 kfree_skb(skb);
5019 }
5020 }
5021
5022 chan->last_acked_seq = control->txseq;
5023 chan->expected_tx_seq = __next_seq(chan, control->txseq);
5024
5025 return err;
cec8ab6e
MM		 5026}
5027
5028static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
5029{
5030 struct l2cap_ctrl *control = &bt_cb(skb)->control;
5031 u16 len;
5032 u8 event;
218bb9df 5033
b76bbd66
MM		 5034 __unpack_control(chan, skb);
5035
218bb9df
GP		 5036 len = skb->len;
5037
5038 /*
5039 * We can just drop the corrupted I-frame here.
5040 * Receiver will miss it and start proper recovery
cec8ab6e 5041 * procedures and ask for retransmission.
218bb9df 5042 */
47d1ec61 5043 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 5044 goto drop;
5045
cec8ab6e 5046 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 5047 len -= L2CAP_SDULEN_SIZE;
218bb9df 5048
47d1ec61 5049 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 5050 len -= L2CAP_FCS_SIZE;
218bb9df 5051
47d1ec61 5052 if (len > chan->mps) {
8c1d787b 5053 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5054 goto drop;
5055 }
5056
cec8ab6e
MM		 5057 if (!control->sframe) {
5058 int err;
218bb9df 5059
cec8ab6e
MM		 5060 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
5061 control->sar, control->reqseq, control->final,
5062 control->txseq);
218bb9df 5063
cec8ab6e
MM		 5064 /* Validate F-bit - F=0 always valid, F=1 only
5065 * valid in TX WAIT_F
5066 */
5067 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 5068 goto drop;
cec8ab6e
MM		 5069
5070 if (chan->mode != L2CAP_MODE_STREAMING) {
5071 event = L2CAP_EV_RECV_IFRAME;
5072 err = l2cap_rx(chan, control, skb, event);
5073 } else {
5074 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 5075 }
5076
cec8ab6e
MM		 5077 if (err)
5078 l2cap_send_disconn_req(chan->conn, chan,
5079 ECONNRESET);
218bb9df 5080 } else {
cec8ab6e
MM		 5081 const u8 rx_func_to_event[4] = {
5082 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
5083 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
5084 };
5085
5086 /* Only I-frames are expected in streaming mode */
5087 if (chan->mode == L2CAP_MODE_STREAMING)
5088 goto drop;
5089
5090 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
5091 control->reqseq, control->final, control->poll,
5092 control->super);
5093
218bb9df
GP		 5094 if (len != 0) {
5095 BT_ERR("%d", len);
8c1d787b 5096 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5097 goto drop;
5098 }
5099
cec8ab6e
MM		 5100 /* Validate F and P bits */
5101 if (control->final && (control->poll ||
5102 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
5103 goto drop;
5104
5105 event = rx_func_to_event[control->super];
5106 if (l2cap_rx(chan, control, skb, event))
5107 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5108 }
5109
5110 return 0;
5111
5112drop:
5113 kfree_skb(skb);
5114 return 0;
5115}
5116
1da177e4
LT		 5117static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
5118{
48454079 5119 struct l2cap_chan *chan;
1da177e4 5120
baa7e1fa 5121 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 5122 if (!chan) {
1da177e4 5123 BT_DBG("unknown cid 0x%4.4x", cid);
6be36555 5124 /* Drop packet and return */
3379013b 5125 kfree_skb(skb);
6be36555 5126 return 0;
1da177e4
LT		 5127 }
5128
49208c9c 5129 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5130
89bc500e 5131 if (chan->state != BT_CONNECTED)
1da177e4
LT		 5132 goto drop;
5133
0c1bc5c6 5134 switch (chan->mode) {
1c2acffb
GP		 5135 case L2CAP_MODE_BASIC:
5136 /* If socket recv buffers overflows we drop data here
5137 * which is *bad* because L2CAP has to be reliable.
5138 * But we don't have any other choice. L2CAP doesn't
5139 * provide flow control mechanism. */
1da177e4 5140
0c1bc5c6 5141 if (chan->imtu < skb->len)
1c2acffb 5142 goto drop;
1da177e4 5143
80b98027 5144 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 5145 goto done;
5146 break;
5147
5148 case L2CAP_MODE_ERTM:
6840ed07 5149 case L2CAP_MODE_STREAMING:
cec8ab6e 5150 l2cap_data_rcv(chan, skb);
6840ed07
GP		 5151 goto done;
5152
1c2acffb 5153 default:
0c1bc5c6 5154 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 5155 break;
5156 }
1da177e4
LT		 5157
5158drop:
5159 kfree_skb(skb);
5160
5161done:
6be36555 5162 l2cap_chan_unlock(chan);
0139418c 5163
1da177e4
LT		 5164 return 0;
5165}
5166
8e036fc3 5167static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 5168{
23691d75 5169 struct l2cap_chan *chan;
1da177e4 5170
c2287681 5171 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 5172 if (!chan)
1da177e4
LT		 5173 goto drop;
5174
5b4cedaa 5175 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5176
89bc500e 5177 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 5178 goto drop;
5179
e13e21dc 5180 if (chan->imtu < skb->len)
1da177e4
LT		 5181 goto drop;
5182
80b98027 5183 if (!chan->ops->recv(chan, skb))
5b4cedaa 5184 return 0;
1da177e4
LT		 5185
5186drop:
5187 kfree_skb(skb);
5188
1da177e4
LT		 5189 return 0;
5190}
5191
d9b88702
AE		 5192static inline int l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
5193 struct sk_buff *skb)
9f69bda6 5194{
23691d75 5195 struct l2cap_chan *chan;
9f69bda6 5196
c2287681 5197 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 5198 if (!chan)
9f69bda6
GP		 5199 goto drop;
5200
5b4cedaa 5201 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 5202
89bc500e 5203 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 5204 goto drop;
5205
e13e21dc 5206 if (chan->imtu < skb->len)
9f69bda6
GP		 5207 goto drop;
5208
80b98027 5209 if (!chan->ops->recv(chan, skb))
5b4cedaa 5210 return 0;
9f69bda6
GP		 5211
5212drop:
5213 kfree_skb(skb);
5214
9f69bda6
GP		 5215 return 0;
5216}
5217
1da177e4
LT		 5218static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
5219{
5220 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 5221 u16 cid, len;
5222 __le16 psm;
1da177e4
LT		 5223
5224 skb_pull(skb, L2CAP_HDR_SIZE);
5225 cid = __le16_to_cpu(lh->cid);
5226 len = __le16_to_cpu(lh->len);
5227
1c2acffb
GP		 5228 if (len != skb->len) {
5229 kfree_skb(skb);
5230 return;
5231 }
5232
1da177e4
LT		 5233 BT_DBG("len %d, cid 0x%4.4x", len, cid);
5234
5235 switch (cid) {
3300d9a9 5236 case L2CAP_CID_LE_SIGNALING:
8db4dc46 5237 case L2CAP_CID_SIGNALING:
1da177e4
LT		 5238 l2cap_sig_channel(conn, skb);
5239 break;
5240
8db4dc46 5241 case L2CAP_CID_CONN_LESS:
097db76c 5242 psm = get_unaligned((__le16 *) skb->data);
1da177e4
LT		 5243 skb_pull(skb, 2);
5244 l2cap_conless_channel(conn, psm, skb);
5245 break;
5246
9f69bda6
GP		 5247 case L2CAP_CID_LE_DATA:
5248 l2cap_att_channel(conn, cid, skb);
5249 break;
5250
b501d6a1
AB		 5251 case L2CAP_CID_SMP:
5252 if (smp_sig_channel(conn, skb))
5253 l2cap_conn_del(conn->hcon, EACCES);
5254 break;
5255
1da177e4
LT		 5256 default:
5257 l2cap_data_channel(conn, cid, skb);
5258 break;
5259 }
5260}
5261
5262/* ---- L2CAP interface with lower layer (HCI) ---- */
5263
686ebf28 5264int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 5265{
5266 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 5267 struct l2cap_chan *c;
1da177e4 5268
1da177e4
LT		 5269 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
5270
5271 /* Find listening sockets and check their link_mode */
23691d75
GP		 5272 read_lock(&chan_list_lock);
5273 list_for_each_entry(c, &chan_list, global_l) {
5274 struct sock *sk = c->sk;
4343478f 5275
89bc500e 5276 if (c->state != BT_LISTEN)
1da177e4
LT		 5277 continue;
5278
5279 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 5280 lm1 |= HCI_LM_ACCEPT;
43bd0f32 5281 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 5282 lm1 |= HCI_LM_MASTER;
1da177e4 5283 exact++;
2af6b9d5
MH		 5284 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
5285 lm2 |= HCI_LM_ACCEPT;
43bd0f32 5286 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 5287 lm2 |= HCI_LM_MASTER;
5288 }
1da177e4 5289 }
23691d75 5290 read_unlock(&chan_list_lock);
1da177e4
LT		 5291
5292 return exact ? lm1 : lm2;
5293}
5294
686ebf28 5295int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 5296{
0139418c
MH		 5297 struct l2cap_conn *conn;
5298
1da177e4
LT		 5299 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
5300
1da177e4 5301 if (!status) {
1da177e4
LT		 5302 conn = l2cap_conn_add(hcon, status);
5303 if (conn)
5304 l2cap_conn_ready(conn);
0139418c 5305 } else
e175072f 5306 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 5307
5308 return 0;
5309}
5310
686ebf28 5311int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 5312{
5313 struct l2cap_conn *conn = hcon->l2cap_data;
5314
5315 BT_DBG("hcon %p", hcon);
5316
686ebf28 5317 if (!conn)
9f5a0d7b 5318 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 5319 return conn->disc_reason;
5320}
5321
686ebf28 5322int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 5323{
5324 BT_DBG("hcon %p reason %d", hcon, reason);
5325
e175072f 5326 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 5327 return 0;
5328}
5329
4343478f 5330static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 5331{
715ec005 5332 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 5333 return;
5334
f62e4323 5335 if (encrypt == 0x00) {
4343478f 5336 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 5337 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 5338 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 5339 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 5340 } else {
4343478f 5341 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 5342 __clear_chan_timer(chan);
f62e4323
MH		 5343 }
5344}
5345
686ebf28 5346int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 5347{
0139418c 5348 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 5349 struct l2cap_chan *chan;
1da177e4 5350
0139418c 5351 if (!conn)
1da177e4 5352 return 0;
0139418c 5353
1da177e4
LT		 5354 BT_DBG("conn %p", conn);
5355
160dc6ac 5356 if (hcon->type == LE_LINK) {
35d4adcc
HG		 5357 if (!status && encrypt)
5358 smp_distribute_keys(conn, 0);
17cd3f37 5359 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 5360 }
5361
3df91ea2 5362 mutex_lock(&conn->chan_lock);
1da177e4 5363
3df91ea2 5364 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 5365 l2cap_chan_lock(chan);
1da177e4 5366
f1cb9af5
VCG		 5367 BT_DBG("chan->scid %d", chan->scid);
5368
5369 if (chan->scid == L2CAP_CID_LE_DATA) {
5370 if (!status && encrypt) {
5371 chan->sec_level = hcon->sec_level;
cf4cd009 5372 l2cap_chan_ready(chan);
f1cb9af5
VCG		 5373 }
5374
6be36555 5375 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 5376 continue;
5377 }
5378
c1360a1c 5379 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6be36555 5380 l2cap_chan_unlock(chan);
6a8d3010
MH		 5381 continue;
5382 }
5383
89bc500e
GP		 5384 if (!status && (chan->state == BT_CONNECTED ||
5385 chan->state == BT_CONFIG)) {
a7d7723a
GP		 5386 struct sock *sk = chan->sk;
5387
c5daa683 5388 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 5389 sk->sk_state_change(sk);
5390
4343478f 5391 l2cap_check_encryption(chan, encrypt);
6be36555 5392 l2cap_chan_unlock(chan);
9719f8af
MH		 5393 continue;
5394 }
5395
89bc500e 5396 if (chan->state == BT_CONNECT) {
b1235d79 5397 if (!status) {
9b27f350 5398 l2cap_send_conn_req(chan);
b1235d79 5399 } else {
ba13ccd9 5400 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 5401 }
89bc500e 5402 } else if (chan->state == BT_CONNECT2) {
6be36555 5403 struct sock *sk = chan->sk;
b1235d79 5404 struct l2cap_conn_rsp rsp;
df3c3931 5405 __u16 res, stat;
1da177e4 5406
6be36555
AE		 5407 lock_sock(sk);
5408
b1235d79 5409 if (!status) {
c5daa683
GP		 5410 if (test_bit(BT_SK_DEFER_SETUP,
5411 &bt_sk(sk)->flags)) {
df3c3931
JH		 5412 struct sock *parent = bt_sk(sk)->parent;
5413 res = L2CAP_CR_PEND;
5414 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 5415 if (parent)
5416 parent->sk_data_ready(parent, 0);
df3c3931 5417 } else {
0e587be7 5418 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 5419 res = L2CAP_CR_SUCCESS;
5420 stat = L2CAP_CS_NO_INFO;
5421 }
b1235d79 5422 } else {
0e587be7 5423 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 5424 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 5425 res = L2CAP_CR_SEC_BLOCK;
5426 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 5427 }
5428
6be36555
AE		 5429 release_sock(sk);
5430
fe4128e0
GP		 5431 rsp.scid = cpu_to_le16(chan->dcid);
5432 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 5433 rsp.result = cpu_to_le16(res);
5434 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 5435 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
5436 sizeof(rsp), &rsp);
2d369359
MM		 5437
5438 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
5439 res == L2CAP_CR_SUCCESS) {
5440 char buf[128];
5441 set_bit(CONF_REQ_SENT, &chan->conf_state);
5442 l2cap_send_cmd(conn, l2cap_get_ident(conn),
5443 L2CAP_CONF_REQ,
5444 l2cap_build_conf_req(chan, buf),
5445 buf);
5446 chan->num_conf_req++;
5447 }
b1235d79 5448 }
1da177e4 5449
6be36555 5450 l2cap_chan_unlock(chan);
1da177e4
LT		 5451 }
5452
3df91ea2 5453 mutex_unlock(&conn->chan_lock);
b1235d79 5454
1da177e4
LT		 5455 return 0;
5456}
5457
686ebf28 5458int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 5459{
5460 struct l2cap_conn *conn = hcon->l2cap_data;
5461
5a08ecce
AE		 5462 if (!conn)
5463 conn = l2cap_conn_add(hcon, 0);
5464
5465 if (!conn)
1da177e4
LT		 5466 goto drop;
5467
5468 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
5469
e702112f 5470 if (!(flags & ACL_CONT)) {
1da177e4
LT		 5471 struct l2cap_hdr *hdr;
5472 int len;
5473
5474 if (conn->rx_len) {
5475 BT_ERR("Unexpected start frame (len %d)", skb->len);
5476 kfree_skb(conn->rx_skb);
5477 conn->rx_skb = NULL;
5478 conn->rx_len = 0;
5479 l2cap_conn_unreliable(conn, ECOMM);
5480 }
5481
aae7fe22
AE		 5482 /* Start fragment always begin with Basic L2CAP header */
5483 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 5484 BT_ERR("Frame is too short (len %d)", skb->len);
5485 l2cap_conn_unreliable(conn, ECOMM);
5486 goto drop;
5487 }
5488
5489 hdr = (struct l2cap_hdr *) skb->data;
5490 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
5491
5492 if (len == skb->len) {
5493 /* Complete frame received */
5494 l2cap_recv_frame(conn, skb);
5495 return 0;
5496 }
5497
5498 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
5499
5500 if (skb->len > len) {
5501 BT_ERR("Frame is too long (len %d, expected len %d)",
5502 skb->len, len);
5503 l2cap_conn_unreliable(conn, ECOMM);
5504 goto drop;
5505 }
5506
5507 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 5508 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
5509 if (!conn->rx_skb)
1da177e4
LT		 5510 goto drop;
5511
d626f62b 5512 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5513 skb->len);
1da177e4
LT		 5514 conn->rx_len = len - skb->len;
5515 } else {
5516 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
5517
5518 if (!conn->rx_len) {
5519 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
5520 l2cap_conn_unreliable(conn, ECOMM);
5521 goto drop;
5522 }
5523
5524 if (skb->len > conn->rx_len) {
5525 BT_ERR("Fragment is too long (len %d, expected %d)",
5526 skb->len, conn->rx_len);
5527 kfree_skb(conn->rx_skb);
5528 conn->rx_skb = NULL;
5529 conn->rx_len = 0;
5530 l2cap_conn_unreliable(conn, ECOMM);
5531 goto drop;
5532 }
5533
d626f62b 5534 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5535 skb->len);
1da177e4
LT		 5536 conn->rx_len -= skb->len;
5537
5538 if (!conn->rx_len) {
5539 /* Complete frame received */
5540 l2cap_recv_frame(conn, conn->rx_skb);
5541 conn->rx_skb = NULL;
5542 }
5543 }
5544
5545drop:
5546 kfree_skb(skb);
5547 return 0;
5548}
5549
aef7d97c 5550static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 5551{
23691d75 5552 struct l2cap_chan *c;
1da177e4 5553
333055f2 5554 read_lock(&chan_list_lock);
1da177e4 5555
23691d75
GP		 5556 list_for_each_entry(c, &chan_list, global_l) {
5557 struct sock *sk = c->sk;
101545f6 5558
903d343e 5559 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 5560 batostr(&bt_sk(sk)->src),
5561 batostr(&bt_sk(sk)->dst),
89bc500e 5562 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 5563 c->scid, c->dcid, c->imtu, c->omtu,
5564 c->sec_level, c->mode);
61e1b4b7 5565 }
1da177e4 5566
333055f2 5567 read_unlock(&chan_list_lock);
1da177e4 5568
aef7d97c 5569 return 0;
1da177e4
LT		 5570}
5571
aef7d97c
MH		 5572static int l2cap_debugfs_open(struct inode *inode, struct file *file)
5573{
5574 return single_open(file, l2cap_debugfs_show, inode->i_private);
5575}
5576
5577static const struct file_operations l2cap_debugfs_fops = {
5578 .open = l2cap_debugfs_open,
5579 .read = seq_read,
5580 .llseek = seq_lseek,
5581 .release = single_release,
5582};
5583
5584static struct dentry *l2cap_debugfs;
1da177e4 5585
64274518 5586int __init l2cap_init(void)
1da177e4
LT		 5587{
5588 int err;
be9d1227 5589
bb58f747 5590 err = l2cap_init_sockets();
1da177e4
LT		 5591 if (err < 0)
5592 return err;
5593
aef7d97c
MH		 5594 if (bt_debugfs) {
5595 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
5596 bt_debugfs, NULL, &l2cap_debugfs_fops);
5597 if (!l2cap_debugfs)
5598 BT_ERR("Failed to create L2CAP debug file");
5599 }
1da177e4 5600
1da177e4 5601 return 0;
1da177e4
LT		 5602}
5603
64274518 5604void l2cap_exit(void)
1da177e4 5605{
aef7d97c 5606 debugfs_remove(l2cap_debugfs);
bb58f747 5607 l2cap_cleanup_sockets();
1da177e4
LT		 5608}
5609
d1c4a17d
GP		 5610module_param(disable_ertm, bool, 0644);
5611MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)