projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Remove double check for BT_CONNECTED
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
33#include <linux/types.h>
4fc268d2 34#include <linux/capability.h>
1da177e4
LT		 35#include <linux/errno.h>
36#include <linux/kernel.h>
1da177e4
LT		 37#include <linux/sched.h>
38#include <linux/slab.h>
39#include <linux/poll.h>
40#include <linux/fcntl.h>
41#include <linux/init.h>
42#include <linux/interrupt.h>
43#include <linux/socket.h>
44#include <linux/skbuff.h>
1da177e4 45#include <linux/list.h>
be9d1227 46#include <linux/device.h>
aef7d97c
MH		 47#include <linux/debugfs.h>
48#include <linux/seq_file.h>
af05b30b 49#include <linux/uaccess.h>
fcc203c3 50#include <linux/crc16.h>
1da177e4
LT		 51#include <net/sock.h>
52
1da177e4
LT		 53#include <asm/unaligned.h>
54
55#include <net/bluetooth/bluetooth.h>
56#include <net/bluetooth/hci_core.h>
57#include <net/bluetooth/l2cap.h>
b501d6a1 58#include <net/bluetooth/smp.h>
1da177e4 59
d1de6d46 60bool disable_ertm;
f0709e03 61
47ec1dcd 62static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 63static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 64
b5ad8b7f
JB		 65static LIST_HEAD(chan_list);
66static DEFINE_RWLOCK(chan_list_lock);
1da177e4 67
1da177e4
LT		 68static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
69 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 70static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
71 void *data);
710f9b0a 72static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a 73static void l2cap_send_disconn_req(struct l2cap_conn *conn,
c5daa683 74 struct l2cap_chan *chan, int err);
1da177e4 75
608bcc6d
MM		 76static int l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
77 struct sk_buff_head *skbs, u8 event);
78
0139418c 79/* ---- L2CAP channels ---- */
71ba0e56 80
baa7e1fa 81static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 82{
3df91ea2 83 struct l2cap_chan *c;
3d57dc68 84
3df91ea2
AE		 85 list_for_each_entry(c, &conn->chan_l, list) {
86 if (c->dcid == cid)
87 return c;
0139418c 88 }
3df91ea2 89 return NULL;
0139418c
MH		 90}
91
baa7e1fa 92static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 93{
3df91ea2 94 struct l2cap_chan *c;
3d57dc68 95
3df91ea2
AE		 96 list_for_each_entry(c, &conn->chan_l, list) {
97 if (c->scid == cid)
98 return c;
0139418c 99 }
3df91ea2 100 return NULL;
0139418c
MH		 101}
102
103/* Find channel with given SCID.
ef191ade 104 * Returns locked channel. */
baa7e1fa 105static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 106{
48454079 107 struct l2cap_chan *c;
baa7e1fa 108
3df91ea2 109 mutex_lock(&conn->chan_lock);
baa7e1fa 110 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 111 if (c)
112 l2cap_chan_lock(c);
3df91ea2
AE		 113 mutex_unlock(&conn->chan_lock);
114
48454079 115 return c;
0139418c
MH		 116}
117
baa7e1fa 118static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 119{
3df91ea2 120 struct l2cap_chan *c;
3d57dc68 121
3df91ea2
AE		 122 list_for_each_entry(c, &conn->chan_l, list) {
123 if (c->ident == ident)
124 return c;
0139418c 125 }
3df91ea2 126 return NULL;
0139418c
MH		 127}
128
23691d75 129static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 130{
23691d75 131 struct l2cap_chan *c;
9e4425ff 132
23691d75
GP		 133 list_for_each_entry(c, &chan_list, global_l) {
134 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 135 return c;
9e4425ff 136 }
250938cb 137 return NULL;
9e4425ff
GP		 138}
139
140int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
141{
73b2ec18
GP		 142 int err;
143
333055f2 144 write_lock(&chan_list_lock);
9e4425ff 145
23691d75 146 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 147 err = -EADDRINUSE;
148 goto done;
9e4425ff
GP		 149 }
150
73b2ec18
GP		 151 if (psm) {
152 chan->psm = psm;
153 chan->sport = psm;
154 err = 0;
155 } else {
156 u16 p;
157
158 err = -EINVAL;
159 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 160 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 161 chan->psm = cpu_to_le16(p);
162 chan->sport = cpu_to_le16(p);
163 err = 0;
164 break;
165 }
166 }
9e4425ff 167
73b2ec18 168done:
333055f2 169 write_unlock(&chan_list_lock);
73b2ec18 170 return err;
9e4425ff
GP		 171}
172
173int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
174{
333055f2 175 write_lock(&chan_list_lock);
9e4425ff
GP		 176
177 chan->scid = scid;
178
333055f2 179 write_unlock(&chan_list_lock);
9e4425ff
GP		 180
181 return 0;
182}
183
baa7e1fa 184static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 185{
8db4dc46 186 u16 cid = L2CAP_CID_DYN_START;
0139418c 187
8db4dc46 188 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 189 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 190 return cid;
191 }
192
193 return 0;
194}
195
0e587be7 196static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 197{
42d2d87c 198 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
badaaa00
GP		 199 state_to_string(state));
200
89bc500e
GP		 201 chan->state = state;
202 chan->ops->state_change(chan->data, state);
203}
204
0e587be7
AE		 205static void l2cap_state_change(struct l2cap_chan *chan, int state)
206{
207 struct sock *sk = chan->sk;
208
209 lock_sock(sk);
210 __l2cap_state_change(chan, state);
211 release_sock(sk);
212}
213
2e0052e4
AE		 214static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
215{
216 struct sock *sk = chan->sk;
217
218 sk->sk_err = err;
219}
220
221static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
222{
223 struct sock *sk = chan->sk;
224
225 lock_sock(sk);
226 __l2cap_chan_set_err(chan, err);
227 release_sock(sk);
228}
229
4239d16f
MM		 230static void __set_retrans_timer(struct l2cap_chan *chan)
231{
232 if (!delayed_work_pending(&chan->monitor_timer) &&
233 chan->retrans_timeout) {
234 l2cap_set_timer(chan, &chan->retrans_timer,
235 msecs_to_jiffies(chan->retrans_timeout));
236 }
237}
238
239static void __set_monitor_timer(struct l2cap_chan *chan)
240{
241 __clear_retrans_timer(chan);
242 if (chan->monitor_timeout) {
243 l2cap_set_timer(chan, &chan->monitor_timer,
244 msecs_to_jiffies(chan->monitor_timeout));
245 }
246}
247
608bcc6d
MM		 248static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
249 u16 seq)
250{
251 struct sk_buff *skb;
252
253 skb_queue_walk(head, skb) {
254 if (bt_cb(skb)->control.txseq == seq)
255 return skb;
256 }
257
258 return NULL;
259}
260
3c588192
MM		 261/* ---- L2CAP sequence number lists ---- */
262
263/* For ERTM, ordered lists of sequence numbers must be tracked for
264 * SREJ requests that are received and for frames that are to be
265 * retransmitted. These seq_list functions implement a singly-linked
266 * list in an array, where membership in the list can also be checked
267 * in constant time. Items can also be added to the tail of the list
268 * and removed from the head in constant time, without further memory
269 * allocs or frees.
270 */
271
272static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
273{
274 size_t alloc_size, i;
275
276 /* Allocated size is a power of 2 to map sequence numbers
277 * (which may be up to 14 bits) in to a smaller array that is
278 * sized for the negotiated ERTM transmit windows.
279 */
280 alloc_size = roundup_pow_of_two(size);
281
282 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
283 if (!seq_list->list)
284 return -ENOMEM;
285
286 seq_list->mask = alloc_size - 1;
287 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
288 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
289 for (i = 0; i < alloc_size; i++)
290 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
291
292 return 0;
293}
294
295static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
296{
297 kfree(seq_list->list);
298}
299
300static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
301 u16 seq)
302{
303 /* Constant-time check for list membership */
304 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
305}
306
307static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
308{
309 u16 mask = seq_list->mask;
310
311 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
312 /* In case someone tries to pop the head of an empty list */
313 return L2CAP_SEQ_LIST_CLEAR;
314 } else if (seq_list->head == seq) {
315 /* Head can be removed in constant time */
316 seq_list->head = seq_list->list[seq & mask];
317 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
318
319 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
320 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
321 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
322 }
323 } else {
324 /* Walk the list to find the sequence number */
325 u16 prev = seq_list->head;
326 while (seq_list->list[prev & mask] != seq) {
327 prev = seq_list->list[prev & mask];
328 if (prev == L2CAP_SEQ_LIST_TAIL)
329 return L2CAP_SEQ_LIST_CLEAR;
330 }
331
332 /* Unlink the number from the list and clear it */
333 seq_list->list[prev & mask] = seq_list->list[seq & mask];
334 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
335 if (seq_list->tail == seq)
336 seq_list->tail = prev;
337 }
338 return seq;
339}
340
341static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
342{
343 /* Remove the head in constant time */
344 return l2cap_seq_list_remove(seq_list, seq_list->head);
345}
346
347static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
348{
f522ae36 349 u16 i;
3c588192 350
f522ae36
GP		 351 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
352 return;
353
354 for (i = 0; i <= seq_list->mask; i++)
355 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
356
357 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
358 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 359}
360
361static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
362{
363 u16 mask = seq_list->mask;
364
365 /* All appends happen in constant time */
366
f522ae36
GP		 367 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
368 return;
3c588192 369
f522ae36
GP		 370 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
371 seq_list->head = seq;
372 else
373 seq_list->list[seq_list->tail & mask] = seq;
374
375 seq_list->tail = seq;
376 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 377}
378
721c4181 379static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 380{
721c4181
GP		 381 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
382 chan_timer.work);
3df91ea2 383 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 384 int reason;
385
e05dcc32 386 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 387
3df91ea2 388 mutex_lock(&conn->chan_lock);
6be36555 389 l2cap_chan_lock(chan);
ab07801d 390
89bc500e 391 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 392 reason = ECONNREFUSED;
89bc500e 393 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 394 chan->sec_level != BT_SECURITY_SDP)
395 reason = ECONNREFUSED;
396 else
397 reason = ETIMEDOUT;
398
0f852724 399 l2cap_chan_close(chan, reason);
ab07801d 400
6be36555 401 l2cap_chan_unlock(chan);
ab07801d 402
ba3bd0ee 403 chan->ops->close(chan->data);
3df91ea2
AE		 404 mutex_unlock(&conn->chan_lock);
405
371fd835 406 l2cap_chan_put(chan);
ab07801d
GP		 407}
408
eef1d9b6 409struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 410{
411 struct l2cap_chan *chan;
412
413 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
414 if (!chan)
415 return NULL;
416
c03b355e
AE		 417 mutex_init(&chan->lock);
418
333055f2 419 write_lock(&chan_list_lock);
23691d75 420 list_add(&chan->global_l, &chan_list);
333055f2 421 write_unlock(&chan_list_lock);
23691d75 422
721c4181 423 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 424
89bc500e
GP		 425 chan->state = BT_OPEN;
426
71ba0e56
GP		 427 atomic_set(&chan->refcnt, 1);
428
2827011f
MM		 429 /* This flag is cleared in l2cap_chan_ready() */
430 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
431
eef1d9b6 432 BT_DBG("chan %p", chan);
abc545b8 433
48454079
GP		 434 return chan;
435}
436
23691d75 437void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 438{
333055f2 439 write_lock(&chan_list_lock);
23691d75 440 list_del(&chan->global_l);
333055f2 441 write_unlock(&chan_list_lock);
23691d75 442
371fd835 443 l2cap_chan_put(chan);
6ff5abbf
GP		 444}
445
bd4b1653
AE		 446void l2cap_chan_set_defaults(struct l2cap_chan *chan)
447{
448 chan->fcs = L2CAP_FCS_CRC16;
449 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
450 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
451 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
452 chan->sec_level = BT_SECURITY_LOW;
453
454 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
455}
456
14a28491 457static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 458{
af05b30b 459 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 460 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 461
9f5a0d7b 462 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 463
8c1d787b 464 chan->conn = conn;
0139418c 465
5491120e
AE		 466 switch (chan->chan_type) {
467 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 468 if (conn->hcon->type == LE_LINK) {
469 /* LE connection */
0c1bc5c6 470 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 471 chan->scid = L2CAP_CID_LE_DATA;
472 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 473 } else {
474 /* Alloc CID for connection-oriented socket */
fe4128e0 475 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 476 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 477 }
5491120e
AE		 478 break;
479
480 case L2CAP_CHAN_CONN_LESS:
0139418c 481 /* Connectionless socket */
fe4128e0
GP		 482 chan->scid = L2CAP_CID_CONN_LESS;
483 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 484 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 485 break;
486
487 default:
0139418c 488 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 489 chan->scid = L2CAP_CID_SIGNALING;
490 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 491 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 492 }
493
8f7975b1
AE		 494 chan->local_id = L2CAP_BESTEFFORT_ID;
495 chan->local_stype = L2CAP_SERV_BESTEFFORT;
496 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
497 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
498 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
499 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
500
371fd835 501 l2cap_chan_hold(chan);
baa7e1fa 502
3df91ea2 503 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 504}
505
14a28491 506static void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 507{
508 mutex_lock(&conn->chan_lock);
509 __l2cap_chan_add(conn, chan);
3df91ea2 510 mutex_unlock(&conn->chan_lock);
0139418c
MH		 511}
512
4519de9a 513static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 514{
48454079 515 struct sock *sk = chan->sk;
8c1d787b 516 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 517 struct sock *parent = bt_sk(sk)->parent;
518
c9b66675 519 __clear_chan_timer(chan);
0139418c 520
49208c9c 521 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 522
8e87d142 523 if (conn) {
baa7e1fa 524 /* Delete from channel list */
3df91ea2 525 list_del(&chan->list);
3d57dc68 526
371fd835 527 l2cap_chan_put(chan);
baa7e1fa 528
8c1d787b 529 chan->conn = NULL;
0139418c
MH		 530 hci_conn_put(conn->hcon);
531 }
532
6be36555
AE		 533 lock_sock(sk);
534
0e587be7 535 __l2cap_state_change(chan, BT_CLOSED);
0139418c
MH		 536 sock_set_flag(sk, SOCK_ZAPPED);
537
538 if (err)
2e0052e4 539 __l2cap_chan_set_err(chan, err);
0139418c
MH		 540
541 if (parent) {
542 bt_accept_unlink(sk);
543 parent->sk_data_ready(parent, 0);
544 } else
545 sk->sk_state_change(sk);
c13ffa62 546
6be36555
AE		 547 release_sock(sk);
548
2827011f 549 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 550 return;
2ead70b8 551
ee556f66
GP		 552 switch(chan->mode) {
553 case L2CAP_MODE_BASIC:
554 break;
c13ffa62 555
ee556f66 556 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 557 __clear_retrans_timer(chan);
558 __clear_monitor_timer(chan);
559 __clear_ack_timer(chan);
c13ffa62 560
f1c6775b 561 skb_queue_purge(&chan->srej_q);
c13ffa62 562
3c588192
MM		 563 l2cap_seq_list_free(&chan->srej_list);
564 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 565
566 /* fall through */
567
568 case L2CAP_MODE_STREAMING:
569 skb_queue_purge(&chan->tx_q);
570 break;
c13ffa62 571 }
ee556f66
GP		 572
573 return;
0139418c
MH		 574}
575
4519de9a
GP		 576static void l2cap_chan_cleanup_listen(struct sock *parent)
577{
578 struct sock *sk;
579
580 BT_DBG("parent %p", parent);
581
582 /* Close not yet accepted channels */
0f852724 583 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee 584 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
3df91ea2 585
6be36555 586 l2cap_chan_lock(chan);
c9b66675 587 __clear_chan_timer(chan);
ba3bd0ee 588 l2cap_chan_close(chan, ECONNRESET);
6be36555 589 l2cap_chan_unlock(chan);
3df91ea2 590
ba3bd0ee 591 chan->ops->close(chan->data);
0f852724 592 }
4519de9a
GP		 593}
594
0f852724 595void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 596{
597 struct l2cap_conn *conn = chan->conn;
598 struct sock *sk = chan->sk;
599
e05dcc32
AE		 600 BT_DBG("chan %p state %s sk %p", chan,
601 state_to_string(chan->state), sk);
4519de9a 602
89bc500e 603 switch (chan->state) {
4519de9a 604 case BT_LISTEN:
6be36555 605 lock_sock(sk);
4519de9a 606 l2cap_chan_cleanup_listen(sk);
89bc500e 607
0e587be7 608 __l2cap_state_change(chan, BT_CLOSED);
89bc500e 609 sock_set_flag(sk, SOCK_ZAPPED);
6be36555 610 release_sock(sk);
4519de9a
GP		 611 break;
612
613 case BT_CONNECTED:
614 case BT_CONFIG:
715ec005 615 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 616 conn->hcon->type == ACL_LINK) {
c9b66675 617 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 618 l2cap_send_disconn_req(conn, chan, reason);
619 } else
620 l2cap_chan_del(chan, reason);
621 break;
622
623 case BT_CONNECT2:
715ec005 624 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 625 conn->hcon->type == ACL_LINK) {
626 struct l2cap_conn_rsp rsp;
627 __u16 result;
628
c5daa683 629 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 630 result = L2CAP_CR_SEC_BLOCK;
631 else
632 result = L2CAP_CR_BAD_PSM;
89bc500e 633 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 634
635 rsp.scid = cpu_to_le16(chan->dcid);
636 rsp.dcid = cpu_to_le16(chan->scid);
637 rsp.result = cpu_to_le16(result);
638 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
639 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
640 sizeof(rsp), &rsp);
641 }
642
643 l2cap_chan_del(chan, reason);
644 break;
645
646 case BT_CONNECT:
647 case BT_DISCONN:
648 l2cap_chan_del(chan, reason);
649 break;
650
651 default:
6be36555 652 lock_sock(sk);
4519de9a 653 sock_set_flag(sk, SOCK_ZAPPED);
6be36555 654 release_sock(sk);
4519de9a
GP		 655 break;
656 }
657}
658
4343478f 659static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 660{
715ec005 661 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 662 switch (chan->sec_level) {
8556edd3
JH		 663 case BT_SECURITY_HIGH:
664 return HCI_AT_DEDICATED_BONDING_MITM;
665 case BT_SECURITY_MEDIUM:
666 return HCI_AT_DEDICATED_BONDING;
667 default:
668 return HCI_AT_NO_BONDING;
669 }
fe4128e0 670 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 671 if (chan->sec_level == BT_SECURITY_LOW)
672 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 673
4343478f 674 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 675 return HCI_AT_NO_BONDING_MITM;
00ae4af9 676 else
8556edd3 677 return HCI_AT_NO_BONDING;
00ae4af9 678 } else {
4343478f 679 switch (chan->sec_level) {
00ae4af9 680 case BT_SECURITY_HIGH:
8556edd3 681 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 682 case BT_SECURITY_MEDIUM:
8556edd3 683 return HCI_AT_GENERAL_BONDING;
00ae4af9 684 default:
8556edd3 685 return HCI_AT_NO_BONDING;
00ae4af9 686 }
0684e5f9 687 }
8556edd3
JH		 688}
689
690/* Service level security */
d45fc423 691int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 692{
8c1d787b 693 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 694 __u8 auth_type;
695
4343478f 696 auth_type = l2cap_get_auth_type(chan);
79d554a6 697
4343478f 698 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 699}
700
b5ad8b7f 701static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 702{
703 u8 id;
704
705 /* Get next available identificator.
706 * 1 - 128 are used by kernel.
707 * 129 - 199 are reserved.
708 * 200 - 254 are used by utilities like l2ping, etc.
709 */
710
333055f2 711 spin_lock(&conn->lock);
4e8402a3
MH		 712
713 if (++conn->tx_ident > 128)
714 conn->tx_ident = 1;
715
716 id = conn->tx_ident;
717
333055f2 718 spin_unlock(&conn->lock);
4e8402a3
MH		 719
720 return id;
721}
722
4519de9a 723static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 724{
725 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 726 u8 flags;
4e8402a3
MH		 727
728 BT_DBG("code 0x%2.2x", code);
729
730 if (!skb)
9a9c6a34 731 return;
4e8402a3 732
e702112f
AE		 733 if (lmp_no_flush_capable(conn->hcon->hdev))
734 flags = ACL_START_NO_FLUSH;
735 else
736 flags = ACL_START;
737
14b12d0b 738 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 739 skb->priority = HCI_PRIO_MAX;
14b12d0b 740
73d80deb
LAD		 741 hci_send_acl(conn->hchan, skb, flags);
742}
743
744static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
745{
746 struct hci_conn *hcon = chan->conn->hcon;
747 u16 flags;
748
749 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
750 skb->priority);
751
752 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
753 lmp_no_flush_capable(hcon->hdev))
754 flags = ACL_START_NO_FLUSH;
755 else
756 flags = ACL_START;
14b12d0b 757
73d80deb
LAD		 758 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
759 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 760}
761
b76bbd66
MM		 762static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
763{
764 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
765 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
766
767 if (enh & L2CAP_CTRL_FRAME_TYPE) {
768 /* S-Frame */
769 control->sframe = 1;
770 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
771 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
772
773 control->sar = 0;
774 control->txseq = 0;
775 } else {
776 /* I-Frame */
777 control->sframe = 0;
778 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
779 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
780
781 control->poll = 0;
782 control->super = 0;
783 }
784}
785
b76bbd66
MM		 786static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
787{
788 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
789 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
790
791 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
792 /* S-Frame */
793 control->sframe = 1;
794 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
795 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
796
797 control->sar = 0;
798 control->txseq = 0;
799 } else {
800 /* I-Frame */
801 control->sframe = 0;
802 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
803 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
804
805 control->poll = 0;
806 control->super = 0;
807 }
808}
809
810static inline void __unpack_control(struct l2cap_chan *chan,
811 struct sk_buff *skb)
812{
813 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
814 __unpack_extended_control(get_unaligned_le32(skb->data),
815 &bt_cb(skb)->control);
cec8ab6e 816 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 817 } else {
818 __unpack_enhanced_control(get_unaligned_le16(skb->data),
819 &bt_cb(skb)->control);
cec8ab6e 820 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 821 }
822}
823
b5c6aaed
MM		 824static u32 __pack_extended_control(struct l2cap_ctrl *control)
825{
826 u32 packed;
827
828 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
829 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
830
831 if (control->sframe) {
832 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
833 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
834 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
835 } else {
836 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
837 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
838 }
839
840 return packed;
841}
842
843static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
844{
845 u16 packed;
846
847 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
848 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
849
850 if (control->sframe) {
851 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
852 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
853 packed |= L2CAP_CTRL_FRAME_TYPE;
854 } else {
855 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
856 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
857 }
858
859 return packed;
860}
861
b76bbd66
MM		 862static inline void __pack_control(struct l2cap_chan *chan,
863 struct l2cap_ctrl *control,
864 struct sk_buff *skb)
865{
866 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
867 put_unaligned_le32(__pack_extended_control(control),
868 skb->data + L2CAP_HDR_SIZE);
869 } else {
870 put_unaligned_le16(__pack_enhanced_control(control),
871 skb->data + L2CAP_HDR_SIZE);
872 }
873}
874
a67d7f6f
MM		 875static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
876 u32 control)
b5c6aaed
MM		 877{
878 struct sk_buff *skb;
879 struct l2cap_hdr *lh;
a67d7f6f 880 int hlen;
b5c6aaed
MM		 881
882 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
883 hlen = L2CAP_EXT_HDR_SIZE;
884 else
885 hlen = L2CAP_ENH_HDR_SIZE;
886
887 if (chan->fcs == L2CAP_FCS_CRC16)
888 hlen += L2CAP_FCS_SIZE;
889
a67d7f6f 890 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 891
b5c6aaed 892 if (!skb)
a67d7f6f 893 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 894
895 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
896 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
897 lh->cid = cpu_to_le16(chan->dcid);
898
a67d7f6f
MM		 899 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
900 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
901 else
902 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 903
904 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 905 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 906 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
907 }
908
909 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 910 return skb;
911}
912
913static void l2cap_send_sframe(struct l2cap_chan *chan,
914 struct l2cap_ctrl *control)
915{
916 struct sk_buff *skb;
917 u32 control_field;
918
919 BT_DBG("chan %p, control %p", chan, control);
920
921 if (!control->sframe)
922 return;
923
924 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
925 !control->poll)
926 control->final = 1;
927
928 if (control->super == L2CAP_SUPER_RR)
929 clear_bit(CONN_RNR_SENT, &chan->conn_state);
930 else if (control->super == L2CAP_SUPER_RNR)
931 set_bit(CONN_RNR_SENT, &chan->conn_state);
932
933 if (control->super != L2CAP_SUPER_SREJ) {
934 chan->last_acked_seq = control->reqseq;
935 __clear_ack_timer(chan);
936 }
937
938 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
939 control->final, control->poll, control->super);
940
941 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
942 control_field = __pack_extended_control(control);
943 else
944 control_field = __pack_enhanced_control(control);
945
946 skb = l2cap_create_sframe_pdu(chan, control_field);
947 if (!IS_ERR(skb))
948 l2cap_do_send(chan, skb);
b5c6aaed
MM		 949}
950
c9e3d5e0 951static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 952{
c9e3d5e0
MM		 953 struct l2cap_ctrl control;
954
955 BT_DBG("chan %p, poll %d", chan, poll);
956
957 memset(&control, 0, sizeof(control));
958 control.sframe = 1;
959 control.poll = poll;
960
961 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
962 control.super = L2CAP_SUPER_RNR;
963 else
964 control.super = L2CAP_SUPER_RR;
b5c6aaed 965
c9e3d5e0
MM		 966 control.reqseq = chan->buffer_seq;
967 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 968}
969
b4450035 970static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 971{
c1360a1c 972 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 973}
974
9b27f350
AE		 975static void l2cap_send_conn_req(struct l2cap_chan *chan)
976{
977 struct l2cap_conn *conn = chan->conn;
978 struct l2cap_conn_req req;
979
980 req.scid = cpu_to_le16(chan->scid);
981 req.psm = chan->psm;
982
983 chan->ident = l2cap_get_ident(conn);
984
985 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
986
987 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
988}
989
9f0caeb1
VCG		 990static void l2cap_chan_ready(struct l2cap_chan *chan)
991{
992 struct sock *sk = chan->sk;
993 struct sock *parent;
994
995 lock_sock(sk);
996
997 parent = bt_sk(sk)->parent;
998
999 BT_DBG("sk %p, parent %p", sk, parent);
1000
2827011f 1001 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1002 chan->conf_state = 0;
1003 __clear_chan_timer(chan);
1004
1005 __l2cap_state_change(chan, BT_CONNECTED);
1006 sk->sk_state_change(sk);
1007
1008 if (parent)
1009 parent->sk_data_ready(parent, 0);
1010
1011 release_sock(sk);
1012}
1013
fc7f8a7e 1014static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1015{
8c1d787b 1016 struct l2cap_conn *conn = chan->conn;
79d554a6 1017
9f0caeb1
VCG		 1018 if (conn->hcon->type == LE_LINK) {
1019 l2cap_chan_ready(chan);
1020 return;
1021 }
1022
79d554a6 1023 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1024 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1025 return;
1026
d45fc423 1027 if (l2cap_chan_check_security(chan) &&
9b27f350
AE		 1028 __l2cap_no_conn_pending(chan))
1029 l2cap_send_conn_req(chan);
79d554a6
MH		 1030 } else {
1031 struct l2cap_info_req req;
1032 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1033
1034 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1035 conn->info_ident = l2cap_get_ident(conn);
1036
ba13ccd9 1037 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 1038
1039 l2cap_send_cmd(conn, conn->info_ident,
1040 L2CAP_INFO_REQ, sizeof(req), &req);
1041 }
1042}
1043
cf6c2c0b
GP		 1044static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1045{
1046 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1047 if (!disable_ertm)
cf6c2c0b
GP		 1048 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1049
1050 switch (mode) {
1051 case L2CAP_MODE_ERTM:
1052 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1053 case L2CAP_MODE_STREAMING:
1054 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1055 default:
1056 return 0x00;
1057 }
1058}
1059
4519de9a 1060static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 1061{
6be36555 1062 struct sock *sk = chan->sk;
22121fc9
GP		 1063 struct l2cap_disconn_req req;
1064
c13ffa62
GP		 1065 if (!conn)
1066 return;
1067
0c1bc5c6 1068 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 1069 __clear_retrans_timer(chan);
1070 __clear_monitor_timer(chan);
1071 __clear_ack_timer(chan);
c13ffa62
GP		 1072 }
1073
fe4128e0
GP		 1074 req.dcid = cpu_to_le16(chan->dcid);
1075 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 1076 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1077 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 1078
6be36555 1079 lock_sock(sk);
0e587be7 1080 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1081 __l2cap_chan_set_err(chan, err);
6be36555 1082 release_sock(sk);
22121fc9
GP		 1083}
1084
1da177e4 1085/* ---- L2CAP connections ---- */
4e8402a3
MH		 1086static void l2cap_conn_start(struct l2cap_conn *conn)
1087{
3df91ea2 1088 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1089
1090 BT_DBG("conn %p", conn);
1091
3df91ea2 1092 mutex_lock(&conn->chan_lock);
4e8402a3 1093
3df91ea2 1094 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1095 struct sock *sk = chan->sk;
baa7e1fa 1096
6be36555 1097 l2cap_chan_lock(chan);
4e8402a3 1098
715ec005 1099 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1100 l2cap_chan_unlock(chan);
79d554a6
MH		 1101 continue;
1102 }
1103
89bc500e 1104 if (chan->state == BT_CONNECT) {
d45fc423 1105 if (!l2cap_chan_check_security(chan) ||
b4450035 1106 !__l2cap_no_conn_pending(chan)) {
6be36555 1107 l2cap_chan_unlock(chan);
47731de7
GP		 1108 continue;
1109 }
79d554a6 1110
c1360a1c
GP		 1111 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1112 && test_bit(CONF_STATE2_DEVICE,
1113 &chan->conf_state)) {
89bc500e 1114 l2cap_chan_close(chan, ECONNRESET);
6be36555 1115 l2cap_chan_unlock(chan);
47731de7 1116 continue;
b1235d79 1117 }
47731de7 1118
9b27f350 1119 l2cap_send_conn_req(chan);
47731de7 1120
89bc500e 1121 } else if (chan->state == BT_CONNECT2) {
79d554a6 1122 struct l2cap_conn_rsp rsp;
e9aeb2dd 1123 char buf[128];
fe4128e0
GP		 1124 rsp.scid = cpu_to_le16(chan->dcid);
1125 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1126
d45fc423 1127 if (l2cap_chan_check_security(chan)) {
6be36555 1128 lock_sock(sk);
c5daa683
GP		 1129 if (test_bit(BT_SK_DEFER_SETUP,
1130 &bt_sk(sk)->flags)) {
f66dc81f
MH		 1131 struct sock *parent = bt_sk(sk)->parent;
1132 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1133 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 1134 if (parent)
1135 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 1136
1137 } else {
0e587be7 1138 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 1139 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1140 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1141 }
6be36555 1142 release_sock(sk);
79d554a6
MH		 1143 } else {
1144 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1145 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1146 }
1147
fc7f8a7e
GP		 1148 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1149 sizeof(rsp), &rsp);
e9aeb2dd 1150
c1360a1c 1151 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd 1152 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1153 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1154 continue;
1155 }
1156
c1360a1c 1157 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1158 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 1159 l2cap_build_conf_req(chan, buf), buf);
1160 chan->num_conf_req++;
4e8402a3
MH		 1161 }
1162
6be36555 1163 l2cap_chan_unlock(chan);
4e8402a3
MH		 1164 }
1165
3df91ea2 1166 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1167}
1168
c2287681 1169/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1170 * Returns closest match, locked.
1171 */
d9b88702 1172static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1173 bdaddr_t *src,
1174 bdaddr_t *dst)
b62f328b 1175{
23691d75 1176 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1177
23691d75 1178 read_lock(&chan_list_lock);
b62f328b 1179
23691d75
GP		 1180 list_for_each_entry(c, &chan_list, global_l) {
1181 struct sock *sk = c->sk;
fe4128e0 1182
89bc500e 1183 if (state && c->state != state)
b62f328b
VT		 1184 continue;
1185
23691d75 1186 if (c->scid == cid) {
c2287681
IY		 1187 int src_match, dst_match;
1188 int src_any, dst_any;
1189
b62f328b 1190 /* Exact match. */
c2287681
IY		 1191 src_match = !bacmp(&bt_sk(sk)->src, src);
1192 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1193 if (src_match && dst_match) {
23691d75
GP		 1194 read_unlock(&chan_list_lock);
1195 return c;
1196 }
b62f328b
VT		 1197
1198 /* Closest match */
c2287681
IY		 1199 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1200 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1201 if ((src_match && dst_any) || (src_any && dst_match) ||
1202 (src_any && dst_any))
23691d75 1203 c1 = c;
b62f328b
VT		 1204 }
1205 }
280f294f 1206
23691d75 1207 read_unlock(&chan_list_lock);
b62f328b 1208
23691d75 1209 return c1;
b62f328b
VT		 1210}
1211
1212static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1213{
c916fbe4 1214 struct sock *parent, *sk;
23691d75 1215 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1216
1217 BT_DBG("");
1218
1219 /* Check if we have socket listening on cid */
23691d75 1220 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1221 conn->src, conn->dst);
23691d75 1222 if (!pchan)
b62f328b
VT		 1223 return;
1224
23691d75
GP		 1225 parent = pchan->sk;
1226
aa2ac881 1227 lock_sock(parent);
62f3a2cf 1228
b62f328b
VT		 1229 /* Check for backlog size */
1230 if (sk_acceptq_is_full(parent)) {
1231 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1232 goto clean;
1233 }
1234
80808e43
GP		 1235 chan = pchan->ops->new_connection(pchan->data);
1236 if (!chan)
b62f328b
VT		 1237 goto clean;
1238
80808e43 1239 sk = chan->sk;
5d41ce1d 1240
b62f328b
VT		 1241 hci_conn_hold(conn->hcon);
1242
b62f328b
VT		 1243 bacpy(&bt_sk(sk)->src, conn->src);
1244 bacpy(&bt_sk(sk)->dst, conn->dst);
1245
d1010240
GP		 1246 bt_accept_enqueue(parent, sk);
1247
3d57dc68 1248 l2cap_chan_add(conn, chan);
48454079 1249
c9b66675 1250 __set_chan_timer(chan, sk->sk_sndtimeo);
b62f328b 1251
0e587be7 1252 __l2cap_state_change(chan, BT_CONNECTED);
b62f328b
VT		 1253 parent->sk_data_ready(parent, 0);
1254
b62f328b 1255clean:
aa2ac881 1256 release_sock(parent);
b62f328b
VT		 1257}
1258
4e8402a3
MH		 1259static void l2cap_conn_ready(struct l2cap_conn *conn)
1260{
48454079 1261 struct l2cap_chan *chan;
4e8402a3 1262
79d554a6 1263 BT_DBG("conn %p", conn);
4e8402a3 1264
b62f328b
VT		 1265 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
1266 l2cap_le_conn_ready(conn);
1267
160dc6ac
VCG		 1268 if (conn->hcon->out && conn->hcon->type == LE_LINK)
1269 smp_conn_security(conn, conn->hcon->pending_sec_level);
1270
3df91ea2 1271 mutex_lock(&conn->chan_lock);
4e8402a3 1272
3df91ea2 1273 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1274
6be36555 1275 l2cap_chan_lock(chan);
4e8402a3 1276
63128451 1277 if (conn->hcon->type == LE_LINK) {
b501d6a1 1278 if (smp_conn_security(conn, chan->sec_level))
cf4cd009 1279 l2cap_chan_ready(chan);
acd7d370 1280
63128451 1281 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1282 struct sock *sk = chan->sk;
c9b66675 1283 __clear_chan_timer(chan);
6be36555 1284 lock_sock(sk);
0e587be7 1285 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1286 sk->sk_state_change(sk);
6be36555 1287 release_sock(sk);
b501d6a1 1288
89bc500e 1289 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1290 l2cap_do_start(chan);
4e8402a3 1291
6be36555 1292 l2cap_chan_unlock(chan);
4e8402a3 1293 }
79d554a6 1294
3df91ea2 1295 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1296}
1297
1298/* Notify sockets that we cannot guaranty reliability anymore */
1299static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1300{
48454079 1301 struct l2cap_chan *chan;
4e8402a3
MH		 1302
1303 BT_DBG("conn %p", conn);
1304
3df91ea2 1305 mutex_lock(&conn->chan_lock);
4e8402a3 1306
3df91ea2 1307 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1308 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
2e0052e4 1309 __l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1310 }
1311
3df91ea2 1312 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1313}
1314
f878fcad 1315static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1316{
f878fcad 1317 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
030013d8 1318 info_timer.work);
4e8402a3 1319
984947dc 1320 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1321 conn->info_ident = 0;
984947dc 1322
4e8402a3
MH		 1323 l2cap_conn_start(conn);
1324}
1325
5d3de7df
VCG		 1326static void l2cap_conn_del(struct hci_conn *hcon, int err)
1327{
1328 struct l2cap_conn *conn = hcon->l2cap_data;
1329 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1330
1331 if (!conn)
1332 return;
1333
1334 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1335
1336 kfree_skb(conn->rx_skb);
1337
3df91ea2
AE		 1338 mutex_lock(&conn->chan_lock);
1339
5d3de7df
VCG		 1340 /* Kill channels */
1341 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1342 l2cap_chan_hold(chan);
6be36555
AE		 1343 l2cap_chan_lock(chan);
1344
5d3de7df 1345 l2cap_chan_del(chan, err);
6be36555
AE		 1346
1347 l2cap_chan_unlock(chan);
1348
5d3de7df 1349 chan->ops->close(chan->data);
61d6ef3e 1350 l2cap_chan_put(chan);
5d3de7df
VCG		 1351 }
1352
3df91ea2
AE		 1353 mutex_unlock(&conn->chan_lock);
1354
73d80deb
LAD		 1355 hci_chan_del(conn->hchan);
1356
5d3de7df 1357 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1358 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1359
51a8efd7 1360 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1361 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1362 smp_chan_destroy(conn);
d26a2345 1363 }
5d3de7df
VCG		 1364
1365 hcon->l2cap_data = NULL;
1366 kfree(conn);
1367}
1368
6c9d42a1 1369static void security_timeout(struct work_struct *work)
5d3de7df 1370{
6c9d42a1
GP		 1371 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1372 security_timer.work);
5d3de7df
VCG		 1373
1374 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1375}
1376
1da177e4
LT		 1377static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1378{
0139418c 1379 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1380 struct hci_chan *hchan;
1da177e4 1381
0139418c 1382 if (conn || status)
1da177e4
LT		 1383 return conn;
1384
73d80deb
LAD		 1385 hchan = hci_chan_create(hcon);
1386 if (!hchan)
1387 return NULL;
1388
0139418c 1389 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
73d80deb
LAD		 1390 if (!conn) {
1391 hci_chan_del(hchan);
1da177e4 1392 return NULL;
73d80deb 1393 }
1da177e4
LT		 1394
1395 hcon->l2cap_data = conn;
1396 conn->hcon = hcon;
73d80deb 1397 conn->hchan = hchan;
1da177e4 1398
73d80deb 1399 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1400
acd7d370
VT		 1401 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1402 conn->mtu = hcon->hdev->le_mtu;
1403 else
1404 conn->mtu = hcon->hdev->acl_mtu;
1405
1da177e4
LT		 1406 conn->src = &hcon->hdev->bdaddr;
1407 conn->dst = &hcon->dst;
1408
4e8402a3
MH		 1409 conn->feat_mask = 0;
1410
1da177e4 1411 spin_lock_init(&conn->lock);
3df91ea2 1412 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1413
1414 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1415
5d3de7df 1416 if (hcon->type == LE_LINK)
6c9d42a1 1417 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1418 else
030013d8 1419 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1420
9f5a0d7b 1421 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1422
1da177e4
LT		 1423 return conn;
1424}
1425
1da177e4 1426/* ---- Socket interface ---- */
1da177e4 1427
c2287681 1428/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1429 * Returns closest match.
1430 */
c2287681
IY		 1431static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1432 bdaddr_t *src,
1433 bdaddr_t *dst)
1da177e4 1434{
23691d75 1435 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1436
23691d75 1437 read_lock(&chan_list_lock);
e0f0cb56 1438
23691d75
GP		 1439 list_for_each_entry(c, &chan_list, global_l) {
1440 struct sock *sk = c->sk;
fe4128e0 1441
89bc500e 1442 if (state && c->state != state)
1da177e4
LT		 1443 continue;
1444
23691d75 1445 if (c->psm == psm) {
c2287681
IY		 1446 int src_match, dst_match;
1447 int src_any, dst_any;
1448
1da177e4 1449 /* Exact match. */
c2287681
IY		 1450 src_match = !bacmp(&bt_sk(sk)->src, src);
1451 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1452 if (src_match && dst_match) {
a7567b20 1453 read_unlock(&chan_list_lock);
23691d75
GP		 1454 return c;
1455 }
1da177e4
LT		 1456
1457 /* Closest match */
c2287681
IY		 1458 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1459 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1460 if ((src_match && dst_any) || (src_any && dst_match) ||
1461 (src_any && dst_any))
23691d75 1462 c1 = c;
1da177e4
LT		 1463 }
1464 }
1da177e4 1465
23691d75 1466 read_unlock(&chan_list_lock);
e0f0cb56 1467
23691d75 1468 return c1;
1da177e4
LT		 1469}
1470
8e9f9892
AG		 1471int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1472 bdaddr_t *dst, u8 dst_type)
1da177e4 1473{
5d41ce1d 1474 struct sock *sk = chan->sk;
1da177e4 1475 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1476 struct l2cap_conn *conn;
1477 struct hci_conn *hcon;
1478 struct hci_dev *hdev;
09ab6f4c 1479 __u8 auth_type;
44d0e48e 1480 int err;
1da177e4 1481
8e9f9892
AG		 1482 BT_DBG("%s -> %s (type %u) psm 0x%2.2x", batostr(src), batostr(dst),
1483 dst_type, __le16_to_cpu(chan->psm));
1da177e4 1484
af05b30b
GP		 1485 hdev = hci_get_route(dst, src);
1486 if (!hdev)
1da177e4
LT		 1487 return -EHOSTUNREACH;
1488
09fd0de5 1489 hci_dev_lock(hdev);
1da177e4 1490
6be36555 1491 l2cap_chan_lock(chan);
03a00194
GP		 1492
1493 /* PSM must be odd and lsb of upper byte must be 0 */
1494 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1495 chan->chan_type != L2CAP_CHAN_RAW) {
1496 err = -EINVAL;
1497 goto done;
1498 }
1499
1500 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1501 err = -EINVAL;
1502 goto done;
1503 }
1504
1505 switch (chan->mode) {
1506 case L2CAP_MODE_BASIC:
1507 break;
1508 case L2CAP_MODE_ERTM:
1509 case L2CAP_MODE_STREAMING:
1510 if (!disable_ertm)
1511 break;
1512 /* fall through */
1513 default:
1514 err = -ENOTSUPP;
1515 goto done;
1516 }
1517
6be36555
AE		 1518 lock_sock(sk);
1519
03a00194
GP		 1520 switch (sk->sk_state) {
1521 case BT_CONNECT:
1522 case BT_CONNECT2:
1523 case BT_CONFIG:
1524 /* Already connecting */
1525 err = 0;
6be36555 1526 release_sock(sk);
03a00194
GP		 1527 goto done;
1528
1529 case BT_CONNECTED:
1530 /* Already connected */
1531 err = -EISCONN;
6be36555 1532 release_sock(sk);
03a00194
GP		 1533 goto done;
1534
1535 case BT_OPEN:
1536 case BT_BOUND:
1537 /* Can connect */
1538 break;
1539
1540 default:
1541 err = -EBADFD;
6be36555 1542 release_sock(sk);
03a00194
GP		 1543 goto done;
1544 }
1545
1546 /* Set destination address and psm */
9219b2a0 1547 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1548
1549 release_sock(sk);
1550
03a00194
GP		 1551 chan->psm = psm;
1552 chan->dcid = cid;
1da177e4 1553
4343478f 1554 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1555
fe4128e0 1556 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1557 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1558 chan->sec_level, auth_type);
acd7d370 1559 else
8e9f9892 1560 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1561 chan->sec_level, auth_type);
acd7d370 1562
30e76272
VT		 1563 if (IS_ERR(hcon)) {
1564 err = PTR_ERR(hcon);
1da177e4 1565 goto done;
30e76272 1566 }
1da177e4
LT		 1567
1568 conn = l2cap_conn_add(hcon, 0);
1569 if (!conn) {
1570 hci_conn_put(hcon);
30e76272 1571 err = -ENOMEM;
1da177e4
LT		 1572 goto done;
1573 }
1574
9f0caeb1
VCG		 1575 if (hcon->type == LE_LINK) {
1576 err = 0;
1577
1578 if (!list_empty(&conn->chan_l)) {
1579 err = -EBUSY;
1580 hci_conn_put(hcon);
1581 }
1582
1583 if (err)
1584 goto done;
1585 }
1586
1da177e4
LT		 1587 /* Update source addr of the socket */
1588 bacpy(src, conn->src);
1589
6be36555 1590 l2cap_chan_unlock(chan);
48454079 1591 l2cap_chan_add(conn, chan);
6be36555 1592 l2cap_chan_lock(chan);
48454079 1593
6be36555 1594 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1595 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1596
1597 if (hcon->state == BT_CONNECTED) {
715ec005 1598 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1599 __clear_chan_timer(chan);
d45fc423 1600 if (l2cap_chan_check_security(chan))
6be36555 1601 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1602 } else
fc7f8a7e 1603 l2cap_do_start(chan);
1da177e4
LT		 1604 }
1605
30e76272
VT		 1606 err = 0;
1607
1da177e4 1608done:
6be36555 1609 l2cap_chan_unlock(chan);
09fd0de5 1610 hci_dev_unlock(hdev);
1da177e4
LT		 1611 hci_dev_put(hdev);
1612 return err;
1613}
1614
dcba0dba 1615int __l2cap_wait_ack(struct sock *sk)
6161c038 1616{
8c1d787b 1617 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1618 DECLARE_WAITQUEUE(wait, current);
1619 int err = 0;
1620 int timeo = HZ/5;
1621
2b0b05dd 1622 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1623 set_current_state(TASK_INTERRUPTIBLE);
1624 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1625 if (!timeo)
1626 timeo = HZ/5;
1627
1628 if (signal_pending(current)) {
1629 err = sock_intr_errno(timeo);
1630 break;
1631 }
1632
1633 release_sock(sk);
1634 timeo = schedule_timeout(timeo);
1635 lock_sock(sk);
a71a0cf4 1636 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1637
1638 err = sock_error(sk);
1639 if (err)
1640 break;
1641 }
1642 set_current_state(TASK_RUNNING);
2b0b05dd 1643 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1644 return err;
1645}
1646
721c4181 1647static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1648{
721c4181 1649 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1650 monitor_timer.work);
e90bac06 1651
525cd185 1652 BT_DBG("chan %p", chan);
0e98958d 1653
6be36555
AE		 1654 l2cap_chan_lock(chan);
1655
80909e04 1656 if (!chan->conn) {
6be36555 1657 l2cap_chan_unlock(chan);
8d7e1c7f 1658 l2cap_chan_put(chan);
e90bac06
GP		 1659 return;
1660 }
1661
401bb1f7 1662 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1663
6be36555 1664 l2cap_chan_unlock(chan);
8d7e1c7f 1665 l2cap_chan_put(chan);
e90bac06
GP		 1666}
1667
721c4181 1668static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1669{
721c4181 1670 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1671 retrans_timer.work);
e90bac06 1672
49208c9c 1673 BT_DBG("chan %p", chan);
0e98958d 1674
6be36555
AE		 1675 l2cap_chan_lock(chan);
1676
80909e04
MM		 1677 if (!chan->conn) {
1678 l2cap_chan_unlock(chan);
1679 l2cap_chan_put(chan);
1680 return;
1681 }
6be36555 1682
401bb1f7 1683 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1684 l2cap_chan_unlock(chan);
8d7e1c7f 1685 l2cap_chan_put(chan);
e90bac06
GP		 1686}
1687
3733937d
MM		 1688static int l2cap_streaming_send(struct l2cap_chan *chan,
1689 struct sk_buff_head *skbs)
6840ed07 1690{
ccbb84af 1691 struct sk_buff *skb;
3733937d 1692 struct l2cap_ctrl *control;
6840ed07 1693
3733937d
MM		 1694 BT_DBG("chan %p, skbs %p", chan, skbs);
1695
3733937d
MM		 1696 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1697
1698 while (!skb_queue_empty(&chan->tx_q)) {
1699
1700 skb = skb_dequeue(&chan->tx_q);
1701
1702 bt_cb(skb)->control.retries = 1;
1703 control = &bt_cb(skb)->control;
1704
1705 control->reqseq = 0;
1706 control->txseq = chan->next_tx_seq;
1707
1708 __pack_control(chan, control, skb);
6840ed07 1709
47d1ec61 1710 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1711 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1712 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1713 }
1714
4343478f 1715 l2cap_do_send(chan, skb);
6840ed07 1716
3733937d
MM		 1717 BT_DBG("Sent txseq %d", (int)control->txseq);
1718
836be934 1719 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1720 chan->frames_sent++;
6840ed07 1721 }
3733937d
MM		 1722
1723 return 0;
6840ed07
GP		 1724}
1725
67c9e840 1726static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1727{
1728 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1729 struct l2cap_ctrl *control;
1730 int sent = 0;
1731
1732 BT_DBG("chan %p", chan);
1c2acffb 1733
89bc500e 1734 if (chan->state != BT_CONNECTED)
c13ffa62 1735 return -ENOTCONN;
e90bac06 1736
94122bbe
MM		 1737 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1738 return 0;
1739
18a48e76
MM		 1740 while (chan->tx_send_head &&
1741 chan->unacked_frames < chan->remote_tx_win &&
1742 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1743
18a48e76 1744 skb = chan->tx_send_head;
e90bac06 1745
18a48e76
MM		 1746 bt_cb(skb)->control.retries = 1;
1747 control = &bt_cb(skb)->control;
95ffa978 1748
e2ab4353 1749 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1750 control->final = 1;
e2ab4353 1751
18a48e76
MM		 1752 control->reqseq = chan->buffer_seq;
1753 chan->last_acked_seq = chan->buffer_seq;
1754 control->txseq = chan->next_tx_seq;
1c2acffb 1755
18a48e76 1756 __pack_control(chan, control, skb);
e90bac06 1757
47d1ec61 1758 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1759 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1760 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1761 }
1762
18a48e76
MM		 1763 /* Clone after data has been modified. Data is assumed to be
1764 read-only (for locking purposes) on cloned sk_buffs.
1765 */
1766 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1767
18a48e76
MM		 1768 if (!tx_skb)
1769 break;
1c2acffb 1770
18a48e76 1771 __set_retrans_timer(chan);
836be934
AE		 1772
1773 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1774 chan->unacked_frames++;
6a026610 1775 chan->frames_sent++;
18a48e76 1776 sent++;
1c2acffb 1777
58d35f87
GP		 1778 if (skb_queue_is_last(&chan->tx_q, skb))
1779 chan->tx_send_head = NULL;
1c2acffb 1780 else
58d35f87 1781 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1782
1783 l2cap_do_send(chan, tx_skb);
1784 BT_DBG("Sent txseq %d", (int)control->txseq);
1c2acffb
GP		 1785 }
1786
18a48e76
MM		 1787 BT_DBG("Sent %d, %d unacked, %d in ERTM queue", sent,
1788 (int) chan->unacked_frames, skb_queue_len(&chan->tx_q));
1789
1790 return sent;
9e917af1
GP		 1791}
1792
e1fbd4c1
MM		 1793static void l2cap_ertm_resend(struct l2cap_chan *chan)
1794{
1795 struct l2cap_ctrl control;
1796 struct sk_buff *skb;
1797 struct sk_buff *tx_skb;
1798 u16 seq;
1799
1800 BT_DBG("chan %p", chan);
1801
1802 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1803 return;
1804
1805 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1806 seq = l2cap_seq_list_pop(&chan->retrans_list);
1807
1808 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1809 if (!skb) {
1810 BT_DBG("Error: Can't retransmit seq %d, frame missing",
1811 seq);
1812 continue;
1813 }
1814
1815 bt_cb(skb)->control.retries++;
1816 control = bt_cb(skb)->control;
1817
1818 if (chan->max_tx != 0 &&
1819 bt_cb(skb)->control.retries > chan->max_tx) {
1820 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1821 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
1822 l2cap_seq_list_clear(&chan->retrans_list);
1823 break;
1824 }
1825
1826 control.reqseq = chan->buffer_seq;
1827 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1828 control.final = 1;
1829 else
1830 control.final = 0;
1831
1832 if (skb_cloned(skb)) {
1833 /* Cloned sk_buffs are read-only, so we need a
1834 * writeable copy
1835 */
1836 tx_skb = skb_copy(skb, GFP_ATOMIC);
1837 } else {
1838 tx_skb = skb_clone(skb, GFP_ATOMIC);
1839 }
1840
1841 if (!tx_skb) {
1842 l2cap_seq_list_clear(&chan->retrans_list);
1843 break;
1844 }
1845
1846 /* Update skb contents */
1847 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1848 put_unaligned_le32(__pack_extended_control(&control),
1849 tx_skb->data + L2CAP_HDR_SIZE);
1850 } else {
1851 put_unaligned_le16(__pack_enhanced_control(&control),
1852 tx_skb->data + L2CAP_HDR_SIZE);
1853 }
1854
1855 if (chan->fcs == L2CAP_FCS_CRC16) {
1856 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
1857 put_unaligned_le16(fcs, skb_put(tx_skb,
1858 L2CAP_FCS_SIZE));
1859 }
1860
1861 l2cap_do_send(chan, tx_skb);
1862
1863 BT_DBG("Resent txseq %d", control.txseq);
1864
1865 chan->last_acked_seq = chan->buffer_seq;
1866 }
1867}
1868
f80842a8
MM		 1869static void l2cap_retransmit(struct l2cap_chan *chan,
1870 struct l2cap_ctrl *control)
1871{
1872 BT_DBG("chan %p, control %p", chan, control);
1873
1874 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
1875 l2cap_ertm_resend(chan);
1876}
1877
d2a7ac5d
MM		 1878static void l2cap_retransmit_all(struct l2cap_chan *chan,
1879 struct l2cap_ctrl *control)
1880{
e1fbd4c1
MM		 1881 struct sk_buff *skb;
1882
1883 BT_DBG("chan %p, control %p", chan, control);
1884
1885 if (control->poll)
1886 set_bit(CONN_SEND_FBIT, &chan->conn_state);
1887
1888 l2cap_seq_list_clear(&chan->retrans_list);
1889
1890 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1891 return;
1892
1893 if (chan->unacked_frames) {
1894 skb_queue_walk(&chan->tx_q, skb) {
1895 if (bt_cb(skb)->control.txseq == control->reqseq ||
1896 skb == chan->tx_send_head)
1897 break;
1898 }
1899
1900 skb_queue_walk_from(&chan->tx_q, skb) {
1901 if (skb == chan->tx_send_head)
1902 break;
1903
1904 l2cap_seq_list_append(&chan->retrans_list,
1905 bt_cb(skb)->control.txseq);
1906 }
1907
1908 l2cap_ertm_resend(chan);
1909 }
d2a7ac5d
MM		 1910}
1911
0a0aba42 1912static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1913{
0a0aba42
MM		 1914 struct l2cap_ctrl control;
1915 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
1916 chan->last_acked_seq);
1917 int threshold;
9e917af1 1918
0a0aba42
MM		 1919 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
1920 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 1921
0a0aba42
MM		 1922 memset(&control, 0, sizeof(control));
1923 control.sframe = 1;
dfc909be 1924
0a0aba42
MM		 1925 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
1926 chan->rx_state == L2CAP_RX_STATE_RECV) {
1927 __clear_ack_timer(chan);
1928 control.super = L2CAP_SUPER_RNR;
1929 control.reqseq = chan->buffer_seq;
1930 l2cap_send_sframe(chan, &control);
1931 } else {
1932 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
1933 l2cap_ertm_send(chan);
1934 /* If any i-frames were sent, they included an ack */
1935 if (chan->buffer_seq == chan->last_acked_seq)
1936 frames_to_ack = 0;
1937 }
dfc909be 1938
0a0aba42
MM		 1939 /* Ack now if the tx window is 3/4ths full.
1940 * Calculate without mul or div
1941 */
1942 threshold = chan->tx_win;
1943 threshold += threshold << 1;
1944 threshold >>= 2;
1945
1946 BT_DBG("frames_to_ack %d, threshold %d", (int)frames_to_ack,
1947 threshold);
1948
1949 if (frames_to_ack >= threshold) {
1950 __clear_ack_timer(chan);
1951 control.super = L2CAP_SUPER_RR;
1952 control.reqseq = chan->buffer_seq;
1953 l2cap_send_sframe(chan, &control);
1954 frames_to_ack = 0;
1955 }
1c2acffb 1956
0a0aba42
MM		 1957 if (frames_to_ack)
1958 __set_ack_timer(chan);
1959 }
b17e73bb
SJ		 1960}
1961
04124681
GP		 1962static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
1963 struct msghdr *msg, int len,
1964 int count, struct sk_buff *skb)
1c2acffb 1965{
0952a57a 1966 struct l2cap_conn *conn = chan->conn;
1c2acffb 1967 struct sk_buff **frag;
90338947 1968 int sent = 0;
1da177e4 1969
59203a21 1970 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1971 return -EFAULT;
1da177e4
LT		 1972
1973 sent += count;
1974 len -= count;
1975
1976 /* Continuation fragments (no L2CAP header) */
1977 frag = &skb_shinfo(skb)->frag_list;
1978 while (len) {
fbe00700
GP		 1979 struct sk_buff *tmp;
1980
1da177e4
LT		 1981 count = min_t(unsigned int, conn->mtu, len);
1982
fbe00700
GP		 1983 tmp = chan->ops->alloc_skb(chan, count,
1984 msg->msg_flags & MSG_DONTWAIT);
1985 if (IS_ERR(tmp))
1986 return PTR_ERR(tmp);
1987
1988 *frag = tmp;
2f7719ce 1989
1c2acffb
GP		 1990 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1991 return -EFAULT;
1da177e4 1992
5e59b791
LAD		 1993 (*frag)->priority = skb->priority;
1994
1da177e4
LT		 1995 sent += count;
1996 len -= count;
1997
2d0ed3d5
GP		 1998 skb->len += (*frag)->len;
1999 skb->data_len += (*frag)->len;
2000
1da177e4
LT		 2001 frag = &(*frag)->next;
2002 }
1da177e4
LT		 2003
2004 return sent;
1c2acffb 2005}
1da177e4 2006
5e59b791
LAD		 2007static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
2008 struct msghdr *msg, size_t len,
2009 u32 priority)
1c2acffb 2010{
8c1d787b 2011 struct l2cap_conn *conn = chan->conn;
1c2acffb 2012 struct sk_buff *skb;
03a51213 2013 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2014 struct l2cap_hdr *lh;
2015
6d5922b0 2016 BT_DBG("chan %p len %d priority %u", chan, (int)len, priority);
1c2acffb
GP		 2017
2018 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2019
2020 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2021 msg->msg_flags & MSG_DONTWAIT);
2022 if (IS_ERR(skb))
2023 return skb;
1c2acffb 2024
5e59b791
LAD		 2025 skb->priority = priority;
2026
1c2acffb
GP		 2027 /* Create L2CAP header */
2028 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2029 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 2030 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2031 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2032
0952a57a 2033 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2034 if (unlikely(err < 0)) {
2035 kfree_skb(skb);
2036 return ERR_PTR(err);
2037 }
2038 return skb;
2039}
2040
5e59b791
LAD		 2041static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
2042 struct msghdr *msg, size_t len,
2043 u32 priority)
1c2acffb 2044{
8c1d787b 2045 struct l2cap_conn *conn = chan->conn;
1c2acffb 2046 struct sk_buff *skb;
f2ba7fae 2047 int err, count;
1c2acffb
GP		 2048 struct l2cap_hdr *lh;
2049
6d5922b0 2050 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 2051
f2ba7fae 2052 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2053
f2ba7fae 2054 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 2055 msg->msg_flags & MSG_DONTWAIT);
2056 if (IS_ERR(skb))
2057 return skb;
1c2acffb 2058
5e59b791
LAD		 2059 skb->priority = priority;
2060
1c2acffb
GP		 2061 /* Create L2CAP header */
2062 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2063 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2064 lh->len = cpu_to_le16(len);
1c2acffb 2065
0952a57a 2066 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2067 if (unlikely(err < 0)) {
2068 kfree_skb(skb);
2069 return ERR_PTR(err);
2070 }
2071 return skb;
2072}
2073
ab0ff76d
LAD		 2074static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2075 struct msghdr *msg, size_t len,
94122bbe 2076 u16 sdulen)
1c2acffb 2077{
8c1d787b 2078 struct l2cap_conn *conn = chan->conn;
1c2acffb 2079 struct sk_buff *skb;
e4ca6d98 2080 int err, count, hlen;
1c2acffb
GP		 2081 struct l2cap_hdr *lh;
2082
6d5922b0 2083 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 2084
0ee0d208
GP		 2085 if (!conn)
2086 return ERR_PTR(-ENOTCONN);
2087
e4ca6d98
AE		 2088 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2089 hlen = L2CAP_EXT_HDR_SIZE;
2090 else
2091 hlen = L2CAP_ENH_HDR_SIZE;
2092
c74e560c 2093 if (sdulen)
03a51213 2094 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2095
47d1ec61 2096 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2097 hlen += L2CAP_FCS_SIZE;
fcc203c3 2098
1c2acffb 2099 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2100
2101 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2102 msg->msg_flags & MSG_DONTWAIT);
2103 if (IS_ERR(skb))
2104 return skb;
1c2acffb
GP		 2105
2106 /* Create L2CAP header */
2107 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2108 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2109 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2110
18a48e76
MM		 2111 /* Control header is populated later */
2112 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2113 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2114 else
2115 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2116
c74e560c 2117 if (sdulen)
03a51213 2118 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2119
0952a57a 2120 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2121 if (unlikely(err < 0)) {
2122 kfree_skb(skb);
2123 return ERR_PTR(err);
2124 }
e90bac06 2125
18a48e76 2126 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2127 bt_cb(skb)->control.retries = 0;
1c2acffb 2128 return skb;
1da177e4
LT		 2129}
2130
94122bbe
MM		 2131static int l2cap_segment_sdu(struct l2cap_chan *chan,
2132 struct sk_buff_head *seg_queue,
2133 struct msghdr *msg, size_t len)
c74e560c 2134{
c74e560c 2135 struct sk_buff *skb;
94122bbe
MM		 2136 u16 sdu_len;
2137 size_t pdu_len;
2138 int err = 0;
2139 u8 sar;
c74e560c 2140
94122bbe 2141 BT_DBG("chan %p, msg %p, len %d", chan, msg, (int)len);
c74e560c 2142
94122bbe
MM		 2143 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2144 * so fragmented skbs are not used. The HCI layer's handling
2145 * of fragmented skbs is not compatible with ERTM's queueing.
2146 */
c74e560c 2147
94122bbe
MM		 2148 /* PDU size is derived from the HCI MTU */
2149 pdu_len = chan->conn->mtu;
c74e560c 2150
94122bbe
MM		 2151 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2152
2153 /* Adjust for largest possible L2CAP overhead. */
2154 pdu_len -= L2CAP_EXT_HDR_SIZE + L2CAP_FCS_SIZE;
2155
2156 /* Remote device may have requested smaller PDUs */
2157 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2158
2159 if (len <= pdu_len) {
2160 sar = L2CAP_SAR_UNSEGMENTED;
2161 sdu_len = 0;
2162 pdu_len = len;
2163 } else {
2164 sar = L2CAP_SAR_START;
2165 sdu_len = len;
2166 pdu_len -= L2CAP_SDULEN_SIZE;
2167 }
2168
2169 while (len > 0) {
2170 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2171
c74e560c 2172 if (IS_ERR(skb)) {
94122bbe 2173 __skb_queue_purge(seg_queue);
c74e560c
GP		 2174 return PTR_ERR(skb);
2175 }
2176
94122bbe
MM		 2177 bt_cb(skb)->control.sar = sar;
2178 __skb_queue_tail(seg_queue, skb);
2179
2180 len -= pdu_len;
2181 if (sdu_len) {
2182 sdu_len = 0;
2183 pdu_len += L2CAP_SDULEN_SIZE;
2184 }
2185
2186 if (len <= pdu_len) {
2187 sar = L2CAP_SAR_END;
2188 pdu_len = len;
2189 } else {
2190 sar = L2CAP_SAR_CONTINUE;
2191 }
c74e560c 2192 }
c74e560c 2193
94122bbe 2194 return err;
c74e560c
GP		 2195}
2196
5e59b791
LAD		 2197int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2198 u32 priority)
9a91a04a 2199{
9a91a04a 2200 struct sk_buff *skb;
9a91a04a 2201 int err;
94122bbe 2202 struct sk_buff_head seg_queue;
9a91a04a
GP		 2203
2204 /* Connectionless channel */
715ec005 2205 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2206 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2207 if (IS_ERR(skb))
2208 return PTR_ERR(skb);
2209
2210 l2cap_do_send(chan, skb);
2211 return len;
2212 }
2213
2214 switch (chan->mode) {
2215 case L2CAP_MODE_BASIC:
2216 /* Check outgoing MTU */
2217 if (len > chan->omtu)
2218 return -EMSGSIZE;
2219
2220 /* Create a basic PDU */
5e59b791 2221 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2222 if (IS_ERR(skb))
2223 return PTR_ERR(skb);
2224
2225 l2cap_do_send(chan, skb);
2226 err = len;
2227 break;
2228
2229 case L2CAP_MODE_ERTM:
2230 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2231 /* Check outgoing MTU */
2232 if (len > chan->omtu) {
2233 err = -EMSGSIZE;
2234 break;
2235 }
9a91a04a 2236
94122bbe 2237 __skb_queue_head_init(&seg_queue);
9a91a04a 2238
94122bbe
MM		 2239 /* Do segmentation before calling in to the state machine,
2240 * since it's possible to block while waiting for memory
2241 * allocation.
2242 */
2243 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2244
94122bbe
MM		 2245 /* The channel could have been closed while segmenting,
2246 * check that it is still connected.
2247 */
2248 if (chan->state != BT_CONNECTED) {
2249 __skb_queue_purge(&seg_queue);
2250 err = -ENOTCONN;
9a91a04a
GP		 2251 }
2252
94122bbe 2253 if (err)
9a91a04a 2254 break;
9a91a04a 2255
3733937d 2256 if (chan->mode == L2CAP_MODE_ERTM)
401bb1f7 2257 err = l2cap_tx(chan, NULL, &seg_queue,
608bcc6d 2258 L2CAP_EV_DATA_REQUEST);
3733937d
MM		 2259 else
2260 err = l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2261
608bcc6d 2262 if (!err)
9a91a04a
GP		 2263 err = len;
2264
94122bbe
MM		 2265 /* If the skbs were not queued for sending, they'll still be in
2266 * seg_queue and need to be purged.
2267 */
2268 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2269 break;
2270
2271 default:
2272 BT_DBG("bad state %1.1x", chan->mode);
2273 err = -EBADFD;
2274 }
2275
2276 return err;
2277}
2278
d2a7ac5d
MM		 2279static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2280{
bed68bde
MM		 2281 struct l2cap_ctrl control;
2282 u16 seq;
2283
2284 BT_DBG("chan %p, txseq %d", chan, txseq);
2285
2286 memset(&control, 0, sizeof(control));
2287 control.sframe = 1;
2288 control.super = L2CAP_SUPER_SREJ;
2289
2290 for (seq = chan->expected_tx_seq; seq != txseq;
2291 seq = __next_seq(chan, seq)) {
2292 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2293 control.reqseq = seq;
2294 l2cap_send_sframe(chan, &control);
2295 l2cap_seq_list_append(&chan->srej_list, seq);
2296 }
2297 }
2298
2299 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2300}
2301
2302static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2303{
bed68bde
MM		 2304 struct l2cap_ctrl control;
2305
2306 BT_DBG("chan %p", chan);
2307
2308 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2309 return;
2310
2311 memset(&control, 0, sizeof(control));
2312 control.sframe = 1;
2313 control.super = L2CAP_SUPER_SREJ;
2314 control.reqseq = chan->srej_list.tail;
2315 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2316}
2317
2318static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2319{
bed68bde
MM		 2320 struct l2cap_ctrl control;
2321 u16 initial_head;
2322 u16 seq;
2323
2324 BT_DBG("chan %p, txseq %d", chan, txseq);
2325
2326 memset(&control, 0, sizeof(control));
2327 control.sframe = 1;
2328 control.super = L2CAP_SUPER_SREJ;
2329
2330 /* Capture initial list head to allow only one pass through the list. */
2331 initial_head = chan->srej_list.head;
2332
2333 do {
2334 seq = l2cap_seq_list_pop(&chan->srej_list);
2335 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2336 break;
2337
2338 control.reqseq = seq;
2339 l2cap_send_sframe(chan, &control);
2340 l2cap_seq_list_append(&chan->srej_list, seq);
2341 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2342}
2343
608bcc6d
MM		 2344static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2345{
2346 struct sk_buff *acked_skb;
2347 u16 ackseq;
2348
2349 BT_DBG("chan %p, reqseq %d", chan, reqseq);
2350
2351 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2352 return;
2353
2354 BT_DBG("expected_ack_seq %d, unacked_frames %d",
2355 chan->expected_ack_seq, chan->unacked_frames);
2356
2357 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2358 ackseq = __next_seq(chan, ackseq)) {
2359
2360 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2361 if (acked_skb) {
2362 skb_unlink(acked_skb, &chan->tx_q);
2363 kfree_skb(acked_skb);
2364 chan->unacked_frames--;
2365 }
2366 }
2367
2368 chan->expected_ack_seq = reqseq;
2369
2370 if (chan->unacked_frames == 0)
2371 __clear_retrans_timer(chan);
2372
2373 BT_DBG("unacked_frames %d", (int) chan->unacked_frames);
2374}
2375
2376static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2377{
2378 BT_DBG("chan %p", chan);
2379
2380 chan->expected_tx_seq = chan->buffer_seq;
2381 l2cap_seq_list_clear(&chan->srej_list);
2382 skb_queue_purge(&chan->srej_q);
2383 chan->rx_state = L2CAP_RX_STATE_RECV;
2384}
2385
2386static int l2cap_tx_state_xmit(struct l2cap_chan *chan,
2387 struct l2cap_ctrl *control,
2388 struct sk_buff_head *skbs, u8 event)
2389{
2390 int err = 0;
2391
2392 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2393 event);
2394
2395 switch (event) {
2396 case L2CAP_EV_DATA_REQUEST:
2397 if (chan->tx_send_head == NULL)
2398 chan->tx_send_head = skb_peek(skbs);
2399
2400 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2401 l2cap_ertm_send(chan);
2402 break;
2403 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2404 BT_DBG("Enter LOCAL_BUSY");
2405 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2406
2407 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2408 /* The SREJ_SENT state must be aborted if we are to
2409 * enter the LOCAL_BUSY state.
2410 */
2411 l2cap_abort_rx_srej_sent(chan);
2412 }
2413
2414 l2cap_send_ack(chan);
2415
2416 break;
2417 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2418 BT_DBG("Exit LOCAL_BUSY");
2419 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2420
2421 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2422 struct l2cap_ctrl local_control;
2423
2424 memset(&local_control, 0, sizeof(local_control));
2425 local_control.sframe = 1;
2426 local_control.super = L2CAP_SUPER_RR;
2427 local_control.poll = 1;
2428 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2429 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2430
2431 chan->retry_count = 1;
2432 __set_monitor_timer(chan);
2433 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2434 }
2435 break;
2436 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2437 l2cap_process_reqseq(chan, control->reqseq);
2438 break;
2439 case L2CAP_EV_EXPLICIT_POLL:
2440 l2cap_send_rr_or_rnr(chan, 1);
2441 chan->retry_count = 1;
2442 __set_monitor_timer(chan);
2443 __clear_ack_timer(chan);
2444 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2445 break;
2446 case L2CAP_EV_RETRANS_TO:
2447 l2cap_send_rr_or_rnr(chan, 1);
2448 chan->retry_count = 1;
2449 __set_monitor_timer(chan);
2450 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2451 break;
2452 case L2CAP_EV_RECV_FBIT:
2453 /* Nothing to process */
2454 break;
2455 default:
2456 break;
2457 }
2458
2459 return err;
2460}
2461
2462static int l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2463 struct l2cap_ctrl *control,
2464 struct sk_buff_head *skbs, u8 event)
2465{
2466 int err = 0;
2467
2468 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2469 event);
2470
2471 switch (event) {
2472 case L2CAP_EV_DATA_REQUEST:
2473 if (chan->tx_send_head == NULL)
2474 chan->tx_send_head = skb_peek(skbs);
2475 /* Queue data, but don't send. */
2476 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2477 break;
2478 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2479 BT_DBG("Enter LOCAL_BUSY");
2480 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2481
2482 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2483 /* The SREJ_SENT state must be aborted if we are to
2484 * enter the LOCAL_BUSY state.
2485 */
2486 l2cap_abort_rx_srej_sent(chan);
2487 }
2488
2489 l2cap_send_ack(chan);
2490
2491 break;
2492 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2493 BT_DBG("Exit LOCAL_BUSY");
2494 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2495
2496 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2497 struct l2cap_ctrl local_control;
2498 memset(&local_control, 0, sizeof(local_control));
2499 local_control.sframe = 1;
2500 local_control.super = L2CAP_SUPER_RR;
2501 local_control.poll = 1;
2502 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2503 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2504
2505 chan->retry_count = 1;
2506 __set_monitor_timer(chan);
2507 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2508 }
2509 break;
2510 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2511 l2cap_process_reqseq(chan, control->reqseq);
2512
2513 /* Fall through */
2514
2515 case L2CAP_EV_RECV_FBIT:
2516 if (control && control->final) {
2517 __clear_monitor_timer(chan);
2518 if (chan->unacked_frames > 0)
2519 __set_retrans_timer(chan);
2520 chan->retry_count = 0;
2521 chan->tx_state = L2CAP_TX_STATE_XMIT;
2522 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2523 }
2524 break;
2525 case L2CAP_EV_EXPLICIT_POLL:
2526 /* Ignore */
2527 break;
2528 case L2CAP_EV_MONITOR_TO:
2529 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2530 l2cap_send_rr_or_rnr(chan, 1);
2531 __set_monitor_timer(chan);
2532 chan->retry_count++;
2533 } else {
2534 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
2535 }
2536 break;
2537 default:
2538 break;
2539 }
2540
2541 return err;
2542}
2543
2544static int l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2545 struct sk_buff_head *skbs, u8 event)
2546{
2547 int err = 0;
2548
2549 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2550 chan, control, skbs, event, chan->tx_state);
2551
2552 switch (chan->tx_state) {
2553 case L2CAP_TX_STATE_XMIT:
2554 err = l2cap_tx_state_xmit(chan, control, skbs, event);
2555 break;
2556 case L2CAP_TX_STATE_WAIT_F:
2557 err = l2cap_tx_state_wait_f(chan, control, skbs, event);
2558 break;
2559 default:
2560 /* Ignore event */
2561 break;
2562 }
2563
2564 return err;
2565}
2566
4b51dae9
MM		 2567static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2568 struct l2cap_ctrl *control)
2569{
2570 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2571 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2572}
2573
f80842a8
MM		 2574static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2575 struct l2cap_ctrl *control)
2576{
2577 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2578 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2579}
2580
1da177e4
LT		 2581/* Copy frame to all raw sockets on that connection */
2582static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2583{
1da177e4 2584 struct sk_buff *nskb;
48454079 2585 struct l2cap_chan *chan;
1da177e4
LT		 2586
2587 BT_DBG("conn %p", conn);
2588
3df91ea2 2589 mutex_lock(&conn->chan_lock);
3d57dc68 2590
3df91ea2 2591 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2592 struct sock *sk = chan->sk;
715ec005 2593 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2594 continue;
2595
2596 /* Don't send frame to the socket it came from */
2597 if (skb->sk == sk)
2598 continue;
af05b30b
GP		 2599 nskb = skb_clone(skb, GFP_ATOMIC);
2600 if (!nskb)
1da177e4
LT		 2601 continue;
2602
23070494 2603 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT		 2604 kfree_skb(nskb);
2605 }
3d57dc68 2606
3df91ea2 2607 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2608}
2609
2610/* ---- L2CAP signalling commands ---- */
2611static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2612 u8 code, u8 ident, u16 dlen, void *data)
2613{
2614 struct sk_buff *skb, **frag;
2615 struct l2cap_cmd_hdr *cmd;
2616 struct l2cap_hdr *lh;
2617 int len, count;
2618
af05b30b
GP		 2619 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2620 conn, code, ident, dlen);
1da177e4
LT		 2621
2622 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2623 count = min_t(unsigned int, conn->mtu, len);
2624
2625 skb = bt_skb_alloc(count, GFP_ATOMIC);
2626 if (!skb)
2627 return NULL;
2628
2629 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2630 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2631
2632 if (conn->hcon->type == LE_LINK)
2633 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2634 else
2635 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2636
2637 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2638 cmd->code = code;
2639 cmd->ident = ident;
aca3192c 2640 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2641
2642 if (dlen) {
2643 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2644 memcpy(skb_put(skb, count), data, count);
2645 data += count;
2646 }
2647
2648 len -= skb->len;
2649
2650 /* Continuation fragments (no L2CAP header) */
2651 frag = &skb_shinfo(skb)->frag_list;
2652 while (len) {
2653 count = min_t(unsigned int, conn->mtu, len);
2654
2655 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2656 if (!*frag)
2657 goto fail;
2658
2659 memcpy(skb_put(*frag, count), data, count);
2660
2661 len -= count;
2662 data += count;
2663
2664 frag = &(*frag)->next;
2665 }
2666
2667 return skb;
2668
2669fail:
2670 kfree_skb(skb);
2671 return NULL;
2672}
2673
2674static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2675{
2676 struct l2cap_conf_opt *opt = *ptr;
2677 int len;
2678
2679 len = L2CAP_CONF_OPT_SIZE + opt->len;
2680 *ptr += len;
2681
2682 *type = opt->type;
2683 *olen = opt->len;
2684
2685 switch (opt->len) {
2686 case 1:
2687 *val = *((u8 *) opt->val);
2688 break;
2689
2690 case 2:
bfaaeb3e 2691 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2692 break;
2693
2694 case 4:
bfaaeb3e 2695 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2696 break;
2697
2698 default:
2699 *val = (unsigned long) opt->val;
2700 break;
2701 }
2702
2703 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2704 return len;
2705}
2706
1da177e4
LT		 2707static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2708{
2709 struct l2cap_conf_opt *opt = *ptr;
2710
2711 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2712
2713 opt->type = type;
2714 opt->len = len;
2715
2716 switch (len) {
2717 case 1:
2718 *((u8 *) opt->val) = val;
2719 break;
2720
2721 case 2:
4f8b691c 2722 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2723 break;
2724
2725 case 4:
4f8b691c 2726 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2727 break;
2728
2729 default:
2730 memcpy(opt->val, (void *) val, len);
2731 break;
2732 }
2733
2734 *ptr += L2CAP_CONF_OPT_SIZE + len;
2735}
2736
f89cef09
AE		 2737static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2738{
2739 struct l2cap_conf_efs efs;
2740
1ec918ce 2741 switch (chan->mode) {
f89cef09
AE		 2742 case L2CAP_MODE_ERTM:
2743 efs.id = chan->local_id;
2744 efs.stype = chan->local_stype;
2745 efs.msdu = cpu_to_le16(chan->local_msdu);
2746 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2747 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2748 efs.flush_to = cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
2749 break;
2750
2751 case L2CAP_MODE_STREAMING:
2752 efs.id = 1;
2753 efs.stype = L2CAP_SERV_BESTEFFORT;
2754 efs.msdu = cpu_to_le16(chan->local_msdu);
2755 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2756 efs.acc_lat = 0;
2757 efs.flush_to = 0;
2758 break;
2759
2760 default:
2761 return;
2762 }
2763
2764 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
2765 (unsigned long) &efs);
2766}
2767
721c4181 2768static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2769{
721c4181 2770 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 2771 ack_timer.work);
2772 u16 frames_to_ack;
c1b4f43b 2773
2fb9b3d4
GP		 2774 BT_DBG("chan %p", chan);
2775
6be36555
AE		 2776 l2cap_chan_lock(chan);
2777
0362520b
MM		 2778 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2779 chan->last_acked_seq);
6be36555 2780
0362520b
MM		 2781 if (frames_to_ack)
2782 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 2783
0362520b 2784 l2cap_chan_unlock(chan);
09bfb2ee 2785 l2cap_chan_put(chan);
c1b4f43b
GP		 2786}
2787
3c588192 2788static inline int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2789{
3c588192
MM		 2790 int err;
2791
105bdf9e
MM		 2792 chan->next_tx_seq = 0;
2793 chan->expected_tx_seq = 0;
42e5c802 2794 chan->expected_ack_seq = 0;
6a026610 2795 chan->unacked_frames = 0;
42e5c802 2796 chan->buffer_seq = 0;
6a026610 2797 chan->frames_sent = 0;
105bdf9e
MM		 2798 chan->last_acked_seq = 0;
2799 chan->sdu = NULL;
2800 chan->sdu_last_frag = NULL;
2801 chan->sdu_len = 0;
2802
d34c34fb
MM		 2803 skb_queue_head_init(&chan->tx_q);
2804
105bdf9e
MM		 2805 if (chan->mode != L2CAP_MODE_ERTM)
2806 return 0;
2807
2808 chan->rx_state = L2CAP_RX_STATE_RECV;
2809 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2810
721c4181
GP		 2811 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2812 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2813 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2814
f1c6775b 2815 skb_queue_head_init(&chan->srej_q);
1890d36b 2816
3c588192
MM		 2817 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2818 if (err < 0)
2819 return err;
2820
9dc9affc
MM		 2821 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
2822 if (err < 0)
2823 l2cap_seq_list_free(&chan->srej_list);
2824
2825 return err;
0565c1c2
GP		 2826}
2827
f2fcfcd6
GP		 2828static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2829{
2830 switch (mode) {
2831 case L2CAP_MODE_STREAMING:
2832 case L2CAP_MODE_ERTM:
2833 if (l2cap_mode_supported(mode, remote_feat_mask))
2834 return mode;
2835 /* fall through */
2836 default:
2837 return L2CAP_MODE_BASIC;
2838 }
2839}
2840
6327eb98
AE		 2841static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2842{
2843 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2844}
2845
f89cef09
AE		 2846static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2847{
2848 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2849}
2850
6327eb98
AE		 2851static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2852{
2853 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 2854 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2855 /* use extended control field */
2856 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2857 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2858 } else {
6327eb98
AE		 2859 chan->tx_win = min_t(u16, chan->tx_win,
2860 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2861 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2862 }
6327eb98
AE		 2863}
2864
710f9b0a 2865static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2866{
1da177e4 2867 struct l2cap_conf_req *req = data;
0c1bc5c6 2868 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2869 void *ptr = req->data;
c8f79162 2870 u16 size;
1da177e4 2871
49208c9c 2872 BT_DBG("chan %p", chan);
1da177e4 2873
73ffa904 2874 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2875 goto done;
2876
0c1bc5c6 2877 switch (chan->mode) {
f2fcfcd6
GP		 2878 case L2CAP_MODE_STREAMING:
2879 case L2CAP_MODE_ERTM:
c1360a1c 2880 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2881 break;
85eb53c6 2882
f89cef09
AE		 2883 if (__l2cap_efs_supported(chan))
2884 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2885
2ba13ed6 2886 /* fall through */
f2fcfcd6 2887 default:
8c1d787b 2888 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2889 break;
2890 }
2891
2892done:
0c1bc5c6
GP		 2893 if (chan->imtu != L2CAP_DEFAULT_MTU)
2894 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2895
0c1bc5c6 2896 switch (chan->mode) {
65c7c491 2897 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2898 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2899 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2900 break;
2901
62547752
GP		 2902 rfc.mode = L2CAP_MODE_BASIC;
2903 rfc.txwin_size = 0;
2904 rfc.max_transmit = 0;
2905 rfc.retrans_timeout = 0;
2906 rfc.monitor_timeout = 0;
2907 rfc.max_pdu_size = 0;
2908
63406504
GP		 2909 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2910 (unsigned long) &rfc);
65c7c491
MH		 2911 break;
2912
2913 case L2CAP_MODE_ERTM:
2914 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2915 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2916 rfc.retrans_timeout = 0;
2917 rfc.monitor_timeout = 0;
c8f79162
AE		 2918
2919 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2920 L2CAP_EXT_HDR_SIZE -
2921 L2CAP_SDULEN_SIZE -
2922 L2CAP_FCS_SIZE);
2923 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2924
6327eb98
AE		 2925 l2cap_txwin_setup(chan);
2926
2927 rfc.txwin_size = min_t(u16, chan->tx_win,
2928 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2929
63406504
GP		 2930 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2931 (unsigned long) &rfc);
2932
f89cef09
AE		 2933 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2934 l2cap_add_opt_efs(&ptr, chan);
2935
8c1d787b 2936 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2937 break;
2938
47d1ec61 2939 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2940 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2941 chan->fcs = L2CAP_FCS_NONE;
2942 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2943 }
6327eb98
AE		 2944
2945 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2946 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2947 chan->tx_win);
f2fcfcd6
GP		 2948 break;
2949
2950 case L2CAP_MODE_STREAMING:
273759e2 2951 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 2952 rfc.mode = L2CAP_MODE_STREAMING;
2953 rfc.txwin_size = 0;
2954 rfc.max_transmit = 0;
2955 rfc.retrans_timeout = 0;
2956 rfc.monitor_timeout = 0;
c8f79162
AE		 2957
2958 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2959 L2CAP_EXT_HDR_SIZE -
2960 L2CAP_SDULEN_SIZE -
2961 L2CAP_FCS_SIZE);
2962 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2963
63406504
GP		 2964 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2965 (unsigned long) &rfc);
2966
f89cef09
AE		 2967 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2968 l2cap_add_opt_efs(&ptr, chan);
2969
8c1d787b 2970 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2971 break;
2972
47d1ec61 2973 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2974 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2975 chan->fcs = L2CAP_FCS_NONE;
2976 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2977 }
65c7c491
MH		 2978 break;
2979 }
1da177e4 2980
fe4128e0 2981 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 2982 req->flags = cpu_to_le16(0);
1da177e4
LT		 2983
2984 return ptr - data;
2985}
2986
73ffa904 2987static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2988{
5dee9e7c
MH		 2989 struct l2cap_conf_rsp *rsp = data;
2990 void *ptr = rsp->data;
73ffa904
GP		 2991 void *req = chan->conf_req;
2992 int len = chan->conf_len;
5dee9e7c
MH		 2993 int type, hint, olen;
2994 unsigned long val;
6464f35f 2995 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2996 struct l2cap_conf_efs efs;
2997 u8 remote_efs = 0;
861d6882 2998 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2999 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3000 u16 size;
1da177e4 3001
73ffa904 3002 BT_DBG("chan %p", chan);
820ae1b8 3003
5dee9e7c
MH		 3004 while (len >= L2CAP_CONF_OPT_SIZE) {
3005 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3006
589d2746 3007 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3008 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3009
3010 switch (type) {
3011 case L2CAP_CONF_MTU:
861d6882 3012 mtu = val;
5dee9e7c
MH		 3013 break;
3014
3015 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3016 chan->flush_to = val;
5dee9e7c
MH		 3017 break;
3018
3019 case L2CAP_CONF_QOS:
3020 break;
3021
6464f35f
MH		 3022 case L2CAP_CONF_RFC:
3023 if (olen == sizeof(rfc))
3024 memcpy(&rfc, (void *) val, olen);
3025 break;
3026
fcc203c3
GP		 3027 case L2CAP_CONF_FCS:
3028 if (val == L2CAP_FCS_NONE)
c1360a1c 3029 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 3030 break;
fcc203c3 3031
42dceae2
AE		 3032 case L2CAP_CONF_EFS:
3033 remote_efs = 1;
3034 if (olen == sizeof(efs))
3035 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3036 break;
3037
6327eb98
AE		 3038 case L2CAP_CONF_EWS:
3039 if (!enable_hs)
3040 return -ECONNREFUSED;
fcc203c3 3041
6327eb98
AE		 3042 set_bit(FLAG_EXT_CTRL, &chan->flags);
3043 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3044 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3045 chan->remote_tx_win = val;
fcc203c3
GP		 3046 break;
3047
5dee9e7c
MH		 3048 default:
3049 if (hint)
3050 break;
3051
3052 result = L2CAP_CONF_UNKNOWN;
3053 *((u8 *) ptr++) = type;
3054 break;
3055 }
3056 }
3057
73ffa904 3058 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3059 goto done;
3060
0c1bc5c6 3061 switch (chan->mode) {
f2fcfcd6
GP		 3062 case L2CAP_MODE_STREAMING:
3063 case L2CAP_MODE_ERTM:
c1360a1c 3064 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3065 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 3066 chan->conn->feat_mask);
85eb53c6
GP		 3067 break;
3068 }
3069
42dceae2
AE		 3070 if (remote_efs) {
3071 if (__l2cap_efs_supported(chan))
3072 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3073 else
3074 return -ECONNREFUSED;
3075 }
3076
0c1bc5c6 3077 if (chan->mode != rfc.mode)
f2fcfcd6 3078 return -ECONNREFUSED;
742e519b 3079
f2fcfcd6 3080 break;
f2fcfcd6
GP		 3081 }
3082
3083done:
0c1bc5c6 3084 if (chan->mode != rfc.mode) {
f2fcfcd6 3085 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3086 rfc.mode = chan->mode;
f2fcfcd6 3087
73ffa904 3088 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3089 return -ECONNREFUSED;
3090
3091 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3092 sizeof(rfc), (unsigned long) &rfc);
3093 }
3094
5dee9e7c
MH		 3095 if (result == L2CAP_CONF_SUCCESS) {
3096 /* Configure output options and let the other side know
3097 * which ones we don't like. */
3098
f2fcfcd6
GP		 3099 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3100 result = L2CAP_CONF_UNACCEPT;
3101 else {
0c1bc5c6 3102 chan->omtu = mtu;
c1360a1c 3103 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3104 }
0c1bc5c6 3105 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3106
42dceae2
AE		 3107 if (remote_efs) {
3108 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3109 efs.stype != L2CAP_SERV_NOTRAFIC &&
3110 efs.stype != chan->local_stype) {
3111
3112 result = L2CAP_CONF_UNACCEPT;
3113
3114 if (chan->num_conf_req >= 1)
3115 return -ECONNREFUSED;
3116
3117 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 3118 sizeof(efs),
42dceae2 3119 (unsigned long) &efs);
0e8b207e 3120 } else {
3e6b3b95 3121 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3122 result = L2CAP_CONF_PENDING;
3123 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3124 }
3125 }
3126
f2fcfcd6
GP		 3127 switch (rfc.mode) {
3128 case L2CAP_MODE_BASIC:
47d1ec61 3129 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3130 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3131 break;
3132
3133 case L2CAP_MODE_ERTM:
6327eb98
AE		 3134 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3135 chan->remote_tx_win = rfc.txwin_size;
3136 else
3137 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3138
2c03a7a4 3139 chan->remote_max_tx = rfc.max_transmit;
1c762159 3140
c8f79162
AE		 3141 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3142 chan->conn->mtu -
3143 L2CAP_EXT_HDR_SIZE -
3144 L2CAP_SDULEN_SIZE -
3145 L2CAP_FCS_SIZE);
3146 rfc.max_pdu_size = cpu_to_le16(size);
3147 chan->remote_mps = size;
f2fcfcd6 3148
10467e9e 3149 rfc.retrans_timeout =
4fd21a88 3150 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
10467e9e 3151 rfc.monitor_timeout =
4fd21a88 3152 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 3153
c1360a1c 3154 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3155
3156 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3157 sizeof(rfc), (unsigned long) &rfc);
3158
42dceae2
AE		 3159 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3160 chan->remote_id = efs.id;
3161 chan->remote_stype = efs.stype;
3162 chan->remote_msdu = le16_to_cpu(efs.msdu);
3163 chan->remote_flush_to =
3164 le32_to_cpu(efs.flush_to);
3165 chan->remote_acc_lat =
3166 le32_to_cpu(efs.acc_lat);
3167 chan->remote_sdu_itime =
3168 le32_to_cpu(efs.sdu_itime);
3169 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3170 sizeof(efs), (unsigned long) &efs);
3171 }
f2fcfcd6
GP		 3172 break;
3173
3174 case L2CAP_MODE_STREAMING:
c8f79162
AE		 3175 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3176 chan->conn->mtu -
3177 L2CAP_EXT_HDR_SIZE -
3178 L2CAP_SDULEN_SIZE -
3179 L2CAP_FCS_SIZE);
3180 rfc.max_pdu_size = cpu_to_le16(size);
3181 chan->remote_mps = size;
f2fcfcd6 3182
c1360a1c 3183 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3184
3185 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3186 sizeof(rfc), (unsigned long) &rfc);
3187
f2fcfcd6
GP		 3188 break;
3189
3190 default:
5dee9e7c 3191 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3192
6464f35f 3193 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3194 rfc.mode = chan->mode;
f2fcfcd6 3195 }
6464f35f 3196
f2fcfcd6 3197 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3198 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3199 }
fe4128e0 3200 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 3201 rsp->result = cpu_to_le16(result);
3202 rsp->flags = cpu_to_le16(0x0000);
3203
3204 return ptr - data;
1da177e4
LT		 3205}
3206
b4450035 3207static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 3208{
f2fcfcd6
GP		 3209 struct l2cap_conf_req *req = data;
3210 void *ptr = req->data;
3211 int type, olen;
3212 unsigned long val;
36e999a8 3213 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3214 struct l2cap_conf_efs efs;
f2fcfcd6 3215
fe4128e0 3216 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3217
3218 while (len >= L2CAP_CONF_OPT_SIZE) {
3219 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3220
3221 switch (type) {
3222 case L2CAP_CONF_MTU:
3223 if (val < L2CAP_DEFAULT_MIN_MTU) {
3224 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3225 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3226 } else
0c1bc5c6
GP		 3227 chan->imtu = val;
3228 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3229 break;
3230
3231 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3232 chan->flush_to = val;
f2fcfcd6 3233 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 3234 2, chan->flush_to);
f2fcfcd6
GP		 3235 break;
3236
3237 case L2CAP_CONF_RFC:
3238 if (olen == sizeof(rfc))
3239 memcpy(&rfc, (void *)val, olen);
3240
c1360a1c 3241 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 3242 rfc.mode != chan->mode)
f2fcfcd6
GP		 3243 return -ECONNREFUSED;
3244
47d1ec61 3245 chan->fcs = 0;
f2fcfcd6
GP		 3246
3247 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3248 sizeof(rfc), (unsigned long) &rfc);
3249 break;
6327eb98
AE		 3250
3251 case L2CAP_CONF_EWS:
3252 chan->tx_win = min_t(u16, val,
3253 L2CAP_DEFAULT_EXT_WINDOW);
3e6b3b95
GP		 3254 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3255 chan->tx_win);
6327eb98 3256 break;
66af7aaf
AE		 3257
3258 case L2CAP_CONF_EFS:
3259 if (olen == sizeof(efs))
3260 memcpy(&efs, (void *)val, olen);
3261
3262 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3263 efs.stype != L2CAP_SERV_NOTRAFIC &&
3264 efs.stype != chan->local_stype)
3265 return -ECONNREFUSED;
3266
3267 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3268 sizeof(efs), (unsigned long) &efs);
3269 break;
f2fcfcd6
GP		 3270 }
3271 }
3272
0c1bc5c6 3273 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3274 return -ECONNREFUSED;
3275
0c1bc5c6 3276 chan->mode = rfc.mode;
6c2ea7a8 3277
0e8b207e 3278 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3279 switch (rfc.mode) {
3280 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3281 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3282 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3283 chan->mps = le16_to_cpu(rfc.max_pdu_size);
66af7aaf
AE		 3284
3285 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3286 chan->local_msdu = le16_to_cpu(efs.msdu);
3287 chan->local_sdu_itime =
3288 le32_to_cpu(efs.sdu_itime);
3289 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3290 chan->local_flush_to =
3291 le32_to_cpu(efs.flush_to);
3292 }
f2fcfcd6 3293 break;
66af7aaf 3294
f2fcfcd6 3295 case L2CAP_MODE_STREAMING:
47d1ec61 3296 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3297 }
3298 }
3299
fe4128e0 3300 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 3301 req->flags = cpu_to_le16(0x0000);
3302
3303 return ptr - data;
3304}
3305
fe4128e0 3306static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 3307{
3308 struct l2cap_conf_rsp *rsp = data;
3309 void *ptr = rsp->data;
1da177e4 3310
fe4128e0 3311 BT_DBG("chan %p", chan);
1da177e4 3312
fe4128e0 3313 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3314 rsp->result = cpu_to_le16(result);
aca3192c 3315 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3316
3317 return ptr - data;
3318}
3319
8c1d787b 3320void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3321{
3322 struct l2cap_conn_rsp rsp;
8c1d787b 3323 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 3324 u8 buf[128];
3325
fe4128e0
GP		 3326 rsp.scid = cpu_to_le16(chan->dcid);
3327 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 3328 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3329 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3330 l2cap_send_cmd(conn, chan->ident,
3331 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
3332
c1360a1c 3333 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3334 return;
3335
710f9b0a
GP		 3336 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3337 l2cap_build_conf_req(chan, buf), buf);
3338 chan->num_conf_req++;
3339}
3340
47d1ec61 3341static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3342{
7b1c0049
GP		 3343 int type, olen;
3344 unsigned long val;
3345 struct l2cap_conf_rfc rfc;
3346
47d1ec61 3347 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3348
0c1bc5c6 3349 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3350 return;
3351
3352 while (len >= L2CAP_CONF_OPT_SIZE) {
3353 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3354
3355 switch (type) {
3356 case L2CAP_CONF_RFC:
3357 if (olen == sizeof(rfc))
3358 memcpy(&rfc, (void *)val, olen);
3359 goto done;
3360 }
3361 }
3362
36e999a8
MM		 3363 /* Use sane default values in case a misbehaving remote device
3364 * did not send an RFC option.
3365 */
3366 rfc.mode = chan->mode;
3367 rfc.retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3368 rfc.monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3369 rfc.max_pdu_size = cpu_to_le16(chan->imtu);
3370
3371 BT_ERR("Expected RFC option was not found, using defaults");
3372
7b1c0049
GP		 3373done:
3374 switch (rfc.mode) {
3375 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3376 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3377 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3378 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3379 break;
3380 case L2CAP_MODE_STREAMING:
47d1ec61 3381 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3382 }
3383}
3384
4e8402a3
MH		 3385static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3386{
e2fd318e 3387 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3388
e2fd318e 3389 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3390 return 0;
3391
3392 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3393 cmd->ident == conn->info_ident) {
17cd3f37 3394 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3395
3396 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3397 conn->info_ident = 0;
984947dc 3398
4e8402a3
MH		 3399 l2cap_conn_start(conn);
3400 }
3401
3402 return 0;
3403}
3404
1da177e4
LT		 3405static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3406{
1da177e4
LT		 3407 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3408 struct l2cap_conn_rsp rsp;
23691d75 3409 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3410 struct sock *parent, *sk = NULL;
e7c29cb1 3411 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3412
3413 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3414 __le16 psm = req->psm;
1da177e4 3415
097db76c 3416 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3417
3418 /* Check if we have socket listening on psm */
c2287681 3419 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3420 if (!pchan) {
1da177e4
LT		 3421 result = L2CAP_CR_BAD_PSM;
3422 goto sendresp;
3423 }
3424
23691d75
GP		 3425 parent = pchan->sk;
3426
3df91ea2 3427 mutex_lock(&conn->chan_lock);
aa2ac881 3428 lock_sock(parent);
e0f0cb56 3429
e7c29cb1
MH		 3430 /* Check if the ACL is secure enough (if not SDP) */
3431 if (psm != cpu_to_le16(0x0001) &&
3432 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3433 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3434 result = L2CAP_CR_SEC_BLOCK;
3435 goto response;
3436 }
3437
1da177e4
LT		 3438 result = L2CAP_CR_NO_MEM;
3439
3440 /* Check for backlog size */
3441 if (sk_acceptq_is_full(parent)) {
8e87d142 3442 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 3443 goto response;
3444 }
3445
80808e43
GP		 3446 chan = pchan->ops->new_connection(pchan->data);
3447 if (!chan)
1da177e4
LT		 3448 goto response;
3449
80808e43
GP		 3450 sk = chan->sk;
3451
1da177e4 3452 /* Check if we already have channel with that dcid */
baa7e1fa 3453 if (__l2cap_get_chan_by_dcid(conn, scid)) {
1da177e4 3454 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 3455 chan->ops->close(chan->data);
1da177e4
LT		 3456 goto response;
3457 }
3458
3459 hci_conn_hold(conn->hcon);
3460
1da177e4
LT		 3461 bacpy(&bt_sk(sk)->src, conn->src);
3462 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3463 chan->psm = psm;
3464 chan->dcid = scid;
1da177e4 3465
d1010240
GP		 3466 bt_accept_enqueue(parent, sk);
3467
6be36555 3468 __l2cap_chan_add(conn, chan);
48454079 3469
fe4128e0 3470 dcid = chan->scid;
1da177e4 3471
c9b66675 3472 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3473
fc7f8a7e 3474 chan->ident = cmd->ident;
1da177e4 3475
984947dc 3476 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3477 if (l2cap_chan_check_security(chan)) {
c5daa683 3478 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3479 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3480 result = L2CAP_CR_PEND;
3481 status = L2CAP_CS_AUTHOR_PEND;
3482 parent->sk_data_ready(parent, 0);
3483 } else {
0e587be7 3484 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 3485 result = L2CAP_CR_SUCCESS;
3486 status = L2CAP_CS_NO_INFO;
3487 }
79d554a6 3488 } else {
0e587be7 3489 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3490 result = L2CAP_CR_PEND;
3491 status = L2CAP_CS_AUTHEN_PEND;
3492 }
3493 } else {
0e587be7 3494 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3495 result = L2CAP_CR_PEND;
3496 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3497 }
3498
1da177e4 3499response:
aa2ac881 3500 release_sock(parent);
3df91ea2 3501 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3502
3503sendresp:
aca3192c
YH		 3504 rsp.scid = cpu_to_le16(scid);
3505 rsp.dcid = cpu_to_le16(dcid);
3506 rsp.result = cpu_to_le16(result);
3507 rsp.status = cpu_to_le16(status);
1da177e4 3508 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 3509
3510 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3511 struct l2cap_info_req info;
3512 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3513
3514 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3515 conn->info_ident = l2cap_get_ident(conn);
3516
ba13ccd9 3517 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 3518
3519 l2cap_send_cmd(conn, conn->info_ident,
3520 L2CAP_INFO_REQ, sizeof(info), &info);
3521 }
3522
c1360a1c 3523 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 3524 result == L2CAP_CR_SUCCESS) {
3525 u8 buf[128];
c1360a1c 3526 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3527 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3528 l2cap_build_conf_req(chan, buf), buf);
3529 chan->num_conf_req++;
e9aeb2dd
GP		 3530 }
3531
1da177e4
LT		 3532 return 0;
3533}
3534
3535static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3536{
3537 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3538 u16 scid, dcid, result, status;
48454079 3539 struct l2cap_chan *chan;
1da177e4 3540 u8 req[128];
3df91ea2 3541 int err;
1da177e4
LT		 3542
3543 scid = __le16_to_cpu(rsp->scid);
3544 dcid = __le16_to_cpu(rsp->dcid);
3545 result = __le16_to_cpu(rsp->result);
3546 status = __le16_to_cpu(rsp->status);
3547
1b009c98
AE		 3548 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3549 dcid, scid, result, status);
1da177e4 3550
3df91ea2
AE		 3551 mutex_lock(&conn->chan_lock);
3552
1da177e4 3553 if (scid) {
3df91ea2
AE		 3554 chan = __l2cap_get_chan_by_scid(conn, scid);
3555 if (!chan) {
3556 err = -EFAULT;
3557 goto unlock;
3558 }
1da177e4 3559 } else {
3df91ea2
AE		 3560 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3561 if (!chan) {
3562 err = -EFAULT;
3563 goto unlock;
3564 }
1da177e4
LT		 3565 }
3566
3df91ea2
AE		 3567 err = 0;
3568
6be36555 3569 l2cap_chan_lock(chan);
48454079 3570
1da177e4
LT		 3571 switch (result) {
3572 case L2CAP_CR_SUCCESS:
89bc500e 3573 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3574 chan->ident = 0;
fe4128e0 3575 chan->dcid = dcid;
c1360a1c 3576 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3577
c1360a1c 3578 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3579 break;
3580
1da177e4 3581 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3582 l2cap_build_conf_req(chan, req), req);
3583 chan->num_conf_req++;
1da177e4
LT		 3584 break;
3585
3586 case L2CAP_CR_PEND:
c1360a1c 3587 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3588 break;
3589
3590 default:
48454079 3591 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3592 break;
3593 }
3594
6be36555 3595 l2cap_chan_unlock(chan);
3df91ea2
AE		 3596
3597unlock:
3598 mutex_unlock(&conn->chan_lock);
3599
3600 return err;
1da177e4
LT		 3601}
3602
47d1ec61 3603static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3604{
3605 /* FCS is enabled only in ERTM or streaming mode, if one or both
3606 * sides request it.
3607 */
0c1bc5c6 3608 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3609 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3610 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3611 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3612}
3613
88219a0f 3614static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 3615{
3616 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3617 u16 dcid, flags;
3618 u8 rsp[64];
48454079 3619 struct l2cap_chan *chan;
3c588192 3620 int len, err = 0;
1da177e4
LT		 3621
3622 dcid = __le16_to_cpu(req->dcid);
3623 flags = __le16_to_cpu(req->flags);
3624
3625 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3626
baa7e1fa 3627 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3628 if (!chan)
1da177e4
LT		 3629 return -ENOENT;
3630
033b1142 3631 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3632 struct l2cap_cmd_rej_cid rej;
3633
3634 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
3635 rej.scid = cpu_to_le16(chan->scid);
3636 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3637
df6bd743
GP		 3638 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
3639 sizeof(rej), &rej);
354f60a9 3640 goto unlock;
df6bd743 3641 }
354f60a9 3642
5dee9e7c 3643 /* Reject if config buffer is too small. */
88219a0f 3644 len = cmd_len - sizeof(*req);
7ac28817 3645 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3646 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3647 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 3648 L2CAP_CONF_REJECT, flags), rsp);
3649 goto unlock;
3650 }
3651
3652 /* Store config. */
73ffa904
GP		 3653 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3654 chan->conf_len += len;
1da177e4
LT		 3655
3656 if (flags & 0x0001) {
3657 /* Incomplete config. Send empty response. */
3658 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3659 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 3660 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 3661 goto unlock;
3662 }
3663
3664 /* Complete config. */
73ffa904 3665 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3666 if (len < 0) {
e92c8e70 3667 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 3668 goto unlock;
f2fcfcd6 3669 }
1da177e4 3670
5dee9e7c 3671 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3672 chan->num_conf_rsp++;
5dee9e7c 3673
5dee9e7c 3674 /* Reset config buffer. */
73ffa904 3675 chan->conf_len = 0;
5dee9e7c 3676
c1360a1c 3677 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3678 goto unlock;
3679
c1360a1c 3680 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3681 set_default_fcs(chan);
fcc203c3 3682
89bc500e 3683 l2cap_state_change(chan, BT_CONNECTED);
e90bac06 3684
105bdf9e
MM		 3685 if (chan->mode == L2CAP_MODE_ERTM ||
3686 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3687 err = l2cap_ertm_init(chan);
3688
3689 if (err < 0)
3690 l2cap_send_disconn_req(chan->conn, chan, -err);
3691 else
3692 l2cap_chan_ready(chan);
0565c1c2 3693
876d9484
MH		 3694 goto unlock;
3695 }
3696
c1360a1c 3697 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3698 u8 buf[64];
1da177e4 3699 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3700 l2cap_build_conf_req(chan, buf), buf);
3701 chan->num_conf_req++;
1da177e4
LT		 3702 }
3703
0e8b207e
AE		 3704 /* Got Conf Rsp PENDING from remote side and asume we sent
3705 Conf Rsp PENDING in the code above */
3706 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
3707 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3708
3709 /* check compatibility */
3710
3711 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3712 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3713
3714 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3715 l2cap_build_conf_rsp(chan, rsp,
0e8b207e
AE		 3716 L2CAP_CONF_SUCCESS, 0x0000), rsp);
3717 }
3718
1da177e4 3719unlock:
6be36555 3720 l2cap_chan_unlock(chan);
3c588192 3721 return err;
1da177e4
LT		 3722}
3723
3724static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3725{
3726 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3727 u16 scid, flags, result;
48454079 3728 struct l2cap_chan *chan;
61386cba 3729 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3730 int err = 0;
1da177e4
LT		 3731
3732 scid = __le16_to_cpu(rsp->scid);
3733 flags = __le16_to_cpu(rsp->flags);
3734 result = __le16_to_cpu(rsp->result);
3735
61386cba
AE		 3736 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3737 result, len);
1da177e4 3738
baa7e1fa 3739 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3740 if (!chan)
1da177e4
LT		 3741 return 0;
3742
3743 switch (result) {
3744 case L2CAP_CONF_SUCCESS:
47d1ec61 3745 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3746 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3747 break;
3748
0e8b207e
AE		 3749 case L2CAP_CONF_PENDING:
3750 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3751
3752 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3753 char buf[64];
3754
3755 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3756 buf, &result);
3757 if (len < 0) {
3758 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3759 goto done;
3760 }
3761
3762 /* check compatibility */
3763
3764 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3765 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3766
3767 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3768 l2cap_build_conf_rsp(chan, buf,
0e8b207e
AE		 3769 L2CAP_CONF_SUCCESS, 0x0000), buf);
3770 }
3771 goto done;
3772
1da177e4 3773 case L2CAP_CONF_UNACCEPT:
73ffa904 3774 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3775 char req[64];
3776
c2c77ec8 3777 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 3778 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 3779 goto done;
3780 }
3781
f2fcfcd6
GP		 3782 /* throw out any old stored conf requests */
3783 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 3784 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3785 req, &result);
f2fcfcd6 3786 if (len < 0) {
e92c8e70 3787 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 3788 goto done;
3789 }
3790
3791 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3792 L2CAP_CONF_REQ, len, req);
73ffa904 3793 chan->num_conf_req++;
f2fcfcd6
GP		 3794 if (result != L2CAP_CONF_SUCCESS)
3795 goto done;
3796 break;
1da177e4
LT		 3797 }
3798
8e87d142 3799 default:
6be36555 3800 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 3801
ba13ccd9 3802 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 3803 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 3804 goto done;
3805 }
3806
3807 if (flags & 0x01)
3808 goto done;
3809
c1360a1c 3810 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 3811
c1360a1c 3812 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 3813 set_default_fcs(chan);
fcc203c3 3814
89bc500e 3815 l2cap_state_change(chan, BT_CONNECTED);
105bdf9e
MM		 3816 if (chan->mode == L2CAP_MODE_ERTM ||
3817 chan->mode == L2CAP_MODE_STREAMING)
3c588192 3818 err = l2cap_ertm_init(chan);
0565c1c2 3819
3c588192
MM		 3820 if (err < 0)
3821 l2cap_send_disconn_req(chan->conn, chan, -err);
3822 else
3823 l2cap_chan_ready(chan);
1da177e4
LT		 3824 }
3825
3826done:
6be36555 3827 l2cap_chan_unlock(chan);
3c588192 3828 return err;
1da177e4
LT		 3829}
3830
3831static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3832{
3833 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3834 struct l2cap_disconn_rsp rsp;
3835 u16 dcid, scid;
48454079 3836 struct l2cap_chan *chan;
1da177e4
LT		 3837 struct sock *sk;
3838
3839 scid = __le16_to_cpu(req->scid);
3840 dcid = __le16_to_cpu(req->dcid);
3841
3842 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3843
3df91ea2
AE		 3844 mutex_lock(&conn->chan_lock);
3845
3846 chan = __l2cap_get_chan_by_scid(conn, dcid);
3847 if (!chan) {
3848 mutex_unlock(&conn->chan_lock);
1da177e4 3849 return 0;
3df91ea2 3850 }
1da177e4 3851
6be36555
AE		 3852 l2cap_chan_lock(chan);
3853
48454079
GP		 3854 sk = chan->sk;
3855
fe4128e0
GP		 3856 rsp.dcid = cpu_to_le16(chan->scid);
3857 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3858 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3859
6be36555 3860 lock_sock(sk);
1da177e4 3861 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 3862 release_sock(sk);
1da177e4 3863
61d6ef3e 3864 l2cap_chan_hold(chan);
48454079 3865 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 3866
3867 l2cap_chan_unlock(chan);
1da177e4 3868
ba3bd0ee 3869 chan->ops->close(chan->data);
61d6ef3e 3870 l2cap_chan_put(chan);
3df91ea2
AE		 3871
3872 mutex_unlock(&conn->chan_lock);
3873
1da177e4
LT		 3874 return 0;
3875}
3876
3877static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3878{
3879 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3880 u16 dcid, scid;
48454079 3881 struct l2cap_chan *chan;
1da177e4
LT		 3882
3883 scid = __le16_to_cpu(rsp->scid);
3884 dcid = __le16_to_cpu(rsp->dcid);
3885
3886 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3887
3df91ea2
AE		 3888 mutex_lock(&conn->chan_lock);
3889
3890 chan = __l2cap_get_chan_by_scid(conn, scid);
3891 if (!chan) {
3892 mutex_unlock(&conn->chan_lock);
1da177e4 3893 return 0;
3df91ea2 3894 }
1da177e4 3895
6be36555 3896 l2cap_chan_lock(chan);
48454079 3897
61d6ef3e 3898 l2cap_chan_hold(chan);
48454079 3899 l2cap_chan_del(chan, 0);
6be36555
AE		 3900
3901 l2cap_chan_unlock(chan);
1da177e4 3902
ba3bd0ee 3903 chan->ops->close(chan->data);
61d6ef3e 3904 l2cap_chan_put(chan);
3df91ea2
AE		 3905
3906 mutex_unlock(&conn->chan_lock);
3907
1da177e4
LT		 3908 return 0;
3909}
3910
3911static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3912{
3913 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3914 u16 type;
3915
3916 type = __le16_to_cpu(req->type);
3917
3918 BT_DBG("type 0x%4.4x", type);
3919
f0709e03
MH		 3920 if (type == L2CAP_IT_FEAT_MASK) {
3921 u8 buf[8];
44dd46de 3922 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 3923 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3924 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3925 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3926 if (!disable_ertm)
fcc203c3
GP		 3927 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3928 | L2CAP_FEAT_FCS;
a5fd6f30 3929 if (enable_hs)
6327eb98
AE		 3930 feat_mask |= L2CAP_FEAT_EXT_FLOW
3931 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3932
1b7bf4ed 3933 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3934 l2cap_send_cmd(conn, cmd->ident,
3935 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3936 } else if (type == L2CAP_IT_FIXED_CHAN) {
3937 u8 buf[12];
3938 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3939
3940 if (enable_hs)
3941 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3942 else
3943 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3944
e1027a7c
MH		 3945 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3946 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3947 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH		 3948 l2cap_send_cmd(conn, cmd->ident,
3949 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3950 } else {
3951 struct l2cap_info_rsp rsp;
3952 rsp.type = cpu_to_le16(type);
3953 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3954 l2cap_send_cmd(conn, cmd->ident,
3955 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3956 }
1da177e4
LT		 3957
3958 return 0;
3959}
3960
3961static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3962{
3963 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3964 u16 type, result;
3965
3966 type = __le16_to_cpu(rsp->type);
3967 result = __le16_to_cpu(rsp->result);
3968
3969 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3970
e90165be
AE		 3971 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3972 if (cmd->ident != conn->info_ident ||
3973 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3974 return 0;
3975
17cd3f37 3976 cancel_delayed_work(&conn->info_timer);
4e8402a3 3977
adb08ede
VT		 3978 if (result != L2CAP_IR_SUCCESS) {
3979 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3980 conn->info_ident = 0;
3981
3982 l2cap_conn_start(conn);
3983
3984 return 0;
3985 }
3986
978c93b9
AE		 3987 switch (type) {
3988 case L2CAP_IT_FEAT_MASK:
83985319 3989 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3990
47ec1dcd 3991 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 3992 struct l2cap_info_req req;
3993 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3994
3995 conn->info_ident = l2cap_get_ident(conn);
3996
3997 l2cap_send_cmd(conn, conn->info_ident,
3998 L2CAP_INFO_REQ, sizeof(req), &req);
3999 } else {
4000 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4001 conn->info_ident = 0;
4002
4003 l2cap_conn_start(conn);
4004 }
978c93b9
AE		 4005 break;
4006
4007 case L2CAP_IT_FIXED_CHAN:
4008 conn->fixed_chan_mask = rsp->data[0];
984947dc 4009 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4010 conn->info_ident = 0;
984947dc
MH		 4011
4012 l2cap_conn_start(conn);
978c93b9 4013 break;
984947dc 4014 }
4e8402a3 4015
1da177e4
LT		 4016 return 0;
4017}
4018
f94ff6ff
MM		 4019static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
4020 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4021 void *data)
4022{
4023 struct l2cap_create_chan_req *req = data;
4024 struct l2cap_create_chan_rsp rsp;
4025 u16 psm, scid;
4026
4027 if (cmd_len != sizeof(*req))
4028 return -EPROTO;
4029
4030 if (!enable_hs)
4031 return -EINVAL;
4032
4033 psm = le16_to_cpu(req->psm);
4034 scid = le16_to_cpu(req->scid);
4035
4036 BT_DBG("psm %d, scid %d, amp_id %d", psm, scid, req->amp_id);
4037
4038 /* Placeholder: Always reject */
4039 rsp.dcid = 0;
4040 rsp.scid = cpu_to_le16(scid);
8ce0c498
AE		 4041 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
4042 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f94ff6ff
MM		 4043
4044 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4045 sizeof(rsp), &rsp);
4046
4047 return 0;
4048}
4049
4050static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
4051 struct l2cap_cmd_hdr *cmd, void *data)
4052{
4053 BT_DBG("conn %p", conn);
4054
4055 return l2cap_connect_rsp(conn, cmd, data);
4056}
4057
8d5a04a1
MM		 4058static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
4059 u16 icid, u16 result)
4060{
4061 struct l2cap_move_chan_rsp rsp;
4062
4063 BT_DBG("icid %d, result %d", icid, result);
4064
4065 rsp.icid = cpu_to_le16(icid);
4066 rsp.result = cpu_to_le16(result);
4067
4068 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
4069}
4070
4071static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
4072 struct l2cap_chan *chan, u16 icid, u16 result)
4073{
4074 struct l2cap_move_chan_cfm cfm;
4075 u8 ident;
4076
4077 BT_DBG("icid %d, result %d", icid, result);
4078
4079 ident = l2cap_get_ident(conn);
4080 if (chan)
4081 chan->ident = ident;
4082
4083 cfm.icid = cpu_to_le16(icid);
4084 cfm.result = cpu_to_le16(result);
4085
4086 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
4087}
4088
4089static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
4090 u16 icid)
4091{
4092 struct l2cap_move_chan_cfm_rsp rsp;
4093
4094 BT_DBG("icid %d", icid);
4095
4096 rsp.icid = cpu_to_le16(icid);
4097 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4098}
4099
4100static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
4101 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4102{
4103 struct l2cap_move_chan_req *req = data;
4104 u16 icid = 0;
4105 u16 result = L2CAP_MR_NOT_ALLOWED;
4106
4107 if (cmd_len != sizeof(*req))
4108 return -EPROTO;
4109
4110 icid = le16_to_cpu(req->icid);
4111
4112 BT_DBG("icid %d, dest_amp_id %d", icid, req->dest_amp_id);
4113
4114 if (!enable_hs)
4115 return -EINVAL;
4116
4117 /* Placeholder: Always refuse */
4118 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
4119
4120 return 0;
4121}
4122
4123static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
4124 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4125{
4126 struct l2cap_move_chan_rsp *rsp = data;
4127 u16 icid, result;
4128
4129 if (cmd_len != sizeof(*rsp))
4130 return -EPROTO;
4131
4132 icid = le16_to_cpu(rsp->icid);
4133 result = le16_to_cpu(rsp->result);
4134
4135 BT_DBG("icid %d, result %d", icid, result);
4136
4137 /* Placeholder: Always unconfirmed */
4138 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
4139
4140 return 0;
4141}
4142
4143static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
4144 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4145{
4146 struct l2cap_move_chan_cfm *cfm = data;
4147 u16 icid, result;
4148
4149 if (cmd_len != sizeof(*cfm))
4150 return -EPROTO;
4151
4152 icid = le16_to_cpu(cfm->icid);
4153 result = le16_to_cpu(cfm->result);
4154
4155 BT_DBG("icid %d, result %d", icid, result);
4156
4157 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4158
4159 return 0;
4160}
4161
4162static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
4163 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4164{
4165 struct l2cap_move_chan_cfm_rsp *rsp = data;
4166 u16 icid;
4167
4168 if (cmd_len != sizeof(*rsp))
4169 return -EPROTO;
4170
4171 icid = le16_to_cpu(rsp->icid);
4172
4173 BT_DBG("icid %d", icid);
4174
4175 return 0;
4176}
4177
e2174ca4 4178static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 4179 u16 to_multiplier)
4180{
4181 u16 max_latency;
4182
4183 if (min > max || min < 6 || max > 3200)
4184 return -EINVAL;
4185
4186 if (to_multiplier < 10 || to_multiplier > 3200)
4187 return -EINVAL;
4188
4189 if (max >= to_multiplier * 8)
4190 return -EINVAL;
4191
4192 max_latency = (to_multiplier * 8 / max) - 1;
4193 if (latency > 499 || latency > max_latency)
4194 return -EINVAL;
4195
4196 return 0;
4197}
4198
4199static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
4200 struct l2cap_cmd_hdr *cmd, u8 *data)
4201{
4202 struct hci_conn *hcon = conn->hcon;
4203 struct l2cap_conn_param_update_req *req;
4204 struct l2cap_conn_param_update_rsp rsp;
4205 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 4206 int err;
de73115a
CT		 4207
4208 if (!(hcon->link_mode & HCI_LM_MASTER))
4209 return -EINVAL;
4210
4211 cmd_len = __le16_to_cpu(cmd->len);
4212 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
4213 return -EPROTO;
4214
4215 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 4216 min = __le16_to_cpu(req->min);
4217 max = __le16_to_cpu(req->max);
de73115a
CT		 4218 latency = __le16_to_cpu(req->latency);
4219 to_multiplier = __le16_to_cpu(req->to_multiplier);
4220
4221 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
4222 min, max, latency, to_multiplier);
4223
4224 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 4225
4226 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
4227 if (err)
de73115a
CT		 4228 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
4229 else
4230 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
4231
4232 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
4233 sizeof(rsp), &rsp);
4234
2ce603eb
CT		 4235 if (!err)
4236 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
4237
de73115a
CT		 4238 return 0;
4239}
4240
3300d9a9
CT		 4241static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
4242 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4243{
4244 int err = 0;
4245
4246 switch (cmd->code) {
4247 case L2CAP_COMMAND_REJ:
4248 l2cap_command_rej(conn, cmd, data);
4249 break;
4250
4251 case L2CAP_CONN_REQ:
4252 err = l2cap_connect_req(conn, cmd, data);
4253 break;
4254
4255 case L2CAP_CONN_RSP:
4256 err = l2cap_connect_rsp(conn, cmd, data);
4257 break;
4258
4259 case L2CAP_CONF_REQ:
4260 err = l2cap_config_req(conn, cmd, cmd_len, data);
4261 break;
4262
4263 case L2CAP_CONF_RSP:
4264 err = l2cap_config_rsp(conn, cmd, data);
4265 break;
4266
4267 case L2CAP_DISCONN_REQ:
4268 err = l2cap_disconnect_req(conn, cmd, data);
4269 break;
4270
4271 case L2CAP_DISCONN_RSP:
4272 err = l2cap_disconnect_rsp(conn, cmd, data);
4273 break;
4274
4275 case L2CAP_ECHO_REQ:
4276 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
4277 break;
4278
4279 case L2CAP_ECHO_RSP:
4280 break;
4281
4282 case L2CAP_INFO_REQ:
4283 err = l2cap_information_req(conn, cmd, data);
4284 break;
4285
4286 case L2CAP_INFO_RSP:
4287 err = l2cap_information_rsp(conn, cmd, data);
4288 break;
4289
f94ff6ff
MM		 4290 case L2CAP_CREATE_CHAN_REQ:
4291 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
4292 break;
4293
4294 case L2CAP_CREATE_CHAN_RSP:
4295 err = l2cap_create_channel_rsp(conn, cmd, data);
4296 break;
4297
8d5a04a1
MM		 4298 case L2CAP_MOVE_CHAN_REQ:
4299 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
4300 break;
4301
4302 case L2CAP_MOVE_CHAN_RSP:
4303 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
4304 break;
4305
4306 case L2CAP_MOVE_CHAN_CFM:
4307 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
4308 break;
4309
4310 case L2CAP_MOVE_CHAN_CFM_RSP:
4311 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
4312 break;
4313
3300d9a9
CT		 4314 default:
4315 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
4316 err = -EINVAL;
4317 break;
4318 }
4319
4320 return err;
4321}
4322
4323static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
4324 struct l2cap_cmd_hdr *cmd, u8 *data)
4325{
4326 switch (cmd->code) {
4327 case L2CAP_COMMAND_REJ:
4328 return 0;
4329
4330 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 4331 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 4332
4333 case L2CAP_CONN_PARAM_UPDATE_RSP:
4334 return 0;
4335
4336 default:
4337 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
4338 return -EINVAL;
4339 }
4340}
4341
4342static inline void l2cap_sig_channel(struct l2cap_conn *conn,
4343 struct sk_buff *skb)
1da177e4
LT		 4344{
4345 u8 *data = skb->data;
4346 int len = skb->len;
4347 struct l2cap_cmd_hdr cmd;
3300d9a9 4348 int err;
1da177e4
LT		 4349
4350 l2cap_raw_recv(conn, skb);
4351
4352 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 4353 u16 cmd_len;
1da177e4
LT		 4354 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
4355 data += L2CAP_CMD_HDR_SIZE;
4356 len -= L2CAP_CMD_HDR_SIZE;
4357
88219a0f 4358 cmd_len = le16_to_cpu(cmd.len);
1da177e4 4359
88219a0f 4360 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 4361
88219a0f 4362 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 4363 BT_DBG("corrupted command");
4364 break;
4365 }
4366
3300d9a9
CT		 4367 if (conn->hcon->type == LE_LINK)
4368 err = l2cap_le_sig_cmd(conn, &cmd, data);
4369 else
4370 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 4371
4372 if (err) {
e2fd318e 4373 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 4374
4375 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 4376
4377 /* FIXME: Map err to a valid reason */
e2fd318e 4378 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 4379 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4380 }
4381
88219a0f
AV		 4382 data += cmd_len;
4383 len -= cmd_len;
1da177e4
LT		 4384 }
4385
4386 kfree_skb(skb);
4387}
4388
47d1ec61 4389static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 4390{
4391 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 4392 int hdr_size;
4393
4394 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
4395 hdr_size = L2CAP_EXT_HDR_SIZE;
4396 else
4397 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 4398
47d1ec61 4399 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 4400 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 4401 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
4402 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
4403
4404 if (our_fcs != rcv_fcs)
7a560e5c 4405 return -EBADMSG;
fcc203c3
GP		 4406 }
4407 return 0;
4408}
4409
6ea00485 4410static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 4411{
e31f7633 4412 struct l2cap_ctrl control;
d5392c8f 4413
e31f7633 4414 BT_DBG("chan %p", chan);
d5392c8f 4415
e31f7633
MM		 4416 memset(&control, 0, sizeof(control));
4417 control.sframe = 1;
4418 control.final = 1;
4419 control.reqseq = chan->buffer_seq;
4420 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 4421
e2ab4353 4422 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 4423 control.super = L2CAP_SUPER_RNR;
4424 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4425 }
4426
e31f7633
MM		 4427 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
4428 chan->unacked_frames > 0)
4429 __set_retrans_timer(chan);
d5392c8f 4430
e31f7633 4431 /* Send pending iframes */
525cd185 4432 l2cap_ertm_send(chan);
d5392c8f 4433
e2ab4353 4434 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 4435 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
4436 /* F-bit wasn't sent in an s-frame or i-frame yet, so
4437 * send it now.
4438 */
4439 control.super = L2CAP_SUPER_RR;
4440 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4441 }
4442}
4443
84084a31
MM		 4444static void append_skb_frag(struct sk_buff *skb,
4445 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 4446{
84084a31
MM		 4447 /* skb->len reflects data in skb as well as all fragments
4448 * skb->data_len reflects only data in fragments
4449 */
4450 if (!skb_has_frag_list(skb))
4451 skb_shinfo(skb)->frag_list = new_frag;
4452
4453 new_frag->next = NULL;
4454
4455 (*last_frag)->next = new_frag;
4456 *last_frag = new_frag;
4457
4458 skb->len += new_frag->len;
4459 skb->data_len += new_frag->len;
4460 skb->truesize += new_frag->truesize;
4461}
4462
4b51dae9
MM		 4463static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
4464 struct l2cap_ctrl *control)
84084a31
MM		 4465{
4466 int err = -EINVAL;
18778a63 4467
4b51dae9 4468 switch (control->sar) {
7e0ef6ee 4469 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 4470 if (chan->sdu)
4471 break;
18778a63 4472
84084a31
MM		 4473 err = chan->ops->recv(chan->data, skb);
4474 break;
18778a63 4475
7e0ef6ee 4476 case L2CAP_SAR_START:
84084a31
MM		 4477 if (chan->sdu)
4478 break;
18778a63 4479
6f61fd47 4480 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 4481 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 4482
84084a31
MM		 4483 if (chan->sdu_len > chan->imtu) {
4484 err = -EMSGSIZE;
4485 break;
4486 }
1890d36b 4487
84084a31
MM		 4488 if (skb->len >= chan->sdu_len)
4489 break;
18778a63 4490
84084a31
MM		 4491 chan->sdu = skb;
4492 chan->sdu_last_frag = skb;
18778a63 4493
84084a31
MM		 4494 skb = NULL;
4495 err = 0;
18778a63
GP		 4496 break;
4497
7e0ef6ee 4498 case L2CAP_SAR_CONTINUE:
6f61fd47 4499 if (!chan->sdu)
84084a31 4500 break;
18778a63 4501
84084a31
MM		 4502 append_skb_frag(chan->sdu, skb,
4503 &chan->sdu_last_frag);
4504 skb = NULL;
18778a63 4505
84084a31
MM		 4506 if (chan->sdu->len >= chan->sdu_len)
4507 break;
4178ba46 4508
84084a31 4509 err = 0;
18778a63
GP		 4510 break;
4511
7e0ef6ee 4512 case L2CAP_SAR_END:
6f61fd47 4513 if (!chan->sdu)
84084a31 4514 break;
18778a63 4515
84084a31
MM		 4516 append_skb_frag(chan->sdu, skb,
4517 &chan->sdu_last_frag);
4518 skb = NULL;
4178ba46 4519
84084a31
MM		 4520 if (chan->sdu->len != chan->sdu_len)
4521 break;
18778a63 4522
84084a31 4523 err = chan->ops->recv(chan->data, chan->sdu);
1890d36b 4524
84084a31
MM		 4525 if (!err) {
4526 /* Reassembly complete */
4527 chan->sdu = NULL;
4528 chan->sdu_last_frag = NULL;
4529 chan->sdu_len = 0;
1890d36b 4530 }
18778a63
GP		 4531 break;
4532 }
4533
84084a31
MM		 4534 if (err) {
4535 kfree_skb(skb);
4536 kfree_skb(chan->sdu);
4537 chan->sdu = NULL;
4538 chan->sdu_last_frag = NULL;
4539 chan->sdu_len = 0;
4540 }
18778a63 4541
84084a31 4542 return err;
18778a63
GP		 4543}
4544
61aa4f5b 4545void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 4546{
61aa4f5b 4547 u8 event;
712132eb 4548
61aa4f5b
MM		 4549 if (chan->mode != L2CAP_MODE_ERTM)
4550 return;
712132eb 4551
61aa4f5b 4552 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 4553 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 4554}
4555
d2a7ac5d
MM		 4556static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
4557{
63838725
MM		 4558 int err = 0;
4559 /* Pass sequential frames to l2cap_reassemble_sdu()
4560 * until a gap is encountered.
4561 */
4562
4563 BT_DBG("chan %p", chan);
4564
4565 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4566 struct sk_buff *skb;
4567 BT_DBG("Searching for skb with txseq %d (queue len %d)",
4568 chan->buffer_seq, skb_queue_len(&chan->srej_q));
4569
4570 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
4571
4572 if (!skb)
4573 break;
4574
4575 skb_unlink(skb, &chan->srej_q);
4576 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
4577 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
4578 if (err)
4579 break;
4580 }
4581
4582 if (skb_queue_empty(&chan->srej_q)) {
4583 chan->rx_state = L2CAP_RX_STATE_RECV;
4584 l2cap_send_ack(chan);
4585 }
4586
4587 return err;
d2a7ac5d
MM		 4588}
4589
4590static void l2cap_handle_srej(struct l2cap_chan *chan,
4591 struct l2cap_ctrl *control)
4592{
f80842a8
MM		 4593 struct sk_buff *skb;
4594
4595 BT_DBG("chan %p, control %p", chan, control);
4596
4597 if (control->reqseq == chan->next_tx_seq) {
4598 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4599 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4600 return;
4601 }
4602
4603 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4604
4605 if (skb == NULL) {
4606 BT_DBG("Seq %d not available for retransmission",
4607 control->reqseq);
4608 return;
4609 }
4610
4611 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
4612 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4613 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4614 return;
4615 }
4616
4617 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4618
4619 if (control->poll) {
4620 l2cap_pass_to_tx(chan, control);
4621
4622 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4623 l2cap_retransmit(chan, control);
4624 l2cap_ertm_send(chan);
4625
4626 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4627 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4628 chan->srej_save_reqseq = control->reqseq;
4629 }
4630 } else {
4631 l2cap_pass_to_tx_fbit(chan, control);
4632
4633 if (control->final) {
4634 if (chan->srej_save_reqseq != control->reqseq ||
4635 !test_and_clear_bit(CONN_SREJ_ACT,
4636 &chan->conn_state))
4637 l2cap_retransmit(chan, control);
4638 } else {
4639 l2cap_retransmit(chan, control);
4640 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4641 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4642 chan->srej_save_reqseq = control->reqseq;
4643 }
4644 }
4645 }
d2a7ac5d
MM		 4646}
4647
4648static void l2cap_handle_rej(struct l2cap_chan *chan,
4649 struct l2cap_ctrl *control)
4650{
fcd289df
MM		 4651 struct sk_buff *skb;
4652
4653 BT_DBG("chan %p, control %p", chan, control);
4654
4655 if (control->reqseq == chan->next_tx_seq) {
4656 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4657 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4658 return;
4659 }
4660
4661 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4662
4663 if (chan->max_tx && skb &&
4664 bt_cb(skb)->control.retries >= chan->max_tx) {
4665 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4666 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4667 return;
4668 }
4669
4670 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4671
4672 l2cap_pass_to_tx(chan, control);
4673
4674 if (control->final) {
4675 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
4676 l2cap_retransmit_all(chan, control);
4677 } else {
4678 l2cap_retransmit_all(chan, control);
4679 l2cap_ertm_send(chan);
4680 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
4681 set_bit(CONN_REJ_ACT, &chan->conn_state);
4682 }
d2a7ac5d
MM		 4683}
4684
4b51dae9
MM		 4685static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
4686{
4687 BT_DBG("chan %p, txseq %d", chan, txseq);
4688
4689 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
4690 chan->expected_tx_seq);
4691
4692 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
4693 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4694 chan->tx_win) {
4695 /* See notes below regarding "double poll" and
4696 * invalid packets.
4697 */
4698 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4699 BT_DBG("Invalid/Ignore - after SREJ");
4700 return L2CAP_TXSEQ_INVALID_IGNORE;
4701 } else {
4702 BT_DBG("Invalid - in window after SREJ sent");
4703 return L2CAP_TXSEQ_INVALID;
4704 }
4705 }
4706
4707 if (chan->srej_list.head == txseq) {
4708 BT_DBG("Expected SREJ");
4709 return L2CAP_TXSEQ_EXPECTED_SREJ;
4710 }
4711
4712 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
4713 BT_DBG("Duplicate SREJ - txseq already stored");
4714 return L2CAP_TXSEQ_DUPLICATE_SREJ;
4715 }
4716
4717 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
4718 BT_DBG("Unexpected SREJ - not requested");
4719 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
4720 }
4721 }
4722
4723 if (chan->expected_tx_seq == txseq) {
4724 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4725 chan->tx_win) {
4726 BT_DBG("Invalid - txseq outside tx window");
4727 return L2CAP_TXSEQ_INVALID;
4728 } else {
4729 BT_DBG("Expected");
4730 return L2CAP_TXSEQ_EXPECTED;
4731 }
4732 }
4733
4734 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
4735 __seq_offset(chan, chan->expected_tx_seq,
4736 chan->last_acked_seq)){
4737 BT_DBG("Duplicate - expected_tx_seq later than txseq");
4738 return L2CAP_TXSEQ_DUPLICATE;
4739 }
4740
4741 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
4742 /* A source of invalid packets is a "double poll" condition,
4743 * where delays cause us to send multiple poll packets. If
4744 * the remote stack receives and processes both polls,
4745 * sequence numbers can wrap around in such a way that a
4746 * resent frame has a sequence number that looks like new data
4747 * with a sequence gap. This would trigger an erroneous SREJ
4748 * request.
4749 *
4750 * Fortunately, this is impossible with a tx window that's
4751 * less than half of the maximum sequence number, which allows
4752 * invalid frames to be safely ignored.
4753 *
4754 * With tx window sizes greater than half of the tx window
4755 * maximum, the frame is invalid and cannot be ignored. This
4756 * causes a disconnect.
4757 */
4758
4759 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4760 BT_DBG("Invalid/Ignore - txseq outside tx window");
4761 return L2CAP_TXSEQ_INVALID_IGNORE;
4762 } else {
4763 BT_DBG("Invalid - txseq outside tx window");
4764 return L2CAP_TXSEQ_INVALID;
4765 }
4766 } else {
4767 BT_DBG("Unexpected - txseq indicates missing frames");
4768 return L2CAP_TXSEQ_UNEXPECTED;
4769 }
4770}
4771
d2a7ac5d
MM		 4772static int l2cap_rx_state_recv(struct l2cap_chan *chan,
4773 struct l2cap_ctrl *control,
4774 struct sk_buff *skb, u8 event)
4775{
4776 int err = 0;
4777 bool skb_in_use = 0;
4778
4779 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4780 event);
4781
4782 switch (event) {
4783 case L2CAP_EV_RECV_IFRAME:
4784 switch (l2cap_classify_txseq(chan, control->txseq)) {
4785 case L2CAP_TXSEQ_EXPECTED:
4786 l2cap_pass_to_tx(chan, control);
4787
4788 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4789 BT_DBG("Busy, discarding expected seq %d",
4790 control->txseq);
4791 break;
4792 }
4793
4794 chan->expected_tx_seq = __next_seq(chan,
4795 control->txseq);
4796
4797 chan->buffer_seq = chan->expected_tx_seq;
4798 skb_in_use = 1;
4799
4800 err = l2cap_reassemble_sdu(chan, skb, control);
4801 if (err)
4802 break;
4803
4804 if (control->final) {
4805 if (!test_and_clear_bit(CONN_REJ_ACT,
4806 &chan->conn_state)) {
4807 control->final = 0;
4808 l2cap_retransmit_all(chan, control);
4809 l2cap_ertm_send(chan);
4810 }
4811 }
4812
4813 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
4814 l2cap_send_ack(chan);
4815 break;
4816 case L2CAP_TXSEQ_UNEXPECTED:
4817 l2cap_pass_to_tx(chan, control);
4818
4819 /* Can't issue SREJ frames in the local busy state.
4820 * Drop this frame, it will be seen as missing
4821 * when local busy is exited.
4822 */
4823 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4824 BT_DBG("Busy, discarding unexpected seq %d",
4825 control->txseq);
4826 break;
4827 }
4828
4829 /* There was a gap in the sequence, so an SREJ
4830 * must be sent for each missing frame. The
4831 * current frame is stored for later use.
4832 */
4833 skb_queue_tail(&chan->srej_q, skb);
4834 skb_in_use = 1;
4835 BT_DBG("Queued %p (queue len %d)", skb,
4836 skb_queue_len(&chan->srej_q));
4837
4838 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
4839 l2cap_seq_list_clear(&chan->srej_list);
4840 l2cap_send_srej(chan, control->txseq);
4841
4842 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
4843 break;
4844 case L2CAP_TXSEQ_DUPLICATE:
4845 l2cap_pass_to_tx(chan, control);
4846 break;
4847 case L2CAP_TXSEQ_INVALID_IGNORE:
4848 break;
4849 case L2CAP_TXSEQ_INVALID:
4850 default:
4851 l2cap_send_disconn_req(chan->conn, chan,
4852 ECONNRESET);
4853 break;
4854 }
4855 break;
4856 case L2CAP_EV_RECV_RR:
4857 l2cap_pass_to_tx(chan, control);
4858 if (control->final) {
4859 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4860
4861 if (!test_and_clear_bit(CONN_REJ_ACT,
4862 &chan->conn_state)) {
4863 control->final = 0;
4864 l2cap_retransmit_all(chan, control);
4865 }
4866
4867 l2cap_ertm_send(chan);
4868 } else if (control->poll) {
4869 l2cap_send_i_or_rr_or_rnr(chan);
4870 } else {
4871 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4872 &chan->conn_state) &&
4873 chan->unacked_frames)
4874 __set_retrans_timer(chan);
4875
4876 l2cap_ertm_send(chan);
4877 }
4878 break;
4879 case L2CAP_EV_RECV_RNR:
4880 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4881 l2cap_pass_to_tx(chan, control);
4882 if (control && control->poll) {
4883 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4884 l2cap_send_rr_or_rnr(chan, 0);
4885 }
4886 __clear_retrans_timer(chan);
4887 l2cap_seq_list_clear(&chan->retrans_list);
4888 break;
4889 case L2CAP_EV_RECV_REJ:
4890 l2cap_handle_rej(chan, control);
4891 break;
4892 case L2CAP_EV_RECV_SREJ:
4893 l2cap_handle_srej(chan, control);
4894 break;
4895 default:
4896 break;
4897 }
4898
4899 if (skb && !skb_in_use) {
4900 BT_DBG("Freeing %p", skb);
4901 kfree_skb(skb);
4902 }
4903
4904 return err;
4905}
4906
4907static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
4908 struct l2cap_ctrl *control,
4909 struct sk_buff *skb, u8 event)
4910{
4911 int err = 0;
4912 u16 txseq = control->txseq;
4913 bool skb_in_use = 0;
4914
4915 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4916 event);
4917
4918 switch (event) {
4919 case L2CAP_EV_RECV_IFRAME:
4920 switch (l2cap_classify_txseq(chan, txseq)) {
4921 case L2CAP_TXSEQ_EXPECTED:
4922 /* Keep frame for reassembly later */
4923 l2cap_pass_to_tx(chan, control);
4924 skb_queue_tail(&chan->srej_q, skb);
4925 skb_in_use = 1;
4926 BT_DBG("Queued %p (queue len %d)", skb,
4927 skb_queue_len(&chan->srej_q));
4928
4929 chan->expected_tx_seq = __next_seq(chan, txseq);
4930 break;
4931 case L2CAP_TXSEQ_EXPECTED_SREJ:
4932 l2cap_seq_list_pop(&chan->srej_list);
4933
4934 l2cap_pass_to_tx(chan, control);
4935 skb_queue_tail(&chan->srej_q, skb);
4936 skb_in_use = 1;
4937 BT_DBG("Queued %p (queue len %d)", skb,
4938 skb_queue_len(&chan->srej_q));
4939
4940 err = l2cap_rx_queued_iframes(chan);
4941 if (err)
4942 break;
4943
4944 break;
4945 case L2CAP_TXSEQ_UNEXPECTED:
4946 /* Got a frame that can't be reassembled yet.
4947 * Save it for later, and send SREJs to cover
4948 * the missing frames.
4949 */
4950 skb_queue_tail(&chan->srej_q, skb);
4951 skb_in_use = 1;
4952 BT_DBG("Queued %p (queue len %d)", skb,
4953 skb_queue_len(&chan->srej_q));
4954
4955 l2cap_pass_to_tx(chan, control);
4956 l2cap_send_srej(chan, control->txseq);
4957 break;
4958 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
4959 /* This frame was requested with an SREJ, but
4960 * some expected retransmitted frames are
4961 * missing. Request retransmission of missing
4962 * SREJ'd frames.
4963 */
4964 skb_queue_tail(&chan->srej_q, skb);
4965 skb_in_use = 1;
4966 BT_DBG("Queued %p (queue len %d)", skb,
4967 skb_queue_len(&chan->srej_q));
4968
4969 l2cap_pass_to_tx(chan, control);
4970 l2cap_send_srej_list(chan, control->txseq);
4971 break;
4972 case L2CAP_TXSEQ_DUPLICATE_SREJ:
4973 /* We've already queued this frame. Drop this copy. */
4974 l2cap_pass_to_tx(chan, control);
4975 break;
4976 case L2CAP_TXSEQ_DUPLICATE:
4977 /* Expecting a later sequence number, so this frame
4978 * was already received. Ignore it completely.
4979 */
4980 break;
4981 case L2CAP_TXSEQ_INVALID_IGNORE:
4982 break;
4983 case L2CAP_TXSEQ_INVALID:
4984 default:
4985 l2cap_send_disconn_req(chan->conn, chan,
4986 ECONNRESET);
4987 break;
4988 }
4989 break;
4990 case L2CAP_EV_RECV_RR:
4991 l2cap_pass_to_tx(chan, control);
4992 if (control->final) {
4993 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4994
4995 if (!test_and_clear_bit(CONN_REJ_ACT,
4996 &chan->conn_state)) {
4997 control->final = 0;
4998 l2cap_retransmit_all(chan, control);
4999 }
5000
5001 l2cap_ertm_send(chan);
5002 } else if (control->poll) {
5003 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5004 &chan->conn_state) &&
5005 chan->unacked_frames) {
5006 __set_retrans_timer(chan);
5007 }
5008
5009 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5010 l2cap_send_srej_tail(chan);
5011 } else {
5012 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5013 &chan->conn_state) &&
5014 chan->unacked_frames)
5015 __set_retrans_timer(chan);
5016
5017 l2cap_send_ack(chan);
5018 }
5019 break;
5020 case L2CAP_EV_RECV_RNR:
5021 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5022 l2cap_pass_to_tx(chan, control);
5023 if (control->poll) {
5024 l2cap_send_srej_tail(chan);
5025 } else {
5026 struct l2cap_ctrl rr_control;
5027 memset(&rr_control, 0, sizeof(rr_control));
5028 rr_control.sframe = 1;
5029 rr_control.super = L2CAP_SUPER_RR;
5030 rr_control.reqseq = chan->buffer_seq;
5031 l2cap_send_sframe(chan, &rr_control);
5032 }
5033
5034 break;
5035 case L2CAP_EV_RECV_REJ:
5036 l2cap_handle_rej(chan, control);
5037 break;
5038 case L2CAP_EV_RECV_SREJ:
5039 l2cap_handle_srej(chan, control);
5040 break;
5041 }
5042
5043 if (skb && !skb_in_use) {
5044 BT_DBG("Freeing %p", skb);
5045 kfree_skb(skb);
5046 }
5047
5048 return err;
5049}
5050
5051static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
5052{
5053 /* Make sure reqseq is for a packet that has been sent but not acked */
5054 u16 unacked;
5055
5056 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
5057 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
5058}
5059
cec8ab6e
MM		 5060static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5061 struct sk_buff *skb, u8 event)
218bb9df 5062{
d2a7ac5d
MM		 5063 int err = 0;
5064
5065 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
5066 control, skb, event, chan->rx_state);
5067
5068 if (__valid_reqseq(chan, control->reqseq)) {
5069 switch (chan->rx_state) {
5070 case L2CAP_RX_STATE_RECV:
5071 err = l2cap_rx_state_recv(chan, control, skb, event);
5072 break;
5073 case L2CAP_RX_STATE_SREJ_SENT:
5074 err = l2cap_rx_state_srej_sent(chan, control, skb,
5075 event);
5076 break;
5077 default:
5078 /* shut it down */
5079 break;
5080 }
5081 } else {
5082 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
5083 control->reqseq, chan->next_tx_seq,
5084 chan->expected_ack_seq);
5085 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
5086 }
5087
5088 return err;
cec8ab6e
MM		 5089}
5090
5091static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5092 struct sk_buff *skb)
5093{
4b51dae9
MM		 5094 int err = 0;
5095
5096 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
5097 chan->rx_state);
5098
5099 if (l2cap_classify_txseq(chan, control->txseq) ==
5100 L2CAP_TXSEQ_EXPECTED) {
5101 l2cap_pass_to_tx(chan, control);
5102
5103 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
5104 __next_seq(chan, chan->buffer_seq));
5105
5106 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5107
5108 l2cap_reassemble_sdu(chan, skb, control);
5109 } else {
5110 if (chan->sdu) {
5111 kfree_skb(chan->sdu);
5112 chan->sdu = NULL;
5113 }
5114 chan->sdu_last_frag = NULL;
5115 chan->sdu_len = 0;
5116
5117 if (skb) {
5118 BT_DBG("Freeing %p", skb);
5119 kfree_skb(skb);
5120 }
5121 }
5122
5123 chan->last_acked_seq = control->txseq;
5124 chan->expected_tx_seq = __next_seq(chan, control->txseq);
5125
5126 return err;
cec8ab6e
MM		 5127}
5128
5129static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
5130{
5131 struct l2cap_ctrl *control = &bt_cb(skb)->control;
5132 u16 len;
5133 u8 event;
218bb9df 5134
b76bbd66
MM		 5135 __unpack_control(chan, skb);
5136
218bb9df
GP		 5137 len = skb->len;
5138
5139 /*
5140 * We can just drop the corrupted I-frame here.
5141 * Receiver will miss it and start proper recovery
cec8ab6e 5142 * procedures and ask for retransmission.
218bb9df 5143 */
47d1ec61 5144 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 5145 goto drop;
5146
cec8ab6e 5147 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 5148 len -= L2CAP_SDULEN_SIZE;
218bb9df 5149
47d1ec61 5150 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 5151 len -= L2CAP_FCS_SIZE;
218bb9df 5152
47d1ec61 5153 if (len > chan->mps) {
8c1d787b 5154 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5155 goto drop;
5156 }
5157
cec8ab6e
MM		 5158 if (!control->sframe) {
5159 int err;
218bb9df 5160
cec8ab6e
MM		 5161 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
5162 control->sar, control->reqseq, control->final,
5163 control->txseq);
218bb9df 5164
cec8ab6e
MM		 5165 /* Validate F-bit - F=0 always valid, F=1 only
5166 * valid in TX WAIT_F
5167 */
5168 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 5169 goto drop;
cec8ab6e
MM		 5170
5171 if (chan->mode != L2CAP_MODE_STREAMING) {
5172 event = L2CAP_EV_RECV_IFRAME;
5173 err = l2cap_rx(chan, control, skb, event);
5174 } else {
5175 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 5176 }
5177
cec8ab6e
MM		 5178 if (err)
5179 l2cap_send_disconn_req(chan->conn, chan,
5180 ECONNRESET);
218bb9df 5181 } else {
cec8ab6e
MM		 5182 const u8 rx_func_to_event[4] = {
5183 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
5184 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
5185 };
5186
5187 /* Only I-frames are expected in streaming mode */
5188 if (chan->mode == L2CAP_MODE_STREAMING)
5189 goto drop;
5190
5191 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
5192 control->reqseq, control->final, control->poll,
5193 control->super);
5194
218bb9df
GP		 5195 if (len != 0) {
5196 BT_ERR("%d", len);
8c1d787b 5197 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5198 goto drop;
5199 }
5200
cec8ab6e
MM		 5201 /* Validate F and P bits */
5202 if (control->final && (control->poll ||
5203 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
5204 goto drop;
5205
5206 event = rx_func_to_event[control->super];
5207 if (l2cap_rx(chan, control, skb, event))
5208 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5209 }
5210
5211 return 0;
5212
5213drop:
5214 kfree_skb(skb);
5215 return 0;
5216}
5217
1da177e4
LT		 5218static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
5219{
48454079 5220 struct l2cap_chan *chan;
1da177e4 5221
baa7e1fa 5222 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 5223 if (!chan) {
1da177e4 5224 BT_DBG("unknown cid 0x%4.4x", cid);
6be36555 5225 /* Drop packet and return */
3379013b 5226 kfree_skb(skb);
6be36555 5227 return 0;
1da177e4
LT		 5228 }
5229
49208c9c 5230 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5231
89bc500e 5232 if (chan->state != BT_CONNECTED)
1da177e4
LT		 5233 goto drop;
5234
0c1bc5c6 5235 switch (chan->mode) {
1c2acffb
GP		 5236 case L2CAP_MODE_BASIC:
5237 /* If socket recv buffers overflows we drop data here
5238 * which is *bad* because L2CAP has to be reliable.
5239 * But we don't have any other choice. L2CAP doesn't
5240 * provide flow control mechanism. */
1da177e4 5241
0c1bc5c6 5242 if (chan->imtu < skb->len)
1c2acffb 5243 goto drop;
1da177e4 5244
23070494 5245 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP		 5246 goto done;
5247 break;
5248
5249 case L2CAP_MODE_ERTM:
6840ed07 5250 case L2CAP_MODE_STREAMING:
cec8ab6e 5251 l2cap_data_rcv(chan, skb);
6840ed07
GP		 5252 goto done;
5253
1c2acffb 5254 default:
0c1bc5c6 5255 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 5256 break;
5257 }
1da177e4
LT		 5258
5259drop:
5260 kfree_skb(skb);
5261
5262done:
6be36555 5263 l2cap_chan_unlock(chan);
0139418c 5264
1da177e4
LT		 5265 return 0;
5266}
5267
8e036fc3 5268static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 5269{
23691d75 5270 struct l2cap_chan *chan;
1da177e4 5271
c2287681 5272 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 5273 if (!chan)
1da177e4
LT		 5274 goto drop;
5275
5b4cedaa 5276 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5277
89bc500e 5278 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 5279 goto drop;
5280
e13e21dc 5281 if (chan->imtu < skb->len)
1da177e4
LT		 5282 goto drop;
5283
23070494 5284 if (!chan->ops->recv(chan->data, skb))
5b4cedaa 5285 return 0;
1da177e4
LT		 5286
5287drop:
5288 kfree_skb(skb);
5289
1da177e4
LT		 5290 return 0;
5291}
5292
d9b88702
AE		 5293static inline int l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
5294 struct sk_buff *skb)
9f69bda6 5295{
23691d75 5296 struct l2cap_chan *chan;
9f69bda6 5297
c2287681 5298 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 5299 if (!chan)
9f69bda6
GP		 5300 goto drop;
5301
5b4cedaa 5302 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 5303
89bc500e 5304 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 5305 goto drop;
5306
e13e21dc 5307 if (chan->imtu < skb->len)
9f69bda6
GP		 5308 goto drop;
5309
23070494 5310 if (!chan->ops->recv(chan->data, skb))
5b4cedaa 5311 return 0;
9f69bda6
GP		 5312
5313drop:
5314 kfree_skb(skb);
5315
9f69bda6
GP		 5316 return 0;
5317}
5318
1da177e4
LT		 5319static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
5320{
5321 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 5322 u16 cid, len;
5323 __le16 psm;
1da177e4
LT		 5324
5325 skb_pull(skb, L2CAP_HDR_SIZE);
5326 cid = __le16_to_cpu(lh->cid);
5327 len = __le16_to_cpu(lh->len);
5328
1c2acffb
GP		 5329 if (len != skb->len) {
5330 kfree_skb(skb);
5331 return;
5332 }
5333
1da177e4
LT		 5334 BT_DBG("len %d, cid 0x%4.4x", len, cid);
5335
5336 switch (cid) {
3300d9a9 5337 case L2CAP_CID_LE_SIGNALING:
8db4dc46 5338 case L2CAP_CID_SIGNALING:
1da177e4
LT		 5339 l2cap_sig_channel(conn, skb);
5340 break;
5341
8db4dc46 5342 case L2CAP_CID_CONN_LESS:
097db76c 5343 psm = get_unaligned((__le16 *) skb->data);
1da177e4
LT		 5344 skb_pull(skb, 2);
5345 l2cap_conless_channel(conn, psm, skb);
5346 break;
5347
9f69bda6
GP		 5348 case L2CAP_CID_LE_DATA:
5349 l2cap_att_channel(conn, cid, skb);
5350 break;
5351
b501d6a1
AB		 5352 case L2CAP_CID_SMP:
5353 if (smp_sig_channel(conn, skb))
5354 l2cap_conn_del(conn->hcon, EACCES);
5355 break;
5356
1da177e4
LT		 5357 default:
5358 l2cap_data_channel(conn, cid, skb);
5359 break;
5360 }
5361}
5362
5363/* ---- L2CAP interface with lower layer (HCI) ---- */
5364
686ebf28 5365int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 5366{
5367 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 5368 struct l2cap_chan *c;
1da177e4 5369
1da177e4
LT		 5370 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
5371
5372 /* Find listening sockets and check their link_mode */
23691d75
GP		 5373 read_lock(&chan_list_lock);
5374 list_for_each_entry(c, &chan_list, global_l) {
5375 struct sock *sk = c->sk;
4343478f 5376
89bc500e 5377 if (c->state != BT_LISTEN)
1da177e4
LT		 5378 continue;
5379
5380 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 5381 lm1 |= HCI_LM_ACCEPT;
43bd0f32 5382 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 5383 lm1 |= HCI_LM_MASTER;
1da177e4 5384 exact++;
2af6b9d5
MH		 5385 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
5386 lm2 |= HCI_LM_ACCEPT;
43bd0f32 5387 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 5388 lm2 |= HCI_LM_MASTER;
5389 }
1da177e4 5390 }
23691d75 5391 read_unlock(&chan_list_lock);
1da177e4
LT		 5392
5393 return exact ? lm1 : lm2;
5394}
5395
686ebf28 5396int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 5397{
0139418c
MH		 5398 struct l2cap_conn *conn;
5399
1da177e4
LT		 5400 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
5401
1da177e4 5402 if (!status) {
1da177e4
LT		 5403 conn = l2cap_conn_add(hcon, status);
5404 if (conn)
5405 l2cap_conn_ready(conn);
0139418c 5406 } else
e175072f 5407 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 5408
5409 return 0;
5410}
5411
686ebf28 5412int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 5413{
5414 struct l2cap_conn *conn = hcon->l2cap_data;
5415
5416 BT_DBG("hcon %p", hcon);
5417
686ebf28 5418 if (!conn)
9f5a0d7b 5419 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 5420 return conn->disc_reason;
5421}
5422
686ebf28 5423int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 5424{
5425 BT_DBG("hcon %p reason %d", hcon, reason);
5426
e175072f 5427 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 5428 return 0;
5429}
5430
4343478f 5431static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 5432{
715ec005 5433 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 5434 return;
5435
f62e4323 5436 if (encrypt == 0x00) {
4343478f 5437 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 5438 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 5439 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 5440 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 5441 } else {
4343478f 5442 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 5443 __clear_chan_timer(chan);
f62e4323
MH		 5444 }
5445}
5446
686ebf28 5447int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 5448{
0139418c 5449 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 5450 struct l2cap_chan *chan;
1da177e4 5451
0139418c 5452 if (!conn)
1da177e4 5453 return 0;
0139418c 5454
1da177e4
LT		 5455 BT_DBG("conn %p", conn);
5456
160dc6ac 5457 if (hcon->type == LE_LINK) {
35d4adcc
HG		 5458 if (!status && encrypt)
5459 smp_distribute_keys(conn, 0);
17cd3f37 5460 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 5461 }
5462
3df91ea2 5463 mutex_lock(&conn->chan_lock);
1da177e4 5464
3df91ea2 5465 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 5466 l2cap_chan_lock(chan);
1da177e4 5467
f1cb9af5
VCG		 5468 BT_DBG("chan->scid %d", chan->scid);
5469
5470 if (chan->scid == L2CAP_CID_LE_DATA) {
5471 if (!status && encrypt) {
5472 chan->sec_level = hcon->sec_level;
cf4cd009 5473 l2cap_chan_ready(chan);
f1cb9af5
VCG		 5474 }
5475
6be36555 5476 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 5477 continue;
5478 }
5479
c1360a1c 5480 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6be36555 5481 l2cap_chan_unlock(chan);
6a8d3010
MH		 5482 continue;
5483 }
5484
89bc500e
GP		 5485 if (!status && (chan->state == BT_CONNECTED ||
5486 chan->state == BT_CONFIG)) {
a7d7723a
GP		 5487 struct sock *sk = chan->sk;
5488
c5daa683 5489 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 5490 sk->sk_state_change(sk);
5491
4343478f 5492 l2cap_check_encryption(chan, encrypt);
6be36555 5493 l2cap_chan_unlock(chan);
9719f8af
MH		 5494 continue;
5495 }
5496
89bc500e 5497 if (chan->state == BT_CONNECT) {
b1235d79 5498 if (!status) {
9b27f350 5499 l2cap_send_conn_req(chan);
b1235d79 5500 } else {
ba13ccd9 5501 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 5502 }
89bc500e 5503 } else if (chan->state == BT_CONNECT2) {
6be36555 5504 struct sock *sk = chan->sk;
b1235d79 5505 struct l2cap_conn_rsp rsp;
df3c3931 5506 __u16 res, stat;
1da177e4 5507
6be36555
AE		 5508 lock_sock(sk);
5509
b1235d79 5510 if (!status) {
c5daa683
GP		 5511 if (test_bit(BT_SK_DEFER_SETUP,
5512 &bt_sk(sk)->flags)) {
df3c3931
JH		 5513 struct sock *parent = bt_sk(sk)->parent;
5514 res = L2CAP_CR_PEND;
5515 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 5516 if (parent)
5517 parent->sk_data_ready(parent, 0);
df3c3931 5518 } else {
0e587be7 5519 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 5520 res = L2CAP_CR_SUCCESS;
5521 stat = L2CAP_CS_NO_INFO;
5522 }
b1235d79 5523 } else {
0e587be7 5524 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 5525 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 5526 res = L2CAP_CR_SEC_BLOCK;
5527 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 5528 }
5529
6be36555
AE		 5530 release_sock(sk);
5531
fe4128e0
GP		 5532 rsp.scid = cpu_to_le16(chan->dcid);
5533 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 5534 rsp.result = cpu_to_le16(res);
5535 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 5536 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
5537 sizeof(rsp), &rsp);
b1235d79 5538 }
1da177e4 5539
6be36555 5540 l2cap_chan_unlock(chan);
1da177e4
LT		 5541 }
5542
3df91ea2 5543 mutex_unlock(&conn->chan_lock);
b1235d79 5544
1da177e4
LT		 5545 return 0;
5546}
5547
686ebf28 5548int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 5549{
5550 struct l2cap_conn *conn = hcon->l2cap_data;
5551
5a08ecce
AE		 5552 if (!conn)
5553 conn = l2cap_conn_add(hcon, 0);
5554
5555 if (!conn)
1da177e4
LT		 5556 goto drop;
5557
5558 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
5559
e702112f 5560 if (!(flags & ACL_CONT)) {
1da177e4
LT		 5561 struct l2cap_hdr *hdr;
5562 int len;
5563
5564 if (conn->rx_len) {
5565 BT_ERR("Unexpected start frame (len %d)", skb->len);
5566 kfree_skb(conn->rx_skb);
5567 conn->rx_skb = NULL;
5568 conn->rx_len = 0;
5569 l2cap_conn_unreliable(conn, ECOMM);
5570 }
5571
aae7fe22
AE		 5572 /* Start fragment always begin with Basic L2CAP header */
5573 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 5574 BT_ERR("Frame is too short (len %d)", skb->len);
5575 l2cap_conn_unreliable(conn, ECOMM);
5576 goto drop;
5577 }
5578
5579 hdr = (struct l2cap_hdr *) skb->data;
5580 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
5581
5582 if (len == skb->len) {
5583 /* Complete frame received */
5584 l2cap_recv_frame(conn, skb);
5585 return 0;
5586 }
5587
5588 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
5589
5590 if (skb->len > len) {
5591 BT_ERR("Frame is too long (len %d, expected len %d)",
5592 skb->len, len);
5593 l2cap_conn_unreliable(conn, ECOMM);
5594 goto drop;
5595 }
5596
5597 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 5598 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
5599 if (!conn->rx_skb)
1da177e4
LT		 5600 goto drop;
5601
d626f62b 5602 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5603 skb->len);
1da177e4
LT		 5604 conn->rx_len = len - skb->len;
5605 } else {
5606 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
5607
5608 if (!conn->rx_len) {
5609 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
5610 l2cap_conn_unreliable(conn, ECOMM);
5611 goto drop;
5612 }
5613
5614 if (skb->len > conn->rx_len) {
5615 BT_ERR("Fragment is too long (len %d, expected %d)",
5616 skb->len, conn->rx_len);
5617 kfree_skb(conn->rx_skb);
5618 conn->rx_skb = NULL;
5619 conn->rx_len = 0;
5620 l2cap_conn_unreliable(conn, ECOMM);
5621 goto drop;
5622 }
5623
d626f62b 5624 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5625 skb->len);
1da177e4
LT		 5626 conn->rx_len -= skb->len;
5627
5628 if (!conn->rx_len) {
5629 /* Complete frame received */
5630 l2cap_recv_frame(conn, conn->rx_skb);
5631 conn->rx_skb = NULL;
5632 }
5633 }
5634
5635drop:
5636 kfree_skb(skb);
5637 return 0;
5638}
5639
aef7d97c 5640static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 5641{
23691d75 5642 struct l2cap_chan *c;
1da177e4 5643
333055f2 5644 read_lock(&chan_list_lock);
1da177e4 5645
23691d75
GP		 5646 list_for_each_entry(c, &chan_list, global_l) {
5647 struct sock *sk = c->sk;
101545f6 5648
903d343e 5649 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 5650 batostr(&bt_sk(sk)->src),
5651 batostr(&bt_sk(sk)->dst),
89bc500e 5652 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 5653 c->scid, c->dcid, c->imtu, c->omtu,
5654 c->sec_level, c->mode);
61e1b4b7 5655 }
1da177e4 5656
333055f2 5657 read_unlock(&chan_list_lock);
1da177e4 5658
aef7d97c 5659 return 0;
1da177e4
LT		 5660}
5661
aef7d97c
MH		 5662static int l2cap_debugfs_open(struct inode *inode, struct file *file)
5663{
5664 return single_open(file, l2cap_debugfs_show, inode->i_private);
5665}
5666
5667static const struct file_operations l2cap_debugfs_fops = {
5668 .open = l2cap_debugfs_open,
5669 .read = seq_read,
5670 .llseek = seq_lseek,
5671 .release = single_release,
5672};
5673
5674static struct dentry *l2cap_debugfs;
1da177e4 5675
64274518 5676int __init l2cap_init(void)
1da177e4
LT		 5677{
5678 int err;
be9d1227 5679
bb58f747 5680 err = l2cap_init_sockets();
1da177e4
LT		 5681 if (err < 0)
5682 return err;
5683
aef7d97c
MH		 5684 if (bt_debugfs) {
5685 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
5686 bt_debugfs, NULL, &l2cap_debugfs_fops);
5687 if (!l2cap_debugfs)
5688 BT_ERR("Failed to create L2CAP debug file");
5689 }
1da177e4 5690
1da177e4 5691 return 0;
1da177e4
LT		 5692}
5693
64274518 5694void l2cap_exit(void)
1da177e4 5695{
aef7d97c 5696 debugfs_remove(l2cap_debugfs);
bb58f747 5697 l2cap_cleanup_sockets();
1da177e4
LT		 5698}
5699
d1c4a17d
GP		 5700module_param(disable_ertm, bool, 0644);
5701MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)