projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Use the transmit state machine for busy state changes
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
33#include <linux/types.h>
4fc268d2 34#include <linux/capability.h>
1da177e4
LT		 35#include <linux/errno.h>
36#include <linux/kernel.h>
1da177e4
LT		 37#include <linux/sched.h>
38#include <linux/slab.h>
39#include <linux/poll.h>
40#include <linux/fcntl.h>
41#include <linux/init.h>
42#include <linux/interrupt.h>
43#include <linux/socket.h>
44#include <linux/skbuff.h>
1da177e4 45#include <linux/list.h>
be9d1227 46#include <linux/device.h>
aef7d97c
MH		 47#include <linux/debugfs.h>
48#include <linux/seq_file.h>
af05b30b 49#include <linux/uaccess.h>
fcc203c3 50#include <linux/crc16.h>
1da177e4
LT		 51#include <net/sock.h>
52
1da177e4
LT		 53#include <asm/unaligned.h>
54
55#include <net/bluetooth/bluetooth.h>
56#include <net/bluetooth/hci_core.h>
57#include <net/bluetooth/l2cap.h>
b501d6a1 58#include <net/bluetooth/smp.h>
1da177e4 59
b191e031 60bool disable_ertm = 1;
f0709e03 61
47ec1dcd 62static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 63static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 64
b5ad8b7f
JB		 65static LIST_HEAD(chan_list);
66static DEFINE_RWLOCK(chan_list_lock);
1da177e4 67
1da177e4
LT		 68static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
69 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 70static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
71 void *data);
710f9b0a 72static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a 73static void l2cap_send_disconn_req(struct l2cap_conn *conn,
c5daa683 74 struct l2cap_chan *chan, int err);
1da177e4 75
608bcc6d
MM		 76static int l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
77 struct sk_buff_head *skbs, u8 event);
78
0139418c 79/* ---- L2CAP channels ---- */
71ba0e56 80
baa7e1fa 81static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 82{
3df91ea2 83 struct l2cap_chan *c;
3d57dc68 84
3df91ea2
AE		 85 list_for_each_entry(c, &conn->chan_l, list) {
86 if (c->dcid == cid)
87 return c;
0139418c 88 }
3df91ea2 89 return NULL;
0139418c
MH		 90}
91
baa7e1fa 92static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 93{
3df91ea2 94 struct l2cap_chan *c;
3d57dc68 95
3df91ea2
AE		 96 list_for_each_entry(c, &conn->chan_l, list) {
97 if (c->scid == cid)
98 return c;
0139418c 99 }
3df91ea2 100 return NULL;
0139418c
MH		 101}
102
103/* Find channel with given SCID.
ef191ade 104 * Returns locked channel. */
baa7e1fa 105static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 106{
48454079 107 struct l2cap_chan *c;
baa7e1fa 108
3df91ea2 109 mutex_lock(&conn->chan_lock);
baa7e1fa 110 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 111 if (c)
112 l2cap_chan_lock(c);
3df91ea2
AE		 113 mutex_unlock(&conn->chan_lock);
114
48454079 115 return c;
0139418c
MH		 116}
117
baa7e1fa 118static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 119{
3df91ea2 120 struct l2cap_chan *c;
3d57dc68 121
3df91ea2
AE		 122 list_for_each_entry(c, &conn->chan_l, list) {
123 if (c->ident == ident)
124 return c;
0139418c 125 }
3df91ea2 126 return NULL;
0139418c
MH		 127}
128
23691d75 129static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 130{
23691d75 131 struct l2cap_chan *c;
9e4425ff 132
23691d75
GP		 133 list_for_each_entry(c, &chan_list, global_l) {
134 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 135 return c;
9e4425ff 136 }
250938cb 137 return NULL;
9e4425ff
GP		 138}
139
140int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
141{
73b2ec18
GP		 142 int err;
143
333055f2 144 write_lock(&chan_list_lock);
9e4425ff 145
23691d75 146 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 147 err = -EADDRINUSE;
148 goto done;
9e4425ff
GP		 149 }
150
73b2ec18
GP		 151 if (psm) {
152 chan->psm = psm;
153 chan->sport = psm;
154 err = 0;
155 } else {
156 u16 p;
157
158 err = -EINVAL;
159 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 160 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 161 chan->psm = cpu_to_le16(p);
162 chan->sport = cpu_to_le16(p);
163 err = 0;
164 break;
165 }
166 }
9e4425ff 167
73b2ec18 168done:
333055f2 169 write_unlock(&chan_list_lock);
73b2ec18 170 return err;
9e4425ff
GP		 171}
172
173int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
174{
333055f2 175 write_lock(&chan_list_lock);
9e4425ff
GP		 176
177 chan->scid = scid;
178
333055f2 179 write_unlock(&chan_list_lock);
9e4425ff
GP		 180
181 return 0;
182}
183
baa7e1fa 184static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 185{
8db4dc46 186 u16 cid = L2CAP_CID_DYN_START;
0139418c 187
8db4dc46 188 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 189 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 190 return cid;
191 }
192
193 return 0;
194}
195
0e587be7 196static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 197{
42d2d87c 198 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
badaaa00
GP		 199 state_to_string(state));
200
89bc500e
GP		 201 chan->state = state;
202 chan->ops->state_change(chan->data, state);
203}
204
0e587be7
AE		 205static void l2cap_state_change(struct l2cap_chan *chan, int state)
206{
207 struct sock *sk = chan->sk;
208
209 lock_sock(sk);
210 __l2cap_state_change(chan, state);
211 release_sock(sk);
212}
213
2e0052e4
AE		 214static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
215{
216 struct sock *sk = chan->sk;
217
218 sk->sk_err = err;
219}
220
221static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
222{
223 struct sock *sk = chan->sk;
224
225 lock_sock(sk);
226 __l2cap_chan_set_err(chan, err);
227 release_sock(sk);
228}
229
608bcc6d
MM		 230static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
231 u16 seq)
232{
233 struct sk_buff *skb;
234
235 skb_queue_walk(head, skb) {
236 if (bt_cb(skb)->control.txseq == seq)
237 return skb;
238 }
239
240 return NULL;
241}
242
3c588192
MM		 243/* ---- L2CAP sequence number lists ---- */
244
245/* For ERTM, ordered lists of sequence numbers must be tracked for
246 * SREJ requests that are received and for frames that are to be
247 * retransmitted. These seq_list functions implement a singly-linked
248 * list in an array, where membership in the list can also be checked
249 * in constant time. Items can also be added to the tail of the list
250 * and removed from the head in constant time, without further memory
251 * allocs or frees.
252 */
253
254static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
255{
256 size_t alloc_size, i;
257
258 /* Allocated size is a power of 2 to map sequence numbers
259 * (which may be up to 14 bits) in to a smaller array that is
260 * sized for the negotiated ERTM transmit windows.
261 */
262 alloc_size = roundup_pow_of_two(size);
263
264 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
265 if (!seq_list->list)
266 return -ENOMEM;
267
268 seq_list->mask = alloc_size - 1;
269 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
270 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
271 for (i = 0; i < alloc_size; i++)
272 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
273
274 return 0;
275}
276
277static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
278{
279 kfree(seq_list->list);
280}
281
282static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
283 u16 seq)
284{
285 /* Constant-time check for list membership */
286 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
287}
288
289static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
290{
291 u16 mask = seq_list->mask;
292
293 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
294 /* In case someone tries to pop the head of an empty list */
295 return L2CAP_SEQ_LIST_CLEAR;
296 } else if (seq_list->head == seq) {
297 /* Head can be removed in constant time */
298 seq_list->head = seq_list->list[seq & mask];
299 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
300
301 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
302 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
303 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
304 }
305 } else {
306 /* Walk the list to find the sequence number */
307 u16 prev = seq_list->head;
308 while (seq_list->list[prev & mask] != seq) {
309 prev = seq_list->list[prev & mask];
310 if (prev == L2CAP_SEQ_LIST_TAIL)
311 return L2CAP_SEQ_LIST_CLEAR;
312 }
313
314 /* Unlink the number from the list and clear it */
315 seq_list->list[prev & mask] = seq_list->list[seq & mask];
316 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
317 if (seq_list->tail == seq)
318 seq_list->tail = prev;
319 }
320 return seq;
321}
322
323static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
324{
325 /* Remove the head in constant time */
326 return l2cap_seq_list_remove(seq_list, seq_list->head);
327}
328
329static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
330{
f522ae36 331 u16 i;
3c588192 332
f522ae36
GP		 333 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
334 return;
335
336 for (i = 0; i <= seq_list->mask; i++)
337 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
338
339 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
340 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 341}
342
343static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
344{
345 u16 mask = seq_list->mask;
346
347 /* All appends happen in constant time */
348
f522ae36
GP		 349 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
350 return;
3c588192 351
f522ae36
GP		 352 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
353 seq_list->head = seq;
354 else
355 seq_list->list[seq_list->tail & mask] = seq;
356
357 seq_list->tail = seq;
358 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 359}
360
721c4181 361static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 362{
721c4181
GP		 363 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
364 chan_timer.work);
3df91ea2 365 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 366 int reason;
367
e05dcc32 368 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 369
3df91ea2 370 mutex_lock(&conn->chan_lock);
6be36555 371 l2cap_chan_lock(chan);
ab07801d 372
89bc500e 373 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 374 reason = ECONNREFUSED;
89bc500e 375 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 376 chan->sec_level != BT_SECURITY_SDP)
377 reason = ECONNREFUSED;
378 else
379 reason = ETIMEDOUT;
380
0f852724 381 l2cap_chan_close(chan, reason);
ab07801d 382
6be36555 383 l2cap_chan_unlock(chan);
ab07801d 384
ba3bd0ee 385 chan->ops->close(chan->data);
3df91ea2
AE		 386 mutex_unlock(&conn->chan_lock);
387
371fd835 388 l2cap_chan_put(chan);
ab07801d
GP		 389}
390
eef1d9b6 391struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 392{
393 struct l2cap_chan *chan;
394
395 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
396 if (!chan)
397 return NULL;
398
c03b355e
AE		 399 mutex_init(&chan->lock);
400
333055f2 401 write_lock(&chan_list_lock);
23691d75 402 list_add(&chan->global_l, &chan_list);
333055f2 403 write_unlock(&chan_list_lock);
23691d75 404
721c4181 405 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 406
89bc500e
GP		 407 chan->state = BT_OPEN;
408
71ba0e56
GP		 409 atomic_set(&chan->refcnt, 1);
410
2827011f
MM		 411 /* This flag is cleared in l2cap_chan_ready() */
412 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
413
eef1d9b6 414 BT_DBG("chan %p", chan);
abc545b8 415
48454079
GP		 416 return chan;
417}
418
23691d75 419void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 420{
333055f2 421 write_lock(&chan_list_lock);
23691d75 422 list_del(&chan->global_l);
333055f2 423 write_unlock(&chan_list_lock);
23691d75 424
371fd835 425 l2cap_chan_put(chan);
6ff5abbf
GP		 426}
427
bd4b1653
AE		 428void l2cap_chan_set_defaults(struct l2cap_chan *chan)
429{
430 chan->fcs = L2CAP_FCS_CRC16;
431 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
432 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
433 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
434 chan->sec_level = BT_SECURITY_LOW;
435
436 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
437}
438
14a28491 439static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 440{
af05b30b 441 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 442 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 443
9f5a0d7b 444 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 445
8c1d787b 446 chan->conn = conn;
0139418c 447
5491120e
AE		 448 switch (chan->chan_type) {
449 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 450 if (conn->hcon->type == LE_LINK) {
451 /* LE connection */
0c1bc5c6 452 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 453 chan->scid = L2CAP_CID_LE_DATA;
454 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 455 } else {
456 /* Alloc CID for connection-oriented socket */
fe4128e0 457 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 458 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 459 }
5491120e
AE		 460 break;
461
462 case L2CAP_CHAN_CONN_LESS:
0139418c 463 /* Connectionless socket */
fe4128e0
GP		 464 chan->scid = L2CAP_CID_CONN_LESS;
465 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 466 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 467 break;
468
469 default:
0139418c 470 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 471 chan->scid = L2CAP_CID_SIGNALING;
472 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 473 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 474 }
475
8f7975b1
AE		 476 chan->local_id = L2CAP_BESTEFFORT_ID;
477 chan->local_stype = L2CAP_SERV_BESTEFFORT;
478 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
479 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
480 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
481 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
482
371fd835 483 l2cap_chan_hold(chan);
baa7e1fa 484
3df91ea2 485 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 486}
487
14a28491 488static void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 489{
490 mutex_lock(&conn->chan_lock);
491 __l2cap_chan_add(conn, chan);
3df91ea2 492 mutex_unlock(&conn->chan_lock);
0139418c
MH		 493}
494
4519de9a 495static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 496{
48454079 497 struct sock *sk = chan->sk;
8c1d787b 498 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 499 struct sock *parent = bt_sk(sk)->parent;
500
c9b66675 501 __clear_chan_timer(chan);
0139418c 502
49208c9c 503 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 504
8e87d142 505 if (conn) {
baa7e1fa 506 /* Delete from channel list */
3df91ea2 507 list_del(&chan->list);
3d57dc68 508
371fd835 509 l2cap_chan_put(chan);
baa7e1fa 510
8c1d787b 511 chan->conn = NULL;
0139418c
MH		 512 hci_conn_put(conn->hcon);
513 }
514
6be36555
AE		 515 lock_sock(sk);
516
0e587be7 517 __l2cap_state_change(chan, BT_CLOSED);
0139418c
MH		 518 sock_set_flag(sk, SOCK_ZAPPED);
519
520 if (err)
2e0052e4 521 __l2cap_chan_set_err(chan, err);
0139418c
MH		 522
523 if (parent) {
524 bt_accept_unlink(sk);
525 parent->sk_data_ready(parent, 0);
526 } else
527 sk->sk_state_change(sk);
c13ffa62 528
6be36555
AE		 529 release_sock(sk);
530
2827011f 531 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 532 return;
2ead70b8 533
58d35f87 534 skb_queue_purge(&chan->tx_q);
c13ffa62 535
0c1bc5c6 536 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 537 __clear_retrans_timer(chan);
538 __clear_monitor_timer(chan);
539 __clear_ack_timer(chan);
c13ffa62 540
f1c6775b 541 skb_queue_purge(&chan->srej_q);
c13ffa62 542
3c588192
MM		 543 l2cap_seq_list_free(&chan->srej_list);
544 l2cap_seq_list_free(&chan->retrans_list);
c13ffa62 545 }
0139418c
MH		 546}
547
4519de9a
GP		 548static void l2cap_chan_cleanup_listen(struct sock *parent)
549{
550 struct sock *sk;
551
552 BT_DBG("parent %p", parent);
553
554 /* Close not yet accepted channels */
0f852724 555 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee 556 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
3df91ea2 557
6be36555 558 l2cap_chan_lock(chan);
c9b66675 559 __clear_chan_timer(chan);
ba3bd0ee 560 l2cap_chan_close(chan, ECONNRESET);
6be36555 561 l2cap_chan_unlock(chan);
3df91ea2 562
ba3bd0ee 563 chan->ops->close(chan->data);
0f852724 564 }
4519de9a
GP		 565}
566
0f852724 567void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 568{
569 struct l2cap_conn *conn = chan->conn;
570 struct sock *sk = chan->sk;
571
e05dcc32
AE		 572 BT_DBG("chan %p state %s sk %p", chan,
573 state_to_string(chan->state), sk);
4519de9a 574
89bc500e 575 switch (chan->state) {
4519de9a 576 case BT_LISTEN:
6be36555 577 lock_sock(sk);
4519de9a 578 l2cap_chan_cleanup_listen(sk);
89bc500e 579
0e587be7 580 __l2cap_state_change(chan, BT_CLOSED);
89bc500e 581 sock_set_flag(sk, SOCK_ZAPPED);
6be36555 582 release_sock(sk);
4519de9a
GP		 583 break;
584
585 case BT_CONNECTED:
586 case BT_CONFIG:
715ec005 587 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 588 conn->hcon->type == ACL_LINK) {
c9b66675 589 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 590 l2cap_send_disconn_req(conn, chan, reason);
591 } else
592 l2cap_chan_del(chan, reason);
593 break;
594
595 case BT_CONNECT2:
715ec005 596 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 597 conn->hcon->type == ACL_LINK) {
598 struct l2cap_conn_rsp rsp;
599 __u16 result;
600
c5daa683 601 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 602 result = L2CAP_CR_SEC_BLOCK;
603 else
604 result = L2CAP_CR_BAD_PSM;
89bc500e 605 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 606
607 rsp.scid = cpu_to_le16(chan->dcid);
608 rsp.dcid = cpu_to_le16(chan->scid);
609 rsp.result = cpu_to_le16(result);
610 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
611 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
612 sizeof(rsp), &rsp);
613 }
614
615 l2cap_chan_del(chan, reason);
616 break;
617
618 case BT_CONNECT:
619 case BT_DISCONN:
620 l2cap_chan_del(chan, reason);
621 break;
622
623 default:
6be36555 624 lock_sock(sk);
4519de9a 625 sock_set_flag(sk, SOCK_ZAPPED);
6be36555 626 release_sock(sk);
4519de9a
GP		 627 break;
628 }
629}
630
4343478f 631static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 632{
715ec005 633 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 634 switch (chan->sec_level) {
8556edd3
JH		 635 case BT_SECURITY_HIGH:
636 return HCI_AT_DEDICATED_BONDING_MITM;
637 case BT_SECURITY_MEDIUM:
638 return HCI_AT_DEDICATED_BONDING;
639 default:
640 return HCI_AT_NO_BONDING;
641 }
fe4128e0 642 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 643 if (chan->sec_level == BT_SECURITY_LOW)
644 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 645
4343478f 646 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 647 return HCI_AT_NO_BONDING_MITM;
00ae4af9 648 else
8556edd3 649 return HCI_AT_NO_BONDING;
00ae4af9 650 } else {
4343478f 651 switch (chan->sec_level) {
00ae4af9 652 case BT_SECURITY_HIGH:
8556edd3 653 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 654 case BT_SECURITY_MEDIUM:
8556edd3 655 return HCI_AT_GENERAL_BONDING;
00ae4af9 656 default:
8556edd3 657 return HCI_AT_NO_BONDING;
00ae4af9 658 }
0684e5f9 659 }
8556edd3
JH		 660}
661
662/* Service level security */
d45fc423 663int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 664{
8c1d787b 665 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 666 __u8 auth_type;
667
4343478f 668 auth_type = l2cap_get_auth_type(chan);
79d554a6 669
4343478f 670 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 671}
672
b5ad8b7f 673static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 674{
675 u8 id;
676
677 /* Get next available identificator.
678 * 1 - 128 are used by kernel.
679 * 129 - 199 are reserved.
680 * 200 - 254 are used by utilities like l2ping, etc.
681 */
682
333055f2 683 spin_lock(&conn->lock);
4e8402a3
MH		 684
685 if (++conn->tx_ident > 128)
686 conn->tx_ident = 1;
687
688 id = conn->tx_ident;
689
333055f2 690 spin_unlock(&conn->lock);
4e8402a3
MH		 691
692 return id;
693}
694
4519de9a 695static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 696{
697 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 698 u8 flags;
4e8402a3
MH		 699
700 BT_DBG("code 0x%2.2x", code);
701
702 if (!skb)
9a9c6a34 703 return;
4e8402a3 704
e702112f
AE		 705 if (lmp_no_flush_capable(conn->hcon->hdev))
706 flags = ACL_START_NO_FLUSH;
707 else
708 flags = ACL_START;
709
14b12d0b 710 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 711 skb->priority = HCI_PRIO_MAX;
14b12d0b 712
73d80deb
LAD		 713 hci_send_acl(conn->hchan, skb, flags);
714}
715
716static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
717{
718 struct hci_conn *hcon = chan->conn->hcon;
719 u16 flags;
720
721 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
722 skb->priority);
723
724 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
725 lmp_no_flush_capable(hcon->hdev))
726 flags = ACL_START_NO_FLUSH;
727 else
728 flags = ACL_START;
14b12d0b 729
73d80deb
LAD		 730 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
731 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 732}
733
b76bbd66
MM		 734static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
735{
736 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
737 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
738
739 if (enh & L2CAP_CTRL_FRAME_TYPE) {
740 /* S-Frame */
741 control->sframe = 1;
742 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
743 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
744
745 control->sar = 0;
746 control->txseq = 0;
747 } else {
748 /* I-Frame */
749 control->sframe = 0;
750 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
751 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
752
753 control->poll = 0;
754 control->super = 0;
755 }
756}
757
b76bbd66
MM		 758static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
759{
760 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
761 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
762
763 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
764 /* S-Frame */
765 control->sframe = 1;
766 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
767 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
768
769 control->sar = 0;
770 control->txseq = 0;
771 } else {
772 /* I-Frame */
773 control->sframe = 0;
774 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
775 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
776
777 control->poll = 0;
778 control->super = 0;
779 }
780}
781
782static inline void __unpack_control(struct l2cap_chan *chan,
783 struct sk_buff *skb)
784{
785 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
786 __unpack_extended_control(get_unaligned_le32(skb->data),
787 &bt_cb(skb)->control);
cec8ab6e 788 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 789 } else {
790 __unpack_enhanced_control(get_unaligned_le16(skb->data),
791 &bt_cb(skb)->control);
cec8ab6e 792 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 793 }
794}
795
b5c6aaed
MM		 796static u32 __pack_extended_control(struct l2cap_ctrl *control)
797{
798 u32 packed;
799
800 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
801 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
802
803 if (control->sframe) {
804 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
805 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
806 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
807 } else {
808 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
809 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
810 }
811
812 return packed;
813}
814
815static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
816{
817 u16 packed;
818
819 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
820 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
821
822 if (control->sframe) {
823 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
824 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
825 packed |= L2CAP_CTRL_FRAME_TYPE;
826 } else {
827 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
828 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
829 }
830
831 return packed;
832}
833
b76bbd66
MM		 834static inline void __pack_control(struct l2cap_chan *chan,
835 struct l2cap_ctrl *control,
836 struct sk_buff *skb)
837{
838 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
839 put_unaligned_le32(__pack_extended_control(control),
840 skb->data + L2CAP_HDR_SIZE);
841 } else {
842 put_unaligned_le16(__pack_enhanced_control(control),
843 skb->data + L2CAP_HDR_SIZE);
844 }
845}
846
a67d7f6f
MM		 847static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
848 u32 control)
b5c6aaed
MM		 849{
850 struct sk_buff *skb;
851 struct l2cap_hdr *lh;
a67d7f6f 852 int hlen;
b5c6aaed
MM		 853
854 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
855 hlen = L2CAP_EXT_HDR_SIZE;
856 else
857 hlen = L2CAP_ENH_HDR_SIZE;
858
859 if (chan->fcs == L2CAP_FCS_CRC16)
860 hlen += L2CAP_FCS_SIZE;
861
a67d7f6f 862 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 863
b5c6aaed 864 if (!skb)
a67d7f6f 865 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 866
867 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
868 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
869 lh->cid = cpu_to_le16(chan->dcid);
870
a67d7f6f
MM		 871 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
872 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
873 else
874 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 875
876 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 877 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 878 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
879 }
880
881 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 882 return skb;
883}
884
885static void l2cap_send_sframe(struct l2cap_chan *chan,
886 struct l2cap_ctrl *control)
887{
888 struct sk_buff *skb;
889 u32 control_field;
890
891 BT_DBG("chan %p, control %p", chan, control);
892
893 if (!control->sframe)
894 return;
895
896 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
897 !control->poll)
898 control->final = 1;
899
900 if (control->super == L2CAP_SUPER_RR)
901 clear_bit(CONN_RNR_SENT, &chan->conn_state);
902 else if (control->super == L2CAP_SUPER_RNR)
903 set_bit(CONN_RNR_SENT, &chan->conn_state);
904
905 if (control->super != L2CAP_SUPER_SREJ) {
906 chan->last_acked_seq = control->reqseq;
907 __clear_ack_timer(chan);
908 }
909
910 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
911 control->final, control->poll, control->super);
912
913 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
914 control_field = __pack_extended_control(control);
915 else
916 control_field = __pack_enhanced_control(control);
917
918 skb = l2cap_create_sframe_pdu(chan, control_field);
919 if (!IS_ERR(skb))
920 l2cap_do_send(chan, skb);
b5c6aaed
MM		 921}
922
923static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u32 control)
924{
925 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
926 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
927 set_bit(CONN_RNR_SENT, &chan->conn_state);
928 } else
929 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
930
931 control |= __set_reqseq(chan, chan->buffer_seq);
b5c6aaed
MM		 932}
933
b4450035 934static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 935{
c1360a1c 936 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 937}
938
9b27f350
AE		 939static void l2cap_send_conn_req(struct l2cap_chan *chan)
940{
941 struct l2cap_conn *conn = chan->conn;
942 struct l2cap_conn_req req;
943
944 req.scid = cpu_to_le16(chan->scid);
945 req.psm = chan->psm;
946
947 chan->ident = l2cap_get_ident(conn);
948
949 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
950
951 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
952}
953
9f0caeb1
VCG		 954static void l2cap_chan_ready(struct l2cap_chan *chan)
955{
956 struct sock *sk = chan->sk;
957 struct sock *parent;
958
959 lock_sock(sk);
960
961 parent = bt_sk(sk)->parent;
962
963 BT_DBG("sk %p, parent %p", sk, parent);
964
2827011f 965 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 966 chan->conf_state = 0;
967 __clear_chan_timer(chan);
968
969 __l2cap_state_change(chan, BT_CONNECTED);
970 sk->sk_state_change(sk);
971
972 if (parent)
973 parent->sk_data_ready(parent, 0);
974
975 release_sock(sk);
976}
977
fc7f8a7e 978static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 979{
8c1d787b 980 struct l2cap_conn *conn = chan->conn;
79d554a6 981
9f0caeb1
VCG		 982 if (conn->hcon->type == LE_LINK) {
983 l2cap_chan_ready(chan);
984 return;
985 }
986
79d554a6 987 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 988 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
989 return;
990
d45fc423 991 if (l2cap_chan_check_security(chan) &&
9b27f350
AE		 992 __l2cap_no_conn_pending(chan))
993 l2cap_send_conn_req(chan);
79d554a6
MH		 994 } else {
995 struct l2cap_info_req req;
996 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
997
998 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
999 conn->info_ident = l2cap_get_ident(conn);
1000
ba13ccd9 1001 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 1002
1003 l2cap_send_cmd(conn, conn->info_ident,
1004 L2CAP_INFO_REQ, sizeof(req), &req);
1005 }
1006}
1007
cf6c2c0b
GP		 1008static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1009{
1010 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1011 if (!disable_ertm)
cf6c2c0b
GP		 1012 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1013
1014 switch (mode) {
1015 case L2CAP_MODE_ERTM:
1016 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1017 case L2CAP_MODE_STREAMING:
1018 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1019 default:
1020 return 0x00;
1021 }
1022}
1023
4519de9a 1024static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 1025{
6be36555 1026 struct sock *sk = chan->sk;
22121fc9
GP		 1027 struct l2cap_disconn_req req;
1028
c13ffa62
GP		 1029 if (!conn)
1030 return;
1031
0c1bc5c6 1032 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 1033 __clear_retrans_timer(chan);
1034 __clear_monitor_timer(chan);
1035 __clear_ack_timer(chan);
c13ffa62
GP		 1036 }
1037
fe4128e0
GP		 1038 req.dcid = cpu_to_le16(chan->dcid);
1039 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 1040 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1041 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 1042
6be36555 1043 lock_sock(sk);
0e587be7 1044 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1045 __l2cap_chan_set_err(chan, err);
6be36555 1046 release_sock(sk);
22121fc9
GP		 1047}
1048
1da177e4 1049/* ---- L2CAP connections ---- */
4e8402a3
MH		 1050static void l2cap_conn_start(struct l2cap_conn *conn)
1051{
3df91ea2 1052 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1053
1054 BT_DBG("conn %p", conn);
1055
3df91ea2 1056 mutex_lock(&conn->chan_lock);
4e8402a3 1057
3df91ea2 1058 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1059 struct sock *sk = chan->sk;
baa7e1fa 1060
6be36555 1061 l2cap_chan_lock(chan);
4e8402a3 1062
715ec005 1063 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1064 l2cap_chan_unlock(chan);
79d554a6
MH		 1065 continue;
1066 }
1067
89bc500e 1068 if (chan->state == BT_CONNECT) {
d45fc423 1069 if (!l2cap_chan_check_security(chan) ||
b4450035 1070 !__l2cap_no_conn_pending(chan)) {
6be36555 1071 l2cap_chan_unlock(chan);
47731de7
GP		 1072 continue;
1073 }
79d554a6 1074
c1360a1c
GP		 1075 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1076 && test_bit(CONF_STATE2_DEVICE,
1077 &chan->conf_state)) {
89bc500e 1078 l2cap_chan_close(chan, ECONNRESET);
6be36555 1079 l2cap_chan_unlock(chan);
47731de7 1080 continue;
b1235d79 1081 }
47731de7 1082
9b27f350 1083 l2cap_send_conn_req(chan);
47731de7 1084
89bc500e 1085 } else if (chan->state == BT_CONNECT2) {
79d554a6 1086 struct l2cap_conn_rsp rsp;
e9aeb2dd 1087 char buf[128];
fe4128e0
GP		 1088 rsp.scid = cpu_to_le16(chan->dcid);
1089 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1090
d45fc423 1091 if (l2cap_chan_check_security(chan)) {
6be36555 1092 lock_sock(sk);
c5daa683
GP		 1093 if (test_bit(BT_SK_DEFER_SETUP,
1094 &bt_sk(sk)->flags)) {
f66dc81f
MH		 1095 struct sock *parent = bt_sk(sk)->parent;
1096 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1097 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 1098 if (parent)
1099 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 1100
1101 } else {
0e587be7 1102 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 1103 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1104 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1105 }
6be36555 1106 release_sock(sk);
79d554a6
MH		 1107 } else {
1108 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1109 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1110 }
1111
fc7f8a7e
GP		 1112 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1113 sizeof(rsp), &rsp);
e9aeb2dd 1114
c1360a1c 1115 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd 1116 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1117 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1118 continue;
1119 }
1120
c1360a1c 1121 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1122 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 1123 l2cap_build_conf_req(chan, buf), buf);
1124 chan->num_conf_req++;
4e8402a3
MH		 1125 }
1126
6be36555 1127 l2cap_chan_unlock(chan);
4e8402a3
MH		 1128 }
1129
3df91ea2 1130 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1131}
1132
c2287681 1133/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1134 * Returns closest match, locked.
1135 */
d9b88702 1136static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1137 bdaddr_t *src,
1138 bdaddr_t *dst)
b62f328b 1139{
23691d75 1140 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1141
23691d75 1142 read_lock(&chan_list_lock);
b62f328b 1143
23691d75
GP		 1144 list_for_each_entry(c, &chan_list, global_l) {
1145 struct sock *sk = c->sk;
fe4128e0 1146
89bc500e 1147 if (state && c->state != state)
b62f328b
VT		 1148 continue;
1149
23691d75 1150 if (c->scid == cid) {
c2287681
IY		 1151 int src_match, dst_match;
1152 int src_any, dst_any;
1153
b62f328b 1154 /* Exact match. */
c2287681
IY		 1155 src_match = !bacmp(&bt_sk(sk)->src, src);
1156 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1157 if (src_match && dst_match) {
23691d75
GP		 1158 read_unlock(&chan_list_lock);
1159 return c;
1160 }
b62f328b
VT		 1161
1162 /* Closest match */
c2287681
IY		 1163 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1164 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1165 if ((src_match && dst_any) || (src_any && dst_match) ||
1166 (src_any && dst_any))
23691d75 1167 c1 = c;
b62f328b
VT		 1168 }
1169 }
280f294f 1170
23691d75 1171 read_unlock(&chan_list_lock);
b62f328b 1172
23691d75 1173 return c1;
b62f328b
VT		 1174}
1175
1176static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1177{
c916fbe4 1178 struct sock *parent, *sk;
23691d75 1179 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1180
1181 BT_DBG("");
1182
1183 /* Check if we have socket listening on cid */
23691d75 1184 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1185 conn->src, conn->dst);
23691d75 1186 if (!pchan)
b62f328b
VT		 1187 return;
1188
23691d75
GP		 1189 parent = pchan->sk;
1190
aa2ac881 1191 lock_sock(parent);
62f3a2cf 1192
b62f328b
VT		 1193 /* Check for backlog size */
1194 if (sk_acceptq_is_full(parent)) {
1195 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1196 goto clean;
1197 }
1198
80808e43
GP		 1199 chan = pchan->ops->new_connection(pchan->data);
1200 if (!chan)
b62f328b
VT		 1201 goto clean;
1202
80808e43 1203 sk = chan->sk;
5d41ce1d 1204
b62f328b
VT		 1205 hci_conn_hold(conn->hcon);
1206
b62f328b
VT		 1207 bacpy(&bt_sk(sk)->src, conn->src);
1208 bacpy(&bt_sk(sk)->dst, conn->dst);
1209
d1010240
GP		 1210 bt_accept_enqueue(parent, sk);
1211
3d57dc68 1212 l2cap_chan_add(conn, chan);
48454079 1213
c9b66675 1214 __set_chan_timer(chan, sk->sk_sndtimeo);
b62f328b 1215
0e587be7 1216 __l2cap_state_change(chan, BT_CONNECTED);
b62f328b
VT		 1217 parent->sk_data_ready(parent, 0);
1218
b62f328b 1219clean:
aa2ac881 1220 release_sock(parent);
b62f328b
VT		 1221}
1222
4e8402a3
MH		 1223static void l2cap_conn_ready(struct l2cap_conn *conn)
1224{
48454079 1225 struct l2cap_chan *chan;
4e8402a3 1226
79d554a6 1227 BT_DBG("conn %p", conn);
4e8402a3 1228
b62f328b
VT		 1229 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
1230 l2cap_le_conn_ready(conn);
1231
160dc6ac
VCG		 1232 if (conn->hcon->out && conn->hcon->type == LE_LINK)
1233 smp_conn_security(conn, conn->hcon->pending_sec_level);
1234
3df91ea2 1235 mutex_lock(&conn->chan_lock);
4e8402a3 1236
3df91ea2 1237 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1238
6be36555 1239 l2cap_chan_lock(chan);
4e8402a3 1240
63128451 1241 if (conn->hcon->type == LE_LINK) {
b501d6a1 1242 if (smp_conn_security(conn, chan->sec_level))
cf4cd009 1243 l2cap_chan_ready(chan);
acd7d370 1244
63128451 1245 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1246 struct sock *sk = chan->sk;
c9b66675 1247 __clear_chan_timer(chan);
6be36555 1248 lock_sock(sk);
0e587be7 1249 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1250 sk->sk_state_change(sk);
6be36555 1251 release_sock(sk);
b501d6a1 1252
89bc500e 1253 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1254 l2cap_do_start(chan);
4e8402a3 1255
6be36555 1256 l2cap_chan_unlock(chan);
4e8402a3 1257 }
79d554a6 1258
3df91ea2 1259 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1260}
1261
1262/* Notify sockets that we cannot guaranty reliability anymore */
1263static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1264{
48454079 1265 struct l2cap_chan *chan;
4e8402a3
MH		 1266
1267 BT_DBG("conn %p", conn);
1268
3df91ea2 1269 mutex_lock(&conn->chan_lock);
4e8402a3 1270
3df91ea2 1271 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1272 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
2e0052e4 1273 __l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1274 }
1275
3df91ea2 1276 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1277}
1278
f878fcad 1279static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1280{
f878fcad 1281 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
030013d8 1282 info_timer.work);
4e8402a3 1283
984947dc 1284 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1285 conn->info_ident = 0;
984947dc 1286
4e8402a3
MH		 1287 l2cap_conn_start(conn);
1288}
1289
5d3de7df
VCG		 1290static void l2cap_conn_del(struct hci_conn *hcon, int err)
1291{
1292 struct l2cap_conn *conn = hcon->l2cap_data;
1293 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1294
1295 if (!conn)
1296 return;
1297
1298 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1299
1300 kfree_skb(conn->rx_skb);
1301
3df91ea2
AE		 1302 mutex_lock(&conn->chan_lock);
1303
5d3de7df
VCG		 1304 /* Kill channels */
1305 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1306 l2cap_chan_hold(chan);
6be36555
AE		 1307 l2cap_chan_lock(chan);
1308
5d3de7df 1309 l2cap_chan_del(chan, err);
6be36555
AE		 1310
1311 l2cap_chan_unlock(chan);
1312
5d3de7df 1313 chan->ops->close(chan->data);
61d6ef3e 1314 l2cap_chan_put(chan);
5d3de7df
VCG		 1315 }
1316
3df91ea2
AE		 1317 mutex_unlock(&conn->chan_lock);
1318
73d80deb
LAD		 1319 hci_chan_del(conn->hchan);
1320
5d3de7df 1321 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1322 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1323
51a8efd7 1324 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1325 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1326 smp_chan_destroy(conn);
d26a2345 1327 }
5d3de7df
VCG		 1328
1329 hcon->l2cap_data = NULL;
1330 kfree(conn);
1331}
1332
6c9d42a1 1333static void security_timeout(struct work_struct *work)
5d3de7df 1334{
6c9d42a1
GP		 1335 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1336 security_timer.work);
5d3de7df
VCG		 1337
1338 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1339}
1340
1da177e4
LT		 1341static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1342{
0139418c 1343 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1344 struct hci_chan *hchan;
1da177e4 1345
0139418c 1346 if (conn || status)
1da177e4
LT		 1347 return conn;
1348
73d80deb
LAD		 1349 hchan = hci_chan_create(hcon);
1350 if (!hchan)
1351 return NULL;
1352
0139418c 1353 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
73d80deb
LAD		 1354 if (!conn) {
1355 hci_chan_del(hchan);
1da177e4 1356 return NULL;
73d80deb 1357 }
1da177e4
LT		 1358
1359 hcon->l2cap_data = conn;
1360 conn->hcon = hcon;
73d80deb 1361 conn->hchan = hchan;
1da177e4 1362
73d80deb 1363 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1364
acd7d370
VT		 1365 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1366 conn->mtu = hcon->hdev->le_mtu;
1367 else
1368 conn->mtu = hcon->hdev->acl_mtu;
1369
1da177e4
LT		 1370 conn->src = &hcon->hdev->bdaddr;
1371 conn->dst = &hcon->dst;
1372
4e8402a3
MH		 1373 conn->feat_mask = 0;
1374
1da177e4 1375 spin_lock_init(&conn->lock);
3df91ea2 1376 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1377
1378 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1379
5d3de7df 1380 if (hcon->type == LE_LINK)
6c9d42a1 1381 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1382 else
030013d8 1383 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1384
9f5a0d7b 1385 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1386
1da177e4
LT		 1387 return conn;
1388}
1389
1da177e4 1390/* ---- Socket interface ---- */
1da177e4 1391
c2287681 1392/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1393 * Returns closest match.
1394 */
c2287681
IY		 1395static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1396 bdaddr_t *src,
1397 bdaddr_t *dst)
1da177e4 1398{
23691d75 1399 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1400
23691d75 1401 read_lock(&chan_list_lock);
e0f0cb56 1402
23691d75
GP		 1403 list_for_each_entry(c, &chan_list, global_l) {
1404 struct sock *sk = c->sk;
fe4128e0 1405
89bc500e 1406 if (state && c->state != state)
1da177e4
LT		 1407 continue;
1408
23691d75 1409 if (c->psm == psm) {
c2287681
IY		 1410 int src_match, dst_match;
1411 int src_any, dst_any;
1412
1da177e4 1413 /* Exact match. */
c2287681
IY		 1414 src_match = !bacmp(&bt_sk(sk)->src, src);
1415 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1416 if (src_match && dst_match) {
a7567b20 1417 read_unlock(&chan_list_lock);
23691d75
GP		 1418 return c;
1419 }
1da177e4
LT		 1420
1421 /* Closest match */
c2287681
IY		 1422 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1423 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1424 if ((src_match && dst_any) || (src_any && dst_match) ||
1425 (src_any && dst_any))
23691d75 1426 c1 = c;
1da177e4
LT		 1427 }
1428 }
1da177e4 1429
23691d75 1430 read_unlock(&chan_list_lock);
e0f0cb56 1431
23691d75 1432 return c1;
1da177e4
LT		 1433}
1434
8e9f9892
AG		 1435int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1436 bdaddr_t *dst, u8 dst_type)
1da177e4 1437{
5d41ce1d 1438 struct sock *sk = chan->sk;
1da177e4 1439 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1440 struct l2cap_conn *conn;
1441 struct hci_conn *hcon;
1442 struct hci_dev *hdev;
09ab6f4c 1443 __u8 auth_type;
44d0e48e 1444 int err;
1da177e4 1445
8e9f9892
AG		 1446 BT_DBG("%s -> %s (type %u) psm 0x%2.2x", batostr(src), batostr(dst),
1447 dst_type, __le16_to_cpu(chan->psm));
1da177e4 1448
af05b30b
GP		 1449 hdev = hci_get_route(dst, src);
1450 if (!hdev)
1da177e4
LT		 1451 return -EHOSTUNREACH;
1452
09fd0de5 1453 hci_dev_lock(hdev);
1da177e4 1454
6be36555 1455 l2cap_chan_lock(chan);
03a00194
GP		 1456
1457 /* PSM must be odd and lsb of upper byte must be 0 */
1458 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1459 chan->chan_type != L2CAP_CHAN_RAW) {
1460 err = -EINVAL;
1461 goto done;
1462 }
1463
1464 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1465 err = -EINVAL;
1466 goto done;
1467 }
1468
1469 switch (chan->mode) {
1470 case L2CAP_MODE_BASIC:
1471 break;
1472 case L2CAP_MODE_ERTM:
1473 case L2CAP_MODE_STREAMING:
1474 if (!disable_ertm)
1475 break;
1476 /* fall through */
1477 default:
1478 err = -ENOTSUPP;
1479 goto done;
1480 }
1481
6be36555
AE		 1482 lock_sock(sk);
1483
03a00194
GP		 1484 switch (sk->sk_state) {
1485 case BT_CONNECT:
1486 case BT_CONNECT2:
1487 case BT_CONFIG:
1488 /* Already connecting */
1489 err = 0;
6be36555 1490 release_sock(sk);
03a00194
GP		 1491 goto done;
1492
1493 case BT_CONNECTED:
1494 /* Already connected */
1495 err = -EISCONN;
6be36555 1496 release_sock(sk);
03a00194
GP		 1497 goto done;
1498
1499 case BT_OPEN:
1500 case BT_BOUND:
1501 /* Can connect */
1502 break;
1503
1504 default:
1505 err = -EBADFD;
6be36555 1506 release_sock(sk);
03a00194
GP		 1507 goto done;
1508 }
1509
1510 /* Set destination address and psm */
9219b2a0 1511 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1512
1513 release_sock(sk);
1514
03a00194
GP		 1515 chan->psm = psm;
1516 chan->dcid = cid;
1da177e4 1517
4343478f 1518 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1519
fe4128e0 1520 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1521 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1522 chan->sec_level, auth_type);
acd7d370 1523 else
8e9f9892 1524 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1525 chan->sec_level, auth_type);
acd7d370 1526
30e76272
VT		 1527 if (IS_ERR(hcon)) {
1528 err = PTR_ERR(hcon);
1da177e4 1529 goto done;
30e76272 1530 }
1da177e4
LT		 1531
1532 conn = l2cap_conn_add(hcon, 0);
1533 if (!conn) {
1534 hci_conn_put(hcon);
30e76272 1535 err = -ENOMEM;
1da177e4
LT		 1536 goto done;
1537 }
1538
9f0caeb1
VCG		 1539 if (hcon->type == LE_LINK) {
1540 err = 0;
1541
1542 if (!list_empty(&conn->chan_l)) {
1543 err = -EBUSY;
1544 hci_conn_put(hcon);
1545 }
1546
1547 if (err)
1548 goto done;
1549 }
1550
1da177e4
LT		 1551 /* Update source addr of the socket */
1552 bacpy(src, conn->src);
1553
6be36555 1554 l2cap_chan_unlock(chan);
48454079 1555 l2cap_chan_add(conn, chan);
6be36555 1556 l2cap_chan_lock(chan);
48454079 1557
6be36555 1558 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1559 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1560
1561 if (hcon->state == BT_CONNECTED) {
715ec005 1562 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1563 __clear_chan_timer(chan);
d45fc423 1564 if (l2cap_chan_check_security(chan))
6be36555 1565 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1566 } else
fc7f8a7e 1567 l2cap_do_start(chan);
1da177e4
LT		 1568 }
1569
30e76272
VT		 1570 err = 0;
1571
1da177e4 1572done:
6be36555 1573 l2cap_chan_unlock(chan);
09fd0de5 1574 hci_dev_unlock(hdev);
1da177e4
LT		 1575 hci_dev_put(hdev);
1576 return err;
1577}
1578
dcba0dba 1579int __l2cap_wait_ack(struct sock *sk)
6161c038 1580{
8c1d787b 1581 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1582 DECLARE_WAITQUEUE(wait, current);
1583 int err = 0;
1584 int timeo = HZ/5;
1585
2b0b05dd 1586 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1587 set_current_state(TASK_INTERRUPTIBLE);
1588 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1589 if (!timeo)
1590 timeo = HZ/5;
1591
1592 if (signal_pending(current)) {
1593 err = sock_intr_errno(timeo);
1594 break;
1595 }
1596
1597 release_sock(sk);
1598 timeo = schedule_timeout(timeo);
1599 lock_sock(sk);
a71a0cf4 1600 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1601
1602 err = sock_error(sk);
1603 if (err)
1604 break;
1605 }
1606 set_current_state(TASK_RUNNING);
2b0b05dd 1607 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1608 return err;
1609}
1610
721c4181 1611static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1612{
721c4181
GP		 1613 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1614 monitor_timer.work);
e90bac06 1615
525cd185 1616 BT_DBG("chan %p", chan);
0e98958d 1617
6be36555
AE		 1618 l2cap_chan_lock(chan);
1619
2c03a7a4 1620 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1621 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
6be36555 1622 l2cap_chan_unlock(chan);
8d7e1c7f 1623 l2cap_chan_put(chan);
e90bac06
GP		 1624 return;
1625 }
1626
6a026610 1627 chan->retry_count++;
1a09bcb9 1628 __set_monitor_timer(chan);
e90bac06 1629
525cd185 1630 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
6be36555 1631 l2cap_chan_unlock(chan);
8d7e1c7f 1632 l2cap_chan_put(chan);
e90bac06
GP		 1633}
1634
721c4181 1635static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1636{
721c4181
GP		 1637 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1638 retrans_timer.work);
e90bac06 1639
49208c9c 1640 BT_DBG("chan %p", chan);
0e98958d 1641
6be36555
AE		 1642 l2cap_chan_lock(chan);
1643
6a026610 1644 chan->retry_count = 1;
1a09bcb9 1645 __set_monitor_timer(chan);
e90bac06 1646
e2ab4353 1647 set_bit(CONN_WAIT_F, &chan->conn_state);
e90bac06 1648
525cd185 1649 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
6be36555
AE		 1650
1651 l2cap_chan_unlock(chan);
8d7e1c7f 1652 l2cap_chan_put(chan);
e90bac06
GP		 1653}
1654
3733937d
MM		 1655static int l2cap_streaming_send(struct l2cap_chan *chan,
1656 struct sk_buff_head *skbs)
6840ed07 1657{
ccbb84af 1658 struct sk_buff *skb;
3733937d 1659 struct l2cap_ctrl *control;
6840ed07 1660
3733937d
MM		 1661 BT_DBG("chan %p, skbs %p", chan, skbs);
1662
1663 if (chan->state != BT_CONNECTED)
1664 return -ENOTCONN;
1665
1666 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1667
1668 while (!skb_queue_empty(&chan->tx_q)) {
1669
1670 skb = skb_dequeue(&chan->tx_q);
1671
1672 bt_cb(skb)->control.retries = 1;
1673 control = &bt_cb(skb)->control;
1674
1675 control->reqseq = 0;
1676 control->txseq = chan->next_tx_seq;
1677
1678 __pack_control(chan, control, skb);
6840ed07 1679
47d1ec61 1680 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1681 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1682 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1683 }
1684
4343478f 1685 l2cap_do_send(chan, skb);
6840ed07 1686
3733937d
MM		 1687 BT_DBG("Sent txseq %d", (int)control->txseq);
1688
836be934 1689 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1690 chan->frames_sent++;
6840ed07 1691 }
3733937d
MM		 1692
1693 return 0;
6840ed07
GP		 1694}
1695
67c9e840 1696static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1697{
1698 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1699 struct l2cap_ctrl *control;
1700 int sent = 0;
1701
1702 BT_DBG("chan %p", chan);
1c2acffb 1703
89bc500e 1704 if (chan->state != BT_CONNECTED)
c13ffa62 1705 return -ENOTCONN;
e90bac06 1706
94122bbe
MM		 1707 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1708 return 0;
1709
18a48e76
MM		 1710 while (chan->tx_send_head &&
1711 chan->unacked_frames < chan->remote_tx_win &&
1712 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1713
18a48e76 1714 skb = chan->tx_send_head;
e90bac06 1715
18a48e76
MM		 1716 bt_cb(skb)->control.retries = 1;
1717 control = &bt_cb(skb)->control;
95ffa978 1718
e2ab4353 1719 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1720 control->final = 1;
e2ab4353 1721
18a48e76
MM		 1722 control->reqseq = chan->buffer_seq;
1723 chan->last_acked_seq = chan->buffer_seq;
1724 control->txseq = chan->next_tx_seq;
1c2acffb 1725
18a48e76 1726 __pack_control(chan, control, skb);
e90bac06 1727
47d1ec61 1728 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1729 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1730 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1731 }
1732
18a48e76
MM		 1733 /* Clone after data has been modified. Data is assumed to be
1734 read-only (for locking purposes) on cloned sk_buffs.
1735 */
1736 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1737
18a48e76
MM		 1738 if (!tx_skb)
1739 break;
1c2acffb 1740
18a48e76 1741 __set_retrans_timer(chan);
836be934
AE		 1742
1743 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1744 chan->unacked_frames++;
6a026610 1745 chan->frames_sent++;
18a48e76 1746 sent++;
1c2acffb 1747
58d35f87
GP		 1748 if (skb_queue_is_last(&chan->tx_q, skb))
1749 chan->tx_send_head = NULL;
1c2acffb 1750 else
58d35f87 1751 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1752
1753 l2cap_do_send(chan, tx_skb);
1754 BT_DBG("Sent txseq %d", (int)control->txseq);
1c2acffb
GP		 1755 }
1756
18a48e76
MM		 1757 BT_DBG("Sent %d, %d unacked, %d in ERTM queue", sent,
1758 (int) chan->unacked_frames, skb_queue_len(&chan->tx_q));
1759
1760 return sent;
9e917af1
GP		 1761}
1762
525cd185 1763static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1764{
dfc909be
GP		 1765 int ret;
1766
58d35f87
GP		 1767 if (!skb_queue_empty(&chan->tx_q))
1768 chan->tx_send_head = chan->tx_q.next;
dfc909be 1769
42e5c802 1770 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1771 ret = l2cap_ertm_send(chan);
dfc909be
GP		 1772 return ret;
1773}
1774
0a0aba42 1775static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1776{
0a0aba42
MM		 1777 struct l2cap_ctrl control;
1778 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
1779 chan->last_acked_seq);
1780 int threshold;
9e917af1 1781
0a0aba42
MM		 1782 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
1783 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 1784
0a0aba42
MM		 1785 memset(&control, 0, sizeof(control));
1786 control.sframe = 1;
dfc909be 1787
0a0aba42
MM		 1788 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
1789 chan->rx_state == L2CAP_RX_STATE_RECV) {
1790 __clear_ack_timer(chan);
1791 control.super = L2CAP_SUPER_RNR;
1792 control.reqseq = chan->buffer_seq;
1793 l2cap_send_sframe(chan, &control);
1794 } else {
1795 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
1796 l2cap_ertm_send(chan);
1797 /* If any i-frames were sent, they included an ack */
1798 if (chan->buffer_seq == chan->last_acked_seq)
1799 frames_to_ack = 0;
1800 }
dfc909be 1801
0a0aba42
MM		 1802 /* Ack now if the tx window is 3/4ths full.
1803 * Calculate without mul or div
1804 */
1805 threshold = chan->tx_win;
1806 threshold += threshold << 1;
1807 threshold >>= 2;
1808
1809 BT_DBG("frames_to_ack %d, threshold %d", (int)frames_to_ack,
1810 threshold);
1811
1812 if (frames_to_ack >= threshold) {
1813 __clear_ack_timer(chan);
1814 control.super = L2CAP_SUPER_RR;
1815 control.reqseq = chan->buffer_seq;
1816 l2cap_send_sframe(chan, &control);
1817 frames_to_ack = 0;
1818 }
1c2acffb 1819
0a0aba42
MM		 1820 if (frames_to_ack)
1821 __set_ack_timer(chan);
1822 }
b17e73bb
SJ		 1823}
1824
04124681
GP		 1825static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
1826 struct msghdr *msg, int len,
1827 int count, struct sk_buff *skb)
1c2acffb 1828{
0952a57a 1829 struct l2cap_conn *conn = chan->conn;
1c2acffb 1830 struct sk_buff **frag;
90338947 1831 int sent = 0;
1da177e4 1832
59203a21 1833 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1834 return -EFAULT;
1da177e4
LT		 1835
1836 sent += count;
1837 len -= count;
1838
1839 /* Continuation fragments (no L2CAP header) */
1840 frag = &skb_shinfo(skb)->frag_list;
1841 while (len) {
fbe00700
GP		 1842 struct sk_buff *tmp;
1843
1da177e4
LT		 1844 count = min_t(unsigned int, conn->mtu, len);
1845
fbe00700
GP		 1846 tmp = chan->ops->alloc_skb(chan, count,
1847 msg->msg_flags & MSG_DONTWAIT);
1848 if (IS_ERR(tmp))
1849 return PTR_ERR(tmp);
1850
1851 *frag = tmp;
2f7719ce 1852
1c2acffb
GP		 1853 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1854 return -EFAULT;
1da177e4 1855
5e59b791
LAD		 1856 (*frag)->priority = skb->priority;
1857
1da177e4
LT		 1858 sent += count;
1859 len -= count;
1860
2d0ed3d5
GP		 1861 skb->len += (*frag)->len;
1862 skb->data_len += (*frag)->len;
1863
1da177e4
LT		 1864 frag = &(*frag)->next;
1865 }
1da177e4
LT		 1866
1867 return sent;
1c2acffb 1868}
1da177e4 1869
5e59b791
LAD		 1870static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
1871 struct msghdr *msg, size_t len,
1872 u32 priority)
1c2acffb 1873{
8c1d787b 1874 struct l2cap_conn *conn = chan->conn;
1c2acffb 1875 struct sk_buff *skb;
03a51213 1876 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 1877 struct l2cap_hdr *lh;
1878
6d5922b0 1879 BT_DBG("chan %p len %d priority %u", chan, (int)len, priority);
1c2acffb
GP		 1880
1881 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1882
1883 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 1884 msg->msg_flags & MSG_DONTWAIT);
1885 if (IS_ERR(skb))
1886 return skb;
1c2acffb 1887
5e59b791
LAD		 1888 skb->priority = priority;
1889
1c2acffb
GP		 1890 /* Create L2CAP header */
1891 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1892 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 1893 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
1894 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 1895
0952a57a 1896 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1897 if (unlikely(err < 0)) {
1898 kfree_skb(skb);
1899 return ERR_PTR(err);
1900 }
1901 return skb;
1902}
1903
5e59b791
LAD		 1904static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
1905 struct msghdr *msg, size_t len,
1906 u32 priority)
1c2acffb 1907{
8c1d787b 1908 struct l2cap_conn *conn = chan->conn;
1c2acffb 1909 struct sk_buff *skb;
f2ba7fae 1910 int err, count;
1c2acffb
GP		 1911 struct l2cap_hdr *lh;
1912
6d5922b0 1913 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 1914
f2ba7fae 1915 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 1916
f2ba7fae 1917 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 1918 msg->msg_flags & MSG_DONTWAIT);
1919 if (IS_ERR(skb))
1920 return skb;
1c2acffb 1921
5e59b791
LAD		 1922 skb->priority = priority;
1923
1c2acffb
GP		 1924 /* Create L2CAP header */
1925 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1926 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 1927 lh->len = cpu_to_le16(len);
1c2acffb 1928
0952a57a 1929 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1930 if (unlikely(err < 0)) {
1931 kfree_skb(skb);
1932 return ERR_PTR(err);
1933 }
1934 return skb;
1935}
1936
ab0ff76d
LAD		 1937static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
1938 struct msghdr *msg, size_t len,
94122bbe 1939 u16 sdulen)
1c2acffb 1940{
8c1d787b 1941 struct l2cap_conn *conn = chan->conn;
1c2acffb 1942 struct sk_buff *skb;
e4ca6d98 1943 int err, count, hlen;
1c2acffb
GP		 1944 struct l2cap_hdr *lh;
1945
6d5922b0 1946 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 1947
0ee0d208
GP		 1948 if (!conn)
1949 return ERR_PTR(-ENOTCONN);
1950
e4ca6d98
AE		 1951 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1952 hlen = L2CAP_EXT_HDR_SIZE;
1953 else
1954 hlen = L2CAP_ENH_HDR_SIZE;
1955
c74e560c 1956 if (sdulen)
03a51213 1957 hlen += L2CAP_SDULEN_SIZE;
c74e560c 1958
47d1ec61 1959 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1960 hlen += L2CAP_FCS_SIZE;
fcc203c3 1961
1c2acffb 1962 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1963
1964 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 1965 msg->msg_flags & MSG_DONTWAIT);
1966 if (IS_ERR(skb))
1967 return skb;
1c2acffb
GP		 1968
1969 /* Create L2CAP header */
1970 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1971 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1972 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 1973
18a48e76
MM		 1974 /* Control header is populated later */
1975 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1976 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1977 else
1978 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 1979
c74e560c 1980 if (sdulen)
03a51213 1981 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 1982
0952a57a 1983 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1984 if (unlikely(err < 0)) {
1985 kfree_skb(skb);
1986 return ERR_PTR(err);
1987 }
e90bac06 1988
18a48e76 1989 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 1990 bt_cb(skb)->control.retries = 0;
1c2acffb 1991 return skb;
1da177e4
LT		 1992}
1993
94122bbe
MM		 1994static int l2cap_segment_sdu(struct l2cap_chan *chan,
1995 struct sk_buff_head *seg_queue,
1996 struct msghdr *msg, size_t len)
c74e560c 1997{
c74e560c 1998 struct sk_buff *skb;
94122bbe
MM		 1999 u16 sdu_len;
2000 size_t pdu_len;
2001 int err = 0;
2002 u8 sar;
c74e560c 2003
94122bbe 2004 BT_DBG("chan %p, msg %p, len %d", chan, msg, (int)len);
c74e560c 2005
94122bbe
MM		 2006 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2007 * so fragmented skbs are not used. The HCI layer's handling
2008 * of fragmented skbs is not compatible with ERTM's queueing.
2009 */
c74e560c 2010
94122bbe
MM		 2011 /* PDU size is derived from the HCI MTU */
2012 pdu_len = chan->conn->mtu;
c74e560c 2013
94122bbe
MM		 2014 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2015
2016 /* Adjust for largest possible L2CAP overhead. */
2017 pdu_len -= L2CAP_EXT_HDR_SIZE + L2CAP_FCS_SIZE;
2018
2019 /* Remote device may have requested smaller PDUs */
2020 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2021
2022 if (len <= pdu_len) {
2023 sar = L2CAP_SAR_UNSEGMENTED;
2024 sdu_len = 0;
2025 pdu_len = len;
2026 } else {
2027 sar = L2CAP_SAR_START;
2028 sdu_len = len;
2029 pdu_len -= L2CAP_SDULEN_SIZE;
2030 }
2031
2032 while (len > 0) {
2033 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2034
c74e560c 2035 if (IS_ERR(skb)) {
94122bbe 2036 __skb_queue_purge(seg_queue);
c74e560c
GP		 2037 return PTR_ERR(skb);
2038 }
2039
94122bbe
MM		 2040 bt_cb(skb)->control.sar = sar;
2041 __skb_queue_tail(seg_queue, skb);
2042
2043 len -= pdu_len;
2044 if (sdu_len) {
2045 sdu_len = 0;
2046 pdu_len += L2CAP_SDULEN_SIZE;
2047 }
2048
2049 if (len <= pdu_len) {
2050 sar = L2CAP_SAR_END;
2051 pdu_len = len;
2052 } else {
2053 sar = L2CAP_SAR_CONTINUE;
2054 }
c74e560c 2055 }
c74e560c 2056
94122bbe 2057 return err;
c74e560c
GP		 2058}
2059
5e59b791
LAD		 2060int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2061 u32 priority)
9a91a04a 2062{
9a91a04a 2063 struct sk_buff *skb;
9a91a04a 2064 int err;
94122bbe 2065 struct sk_buff_head seg_queue;
9a91a04a
GP		 2066
2067 /* Connectionless channel */
715ec005 2068 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2069 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2070 if (IS_ERR(skb))
2071 return PTR_ERR(skb);
2072
2073 l2cap_do_send(chan, skb);
2074 return len;
2075 }
2076
2077 switch (chan->mode) {
2078 case L2CAP_MODE_BASIC:
2079 /* Check outgoing MTU */
2080 if (len > chan->omtu)
2081 return -EMSGSIZE;
2082
2083 /* Create a basic PDU */
5e59b791 2084 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2085 if (IS_ERR(skb))
2086 return PTR_ERR(skb);
2087
2088 l2cap_do_send(chan, skb);
2089 err = len;
2090 break;
2091
2092 case L2CAP_MODE_ERTM:
2093 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2094 /* Check outgoing MTU */
2095 if (len > chan->omtu) {
2096 err = -EMSGSIZE;
2097 break;
2098 }
9a91a04a 2099
94122bbe 2100 __skb_queue_head_init(&seg_queue);
9a91a04a 2101
94122bbe
MM		 2102 /* Do segmentation before calling in to the state machine,
2103 * since it's possible to block while waiting for memory
2104 * allocation.
2105 */
2106 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2107
94122bbe
MM		 2108 /* The channel could have been closed while segmenting,
2109 * check that it is still connected.
2110 */
2111 if (chan->state != BT_CONNECTED) {
2112 __skb_queue_purge(&seg_queue);
2113 err = -ENOTCONN;
9a91a04a
GP		 2114 }
2115
94122bbe 2116 if (err)
9a91a04a 2117 break;
9a91a04a 2118
3733937d 2119 if (chan->mode == L2CAP_MODE_ERTM)
608bcc6d
MM		 2120 err = l2cap_tx(chan, 0, &seg_queue,
2121 L2CAP_EV_DATA_REQUEST);
3733937d
MM		 2122 else
2123 err = l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2124
608bcc6d 2125 if (!err)
9a91a04a
GP		 2126 err = len;
2127
94122bbe
MM		 2128 /* If the skbs were not queued for sending, they'll still be in
2129 * seg_queue and need to be purged.
2130 */
2131 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2132 break;
2133
2134 default:
2135 BT_DBG("bad state %1.1x", chan->mode);
2136 err = -EBADFD;
2137 }
2138
2139 return err;
2140}
2141
608bcc6d
MM		 2142static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2143{
2144 struct sk_buff *acked_skb;
2145 u16 ackseq;
2146
2147 BT_DBG("chan %p, reqseq %d", chan, reqseq);
2148
2149 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2150 return;
2151
2152 BT_DBG("expected_ack_seq %d, unacked_frames %d",
2153 chan->expected_ack_seq, chan->unacked_frames);
2154
2155 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2156 ackseq = __next_seq(chan, ackseq)) {
2157
2158 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2159 if (acked_skb) {
2160 skb_unlink(acked_skb, &chan->tx_q);
2161 kfree_skb(acked_skb);
2162 chan->unacked_frames--;
2163 }
2164 }
2165
2166 chan->expected_ack_seq = reqseq;
2167
2168 if (chan->unacked_frames == 0)
2169 __clear_retrans_timer(chan);
2170
2171 BT_DBG("unacked_frames %d", (int) chan->unacked_frames);
2172}
2173
2174static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2175{
2176 BT_DBG("chan %p", chan);
2177
2178 chan->expected_tx_seq = chan->buffer_seq;
2179 l2cap_seq_list_clear(&chan->srej_list);
2180 skb_queue_purge(&chan->srej_q);
2181 chan->rx_state = L2CAP_RX_STATE_RECV;
2182}
2183
2184static int l2cap_tx_state_xmit(struct l2cap_chan *chan,
2185 struct l2cap_ctrl *control,
2186 struct sk_buff_head *skbs, u8 event)
2187{
2188 int err = 0;
2189
2190 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2191 event);
2192
2193 switch (event) {
2194 case L2CAP_EV_DATA_REQUEST:
2195 if (chan->tx_send_head == NULL)
2196 chan->tx_send_head = skb_peek(skbs);
2197
2198 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2199 l2cap_ertm_send(chan);
2200 break;
2201 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2202 BT_DBG("Enter LOCAL_BUSY");
2203 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2204
2205 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2206 /* The SREJ_SENT state must be aborted if we are to
2207 * enter the LOCAL_BUSY state.
2208 */
2209 l2cap_abort_rx_srej_sent(chan);
2210 }
2211
2212 l2cap_send_ack(chan);
2213
2214 break;
2215 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2216 BT_DBG("Exit LOCAL_BUSY");
2217 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2218
2219 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2220 struct l2cap_ctrl local_control;
2221
2222 memset(&local_control, 0, sizeof(local_control));
2223 local_control.sframe = 1;
2224 local_control.super = L2CAP_SUPER_RR;
2225 local_control.poll = 1;
2226 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2227 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2228
2229 chan->retry_count = 1;
2230 __set_monitor_timer(chan);
2231 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2232 }
2233 break;
2234 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2235 l2cap_process_reqseq(chan, control->reqseq);
2236 break;
2237 case L2CAP_EV_EXPLICIT_POLL:
2238 l2cap_send_rr_or_rnr(chan, 1);
2239 chan->retry_count = 1;
2240 __set_monitor_timer(chan);
2241 __clear_ack_timer(chan);
2242 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2243 break;
2244 case L2CAP_EV_RETRANS_TO:
2245 l2cap_send_rr_or_rnr(chan, 1);
2246 chan->retry_count = 1;
2247 __set_monitor_timer(chan);
2248 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2249 break;
2250 case L2CAP_EV_RECV_FBIT:
2251 /* Nothing to process */
2252 break;
2253 default:
2254 break;
2255 }
2256
2257 return err;
2258}
2259
2260static int l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2261 struct l2cap_ctrl *control,
2262 struct sk_buff_head *skbs, u8 event)
2263{
2264 int err = 0;
2265
2266 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2267 event);
2268
2269 switch (event) {
2270 case L2CAP_EV_DATA_REQUEST:
2271 if (chan->tx_send_head == NULL)
2272 chan->tx_send_head = skb_peek(skbs);
2273 /* Queue data, but don't send. */
2274 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2275 break;
2276 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2277 BT_DBG("Enter LOCAL_BUSY");
2278 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2279
2280 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2281 /* The SREJ_SENT state must be aborted if we are to
2282 * enter the LOCAL_BUSY state.
2283 */
2284 l2cap_abort_rx_srej_sent(chan);
2285 }
2286
2287 l2cap_send_ack(chan);
2288
2289 break;
2290 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2291 BT_DBG("Exit LOCAL_BUSY");
2292 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2293
2294 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2295 struct l2cap_ctrl local_control;
2296 memset(&local_control, 0, sizeof(local_control));
2297 local_control.sframe = 1;
2298 local_control.super = L2CAP_SUPER_RR;
2299 local_control.poll = 1;
2300 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2301 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2302
2303 chan->retry_count = 1;
2304 __set_monitor_timer(chan);
2305 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2306 }
2307 break;
2308 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2309 l2cap_process_reqseq(chan, control->reqseq);
2310
2311 /* Fall through */
2312
2313 case L2CAP_EV_RECV_FBIT:
2314 if (control && control->final) {
2315 __clear_monitor_timer(chan);
2316 if (chan->unacked_frames > 0)
2317 __set_retrans_timer(chan);
2318 chan->retry_count = 0;
2319 chan->tx_state = L2CAP_TX_STATE_XMIT;
2320 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2321 }
2322 break;
2323 case L2CAP_EV_EXPLICIT_POLL:
2324 /* Ignore */
2325 break;
2326 case L2CAP_EV_MONITOR_TO:
2327 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2328 l2cap_send_rr_or_rnr(chan, 1);
2329 __set_monitor_timer(chan);
2330 chan->retry_count++;
2331 } else {
2332 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
2333 }
2334 break;
2335 default:
2336 break;
2337 }
2338
2339 return err;
2340}
2341
2342static int l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2343 struct sk_buff_head *skbs, u8 event)
2344{
2345 int err = 0;
2346
2347 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2348 chan, control, skbs, event, chan->tx_state);
2349
2350 switch (chan->tx_state) {
2351 case L2CAP_TX_STATE_XMIT:
2352 err = l2cap_tx_state_xmit(chan, control, skbs, event);
2353 break;
2354 case L2CAP_TX_STATE_WAIT_F:
2355 err = l2cap_tx_state_wait_f(chan, control, skbs, event);
2356 break;
2357 default:
2358 /* Ignore event */
2359 break;
2360 }
2361
2362 return err;
2363}
2364
4b51dae9
MM		 2365static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2366 struct l2cap_ctrl *control)
2367{
2368 BT_DBG("chan %p, control %p", chan, control);
2369 l2cap_tx(chan, control, 0, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
2370}
2371
1da177e4
LT		 2372/* Copy frame to all raw sockets on that connection */
2373static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2374{
1da177e4 2375 struct sk_buff *nskb;
48454079 2376 struct l2cap_chan *chan;
1da177e4
LT		 2377
2378 BT_DBG("conn %p", conn);
2379
3df91ea2 2380 mutex_lock(&conn->chan_lock);
3d57dc68 2381
3df91ea2 2382 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2383 struct sock *sk = chan->sk;
715ec005 2384 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2385 continue;
2386
2387 /* Don't send frame to the socket it came from */
2388 if (skb->sk == sk)
2389 continue;
af05b30b
GP		 2390 nskb = skb_clone(skb, GFP_ATOMIC);
2391 if (!nskb)
1da177e4
LT		 2392 continue;
2393
23070494 2394 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT		 2395 kfree_skb(nskb);
2396 }
3d57dc68 2397
3df91ea2 2398 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2399}
2400
2401/* ---- L2CAP signalling commands ---- */
2402static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2403 u8 code, u8 ident, u16 dlen, void *data)
2404{
2405 struct sk_buff *skb, **frag;
2406 struct l2cap_cmd_hdr *cmd;
2407 struct l2cap_hdr *lh;
2408 int len, count;
2409
af05b30b
GP		 2410 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2411 conn, code, ident, dlen);
1da177e4
LT		 2412
2413 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2414 count = min_t(unsigned int, conn->mtu, len);
2415
2416 skb = bt_skb_alloc(count, GFP_ATOMIC);
2417 if (!skb)
2418 return NULL;
2419
2420 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2421 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2422
2423 if (conn->hcon->type == LE_LINK)
2424 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2425 else
2426 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2427
2428 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2429 cmd->code = code;
2430 cmd->ident = ident;
aca3192c 2431 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2432
2433 if (dlen) {
2434 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2435 memcpy(skb_put(skb, count), data, count);
2436 data += count;
2437 }
2438
2439 len -= skb->len;
2440
2441 /* Continuation fragments (no L2CAP header) */
2442 frag = &skb_shinfo(skb)->frag_list;
2443 while (len) {
2444 count = min_t(unsigned int, conn->mtu, len);
2445
2446 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2447 if (!*frag)
2448 goto fail;
2449
2450 memcpy(skb_put(*frag, count), data, count);
2451
2452 len -= count;
2453 data += count;
2454
2455 frag = &(*frag)->next;
2456 }
2457
2458 return skb;
2459
2460fail:
2461 kfree_skb(skb);
2462 return NULL;
2463}
2464
2465static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2466{
2467 struct l2cap_conf_opt *opt = *ptr;
2468 int len;
2469
2470 len = L2CAP_CONF_OPT_SIZE + opt->len;
2471 *ptr += len;
2472
2473 *type = opt->type;
2474 *olen = opt->len;
2475
2476 switch (opt->len) {
2477 case 1:
2478 *val = *((u8 *) opt->val);
2479 break;
2480
2481 case 2:
bfaaeb3e 2482 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2483 break;
2484
2485 case 4:
bfaaeb3e 2486 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2487 break;
2488
2489 default:
2490 *val = (unsigned long) opt->val;
2491 break;
2492 }
2493
2494 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2495 return len;
2496}
2497
1da177e4
LT		 2498static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2499{
2500 struct l2cap_conf_opt *opt = *ptr;
2501
2502 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2503
2504 opt->type = type;
2505 opt->len = len;
2506
2507 switch (len) {
2508 case 1:
2509 *((u8 *) opt->val) = val;
2510 break;
2511
2512 case 2:
4f8b691c 2513 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2514 break;
2515
2516 case 4:
4f8b691c 2517 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2518 break;
2519
2520 default:
2521 memcpy(opt->val, (void *) val, len);
2522 break;
2523 }
2524
2525 *ptr += L2CAP_CONF_OPT_SIZE + len;
2526}
2527
f89cef09
AE		 2528static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2529{
2530 struct l2cap_conf_efs efs;
2531
1ec918ce 2532 switch (chan->mode) {
f89cef09
AE		 2533 case L2CAP_MODE_ERTM:
2534 efs.id = chan->local_id;
2535 efs.stype = chan->local_stype;
2536 efs.msdu = cpu_to_le16(chan->local_msdu);
2537 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2538 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2539 efs.flush_to = cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
2540 break;
2541
2542 case L2CAP_MODE_STREAMING:
2543 efs.id = 1;
2544 efs.stype = L2CAP_SERV_BESTEFFORT;
2545 efs.msdu = cpu_to_le16(chan->local_msdu);
2546 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2547 efs.acc_lat = 0;
2548 efs.flush_to = 0;
2549 break;
2550
2551 default:
2552 return;
2553 }
2554
2555 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
2556 (unsigned long) &efs);
2557}
2558
721c4181 2559static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2560{
721c4181
GP		 2561 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2562 ack_timer.work);
c1b4f43b 2563
2fb9b3d4
GP		 2564 BT_DBG("chan %p", chan);
2565
6be36555
AE		 2566 l2cap_chan_lock(chan);
2567
0a0aba42 2568 l2cap_send_ack(chan);
6be36555
AE		 2569
2570 l2cap_chan_unlock(chan);
09bfb2ee
SJ		 2571
2572 l2cap_chan_put(chan);
c1b4f43b
GP		 2573}
2574
3c588192 2575static inline int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2576{
3c588192
MM		 2577 int err;
2578
105bdf9e
MM		 2579 chan->next_tx_seq = 0;
2580 chan->expected_tx_seq = 0;
42e5c802 2581 chan->expected_ack_seq = 0;
6a026610 2582 chan->unacked_frames = 0;
42e5c802 2583 chan->buffer_seq = 0;
6a026610 2584 chan->frames_sent = 0;
105bdf9e
MM		 2585 chan->last_acked_seq = 0;
2586 chan->sdu = NULL;
2587 chan->sdu_last_frag = NULL;
2588 chan->sdu_len = 0;
2589
d34c34fb
MM		 2590 skb_queue_head_init(&chan->tx_q);
2591
105bdf9e
MM		 2592 if (chan->mode != L2CAP_MODE_ERTM)
2593 return 0;
2594
2595 chan->rx_state = L2CAP_RX_STATE_RECV;
2596 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2597
721c4181
GP		 2598 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2599 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2600 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2601
f1c6775b 2602 skb_queue_head_init(&chan->srej_q);
1890d36b 2603
3c588192
MM		 2604 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2605 if (err < 0)
2606 return err;
2607
9dc9affc
MM		 2608 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
2609 if (err < 0)
2610 l2cap_seq_list_free(&chan->srej_list);
2611
2612 return err;
0565c1c2
GP		 2613}
2614
f2fcfcd6
GP		 2615static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2616{
2617 switch (mode) {
2618 case L2CAP_MODE_STREAMING:
2619 case L2CAP_MODE_ERTM:
2620 if (l2cap_mode_supported(mode, remote_feat_mask))
2621 return mode;
2622 /* fall through */
2623 default:
2624 return L2CAP_MODE_BASIC;
2625 }
2626}
2627
6327eb98
AE		 2628static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2629{
2630 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2631}
2632
f89cef09
AE		 2633static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2634{
2635 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2636}
2637
6327eb98
AE		 2638static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2639{
2640 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 2641 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2642 /* use extended control field */
2643 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2644 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2645 } else {
6327eb98
AE		 2646 chan->tx_win = min_t(u16, chan->tx_win,
2647 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2648 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2649 }
6327eb98
AE		 2650}
2651
710f9b0a 2652static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2653{
1da177e4 2654 struct l2cap_conf_req *req = data;
0c1bc5c6 2655 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2656 void *ptr = req->data;
c8f79162 2657 u16 size;
1da177e4 2658
49208c9c 2659 BT_DBG("chan %p", chan);
1da177e4 2660
73ffa904 2661 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2662 goto done;
2663
0c1bc5c6 2664 switch (chan->mode) {
f2fcfcd6
GP		 2665 case L2CAP_MODE_STREAMING:
2666 case L2CAP_MODE_ERTM:
c1360a1c 2667 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2668 break;
85eb53c6 2669
f89cef09
AE		 2670 if (__l2cap_efs_supported(chan))
2671 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2672
2ba13ed6 2673 /* fall through */
f2fcfcd6 2674 default:
8c1d787b 2675 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2676 break;
2677 }
2678
2679done:
0c1bc5c6
GP		 2680 if (chan->imtu != L2CAP_DEFAULT_MTU)
2681 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2682
0c1bc5c6 2683 switch (chan->mode) {
65c7c491 2684 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2685 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2686 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2687 break;
2688
62547752
GP		 2689 rfc.mode = L2CAP_MODE_BASIC;
2690 rfc.txwin_size = 0;
2691 rfc.max_transmit = 0;
2692 rfc.retrans_timeout = 0;
2693 rfc.monitor_timeout = 0;
2694 rfc.max_pdu_size = 0;
2695
63406504
GP		 2696 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2697 (unsigned long) &rfc);
65c7c491
MH		 2698 break;
2699
2700 case L2CAP_MODE_ERTM:
2701 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2702 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2703 rfc.retrans_timeout = 0;
2704 rfc.monitor_timeout = 0;
c8f79162
AE		 2705
2706 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2707 L2CAP_EXT_HDR_SIZE -
2708 L2CAP_SDULEN_SIZE -
2709 L2CAP_FCS_SIZE);
2710 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2711
6327eb98
AE		 2712 l2cap_txwin_setup(chan);
2713
2714 rfc.txwin_size = min_t(u16, chan->tx_win,
2715 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2716
63406504
GP		 2717 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2718 (unsigned long) &rfc);
2719
f89cef09
AE		 2720 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2721 l2cap_add_opt_efs(&ptr, chan);
2722
8c1d787b 2723 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2724 break;
2725
47d1ec61 2726 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2727 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2728 chan->fcs = L2CAP_FCS_NONE;
2729 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2730 }
6327eb98
AE		 2731
2732 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2733 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2734 chan->tx_win);
f2fcfcd6
GP		 2735 break;
2736
2737 case L2CAP_MODE_STREAMING:
2738 rfc.mode = L2CAP_MODE_STREAMING;
2739 rfc.txwin_size = 0;
2740 rfc.max_transmit = 0;
2741 rfc.retrans_timeout = 0;
2742 rfc.monitor_timeout = 0;
c8f79162
AE		 2743
2744 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2745 L2CAP_EXT_HDR_SIZE -
2746 L2CAP_SDULEN_SIZE -
2747 L2CAP_FCS_SIZE);
2748 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2749
63406504
GP		 2750 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2751 (unsigned long) &rfc);
2752
f89cef09
AE		 2753 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2754 l2cap_add_opt_efs(&ptr, chan);
2755
8c1d787b 2756 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2757 break;
2758
47d1ec61 2759 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2760 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2761 chan->fcs = L2CAP_FCS_NONE;
2762 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2763 }
65c7c491
MH		 2764 break;
2765 }
1da177e4 2766
fe4128e0 2767 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 2768 req->flags = cpu_to_le16(0);
1da177e4
LT		 2769
2770 return ptr - data;
2771}
2772
73ffa904 2773static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2774{
5dee9e7c
MH		 2775 struct l2cap_conf_rsp *rsp = data;
2776 void *ptr = rsp->data;
73ffa904
GP		 2777 void *req = chan->conf_req;
2778 int len = chan->conf_len;
5dee9e7c
MH		 2779 int type, hint, olen;
2780 unsigned long val;
6464f35f 2781 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2782 struct l2cap_conf_efs efs;
2783 u8 remote_efs = 0;
861d6882 2784 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2785 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2786 u16 size;
1da177e4 2787
73ffa904 2788 BT_DBG("chan %p", chan);
820ae1b8 2789
5dee9e7c
MH		 2790 while (len >= L2CAP_CONF_OPT_SIZE) {
2791 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2792
589d2746 2793 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2794 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2795
2796 switch (type) {
2797 case L2CAP_CONF_MTU:
861d6882 2798 mtu = val;
5dee9e7c
MH		 2799 break;
2800
2801 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2802 chan->flush_to = val;
5dee9e7c
MH		 2803 break;
2804
2805 case L2CAP_CONF_QOS:
2806 break;
2807
6464f35f
MH		 2808 case L2CAP_CONF_RFC:
2809 if (olen == sizeof(rfc))
2810 memcpy(&rfc, (void *) val, olen);
2811 break;
2812
fcc203c3
GP		 2813 case L2CAP_CONF_FCS:
2814 if (val == L2CAP_FCS_NONE)
c1360a1c 2815 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 2816 break;
fcc203c3 2817
42dceae2
AE		 2818 case L2CAP_CONF_EFS:
2819 remote_efs = 1;
2820 if (olen == sizeof(efs))
2821 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 2822 break;
2823
6327eb98
AE		 2824 case L2CAP_CONF_EWS:
2825 if (!enable_hs)
2826 return -ECONNREFUSED;
fcc203c3 2827
6327eb98
AE		 2828 set_bit(FLAG_EXT_CTRL, &chan->flags);
2829 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 2830 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 2831 chan->remote_tx_win = val;
fcc203c3
GP		 2832 break;
2833
5dee9e7c
MH		 2834 default:
2835 if (hint)
2836 break;
2837
2838 result = L2CAP_CONF_UNKNOWN;
2839 *((u8 *) ptr++) = type;
2840 break;
2841 }
2842 }
2843
73ffa904 2844 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2845 goto done;
2846
0c1bc5c6 2847 switch (chan->mode) {
f2fcfcd6
GP		 2848 case L2CAP_MODE_STREAMING:
2849 case L2CAP_MODE_ERTM:
c1360a1c 2850 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2851 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2852 chan->conn->feat_mask);
85eb53c6
GP		 2853 break;
2854 }
2855
42dceae2
AE		 2856 if (remote_efs) {
2857 if (__l2cap_efs_supported(chan))
2858 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2859 else
2860 return -ECONNREFUSED;
2861 }
2862
0c1bc5c6 2863 if (chan->mode != rfc.mode)
f2fcfcd6 2864 return -ECONNREFUSED;
742e519b 2865
f2fcfcd6 2866 break;
f2fcfcd6
GP		 2867 }
2868
2869done:
0c1bc5c6 2870 if (chan->mode != rfc.mode) {
f2fcfcd6 2871 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2872 rfc.mode = chan->mode;
f2fcfcd6 2873
73ffa904 2874 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2875 return -ECONNREFUSED;
2876
2877 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2878 sizeof(rfc), (unsigned long) &rfc);
2879 }
2880
5dee9e7c
MH		 2881 if (result == L2CAP_CONF_SUCCESS) {
2882 /* Configure output options and let the other side know
2883 * which ones we don't like. */
2884
f2fcfcd6
GP		 2885 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2886 result = L2CAP_CONF_UNACCEPT;
2887 else {
0c1bc5c6 2888 chan->omtu = mtu;
c1360a1c 2889 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 2890 }
0c1bc5c6 2891 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2892
42dceae2
AE		 2893 if (remote_efs) {
2894 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2895 efs.stype != L2CAP_SERV_NOTRAFIC &&
2896 efs.stype != chan->local_stype) {
2897
2898 result = L2CAP_CONF_UNACCEPT;
2899
2900 if (chan->num_conf_req >= 1)
2901 return -ECONNREFUSED;
2902
2903 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 2904 sizeof(efs),
42dceae2 2905 (unsigned long) &efs);
0e8b207e 2906 } else {
3e6b3b95 2907 /* Send PENDING Conf Rsp */
0e8b207e
AE		 2908 result = L2CAP_CONF_PENDING;
2909 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 2910 }
2911 }
2912
f2fcfcd6
GP		 2913 switch (rfc.mode) {
2914 case L2CAP_MODE_BASIC:
47d1ec61 2915 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2916 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 2917 break;
2918
2919 case L2CAP_MODE_ERTM:
6327eb98
AE		 2920 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
2921 chan->remote_tx_win = rfc.txwin_size;
2922 else
2923 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 2924
2c03a7a4 2925 chan->remote_max_tx = rfc.max_transmit;
1c762159 2926
c8f79162
AE		 2927 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2928 chan->conn->mtu -
2929 L2CAP_EXT_HDR_SIZE -
2930 L2CAP_SDULEN_SIZE -
2931 L2CAP_FCS_SIZE);
2932 rfc.max_pdu_size = cpu_to_le16(size);
2933 chan->remote_mps = size;
f2fcfcd6 2934
10467e9e 2935 rfc.retrans_timeout =
4fd21a88 2936 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
10467e9e 2937 rfc.monitor_timeout =
4fd21a88 2938 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2939
c1360a1c 2940 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2941
2942 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2943 sizeof(rfc), (unsigned long) &rfc);
2944
42dceae2
AE		 2945 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2946 chan->remote_id = efs.id;
2947 chan->remote_stype = efs.stype;
2948 chan->remote_msdu = le16_to_cpu(efs.msdu);
2949 chan->remote_flush_to =
2950 le32_to_cpu(efs.flush_to);
2951 chan->remote_acc_lat =
2952 le32_to_cpu(efs.acc_lat);
2953 chan->remote_sdu_itime =
2954 le32_to_cpu(efs.sdu_itime);
2955 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2956 sizeof(efs), (unsigned long) &efs);
2957 }
f2fcfcd6
GP		 2958 break;
2959
2960 case L2CAP_MODE_STREAMING:
c8f79162
AE		 2961 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2962 chan->conn->mtu -
2963 L2CAP_EXT_HDR_SIZE -
2964 L2CAP_SDULEN_SIZE -
2965 L2CAP_FCS_SIZE);
2966 rfc.max_pdu_size = cpu_to_le16(size);
2967 chan->remote_mps = size;
f2fcfcd6 2968
c1360a1c 2969 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2970
2971 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2972 sizeof(rfc), (unsigned long) &rfc);
2973
f2fcfcd6
GP		 2974 break;
2975
2976 default:
5dee9e7c 2977 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2978
6464f35f 2979 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2980 rfc.mode = chan->mode;
f2fcfcd6 2981 }
6464f35f 2982
f2fcfcd6 2983 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 2984 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 2985 }
fe4128e0 2986 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2987 rsp->result = cpu_to_le16(result);
2988 rsp->flags = cpu_to_le16(0x0000);
2989
2990 return ptr - data;
1da177e4
LT		 2991}
2992
b4450035 2993static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2994{
f2fcfcd6
GP		 2995 struct l2cap_conf_req *req = data;
2996 void *ptr = req->data;
2997 int type, olen;
2998 unsigned long val;
36e999a8 2999 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3000 struct l2cap_conf_efs efs;
f2fcfcd6 3001
fe4128e0 3002 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3003
3004 while (len >= L2CAP_CONF_OPT_SIZE) {
3005 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3006
3007 switch (type) {
3008 case L2CAP_CONF_MTU:
3009 if (val < L2CAP_DEFAULT_MIN_MTU) {
3010 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3011 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3012 } else
0c1bc5c6
GP		 3013 chan->imtu = val;
3014 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3015 break;
3016
3017 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3018 chan->flush_to = val;
f2fcfcd6 3019 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 3020 2, chan->flush_to);
f2fcfcd6
GP		 3021 break;
3022
3023 case L2CAP_CONF_RFC:
3024 if (olen == sizeof(rfc))
3025 memcpy(&rfc, (void *)val, olen);
3026
c1360a1c 3027 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 3028 rfc.mode != chan->mode)
f2fcfcd6
GP		 3029 return -ECONNREFUSED;
3030
47d1ec61 3031 chan->fcs = 0;
f2fcfcd6
GP		 3032
3033 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3034 sizeof(rfc), (unsigned long) &rfc);
3035 break;
6327eb98
AE		 3036
3037 case L2CAP_CONF_EWS:
3038 chan->tx_win = min_t(u16, val,
3039 L2CAP_DEFAULT_EXT_WINDOW);
3e6b3b95
GP		 3040 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3041 chan->tx_win);
6327eb98 3042 break;
66af7aaf
AE		 3043
3044 case L2CAP_CONF_EFS:
3045 if (olen == sizeof(efs))
3046 memcpy(&efs, (void *)val, olen);
3047
3048 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3049 efs.stype != L2CAP_SERV_NOTRAFIC &&
3050 efs.stype != chan->local_stype)
3051 return -ECONNREFUSED;
3052
3053 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3054 sizeof(efs), (unsigned long) &efs);
3055 break;
f2fcfcd6
GP		 3056 }
3057 }
3058
0c1bc5c6 3059 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3060 return -ECONNREFUSED;
3061
0c1bc5c6 3062 chan->mode = rfc.mode;
6c2ea7a8 3063
0e8b207e 3064 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3065 switch (rfc.mode) {
3066 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3067 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3068 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3069 chan->mps = le16_to_cpu(rfc.max_pdu_size);
66af7aaf
AE		 3070
3071 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3072 chan->local_msdu = le16_to_cpu(efs.msdu);
3073 chan->local_sdu_itime =
3074 le32_to_cpu(efs.sdu_itime);
3075 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3076 chan->local_flush_to =
3077 le32_to_cpu(efs.flush_to);
3078 }
f2fcfcd6 3079 break;
66af7aaf 3080
f2fcfcd6 3081 case L2CAP_MODE_STREAMING:
47d1ec61 3082 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3083 }
3084 }
3085
fe4128e0 3086 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 3087 req->flags = cpu_to_le16(0x0000);
3088
3089 return ptr - data;
3090}
3091
fe4128e0 3092static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 3093{
3094 struct l2cap_conf_rsp *rsp = data;
3095 void *ptr = rsp->data;
1da177e4 3096
fe4128e0 3097 BT_DBG("chan %p", chan);
1da177e4 3098
fe4128e0 3099 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3100 rsp->result = cpu_to_le16(result);
aca3192c 3101 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3102
3103 return ptr - data;
3104}
3105
8c1d787b 3106void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3107{
3108 struct l2cap_conn_rsp rsp;
8c1d787b 3109 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 3110 u8 buf[128];
3111
fe4128e0
GP		 3112 rsp.scid = cpu_to_le16(chan->dcid);
3113 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 3114 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3115 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3116 l2cap_send_cmd(conn, chan->ident,
3117 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
3118
c1360a1c 3119 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3120 return;
3121
710f9b0a
GP		 3122 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3123 l2cap_build_conf_req(chan, buf), buf);
3124 chan->num_conf_req++;
3125}
3126
47d1ec61 3127static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3128{
7b1c0049
GP		 3129 int type, olen;
3130 unsigned long val;
3131 struct l2cap_conf_rfc rfc;
3132
47d1ec61 3133 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3134
0c1bc5c6 3135 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3136 return;
3137
3138 while (len >= L2CAP_CONF_OPT_SIZE) {
3139 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3140
3141 switch (type) {
3142 case L2CAP_CONF_RFC:
3143 if (olen == sizeof(rfc))
3144 memcpy(&rfc, (void *)val, olen);
3145 goto done;
3146 }
3147 }
3148
36e999a8
MM		 3149 /* Use sane default values in case a misbehaving remote device
3150 * did not send an RFC option.
3151 */
3152 rfc.mode = chan->mode;
3153 rfc.retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3154 rfc.monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3155 rfc.max_pdu_size = cpu_to_le16(chan->imtu);
3156
3157 BT_ERR("Expected RFC option was not found, using defaults");
3158
7b1c0049
GP		 3159done:
3160 switch (rfc.mode) {
3161 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3162 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3163 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3164 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3165 break;
3166 case L2CAP_MODE_STREAMING:
47d1ec61 3167 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3168 }
3169}
3170
4e8402a3
MH		 3171static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3172{
e2fd318e 3173 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3174
e2fd318e 3175 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3176 return 0;
3177
3178 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3179 cmd->ident == conn->info_ident) {
17cd3f37 3180 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3181
3182 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3183 conn->info_ident = 0;
984947dc 3184
4e8402a3
MH		 3185 l2cap_conn_start(conn);
3186 }
3187
3188 return 0;
3189}
3190
1da177e4
LT		 3191static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3192{
1da177e4
LT		 3193 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3194 struct l2cap_conn_rsp rsp;
23691d75 3195 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3196 struct sock *parent, *sk = NULL;
e7c29cb1 3197 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3198
3199 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3200 __le16 psm = req->psm;
1da177e4 3201
097db76c 3202 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3203
3204 /* Check if we have socket listening on psm */
c2287681 3205 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3206 if (!pchan) {
1da177e4
LT		 3207 result = L2CAP_CR_BAD_PSM;
3208 goto sendresp;
3209 }
3210
23691d75
GP		 3211 parent = pchan->sk;
3212
3df91ea2 3213 mutex_lock(&conn->chan_lock);
aa2ac881 3214 lock_sock(parent);
e0f0cb56 3215
e7c29cb1
MH		 3216 /* Check if the ACL is secure enough (if not SDP) */
3217 if (psm != cpu_to_le16(0x0001) &&
3218 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3219 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3220 result = L2CAP_CR_SEC_BLOCK;
3221 goto response;
3222 }
3223
1da177e4
LT		 3224 result = L2CAP_CR_NO_MEM;
3225
3226 /* Check for backlog size */
3227 if (sk_acceptq_is_full(parent)) {
8e87d142 3228 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 3229 goto response;
3230 }
3231
80808e43
GP		 3232 chan = pchan->ops->new_connection(pchan->data);
3233 if (!chan)
1da177e4
LT		 3234 goto response;
3235
80808e43
GP		 3236 sk = chan->sk;
3237
1da177e4 3238 /* Check if we already have channel with that dcid */
baa7e1fa 3239 if (__l2cap_get_chan_by_dcid(conn, scid)) {
1da177e4 3240 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 3241 chan->ops->close(chan->data);
1da177e4
LT		 3242 goto response;
3243 }
3244
3245 hci_conn_hold(conn->hcon);
3246
1da177e4
LT		 3247 bacpy(&bt_sk(sk)->src, conn->src);
3248 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3249 chan->psm = psm;
3250 chan->dcid = scid;
1da177e4 3251
d1010240
GP		 3252 bt_accept_enqueue(parent, sk);
3253
6be36555 3254 __l2cap_chan_add(conn, chan);
48454079 3255
fe4128e0 3256 dcid = chan->scid;
1da177e4 3257
c9b66675 3258 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3259
fc7f8a7e 3260 chan->ident = cmd->ident;
1da177e4 3261
984947dc 3262 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3263 if (l2cap_chan_check_security(chan)) {
c5daa683 3264 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3265 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3266 result = L2CAP_CR_PEND;
3267 status = L2CAP_CS_AUTHOR_PEND;
3268 parent->sk_data_ready(parent, 0);
3269 } else {
0e587be7 3270 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 3271 result = L2CAP_CR_SUCCESS;
3272 status = L2CAP_CS_NO_INFO;
3273 }
79d554a6 3274 } else {
0e587be7 3275 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3276 result = L2CAP_CR_PEND;
3277 status = L2CAP_CS_AUTHEN_PEND;
3278 }
3279 } else {
0e587be7 3280 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3281 result = L2CAP_CR_PEND;
3282 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3283 }
3284
1da177e4 3285response:
aa2ac881 3286 release_sock(parent);
3df91ea2 3287 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3288
3289sendresp:
aca3192c
YH		 3290 rsp.scid = cpu_to_le16(scid);
3291 rsp.dcid = cpu_to_le16(dcid);
3292 rsp.result = cpu_to_le16(result);
3293 rsp.status = cpu_to_le16(status);
1da177e4 3294 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 3295
3296 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3297 struct l2cap_info_req info;
3298 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3299
3300 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3301 conn->info_ident = l2cap_get_ident(conn);
3302
ba13ccd9 3303 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 3304
3305 l2cap_send_cmd(conn, conn->info_ident,
3306 L2CAP_INFO_REQ, sizeof(info), &info);
3307 }
3308
c1360a1c 3309 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 3310 result == L2CAP_CR_SUCCESS) {
3311 u8 buf[128];
c1360a1c 3312 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3313 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3314 l2cap_build_conf_req(chan, buf), buf);
3315 chan->num_conf_req++;
e9aeb2dd
GP		 3316 }
3317
1da177e4
LT		 3318 return 0;
3319}
3320
3321static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3322{
3323 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3324 u16 scid, dcid, result, status;
48454079 3325 struct l2cap_chan *chan;
1da177e4 3326 u8 req[128];
3df91ea2 3327 int err;
1da177e4
LT		 3328
3329 scid = __le16_to_cpu(rsp->scid);
3330 dcid = __le16_to_cpu(rsp->dcid);
3331 result = __le16_to_cpu(rsp->result);
3332 status = __le16_to_cpu(rsp->status);
3333
1b009c98
AE		 3334 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3335 dcid, scid, result, status);
1da177e4 3336
3df91ea2
AE		 3337 mutex_lock(&conn->chan_lock);
3338
1da177e4 3339 if (scid) {
3df91ea2
AE		 3340 chan = __l2cap_get_chan_by_scid(conn, scid);
3341 if (!chan) {
3342 err = -EFAULT;
3343 goto unlock;
3344 }
1da177e4 3345 } else {
3df91ea2
AE		 3346 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3347 if (!chan) {
3348 err = -EFAULT;
3349 goto unlock;
3350 }
1da177e4
LT		 3351 }
3352
3df91ea2
AE		 3353 err = 0;
3354
6be36555 3355 l2cap_chan_lock(chan);
48454079 3356
1da177e4
LT		 3357 switch (result) {
3358 case L2CAP_CR_SUCCESS:
89bc500e 3359 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3360 chan->ident = 0;
fe4128e0 3361 chan->dcid = dcid;
c1360a1c 3362 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3363
c1360a1c 3364 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3365 break;
3366
1da177e4 3367 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3368 l2cap_build_conf_req(chan, req), req);
3369 chan->num_conf_req++;
1da177e4
LT		 3370 break;
3371
3372 case L2CAP_CR_PEND:
c1360a1c 3373 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3374 break;
3375
3376 default:
48454079 3377 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3378 break;
3379 }
3380
6be36555 3381 l2cap_chan_unlock(chan);
3df91ea2
AE		 3382
3383unlock:
3384 mutex_unlock(&conn->chan_lock);
3385
3386 return err;
1da177e4
LT		 3387}
3388
47d1ec61 3389static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3390{
3391 /* FCS is enabled only in ERTM or streaming mode, if one or both
3392 * sides request it.
3393 */
0c1bc5c6 3394 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3395 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3396 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3397 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3398}
3399
88219a0f 3400static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 3401{
3402 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3403 u16 dcid, flags;
3404 u8 rsp[64];
48454079 3405 struct l2cap_chan *chan;
3c588192 3406 int len, err = 0;
1da177e4
LT		 3407
3408 dcid = __le16_to_cpu(req->dcid);
3409 flags = __le16_to_cpu(req->flags);
3410
3411 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3412
baa7e1fa 3413 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3414 if (!chan)
1da177e4
LT		 3415 return -ENOENT;
3416
033b1142 3417 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3418 struct l2cap_cmd_rej_cid rej;
3419
3420 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
3421 rej.scid = cpu_to_le16(chan->scid);
3422 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3423
df6bd743
GP		 3424 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
3425 sizeof(rej), &rej);
354f60a9 3426 goto unlock;
df6bd743 3427 }
354f60a9 3428
5dee9e7c 3429 /* Reject if config buffer is too small. */
88219a0f 3430 len = cmd_len - sizeof(*req);
7ac28817 3431 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3432 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3433 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 3434 L2CAP_CONF_REJECT, flags), rsp);
3435 goto unlock;
3436 }
3437
3438 /* Store config. */
73ffa904
GP		 3439 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3440 chan->conf_len += len;
1da177e4
LT		 3441
3442 if (flags & 0x0001) {
3443 /* Incomplete config. Send empty response. */
3444 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3445 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 3446 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 3447 goto unlock;
3448 }
3449
3450 /* Complete config. */
73ffa904 3451 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3452 if (len < 0) {
e92c8e70 3453 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 3454 goto unlock;
f2fcfcd6 3455 }
1da177e4 3456
5dee9e7c 3457 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3458 chan->num_conf_rsp++;
5dee9e7c 3459
5dee9e7c 3460 /* Reset config buffer. */
73ffa904 3461 chan->conf_len = 0;
5dee9e7c 3462
c1360a1c 3463 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3464 goto unlock;
3465
c1360a1c 3466 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3467 set_default_fcs(chan);
fcc203c3 3468
89bc500e 3469 l2cap_state_change(chan, BT_CONNECTED);
e90bac06 3470
105bdf9e
MM		 3471 if (chan->mode == L2CAP_MODE_ERTM ||
3472 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3473 err = l2cap_ertm_init(chan);
3474
3475 if (err < 0)
3476 l2cap_send_disconn_req(chan->conn, chan, -err);
3477 else
3478 l2cap_chan_ready(chan);
0565c1c2 3479
876d9484
MH		 3480 goto unlock;
3481 }
3482
c1360a1c 3483 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3484 u8 buf[64];
1da177e4 3485 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3486 l2cap_build_conf_req(chan, buf), buf);
3487 chan->num_conf_req++;
1da177e4
LT		 3488 }
3489
0e8b207e
AE		 3490 /* Got Conf Rsp PENDING from remote side and asume we sent
3491 Conf Rsp PENDING in the code above */
3492 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
3493 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3494
3495 /* check compatibility */
3496
3497 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3498 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3499
3500 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3501 l2cap_build_conf_rsp(chan, rsp,
0e8b207e
AE		 3502 L2CAP_CONF_SUCCESS, 0x0000), rsp);
3503 }
3504
1da177e4 3505unlock:
6be36555 3506 l2cap_chan_unlock(chan);
3c588192 3507 return err;
1da177e4
LT		 3508}
3509
3510static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3511{
3512 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3513 u16 scid, flags, result;
48454079 3514 struct l2cap_chan *chan;
61386cba 3515 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3516 int err = 0;
1da177e4
LT		 3517
3518 scid = __le16_to_cpu(rsp->scid);
3519 flags = __le16_to_cpu(rsp->flags);
3520 result = __le16_to_cpu(rsp->result);
3521
61386cba
AE		 3522 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3523 result, len);
1da177e4 3524
baa7e1fa 3525 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3526 if (!chan)
1da177e4
LT		 3527 return 0;
3528
3529 switch (result) {
3530 case L2CAP_CONF_SUCCESS:
47d1ec61 3531 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3532 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3533 break;
3534
0e8b207e
AE		 3535 case L2CAP_CONF_PENDING:
3536 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3537
3538 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3539 char buf[64];
3540
3541 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3542 buf, &result);
3543 if (len < 0) {
3544 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3545 goto done;
3546 }
3547
3548 /* check compatibility */
3549
3550 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3551 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3552
3553 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3554 l2cap_build_conf_rsp(chan, buf,
0e8b207e
AE		 3555 L2CAP_CONF_SUCCESS, 0x0000), buf);
3556 }
3557 goto done;
3558
1da177e4 3559 case L2CAP_CONF_UNACCEPT:
73ffa904 3560 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3561 char req[64];
3562
c2c77ec8 3563 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 3564 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 3565 goto done;
3566 }
3567
f2fcfcd6
GP		 3568 /* throw out any old stored conf requests */
3569 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 3570 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3571 req, &result);
f2fcfcd6 3572 if (len < 0) {
e92c8e70 3573 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 3574 goto done;
3575 }
3576
3577 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3578 L2CAP_CONF_REQ, len, req);
73ffa904 3579 chan->num_conf_req++;
f2fcfcd6
GP		 3580 if (result != L2CAP_CONF_SUCCESS)
3581 goto done;
3582 break;
1da177e4
LT		 3583 }
3584
8e87d142 3585 default:
6be36555 3586 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 3587
ba13ccd9 3588 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 3589 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 3590 goto done;
3591 }
3592
3593 if (flags & 0x01)
3594 goto done;
3595
c1360a1c 3596 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 3597
c1360a1c 3598 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 3599 set_default_fcs(chan);
fcc203c3 3600
89bc500e 3601 l2cap_state_change(chan, BT_CONNECTED);
105bdf9e
MM		 3602 if (chan->mode == L2CAP_MODE_ERTM ||
3603 chan->mode == L2CAP_MODE_STREAMING)
3c588192 3604 err = l2cap_ertm_init(chan);
0565c1c2 3605
3c588192
MM		 3606 if (err < 0)
3607 l2cap_send_disconn_req(chan->conn, chan, -err);
3608 else
3609 l2cap_chan_ready(chan);
1da177e4
LT		 3610 }
3611
3612done:
6be36555 3613 l2cap_chan_unlock(chan);
3c588192 3614 return err;
1da177e4
LT		 3615}
3616
3617static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3618{
3619 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3620 struct l2cap_disconn_rsp rsp;
3621 u16 dcid, scid;
48454079 3622 struct l2cap_chan *chan;
1da177e4
LT		 3623 struct sock *sk;
3624
3625 scid = __le16_to_cpu(req->scid);
3626 dcid = __le16_to_cpu(req->dcid);
3627
3628 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3629
3df91ea2
AE		 3630 mutex_lock(&conn->chan_lock);
3631
3632 chan = __l2cap_get_chan_by_scid(conn, dcid);
3633 if (!chan) {
3634 mutex_unlock(&conn->chan_lock);
1da177e4 3635 return 0;
3df91ea2 3636 }
1da177e4 3637
6be36555
AE		 3638 l2cap_chan_lock(chan);
3639
48454079
GP		 3640 sk = chan->sk;
3641
fe4128e0
GP		 3642 rsp.dcid = cpu_to_le16(chan->scid);
3643 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3644 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3645
6be36555 3646 lock_sock(sk);
1da177e4 3647 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 3648 release_sock(sk);
1da177e4 3649
61d6ef3e 3650 l2cap_chan_hold(chan);
48454079 3651 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 3652
3653 l2cap_chan_unlock(chan);
1da177e4 3654
ba3bd0ee 3655 chan->ops->close(chan->data);
61d6ef3e 3656 l2cap_chan_put(chan);
3df91ea2
AE		 3657
3658 mutex_unlock(&conn->chan_lock);
3659
1da177e4
LT		 3660 return 0;
3661}
3662
3663static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3664{
3665 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3666 u16 dcid, scid;
48454079 3667 struct l2cap_chan *chan;
1da177e4
LT		 3668
3669 scid = __le16_to_cpu(rsp->scid);
3670 dcid = __le16_to_cpu(rsp->dcid);
3671
3672 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3673
3df91ea2
AE		 3674 mutex_lock(&conn->chan_lock);
3675
3676 chan = __l2cap_get_chan_by_scid(conn, scid);
3677 if (!chan) {
3678 mutex_unlock(&conn->chan_lock);
1da177e4 3679 return 0;
3df91ea2 3680 }
1da177e4 3681
6be36555 3682 l2cap_chan_lock(chan);
48454079 3683
61d6ef3e 3684 l2cap_chan_hold(chan);
48454079 3685 l2cap_chan_del(chan, 0);
6be36555
AE		 3686
3687 l2cap_chan_unlock(chan);
1da177e4 3688
ba3bd0ee 3689 chan->ops->close(chan->data);
61d6ef3e 3690 l2cap_chan_put(chan);
3df91ea2
AE		 3691
3692 mutex_unlock(&conn->chan_lock);
3693
1da177e4
LT		 3694 return 0;
3695}
3696
3697static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3698{
3699 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3700 u16 type;
3701
3702 type = __le16_to_cpu(req->type);
3703
3704 BT_DBG("type 0x%4.4x", type);
3705
f0709e03
MH		 3706 if (type == L2CAP_IT_FEAT_MASK) {
3707 u8 buf[8];
44dd46de 3708 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 3709 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3710 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3711 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3712 if (!disable_ertm)
fcc203c3
GP		 3713 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3714 | L2CAP_FEAT_FCS;
a5fd6f30 3715 if (enable_hs)
6327eb98
AE		 3716 feat_mask |= L2CAP_FEAT_EXT_FLOW
3717 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3718
1b7bf4ed 3719 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3720 l2cap_send_cmd(conn, cmd->ident,
3721 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3722 } else if (type == L2CAP_IT_FIXED_CHAN) {
3723 u8 buf[12];
3724 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3725
3726 if (enable_hs)
3727 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3728 else
3729 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3730
e1027a7c
MH		 3731 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3732 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3733 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH		 3734 l2cap_send_cmd(conn, cmd->ident,
3735 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3736 } else {
3737 struct l2cap_info_rsp rsp;
3738 rsp.type = cpu_to_le16(type);
3739 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3740 l2cap_send_cmd(conn, cmd->ident,
3741 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3742 }
1da177e4
LT		 3743
3744 return 0;
3745}
3746
3747static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3748{
3749 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3750 u16 type, result;
3751
3752 type = __le16_to_cpu(rsp->type);
3753 result = __le16_to_cpu(rsp->result);
3754
3755 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3756
e90165be
AE		 3757 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3758 if (cmd->ident != conn->info_ident ||
3759 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3760 return 0;
3761
17cd3f37 3762 cancel_delayed_work(&conn->info_timer);
4e8402a3 3763
adb08ede
VT		 3764 if (result != L2CAP_IR_SUCCESS) {
3765 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3766 conn->info_ident = 0;
3767
3768 l2cap_conn_start(conn);
3769
3770 return 0;
3771 }
3772
978c93b9
AE		 3773 switch (type) {
3774 case L2CAP_IT_FEAT_MASK:
83985319 3775 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3776
47ec1dcd 3777 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 3778 struct l2cap_info_req req;
3779 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3780
3781 conn->info_ident = l2cap_get_ident(conn);
3782
3783 l2cap_send_cmd(conn, conn->info_ident,
3784 L2CAP_INFO_REQ, sizeof(req), &req);
3785 } else {
3786 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3787 conn->info_ident = 0;
3788
3789 l2cap_conn_start(conn);
3790 }
978c93b9
AE		 3791 break;
3792
3793 case L2CAP_IT_FIXED_CHAN:
3794 conn->fixed_chan_mask = rsp->data[0];
984947dc 3795 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3796 conn->info_ident = 0;
984947dc
MH		 3797
3798 l2cap_conn_start(conn);
978c93b9 3799 break;
984947dc 3800 }
4e8402a3 3801
1da177e4
LT		 3802 return 0;
3803}
3804
f94ff6ff
MM		 3805static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3806 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3807 void *data)
3808{
3809 struct l2cap_create_chan_req *req = data;
3810 struct l2cap_create_chan_rsp rsp;
3811 u16 psm, scid;
3812
3813 if (cmd_len != sizeof(*req))
3814 return -EPROTO;
3815
3816 if (!enable_hs)
3817 return -EINVAL;
3818
3819 psm = le16_to_cpu(req->psm);
3820 scid = le16_to_cpu(req->scid);
3821
3822 BT_DBG("psm %d, scid %d, amp_id %d", psm, scid, req->amp_id);
3823
3824 /* Placeholder: Always reject */
3825 rsp.dcid = 0;
3826 rsp.scid = cpu_to_le16(scid);
8ce0c498
AE		 3827 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
3828 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f94ff6ff
MM		 3829
3830 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
3831 sizeof(rsp), &rsp);
3832
3833 return 0;
3834}
3835
3836static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
3837 struct l2cap_cmd_hdr *cmd, void *data)
3838{
3839 BT_DBG("conn %p", conn);
3840
3841 return l2cap_connect_rsp(conn, cmd, data);
3842}
3843
8d5a04a1
MM		 3844static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
3845 u16 icid, u16 result)
3846{
3847 struct l2cap_move_chan_rsp rsp;
3848
3849 BT_DBG("icid %d, result %d", icid, result);
3850
3851 rsp.icid = cpu_to_le16(icid);
3852 rsp.result = cpu_to_le16(result);
3853
3854 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
3855}
3856
3857static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
3858 struct l2cap_chan *chan, u16 icid, u16 result)
3859{
3860 struct l2cap_move_chan_cfm cfm;
3861 u8 ident;
3862
3863 BT_DBG("icid %d, result %d", icid, result);
3864
3865 ident = l2cap_get_ident(conn);
3866 if (chan)
3867 chan->ident = ident;
3868
3869 cfm.icid = cpu_to_le16(icid);
3870 cfm.result = cpu_to_le16(result);
3871
3872 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
3873}
3874
3875static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
3876 u16 icid)
3877{
3878 struct l2cap_move_chan_cfm_rsp rsp;
3879
3880 BT_DBG("icid %d", icid);
3881
3882 rsp.icid = cpu_to_le16(icid);
3883 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
3884}
3885
3886static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
3887 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3888{
3889 struct l2cap_move_chan_req *req = data;
3890 u16 icid = 0;
3891 u16 result = L2CAP_MR_NOT_ALLOWED;
3892
3893 if (cmd_len != sizeof(*req))
3894 return -EPROTO;
3895
3896 icid = le16_to_cpu(req->icid);
3897
3898 BT_DBG("icid %d, dest_amp_id %d", icid, req->dest_amp_id);
3899
3900 if (!enable_hs)
3901 return -EINVAL;
3902
3903 /* Placeholder: Always refuse */
3904 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
3905
3906 return 0;
3907}
3908
3909static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
3910 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3911{
3912 struct l2cap_move_chan_rsp *rsp = data;
3913 u16 icid, result;
3914
3915 if (cmd_len != sizeof(*rsp))
3916 return -EPROTO;
3917
3918 icid = le16_to_cpu(rsp->icid);
3919 result = le16_to_cpu(rsp->result);
3920
3921 BT_DBG("icid %d, result %d", icid, result);
3922
3923 /* Placeholder: Always unconfirmed */
3924 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
3925
3926 return 0;
3927}
3928
3929static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
3930 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3931{
3932 struct l2cap_move_chan_cfm *cfm = data;
3933 u16 icid, result;
3934
3935 if (cmd_len != sizeof(*cfm))
3936 return -EPROTO;
3937
3938 icid = le16_to_cpu(cfm->icid);
3939 result = le16_to_cpu(cfm->result);
3940
3941 BT_DBG("icid %d, result %d", icid, result);
3942
3943 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
3944
3945 return 0;
3946}
3947
3948static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
3949 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3950{
3951 struct l2cap_move_chan_cfm_rsp *rsp = data;
3952 u16 icid;
3953
3954 if (cmd_len != sizeof(*rsp))
3955 return -EPROTO;
3956
3957 icid = le16_to_cpu(rsp->icid);
3958
3959 BT_DBG("icid %d", icid);
3960
3961 return 0;
3962}
3963
e2174ca4 3964static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 3965 u16 to_multiplier)
3966{
3967 u16 max_latency;
3968
3969 if (min > max || min < 6 || max > 3200)
3970 return -EINVAL;
3971
3972 if (to_multiplier < 10 || to_multiplier > 3200)
3973 return -EINVAL;
3974
3975 if (max >= to_multiplier * 8)
3976 return -EINVAL;
3977
3978 max_latency = (to_multiplier * 8 / max) - 1;
3979 if (latency > 499 || latency > max_latency)
3980 return -EINVAL;
3981
3982 return 0;
3983}
3984
3985static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
3986 struct l2cap_cmd_hdr *cmd, u8 *data)
3987{
3988 struct hci_conn *hcon = conn->hcon;
3989 struct l2cap_conn_param_update_req *req;
3990 struct l2cap_conn_param_update_rsp rsp;
3991 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 3992 int err;
de73115a
CT		 3993
3994 if (!(hcon->link_mode & HCI_LM_MASTER))
3995 return -EINVAL;
3996
3997 cmd_len = __le16_to_cpu(cmd->len);
3998 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
3999 return -EPROTO;
4000
4001 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 4002 min = __le16_to_cpu(req->min);
4003 max = __le16_to_cpu(req->max);
de73115a
CT		 4004 latency = __le16_to_cpu(req->latency);
4005 to_multiplier = __le16_to_cpu(req->to_multiplier);
4006
4007 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
4008 min, max, latency, to_multiplier);
4009
4010 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 4011
4012 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
4013 if (err)
de73115a
CT		 4014 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
4015 else
4016 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
4017
4018 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
4019 sizeof(rsp), &rsp);
4020
2ce603eb
CT		 4021 if (!err)
4022 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
4023
de73115a
CT		 4024 return 0;
4025}
4026
3300d9a9
CT		 4027static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
4028 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4029{
4030 int err = 0;
4031
4032 switch (cmd->code) {
4033 case L2CAP_COMMAND_REJ:
4034 l2cap_command_rej(conn, cmd, data);
4035 break;
4036
4037 case L2CAP_CONN_REQ:
4038 err = l2cap_connect_req(conn, cmd, data);
4039 break;
4040
4041 case L2CAP_CONN_RSP:
4042 err = l2cap_connect_rsp(conn, cmd, data);
4043 break;
4044
4045 case L2CAP_CONF_REQ:
4046 err = l2cap_config_req(conn, cmd, cmd_len, data);
4047 break;
4048
4049 case L2CAP_CONF_RSP:
4050 err = l2cap_config_rsp(conn, cmd, data);
4051 break;
4052
4053 case L2CAP_DISCONN_REQ:
4054 err = l2cap_disconnect_req(conn, cmd, data);
4055 break;
4056
4057 case L2CAP_DISCONN_RSP:
4058 err = l2cap_disconnect_rsp(conn, cmd, data);
4059 break;
4060
4061 case L2CAP_ECHO_REQ:
4062 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
4063 break;
4064
4065 case L2CAP_ECHO_RSP:
4066 break;
4067
4068 case L2CAP_INFO_REQ:
4069 err = l2cap_information_req(conn, cmd, data);
4070 break;
4071
4072 case L2CAP_INFO_RSP:
4073 err = l2cap_information_rsp(conn, cmd, data);
4074 break;
4075
f94ff6ff
MM		 4076 case L2CAP_CREATE_CHAN_REQ:
4077 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
4078 break;
4079
4080 case L2CAP_CREATE_CHAN_RSP:
4081 err = l2cap_create_channel_rsp(conn, cmd, data);
4082 break;
4083
8d5a04a1
MM		 4084 case L2CAP_MOVE_CHAN_REQ:
4085 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
4086 break;
4087
4088 case L2CAP_MOVE_CHAN_RSP:
4089 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
4090 break;
4091
4092 case L2CAP_MOVE_CHAN_CFM:
4093 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
4094 break;
4095
4096 case L2CAP_MOVE_CHAN_CFM_RSP:
4097 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
4098 break;
4099
3300d9a9
CT		 4100 default:
4101 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
4102 err = -EINVAL;
4103 break;
4104 }
4105
4106 return err;
4107}
4108
4109static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
4110 struct l2cap_cmd_hdr *cmd, u8 *data)
4111{
4112 switch (cmd->code) {
4113 case L2CAP_COMMAND_REJ:
4114 return 0;
4115
4116 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 4117 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 4118
4119 case L2CAP_CONN_PARAM_UPDATE_RSP:
4120 return 0;
4121
4122 default:
4123 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
4124 return -EINVAL;
4125 }
4126}
4127
4128static inline void l2cap_sig_channel(struct l2cap_conn *conn,
4129 struct sk_buff *skb)
1da177e4
LT		 4130{
4131 u8 *data = skb->data;
4132 int len = skb->len;
4133 struct l2cap_cmd_hdr cmd;
3300d9a9 4134 int err;
1da177e4
LT		 4135
4136 l2cap_raw_recv(conn, skb);
4137
4138 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 4139 u16 cmd_len;
1da177e4
LT		 4140 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
4141 data += L2CAP_CMD_HDR_SIZE;
4142 len -= L2CAP_CMD_HDR_SIZE;
4143
88219a0f 4144 cmd_len = le16_to_cpu(cmd.len);
1da177e4 4145
88219a0f 4146 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 4147
88219a0f 4148 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 4149 BT_DBG("corrupted command");
4150 break;
4151 }
4152
3300d9a9
CT		 4153 if (conn->hcon->type == LE_LINK)
4154 err = l2cap_le_sig_cmd(conn, &cmd, data);
4155 else
4156 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 4157
4158 if (err) {
e2fd318e 4159 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 4160
4161 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 4162
4163 /* FIXME: Map err to a valid reason */
e2fd318e 4164 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 4165 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4166 }
4167
88219a0f
AV		 4168 data += cmd_len;
4169 len -= cmd_len;
1da177e4
LT		 4170 }
4171
4172 kfree_skb(skb);
4173}
4174
47d1ec61 4175static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 4176{
4177 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 4178 int hdr_size;
4179
4180 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
4181 hdr_size = L2CAP_EXT_HDR_SIZE;
4182 else
4183 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 4184
47d1ec61 4185 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 4186 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 4187 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
4188 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
4189
4190 if (our_fcs != rcv_fcs)
7a560e5c 4191 return -EBADMSG;
fcc203c3
GP		 4192 }
4193 return 0;
4194}
4195
525cd185 4196static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 4197{
88843ab0 4198 u32 control = 0;
d5392c8f 4199
6a026610 4200 chan->frames_sent = 0;
d5392c8f 4201
0b209fae 4202 control |= __set_reqseq(chan, chan->buffer_seq);
d5392c8f 4203
e2ab4353 4204 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 4205 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 4206 set_bit(CONN_RNR_SENT, &chan->conn_state);
d5392c8f
GP		 4207 }
4208
e2ab4353 4209 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
525cd185 4210 l2cap_retransmit_frames(chan);
d5392c8f 4211
525cd185 4212 l2cap_ertm_send(chan);
d5392c8f 4213
e2ab4353 4214 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
6a026610 4215 chan->frames_sent == 0) {
ab784b73 4216 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
d5392c8f
GP		 4217 }
4218}
4219
84084a31
MM		 4220static void append_skb_frag(struct sk_buff *skb,
4221 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 4222{
84084a31
MM		 4223 /* skb->len reflects data in skb as well as all fragments
4224 * skb->data_len reflects only data in fragments
4225 */
4226 if (!skb_has_frag_list(skb))
4227 skb_shinfo(skb)->frag_list = new_frag;
4228
4229 new_frag->next = NULL;
4230
4231 (*last_frag)->next = new_frag;
4232 *last_frag = new_frag;
4233
4234 skb->len += new_frag->len;
4235 skb->data_len += new_frag->len;
4236 skb->truesize += new_frag->truesize;
4237}
4238
4b51dae9
MM		 4239static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
4240 struct l2cap_ctrl *control)
84084a31
MM		 4241{
4242 int err = -EINVAL;
18778a63 4243
4b51dae9 4244 switch (control->sar) {
7e0ef6ee 4245 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 4246 if (chan->sdu)
4247 break;
18778a63 4248
84084a31
MM		 4249 err = chan->ops->recv(chan->data, skb);
4250 break;
18778a63 4251
7e0ef6ee 4252 case L2CAP_SAR_START:
84084a31
MM		 4253 if (chan->sdu)
4254 break;
18778a63 4255
6f61fd47 4256 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 4257 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 4258
84084a31
MM		 4259 if (chan->sdu_len > chan->imtu) {
4260 err = -EMSGSIZE;
4261 break;
4262 }
1890d36b 4263
84084a31
MM		 4264 if (skb->len >= chan->sdu_len)
4265 break;
18778a63 4266
84084a31
MM		 4267 chan->sdu = skb;
4268 chan->sdu_last_frag = skb;
18778a63 4269
84084a31
MM		 4270 skb = NULL;
4271 err = 0;
18778a63
GP		 4272 break;
4273
7e0ef6ee 4274 case L2CAP_SAR_CONTINUE:
6f61fd47 4275 if (!chan->sdu)
84084a31 4276 break;
18778a63 4277
84084a31
MM		 4278 append_skb_frag(chan->sdu, skb,
4279 &chan->sdu_last_frag);
4280 skb = NULL;
18778a63 4281
84084a31
MM		 4282 if (chan->sdu->len >= chan->sdu_len)
4283 break;
4178ba46 4284
84084a31 4285 err = 0;
18778a63
GP		 4286 break;
4287
7e0ef6ee 4288 case L2CAP_SAR_END:
6f61fd47 4289 if (!chan->sdu)
84084a31 4290 break;
18778a63 4291
84084a31
MM		 4292 append_skb_frag(chan->sdu, skb,
4293 &chan->sdu_last_frag);
4294 skb = NULL;
4178ba46 4295
84084a31
MM		 4296 if (chan->sdu->len != chan->sdu_len)
4297 break;
18778a63 4298
84084a31 4299 err = chan->ops->recv(chan->data, chan->sdu);
1890d36b 4300
84084a31
MM		 4301 if (!err) {
4302 /* Reassembly complete */
4303 chan->sdu = NULL;
4304 chan->sdu_last_frag = NULL;
4305 chan->sdu_len = 0;
1890d36b 4306 }
18778a63
GP		 4307 break;
4308 }
4309
84084a31
MM		 4310 if (err) {
4311 kfree_skb(skb);
4312 kfree_skb(chan->sdu);
4313 chan->sdu = NULL;
4314 chan->sdu_last_frag = NULL;
4315 chan->sdu_len = 0;
4316 }
18778a63 4317
84084a31 4318 return err;
18778a63
GP		 4319}
4320
61aa4f5b 4321void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 4322{
61aa4f5b 4323 u8 event;
712132eb 4324
61aa4f5b
MM		 4325 if (chan->mode != L2CAP_MODE_ERTM)
4326 return;
712132eb 4327
61aa4f5b
MM		 4328 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
4329 l2cap_tx(chan, 0, 0, event);
1890d36b
GP		 4330}
4331
4b51dae9
MM		 4332static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
4333{
4334 BT_DBG("chan %p, txseq %d", chan, txseq);
4335
4336 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
4337 chan->expected_tx_seq);
4338
4339 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
4340 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4341 chan->tx_win) {
4342 /* See notes below regarding "double poll" and
4343 * invalid packets.
4344 */
4345 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4346 BT_DBG("Invalid/Ignore - after SREJ");
4347 return L2CAP_TXSEQ_INVALID_IGNORE;
4348 } else {
4349 BT_DBG("Invalid - in window after SREJ sent");
4350 return L2CAP_TXSEQ_INVALID;
4351 }
4352 }
4353
4354 if (chan->srej_list.head == txseq) {
4355 BT_DBG("Expected SREJ");
4356 return L2CAP_TXSEQ_EXPECTED_SREJ;
4357 }
4358
4359 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
4360 BT_DBG("Duplicate SREJ - txseq already stored");
4361 return L2CAP_TXSEQ_DUPLICATE_SREJ;
4362 }
4363
4364 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
4365 BT_DBG("Unexpected SREJ - not requested");
4366 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
4367 }
4368 }
4369
4370 if (chan->expected_tx_seq == txseq) {
4371 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4372 chan->tx_win) {
4373 BT_DBG("Invalid - txseq outside tx window");
4374 return L2CAP_TXSEQ_INVALID;
4375 } else {
4376 BT_DBG("Expected");
4377 return L2CAP_TXSEQ_EXPECTED;
4378 }
4379 }
4380
4381 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
4382 __seq_offset(chan, chan->expected_tx_seq,
4383 chan->last_acked_seq)){
4384 BT_DBG("Duplicate - expected_tx_seq later than txseq");
4385 return L2CAP_TXSEQ_DUPLICATE;
4386 }
4387
4388 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
4389 /* A source of invalid packets is a "double poll" condition,
4390 * where delays cause us to send multiple poll packets. If
4391 * the remote stack receives and processes both polls,
4392 * sequence numbers can wrap around in such a way that a
4393 * resent frame has a sequence number that looks like new data
4394 * with a sequence gap. This would trigger an erroneous SREJ
4395 * request.
4396 *
4397 * Fortunately, this is impossible with a tx window that's
4398 * less than half of the maximum sequence number, which allows
4399 * invalid frames to be safely ignored.
4400 *
4401 * With tx window sizes greater than half of the tx window
4402 * maximum, the frame is invalid and cannot be ignored. This
4403 * causes a disconnect.
4404 */
4405
4406 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4407 BT_DBG("Invalid/Ignore - txseq outside tx window");
4408 return L2CAP_TXSEQ_INVALID_IGNORE;
4409 } else {
4410 BT_DBG("Invalid - txseq outside tx window");
4411 return L2CAP_TXSEQ_INVALID;
4412 }
4413 } else {
4414 BT_DBG("Unexpected - txseq indicates missing frames");
4415 return L2CAP_TXSEQ_UNEXPECTED;
4416 }
4417}
4418
cec8ab6e
MM		 4419static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
4420 struct sk_buff *skb, u8 event)
218bb9df 4421{
cec8ab6e
MM		 4422 /* Placeholder */
4423 return -ENOTSUPP;
4424}
4425
4426static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
4427 struct sk_buff *skb)
4428{
4b51dae9
MM		 4429 int err = 0;
4430
4431 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
4432 chan->rx_state);
4433
4434 if (l2cap_classify_txseq(chan, control->txseq) ==
4435 L2CAP_TXSEQ_EXPECTED) {
4436 l2cap_pass_to_tx(chan, control);
4437
4438 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
4439 __next_seq(chan, chan->buffer_seq));
4440
4441 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
4442
4443 l2cap_reassemble_sdu(chan, skb, control);
4444 } else {
4445 if (chan->sdu) {
4446 kfree_skb(chan->sdu);
4447 chan->sdu = NULL;
4448 }
4449 chan->sdu_last_frag = NULL;
4450 chan->sdu_len = 0;
4451
4452 if (skb) {
4453 BT_DBG("Freeing %p", skb);
4454 kfree_skb(skb);
4455 }
4456 }
4457
4458 chan->last_acked_seq = control->txseq;
4459 chan->expected_tx_seq = __next_seq(chan, control->txseq);
4460
4461 return err;
cec8ab6e
MM		 4462}
4463
4464static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
4465{
4466 struct l2cap_ctrl *control = &bt_cb(skb)->control;
4467 u16 len;
4468 u8 event;
218bb9df 4469
b76bbd66
MM		 4470 __unpack_control(chan, skb);
4471
218bb9df
GP		 4472 len = skb->len;
4473
4474 /*
4475 * We can just drop the corrupted I-frame here.
4476 * Receiver will miss it and start proper recovery
cec8ab6e 4477 * procedures and ask for retransmission.
218bb9df 4478 */
47d1ec61 4479 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 4480 goto drop;
4481
cec8ab6e 4482 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 4483 len -= L2CAP_SDULEN_SIZE;
218bb9df 4484
47d1ec61 4485 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 4486 len -= L2CAP_FCS_SIZE;
218bb9df 4487
47d1ec61 4488 if (len > chan->mps) {
8c1d787b 4489 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4490 goto drop;
4491 }
4492
cec8ab6e
MM		 4493 if (!control->sframe) {
4494 int err;
218bb9df 4495
cec8ab6e
MM		 4496 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
4497 control->sar, control->reqseq, control->final,
4498 control->txseq);
218bb9df 4499
cec8ab6e
MM		 4500 /* Validate F-bit - F=0 always valid, F=1 only
4501 * valid in TX WAIT_F
4502 */
4503 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 4504 goto drop;
cec8ab6e
MM		 4505
4506 if (chan->mode != L2CAP_MODE_STREAMING) {
4507 event = L2CAP_EV_RECV_IFRAME;
4508 err = l2cap_rx(chan, control, skb, event);
4509 } else {
4510 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 4511 }
4512
cec8ab6e
MM		 4513 if (err)
4514 l2cap_send_disconn_req(chan->conn, chan,
4515 ECONNRESET);
218bb9df 4516 } else {
cec8ab6e
MM		 4517 const u8 rx_func_to_event[4] = {
4518 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
4519 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
4520 };
4521
4522 /* Only I-frames are expected in streaming mode */
4523 if (chan->mode == L2CAP_MODE_STREAMING)
4524 goto drop;
4525
4526 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
4527 control->reqseq, control->final, control->poll,
4528 control->super);
4529
218bb9df
GP		 4530 if (len != 0) {
4531 BT_ERR("%d", len);
8c1d787b 4532 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4533 goto drop;
4534 }
4535
cec8ab6e
MM		 4536 /* Validate F and P bits */
4537 if (control->final && (control->poll ||
4538 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
4539 goto drop;
4540
4541 event = rx_func_to_event[control->super];
4542 if (l2cap_rx(chan, control, skb, event))
4543 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4544 }
4545
4546 return 0;
4547
4548drop:
4549 kfree_skb(skb);
4550 return 0;
4551}
4552
1da177e4
LT		 4553static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
4554{
48454079 4555 struct l2cap_chan *chan;
1da177e4 4556
baa7e1fa 4557 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 4558 if (!chan) {
1da177e4 4559 BT_DBG("unknown cid 0x%4.4x", cid);
6be36555 4560 /* Drop packet and return */
3379013b 4561 kfree_skb(skb);
6be36555 4562 return 0;
1da177e4
LT		 4563 }
4564
49208c9c 4565 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 4566
89bc500e 4567 if (chan->state != BT_CONNECTED)
1da177e4
LT		 4568 goto drop;
4569
0c1bc5c6 4570 switch (chan->mode) {
1c2acffb
GP		 4571 case L2CAP_MODE_BASIC:
4572 /* If socket recv buffers overflows we drop data here
4573 * which is *bad* because L2CAP has to be reliable.
4574 * But we don't have any other choice. L2CAP doesn't
4575 * provide flow control mechanism. */
1da177e4 4576
0c1bc5c6 4577 if (chan->imtu < skb->len)
1c2acffb 4578 goto drop;
1da177e4 4579
23070494 4580 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP		 4581 goto done;
4582 break;
4583
4584 case L2CAP_MODE_ERTM:
6840ed07 4585 case L2CAP_MODE_STREAMING:
cec8ab6e 4586 l2cap_data_rcv(chan, skb);
6840ed07
GP		 4587 goto done;
4588
1c2acffb 4589 default:
0c1bc5c6 4590 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 4591 break;
4592 }
1da177e4
LT		 4593
4594drop:
4595 kfree_skb(skb);
4596
4597done:
6be36555 4598 l2cap_chan_unlock(chan);
0139418c 4599
1da177e4
LT		 4600 return 0;
4601}
4602
8e036fc3 4603static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 4604{
23691d75 4605 struct l2cap_chan *chan;
1da177e4 4606
c2287681 4607 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 4608 if (!chan)
1da177e4
LT		 4609 goto drop;
4610
5b4cedaa 4611 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 4612
89bc500e 4613 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 4614 goto drop;
4615
e13e21dc 4616 if (chan->imtu < skb->len)
1da177e4
LT		 4617 goto drop;
4618
23070494 4619 if (!chan->ops->recv(chan->data, skb))
5b4cedaa 4620 return 0;
1da177e4
LT		 4621
4622drop:
4623 kfree_skb(skb);
4624
1da177e4
LT		 4625 return 0;
4626}
4627
d9b88702
AE		 4628static inline int l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
4629 struct sk_buff *skb)
9f69bda6 4630{
23691d75 4631 struct l2cap_chan *chan;
9f69bda6 4632
c2287681 4633 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 4634 if (!chan)
9f69bda6
GP		 4635 goto drop;
4636
5b4cedaa 4637 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 4638
89bc500e 4639 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 4640 goto drop;
4641
e13e21dc 4642 if (chan->imtu < skb->len)
9f69bda6
GP		 4643 goto drop;
4644
23070494 4645 if (!chan->ops->recv(chan->data, skb))
5b4cedaa 4646 return 0;
9f69bda6
GP		 4647
4648drop:
4649 kfree_skb(skb);
4650
9f69bda6
GP		 4651 return 0;
4652}
4653
1da177e4
LT		 4654static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4655{
4656 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4657 u16 cid, len;
4658 __le16 psm;
1da177e4
LT		 4659
4660 skb_pull(skb, L2CAP_HDR_SIZE);
4661 cid = __le16_to_cpu(lh->cid);
4662 len = __le16_to_cpu(lh->len);
4663
1c2acffb
GP		 4664 if (len != skb->len) {
4665 kfree_skb(skb);
4666 return;
4667 }
4668
1da177e4
LT		 4669 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4670
4671 switch (cid) {
3300d9a9 4672 case L2CAP_CID_LE_SIGNALING:
8db4dc46 4673 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4674 l2cap_sig_channel(conn, skb);
4675 break;
4676
8db4dc46 4677 case L2CAP_CID_CONN_LESS:
097db76c 4678 psm = get_unaligned((__le16 *) skb->data);
1da177e4
LT		 4679 skb_pull(skb, 2);
4680 l2cap_conless_channel(conn, psm, skb);
4681 break;
4682
9f69bda6
GP		 4683 case L2CAP_CID_LE_DATA:
4684 l2cap_att_channel(conn, cid, skb);
4685 break;
4686
b501d6a1
AB		 4687 case L2CAP_CID_SMP:
4688 if (smp_sig_channel(conn, skb))
4689 l2cap_conn_del(conn->hcon, EACCES);
4690 break;
4691
1da177e4
LT		 4692 default:
4693 l2cap_data_channel(conn, cid, skb);
4694 break;
4695 }
4696}
4697
4698/* ---- L2CAP interface with lower layer (HCI) ---- */
4699
686ebf28 4700int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 4701{
4702 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 4703 struct l2cap_chan *c;
1da177e4 4704
1da177e4
LT		 4705 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4706
4707 /* Find listening sockets and check their link_mode */
23691d75
GP		 4708 read_lock(&chan_list_lock);
4709 list_for_each_entry(c, &chan_list, global_l) {
4710 struct sock *sk = c->sk;
4343478f 4711
89bc500e 4712 if (c->state != BT_LISTEN)
1da177e4
LT		 4713 continue;
4714
4715 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4716 lm1 |= HCI_LM_ACCEPT;
43bd0f32 4717 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 4718 lm1 |= HCI_LM_MASTER;
1da177e4 4719 exact++;
2af6b9d5
MH		 4720 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4721 lm2 |= HCI_LM_ACCEPT;
43bd0f32 4722 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 4723 lm2 |= HCI_LM_MASTER;
4724 }
1da177e4 4725 }
23691d75 4726 read_unlock(&chan_list_lock);
1da177e4
LT		 4727
4728 return exact ? lm1 : lm2;
4729}
4730
686ebf28 4731int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 4732{
0139418c
MH		 4733 struct l2cap_conn *conn;
4734
1da177e4
LT		 4735 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4736
1da177e4 4737 if (!status) {
1da177e4
LT		 4738 conn = l2cap_conn_add(hcon, status);
4739 if (conn)
4740 l2cap_conn_ready(conn);
0139418c 4741 } else
e175072f 4742 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 4743
4744 return 0;
4745}
4746
686ebf28 4747int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 4748{
4749 struct l2cap_conn *conn = hcon->l2cap_data;
4750
4751 BT_DBG("hcon %p", hcon);
4752
686ebf28 4753 if (!conn)
9f5a0d7b 4754 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 4755 return conn->disc_reason;
4756}
4757
686ebf28 4758int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4759{
4760 BT_DBG("hcon %p reason %d", hcon, reason);
4761
e175072f 4762 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 4763 return 0;
4764}
4765
4343478f 4766static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4767{
715ec005 4768 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 4769 return;
4770
f62e4323 4771 if (encrypt == 0x00) {
4343478f 4772 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 4773 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 4774 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 4775 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4776 } else {
4343478f 4777 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 4778 __clear_chan_timer(chan);
f62e4323
MH		 4779 }
4780}
4781
686ebf28 4782int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4783{
0139418c 4784 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4785 struct l2cap_chan *chan;
1da177e4 4786
0139418c 4787 if (!conn)
1da177e4 4788 return 0;
0139418c 4789
1da177e4
LT		 4790 BT_DBG("conn %p", conn);
4791
160dc6ac 4792 if (hcon->type == LE_LINK) {
35d4adcc
HG		 4793 if (!status && encrypt)
4794 smp_distribute_keys(conn, 0);
17cd3f37 4795 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 4796 }
4797
3df91ea2 4798 mutex_lock(&conn->chan_lock);
1da177e4 4799
3df91ea2 4800 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 4801 l2cap_chan_lock(chan);
1da177e4 4802
f1cb9af5
VCG		 4803 BT_DBG("chan->scid %d", chan->scid);
4804
4805 if (chan->scid == L2CAP_CID_LE_DATA) {
4806 if (!status && encrypt) {
4807 chan->sec_level = hcon->sec_level;
cf4cd009 4808 l2cap_chan_ready(chan);
f1cb9af5
VCG		 4809 }
4810
6be36555 4811 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 4812 continue;
4813 }
4814
c1360a1c 4815 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6be36555 4816 l2cap_chan_unlock(chan);
6a8d3010
MH		 4817 continue;
4818 }
4819
89bc500e
GP		 4820 if (!status && (chan->state == BT_CONNECTED ||
4821 chan->state == BT_CONFIG)) {
a7d7723a
GP		 4822 struct sock *sk = chan->sk;
4823
c5daa683 4824 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 4825 sk->sk_state_change(sk);
4826
4343478f 4827 l2cap_check_encryption(chan, encrypt);
6be36555 4828 l2cap_chan_unlock(chan);
9719f8af
MH		 4829 continue;
4830 }
4831
89bc500e 4832 if (chan->state == BT_CONNECT) {
b1235d79 4833 if (!status) {
9b27f350 4834 l2cap_send_conn_req(chan);
b1235d79 4835 } else {
ba13ccd9 4836 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 4837 }
89bc500e 4838 } else if (chan->state == BT_CONNECT2) {
6be36555 4839 struct sock *sk = chan->sk;
b1235d79 4840 struct l2cap_conn_rsp rsp;
df3c3931 4841 __u16 res, stat;
1da177e4 4842
6be36555
AE		 4843 lock_sock(sk);
4844
b1235d79 4845 if (!status) {
c5daa683
GP		 4846 if (test_bit(BT_SK_DEFER_SETUP,
4847 &bt_sk(sk)->flags)) {
df3c3931
JH		 4848 struct sock *parent = bt_sk(sk)->parent;
4849 res = L2CAP_CR_PEND;
4850 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 4851 if (parent)
4852 parent->sk_data_ready(parent, 0);
df3c3931 4853 } else {
0e587be7 4854 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 4855 res = L2CAP_CR_SUCCESS;
4856 stat = L2CAP_CS_NO_INFO;
4857 }
b1235d79 4858 } else {
0e587be7 4859 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 4860 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 4861 res = L2CAP_CR_SEC_BLOCK;
4862 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 4863 }
4864
6be36555
AE		 4865 release_sock(sk);
4866
fe4128e0
GP		 4867 rsp.scid = cpu_to_le16(chan->dcid);
4868 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 4869 rsp.result = cpu_to_le16(res);
4870 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 4871 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4872 sizeof(rsp), &rsp);
b1235d79 4873 }
1da177e4 4874
6be36555 4875 l2cap_chan_unlock(chan);
1da177e4
LT		 4876 }
4877
3df91ea2 4878 mutex_unlock(&conn->chan_lock);
b1235d79 4879
1da177e4
LT		 4880 return 0;
4881}
4882
686ebf28 4883int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 4884{
4885 struct l2cap_conn *conn = hcon->l2cap_data;
4886
5a08ecce
AE		 4887 if (!conn)
4888 conn = l2cap_conn_add(hcon, 0);
4889
4890 if (!conn)
1da177e4
LT		 4891 goto drop;
4892
4893 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4894
e702112f 4895 if (!(flags & ACL_CONT)) {
1da177e4
LT		 4896 struct l2cap_hdr *hdr;
4897 int len;
4898
4899 if (conn->rx_len) {
4900 BT_ERR("Unexpected start frame (len %d)", skb->len);
4901 kfree_skb(conn->rx_skb);
4902 conn->rx_skb = NULL;
4903 conn->rx_len = 0;
4904 l2cap_conn_unreliable(conn, ECOMM);
4905 }
4906
aae7fe22
AE		 4907 /* Start fragment always begin with Basic L2CAP header */
4908 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 4909 BT_ERR("Frame is too short (len %d)", skb->len);
4910 l2cap_conn_unreliable(conn, ECOMM);
4911 goto drop;
4912 }
4913
4914 hdr = (struct l2cap_hdr *) skb->data;
4915 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
4916
4917 if (len == skb->len) {
4918 /* Complete frame received */
4919 l2cap_recv_frame(conn, skb);
4920 return 0;
4921 }
4922
4923 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4924
4925 if (skb->len > len) {
4926 BT_ERR("Frame is too long (len %d, expected len %d)",
4927 skb->len, len);
4928 l2cap_conn_unreliable(conn, ECOMM);
4929 goto drop;
4930 }
4931
4932 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4933 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4934 if (!conn->rx_skb)
1da177e4
LT		 4935 goto drop;
4936
d626f62b 4937 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4938 skb->len);
1da177e4
LT		 4939 conn->rx_len = len - skb->len;
4940 } else {
4941 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4942
4943 if (!conn->rx_len) {
4944 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4945 l2cap_conn_unreliable(conn, ECOMM);
4946 goto drop;
4947 }
4948
4949 if (skb->len > conn->rx_len) {
4950 BT_ERR("Fragment is too long (len %d, expected %d)",
4951 skb->len, conn->rx_len);
4952 kfree_skb(conn->rx_skb);
4953 conn->rx_skb = NULL;
4954 conn->rx_len = 0;
4955 l2cap_conn_unreliable(conn, ECOMM);
4956 goto drop;
4957 }
4958
d626f62b 4959 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4960 skb->len);
1da177e4
LT		 4961 conn->rx_len -= skb->len;
4962
4963 if (!conn->rx_len) {
4964 /* Complete frame received */
4965 l2cap_recv_frame(conn, conn->rx_skb);
4966 conn->rx_skb = NULL;
4967 }
4968 }
4969
4970drop:
4971 kfree_skb(skb);
4972 return 0;
4973}
4974
aef7d97c 4975static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 4976{
23691d75 4977 struct l2cap_chan *c;
1da177e4 4978
333055f2 4979 read_lock(&chan_list_lock);
1da177e4 4980
23691d75
GP		 4981 list_for_each_entry(c, &chan_list, global_l) {
4982 struct sock *sk = c->sk;
101545f6 4983
903d343e 4984 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 4985 batostr(&bt_sk(sk)->src),
4986 batostr(&bt_sk(sk)->dst),
89bc500e 4987 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 4988 c->scid, c->dcid, c->imtu, c->omtu,
4989 c->sec_level, c->mode);
61e1b4b7 4990 }
1da177e4 4991
333055f2 4992 read_unlock(&chan_list_lock);
1da177e4 4993
aef7d97c 4994 return 0;
1da177e4
LT		 4995}
4996
aef7d97c
MH		 4997static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4998{
4999 return single_open(file, l2cap_debugfs_show, inode->i_private);
5000}
5001
5002static const struct file_operations l2cap_debugfs_fops = {
5003 .open = l2cap_debugfs_open,
5004 .read = seq_read,
5005 .llseek = seq_lseek,
5006 .release = single_release,
5007};
5008
5009static struct dentry *l2cap_debugfs;
1da177e4 5010
64274518 5011int __init l2cap_init(void)
1da177e4
LT		 5012{
5013 int err;
be9d1227 5014
bb58f747 5015 err = l2cap_init_sockets();
1da177e4
LT		 5016 if (err < 0)
5017 return err;
5018
aef7d97c
MH		 5019 if (bt_debugfs) {
5020 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
5021 bt_debugfs, NULL, &l2cap_debugfs_fops);
5022 if (!l2cap_debugfs)
5023 BT_ERR("Failed to create L2CAP debug file");
5024 }
1da177e4 5025
1da177e4 5026 return 0;
1da177e4
LT		 5027}
5028
64274518 5029void l2cap_exit(void)
1da177e4 5030{
aef7d97c 5031 debugfs_remove(l2cap_debugfs);
bb58f747 5032 l2cap_cleanup_sockets();
1da177e4
LT		 5033}
5034
d1c4a17d
GP		 5035module_param(disable_ertm, bool, 0644);
5036MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)