projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Make l2cap_conless_channel return void
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
b501d6a1 39#include <net/bluetooth/smp.h>
97e8e89d 40#include <net/bluetooth/a2mp.h>
1da177e4 41
d1de6d46 42bool disable_ertm;
f0709e03 43
47ec1dcd 44static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 45static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 46
b5ad8b7f
JB		 47static LIST_HEAD(chan_list);
48static DEFINE_RWLOCK(chan_list_lock);
1da177e4 49
1da177e4
LT		 50static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
51 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 52static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
53 void *data);
710f9b0a 54static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a 55static void l2cap_send_disconn_req(struct l2cap_conn *conn,
c5daa683 56 struct l2cap_chan *chan, int err);
1da177e4 57
d660366d 58static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
608bcc6d
MM		 59 struct sk_buff_head *skbs, u8 event);
60
0139418c 61/* ---- L2CAP channels ---- */
71ba0e56 62
baa7e1fa 63static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 64{
3df91ea2 65 struct l2cap_chan *c;
3d57dc68 66
3df91ea2
AE		 67 list_for_each_entry(c, &conn->chan_l, list) {
68 if (c->dcid == cid)
69 return c;
0139418c 70 }
3df91ea2 71 return NULL;
0139418c
MH		 72}
73
baa7e1fa 74static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 75{
3df91ea2 76 struct l2cap_chan *c;
3d57dc68 77
3df91ea2
AE		 78 list_for_each_entry(c, &conn->chan_l, list) {
79 if (c->scid == cid)
80 return c;
0139418c 81 }
3df91ea2 82 return NULL;
0139418c
MH		 83}
84
85/* Find channel with given SCID.
ef191ade 86 * Returns locked channel. */
baa7e1fa 87static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 88{
48454079 89 struct l2cap_chan *c;
baa7e1fa 90
3df91ea2 91 mutex_lock(&conn->chan_lock);
baa7e1fa 92 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 93 if (c)
94 l2cap_chan_lock(c);
3df91ea2
AE		 95 mutex_unlock(&conn->chan_lock);
96
48454079 97 return c;
0139418c
MH		 98}
99
baa7e1fa 100static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 101{
3df91ea2 102 struct l2cap_chan *c;
3d57dc68 103
3df91ea2
AE		 104 list_for_each_entry(c, &conn->chan_l, list) {
105 if (c->ident == ident)
106 return c;
0139418c 107 }
3df91ea2 108 return NULL;
0139418c
MH		 109}
110
23691d75 111static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 112{
23691d75 113 struct l2cap_chan *c;
9e4425ff 114
23691d75
GP		 115 list_for_each_entry(c, &chan_list, global_l) {
116 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 117 return c;
9e4425ff 118 }
250938cb 119 return NULL;
9e4425ff
GP		 120}
121
122int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
123{
73b2ec18
GP		 124 int err;
125
333055f2 126 write_lock(&chan_list_lock);
9e4425ff 127
23691d75 128 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 129 err = -EADDRINUSE;
130 goto done;
9e4425ff
GP		 131 }
132
73b2ec18
GP		 133 if (psm) {
134 chan->psm = psm;
135 chan->sport = psm;
136 err = 0;
137 } else {
138 u16 p;
139
140 err = -EINVAL;
141 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 142 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 143 chan->psm = cpu_to_le16(p);
144 chan->sport = cpu_to_le16(p);
145 err = 0;
146 break;
147 }
148 }
9e4425ff 149
73b2ec18 150done:
333055f2 151 write_unlock(&chan_list_lock);
73b2ec18 152 return err;
9e4425ff
GP		 153}
154
155int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
156{
333055f2 157 write_lock(&chan_list_lock);
9e4425ff
GP		 158
159 chan->scid = scid;
160
333055f2 161 write_unlock(&chan_list_lock);
9e4425ff
GP		 162
163 return 0;
164}
165
baa7e1fa 166static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 167{
8db4dc46 168 u16 cid = L2CAP_CID_DYN_START;
0139418c 169
8db4dc46 170 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 171 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 172 return cid;
173 }
174
175 return 0;
176}
177
0e587be7 178static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 179{
42d2d87c 180 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
badaaa00
GP		 181 state_to_string(state));
182
89bc500e 183 chan->state = state;
80b98027 184 chan->ops->state_change(chan, state);
89bc500e
GP		 185}
186
0e587be7
AE		 187static void l2cap_state_change(struct l2cap_chan *chan, int state)
188{
189 struct sock *sk = chan->sk;
190
191 lock_sock(sk);
192 __l2cap_state_change(chan, state);
193 release_sock(sk);
194}
195
2e0052e4
AE		 196static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
197{
198 struct sock *sk = chan->sk;
199
200 sk->sk_err = err;
201}
202
203static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
204{
205 struct sock *sk = chan->sk;
206
207 lock_sock(sk);
208 __l2cap_chan_set_err(chan, err);
209 release_sock(sk);
210}
211
4239d16f
MM		 212static void __set_retrans_timer(struct l2cap_chan *chan)
213{
214 if (!delayed_work_pending(&chan->monitor_timer) &&
215 chan->retrans_timeout) {
216 l2cap_set_timer(chan, &chan->retrans_timer,
217 msecs_to_jiffies(chan->retrans_timeout));
218 }
219}
220
221static void __set_monitor_timer(struct l2cap_chan *chan)
222{
223 __clear_retrans_timer(chan);
224 if (chan->monitor_timeout) {
225 l2cap_set_timer(chan, &chan->monitor_timer,
226 msecs_to_jiffies(chan->monitor_timeout));
227 }
228}
229
608bcc6d
MM		 230static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
231 u16 seq)
232{
233 struct sk_buff *skb;
234
235 skb_queue_walk(head, skb) {
236 if (bt_cb(skb)->control.txseq == seq)
237 return skb;
238 }
239
240 return NULL;
241}
242
3c588192
MM		 243/* ---- L2CAP sequence number lists ---- */
244
245/* For ERTM, ordered lists of sequence numbers must be tracked for
246 * SREJ requests that are received and for frames that are to be
247 * retransmitted. These seq_list functions implement a singly-linked
248 * list in an array, where membership in the list can also be checked
249 * in constant time. Items can also be added to the tail of the list
250 * and removed from the head in constant time, without further memory
251 * allocs or frees.
252 */
253
254static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
255{
256 size_t alloc_size, i;
257
258 /* Allocated size is a power of 2 to map sequence numbers
259 * (which may be up to 14 bits) in to a smaller array that is
260 * sized for the negotiated ERTM transmit windows.
261 */
262 alloc_size = roundup_pow_of_two(size);
263
264 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
265 if (!seq_list->list)
266 return -ENOMEM;
267
268 seq_list->mask = alloc_size - 1;
269 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
270 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
271 for (i = 0; i < alloc_size; i++)
272 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
273
274 return 0;
275}
276
277static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
278{
279 kfree(seq_list->list);
280}
281
282static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
283 u16 seq)
284{
285 /* Constant-time check for list membership */
286 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
287}
288
289static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
290{
291 u16 mask = seq_list->mask;
292
293 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
294 /* In case someone tries to pop the head of an empty list */
295 return L2CAP_SEQ_LIST_CLEAR;
296 } else if (seq_list->head == seq) {
297 /* Head can be removed in constant time */
298 seq_list->head = seq_list->list[seq & mask];
299 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
300
301 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
302 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
303 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
304 }
305 } else {
306 /* Walk the list to find the sequence number */
307 u16 prev = seq_list->head;
308 while (seq_list->list[prev & mask] != seq) {
309 prev = seq_list->list[prev & mask];
310 if (prev == L2CAP_SEQ_LIST_TAIL)
311 return L2CAP_SEQ_LIST_CLEAR;
312 }
313
314 /* Unlink the number from the list and clear it */
315 seq_list->list[prev & mask] = seq_list->list[seq & mask];
316 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
317 if (seq_list->tail == seq)
318 seq_list->tail = prev;
319 }
320 return seq;
321}
322
323static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
324{
325 /* Remove the head in constant time */
326 return l2cap_seq_list_remove(seq_list, seq_list->head);
327}
328
329static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
330{
f522ae36 331 u16 i;
3c588192 332
f522ae36
GP		 333 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
334 return;
335
336 for (i = 0; i <= seq_list->mask; i++)
337 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
338
339 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
340 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 341}
342
343static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
344{
345 u16 mask = seq_list->mask;
346
347 /* All appends happen in constant time */
348
f522ae36
GP		 349 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
350 return;
3c588192 351
f522ae36
GP		 352 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
353 seq_list->head = seq;
354 else
355 seq_list->list[seq_list->tail & mask] = seq;
356
357 seq_list->tail = seq;
358 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 359}
360
721c4181 361static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 362{
721c4181
GP		 363 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
364 chan_timer.work);
3df91ea2 365 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 366 int reason;
367
e05dcc32 368 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 369
3df91ea2 370 mutex_lock(&conn->chan_lock);
6be36555 371 l2cap_chan_lock(chan);
ab07801d 372
89bc500e 373 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 374 reason = ECONNREFUSED;
89bc500e 375 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 376 chan->sec_level != BT_SECURITY_SDP)
377 reason = ECONNREFUSED;
378 else
379 reason = ETIMEDOUT;
380
0f852724 381 l2cap_chan_close(chan, reason);
ab07801d 382
6be36555 383 l2cap_chan_unlock(chan);
ab07801d 384
80b98027 385 chan->ops->close(chan);
3df91ea2
AE		 386 mutex_unlock(&conn->chan_lock);
387
371fd835 388 l2cap_chan_put(chan);
ab07801d
GP		 389}
390
eef1d9b6 391struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 392{
393 struct l2cap_chan *chan;
394
395 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
396 if (!chan)
397 return NULL;
398
c03b355e
AE		 399 mutex_init(&chan->lock);
400
333055f2 401 write_lock(&chan_list_lock);
23691d75 402 list_add(&chan->global_l, &chan_list);
333055f2 403 write_unlock(&chan_list_lock);
23691d75 404
721c4181 405 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 406
89bc500e
GP		 407 chan->state = BT_OPEN;
408
71ba0e56
GP		 409 atomic_set(&chan->refcnt, 1);
410
2827011f
MM		 411 /* This flag is cleared in l2cap_chan_ready() */
412 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
413
eef1d9b6 414 BT_DBG("chan %p", chan);
abc545b8 415
48454079
GP		 416 return chan;
417}
418
23691d75 419void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 420{
333055f2 421 write_lock(&chan_list_lock);
23691d75 422 list_del(&chan->global_l);
333055f2 423 write_unlock(&chan_list_lock);
23691d75 424
371fd835 425 l2cap_chan_put(chan);
6ff5abbf
GP		 426}
427
bd4b1653
AE		 428void l2cap_chan_set_defaults(struct l2cap_chan *chan)
429{
430 chan->fcs = L2CAP_FCS_CRC16;
431 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
432 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
433 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
434 chan->sec_level = BT_SECURITY_LOW;
435
436 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
437}
438
14a28491 439static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 440{
af05b30b 441 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 442 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 443
9f5a0d7b 444 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 445
8c1d787b 446 chan->conn = conn;
0139418c 447
5491120e
AE		 448 switch (chan->chan_type) {
449 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 450 if (conn->hcon->type == LE_LINK) {
451 /* LE connection */
0c1bc5c6 452 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 453 chan->scid = L2CAP_CID_LE_DATA;
454 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 455 } else {
456 /* Alloc CID for connection-oriented socket */
fe4128e0 457 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 458 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 459 }
5491120e
AE		 460 break;
461
462 case L2CAP_CHAN_CONN_LESS:
0139418c 463 /* Connectionless socket */
fe4128e0
GP		 464 chan->scid = L2CAP_CID_CONN_LESS;
465 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 466 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 467 break;
468
416fa752
AE		 469 case L2CAP_CHAN_CONN_FIX_A2MP:
470 chan->scid = L2CAP_CID_A2MP;
471 chan->dcid = L2CAP_CID_A2MP;
472 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
473 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
474 break;
475
5491120e 476 default:
0139418c 477 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 478 chan->scid = L2CAP_CID_SIGNALING;
479 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 480 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 481 }
482
8f7975b1
AE		 483 chan->local_id = L2CAP_BESTEFFORT_ID;
484 chan->local_stype = L2CAP_SERV_BESTEFFORT;
485 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
486 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
487 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
488 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
489
371fd835 490 l2cap_chan_hold(chan);
baa7e1fa 491
3df91ea2 492 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 493}
494
466f8004 495void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 496{
497 mutex_lock(&conn->chan_lock);
498 __l2cap_chan_add(conn, chan);
3df91ea2 499 mutex_unlock(&conn->chan_lock);
0139418c
MH		 500}
501
466f8004 502void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 503{
8c1d787b 504 struct l2cap_conn *conn = chan->conn;
0139418c 505
c9b66675 506 __clear_chan_timer(chan);
0139418c 507
49208c9c 508 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 509
8e87d142 510 if (conn) {
baa7e1fa 511 /* Delete from channel list */
3df91ea2 512 list_del(&chan->list);
3d57dc68 513
371fd835 514 l2cap_chan_put(chan);
baa7e1fa 515
8c1d787b 516 chan->conn = NULL;
3cabbfda
AE		 517
518 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
519 hci_conn_put(conn->hcon);
0139418c
MH		 520 }
521
c0df7f6e
AE		 522 if (chan->ops->teardown)
523 chan->ops->teardown(chan, err);
6be36555 524
2827011f 525 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 526 return;
2ead70b8 527
ee556f66
GP		 528 switch(chan->mode) {
529 case L2CAP_MODE_BASIC:
530 break;
c13ffa62 531
ee556f66 532 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 533 __clear_retrans_timer(chan);
534 __clear_monitor_timer(chan);
535 __clear_ack_timer(chan);
c13ffa62 536
f1c6775b 537 skb_queue_purge(&chan->srej_q);
c13ffa62 538
3c588192
MM		 539 l2cap_seq_list_free(&chan->srej_list);
540 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 541
542 /* fall through */
543
544 case L2CAP_MODE_STREAMING:
545 skb_queue_purge(&chan->tx_q);
546 break;
c13ffa62 547 }
ee556f66
GP		 548
549 return;
0139418c
MH		 550}
551
0f852724 552void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 553{
554 struct l2cap_conn *conn = chan->conn;
555 struct sock *sk = chan->sk;
556
e05dcc32
AE		 557 BT_DBG("chan %p state %s sk %p", chan,
558 state_to_string(chan->state), sk);
4519de9a 559
89bc500e 560 switch (chan->state) {
4519de9a 561 case BT_LISTEN:
c0df7f6e
AE		 562 if (chan->ops->teardown)
563 chan->ops->teardown(chan, 0);
4519de9a
GP		 564 break;
565
566 case BT_CONNECTED:
567 case BT_CONFIG:
715ec005 568 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 569 conn->hcon->type == ACL_LINK) {
c9b66675 570 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 571 l2cap_send_disconn_req(conn, chan, reason);
572 } else
573 l2cap_chan_del(chan, reason);
574 break;
575
576 case BT_CONNECT2:
715ec005 577 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 578 conn->hcon->type == ACL_LINK) {
579 struct l2cap_conn_rsp rsp;
580 __u16 result;
581
c5daa683 582 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 583 result = L2CAP_CR_SEC_BLOCK;
584 else
585 result = L2CAP_CR_BAD_PSM;
89bc500e 586 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 587
588 rsp.scid = cpu_to_le16(chan->dcid);
589 rsp.dcid = cpu_to_le16(chan->scid);
590 rsp.result = cpu_to_le16(result);
ac73498c 591 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4519de9a
GP		 592 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
593 sizeof(rsp), &rsp);
594 }
595
596 l2cap_chan_del(chan, reason);
597 break;
598
599 case BT_CONNECT:
600 case BT_DISCONN:
601 l2cap_chan_del(chan, reason);
602 break;
603
604 default:
c0df7f6e
AE		 605 if (chan->ops->teardown)
606 chan->ops->teardown(chan, 0);
4519de9a
GP		 607 break;
608 }
609}
610
4343478f 611static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 612{
715ec005 613 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 614 switch (chan->sec_level) {
8556edd3
JH		 615 case BT_SECURITY_HIGH:
616 return HCI_AT_DEDICATED_BONDING_MITM;
617 case BT_SECURITY_MEDIUM:
618 return HCI_AT_DEDICATED_BONDING;
619 default:
620 return HCI_AT_NO_BONDING;
621 }
2983fd68 622 } else if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
4343478f
GP		 623 if (chan->sec_level == BT_SECURITY_LOW)
624 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 625
4343478f 626 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 627 return HCI_AT_NO_BONDING_MITM;
00ae4af9 628 else
8556edd3 629 return HCI_AT_NO_BONDING;
00ae4af9 630 } else {
4343478f 631 switch (chan->sec_level) {
00ae4af9 632 case BT_SECURITY_HIGH:
8556edd3 633 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 634 case BT_SECURITY_MEDIUM:
8556edd3 635 return HCI_AT_GENERAL_BONDING;
00ae4af9 636 default:
8556edd3 637 return HCI_AT_NO_BONDING;
00ae4af9 638 }
0684e5f9 639 }
8556edd3
JH		 640}
641
642/* Service level security */
d45fc423 643int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 644{
8c1d787b 645 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 646 __u8 auth_type;
647
4343478f 648 auth_type = l2cap_get_auth_type(chan);
79d554a6 649
4343478f 650 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 651}
652
b5ad8b7f 653static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 654{
655 u8 id;
656
657 /* Get next available identificator.
658 * 1 - 128 are used by kernel.
659 * 129 - 199 are reserved.
660 * 200 - 254 are used by utilities like l2ping, etc.
661 */
662
333055f2 663 spin_lock(&conn->lock);
4e8402a3
MH		 664
665 if (++conn->tx_ident > 128)
666 conn->tx_ident = 1;
667
668 id = conn->tx_ident;
669
333055f2 670 spin_unlock(&conn->lock);
4e8402a3
MH		 671
672 return id;
673}
674
4519de9a 675static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 676{
677 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 678 u8 flags;
4e8402a3
MH		 679
680 BT_DBG("code 0x%2.2x", code);
681
682 if (!skb)
9a9c6a34 683 return;
4e8402a3 684
e702112f
AE		 685 if (lmp_no_flush_capable(conn->hcon->hdev))
686 flags = ACL_START_NO_FLUSH;
687 else
688 flags = ACL_START;
689
14b12d0b 690 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 691 skb->priority = HCI_PRIO_MAX;
14b12d0b 692
73d80deb
LAD		 693 hci_send_acl(conn->hchan, skb, flags);
694}
695
696static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
697{
698 struct hci_conn *hcon = chan->conn->hcon;
699 u16 flags;
700
701 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
702 skb->priority);
703
704 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
705 lmp_no_flush_capable(hcon->hdev))
706 flags = ACL_START_NO_FLUSH;
707 else
708 flags = ACL_START;
14b12d0b 709
73d80deb
LAD		 710 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
711 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 712}
713
b76bbd66
MM		 714static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
715{
716 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
717 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
718
719 if (enh & L2CAP_CTRL_FRAME_TYPE) {
720 /* S-Frame */
721 control->sframe = 1;
722 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
723 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
724
725 control->sar = 0;
726 control->txseq = 0;
727 } else {
728 /* I-Frame */
729 control->sframe = 0;
730 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
731 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
732
733 control->poll = 0;
734 control->super = 0;
735 }
736}
737
b76bbd66
MM		 738static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
739{
740 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
741 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
742
743 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
744 /* S-Frame */
745 control->sframe = 1;
746 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
747 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
748
749 control->sar = 0;
750 control->txseq = 0;
751 } else {
752 /* I-Frame */
753 control->sframe = 0;
754 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
755 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
756
757 control->poll = 0;
758 control->super = 0;
759 }
760}
761
762static inline void __unpack_control(struct l2cap_chan *chan,
763 struct sk_buff *skb)
764{
765 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
766 __unpack_extended_control(get_unaligned_le32(skb->data),
767 &bt_cb(skb)->control);
cec8ab6e 768 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 769 } else {
770 __unpack_enhanced_control(get_unaligned_le16(skb->data),
771 &bt_cb(skb)->control);
cec8ab6e 772 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 773 }
774}
775
b5c6aaed
MM		 776static u32 __pack_extended_control(struct l2cap_ctrl *control)
777{
778 u32 packed;
779
780 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
781 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
782
783 if (control->sframe) {
784 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
785 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
786 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
787 } else {
788 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
789 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
790 }
791
792 return packed;
793}
794
795static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
796{
797 u16 packed;
798
799 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
800 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
801
802 if (control->sframe) {
803 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
804 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
805 packed |= L2CAP_CTRL_FRAME_TYPE;
806 } else {
807 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
808 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
809 }
810
811 return packed;
812}
813
b76bbd66
MM		 814static inline void __pack_control(struct l2cap_chan *chan,
815 struct l2cap_ctrl *control,
816 struct sk_buff *skb)
817{
818 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
819 put_unaligned_le32(__pack_extended_control(control),
820 skb->data + L2CAP_HDR_SIZE);
821 } else {
822 put_unaligned_le16(__pack_enhanced_control(control),
823 skb->data + L2CAP_HDR_SIZE);
824 }
825}
826
a67d7f6f
MM		 827static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
828 u32 control)
b5c6aaed
MM		 829{
830 struct sk_buff *skb;
831 struct l2cap_hdr *lh;
a67d7f6f 832 int hlen;
b5c6aaed
MM		 833
834 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
835 hlen = L2CAP_EXT_HDR_SIZE;
836 else
837 hlen = L2CAP_ENH_HDR_SIZE;
838
839 if (chan->fcs == L2CAP_FCS_CRC16)
840 hlen += L2CAP_FCS_SIZE;
841
a67d7f6f 842 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 843
b5c6aaed 844 if (!skb)
a67d7f6f 845 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 846
847 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
848 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
849 lh->cid = cpu_to_le16(chan->dcid);
850
a67d7f6f
MM		 851 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
852 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
853 else
854 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 855
856 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 857 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 858 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
859 }
860
861 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 862 return skb;
863}
864
865static void l2cap_send_sframe(struct l2cap_chan *chan,
866 struct l2cap_ctrl *control)
867{
868 struct sk_buff *skb;
869 u32 control_field;
870
871 BT_DBG("chan %p, control %p", chan, control);
872
873 if (!control->sframe)
874 return;
875
876 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
877 !control->poll)
878 control->final = 1;
879
880 if (control->super == L2CAP_SUPER_RR)
881 clear_bit(CONN_RNR_SENT, &chan->conn_state);
882 else if (control->super == L2CAP_SUPER_RNR)
883 set_bit(CONN_RNR_SENT, &chan->conn_state);
884
885 if (control->super != L2CAP_SUPER_SREJ) {
886 chan->last_acked_seq = control->reqseq;
887 __clear_ack_timer(chan);
888 }
889
890 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
891 control->final, control->poll, control->super);
892
893 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
894 control_field = __pack_extended_control(control);
895 else
896 control_field = __pack_enhanced_control(control);
897
898 skb = l2cap_create_sframe_pdu(chan, control_field);
899 if (!IS_ERR(skb))
900 l2cap_do_send(chan, skb);
b5c6aaed
MM		 901}
902
c9e3d5e0 903static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 904{
c9e3d5e0
MM		 905 struct l2cap_ctrl control;
906
907 BT_DBG("chan %p, poll %d", chan, poll);
908
909 memset(&control, 0, sizeof(control));
910 control.sframe = 1;
911 control.poll = poll;
912
913 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
914 control.super = L2CAP_SUPER_RNR;
915 else
916 control.super = L2CAP_SUPER_RR;
b5c6aaed 917
c9e3d5e0
MM		 918 control.reqseq = chan->buffer_seq;
919 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 920}
921
b4450035 922static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 923{
c1360a1c 924 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 925}
926
9b27f350
AE		 927static void l2cap_send_conn_req(struct l2cap_chan *chan)
928{
929 struct l2cap_conn *conn = chan->conn;
930 struct l2cap_conn_req req;
931
932 req.scid = cpu_to_le16(chan->scid);
933 req.psm = chan->psm;
934
935 chan->ident = l2cap_get_ident(conn);
936
937 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
938
939 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
940}
941
9f0caeb1
VCG		 942static void l2cap_chan_ready(struct l2cap_chan *chan)
943{
2827011f 944 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 945 chan->conf_state = 0;
946 __clear_chan_timer(chan);
947
54a59aa2 948 chan->state = BT_CONNECTED;
9f0caeb1 949
fd83e2c2 950 chan->ops->ready(chan);
9f0caeb1
VCG		 951}
952
fc7f8a7e 953static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 954{
8c1d787b 955 struct l2cap_conn *conn = chan->conn;
79d554a6 956
9f0caeb1
VCG		 957 if (conn->hcon->type == LE_LINK) {
958 l2cap_chan_ready(chan);
959 return;
960 }
961
79d554a6 962 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 963 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
964 return;
965
d45fc423 966 if (l2cap_chan_check_security(chan) &&
9b27f350
AE		 967 __l2cap_no_conn_pending(chan))
968 l2cap_send_conn_req(chan);
79d554a6
MH		 969 } else {
970 struct l2cap_info_req req;
ac73498c 971 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 972
973 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
974 conn->info_ident = l2cap_get_ident(conn);
975
ba13ccd9 976 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 977
978 l2cap_send_cmd(conn, conn->info_ident,
979 L2CAP_INFO_REQ, sizeof(req), &req);
980 }
981}
982
cf6c2c0b
GP		 983static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
984{
985 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 986 if (!disable_ertm)
cf6c2c0b
GP		 987 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
988
989 switch (mode) {
990 case L2CAP_MODE_ERTM:
991 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
992 case L2CAP_MODE_STREAMING:
993 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
994 default:
995 return 0x00;
996 }
997}
998
4519de9a 999static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 1000{
6be36555 1001 struct sock *sk = chan->sk;
22121fc9
GP		 1002 struct l2cap_disconn_req req;
1003
c13ffa62
GP		 1004 if (!conn)
1005 return;
1006
0c1bc5c6 1007 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 1008 __clear_retrans_timer(chan);
1009 __clear_monitor_timer(chan);
1010 __clear_ack_timer(chan);
c13ffa62
GP		 1011 }
1012
416fa752
AE		 1013 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1014 __l2cap_state_change(chan, BT_DISCONN);
1015 return;
1016 }
1017
fe4128e0
GP		 1018 req.dcid = cpu_to_le16(chan->dcid);
1019 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 1020 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1021 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 1022
6be36555 1023 lock_sock(sk);
0e587be7 1024 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1025 __l2cap_chan_set_err(chan, err);
6be36555 1026 release_sock(sk);
22121fc9
GP		 1027}
1028
1da177e4 1029/* ---- L2CAP connections ---- */
4e8402a3
MH		 1030static void l2cap_conn_start(struct l2cap_conn *conn)
1031{
3df91ea2 1032 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1033
1034 BT_DBG("conn %p", conn);
1035
3df91ea2 1036 mutex_lock(&conn->chan_lock);
4e8402a3 1037
3df91ea2 1038 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1039 struct sock *sk = chan->sk;
baa7e1fa 1040
6be36555 1041 l2cap_chan_lock(chan);
4e8402a3 1042
715ec005 1043 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1044 l2cap_chan_unlock(chan);
79d554a6
MH		 1045 continue;
1046 }
1047
89bc500e 1048 if (chan->state == BT_CONNECT) {
d45fc423 1049 if (!l2cap_chan_check_security(chan) ||
b4450035 1050 !__l2cap_no_conn_pending(chan)) {
6be36555 1051 l2cap_chan_unlock(chan);
47731de7
GP		 1052 continue;
1053 }
79d554a6 1054
c1360a1c
GP		 1055 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1056 && test_bit(CONF_STATE2_DEVICE,
1057 &chan->conf_state)) {
89bc500e 1058 l2cap_chan_close(chan, ECONNRESET);
6be36555 1059 l2cap_chan_unlock(chan);
47731de7 1060 continue;
b1235d79 1061 }
47731de7 1062
9b27f350 1063 l2cap_send_conn_req(chan);
47731de7 1064
89bc500e 1065 } else if (chan->state == BT_CONNECT2) {
79d554a6 1066 struct l2cap_conn_rsp rsp;
e9aeb2dd 1067 char buf[128];
fe4128e0
GP		 1068 rsp.scid = cpu_to_le16(chan->dcid);
1069 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1070
d45fc423 1071 if (l2cap_chan_check_security(chan)) {
6be36555 1072 lock_sock(sk);
c5daa683
GP		 1073 if (test_bit(BT_SK_DEFER_SETUP,
1074 &bt_sk(sk)->flags)) {
f66dc81f 1075 struct sock *parent = bt_sk(sk)->parent;
ac73498c
AE		 1076 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1077 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 1078 if (parent)
1079 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 1080
1081 } else {
0e587be7 1082 __l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1083 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1084 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1085 }
6be36555 1086 release_sock(sk);
79d554a6 1087 } else {
ac73498c
AE		 1088 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1089 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1090 }
1091
fc7f8a7e
GP		 1092 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1093 sizeof(rsp), &rsp);
e9aeb2dd 1094
c1360a1c 1095 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd 1096 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1097 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1098 continue;
1099 }
1100
c1360a1c 1101 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1102 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 1103 l2cap_build_conf_req(chan, buf), buf);
1104 chan->num_conf_req++;
4e8402a3
MH		 1105 }
1106
6be36555 1107 l2cap_chan_unlock(chan);
4e8402a3
MH		 1108 }
1109
3df91ea2 1110 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1111}
1112
c2287681 1113/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1114 * Returns closest match, locked.
1115 */
d9b88702 1116static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1117 bdaddr_t *src,
1118 bdaddr_t *dst)
b62f328b 1119{
23691d75 1120 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1121
23691d75 1122 read_lock(&chan_list_lock);
b62f328b 1123
23691d75
GP		 1124 list_for_each_entry(c, &chan_list, global_l) {
1125 struct sock *sk = c->sk;
fe4128e0 1126
89bc500e 1127 if (state && c->state != state)
b62f328b
VT		 1128 continue;
1129
23691d75 1130 if (c->scid == cid) {
c2287681
IY		 1131 int src_match, dst_match;
1132 int src_any, dst_any;
1133
b62f328b 1134 /* Exact match. */
c2287681
IY		 1135 src_match = !bacmp(&bt_sk(sk)->src, src);
1136 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1137 if (src_match && dst_match) {
23691d75
GP		 1138 read_unlock(&chan_list_lock);
1139 return c;
1140 }
b62f328b
VT		 1141
1142 /* Closest match */
c2287681
IY		 1143 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1144 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1145 if ((src_match && dst_any) || (src_any && dst_match) ||
1146 (src_any && dst_any))
23691d75 1147 c1 = c;
b62f328b
VT		 1148 }
1149 }
280f294f 1150
23691d75 1151 read_unlock(&chan_list_lock);
b62f328b 1152
23691d75 1153 return c1;
b62f328b
VT		 1154}
1155
1156static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1157{
c916fbe4 1158 struct sock *parent, *sk;
23691d75 1159 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1160
1161 BT_DBG("");
1162
1163 /* Check if we have socket listening on cid */
23691d75 1164 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1165 conn->src, conn->dst);
23691d75 1166 if (!pchan)
b62f328b
VT		 1167 return;
1168
23691d75
GP		 1169 parent = pchan->sk;
1170
aa2ac881 1171 lock_sock(parent);
62f3a2cf 1172
80b98027 1173 chan = pchan->ops->new_connection(pchan);
80808e43 1174 if (!chan)
b62f328b
VT		 1175 goto clean;
1176
80808e43 1177 sk = chan->sk;
5d41ce1d 1178
b62f328b
VT		 1179 hci_conn_hold(conn->hcon);
1180
b62f328b
VT		 1181 bacpy(&bt_sk(sk)->src, conn->src);
1182 bacpy(&bt_sk(sk)->dst, conn->dst);
1183
d1010240
GP		 1184 bt_accept_enqueue(parent, sk);
1185
3d57dc68 1186 l2cap_chan_add(conn, chan);
48454079 1187
6754e0df 1188 l2cap_chan_ready(chan);
b62f328b 1189
b62f328b 1190clean:
aa2ac881 1191 release_sock(parent);
b62f328b
VT		 1192}
1193
4e8402a3
MH		 1194static void l2cap_conn_ready(struct l2cap_conn *conn)
1195{
48454079 1196 struct l2cap_chan *chan;
4e8402a3 1197
79d554a6 1198 BT_DBG("conn %p", conn);
4e8402a3 1199
b62f328b
VT		 1200 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
1201 l2cap_le_conn_ready(conn);
1202
160dc6ac
VCG		 1203 if (conn->hcon->out && conn->hcon->type == LE_LINK)
1204 smp_conn_security(conn, conn->hcon->pending_sec_level);
1205
3df91ea2 1206 mutex_lock(&conn->chan_lock);
4e8402a3 1207
3df91ea2 1208 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1209
6be36555 1210 l2cap_chan_lock(chan);
4e8402a3 1211
416fa752
AE		 1212 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1213 l2cap_chan_unlock(chan);
1214 continue;
1215 }
1216
63128451 1217 if (conn->hcon->type == LE_LINK) {
b501d6a1 1218 if (smp_conn_security(conn, chan->sec_level))
cf4cd009 1219 l2cap_chan_ready(chan);
acd7d370 1220
63128451 1221 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1222 struct sock *sk = chan->sk;
c9b66675 1223 __clear_chan_timer(chan);
6be36555 1224 lock_sock(sk);
0e587be7 1225 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1226 sk->sk_state_change(sk);
6be36555 1227 release_sock(sk);
b501d6a1 1228
89bc500e 1229 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1230 l2cap_do_start(chan);
4e8402a3 1231
6be36555 1232 l2cap_chan_unlock(chan);
4e8402a3 1233 }
79d554a6 1234
3df91ea2 1235 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1236}
1237
1238/* Notify sockets that we cannot guaranty reliability anymore */
1239static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1240{
48454079 1241 struct l2cap_chan *chan;
4e8402a3
MH		 1242
1243 BT_DBG("conn %p", conn);
1244
3df91ea2 1245 mutex_lock(&conn->chan_lock);
4e8402a3 1246
3df91ea2 1247 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1248 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
2e0052e4 1249 __l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1250 }
1251
3df91ea2 1252 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1253}
1254
f878fcad 1255static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1256{
f878fcad 1257 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
030013d8 1258 info_timer.work);
4e8402a3 1259
984947dc 1260 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1261 conn->info_ident = 0;
984947dc 1262
4e8402a3
MH		 1263 l2cap_conn_start(conn);
1264}
1265
5d3de7df
VCG		 1266static void l2cap_conn_del(struct hci_conn *hcon, int err)
1267{
1268 struct l2cap_conn *conn = hcon->l2cap_data;
1269 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1270
1271 if (!conn)
1272 return;
1273
1274 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1275
1276 kfree_skb(conn->rx_skb);
1277
3df91ea2
AE		 1278 mutex_lock(&conn->chan_lock);
1279
5d3de7df
VCG		 1280 /* Kill channels */
1281 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1282 l2cap_chan_hold(chan);
6be36555
AE		 1283 l2cap_chan_lock(chan);
1284
5d3de7df 1285 l2cap_chan_del(chan, err);
6be36555
AE		 1286
1287 l2cap_chan_unlock(chan);
1288
80b98027 1289 chan->ops->close(chan);
61d6ef3e 1290 l2cap_chan_put(chan);
5d3de7df
VCG		 1291 }
1292
3df91ea2
AE		 1293 mutex_unlock(&conn->chan_lock);
1294
73d80deb
LAD		 1295 hci_chan_del(conn->hchan);
1296
5d3de7df 1297 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1298 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1299
51a8efd7 1300 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1301 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1302 smp_chan_destroy(conn);
d26a2345 1303 }
5d3de7df
VCG		 1304
1305 hcon->l2cap_data = NULL;
1306 kfree(conn);
1307}
1308
6c9d42a1 1309static void security_timeout(struct work_struct *work)
5d3de7df 1310{
6c9d42a1
GP		 1311 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1312 security_timer.work);
5d3de7df
VCG		 1313
1314 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1315}
1316
1da177e4
LT		 1317static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1318{
0139418c 1319 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1320 struct hci_chan *hchan;
1da177e4 1321
0139418c 1322 if (conn || status)
1da177e4
LT		 1323 return conn;
1324
73d80deb
LAD		 1325 hchan = hci_chan_create(hcon);
1326 if (!hchan)
1327 return NULL;
1328
0139418c 1329 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
73d80deb
LAD		 1330 if (!conn) {
1331 hci_chan_del(hchan);
1da177e4 1332 return NULL;
73d80deb 1333 }
1da177e4
LT		 1334
1335 hcon->l2cap_data = conn;
1336 conn->hcon = hcon;
73d80deb 1337 conn->hchan = hchan;
1da177e4 1338
73d80deb 1339 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1340
acd7d370
VT		 1341 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1342 conn->mtu = hcon->hdev->le_mtu;
1343 else
1344 conn->mtu = hcon->hdev->acl_mtu;
1345
1da177e4
LT		 1346 conn->src = &hcon->hdev->bdaddr;
1347 conn->dst = &hcon->dst;
1348
4e8402a3
MH		 1349 conn->feat_mask = 0;
1350
1da177e4 1351 spin_lock_init(&conn->lock);
3df91ea2 1352 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1353
1354 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1355
5d3de7df 1356 if (hcon->type == LE_LINK)
6c9d42a1 1357 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1358 else
030013d8 1359 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1360
9f5a0d7b 1361 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1362
1da177e4
LT		 1363 return conn;
1364}
1365
1da177e4 1366/* ---- Socket interface ---- */
1da177e4 1367
c2287681 1368/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1369 * Returns closest match.
1370 */
c2287681
IY		 1371static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1372 bdaddr_t *src,
1373 bdaddr_t *dst)
1da177e4 1374{
23691d75 1375 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1376
23691d75 1377 read_lock(&chan_list_lock);
e0f0cb56 1378
23691d75
GP		 1379 list_for_each_entry(c, &chan_list, global_l) {
1380 struct sock *sk = c->sk;
fe4128e0 1381
89bc500e 1382 if (state && c->state != state)
1da177e4
LT		 1383 continue;
1384
23691d75 1385 if (c->psm == psm) {
c2287681
IY		 1386 int src_match, dst_match;
1387 int src_any, dst_any;
1388
1da177e4 1389 /* Exact match. */
c2287681
IY		 1390 src_match = !bacmp(&bt_sk(sk)->src, src);
1391 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1392 if (src_match && dst_match) {
a7567b20 1393 read_unlock(&chan_list_lock);
23691d75
GP		 1394 return c;
1395 }
1da177e4
LT		 1396
1397 /* Closest match */
c2287681
IY		 1398 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1399 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1400 if ((src_match && dst_any) || (src_any && dst_match) ||
1401 (src_any && dst_any))
23691d75 1402 c1 = c;
1da177e4
LT		 1403 }
1404 }
1da177e4 1405
23691d75 1406 read_unlock(&chan_list_lock);
e0f0cb56 1407
23691d75 1408 return c1;
1da177e4
LT		 1409}
1410
8e9f9892
AG		 1411int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1412 bdaddr_t *dst, u8 dst_type)
1da177e4 1413{
5d41ce1d 1414 struct sock *sk = chan->sk;
1da177e4 1415 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1416 struct l2cap_conn *conn;
1417 struct hci_conn *hcon;
1418 struct hci_dev *hdev;
09ab6f4c 1419 __u8 auth_type;
44d0e48e 1420 int err;
1da177e4 1421
8e9f9892
AG		 1422 BT_DBG("%s -> %s (type %u) psm 0x%2.2x", batostr(src), batostr(dst),
1423 dst_type, __le16_to_cpu(chan->psm));
1da177e4 1424
af05b30b
GP		 1425 hdev = hci_get_route(dst, src);
1426 if (!hdev)
1da177e4
LT		 1427 return -EHOSTUNREACH;
1428
09fd0de5 1429 hci_dev_lock(hdev);
1da177e4 1430
6be36555 1431 l2cap_chan_lock(chan);
03a00194
GP		 1432
1433 /* PSM must be odd and lsb of upper byte must be 0 */
1434 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1435 chan->chan_type != L2CAP_CHAN_RAW) {
1436 err = -EINVAL;
1437 goto done;
1438 }
1439
1440 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1441 err = -EINVAL;
1442 goto done;
1443 }
1444
1445 switch (chan->mode) {
1446 case L2CAP_MODE_BASIC:
1447 break;
1448 case L2CAP_MODE_ERTM:
1449 case L2CAP_MODE_STREAMING:
1450 if (!disable_ertm)
1451 break;
1452 /* fall through */
1453 default:
1454 err = -ENOTSUPP;
1455 goto done;
1456 }
1457
0797e01d 1458 switch (chan->state) {
03a00194
GP		 1459 case BT_CONNECT:
1460 case BT_CONNECT2:
1461 case BT_CONFIG:
1462 /* Already connecting */
1463 err = 0;
1464 goto done;
1465
1466 case BT_CONNECTED:
1467 /* Already connected */
1468 err = -EISCONN;
1469 goto done;
1470
1471 case BT_OPEN:
1472 case BT_BOUND:
1473 /* Can connect */
1474 break;
1475
1476 default:
1477 err = -EBADFD;
1478 goto done;
1479 }
1480
1481 /* Set destination address and psm */
0797e01d 1482 lock_sock(sk);
9219b2a0 1483 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1484 release_sock(sk);
1485
03a00194
GP		 1486 chan->psm = psm;
1487 chan->dcid = cid;
1da177e4 1488
4343478f 1489 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1490
fe4128e0 1491 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1492 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1493 chan->sec_level, auth_type);
acd7d370 1494 else
8e9f9892 1495 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1496 chan->sec_level, auth_type);
acd7d370 1497
30e76272
VT		 1498 if (IS_ERR(hcon)) {
1499 err = PTR_ERR(hcon);
1da177e4 1500 goto done;
30e76272 1501 }
1da177e4
LT		 1502
1503 conn = l2cap_conn_add(hcon, 0);
1504 if (!conn) {
1505 hci_conn_put(hcon);
30e76272 1506 err = -ENOMEM;
1da177e4
LT		 1507 goto done;
1508 }
1509
9f0caeb1
VCG		 1510 if (hcon->type == LE_LINK) {
1511 err = 0;
1512
1513 if (!list_empty(&conn->chan_l)) {
1514 err = -EBUSY;
1515 hci_conn_put(hcon);
1516 }
1517
1518 if (err)
1519 goto done;
1520 }
1521
1da177e4
LT		 1522 /* Update source addr of the socket */
1523 bacpy(src, conn->src);
1524
6be36555 1525 l2cap_chan_unlock(chan);
48454079 1526 l2cap_chan_add(conn, chan);
6be36555 1527 l2cap_chan_lock(chan);
48454079 1528
6be36555 1529 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1530 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1531
1532 if (hcon->state == BT_CONNECTED) {
715ec005 1533 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1534 __clear_chan_timer(chan);
d45fc423 1535 if (l2cap_chan_check_security(chan))
6be36555 1536 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1537 } else
fc7f8a7e 1538 l2cap_do_start(chan);
1da177e4
LT		 1539 }
1540
30e76272
VT		 1541 err = 0;
1542
1da177e4 1543done:
6be36555 1544 l2cap_chan_unlock(chan);
09fd0de5 1545 hci_dev_unlock(hdev);
1da177e4
LT		 1546 hci_dev_put(hdev);
1547 return err;
1548}
1549
dcba0dba 1550int __l2cap_wait_ack(struct sock *sk)
6161c038 1551{
8c1d787b 1552 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1553 DECLARE_WAITQUEUE(wait, current);
1554 int err = 0;
1555 int timeo = HZ/5;
1556
2b0b05dd 1557 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1558 set_current_state(TASK_INTERRUPTIBLE);
1559 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1560 if (!timeo)
1561 timeo = HZ/5;
1562
1563 if (signal_pending(current)) {
1564 err = sock_intr_errno(timeo);
1565 break;
1566 }
1567
1568 release_sock(sk);
1569 timeo = schedule_timeout(timeo);
1570 lock_sock(sk);
a71a0cf4 1571 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1572
1573 err = sock_error(sk);
1574 if (err)
1575 break;
1576 }
1577 set_current_state(TASK_RUNNING);
2b0b05dd 1578 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1579 return err;
1580}
1581
721c4181 1582static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1583{
721c4181 1584 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1585 monitor_timer.work);
e90bac06 1586
525cd185 1587 BT_DBG("chan %p", chan);
0e98958d 1588
6be36555
AE		 1589 l2cap_chan_lock(chan);
1590
80909e04 1591 if (!chan->conn) {
6be36555 1592 l2cap_chan_unlock(chan);
8d7e1c7f 1593 l2cap_chan_put(chan);
e90bac06
GP		 1594 return;
1595 }
1596
401bb1f7 1597 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1598
6be36555 1599 l2cap_chan_unlock(chan);
8d7e1c7f 1600 l2cap_chan_put(chan);
e90bac06
GP		 1601}
1602
721c4181 1603static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1604{
721c4181 1605 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1606 retrans_timer.work);
e90bac06 1607
49208c9c 1608 BT_DBG("chan %p", chan);
0e98958d 1609
6be36555
AE		 1610 l2cap_chan_lock(chan);
1611
80909e04
MM		 1612 if (!chan->conn) {
1613 l2cap_chan_unlock(chan);
1614 l2cap_chan_put(chan);
1615 return;
1616 }
6be36555 1617
401bb1f7 1618 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1619 l2cap_chan_unlock(chan);
8d7e1c7f 1620 l2cap_chan_put(chan);
e90bac06
GP		 1621}
1622
d660366d
GP		 1623static void l2cap_streaming_send(struct l2cap_chan *chan,
1624 struct sk_buff_head *skbs)
6840ed07 1625{
ccbb84af 1626 struct sk_buff *skb;
3733937d 1627 struct l2cap_ctrl *control;
6840ed07 1628
3733937d
MM		 1629 BT_DBG("chan %p, skbs %p", chan, skbs);
1630
3733937d
MM		 1631 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1632
1633 while (!skb_queue_empty(&chan->tx_q)) {
1634
1635 skb = skb_dequeue(&chan->tx_q);
1636
1637 bt_cb(skb)->control.retries = 1;
1638 control = &bt_cb(skb)->control;
1639
1640 control->reqseq = 0;
1641 control->txseq = chan->next_tx_seq;
1642
1643 __pack_control(chan, control, skb);
6840ed07 1644
47d1ec61 1645 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1646 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1647 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1648 }
1649
4343478f 1650 l2cap_do_send(chan, skb);
6840ed07 1651
3733937d
MM		 1652 BT_DBG("Sent txseq %d", (int)control->txseq);
1653
836be934 1654 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1655 chan->frames_sent++;
6840ed07 1656 }
6840ed07
GP		 1657}
1658
67c9e840 1659static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1660{
1661 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1662 struct l2cap_ctrl *control;
1663 int sent = 0;
1664
1665 BT_DBG("chan %p", chan);
1c2acffb 1666
89bc500e 1667 if (chan->state != BT_CONNECTED)
c13ffa62 1668 return -ENOTCONN;
e90bac06 1669
94122bbe
MM		 1670 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1671 return 0;
1672
18a48e76
MM		 1673 while (chan->tx_send_head &&
1674 chan->unacked_frames < chan->remote_tx_win &&
1675 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1676
18a48e76 1677 skb = chan->tx_send_head;
e90bac06 1678
18a48e76
MM		 1679 bt_cb(skb)->control.retries = 1;
1680 control = &bt_cb(skb)->control;
95ffa978 1681
e2ab4353 1682 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1683 control->final = 1;
e2ab4353 1684
18a48e76
MM		 1685 control->reqseq = chan->buffer_seq;
1686 chan->last_acked_seq = chan->buffer_seq;
1687 control->txseq = chan->next_tx_seq;
1c2acffb 1688
18a48e76 1689 __pack_control(chan, control, skb);
e90bac06 1690
47d1ec61 1691 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1692 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1693 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1694 }
1695
18a48e76
MM		 1696 /* Clone after data has been modified. Data is assumed to be
1697 read-only (for locking purposes) on cloned sk_buffs.
1698 */
1699 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1700
18a48e76
MM		 1701 if (!tx_skb)
1702 break;
1c2acffb 1703
18a48e76 1704 __set_retrans_timer(chan);
836be934
AE		 1705
1706 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1707 chan->unacked_frames++;
6a026610 1708 chan->frames_sent++;
18a48e76 1709 sent++;
1c2acffb 1710
58d35f87
GP		 1711 if (skb_queue_is_last(&chan->tx_q, skb))
1712 chan->tx_send_head = NULL;
1c2acffb 1713 else
58d35f87 1714 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1715
1716 l2cap_do_send(chan, tx_skb);
1717 BT_DBG("Sent txseq %d", (int)control->txseq);
1c2acffb
GP		 1718 }
1719
18a48e76
MM		 1720 BT_DBG("Sent %d, %d unacked, %d in ERTM queue", sent,
1721 (int) chan->unacked_frames, skb_queue_len(&chan->tx_q));
1722
1723 return sent;
9e917af1
GP		 1724}
1725
e1fbd4c1
MM		 1726static void l2cap_ertm_resend(struct l2cap_chan *chan)
1727{
1728 struct l2cap_ctrl control;
1729 struct sk_buff *skb;
1730 struct sk_buff *tx_skb;
1731 u16 seq;
1732
1733 BT_DBG("chan %p", chan);
1734
1735 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1736 return;
1737
1738 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1739 seq = l2cap_seq_list_pop(&chan->retrans_list);
1740
1741 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1742 if (!skb) {
1743 BT_DBG("Error: Can't retransmit seq %d, frame missing",
1744 seq);
1745 continue;
1746 }
1747
1748 bt_cb(skb)->control.retries++;
1749 control = bt_cb(skb)->control;
1750
1751 if (chan->max_tx != 0 &&
1752 bt_cb(skb)->control.retries > chan->max_tx) {
1753 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1754 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
1755 l2cap_seq_list_clear(&chan->retrans_list);
1756 break;
1757 }
1758
1759 control.reqseq = chan->buffer_seq;
1760 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1761 control.final = 1;
1762 else
1763 control.final = 0;
1764
1765 if (skb_cloned(skb)) {
1766 /* Cloned sk_buffs are read-only, so we need a
1767 * writeable copy
1768 */
1769 tx_skb = skb_copy(skb, GFP_ATOMIC);
1770 } else {
1771 tx_skb = skb_clone(skb, GFP_ATOMIC);
1772 }
1773
1774 if (!tx_skb) {
1775 l2cap_seq_list_clear(&chan->retrans_list);
1776 break;
1777 }
1778
1779 /* Update skb contents */
1780 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1781 put_unaligned_le32(__pack_extended_control(&control),
1782 tx_skb->data + L2CAP_HDR_SIZE);
1783 } else {
1784 put_unaligned_le16(__pack_enhanced_control(&control),
1785 tx_skb->data + L2CAP_HDR_SIZE);
1786 }
1787
1788 if (chan->fcs == L2CAP_FCS_CRC16) {
1789 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
1790 put_unaligned_le16(fcs, skb_put(tx_skb,
1791 L2CAP_FCS_SIZE));
1792 }
1793
1794 l2cap_do_send(chan, tx_skb);
1795
1796 BT_DBG("Resent txseq %d", control.txseq);
1797
1798 chan->last_acked_seq = chan->buffer_seq;
1799 }
1800}
1801
f80842a8
MM		 1802static void l2cap_retransmit(struct l2cap_chan *chan,
1803 struct l2cap_ctrl *control)
1804{
1805 BT_DBG("chan %p, control %p", chan, control);
1806
1807 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
1808 l2cap_ertm_resend(chan);
1809}
1810
d2a7ac5d
MM		 1811static void l2cap_retransmit_all(struct l2cap_chan *chan,
1812 struct l2cap_ctrl *control)
1813{
e1fbd4c1
MM		 1814 struct sk_buff *skb;
1815
1816 BT_DBG("chan %p, control %p", chan, control);
1817
1818 if (control->poll)
1819 set_bit(CONN_SEND_FBIT, &chan->conn_state);
1820
1821 l2cap_seq_list_clear(&chan->retrans_list);
1822
1823 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1824 return;
1825
1826 if (chan->unacked_frames) {
1827 skb_queue_walk(&chan->tx_q, skb) {
1828 if (bt_cb(skb)->control.txseq == control->reqseq ||
1829 skb == chan->tx_send_head)
1830 break;
1831 }
1832
1833 skb_queue_walk_from(&chan->tx_q, skb) {
1834 if (skb == chan->tx_send_head)
1835 break;
1836
1837 l2cap_seq_list_append(&chan->retrans_list,
1838 bt_cb(skb)->control.txseq);
1839 }
1840
1841 l2cap_ertm_resend(chan);
1842 }
d2a7ac5d
MM		 1843}
1844
0a0aba42 1845static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1846{
0a0aba42
MM		 1847 struct l2cap_ctrl control;
1848 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
1849 chan->last_acked_seq);
1850 int threshold;
9e917af1 1851
0a0aba42
MM		 1852 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
1853 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 1854
0a0aba42
MM		 1855 memset(&control, 0, sizeof(control));
1856 control.sframe = 1;
dfc909be 1857
0a0aba42
MM		 1858 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
1859 chan->rx_state == L2CAP_RX_STATE_RECV) {
1860 __clear_ack_timer(chan);
1861 control.super = L2CAP_SUPER_RNR;
1862 control.reqseq = chan->buffer_seq;
1863 l2cap_send_sframe(chan, &control);
1864 } else {
1865 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
1866 l2cap_ertm_send(chan);
1867 /* If any i-frames were sent, they included an ack */
1868 if (chan->buffer_seq == chan->last_acked_seq)
1869 frames_to_ack = 0;
1870 }
dfc909be 1871
0a0aba42
MM		 1872 /* Ack now if the tx window is 3/4ths full.
1873 * Calculate without mul or div
1874 */
1875 threshold = chan->tx_win;
1876 threshold += threshold << 1;
1877 threshold >>= 2;
1878
1879 BT_DBG("frames_to_ack %d, threshold %d", (int)frames_to_ack,
1880 threshold);
1881
1882 if (frames_to_ack >= threshold) {
1883 __clear_ack_timer(chan);
1884 control.super = L2CAP_SUPER_RR;
1885 control.reqseq = chan->buffer_seq;
1886 l2cap_send_sframe(chan, &control);
1887 frames_to_ack = 0;
1888 }
1c2acffb 1889
0a0aba42
MM		 1890 if (frames_to_ack)
1891 __set_ack_timer(chan);
1892 }
b17e73bb
SJ		 1893}
1894
04124681
GP		 1895static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
1896 struct msghdr *msg, int len,
1897 int count, struct sk_buff *skb)
1c2acffb 1898{
0952a57a 1899 struct l2cap_conn *conn = chan->conn;
1c2acffb 1900 struct sk_buff **frag;
90338947 1901 int sent = 0;
1da177e4 1902
59203a21 1903 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1904 return -EFAULT;
1da177e4
LT		 1905
1906 sent += count;
1907 len -= count;
1908
1909 /* Continuation fragments (no L2CAP header) */
1910 frag = &skb_shinfo(skb)->frag_list;
1911 while (len) {
fbe00700
GP		 1912 struct sk_buff *tmp;
1913
1da177e4
LT		 1914 count = min_t(unsigned int, conn->mtu, len);
1915
fbe00700
GP		 1916 tmp = chan->ops->alloc_skb(chan, count,
1917 msg->msg_flags & MSG_DONTWAIT);
1918 if (IS_ERR(tmp))
1919 return PTR_ERR(tmp);
1920
1921 *frag = tmp;
2f7719ce 1922
1c2acffb
GP		 1923 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1924 return -EFAULT;
1da177e4 1925
5e59b791
LAD		 1926 (*frag)->priority = skb->priority;
1927
1da177e4
LT		 1928 sent += count;
1929 len -= count;
1930
2d0ed3d5
GP		 1931 skb->len += (*frag)->len;
1932 skb->data_len += (*frag)->len;
1933
1da177e4
LT		 1934 frag = &(*frag)->next;
1935 }
1da177e4
LT		 1936
1937 return sent;
1c2acffb 1938}
1da177e4 1939
5e59b791
LAD		 1940static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
1941 struct msghdr *msg, size_t len,
1942 u32 priority)
1c2acffb 1943{
8c1d787b 1944 struct l2cap_conn *conn = chan->conn;
1c2acffb 1945 struct sk_buff *skb;
03a51213 1946 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 1947 struct l2cap_hdr *lh;
1948
6d5922b0 1949 BT_DBG("chan %p len %d priority %u", chan, (int)len, priority);
1c2acffb
GP		 1950
1951 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1952
1953 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 1954 msg->msg_flags & MSG_DONTWAIT);
1955 if (IS_ERR(skb))
1956 return skb;
1c2acffb 1957
5e59b791
LAD		 1958 skb->priority = priority;
1959
1c2acffb
GP		 1960 /* Create L2CAP header */
1961 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1962 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 1963 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
1964 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 1965
0952a57a 1966 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1967 if (unlikely(err < 0)) {
1968 kfree_skb(skb);
1969 return ERR_PTR(err);
1970 }
1971 return skb;
1972}
1973
5e59b791
LAD		 1974static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
1975 struct msghdr *msg, size_t len,
1976 u32 priority)
1c2acffb 1977{
8c1d787b 1978 struct l2cap_conn *conn = chan->conn;
1c2acffb 1979 struct sk_buff *skb;
f2ba7fae 1980 int err, count;
1c2acffb
GP		 1981 struct l2cap_hdr *lh;
1982
6d5922b0 1983 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 1984
f2ba7fae 1985 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 1986
f2ba7fae 1987 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 1988 msg->msg_flags & MSG_DONTWAIT);
1989 if (IS_ERR(skb))
1990 return skb;
1c2acffb 1991
5e59b791
LAD		 1992 skb->priority = priority;
1993
1c2acffb
GP		 1994 /* Create L2CAP header */
1995 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1996 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 1997 lh->len = cpu_to_le16(len);
1c2acffb 1998
0952a57a 1999 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2000 if (unlikely(err < 0)) {
2001 kfree_skb(skb);
2002 return ERR_PTR(err);
2003 }
2004 return skb;
2005}
2006
ab0ff76d
LAD		 2007static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2008 struct msghdr *msg, size_t len,
94122bbe 2009 u16 sdulen)
1c2acffb 2010{
8c1d787b 2011 struct l2cap_conn *conn = chan->conn;
1c2acffb 2012 struct sk_buff *skb;
e4ca6d98 2013 int err, count, hlen;
1c2acffb
GP		 2014 struct l2cap_hdr *lh;
2015
6d5922b0 2016 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 2017
0ee0d208
GP		 2018 if (!conn)
2019 return ERR_PTR(-ENOTCONN);
2020
e4ca6d98
AE		 2021 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2022 hlen = L2CAP_EXT_HDR_SIZE;
2023 else
2024 hlen = L2CAP_ENH_HDR_SIZE;
2025
c74e560c 2026 if (sdulen)
03a51213 2027 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2028
47d1ec61 2029 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2030 hlen += L2CAP_FCS_SIZE;
fcc203c3 2031
1c2acffb 2032 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2033
2034 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2035 msg->msg_flags & MSG_DONTWAIT);
2036 if (IS_ERR(skb))
2037 return skb;
1c2acffb
GP		 2038
2039 /* Create L2CAP header */
2040 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2041 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2042 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2043
18a48e76
MM		 2044 /* Control header is populated later */
2045 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2046 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2047 else
2048 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2049
c74e560c 2050 if (sdulen)
03a51213 2051 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2052
0952a57a 2053 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2054 if (unlikely(err < 0)) {
2055 kfree_skb(skb);
2056 return ERR_PTR(err);
2057 }
e90bac06 2058
18a48e76 2059 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2060 bt_cb(skb)->control.retries = 0;
1c2acffb 2061 return skb;
1da177e4
LT		 2062}
2063
94122bbe
MM		 2064static int l2cap_segment_sdu(struct l2cap_chan *chan,
2065 struct sk_buff_head *seg_queue,
2066 struct msghdr *msg, size_t len)
c74e560c 2067{
c74e560c 2068 struct sk_buff *skb;
94122bbe
MM		 2069 u16 sdu_len;
2070 size_t pdu_len;
2071 int err = 0;
2072 u8 sar;
c74e560c 2073
94122bbe 2074 BT_DBG("chan %p, msg %p, len %d", chan, msg, (int)len);
c74e560c 2075
94122bbe
MM		 2076 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2077 * so fragmented skbs are not used. The HCI layer's handling
2078 * of fragmented skbs is not compatible with ERTM's queueing.
2079 */
c74e560c 2080
94122bbe
MM		 2081 /* PDU size is derived from the HCI MTU */
2082 pdu_len = chan->conn->mtu;
c74e560c 2083
94122bbe
MM		 2084 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2085
2086 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2087 if (chan->fcs)
2088 pdu_len -= L2CAP_FCS_SIZE;
2089
2090 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2091 pdu_len -= L2CAP_EXT_HDR_SIZE;
2092 else
2093 pdu_len -= L2CAP_ENH_HDR_SIZE;
94122bbe
MM		 2094
2095 /* Remote device may have requested smaller PDUs */
2096 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2097
2098 if (len <= pdu_len) {
2099 sar = L2CAP_SAR_UNSEGMENTED;
2100 sdu_len = 0;
2101 pdu_len = len;
2102 } else {
2103 sar = L2CAP_SAR_START;
2104 sdu_len = len;
2105 pdu_len -= L2CAP_SDULEN_SIZE;
2106 }
2107
2108 while (len > 0) {
2109 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2110
c74e560c 2111 if (IS_ERR(skb)) {
94122bbe 2112 __skb_queue_purge(seg_queue);
c74e560c
GP		 2113 return PTR_ERR(skb);
2114 }
2115
94122bbe
MM		 2116 bt_cb(skb)->control.sar = sar;
2117 __skb_queue_tail(seg_queue, skb);
2118
2119 len -= pdu_len;
2120 if (sdu_len) {
2121 sdu_len = 0;
2122 pdu_len += L2CAP_SDULEN_SIZE;
2123 }
2124
2125 if (len <= pdu_len) {
2126 sar = L2CAP_SAR_END;
2127 pdu_len = len;
2128 } else {
2129 sar = L2CAP_SAR_CONTINUE;
2130 }
c74e560c 2131 }
c74e560c 2132
94122bbe 2133 return err;
c74e560c
GP		 2134}
2135
5e59b791
LAD		 2136int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2137 u32 priority)
9a91a04a 2138{
9a91a04a 2139 struct sk_buff *skb;
9a91a04a 2140 int err;
94122bbe 2141 struct sk_buff_head seg_queue;
9a91a04a
GP		 2142
2143 /* Connectionless channel */
715ec005 2144 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2145 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2146 if (IS_ERR(skb))
2147 return PTR_ERR(skb);
2148
2149 l2cap_do_send(chan, skb);
2150 return len;
2151 }
2152
2153 switch (chan->mode) {
2154 case L2CAP_MODE_BASIC:
2155 /* Check outgoing MTU */
2156 if (len > chan->omtu)
2157 return -EMSGSIZE;
2158
2159 /* Create a basic PDU */
5e59b791 2160 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2161 if (IS_ERR(skb))
2162 return PTR_ERR(skb);
2163
2164 l2cap_do_send(chan, skb);
2165 err = len;
2166 break;
2167
2168 case L2CAP_MODE_ERTM:
2169 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2170 /* Check outgoing MTU */
2171 if (len > chan->omtu) {
2172 err = -EMSGSIZE;
2173 break;
2174 }
9a91a04a 2175
94122bbe 2176 __skb_queue_head_init(&seg_queue);
9a91a04a 2177
94122bbe
MM		 2178 /* Do segmentation before calling in to the state machine,
2179 * since it's possible to block while waiting for memory
2180 * allocation.
2181 */
2182 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2183
94122bbe
MM		 2184 /* The channel could have been closed while segmenting,
2185 * check that it is still connected.
2186 */
2187 if (chan->state != BT_CONNECTED) {
2188 __skb_queue_purge(&seg_queue);
2189 err = -ENOTCONN;
9a91a04a
GP		 2190 }
2191
94122bbe 2192 if (err)
9a91a04a 2193 break;
9a91a04a 2194
3733937d 2195 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2196 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2197 else
d660366d 2198 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2199
d660366d 2200 err = len;
9a91a04a 2201
94122bbe
MM		 2202 /* If the skbs were not queued for sending, they'll still be in
2203 * seg_queue and need to be purged.
2204 */
2205 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2206 break;
2207
2208 default:
2209 BT_DBG("bad state %1.1x", chan->mode);
2210 err = -EBADFD;
2211 }
2212
2213 return err;
2214}
2215
d2a7ac5d
MM		 2216static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2217{
bed68bde
MM		 2218 struct l2cap_ctrl control;
2219 u16 seq;
2220
2221 BT_DBG("chan %p, txseq %d", chan, txseq);
2222
2223 memset(&control, 0, sizeof(control));
2224 control.sframe = 1;
2225 control.super = L2CAP_SUPER_SREJ;
2226
2227 for (seq = chan->expected_tx_seq; seq != txseq;
2228 seq = __next_seq(chan, seq)) {
2229 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2230 control.reqseq = seq;
2231 l2cap_send_sframe(chan, &control);
2232 l2cap_seq_list_append(&chan->srej_list, seq);
2233 }
2234 }
2235
2236 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2237}
2238
2239static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2240{
bed68bde
MM		 2241 struct l2cap_ctrl control;
2242
2243 BT_DBG("chan %p", chan);
2244
2245 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2246 return;
2247
2248 memset(&control, 0, sizeof(control));
2249 control.sframe = 1;
2250 control.super = L2CAP_SUPER_SREJ;
2251 control.reqseq = chan->srej_list.tail;
2252 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2253}
2254
2255static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2256{
bed68bde
MM		 2257 struct l2cap_ctrl control;
2258 u16 initial_head;
2259 u16 seq;
2260
2261 BT_DBG("chan %p, txseq %d", chan, txseq);
2262
2263 memset(&control, 0, sizeof(control));
2264 control.sframe = 1;
2265 control.super = L2CAP_SUPER_SREJ;
2266
2267 /* Capture initial list head to allow only one pass through the list. */
2268 initial_head = chan->srej_list.head;
2269
2270 do {
2271 seq = l2cap_seq_list_pop(&chan->srej_list);
2272 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2273 break;
2274
2275 control.reqseq = seq;
2276 l2cap_send_sframe(chan, &control);
2277 l2cap_seq_list_append(&chan->srej_list, seq);
2278 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2279}
2280
608bcc6d
MM		 2281static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2282{
2283 struct sk_buff *acked_skb;
2284 u16 ackseq;
2285
2286 BT_DBG("chan %p, reqseq %d", chan, reqseq);
2287
2288 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2289 return;
2290
2291 BT_DBG("expected_ack_seq %d, unacked_frames %d",
2292 chan->expected_ack_seq, chan->unacked_frames);
2293
2294 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2295 ackseq = __next_seq(chan, ackseq)) {
2296
2297 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2298 if (acked_skb) {
2299 skb_unlink(acked_skb, &chan->tx_q);
2300 kfree_skb(acked_skb);
2301 chan->unacked_frames--;
2302 }
2303 }
2304
2305 chan->expected_ack_seq = reqseq;
2306
2307 if (chan->unacked_frames == 0)
2308 __clear_retrans_timer(chan);
2309
2310 BT_DBG("unacked_frames %d", (int) chan->unacked_frames);
2311}
2312
2313static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2314{
2315 BT_DBG("chan %p", chan);
2316
2317 chan->expected_tx_seq = chan->buffer_seq;
2318 l2cap_seq_list_clear(&chan->srej_list);
2319 skb_queue_purge(&chan->srej_q);
2320 chan->rx_state = L2CAP_RX_STATE_RECV;
2321}
2322
d660366d
GP		 2323static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2324 struct l2cap_ctrl *control,
2325 struct sk_buff_head *skbs, u8 event)
608bcc6d 2326{
608bcc6d
MM		 2327 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2328 event);
2329
2330 switch (event) {
2331 case L2CAP_EV_DATA_REQUEST:
2332 if (chan->tx_send_head == NULL)
2333 chan->tx_send_head = skb_peek(skbs);
2334
2335 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2336 l2cap_ertm_send(chan);
2337 break;
2338 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2339 BT_DBG("Enter LOCAL_BUSY");
2340 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2341
2342 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2343 /* The SREJ_SENT state must be aborted if we are to
2344 * enter the LOCAL_BUSY state.
2345 */
2346 l2cap_abort_rx_srej_sent(chan);
2347 }
2348
2349 l2cap_send_ack(chan);
2350
2351 break;
2352 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2353 BT_DBG("Exit LOCAL_BUSY");
2354 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2355
2356 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2357 struct l2cap_ctrl local_control;
2358
2359 memset(&local_control, 0, sizeof(local_control));
2360 local_control.sframe = 1;
2361 local_control.super = L2CAP_SUPER_RR;
2362 local_control.poll = 1;
2363 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2364 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2365
2366 chan->retry_count = 1;
2367 __set_monitor_timer(chan);
2368 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2369 }
2370 break;
2371 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2372 l2cap_process_reqseq(chan, control->reqseq);
2373 break;
2374 case L2CAP_EV_EXPLICIT_POLL:
2375 l2cap_send_rr_or_rnr(chan, 1);
2376 chan->retry_count = 1;
2377 __set_monitor_timer(chan);
2378 __clear_ack_timer(chan);
2379 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2380 break;
2381 case L2CAP_EV_RETRANS_TO:
2382 l2cap_send_rr_or_rnr(chan, 1);
2383 chan->retry_count = 1;
2384 __set_monitor_timer(chan);
2385 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2386 break;
2387 case L2CAP_EV_RECV_FBIT:
2388 /* Nothing to process */
2389 break;
2390 default:
2391 break;
2392 }
608bcc6d
MM		 2393}
2394
d660366d
GP		 2395static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2396 struct l2cap_ctrl *control,
2397 struct sk_buff_head *skbs, u8 event)
608bcc6d 2398{
608bcc6d
MM		 2399 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2400 event);
2401
2402 switch (event) {
2403 case L2CAP_EV_DATA_REQUEST:
2404 if (chan->tx_send_head == NULL)
2405 chan->tx_send_head = skb_peek(skbs);
2406 /* Queue data, but don't send. */
2407 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2408 break;
2409 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2410 BT_DBG("Enter LOCAL_BUSY");
2411 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2412
2413 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2414 /* The SREJ_SENT state must be aborted if we are to
2415 * enter the LOCAL_BUSY state.
2416 */
2417 l2cap_abort_rx_srej_sent(chan);
2418 }
2419
2420 l2cap_send_ack(chan);
2421
2422 break;
2423 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2424 BT_DBG("Exit LOCAL_BUSY");
2425 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2426
2427 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2428 struct l2cap_ctrl local_control;
2429 memset(&local_control, 0, sizeof(local_control));
2430 local_control.sframe = 1;
2431 local_control.super = L2CAP_SUPER_RR;
2432 local_control.poll = 1;
2433 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2434 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2435
2436 chan->retry_count = 1;
2437 __set_monitor_timer(chan);
2438 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2439 }
2440 break;
2441 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2442 l2cap_process_reqseq(chan, control->reqseq);
2443
2444 /* Fall through */
2445
2446 case L2CAP_EV_RECV_FBIT:
2447 if (control && control->final) {
2448 __clear_monitor_timer(chan);
2449 if (chan->unacked_frames > 0)
2450 __set_retrans_timer(chan);
2451 chan->retry_count = 0;
2452 chan->tx_state = L2CAP_TX_STATE_XMIT;
2453 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2454 }
2455 break;
2456 case L2CAP_EV_EXPLICIT_POLL:
2457 /* Ignore */
2458 break;
2459 case L2CAP_EV_MONITOR_TO:
2460 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2461 l2cap_send_rr_or_rnr(chan, 1);
2462 __set_monitor_timer(chan);
2463 chan->retry_count++;
2464 } else {
2465 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
2466 }
2467 break;
2468 default:
2469 break;
2470 }
608bcc6d
MM		 2471}
2472
d660366d
GP		 2473static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2474 struct sk_buff_head *skbs, u8 event)
608bcc6d 2475{
608bcc6d
MM		 2476 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2477 chan, control, skbs, event, chan->tx_state);
2478
2479 switch (chan->tx_state) {
2480 case L2CAP_TX_STATE_XMIT:
d660366d 2481 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2482 break;
2483 case L2CAP_TX_STATE_WAIT_F:
d660366d 2484 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2485 break;
2486 default:
2487 /* Ignore event */
2488 break;
2489 }
608bcc6d
MM		 2490}
2491
4b51dae9
MM		 2492static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2493 struct l2cap_ctrl *control)
2494{
2495 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2496 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2497}
2498
f80842a8
MM		 2499static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2500 struct l2cap_ctrl *control)
2501{
2502 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2503 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2504}
2505
1da177e4
LT		 2506/* Copy frame to all raw sockets on that connection */
2507static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2508{
1da177e4 2509 struct sk_buff *nskb;
48454079 2510 struct l2cap_chan *chan;
1da177e4
LT		 2511
2512 BT_DBG("conn %p", conn);
2513
3df91ea2 2514 mutex_lock(&conn->chan_lock);
3d57dc68 2515
3df91ea2 2516 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2517 struct sock *sk = chan->sk;
715ec005 2518 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2519 continue;
2520
2521 /* Don't send frame to the socket it came from */
2522 if (skb->sk == sk)
2523 continue;
af05b30b
GP		 2524 nskb = skb_clone(skb, GFP_ATOMIC);
2525 if (!nskb)
1da177e4
LT		 2526 continue;
2527
80b98027 2528 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2529 kfree_skb(nskb);
2530 }
3d57dc68 2531
3df91ea2 2532 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2533}
2534
2535/* ---- L2CAP signalling commands ---- */
2536static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2537 u8 code, u8 ident, u16 dlen, void *data)
2538{
2539 struct sk_buff *skb, **frag;
2540 struct l2cap_cmd_hdr *cmd;
2541 struct l2cap_hdr *lh;
2542 int len, count;
2543
af05b30b
GP		 2544 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2545 conn, code, ident, dlen);
1da177e4
LT		 2546
2547 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2548 count = min_t(unsigned int, conn->mtu, len);
2549
2550 skb = bt_skb_alloc(count, GFP_ATOMIC);
2551 if (!skb)
2552 return NULL;
2553
2554 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2555 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2556
2557 if (conn->hcon->type == LE_LINK)
ac73498c 2558 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2559 else
ac73498c 2560 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2561
2562 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2563 cmd->code = code;
2564 cmd->ident = ident;
aca3192c 2565 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2566
2567 if (dlen) {
2568 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2569 memcpy(skb_put(skb, count), data, count);
2570 data += count;
2571 }
2572
2573 len -= skb->len;
2574
2575 /* Continuation fragments (no L2CAP header) */
2576 frag = &skb_shinfo(skb)->frag_list;
2577 while (len) {
2578 count = min_t(unsigned int, conn->mtu, len);
2579
2580 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2581 if (!*frag)
2582 goto fail;
2583
2584 memcpy(skb_put(*frag, count), data, count);
2585
2586 len -= count;
2587 data += count;
2588
2589 frag = &(*frag)->next;
2590 }
2591
2592 return skb;
2593
2594fail:
2595 kfree_skb(skb);
2596 return NULL;
2597}
2598
2599static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2600{
2601 struct l2cap_conf_opt *opt = *ptr;
2602 int len;
2603
2604 len = L2CAP_CONF_OPT_SIZE + opt->len;
2605 *ptr += len;
2606
2607 *type = opt->type;
2608 *olen = opt->len;
2609
2610 switch (opt->len) {
2611 case 1:
2612 *val = *((u8 *) opt->val);
2613 break;
2614
2615 case 2:
bfaaeb3e 2616 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2617 break;
2618
2619 case 4:
bfaaeb3e 2620 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2621 break;
2622
2623 default:
2624 *val = (unsigned long) opt->val;
2625 break;
2626 }
2627
2628 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2629 return len;
2630}
2631
1da177e4
LT		 2632static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2633{
2634 struct l2cap_conf_opt *opt = *ptr;
2635
2636 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2637
2638 opt->type = type;
2639 opt->len = len;
2640
2641 switch (len) {
2642 case 1:
2643 *((u8 *) opt->val) = val;
2644 break;
2645
2646 case 2:
4f8b691c 2647 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2648 break;
2649
2650 case 4:
4f8b691c 2651 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2652 break;
2653
2654 default:
2655 memcpy(opt->val, (void *) val, len);
2656 break;
2657 }
2658
2659 *ptr += L2CAP_CONF_OPT_SIZE + len;
2660}
2661
f89cef09
AE		 2662static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2663{
2664 struct l2cap_conf_efs efs;
2665
1ec918ce 2666 switch (chan->mode) {
f89cef09
AE		 2667 case L2CAP_MODE_ERTM:
2668 efs.id = chan->local_id;
2669 efs.stype = chan->local_stype;
2670 efs.msdu = cpu_to_le16(chan->local_msdu);
2671 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c
AE		 2672 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2673 efs.flush_to = __constant_cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
f89cef09
AE		 2674 break;
2675
2676 case L2CAP_MODE_STREAMING:
2677 efs.id = 1;
2678 efs.stype = L2CAP_SERV_BESTEFFORT;
2679 efs.msdu = cpu_to_le16(chan->local_msdu);
2680 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2681 efs.acc_lat = 0;
2682 efs.flush_to = 0;
2683 break;
2684
2685 default:
2686 return;
2687 }
2688
2689 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
2690 (unsigned long) &efs);
2691}
2692
721c4181 2693static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2694{
721c4181 2695 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 2696 ack_timer.work);
2697 u16 frames_to_ack;
c1b4f43b 2698
2fb9b3d4
GP		 2699 BT_DBG("chan %p", chan);
2700
6be36555
AE		 2701 l2cap_chan_lock(chan);
2702
0362520b
MM		 2703 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2704 chan->last_acked_seq);
6be36555 2705
0362520b
MM		 2706 if (frames_to_ack)
2707 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 2708
0362520b 2709 l2cap_chan_unlock(chan);
09bfb2ee 2710 l2cap_chan_put(chan);
c1b4f43b
GP		 2711}
2712
466f8004 2713int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2714{
3c588192
MM		 2715 int err;
2716
105bdf9e
MM		 2717 chan->next_tx_seq = 0;
2718 chan->expected_tx_seq = 0;
42e5c802 2719 chan->expected_ack_seq = 0;
6a026610 2720 chan->unacked_frames = 0;
42e5c802 2721 chan->buffer_seq = 0;
6a026610 2722 chan->frames_sent = 0;
105bdf9e
MM		 2723 chan->last_acked_seq = 0;
2724 chan->sdu = NULL;
2725 chan->sdu_last_frag = NULL;
2726 chan->sdu_len = 0;
2727
d34c34fb
MM		 2728 skb_queue_head_init(&chan->tx_q);
2729
105bdf9e
MM		 2730 if (chan->mode != L2CAP_MODE_ERTM)
2731 return 0;
2732
2733 chan->rx_state = L2CAP_RX_STATE_RECV;
2734 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2735
721c4181
GP		 2736 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2737 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2738 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2739
f1c6775b 2740 skb_queue_head_init(&chan->srej_q);
1890d36b 2741
3c588192
MM		 2742 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2743 if (err < 0)
2744 return err;
2745
9dc9affc
MM		 2746 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
2747 if (err < 0)
2748 l2cap_seq_list_free(&chan->srej_list);
2749
2750 return err;
0565c1c2
GP		 2751}
2752
f2fcfcd6
GP		 2753static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2754{
2755 switch (mode) {
2756 case L2CAP_MODE_STREAMING:
2757 case L2CAP_MODE_ERTM:
2758 if (l2cap_mode_supported(mode, remote_feat_mask))
2759 return mode;
2760 /* fall through */
2761 default:
2762 return L2CAP_MODE_BASIC;
2763 }
2764}
2765
6327eb98
AE		 2766static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2767{
2768 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2769}
2770
f89cef09
AE		 2771static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2772{
2773 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2774}
2775
6327eb98
AE		 2776static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2777{
2778 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 2779 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2780 /* use extended control field */
2781 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2782 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2783 } else {
6327eb98
AE		 2784 chan->tx_win = min_t(u16, chan->tx_win,
2785 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2786 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2787 }
6327eb98
AE		 2788}
2789
710f9b0a 2790static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2791{
1da177e4 2792 struct l2cap_conf_req *req = data;
0c1bc5c6 2793 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2794 void *ptr = req->data;
c8f79162 2795 u16 size;
1da177e4 2796
49208c9c 2797 BT_DBG("chan %p", chan);
1da177e4 2798
73ffa904 2799 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2800 goto done;
2801
0c1bc5c6 2802 switch (chan->mode) {
f2fcfcd6
GP		 2803 case L2CAP_MODE_STREAMING:
2804 case L2CAP_MODE_ERTM:
c1360a1c 2805 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2806 break;
85eb53c6 2807
f89cef09
AE		 2808 if (__l2cap_efs_supported(chan))
2809 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2810
2ba13ed6 2811 /* fall through */
f2fcfcd6 2812 default:
8c1d787b 2813 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2814 break;
2815 }
2816
2817done:
0c1bc5c6
GP		 2818 if (chan->imtu != L2CAP_DEFAULT_MTU)
2819 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2820
0c1bc5c6 2821 switch (chan->mode) {
65c7c491 2822 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2823 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2824 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2825 break;
2826
62547752
GP		 2827 rfc.mode = L2CAP_MODE_BASIC;
2828 rfc.txwin_size = 0;
2829 rfc.max_transmit = 0;
2830 rfc.retrans_timeout = 0;
2831 rfc.monitor_timeout = 0;
2832 rfc.max_pdu_size = 0;
2833
63406504
GP		 2834 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2835 (unsigned long) &rfc);
65c7c491
MH		 2836 break;
2837
2838 case L2CAP_MODE_ERTM:
2839 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2840 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2841 rfc.retrans_timeout = 0;
2842 rfc.monitor_timeout = 0;
c8f79162
AE		 2843
2844 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2845 L2CAP_EXT_HDR_SIZE -
2846 L2CAP_SDULEN_SIZE -
2847 L2CAP_FCS_SIZE);
2848 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2849
6327eb98
AE		 2850 l2cap_txwin_setup(chan);
2851
2852 rfc.txwin_size = min_t(u16, chan->tx_win,
2853 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2854
63406504
GP		 2855 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2856 (unsigned long) &rfc);
2857
f89cef09
AE		 2858 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2859 l2cap_add_opt_efs(&ptr, chan);
2860
8c1d787b 2861 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2862 break;
2863
47d1ec61 2864 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2865 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2866 chan->fcs = L2CAP_FCS_NONE;
2867 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2868 }
6327eb98
AE		 2869
2870 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2871 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2872 chan->tx_win);
f2fcfcd6
GP		 2873 break;
2874
2875 case L2CAP_MODE_STREAMING:
273759e2 2876 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 2877 rfc.mode = L2CAP_MODE_STREAMING;
2878 rfc.txwin_size = 0;
2879 rfc.max_transmit = 0;
2880 rfc.retrans_timeout = 0;
2881 rfc.monitor_timeout = 0;
c8f79162
AE		 2882
2883 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2884 L2CAP_EXT_HDR_SIZE -
2885 L2CAP_SDULEN_SIZE -
2886 L2CAP_FCS_SIZE);
2887 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2888
63406504
GP		 2889 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2890 (unsigned long) &rfc);
2891
f89cef09
AE		 2892 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2893 l2cap_add_opt_efs(&ptr, chan);
2894
8c1d787b 2895 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2896 break;
2897
47d1ec61 2898 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2899 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2900 chan->fcs = L2CAP_FCS_NONE;
2901 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2902 }
65c7c491
MH		 2903 break;
2904 }
1da177e4 2905
fe4128e0 2906 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 2907 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 2908
2909 return ptr - data;
2910}
2911
73ffa904 2912static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2913{
5dee9e7c
MH		 2914 struct l2cap_conf_rsp *rsp = data;
2915 void *ptr = rsp->data;
73ffa904
GP		 2916 void *req = chan->conf_req;
2917 int len = chan->conf_len;
5dee9e7c
MH		 2918 int type, hint, olen;
2919 unsigned long val;
6464f35f 2920 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2921 struct l2cap_conf_efs efs;
2922 u8 remote_efs = 0;
861d6882 2923 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2924 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2925 u16 size;
1da177e4 2926
73ffa904 2927 BT_DBG("chan %p", chan);
820ae1b8 2928
5dee9e7c
MH		 2929 while (len >= L2CAP_CONF_OPT_SIZE) {
2930 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2931
589d2746 2932 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2933 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2934
2935 switch (type) {
2936 case L2CAP_CONF_MTU:
861d6882 2937 mtu = val;
5dee9e7c
MH		 2938 break;
2939
2940 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2941 chan->flush_to = val;
5dee9e7c
MH		 2942 break;
2943
2944 case L2CAP_CONF_QOS:
2945 break;
2946
6464f35f
MH		 2947 case L2CAP_CONF_RFC:
2948 if (olen == sizeof(rfc))
2949 memcpy(&rfc, (void *) val, olen);
2950 break;
2951
fcc203c3
GP		 2952 case L2CAP_CONF_FCS:
2953 if (val == L2CAP_FCS_NONE)
c1360a1c 2954 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 2955 break;
fcc203c3 2956
42dceae2
AE		 2957 case L2CAP_CONF_EFS:
2958 remote_efs = 1;
2959 if (olen == sizeof(efs))
2960 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 2961 break;
2962
6327eb98
AE		 2963 case L2CAP_CONF_EWS:
2964 if (!enable_hs)
2965 return -ECONNREFUSED;
fcc203c3 2966
6327eb98
AE		 2967 set_bit(FLAG_EXT_CTRL, &chan->flags);
2968 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 2969 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 2970 chan->remote_tx_win = val;
fcc203c3
GP		 2971 break;
2972
5dee9e7c
MH		 2973 default:
2974 if (hint)
2975 break;
2976
2977 result = L2CAP_CONF_UNKNOWN;
2978 *((u8 *) ptr++) = type;
2979 break;
2980 }
2981 }
2982
73ffa904 2983 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2984 goto done;
2985
0c1bc5c6 2986 switch (chan->mode) {
f2fcfcd6
GP		 2987 case L2CAP_MODE_STREAMING:
2988 case L2CAP_MODE_ERTM:
c1360a1c 2989 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2990 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2991 chan->conn->feat_mask);
85eb53c6
GP		 2992 break;
2993 }
2994
42dceae2
AE		 2995 if (remote_efs) {
2996 if (__l2cap_efs_supported(chan))
2997 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2998 else
2999 return -ECONNREFUSED;
3000 }
3001
0c1bc5c6 3002 if (chan->mode != rfc.mode)
f2fcfcd6 3003 return -ECONNREFUSED;
742e519b 3004
f2fcfcd6 3005 break;
f2fcfcd6
GP		 3006 }
3007
3008done:
0c1bc5c6 3009 if (chan->mode != rfc.mode) {
f2fcfcd6 3010 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3011 rfc.mode = chan->mode;
f2fcfcd6 3012
73ffa904 3013 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3014 return -ECONNREFUSED;
3015
3016 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3017 sizeof(rfc), (unsigned long) &rfc);
3018 }
3019
5dee9e7c
MH		 3020 if (result == L2CAP_CONF_SUCCESS) {
3021 /* Configure output options and let the other side know
3022 * which ones we don't like. */
3023
f2fcfcd6
GP		 3024 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3025 result = L2CAP_CONF_UNACCEPT;
3026 else {
0c1bc5c6 3027 chan->omtu = mtu;
c1360a1c 3028 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3029 }
0c1bc5c6 3030 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3031
42dceae2
AE		 3032 if (remote_efs) {
3033 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3034 efs.stype != L2CAP_SERV_NOTRAFIC &&
3035 efs.stype != chan->local_stype) {
3036
3037 result = L2CAP_CONF_UNACCEPT;
3038
3039 if (chan->num_conf_req >= 1)
3040 return -ECONNREFUSED;
3041
3042 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 3043 sizeof(efs),
42dceae2 3044 (unsigned long) &efs);
0e8b207e 3045 } else {
3e6b3b95 3046 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3047 result = L2CAP_CONF_PENDING;
3048 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3049 }
3050 }
3051
f2fcfcd6
GP		 3052 switch (rfc.mode) {
3053 case L2CAP_MODE_BASIC:
47d1ec61 3054 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3055 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3056 break;
3057
3058 case L2CAP_MODE_ERTM:
6327eb98
AE		 3059 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3060 chan->remote_tx_win = rfc.txwin_size;
3061 else
3062 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3063
2c03a7a4 3064 chan->remote_max_tx = rfc.max_transmit;
1c762159 3065
c8f79162
AE		 3066 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3067 chan->conn->mtu -
3068 L2CAP_EXT_HDR_SIZE -
3069 L2CAP_SDULEN_SIZE -
3070 L2CAP_FCS_SIZE);
3071 rfc.max_pdu_size = cpu_to_le16(size);
3072 chan->remote_mps = size;
f2fcfcd6 3073
10467e9e 3074 rfc.retrans_timeout =
4fd21a88 3075 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
10467e9e 3076 rfc.monitor_timeout =
4fd21a88 3077 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 3078
c1360a1c 3079 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3080
3081 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3082 sizeof(rfc), (unsigned long) &rfc);
3083
42dceae2
AE		 3084 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3085 chan->remote_id = efs.id;
3086 chan->remote_stype = efs.stype;
3087 chan->remote_msdu = le16_to_cpu(efs.msdu);
3088 chan->remote_flush_to =
3089 le32_to_cpu(efs.flush_to);
3090 chan->remote_acc_lat =
3091 le32_to_cpu(efs.acc_lat);
3092 chan->remote_sdu_itime =
3093 le32_to_cpu(efs.sdu_itime);
3094 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3095 sizeof(efs), (unsigned long) &efs);
3096 }
f2fcfcd6
GP		 3097 break;
3098
3099 case L2CAP_MODE_STREAMING:
c8f79162
AE		 3100 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3101 chan->conn->mtu -
3102 L2CAP_EXT_HDR_SIZE -
3103 L2CAP_SDULEN_SIZE -
3104 L2CAP_FCS_SIZE);
3105 rfc.max_pdu_size = cpu_to_le16(size);
3106 chan->remote_mps = size;
f2fcfcd6 3107
c1360a1c 3108 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3109
3110 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3111 sizeof(rfc), (unsigned long) &rfc);
3112
f2fcfcd6
GP		 3113 break;
3114
3115 default:
5dee9e7c 3116 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3117
6464f35f 3118 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3119 rfc.mode = chan->mode;
f2fcfcd6 3120 }
6464f35f 3121
f2fcfcd6 3122 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3123 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3124 }
fe4128e0 3125 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3126 rsp->result = cpu_to_le16(result);
59e54bd1 3127 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3128
3129 return ptr - data;
1da177e4
LT		 3130}
3131
b4450035 3132static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 3133{
f2fcfcd6
GP		 3134 struct l2cap_conf_req *req = data;
3135 void *ptr = req->data;
3136 int type, olen;
3137 unsigned long val;
36e999a8 3138 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3139 struct l2cap_conf_efs efs;
f2fcfcd6 3140
fe4128e0 3141 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3142
3143 while (len >= L2CAP_CONF_OPT_SIZE) {
3144 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3145
3146 switch (type) {
3147 case L2CAP_CONF_MTU:
3148 if (val < L2CAP_DEFAULT_MIN_MTU) {
3149 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3150 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3151 } else
0c1bc5c6
GP		 3152 chan->imtu = val;
3153 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3154 break;
3155
3156 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3157 chan->flush_to = val;
f2fcfcd6 3158 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 3159 2, chan->flush_to);
f2fcfcd6
GP		 3160 break;
3161
3162 case L2CAP_CONF_RFC:
3163 if (olen == sizeof(rfc))
3164 memcpy(&rfc, (void *)val, olen);
3165
c1360a1c 3166 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 3167 rfc.mode != chan->mode)
f2fcfcd6
GP		 3168 return -ECONNREFUSED;
3169
47d1ec61 3170 chan->fcs = 0;
f2fcfcd6
GP		 3171
3172 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3173 sizeof(rfc), (unsigned long) &rfc);
3174 break;
6327eb98
AE		 3175
3176 case L2CAP_CONF_EWS:
3177 chan->tx_win = min_t(u16, val,
3178 L2CAP_DEFAULT_EXT_WINDOW);
3e6b3b95
GP		 3179 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3180 chan->tx_win);
6327eb98 3181 break;
66af7aaf
AE		 3182
3183 case L2CAP_CONF_EFS:
3184 if (olen == sizeof(efs))
3185 memcpy(&efs, (void *)val, olen);
3186
3187 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3188 efs.stype != L2CAP_SERV_NOTRAFIC &&
3189 efs.stype != chan->local_stype)
3190 return -ECONNREFUSED;
3191
3192 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3193 sizeof(efs), (unsigned long) &efs);
3194 break;
f2fcfcd6
GP		 3195 }
3196 }
3197
0c1bc5c6 3198 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3199 return -ECONNREFUSED;
3200
0c1bc5c6 3201 chan->mode = rfc.mode;
6c2ea7a8 3202
0e8b207e 3203 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3204 switch (rfc.mode) {
3205 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3206 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3207 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3208 chan->mps = le16_to_cpu(rfc.max_pdu_size);
66af7aaf
AE		 3209
3210 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3211 chan->local_msdu = le16_to_cpu(efs.msdu);
3212 chan->local_sdu_itime =
3213 le32_to_cpu(efs.sdu_itime);
3214 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3215 chan->local_flush_to =
3216 le32_to_cpu(efs.flush_to);
3217 }
f2fcfcd6 3218 break;
66af7aaf 3219
f2fcfcd6 3220 case L2CAP_MODE_STREAMING:
47d1ec61 3221 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3222 }
3223 }
3224
fe4128e0 3225 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3226 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3227
3228 return ptr - data;
3229}
3230
fe4128e0 3231static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 3232{
3233 struct l2cap_conf_rsp *rsp = data;
3234 void *ptr = rsp->data;
1da177e4 3235
fe4128e0 3236 BT_DBG("chan %p", chan);
1da177e4 3237
fe4128e0 3238 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3239 rsp->result = cpu_to_le16(result);
aca3192c 3240 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3241
3242 return ptr - data;
3243}
3244
8c1d787b 3245void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3246{
3247 struct l2cap_conn_rsp rsp;
8c1d787b 3248 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 3249 u8 buf[128];
3250
fe4128e0
GP		 3251 rsp.scid = cpu_to_le16(chan->dcid);
3252 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3253 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3254 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
710f9b0a
GP		 3255 l2cap_send_cmd(conn, chan->ident,
3256 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
3257
c1360a1c 3258 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3259 return;
3260
710f9b0a
GP		 3261 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3262 l2cap_build_conf_req(chan, buf), buf);
3263 chan->num_conf_req++;
3264}
3265
47d1ec61 3266static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3267{
7b1c0049
GP		 3268 int type, olen;
3269 unsigned long val;
3270 struct l2cap_conf_rfc rfc;
3271
47d1ec61 3272 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3273
0c1bc5c6 3274 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3275 return;
3276
3277 while (len >= L2CAP_CONF_OPT_SIZE) {
3278 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3279
3280 switch (type) {
3281 case L2CAP_CONF_RFC:
3282 if (olen == sizeof(rfc))
3283 memcpy(&rfc, (void *)val, olen);
3284 goto done;
3285 }
3286 }
3287
36e999a8
MM		 3288 /* Use sane default values in case a misbehaving remote device
3289 * did not send an RFC option.
3290 */
3291 rfc.mode = chan->mode;
ac73498c
AE		 3292 rfc.retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3293 rfc.monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
36e999a8
MM		 3294 rfc.max_pdu_size = cpu_to_le16(chan->imtu);
3295
3296 BT_ERR("Expected RFC option was not found, using defaults");
3297
7b1c0049
GP		 3298done:
3299 switch (rfc.mode) {
3300 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3301 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3302 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3303 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3304 break;
3305 case L2CAP_MODE_STREAMING:
47d1ec61 3306 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3307 }
3308}
3309
4e8402a3
MH		 3310static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3311{
e2fd318e 3312 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3313
e2fd318e 3314 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3315 return 0;
3316
3317 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3318 cmd->ident == conn->info_ident) {
17cd3f37 3319 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3320
3321 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3322 conn->info_ident = 0;
984947dc 3323
4e8402a3
MH		 3324 l2cap_conn_start(conn);
3325 }
3326
3327 return 0;
3328}
3329
1da177e4
LT		 3330static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3331{
1da177e4
LT		 3332 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3333 struct l2cap_conn_rsp rsp;
23691d75 3334 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3335 struct sock *parent, *sk = NULL;
e7c29cb1 3336 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3337
3338 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3339 __le16 psm = req->psm;
1da177e4 3340
097db76c 3341 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3342
3343 /* Check if we have socket listening on psm */
c2287681 3344 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3345 if (!pchan) {
1da177e4
LT		 3346 result = L2CAP_CR_BAD_PSM;
3347 goto sendresp;
3348 }
3349
23691d75
GP		 3350 parent = pchan->sk;
3351
3df91ea2 3352 mutex_lock(&conn->chan_lock);
aa2ac881 3353 lock_sock(parent);
e0f0cb56 3354
e7c29cb1 3355 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3356 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
e7c29cb1 3357 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3358 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3359 result = L2CAP_CR_SEC_BLOCK;
3360 goto response;
3361 }
3362
1da177e4
LT		 3363 result = L2CAP_CR_NO_MEM;
3364
2dfa1003
GP		 3365 /* Check if we already have channel with that dcid */
3366 if (__l2cap_get_chan_by_dcid(conn, scid))
3367 goto response;
3368
80b98027 3369 chan = pchan->ops->new_connection(pchan);
80808e43 3370 if (!chan)
1da177e4
LT		 3371 goto response;
3372
80808e43
GP		 3373 sk = chan->sk;
3374
1da177e4
LT		 3375 hci_conn_hold(conn->hcon);
3376
1da177e4
LT		 3377 bacpy(&bt_sk(sk)->src, conn->src);
3378 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3379 chan->psm = psm;
3380 chan->dcid = scid;
1da177e4 3381
d1010240
GP		 3382 bt_accept_enqueue(parent, sk);
3383
6be36555 3384 __l2cap_chan_add(conn, chan);
48454079 3385
fe4128e0 3386 dcid = chan->scid;
1da177e4 3387
c9b66675 3388 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3389
fc7f8a7e 3390 chan->ident = cmd->ident;
1da177e4 3391
984947dc 3392 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3393 if (l2cap_chan_check_security(chan)) {
c5daa683 3394 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3395 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3396 result = L2CAP_CR_PEND;
3397 status = L2CAP_CS_AUTHOR_PEND;
3398 parent->sk_data_ready(parent, 0);
3399 } else {
0e587be7 3400 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 3401 result = L2CAP_CR_SUCCESS;
3402 status = L2CAP_CS_NO_INFO;
3403 }
79d554a6 3404 } else {
0e587be7 3405 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3406 result = L2CAP_CR_PEND;
3407 status = L2CAP_CS_AUTHEN_PEND;
3408 }
3409 } else {
0e587be7 3410 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3411 result = L2CAP_CR_PEND;
3412 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3413 }
3414
1da177e4 3415response:
aa2ac881 3416 release_sock(parent);
3df91ea2 3417 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3418
3419sendresp:
aca3192c
YH		 3420 rsp.scid = cpu_to_le16(scid);
3421 rsp.dcid = cpu_to_le16(dcid);
3422 rsp.result = cpu_to_le16(result);
3423 rsp.status = cpu_to_le16(status);
1da177e4 3424 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 3425
3426 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3427 struct l2cap_info_req info;
ac73498c 3428 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3429
3430 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3431 conn->info_ident = l2cap_get_ident(conn);
3432
ba13ccd9 3433 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 3434
3435 l2cap_send_cmd(conn, conn->info_ident,
3436 L2CAP_INFO_REQ, sizeof(info), &info);
3437 }
3438
c1360a1c 3439 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 3440 result == L2CAP_CR_SUCCESS) {
3441 u8 buf[128];
c1360a1c 3442 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3443 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3444 l2cap_build_conf_req(chan, buf), buf);
3445 chan->num_conf_req++;
e9aeb2dd
GP		 3446 }
3447
1da177e4
LT		 3448 return 0;
3449}
3450
3451static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3452{
3453 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3454 u16 scid, dcid, result, status;
48454079 3455 struct l2cap_chan *chan;
1da177e4 3456 u8 req[128];
3df91ea2 3457 int err;
1da177e4
LT		 3458
3459 scid = __le16_to_cpu(rsp->scid);
3460 dcid = __le16_to_cpu(rsp->dcid);
3461 result = __le16_to_cpu(rsp->result);
3462 status = __le16_to_cpu(rsp->status);
3463
1b009c98
AE		 3464 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3465 dcid, scid, result, status);
1da177e4 3466
3df91ea2
AE		 3467 mutex_lock(&conn->chan_lock);
3468
1da177e4 3469 if (scid) {
3df91ea2
AE		 3470 chan = __l2cap_get_chan_by_scid(conn, scid);
3471 if (!chan) {
3472 err = -EFAULT;
3473 goto unlock;
3474 }
1da177e4 3475 } else {
3df91ea2
AE		 3476 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3477 if (!chan) {
3478 err = -EFAULT;
3479 goto unlock;
3480 }
1da177e4
LT		 3481 }
3482
3df91ea2
AE		 3483 err = 0;
3484
6be36555 3485 l2cap_chan_lock(chan);
48454079 3486
1da177e4
LT		 3487 switch (result) {
3488 case L2CAP_CR_SUCCESS:
89bc500e 3489 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3490 chan->ident = 0;
fe4128e0 3491 chan->dcid = dcid;
c1360a1c 3492 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3493
c1360a1c 3494 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3495 break;
3496
1da177e4 3497 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3498 l2cap_build_conf_req(chan, req), req);
3499 chan->num_conf_req++;
1da177e4
LT		 3500 break;
3501
3502 case L2CAP_CR_PEND:
c1360a1c 3503 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3504 break;
3505
3506 default:
48454079 3507 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3508 break;
3509 }
3510
6be36555 3511 l2cap_chan_unlock(chan);
3df91ea2
AE		 3512
3513unlock:
3514 mutex_unlock(&conn->chan_lock);
3515
3516 return err;
1da177e4
LT		 3517}
3518
47d1ec61 3519static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3520{
3521 /* FCS is enabled only in ERTM or streaming mode, if one or both
3522 * sides request it.
3523 */
0c1bc5c6 3524 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3525 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3526 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3527 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3528}
3529
88219a0f 3530static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 3531{
3532 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3533 u16 dcid, flags;
3534 u8 rsp[64];
48454079 3535 struct l2cap_chan *chan;
3c588192 3536 int len, err = 0;
1da177e4
LT		 3537
3538 dcid = __le16_to_cpu(req->dcid);
3539 flags = __le16_to_cpu(req->flags);
3540
3541 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3542
baa7e1fa 3543 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3544 if (!chan)
1da177e4
LT		 3545 return -ENOENT;
3546
033b1142 3547 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3548 struct l2cap_cmd_rej_cid rej;
3549
ac73498c 3550 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
e2fd318e
IK		 3551 rej.scid = cpu_to_le16(chan->scid);
3552 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3553
df6bd743
GP		 3554 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
3555 sizeof(rej), &rej);
354f60a9 3556 goto unlock;
df6bd743 3557 }
354f60a9 3558
5dee9e7c 3559 /* Reject if config buffer is too small. */
88219a0f 3560 len = cmd_len - sizeof(*req);
7ac28817 3561 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3562 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3563 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 3564 L2CAP_CONF_REJECT, flags), rsp);
3565 goto unlock;
3566 }
3567
3568 /* Store config. */
73ffa904
GP		 3569 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3570 chan->conf_len += len;
1da177e4 3571
59e54bd1 3572 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 3573 /* Incomplete config. Send empty response. */
3574 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3575 l2cap_build_conf_rsp(chan, rsp,
5325e5bb 3576 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 3577 goto unlock;
3578 }
3579
3580 /* Complete config. */
73ffa904 3581 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3582 if (len < 0) {
e92c8e70 3583 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 3584 goto unlock;
f2fcfcd6 3585 }
1da177e4 3586
5dee9e7c 3587 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3588 chan->num_conf_rsp++;
5dee9e7c 3589
5dee9e7c 3590 /* Reset config buffer. */
73ffa904 3591 chan->conf_len = 0;
5dee9e7c 3592
c1360a1c 3593 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3594 goto unlock;
3595
c1360a1c 3596 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3597 set_default_fcs(chan);
fcc203c3 3598
105bdf9e
MM		 3599 if (chan->mode == L2CAP_MODE_ERTM ||
3600 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3601 err = l2cap_ertm_init(chan);
3602
3603 if (err < 0)
3604 l2cap_send_disconn_req(chan->conn, chan, -err);
3605 else
3606 l2cap_chan_ready(chan);
0565c1c2 3607
876d9484
MH		 3608 goto unlock;
3609 }
3610
c1360a1c 3611 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3612 u8 buf[64];
1da177e4 3613 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3614 l2cap_build_conf_req(chan, buf), buf);
3615 chan->num_conf_req++;
1da177e4
LT		 3616 }
3617
0e8b207e
AE		 3618 /* Got Conf Rsp PENDING from remote side and asume we sent
3619 Conf Rsp PENDING in the code above */
3620 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
3621 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3622
3623 /* check compatibility */
3624
3625 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3626 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3627
3628 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3629 l2cap_build_conf_rsp(chan, rsp,
5325e5bb 3630 L2CAP_CONF_SUCCESS, flags), rsp);
0e8b207e
AE		 3631 }
3632
1da177e4 3633unlock:
6be36555 3634 l2cap_chan_unlock(chan);
3c588192 3635 return err;
1da177e4
LT		 3636}
3637
3638static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3639{
3640 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3641 u16 scid, flags, result;
48454079 3642 struct l2cap_chan *chan;
61386cba 3643 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3644 int err = 0;
1da177e4
LT		 3645
3646 scid = __le16_to_cpu(rsp->scid);
3647 flags = __le16_to_cpu(rsp->flags);
3648 result = __le16_to_cpu(rsp->result);
3649
61386cba
AE		 3650 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3651 result, len);
1da177e4 3652
baa7e1fa 3653 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3654 if (!chan)
1da177e4
LT		 3655 return 0;
3656
3657 switch (result) {
3658 case L2CAP_CONF_SUCCESS:
47d1ec61 3659 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3660 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3661 break;
3662
0e8b207e
AE		 3663 case L2CAP_CONF_PENDING:
3664 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3665
3666 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3667 char buf[64];
3668
3669 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3670 buf, &result);
3671 if (len < 0) {
3672 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3673 goto done;
3674 }
3675
3676 /* check compatibility */
3677
3678 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3679 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3680
3681 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3682 l2cap_build_conf_rsp(chan, buf,
0e8b207e
AE		 3683 L2CAP_CONF_SUCCESS, 0x0000), buf);
3684 }
3685 goto done;
3686
1da177e4 3687 case L2CAP_CONF_UNACCEPT:
73ffa904 3688 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3689 char req[64];
3690
c2c77ec8 3691 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 3692 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 3693 goto done;
3694 }
3695
f2fcfcd6
GP		 3696 /* throw out any old stored conf requests */
3697 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 3698 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3699 req, &result);
f2fcfcd6 3700 if (len < 0) {
e92c8e70 3701 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 3702 goto done;
3703 }
3704
3705 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3706 L2CAP_CONF_REQ, len, req);
73ffa904 3707 chan->num_conf_req++;
f2fcfcd6
GP		 3708 if (result != L2CAP_CONF_SUCCESS)
3709 goto done;
3710 break;
1da177e4
LT		 3711 }
3712
8e87d142 3713 default:
6be36555 3714 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 3715
ba13ccd9 3716 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 3717 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 3718 goto done;
3719 }
3720
59e54bd1 3721 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 3722 goto done;
3723
c1360a1c 3724 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 3725
c1360a1c 3726 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 3727 set_default_fcs(chan);
fcc203c3 3728
105bdf9e
MM		 3729 if (chan->mode == L2CAP_MODE_ERTM ||
3730 chan->mode == L2CAP_MODE_STREAMING)
3c588192 3731 err = l2cap_ertm_init(chan);
0565c1c2 3732
3c588192
MM		 3733 if (err < 0)
3734 l2cap_send_disconn_req(chan->conn, chan, -err);
3735 else
3736 l2cap_chan_ready(chan);
1da177e4
LT		 3737 }
3738
3739done:
6be36555 3740 l2cap_chan_unlock(chan);
3c588192 3741 return err;
1da177e4
LT		 3742}
3743
3744static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3745{
3746 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3747 struct l2cap_disconn_rsp rsp;
3748 u16 dcid, scid;
48454079 3749 struct l2cap_chan *chan;
1da177e4
LT		 3750 struct sock *sk;
3751
3752 scid = __le16_to_cpu(req->scid);
3753 dcid = __le16_to_cpu(req->dcid);
3754
3755 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3756
3df91ea2
AE		 3757 mutex_lock(&conn->chan_lock);
3758
3759 chan = __l2cap_get_chan_by_scid(conn, dcid);
3760 if (!chan) {
3761 mutex_unlock(&conn->chan_lock);
1da177e4 3762 return 0;
3df91ea2 3763 }
1da177e4 3764
6be36555
AE		 3765 l2cap_chan_lock(chan);
3766
48454079
GP		 3767 sk = chan->sk;
3768
fe4128e0
GP		 3769 rsp.dcid = cpu_to_le16(chan->scid);
3770 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3771 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3772
6be36555 3773 lock_sock(sk);
1da177e4 3774 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 3775 release_sock(sk);
1da177e4 3776
61d6ef3e 3777 l2cap_chan_hold(chan);
48454079 3778 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 3779
3780 l2cap_chan_unlock(chan);
1da177e4 3781
80b98027 3782 chan->ops->close(chan);
61d6ef3e 3783 l2cap_chan_put(chan);
3df91ea2
AE		 3784
3785 mutex_unlock(&conn->chan_lock);
3786
1da177e4
LT		 3787 return 0;
3788}
3789
3790static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3791{
3792 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3793 u16 dcid, scid;
48454079 3794 struct l2cap_chan *chan;
1da177e4
LT		 3795
3796 scid = __le16_to_cpu(rsp->scid);
3797 dcid = __le16_to_cpu(rsp->dcid);
3798
3799 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3800
3df91ea2
AE		 3801 mutex_lock(&conn->chan_lock);
3802
3803 chan = __l2cap_get_chan_by_scid(conn, scid);
3804 if (!chan) {
3805 mutex_unlock(&conn->chan_lock);
1da177e4 3806 return 0;
3df91ea2 3807 }
1da177e4 3808
6be36555 3809 l2cap_chan_lock(chan);
48454079 3810
61d6ef3e 3811 l2cap_chan_hold(chan);
48454079 3812 l2cap_chan_del(chan, 0);
6be36555
AE		 3813
3814 l2cap_chan_unlock(chan);
1da177e4 3815
80b98027 3816 chan->ops->close(chan);
61d6ef3e 3817 l2cap_chan_put(chan);
3df91ea2
AE		 3818
3819 mutex_unlock(&conn->chan_lock);
3820
1da177e4
LT		 3821 return 0;
3822}
3823
3824static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3825{
3826 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3827 u16 type;
3828
3829 type = __le16_to_cpu(req->type);
3830
3831 BT_DBG("type 0x%4.4x", type);
3832
f0709e03
MH		 3833 if (type == L2CAP_IT_FEAT_MASK) {
3834 u8 buf[8];
44dd46de 3835 u32 feat_mask = l2cap_feat_mask;
f0709e03 3836 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 3837 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
3838 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3839 if (!disable_ertm)
fcc203c3
GP		 3840 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3841 | L2CAP_FEAT_FCS;
a5fd6f30 3842 if (enable_hs)
6327eb98
AE		 3843 feat_mask |= L2CAP_FEAT_EXT_FLOW
3844 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3845
1b7bf4ed 3846 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3847 l2cap_send_cmd(conn, cmd->ident,
3848 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3849 } else if (type == L2CAP_IT_FIXED_CHAN) {
3850 u8 buf[12];
3851 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3852
3853 if (enable_hs)
3854 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3855 else
3856 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3857
ac73498c
AE		 3858 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3859 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3860 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH		 3861 l2cap_send_cmd(conn, cmd->ident,
3862 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3863 } else {
3864 struct l2cap_info_rsp rsp;
3865 rsp.type = cpu_to_le16(type);
ac73498c 3866 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
f0709e03
MH		 3867 l2cap_send_cmd(conn, cmd->ident,
3868 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3869 }
1da177e4
LT		 3870
3871 return 0;
3872}
3873
3874static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3875{
3876 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3877 u16 type, result;
3878
3879 type = __le16_to_cpu(rsp->type);
3880 result = __le16_to_cpu(rsp->result);
3881
3882 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3883
e90165be
AE		 3884 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3885 if (cmd->ident != conn->info_ident ||
3886 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3887 return 0;
3888
17cd3f37 3889 cancel_delayed_work(&conn->info_timer);
4e8402a3 3890
adb08ede
VT		 3891 if (result != L2CAP_IR_SUCCESS) {
3892 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3893 conn->info_ident = 0;
3894
3895 l2cap_conn_start(conn);
3896
3897 return 0;
3898 }
3899
978c93b9
AE		 3900 switch (type) {
3901 case L2CAP_IT_FEAT_MASK:
83985319 3902 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3903
47ec1dcd 3904 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 3905 struct l2cap_info_req req;
ac73498c 3906 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 3907
3908 conn->info_ident = l2cap_get_ident(conn);
3909
3910 l2cap_send_cmd(conn, conn->info_ident,
3911 L2CAP_INFO_REQ, sizeof(req), &req);
3912 } else {
3913 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3914 conn->info_ident = 0;
3915
3916 l2cap_conn_start(conn);
3917 }
978c93b9
AE		 3918 break;
3919
3920 case L2CAP_IT_FIXED_CHAN:
3921 conn->fixed_chan_mask = rsp->data[0];
984947dc 3922 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3923 conn->info_ident = 0;
984947dc
MH		 3924
3925 l2cap_conn_start(conn);
978c93b9 3926 break;
984947dc 3927 }
4e8402a3 3928
1da177e4
LT		 3929 return 0;
3930}
3931
f94ff6ff
MM		 3932static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3933 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3934 void *data)
3935{
3936 struct l2cap_create_chan_req *req = data;
3937 struct l2cap_create_chan_rsp rsp;
3938 u16 psm, scid;
3939
3940 if (cmd_len != sizeof(*req))
3941 return -EPROTO;
3942
3943 if (!enable_hs)
3944 return -EINVAL;
3945
3946 psm = le16_to_cpu(req->psm);
3947 scid = le16_to_cpu(req->scid);
3948
3949 BT_DBG("psm %d, scid %d, amp_id %d", psm, scid, req->amp_id);
3950
3951 /* Placeholder: Always reject */
3952 rsp.dcid = 0;
3953 rsp.scid = cpu_to_le16(scid);
8ce0c498
AE		 3954 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
3955 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f94ff6ff
MM		 3956
3957 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
3958 sizeof(rsp), &rsp);
3959
3960 return 0;
3961}
3962
3963static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
3964 struct l2cap_cmd_hdr *cmd, void *data)
3965{
3966 BT_DBG("conn %p", conn);
3967
3968 return l2cap_connect_rsp(conn, cmd, data);
3969}
3970
8d5a04a1
MM		 3971static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
3972 u16 icid, u16 result)
3973{
3974 struct l2cap_move_chan_rsp rsp;
3975
3976 BT_DBG("icid %d, result %d", icid, result);
3977
3978 rsp.icid = cpu_to_le16(icid);
3979 rsp.result = cpu_to_le16(result);
3980
3981 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
3982}
3983
3984static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
3985 struct l2cap_chan *chan, u16 icid, u16 result)
3986{
3987 struct l2cap_move_chan_cfm cfm;
3988 u8 ident;
3989
3990 BT_DBG("icid %d, result %d", icid, result);
3991
3992 ident = l2cap_get_ident(conn);
3993 if (chan)
3994 chan->ident = ident;
3995
3996 cfm.icid = cpu_to_le16(icid);
3997 cfm.result = cpu_to_le16(result);
3998
3999 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
4000}
4001
4002static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
4003 u16 icid)
4004{
4005 struct l2cap_move_chan_cfm_rsp rsp;
4006
4007 BT_DBG("icid %d", icid);
4008
4009 rsp.icid = cpu_to_le16(icid);
4010 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4011}
4012
4013static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
4014 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4015{
4016 struct l2cap_move_chan_req *req = data;
4017 u16 icid = 0;
4018 u16 result = L2CAP_MR_NOT_ALLOWED;
4019
4020 if (cmd_len != sizeof(*req))
4021 return -EPROTO;
4022
4023 icid = le16_to_cpu(req->icid);
4024
4025 BT_DBG("icid %d, dest_amp_id %d", icid, req->dest_amp_id);
4026
4027 if (!enable_hs)
4028 return -EINVAL;
4029
4030 /* Placeholder: Always refuse */
4031 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
4032
4033 return 0;
4034}
4035
4036static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
4037 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4038{
4039 struct l2cap_move_chan_rsp *rsp = data;
4040 u16 icid, result;
4041
4042 if (cmd_len != sizeof(*rsp))
4043 return -EPROTO;
4044
4045 icid = le16_to_cpu(rsp->icid);
4046 result = le16_to_cpu(rsp->result);
4047
4048 BT_DBG("icid %d, result %d", icid, result);
4049
4050 /* Placeholder: Always unconfirmed */
4051 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
4052
4053 return 0;
4054}
4055
4056static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
4057 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4058{
4059 struct l2cap_move_chan_cfm *cfm = data;
4060 u16 icid, result;
4061
4062 if (cmd_len != sizeof(*cfm))
4063 return -EPROTO;
4064
4065 icid = le16_to_cpu(cfm->icid);
4066 result = le16_to_cpu(cfm->result);
4067
4068 BT_DBG("icid %d, result %d", icid, result);
4069
4070 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4071
4072 return 0;
4073}
4074
4075static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
4076 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4077{
4078 struct l2cap_move_chan_cfm_rsp *rsp = data;
4079 u16 icid;
4080
4081 if (cmd_len != sizeof(*rsp))
4082 return -EPROTO;
4083
4084 icid = le16_to_cpu(rsp->icid);
4085
4086 BT_DBG("icid %d", icid);
4087
4088 return 0;
4089}
4090
e2174ca4 4091static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 4092 u16 to_multiplier)
4093{
4094 u16 max_latency;
4095
4096 if (min > max || min < 6 || max > 3200)
4097 return -EINVAL;
4098
4099 if (to_multiplier < 10 || to_multiplier > 3200)
4100 return -EINVAL;
4101
4102 if (max >= to_multiplier * 8)
4103 return -EINVAL;
4104
4105 max_latency = (to_multiplier * 8 / max) - 1;
4106 if (latency > 499 || latency > max_latency)
4107 return -EINVAL;
4108
4109 return 0;
4110}
4111
4112static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
4113 struct l2cap_cmd_hdr *cmd, u8 *data)
4114{
4115 struct hci_conn *hcon = conn->hcon;
4116 struct l2cap_conn_param_update_req *req;
4117 struct l2cap_conn_param_update_rsp rsp;
4118 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 4119 int err;
de73115a
CT		 4120
4121 if (!(hcon->link_mode & HCI_LM_MASTER))
4122 return -EINVAL;
4123
4124 cmd_len = __le16_to_cpu(cmd->len);
4125 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
4126 return -EPROTO;
4127
4128 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 4129 min = __le16_to_cpu(req->min);
4130 max = __le16_to_cpu(req->max);
de73115a
CT		 4131 latency = __le16_to_cpu(req->latency);
4132 to_multiplier = __le16_to_cpu(req->to_multiplier);
4133
4134 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
4135 min, max, latency, to_multiplier);
4136
4137 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 4138
4139 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
4140 if (err)
ac73498c 4141 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 4142 else
ac73498c 4143 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 4144
4145 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
4146 sizeof(rsp), &rsp);
4147
2ce603eb
CT		 4148 if (!err)
4149 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
4150
de73115a
CT		 4151 return 0;
4152}
4153
3300d9a9
CT		 4154static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
4155 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4156{
4157 int err = 0;
4158
4159 switch (cmd->code) {
4160 case L2CAP_COMMAND_REJ:
4161 l2cap_command_rej(conn, cmd, data);
4162 break;
4163
4164 case L2CAP_CONN_REQ:
4165 err = l2cap_connect_req(conn, cmd, data);
4166 break;
4167
4168 case L2CAP_CONN_RSP:
4169 err = l2cap_connect_rsp(conn, cmd, data);
4170 break;
4171
4172 case L2CAP_CONF_REQ:
4173 err = l2cap_config_req(conn, cmd, cmd_len, data);
4174 break;
4175
4176 case L2CAP_CONF_RSP:
4177 err = l2cap_config_rsp(conn, cmd, data);
4178 break;
4179
4180 case L2CAP_DISCONN_REQ:
4181 err = l2cap_disconnect_req(conn, cmd, data);
4182 break;
4183
4184 case L2CAP_DISCONN_RSP:
4185 err = l2cap_disconnect_rsp(conn, cmd, data);
4186 break;
4187
4188 case L2CAP_ECHO_REQ:
4189 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
4190 break;
4191
4192 case L2CAP_ECHO_RSP:
4193 break;
4194
4195 case L2CAP_INFO_REQ:
4196 err = l2cap_information_req(conn, cmd, data);
4197 break;
4198
4199 case L2CAP_INFO_RSP:
4200 err = l2cap_information_rsp(conn, cmd, data);
4201 break;
4202
f94ff6ff
MM		 4203 case L2CAP_CREATE_CHAN_REQ:
4204 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
4205 break;
4206
4207 case L2CAP_CREATE_CHAN_RSP:
4208 err = l2cap_create_channel_rsp(conn, cmd, data);
4209 break;
4210
8d5a04a1
MM		 4211 case L2CAP_MOVE_CHAN_REQ:
4212 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
4213 break;
4214
4215 case L2CAP_MOVE_CHAN_RSP:
4216 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
4217 break;
4218
4219 case L2CAP_MOVE_CHAN_CFM:
4220 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
4221 break;
4222
4223 case L2CAP_MOVE_CHAN_CFM_RSP:
4224 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
4225 break;
4226
3300d9a9
CT		 4227 default:
4228 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
4229 err = -EINVAL;
4230 break;
4231 }
4232
4233 return err;
4234}
4235
4236static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
4237 struct l2cap_cmd_hdr *cmd, u8 *data)
4238{
4239 switch (cmd->code) {
4240 case L2CAP_COMMAND_REJ:
4241 return 0;
4242
4243 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 4244 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 4245
4246 case L2CAP_CONN_PARAM_UPDATE_RSP:
4247 return 0;
4248
4249 default:
4250 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
4251 return -EINVAL;
4252 }
4253}
4254
4255static inline void l2cap_sig_channel(struct l2cap_conn *conn,
4256 struct sk_buff *skb)
1da177e4
LT		 4257{
4258 u8 *data = skb->data;
4259 int len = skb->len;
4260 struct l2cap_cmd_hdr cmd;
3300d9a9 4261 int err;
1da177e4
LT		 4262
4263 l2cap_raw_recv(conn, skb);
4264
4265 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 4266 u16 cmd_len;
1da177e4
LT		 4267 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
4268 data += L2CAP_CMD_HDR_SIZE;
4269 len -= L2CAP_CMD_HDR_SIZE;
4270
88219a0f 4271 cmd_len = le16_to_cpu(cmd.len);
1da177e4 4272
88219a0f 4273 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 4274
88219a0f 4275 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 4276 BT_DBG("corrupted command");
4277 break;
4278 }
4279
3300d9a9
CT		 4280 if (conn->hcon->type == LE_LINK)
4281 err = l2cap_le_sig_cmd(conn, &cmd, data);
4282 else
4283 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 4284
4285 if (err) {
e2fd318e 4286 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 4287
4288 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 4289
4290 /* FIXME: Map err to a valid reason */
ac73498c 4291 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 4292 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4293 }
4294
88219a0f
AV		 4295 data += cmd_len;
4296 len -= cmd_len;
1da177e4
LT		 4297 }
4298
4299 kfree_skb(skb);
4300}
4301
47d1ec61 4302static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 4303{
4304 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 4305 int hdr_size;
4306
4307 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
4308 hdr_size = L2CAP_EXT_HDR_SIZE;
4309 else
4310 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 4311
47d1ec61 4312 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 4313 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 4314 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
4315 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
4316
4317 if (our_fcs != rcv_fcs)
7a560e5c 4318 return -EBADMSG;
fcc203c3
GP		 4319 }
4320 return 0;
4321}
4322
6ea00485 4323static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 4324{
e31f7633 4325 struct l2cap_ctrl control;
d5392c8f 4326
e31f7633 4327 BT_DBG("chan %p", chan);
d5392c8f 4328
e31f7633
MM		 4329 memset(&control, 0, sizeof(control));
4330 control.sframe = 1;
4331 control.final = 1;
4332 control.reqseq = chan->buffer_seq;
4333 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 4334
e2ab4353 4335 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 4336 control.super = L2CAP_SUPER_RNR;
4337 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4338 }
4339
e31f7633
MM		 4340 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
4341 chan->unacked_frames > 0)
4342 __set_retrans_timer(chan);
d5392c8f 4343
e31f7633 4344 /* Send pending iframes */
525cd185 4345 l2cap_ertm_send(chan);
d5392c8f 4346
e2ab4353 4347 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 4348 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
4349 /* F-bit wasn't sent in an s-frame or i-frame yet, so
4350 * send it now.
4351 */
4352 control.super = L2CAP_SUPER_RR;
4353 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4354 }
4355}
4356
84084a31
MM		 4357static void append_skb_frag(struct sk_buff *skb,
4358 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 4359{
84084a31
MM		 4360 /* skb->len reflects data in skb as well as all fragments
4361 * skb->data_len reflects only data in fragments
4362 */
4363 if (!skb_has_frag_list(skb))
4364 skb_shinfo(skb)->frag_list = new_frag;
4365
4366 new_frag->next = NULL;
4367
4368 (*last_frag)->next = new_frag;
4369 *last_frag = new_frag;
4370
4371 skb->len += new_frag->len;
4372 skb->data_len += new_frag->len;
4373 skb->truesize += new_frag->truesize;
4374}
4375
4b51dae9
MM		 4376static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
4377 struct l2cap_ctrl *control)
84084a31
MM		 4378{
4379 int err = -EINVAL;
18778a63 4380
4b51dae9 4381 switch (control->sar) {
7e0ef6ee 4382 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 4383 if (chan->sdu)
4384 break;
18778a63 4385
80b98027 4386 err = chan->ops->recv(chan, skb);
84084a31 4387 break;
18778a63 4388
7e0ef6ee 4389 case L2CAP_SAR_START:
84084a31
MM		 4390 if (chan->sdu)
4391 break;
18778a63 4392
6f61fd47 4393 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 4394 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 4395
84084a31
MM		 4396 if (chan->sdu_len > chan->imtu) {
4397 err = -EMSGSIZE;
4398 break;
4399 }
1890d36b 4400
84084a31
MM		 4401 if (skb->len >= chan->sdu_len)
4402 break;
18778a63 4403
84084a31
MM		 4404 chan->sdu = skb;
4405 chan->sdu_last_frag = skb;
18778a63 4406
84084a31
MM		 4407 skb = NULL;
4408 err = 0;
18778a63
GP		 4409 break;
4410
7e0ef6ee 4411 case L2CAP_SAR_CONTINUE:
6f61fd47 4412 if (!chan->sdu)
84084a31 4413 break;
18778a63 4414
84084a31
MM		 4415 append_skb_frag(chan->sdu, skb,
4416 &chan->sdu_last_frag);
4417 skb = NULL;
18778a63 4418
84084a31
MM		 4419 if (chan->sdu->len >= chan->sdu_len)
4420 break;
4178ba46 4421
84084a31 4422 err = 0;
18778a63
GP		 4423 break;
4424
7e0ef6ee 4425 case L2CAP_SAR_END:
6f61fd47 4426 if (!chan->sdu)
84084a31 4427 break;
18778a63 4428
84084a31
MM		 4429 append_skb_frag(chan->sdu, skb,
4430 &chan->sdu_last_frag);
4431 skb = NULL;
4178ba46 4432
84084a31
MM		 4433 if (chan->sdu->len != chan->sdu_len)
4434 break;
18778a63 4435
80b98027 4436 err = chan->ops->recv(chan, chan->sdu);
1890d36b 4437
84084a31
MM		 4438 if (!err) {
4439 /* Reassembly complete */
4440 chan->sdu = NULL;
4441 chan->sdu_last_frag = NULL;
4442 chan->sdu_len = 0;
1890d36b 4443 }
18778a63
GP		 4444 break;
4445 }
4446
84084a31
MM		 4447 if (err) {
4448 kfree_skb(skb);
4449 kfree_skb(chan->sdu);
4450 chan->sdu = NULL;
4451 chan->sdu_last_frag = NULL;
4452 chan->sdu_len = 0;
4453 }
18778a63 4454
84084a31 4455 return err;
18778a63
GP		 4456}
4457
61aa4f5b 4458void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 4459{
61aa4f5b 4460 u8 event;
712132eb 4461
61aa4f5b
MM		 4462 if (chan->mode != L2CAP_MODE_ERTM)
4463 return;
712132eb 4464
61aa4f5b 4465 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 4466 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 4467}
4468
d2a7ac5d
MM		 4469static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
4470{
63838725
MM		 4471 int err = 0;
4472 /* Pass sequential frames to l2cap_reassemble_sdu()
4473 * until a gap is encountered.
4474 */
4475
4476 BT_DBG("chan %p", chan);
4477
4478 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4479 struct sk_buff *skb;
4480 BT_DBG("Searching for skb with txseq %d (queue len %d)",
4481 chan->buffer_seq, skb_queue_len(&chan->srej_q));
4482
4483 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
4484
4485 if (!skb)
4486 break;
4487
4488 skb_unlink(skb, &chan->srej_q);
4489 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
4490 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
4491 if (err)
4492 break;
4493 }
4494
4495 if (skb_queue_empty(&chan->srej_q)) {
4496 chan->rx_state = L2CAP_RX_STATE_RECV;
4497 l2cap_send_ack(chan);
4498 }
4499
4500 return err;
d2a7ac5d
MM		 4501}
4502
4503static void l2cap_handle_srej(struct l2cap_chan *chan,
4504 struct l2cap_ctrl *control)
4505{
f80842a8
MM		 4506 struct sk_buff *skb;
4507
4508 BT_DBG("chan %p, control %p", chan, control);
4509
4510 if (control->reqseq == chan->next_tx_seq) {
4511 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4512 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4513 return;
4514 }
4515
4516 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4517
4518 if (skb == NULL) {
4519 BT_DBG("Seq %d not available for retransmission",
4520 control->reqseq);
4521 return;
4522 }
4523
4524 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
4525 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4526 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4527 return;
4528 }
4529
4530 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4531
4532 if (control->poll) {
4533 l2cap_pass_to_tx(chan, control);
4534
4535 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4536 l2cap_retransmit(chan, control);
4537 l2cap_ertm_send(chan);
4538
4539 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4540 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4541 chan->srej_save_reqseq = control->reqseq;
4542 }
4543 } else {
4544 l2cap_pass_to_tx_fbit(chan, control);
4545
4546 if (control->final) {
4547 if (chan->srej_save_reqseq != control->reqseq ||
4548 !test_and_clear_bit(CONN_SREJ_ACT,
4549 &chan->conn_state))
4550 l2cap_retransmit(chan, control);
4551 } else {
4552 l2cap_retransmit(chan, control);
4553 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4554 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4555 chan->srej_save_reqseq = control->reqseq;
4556 }
4557 }
4558 }
d2a7ac5d
MM		 4559}
4560
4561static void l2cap_handle_rej(struct l2cap_chan *chan,
4562 struct l2cap_ctrl *control)
4563{
fcd289df
MM		 4564 struct sk_buff *skb;
4565
4566 BT_DBG("chan %p, control %p", chan, control);
4567
4568 if (control->reqseq == chan->next_tx_seq) {
4569 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4570 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4571 return;
4572 }
4573
4574 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4575
4576 if (chan->max_tx && skb &&
4577 bt_cb(skb)->control.retries >= chan->max_tx) {
4578 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4579 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4580 return;
4581 }
4582
4583 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4584
4585 l2cap_pass_to_tx(chan, control);
4586
4587 if (control->final) {
4588 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
4589 l2cap_retransmit_all(chan, control);
4590 } else {
4591 l2cap_retransmit_all(chan, control);
4592 l2cap_ertm_send(chan);
4593 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
4594 set_bit(CONN_REJ_ACT, &chan->conn_state);
4595 }
d2a7ac5d
MM		 4596}
4597
4b51dae9
MM		 4598static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
4599{
4600 BT_DBG("chan %p, txseq %d", chan, txseq);
4601
4602 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
4603 chan->expected_tx_seq);
4604
4605 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
4606 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4607 chan->tx_win) {
4608 /* See notes below regarding "double poll" and
4609 * invalid packets.
4610 */
4611 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4612 BT_DBG("Invalid/Ignore - after SREJ");
4613 return L2CAP_TXSEQ_INVALID_IGNORE;
4614 } else {
4615 BT_DBG("Invalid - in window after SREJ sent");
4616 return L2CAP_TXSEQ_INVALID;
4617 }
4618 }
4619
4620 if (chan->srej_list.head == txseq) {
4621 BT_DBG("Expected SREJ");
4622 return L2CAP_TXSEQ_EXPECTED_SREJ;
4623 }
4624
4625 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
4626 BT_DBG("Duplicate SREJ - txseq already stored");
4627 return L2CAP_TXSEQ_DUPLICATE_SREJ;
4628 }
4629
4630 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
4631 BT_DBG("Unexpected SREJ - not requested");
4632 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
4633 }
4634 }
4635
4636 if (chan->expected_tx_seq == txseq) {
4637 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4638 chan->tx_win) {
4639 BT_DBG("Invalid - txseq outside tx window");
4640 return L2CAP_TXSEQ_INVALID;
4641 } else {
4642 BT_DBG("Expected");
4643 return L2CAP_TXSEQ_EXPECTED;
4644 }
4645 }
4646
4647 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
4648 __seq_offset(chan, chan->expected_tx_seq,
4649 chan->last_acked_seq)){
4650 BT_DBG("Duplicate - expected_tx_seq later than txseq");
4651 return L2CAP_TXSEQ_DUPLICATE;
4652 }
4653
4654 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
4655 /* A source of invalid packets is a "double poll" condition,
4656 * where delays cause us to send multiple poll packets. If
4657 * the remote stack receives and processes both polls,
4658 * sequence numbers can wrap around in such a way that a
4659 * resent frame has a sequence number that looks like new data
4660 * with a sequence gap. This would trigger an erroneous SREJ
4661 * request.
4662 *
4663 * Fortunately, this is impossible with a tx window that's
4664 * less than half of the maximum sequence number, which allows
4665 * invalid frames to be safely ignored.
4666 *
4667 * With tx window sizes greater than half of the tx window
4668 * maximum, the frame is invalid and cannot be ignored. This
4669 * causes a disconnect.
4670 */
4671
4672 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4673 BT_DBG("Invalid/Ignore - txseq outside tx window");
4674 return L2CAP_TXSEQ_INVALID_IGNORE;
4675 } else {
4676 BT_DBG("Invalid - txseq outside tx window");
4677 return L2CAP_TXSEQ_INVALID;
4678 }
4679 } else {
4680 BT_DBG("Unexpected - txseq indicates missing frames");
4681 return L2CAP_TXSEQ_UNEXPECTED;
4682 }
4683}
4684
d2a7ac5d
MM		 4685static int l2cap_rx_state_recv(struct l2cap_chan *chan,
4686 struct l2cap_ctrl *control,
4687 struct sk_buff *skb, u8 event)
4688{
4689 int err = 0;
4690 bool skb_in_use = 0;
4691
4692 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4693 event);
4694
4695 switch (event) {
4696 case L2CAP_EV_RECV_IFRAME:
4697 switch (l2cap_classify_txseq(chan, control->txseq)) {
4698 case L2CAP_TXSEQ_EXPECTED:
4699 l2cap_pass_to_tx(chan, control);
4700
4701 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4702 BT_DBG("Busy, discarding expected seq %d",
4703 control->txseq);
4704 break;
4705 }
4706
4707 chan->expected_tx_seq = __next_seq(chan,
4708 control->txseq);
4709
4710 chan->buffer_seq = chan->expected_tx_seq;
4711 skb_in_use = 1;
4712
4713 err = l2cap_reassemble_sdu(chan, skb, control);
4714 if (err)
4715 break;
4716
4717 if (control->final) {
4718 if (!test_and_clear_bit(CONN_REJ_ACT,
4719 &chan->conn_state)) {
4720 control->final = 0;
4721 l2cap_retransmit_all(chan, control);
4722 l2cap_ertm_send(chan);
4723 }
4724 }
4725
4726 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
4727 l2cap_send_ack(chan);
4728 break;
4729 case L2CAP_TXSEQ_UNEXPECTED:
4730 l2cap_pass_to_tx(chan, control);
4731
4732 /* Can't issue SREJ frames in the local busy state.
4733 * Drop this frame, it will be seen as missing
4734 * when local busy is exited.
4735 */
4736 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4737 BT_DBG("Busy, discarding unexpected seq %d",
4738 control->txseq);
4739 break;
4740 }
4741
4742 /* There was a gap in the sequence, so an SREJ
4743 * must be sent for each missing frame. The
4744 * current frame is stored for later use.
4745 */
4746 skb_queue_tail(&chan->srej_q, skb);
4747 skb_in_use = 1;
4748 BT_DBG("Queued %p (queue len %d)", skb,
4749 skb_queue_len(&chan->srej_q));
4750
4751 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
4752 l2cap_seq_list_clear(&chan->srej_list);
4753 l2cap_send_srej(chan, control->txseq);
4754
4755 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
4756 break;
4757 case L2CAP_TXSEQ_DUPLICATE:
4758 l2cap_pass_to_tx(chan, control);
4759 break;
4760 case L2CAP_TXSEQ_INVALID_IGNORE:
4761 break;
4762 case L2CAP_TXSEQ_INVALID:
4763 default:
4764 l2cap_send_disconn_req(chan->conn, chan,
4765 ECONNRESET);
4766 break;
4767 }
4768 break;
4769 case L2CAP_EV_RECV_RR:
4770 l2cap_pass_to_tx(chan, control);
4771 if (control->final) {
4772 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4773
4774 if (!test_and_clear_bit(CONN_REJ_ACT,
4775 &chan->conn_state)) {
4776 control->final = 0;
4777 l2cap_retransmit_all(chan, control);
4778 }
4779
4780 l2cap_ertm_send(chan);
4781 } else if (control->poll) {
4782 l2cap_send_i_or_rr_or_rnr(chan);
4783 } else {
4784 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4785 &chan->conn_state) &&
4786 chan->unacked_frames)
4787 __set_retrans_timer(chan);
4788
4789 l2cap_ertm_send(chan);
4790 }
4791 break;
4792 case L2CAP_EV_RECV_RNR:
4793 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4794 l2cap_pass_to_tx(chan, control);
4795 if (control && control->poll) {
4796 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4797 l2cap_send_rr_or_rnr(chan, 0);
4798 }
4799 __clear_retrans_timer(chan);
4800 l2cap_seq_list_clear(&chan->retrans_list);
4801 break;
4802 case L2CAP_EV_RECV_REJ:
4803 l2cap_handle_rej(chan, control);
4804 break;
4805 case L2CAP_EV_RECV_SREJ:
4806 l2cap_handle_srej(chan, control);
4807 break;
4808 default:
4809 break;
4810 }
4811
4812 if (skb && !skb_in_use) {
4813 BT_DBG("Freeing %p", skb);
4814 kfree_skb(skb);
4815 }
4816
4817 return err;
4818}
4819
4820static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
4821 struct l2cap_ctrl *control,
4822 struct sk_buff *skb, u8 event)
4823{
4824 int err = 0;
4825 u16 txseq = control->txseq;
4826 bool skb_in_use = 0;
4827
4828 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4829 event);
4830
4831 switch (event) {
4832 case L2CAP_EV_RECV_IFRAME:
4833 switch (l2cap_classify_txseq(chan, txseq)) {
4834 case L2CAP_TXSEQ_EXPECTED:
4835 /* Keep frame for reassembly later */
4836 l2cap_pass_to_tx(chan, control);
4837 skb_queue_tail(&chan->srej_q, skb);
4838 skb_in_use = 1;
4839 BT_DBG("Queued %p (queue len %d)", skb,
4840 skb_queue_len(&chan->srej_q));
4841
4842 chan->expected_tx_seq = __next_seq(chan, txseq);
4843 break;
4844 case L2CAP_TXSEQ_EXPECTED_SREJ:
4845 l2cap_seq_list_pop(&chan->srej_list);
4846
4847 l2cap_pass_to_tx(chan, control);
4848 skb_queue_tail(&chan->srej_q, skb);
4849 skb_in_use = 1;
4850 BT_DBG("Queued %p (queue len %d)", skb,
4851 skb_queue_len(&chan->srej_q));
4852
4853 err = l2cap_rx_queued_iframes(chan);
4854 if (err)
4855 break;
4856
4857 break;
4858 case L2CAP_TXSEQ_UNEXPECTED:
4859 /* Got a frame that can't be reassembled yet.
4860 * Save it for later, and send SREJs to cover
4861 * the missing frames.
4862 */
4863 skb_queue_tail(&chan->srej_q, skb);
4864 skb_in_use = 1;
4865 BT_DBG("Queued %p (queue len %d)", skb,
4866 skb_queue_len(&chan->srej_q));
4867
4868 l2cap_pass_to_tx(chan, control);
4869 l2cap_send_srej(chan, control->txseq);
4870 break;
4871 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
4872 /* This frame was requested with an SREJ, but
4873 * some expected retransmitted frames are
4874 * missing. Request retransmission of missing
4875 * SREJ'd frames.
4876 */
4877 skb_queue_tail(&chan->srej_q, skb);
4878 skb_in_use = 1;
4879 BT_DBG("Queued %p (queue len %d)", skb,
4880 skb_queue_len(&chan->srej_q));
4881
4882 l2cap_pass_to_tx(chan, control);
4883 l2cap_send_srej_list(chan, control->txseq);
4884 break;
4885 case L2CAP_TXSEQ_DUPLICATE_SREJ:
4886 /* We've already queued this frame. Drop this copy. */
4887 l2cap_pass_to_tx(chan, control);
4888 break;
4889 case L2CAP_TXSEQ_DUPLICATE:
4890 /* Expecting a later sequence number, so this frame
4891 * was already received. Ignore it completely.
4892 */
4893 break;
4894 case L2CAP_TXSEQ_INVALID_IGNORE:
4895 break;
4896 case L2CAP_TXSEQ_INVALID:
4897 default:
4898 l2cap_send_disconn_req(chan->conn, chan,
4899 ECONNRESET);
4900 break;
4901 }
4902 break;
4903 case L2CAP_EV_RECV_RR:
4904 l2cap_pass_to_tx(chan, control);
4905 if (control->final) {
4906 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4907
4908 if (!test_and_clear_bit(CONN_REJ_ACT,
4909 &chan->conn_state)) {
4910 control->final = 0;
4911 l2cap_retransmit_all(chan, control);
4912 }
4913
4914 l2cap_ertm_send(chan);
4915 } else if (control->poll) {
4916 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4917 &chan->conn_state) &&
4918 chan->unacked_frames) {
4919 __set_retrans_timer(chan);
4920 }
4921
4922 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4923 l2cap_send_srej_tail(chan);
4924 } else {
4925 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4926 &chan->conn_state) &&
4927 chan->unacked_frames)
4928 __set_retrans_timer(chan);
4929
4930 l2cap_send_ack(chan);
4931 }
4932 break;
4933 case L2CAP_EV_RECV_RNR:
4934 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4935 l2cap_pass_to_tx(chan, control);
4936 if (control->poll) {
4937 l2cap_send_srej_tail(chan);
4938 } else {
4939 struct l2cap_ctrl rr_control;
4940 memset(&rr_control, 0, sizeof(rr_control));
4941 rr_control.sframe = 1;
4942 rr_control.super = L2CAP_SUPER_RR;
4943 rr_control.reqseq = chan->buffer_seq;
4944 l2cap_send_sframe(chan, &rr_control);
4945 }
4946
4947 break;
4948 case L2CAP_EV_RECV_REJ:
4949 l2cap_handle_rej(chan, control);
4950 break;
4951 case L2CAP_EV_RECV_SREJ:
4952 l2cap_handle_srej(chan, control);
4953 break;
4954 }
4955
4956 if (skb && !skb_in_use) {
4957 BT_DBG("Freeing %p", skb);
4958 kfree_skb(skb);
4959 }
4960
4961 return err;
4962}
4963
4964static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
4965{
4966 /* Make sure reqseq is for a packet that has been sent but not acked */
4967 u16 unacked;
4968
4969 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
4970 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
4971}
4972
cec8ab6e
MM		 4973static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
4974 struct sk_buff *skb, u8 event)
218bb9df 4975{
d2a7ac5d
MM		 4976 int err = 0;
4977
4978 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
4979 control, skb, event, chan->rx_state);
4980
4981 if (__valid_reqseq(chan, control->reqseq)) {
4982 switch (chan->rx_state) {
4983 case L2CAP_RX_STATE_RECV:
4984 err = l2cap_rx_state_recv(chan, control, skb, event);
4985 break;
4986 case L2CAP_RX_STATE_SREJ_SENT:
4987 err = l2cap_rx_state_srej_sent(chan, control, skb,
4988 event);
4989 break;
4990 default:
4991 /* shut it down */
4992 break;
4993 }
4994 } else {
4995 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
4996 control->reqseq, chan->next_tx_seq,
4997 chan->expected_ack_seq);
4998 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4999 }
5000
5001 return err;
cec8ab6e
MM		 5002}
5003
5004static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5005 struct sk_buff *skb)
5006{
4b51dae9
MM		 5007 int err = 0;
5008
5009 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
5010 chan->rx_state);
5011
5012 if (l2cap_classify_txseq(chan, control->txseq) ==
5013 L2CAP_TXSEQ_EXPECTED) {
5014 l2cap_pass_to_tx(chan, control);
5015
5016 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
5017 __next_seq(chan, chan->buffer_seq));
5018
5019 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5020
5021 l2cap_reassemble_sdu(chan, skb, control);
5022 } else {
5023 if (chan->sdu) {
5024 kfree_skb(chan->sdu);
5025 chan->sdu = NULL;
5026 }
5027 chan->sdu_last_frag = NULL;
5028 chan->sdu_len = 0;
5029
5030 if (skb) {
5031 BT_DBG("Freeing %p", skb);
5032 kfree_skb(skb);
5033 }
5034 }
5035
5036 chan->last_acked_seq = control->txseq;
5037 chan->expected_tx_seq = __next_seq(chan, control->txseq);
5038
5039 return err;
cec8ab6e
MM		 5040}
5041
5042static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
5043{
5044 struct l2cap_ctrl *control = &bt_cb(skb)->control;
5045 u16 len;
5046 u8 event;
218bb9df 5047
b76bbd66
MM		 5048 __unpack_control(chan, skb);
5049
218bb9df
GP		 5050 len = skb->len;
5051
5052 /*
5053 * We can just drop the corrupted I-frame here.
5054 * Receiver will miss it and start proper recovery
cec8ab6e 5055 * procedures and ask for retransmission.
218bb9df 5056 */
47d1ec61 5057 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 5058 goto drop;
5059
cec8ab6e 5060 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 5061 len -= L2CAP_SDULEN_SIZE;
218bb9df 5062
47d1ec61 5063 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 5064 len -= L2CAP_FCS_SIZE;
218bb9df 5065
47d1ec61 5066 if (len > chan->mps) {
8c1d787b 5067 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5068 goto drop;
5069 }
5070
cec8ab6e
MM		 5071 if (!control->sframe) {
5072 int err;
218bb9df 5073
cec8ab6e
MM		 5074 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
5075 control->sar, control->reqseq, control->final,
5076 control->txseq);
218bb9df 5077
cec8ab6e
MM		 5078 /* Validate F-bit - F=0 always valid, F=1 only
5079 * valid in TX WAIT_F
5080 */
5081 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 5082 goto drop;
cec8ab6e
MM		 5083
5084 if (chan->mode != L2CAP_MODE_STREAMING) {
5085 event = L2CAP_EV_RECV_IFRAME;
5086 err = l2cap_rx(chan, control, skb, event);
5087 } else {
5088 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 5089 }
5090
cec8ab6e
MM		 5091 if (err)
5092 l2cap_send_disconn_req(chan->conn, chan,
5093 ECONNRESET);
218bb9df 5094 } else {
cec8ab6e
MM		 5095 const u8 rx_func_to_event[4] = {
5096 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
5097 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
5098 };
5099
5100 /* Only I-frames are expected in streaming mode */
5101 if (chan->mode == L2CAP_MODE_STREAMING)
5102 goto drop;
5103
5104 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
5105 control->reqseq, control->final, control->poll,
5106 control->super);
5107
218bb9df
GP		 5108 if (len != 0) {
5109 BT_ERR("%d", len);
8c1d787b 5110 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5111 goto drop;
5112 }
5113
cec8ab6e
MM		 5114 /* Validate F and P bits */
5115 if (control->final && (control->poll ||
5116 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
5117 goto drop;
5118
5119 event = rx_func_to_event[control->super];
5120 if (l2cap_rx(chan, control, skb, event))
5121 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5122 }
5123
5124 return 0;
5125
5126drop:
5127 kfree_skb(skb);
5128 return 0;
5129}
5130
13ca56e0
AE		 5131static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
5132 struct sk_buff *skb)
1da177e4 5133{
48454079 5134 struct l2cap_chan *chan;
1da177e4 5135
baa7e1fa 5136 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 5137 if (!chan) {
97e8e89d
AE		 5138 if (cid == L2CAP_CID_A2MP) {
5139 chan = a2mp_channel_create(conn, skb);
5140 if (!chan) {
5141 kfree_skb(skb);
13ca56e0 5142 return;
97e8e89d
AE		 5143 }
5144
5145 l2cap_chan_lock(chan);
5146 } else {
5147 BT_DBG("unknown cid 0x%4.4x", cid);
5148 /* Drop packet and return */
5149 kfree_skb(skb);
13ca56e0 5150 return;
97e8e89d 5151 }
1da177e4
LT		 5152 }
5153
49208c9c 5154 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5155
89bc500e 5156 if (chan->state != BT_CONNECTED)
1da177e4
LT		 5157 goto drop;
5158
0c1bc5c6 5159 switch (chan->mode) {
1c2acffb
GP		 5160 case L2CAP_MODE_BASIC:
5161 /* If socket recv buffers overflows we drop data here
5162 * which is *bad* because L2CAP has to be reliable.
5163 * But we don't have any other choice. L2CAP doesn't
5164 * provide flow control mechanism. */
1da177e4 5165
0c1bc5c6 5166 if (chan->imtu < skb->len)
1c2acffb 5167 goto drop;
1da177e4 5168
80b98027 5169 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 5170 goto done;
5171 break;
5172
5173 case L2CAP_MODE_ERTM:
6840ed07 5174 case L2CAP_MODE_STREAMING:
cec8ab6e 5175 l2cap_data_rcv(chan, skb);
6840ed07
GP		 5176 goto done;
5177
1c2acffb 5178 default:
0c1bc5c6 5179 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 5180 break;
5181 }
1da177e4
LT		 5182
5183drop:
5184 kfree_skb(skb);
5185
5186done:
6be36555 5187 l2cap_chan_unlock(chan);
1da177e4
LT		 5188}
5189
84104b24
AE		 5190static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
5191 struct sk_buff *skb)
1da177e4 5192{
23691d75 5193 struct l2cap_chan *chan;
1da177e4 5194
c2287681 5195 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 5196 if (!chan)
1da177e4
LT		 5197 goto drop;
5198
5b4cedaa 5199 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5200
89bc500e 5201 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 5202 goto drop;
5203
e13e21dc 5204 if (chan->imtu < skb->len)
1da177e4
LT		 5205 goto drop;
5206
80b98027 5207 if (!chan->ops->recv(chan, skb))
84104b24 5208 return;
1da177e4
LT		 5209
5210drop:
5211 kfree_skb(skb);
1da177e4
LT		 5212}
5213
d9b88702
AE		 5214static inline int l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
5215 struct sk_buff *skb)
9f69bda6 5216{
23691d75 5217 struct l2cap_chan *chan;
9f69bda6 5218
c2287681 5219 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 5220 if (!chan)
9f69bda6
GP		 5221 goto drop;
5222
5b4cedaa 5223 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 5224
89bc500e 5225 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 5226 goto drop;
5227
e13e21dc 5228 if (chan->imtu < skb->len)
9f69bda6
GP		 5229 goto drop;
5230
80b98027 5231 if (!chan->ops->recv(chan, skb))
5b4cedaa 5232 return 0;
9f69bda6
GP		 5233
5234drop:
5235 kfree_skb(skb);
5236
9f69bda6
GP		 5237 return 0;
5238}
5239
1da177e4
LT		 5240static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
5241{
5242 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 5243 u16 cid, len;
5244 __le16 psm;
1da177e4
LT		 5245
5246 skb_pull(skb, L2CAP_HDR_SIZE);
5247 cid = __le16_to_cpu(lh->cid);
5248 len = __le16_to_cpu(lh->len);
5249
1c2acffb
GP		 5250 if (len != skb->len) {
5251 kfree_skb(skb);
5252 return;
5253 }
5254
1da177e4
LT		 5255 BT_DBG("len %d, cid 0x%4.4x", len, cid);
5256
5257 switch (cid) {
3300d9a9 5258 case L2CAP_CID_LE_SIGNALING:
8db4dc46 5259 case L2CAP_CID_SIGNALING:
1da177e4
LT		 5260 l2cap_sig_channel(conn, skb);
5261 break;
5262
8db4dc46 5263 case L2CAP_CID_CONN_LESS:
097db76c 5264 psm = get_unaligned((__le16 *) skb->data);
0181a70f 5265 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 5266 l2cap_conless_channel(conn, psm, skb);
5267 break;
5268
9f69bda6
GP		 5269 case L2CAP_CID_LE_DATA:
5270 l2cap_att_channel(conn, cid, skb);
5271 break;
5272
b501d6a1
AB		 5273 case L2CAP_CID_SMP:
5274 if (smp_sig_channel(conn, skb))
5275 l2cap_conn_del(conn->hcon, EACCES);
5276 break;
5277
1da177e4
LT		 5278 default:
5279 l2cap_data_channel(conn, cid, skb);
5280 break;
5281 }
5282}
5283
5284/* ---- L2CAP interface with lower layer (HCI) ---- */
5285
686ebf28 5286int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 5287{
5288 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 5289 struct l2cap_chan *c;
1da177e4 5290
1da177e4
LT		 5291 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
5292
5293 /* Find listening sockets and check their link_mode */
23691d75
GP		 5294 read_lock(&chan_list_lock);
5295 list_for_each_entry(c, &chan_list, global_l) {
5296 struct sock *sk = c->sk;
4343478f 5297
89bc500e 5298 if (c->state != BT_LISTEN)
1da177e4
LT		 5299 continue;
5300
5301 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 5302 lm1 |= HCI_LM_ACCEPT;
43bd0f32 5303 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 5304 lm1 |= HCI_LM_MASTER;
1da177e4 5305 exact++;
2af6b9d5
MH		 5306 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
5307 lm2 |= HCI_LM_ACCEPT;
43bd0f32 5308 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 5309 lm2 |= HCI_LM_MASTER;
5310 }
1da177e4 5311 }
23691d75 5312 read_unlock(&chan_list_lock);
1da177e4
LT		 5313
5314 return exact ? lm1 : lm2;
5315}
5316
686ebf28 5317int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 5318{
0139418c
MH		 5319 struct l2cap_conn *conn;
5320
1da177e4
LT		 5321 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
5322
1da177e4 5323 if (!status) {
1da177e4
LT		 5324 conn = l2cap_conn_add(hcon, status);
5325 if (conn)
5326 l2cap_conn_ready(conn);
0139418c 5327 } else
e175072f 5328 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 5329
5330 return 0;
5331}
5332
686ebf28 5333int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 5334{
5335 struct l2cap_conn *conn = hcon->l2cap_data;
5336
5337 BT_DBG("hcon %p", hcon);
5338
686ebf28 5339 if (!conn)
9f5a0d7b 5340 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 5341 return conn->disc_reason;
5342}
5343
686ebf28 5344int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 5345{
5346 BT_DBG("hcon %p reason %d", hcon, reason);
5347
e175072f 5348 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 5349 return 0;
5350}
5351
4343478f 5352static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 5353{
715ec005 5354 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 5355 return;
5356
f62e4323 5357 if (encrypt == 0x00) {
4343478f 5358 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 5359 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 5360 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 5361 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 5362 } else {
4343478f 5363 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 5364 __clear_chan_timer(chan);
f62e4323
MH		 5365 }
5366}
5367
686ebf28 5368int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 5369{
0139418c 5370 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 5371 struct l2cap_chan *chan;
1da177e4 5372
0139418c 5373 if (!conn)
1da177e4 5374 return 0;
0139418c 5375
1da177e4
LT		 5376 BT_DBG("conn %p", conn);
5377
160dc6ac 5378 if (hcon->type == LE_LINK) {
35d4adcc
HG		 5379 if (!status && encrypt)
5380 smp_distribute_keys(conn, 0);
17cd3f37 5381 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 5382 }
5383
3df91ea2 5384 mutex_lock(&conn->chan_lock);
1da177e4 5385
3df91ea2 5386 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 5387 l2cap_chan_lock(chan);
1da177e4 5388
f1cb9af5
VCG		 5389 BT_DBG("chan->scid %d", chan->scid);
5390
5391 if (chan->scid == L2CAP_CID_LE_DATA) {
5392 if (!status && encrypt) {
5393 chan->sec_level = hcon->sec_level;
cf4cd009 5394 l2cap_chan_ready(chan);
f1cb9af5
VCG		 5395 }
5396
6be36555 5397 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 5398 continue;
5399 }
5400
c1360a1c 5401 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6be36555 5402 l2cap_chan_unlock(chan);
6a8d3010
MH		 5403 continue;
5404 }
5405
89bc500e
GP		 5406 if (!status && (chan->state == BT_CONNECTED ||
5407 chan->state == BT_CONFIG)) {
a7d7723a
GP		 5408 struct sock *sk = chan->sk;
5409
c5daa683 5410 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 5411 sk->sk_state_change(sk);
5412
4343478f 5413 l2cap_check_encryption(chan, encrypt);
6be36555 5414 l2cap_chan_unlock(chan);
9719f8af
MH		 5415 continue;
5416 }
5417
89bc500e 5418 if (chan->state == BT_CONNECT) {
b1235d79 5419 if (!status) {
9b27f350 5420 l2cap_send_conn_req(chan);
b1235d79 5421 } else {
ba13ccd9 5422 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 5423 }
89bc500e 5424 } else if (chan->state == BT_CONNECT2) {
6be36555 5425 struct sock *sk = chan->sk;
b1235d79 5426 struct l2cap_conn_rsp rsp;
df3c3931 5427 __u16 res, stat;
1da177e4 5428
6be36555
AE		 5429 lock_sock(sk);
5430
b1235d79 5431 if (!status) {
c5daa683
GP		 5432 if (test_bit(BT_SK_DEFER_SETUP,
5433 &bt_sk(sk)->flags)) {
df3c3931
JH		 5434 struct sock *parent = bt_sk(sk)->parent;
5435 res = L2CAP_CR_PEND;
5436 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 5437 if (parent)
5438 parent->sk_data_ready(parent, 0);
df3c3931 5439 } else {
0e587be7 5440 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 5441 res = L2CAP_CR_SUCCESS;
5442 stat = L2CAP_CS_NO_INFO;
5443 }
b1235d79 5444 } else {
0e587be7 5445 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 5446 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 5447 res = L2CAP_CR_SEC_BLOCK;
5448 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 5449 }
5450
6be36555
AE		 5451 release_sock(sk);
5452
fe4128e0
GP		 5453 rsp.scid = cpu_to_le16(chan->dcid);
5454 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 5455 rsp.result = cpu_to_le16(res);
5456 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 5457 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
5458 sizeof(rsp), &rsp);
2d369359
MM		 5459
5460 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
5461 res == L2CAP_CR_SUCCESS) {
5462 char buf[128];
5463 set_bit(CONF_REQ_SENT, &chan->conf_state);
5464 l2cap_send_cmd(conn, l2cap_get_ident(conn),
5465 L2CAP_CONF_REQ,
5466 l2cap_build_conf_req(chan, buf),
5467 buf);
5468 chan->num_conf_req++;
5469 }
b1235d79 5470 }
1da177e4 5471
6be36555 5472 l2cap_chan_unlock(chan);
1da177e4
LT		 5473 }
5474
3df91ea2 5475 mutex_unlock(&conn->chan_lock);
b1235d79 5476
1da177e4
LT		 5477 return 0;
5478}
5479
686ebf28 5480int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 5481{
5482 struct l2cap_conn *conn = hcon->l2cap_data;
5483
5a08ecce
AE		 5484 if (!conn)
5485 conn = l2cap_conn_add(hcon, 0);
5486
5487 if (!conn)
1da177e4
LT		 5488 goto drop;
5489
5490 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
5491
e702112f 5492 if (!(flags & ACL_CONT)) {
1da177e4
LT		 5493 struct l2cap_hdr *hdr;
5494 int len;
5495
5496 if (conn->rx_len) {
5497 BT_ERR("Unexpected start frame (len %d)", skb->len);
5498 kfree_skb(conn->rx_skb);
5499 conn->rx_skb = NULL;
5500 conn->rx_len = 0;
5501 l2cap_conn_unreliable(conn, ECOMM);
5502 }
5503
aae7fe22
AE		 5504 /* Start fragment always begin with Basic L2CAP header */
5505 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 5506 BT_ERR("Frame is too short (len %d)", skb->len);
5507 l2cap_conn_unreliable(conn, ECOMM);
5508 goto drop;
5509 }
5510
5511 hdr = (struct l2cap_hdr *) skb->data;
5512 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
5513
5514 if (len == skb->len) {
5515 /* Complete frame received */
5516 l2cap_recv_frame(conn, skb);
5517 return 0;
5518 }
5519
5520 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
5521
5522 if (skb->len > len) {
5523 BT_ERR("Frame is too long (len %d, expected len %d)",
5524 skb->len, len);
5525 l2cap_conn_unreliable(conn, ECOMM);
5526 goto drop;
5527 }
5528
5529 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 5530 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
5531 if (!conn->rx_skb)
1da177e4
LT		 5532 goto drop;
5533
d626f62b 5534 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5535 skb->len);
1da177e4
LT		 5536 conn->rx_len = len - skb->len;
5537 } else {
5538 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
5539
5540 if (!conn->rx_len) {
5541 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
5542 l2cap_conn_unreliable(conn, ECOMM);
5543 goto drop;
5544 }
5545
5546 if (skb->len > conn->rx_len) {
5547 BT_ERR("Fragment is too long (len %d, expected %d)",
5548 skb->len, conn->rx_len);
5549 kfree_skb(conn->rx_skb);
5550 conn->rx_skb = NULL;
5551 conn->rx_len = 0;
5552 l2cap_conn_unreliable(conn, ECOMM);
5553 goto drop;
5554 }
5555
d626f62b 5556 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5557 skb->len);
1da177e4
LT		 5558 conn->rx_len -= skb->len;
5559
5560 if (!conn->rx_len) {
5561 /* Complete frame received */
5562 l2cap_recv_frame(conn, conn->rx_skb);
5563 conn->rx_skb = NULL;
5564 }
5565 }
5566
5567drop:
5568 kfree_skb(skb);
5569 return 0;
5570}
5571
aef7d97c 5572static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 5573{
23691d75 5574 struct l2cap_chan *c;
1da177e4 5575
333055f2 5576 read_lock(&chan_list_lock);
1da177e4 5577
23691d75
GP		 5578 list_for_each_entry(c, &chan_list, global_l) {
5579 struct sock *sk = c->sk;
101545f6 5580
903d343e 5581 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 5582 batostr(&bt_sk(sk)->src),
5583 batostr(&bt_sk(sk)->dst),
89bc500e 5584 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 5585 c->scid, c->dcid, c->imtu, c->omtu,
5586 c->sec_level, c->mode);
61e1b4b7 5587 }
1da177e4 5588
333055f2 5589 read_unlock(&chan_list_lock);
1da177e4 5590
aef7d97c 5591 return 0;
1da177e4
LT		 5592}
5593
aef7d97c
MH		 5594static int l2cap_debugfs_open(struct inode *inode, struct file *file)
5595{
5596 return single_open(file, l2cap_debugfs_show, inode->i_private);
5597}
5598
5599static const struct file_operations l2cap_debugfs_fops = {
5600 .open = l2cap_debugfs_open,
5601 .read = seq_read,
5602 .llseek = seq_lseek,
5603 .release = single_release,
5604};
5605
5606static struct dentry *l2cap_debugfs;
1da177e4 5607
64274518 5608int __init l2cap_init(void)
1da177e4
LT		 5609{
5610 int err;
be9d1227 5611
bb58f747 5612 err = l2cap_init_sockets();
1da177e4
LT		 5613 if (err < 0)
5614 return err;
5615
aef7d97c
MH		 5616 if (bt_debugfs) {
5617 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
5618 bt_debugfs, NULL, &l2cap_debugfs_fops);
5619 if (!l2cap_debugfs)
5620 BT_ERR("Failed to create L2CAP debug file");
5621 }
1da177e4 5622
1da177e4 5623 return 0;
1da177e4
LT		 5624}
5625
64274518 5626void l2cap_exit(void)
1da177e4 5627{
aef7d97c 5628 debugfs_remove(l2cap_debugfs);
bb58f747 5629 l2cap_cleanup_sockets();
1da177e4
LT		 5630}
5631
d1c4a17d
GP		 5632module_param(disable_ertm, bool, 0644);
5633MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)