projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Move clean up code and set of SOCK_ZAPPED to l2cap_sock.c
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
b501d6a1 39#include <net/bluetooth/smp.h>
1da177e4 40
d1de6d46 41bool disable_ertm;
f0709e03 42
47ec1dcd 43static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 44static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 45
b5ad8b7f
JB		 46static LIST_HEAD(chan_list);
47static DEFINE_RWLOCK(chan_list_lock);
1da177e4 48
1da177e4
LT		 49static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
50 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 51static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
52 void *data);
710f9b0a 53static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a 54static void l2cap_send_disconn_req(struct l2cap_conn *conn,
c5daa683 55 struct l2cap_chan *chan, int err);
1da177e4 56
d660366d 57static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
608bcc6d
MM		 58 struct sk_buff_head *skbs, u8 event);
59
0139418c 60/* ---- L2CAP channels ---- */
71ba0e56 61
baa7e1fa 62static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 63{
3df91ea2 64 struct l2cap_chan *c;
3d57dc68 65
3df91ea2
AE		 66 list_for_each_entry(c, &conn->chan_l, list) {
67 if (c->dcid == cid)
68 return c;
0139418c 69 }
3df91ea2 70 return NULL;
0139418c
MH		 71}
72
baa7e1fa 73static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 74{
3df91ea2 75 struct l2cap_chan *c;
3d57dc68 76
3df91ea2
AE		 77 list_for_each_entry(c, &conn->chan_l, list) {
78 if (c->scid == cid)
79 return c;
0139418c 80 }
3df91ea2 81 return NULL;
0139418c
MH		 82}
83
84/* Find channel with given SCID.
ef191ade 85 * Returns locked channel. */
baa7e1fa 86static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 87{
48454079 88 struct l2cap_chan *c;
baa7e1fa 89
3df91ea2 90 mutex_lock(&conn->chan_lock);
baa7e1fa 91 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 92 if (c)
93 l2cap_chan_lock(c);
3df91ea2
AE		 94 mutex_unlock(&conn->chan_lock);
95
48454079 96 return c;
0139418c
MH		 97}
98
baa7e1fa 99static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 100{
3df91ea2 101 struct l2cap_chan *c;
3d57dc68 102
3df91ea2
AE		 103 list_for_each_entry(c, &conn->chan_l, list) {
104 if (c->ident == ident)
105 return c;
0139418c 106 }
3df91ea2 107 return NULL;
0139418c
MH		 108}
109
23691d75 110static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 111{
23691d75 112 struct l2cap_chan *c;
9e4425ff 113
23691d75
GP		 114 list_for_each_entry(c, &chan_list, global_l) {
115 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 116 return c;
9e4425ff 117 }
250938cb 118 return NULL;
9e4425ff
GP		 119}
120
121int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
122{
73b2ec18
GP		 123 int err;
124
333055f2 125 write_lock(&chan_list_lock);
9e4425ff 126
23691d75 127 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 128 err = -EADDRINUSE;
129 goto done;
9e4425ff
GP		 130 }
131
73b2ec18
GP		 132 if (psm) {
133 chan->psm = psm;
134 chan->sport = psm;
135 err = 0;
136 } else {
137 u16 p;
138
139 err = -EINVAL;
140 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 141 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 142 chan->psm = cpu_to_le16(p);
143 chan->sport = cpu_to_le16(p);
144 err = 0;
145 break;
146 }
147 }
9e4425ff 148
73b2ec18 149done:
333055f2 150 write_unlock(&chan_list_lock);
73b2ec18 151 return err;
9e4425ff
GP		 152}
153
154int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
155{
333055f2 156 write_lock(&chan_list_lock);
9e4425ff
GP		 157
158 chan->scid = scid;
159
333055f2 160 write_unlock(&chan_list_lock);
9e4425ff
GP		 161
162 return 0;
163}
164
baa7e1fa 165static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 166{
8db4dc46 167 u16 cid = L2CAP_CID_DYN_START;
0139418c 168
8db4dc46 169 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 170 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 171 return cid;
172 }
173
174 return 0;
175}
176
0e587be7 177static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 178{
42d2d87c 179 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
badaaa00
GP		 180 state_to_string(state));
181
89bc500e 182 chan->state = state;
80b98027 183 chan->ops->state_change(chan, state);
89bc500e
GP		 184}
185
0e587be7
AE		 186static void l2cap_state_change(struct l2cap_chan *chan, int state)
187{
188 struct sock *sk = chan->sk;
189
190 lock_sock(sk);
191 __l2cap_state_change(chan, state);
192 release_sock(sk);
193}
194
2e0052e4
AE		 195static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
196{
197 struct sock *sk = chan->sk;
198
199 sk->sk_err = err;
200}
201
202static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
203{
204 struct sock *sk = chan->sk;
205
206 lock_sock(sk);
207 __l2cap_chan_set_err(chan, err);
208 release_sock(sk);
209}
210
4239d16f
MM		 211static void __set_retrans_timer(struct l2cap_chan *chan)
212{
213 if (!delayed_work_pending(&chan->monitor_timer) &&
214 chan->retrans_timeout) {
215 l2cap_set_timer(chan, &chan->retrans_timer,
216 msecs_to_jiffies(chan->retrans_timeout));
217 }
218}
219
220static void __set_monitor_timer(struct l2cap_chan *chan)
221{
222 __clear_retrans_timer(chan);
223 if (chan->monitor_timeout) {
224 l2cap_set_timer(chan, &chan->monitor_timer,
225 msecs_to_jiffies(chan->monitor_timeout));
226 }
227}
228
608bcc6d
MM		 229static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
230 u16 seq)
231{
232 struct sk_buff *skb;
233
234 skb_queue_walk(head, skb) {
235 if (bt_cb(skb)->control.txseq == seq)
236 return skb;
237 }
238
239 return NULL;
240}
241
3c588192
MM		 242/* ---- L2CAP sequence number lists ---- */
243
244/* For ERTM, ordered lists of sequence numbers must be tracked for
245 * SREJ requests that are received and for frames that are to be
246 * retransmitted. These seq_list functions implement a singly-linked
247 * list in an array, where membership in the list can also be checked
248 * in constant time. Items can also be added to the tail of the list
249 * and removed from the head in constant time, without further memory
250 * allocs or frees.
251 */
252
253static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
254{
255 size_t alloc_size, i;
256
257 /* Allocated size is a power of 2 to map sequence numbers
258 * (which may be up to 14 bits) in to a smaller array that is
259 * sized for the negotiated ERTM transmit windows.
260 */
261 alloc_size = roundup_pow_of_two(size);
262
263 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
264 if (!seq_list->list)
265 return -ENOMEM;
266
267 seq_list->mask = alloc_size - 1;
268 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
269 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
270 for (i = 0; i < alloc_size; i++)
271 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
272
273 return 0;
274}
275
276static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
277{
278 kfree(seq_list->list);
279}
280
281static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
282 u16 seq)
283{
284 /* Constant-time check for list membership */
285 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
286}
287
288static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
289{
290 u16 mask = seq_list->mask;
291
292 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
293 /* In case someone tries to pop the head of an empty list */
294 return L2CAP_SEQ_LIST_CLEAR;
295 } else if (seq_list->head == seq) {
296 /* Head can be removed in constant time */
297 seq_list->head = seq_list->list[seq & mask];
298 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
299
300 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
301 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
302 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
303 }
304 } else {
305 /* Walk the list to find the sequence number */
306 u16 prev = seq_list->head;
307 while (seq_list->list[prev & mask] != seq) {
308 prev = seq_list->list[prev & mask];
309 if (prev == L2CAP_SEQ_LIST_TAIL)
310 return L2CAP_SEQ_LIST_CLEAR;
311 }
312
313 /* Unlink the number from the list and clear it */
314 seq_list->list[prev & mask] = seq_list->list[seq & mask];
315 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
316 if (seq_list->tail == seq)
317 seq_list->tail = prev;
318 }
319 return seq;
320}
321
322static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
323{
324 /* Remove the head in constant time */
325 return l2cap_seq_list_remove(seq_list, seq_list->head);
326}
327
328static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
329{
f522ae36 330 u16 i;
3c588192 331
f522ae36
GP		 332 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
333 return;
334
335 for (i = 0; i <= seq_list->mask; i++)
336 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
337
338 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
339 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 340}
341
342static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
343{
344 u16 mask = seq_list->mask;
345
346 /* All appends happen in constant time */
347
f522ae36
GP		 348 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
349 return;
3c588192 350
f522ae36
GP		 351 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
352 seq_list->head = seq;
353 else
354 seq_list->list[seq_list->tail & mask] = seq;
355
356 seq_list->tail = seq;
357 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 358}
359
721c4181 360static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 361{
721c4181
GP		 362 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
363 chan_timer.work);
3df91ea2 364 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 365 int reason;
366
e05dcc32 367 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 368
3df91ea2 369 mutex_lock(&conn->chan_lock);
6be36555 370 l2cap_chan_lock(chan);
ab07801d 371
89bc500e 372 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 373 reason = ECONNREFUSED;
89bc500e 374 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 375 chan->sec_level != BT_SECURITY_SDP)
376 reason = ECONNREFUSED;
377 else
378 reason = ETIMEDOUT;
379
0f852724 380 l2cap_chan_close(chan, reason);
ab07801d 381
6be36555 382 l2cap_chan_unlock(chan);
ab07801d 383
80b98027 384 chan->ops->close(chan);
3df91ea2
AE		 385 mutex_unlock(&conn->chan_lock);
386
371fd835 387 l2cap_chan_put(chan);
ab07801d
GP		 388}
389
eef1d9b6 390struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 391{
392 struct l2cap_chan *chan;
393
394 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
395 if (!chan)
396 return NULL;
397
c03b355e
AE		 398 mutex_init(&chan->lock);
399
333055f2 400 write_lock(&chan_list_lock);
23691d75 401 list_add(&chan->global_l, &chan_list);
333055f2 402 write_unlock(&chan_list_lock);
23691d75 403
721c4181 404 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 405
89bc500e
GP		 406 chan->state = BT_OPEN;
407
71ba0e56
GP		 408 atomic_set(&chan->refcnt, 1);
409
2827011f
MM		 410 /* This flag is cleared in l2cap_chan_ready() */
411 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
412
eef1d9b6 413 BT_DBG("chan %p", chan);
abc545b8 414
48454079
GP		 415 return chan;
416}
417
23691d75 418void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 419{
333055f2 420 write_lock(&chan_list_lock);
23691d75 421 list_del(&chan->global_l);
333055f2 422 write_unlock(&chan_list_lock);
23691d75 423
371fd835 424 l2cap_chan_put(chan);
6ff5abbf
GP		 425}
426
bd4b1653
AE		 427void l2cap_chan_set_defaults(struct l2cap_chan *chan)
428{
429 chan->fcs = L2CAP_FCS_CRC16;
430 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
431 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
432 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
433 chan->sec_level = BT_SECURITY_LOW;
434
435 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
436}
437
14a28491 438static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 439{
af05b30b 440 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 441 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 442
9f5a0d7b 443 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 444
8c1d787b 445 chan->conn = conn;
0139418c 446
5491120e
AE		 447 switch (chan->chan_type) {
448 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 449 if (conn->hcon->type == LE_LINK) {
450 /* LE connection */
0c1bc5c6 451 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 452 chan->scid = L2CAP_CID_LE_DATA;
453 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 454 } else {
455 /* Alloc CID for connection-oriented socket */
fe4128e0 456 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 457 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 458 }
5491120e
AE		 459 break;
460
461 case L2CAP_CHAN_CONN_LESS:
0139418c 462 /* Connectionless socket */
fe4128e0
GP		 463 chan->scid = L2CAP_CID_CONN_LESS;
464 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 465 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 466 break;
467
468 default:
0139418c 469 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 470 chan->scid = L2CAP_CID_SIGNALING;
471 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 472 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 473 }
474
8f7975b1
AE		 475 chan->local_id = L2CAP_BESTEFFORT_ID;
476 chan->local_stype = L2CAP_SERV_BESTEFFORT;
477 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
478 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
479 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
480 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
481
371fd835 482 l2cap_chan_hold(chan);
baa7e1fa 483
3df91ea2 484 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 485}
486
14a28491 487static void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 488{
489 mutex_lock(&conn->chan_lock);
490 __l2cap_chan_add(conn, chan);
3df91ea2 491 mutex_unlock(&conn->chan_lock);
0139418c
MH		 492}
493
4519de9a 494static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 495{
8c1d787b 496 struct l2cap_conn *conn = chan->conn;
0139418c 497
c9b66675 498 __clear_chan_timer(chan);
0139418c 499
49208c9c 500 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 501
8e87d142 502 if (conn) {
baa7e1fa 503 /* Delete from channel list */
3df91ea2 504 list_del(&chan->list);
3d57dc68 505
371fd835 506 l2cap_chan_put(chan);
baa7e1fa 507
8c1d787b 508 chan->conn = NULL;
0139418c
MH		 509 hci_conn_put(conn->hcon);
510 }
511
c0df7f6e
AE		 512 if (chan->ops->teardown)
513 chan->ops->teardown(chan, err);
6be36555 514
2827011f 515 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 516 return;
2ead70b8 517
ee556f66
GP		 518 switch(chan->mode) {
519 case L2CAP_MODE_BASIC:
520 break;
c13ffa62 521
ee556f66 522 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 523 __clear_retrans_timer(chan);
524 __clear_monitor_timer(chan);
525 __clear_ack_timer(chan);
c13ffa62 526
f1c6775b 527 skb_queue_purge(&chan->srej_q);
c13ffa62 528
3c588192
MM		 529 l2cap_seq_list_free(&chan->srej_list);
530 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 531
532 /* fall through */
533
534 case L2CAP_MODE_STREAMING:
535 skb_queue_purge(&chan->tx_q);
536 break;
c13ffa62 537 }
ee556f66
GP		 538
539 return;
0139418c
MH		 540}
541
0f852724 542void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 543{
544 struct l2cap_conn *conn = chan->conn;
545 struct sock *sk = chan->sk;
546
e05dcc32
AE		 547 BT_DBG("chan %p state %s sk %p", chan,
548 state_to_string(chan->state), sk);
4519de9a 549
89bc500e 550 switch (chan->state) {
4519de9a 551 case BT_LISTEN:
c0df7f6e
AE		 552 if (chan->ops->teardown)
553 chan->ops->teardown(chan, 0);
4519de9a
GP		 554 break;
555
556 case BT_CONNECTED:
557 case BT_CONFIG:
715ec005 558 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 559 conn->hcon->type == ACL_LINK) {
c9b66675 560 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 561 l2cap_send_disconn_req(conn, chan, reason);
562 } else
563 l2cap_chan_del(chan, reason);
564 break;
565
566 case BT_CONNECT2:
715ec005 567 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 568 conn->hcon->type == ACL_LINK) {
569 struct l2cap_conn_rsp rsp;
570 __u16 result;
571
c5daa683 572 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 573 result = L2CAP_CR_SEC_BLOCK;
574 else
575 result = L2CAP_CR_BAD_PSM;
89bc500e 576 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 577
578 rsp.scid = cpu_to_le16(chan->dcid);
579 rsp.dcid = cpu_to_le16(chan->scid);
580 rsp.result = cpu_to_le16(result);
ac73498c 581 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4519de9a
GP		 582 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
583 sizeof(rsp), &rsp);
584 }
585
586 l2cap_chan_del(chan, reason);
587 break;
588
589 case BT_CONNECT:
590 case BT_DISCONN:
591 l2cap_chan_del(chan, reason);
592 break;
593
594 default:
c0df7f6e
AE		 595 if (chan->ops->teardown)
596 chan->ops->teardown(chan, 0);
4519de9a
GP		 597 break;
598 }
599}
600
4343478f 601static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 602{
715ec005 603 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 604 switch (chan->sec_level) {
8556edd3
JH		 605 case BT_SECURITY_HIGH:
606 return HCI_AT_DEDICATED_BONDING_MITM;
607 case BT_SECURITY_MEDIUM:
608 return HCI_AT_DEDICATED_BONDING;
609 default:
610 return HCI_AT_NO_BONDING;
611 }
2983fd68 612 } else if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
4343478f
GP		 613 if (chan->sec_level == BT_SECURITY_LOW)
614 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 615
4343478f 616 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 617 return HCI_AT_NO_BONDING_MITM;
00ae4af9 618 else
8556edd3 619 return HCI_AT_NO_BONDING;
00ae4af9 620 } else {
4343478f 621 switch (chan->sec_level) {
00ae4af9 622 case BT_SECURITY_HIGH:
8556edd3 623 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 624 case BT_SECURITY_MEDIUM:
8556edd3 625 return HCI_AT_GENERAL_BONDING;
00ae4af9 626 default:
8556edd3 627 return HCI_AT_NO_BONDING;
00ae4af9 628 }
0684e5f9 629 }
8556edd3
JH		 630}
631
632/* Service level security */
d45fc423 633int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 634{
8c1d787b 635 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 636 __u8 auth_type;
637
4343478f 638 auth_type = l2cap_get_auth_type(chan);
79d554a6 639
4343478f 640 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 641}
642
b5ad8b7f 643static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 644{
645 u8 id;
646
647 /* Get next available identificator.
648 * 1 - 128 are used by kernel.
649 * 129 - 199 are reserved.
650 * 200 - 254 are used by utilities like l2ping, etc.
651 */
652
333055f2 653 spin_lock(&conn->lock);
4e8402a3
MH		 654
655 if (++conn->tx_ident > 128)
656 conn->tx_ident = 1;
657
658 id = conn->tx_ident;
659
333055f2 660 spin_unlock(&conn->lock);
4e8402a3
MH		 661
662 return id;
663}
664
4519de9a 665static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 666{
667 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 668 u8 flags;
4e8402a3
MH		 669
670 BT_DBG("code 0x%2.2x", code);
671
672 if (!skb)
9a9c6a34 673 return;
4e8402a3 674
e702112f
AE		 675 if (lmp_no_flush_capable(conn->hcon->hdev))
676 flags = ACL_START_NO_FLUSH;
677 else
678 flags = ACL_START;
679
14b12d0b 680 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 681 skb->priority = HCI_PRIO_MAX;
14b12d0b 682
73d80deb
LAD		 683 hci_send_acl(conn->hchan, skb, flags);
684}
685
686static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
687{
688 struct hci_conn *hcon = chan->conn->hcon;
689 u16 flags;
690
691 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
692 skb->priority);
693
694 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
695 lmp_no_flush_capable(hcon->hdev))
696 flags = ACL_START_NO_FLUSH;
697 else
698 flags = ACL_START;
14b12d0b 699
73d80deb
LAD		 700 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
701 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 702}
703
b76bbd66
MM		 704static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
705{
706 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
707 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
708
709 if (enh & L2CAP_CTRL_FRAME_TYPE) {
710 /* S-Frame */
711 control->sframe = 1;
712 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
713 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
714
715 control->sar = 0;
716 control->txseq = 0;
717 } else {
718 /* I-Frame */
719 control->sframe = 0;
720 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
721 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
722
723 control->poll = 0;
724 control->super = 0;
725 }
726}
727
b76bbd66
MM		 728static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
729{
730 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
731 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
732
733 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
734 /* S-Frame */
735 control->sframe = 1;
736 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
737 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
738
739 control->sar = 0;
740 control->txseq = 0;
741 } else {
742 /* I-Frame */
743 control->sframe = 0;
744 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
745 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
746
747 control->poll = 0;
748 control->super = 0;
749 }
750}
751
752static inline void __unpack_control(struct l2cap_chan *chan,
753 struct sk_buff *skb)
754{
755 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
756 __unpack_extended_control(get_unaligned_le32(skb->data),
757 &bt_cb(skb)->control);
cec8ab6e 758 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 759 } else {
760 __unpack_enhanced_control(get_unaligned_le16(skb->data),
761 &bt_cb(skb)->control);
cec8ab6e 762 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 763 }
764}
765
b5c6aaed
MM		 766static u32 __pack_extended_control(struct l2cap_ctrl *control)
767{
768 u32 packed;
769
770 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
771 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
772
773 if (control->sframe) {
774 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
775 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
776 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
777 } else {
778 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
779 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
780 }
781
782 return packed;
783}
784
785static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
786{
787 u16 packed;
788
789 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
790 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
791
792 if (control->sframe) {
793 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
794 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
795 packed |= L2CAP_CTRL_FRAME_TYPE;
796 } else {
797 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
798 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
799 }
800
801 return packed;
802}
803
b76bbd66
MM		 804static inline void __pack_control(struct l2cap_chan *chan,
805 struct l2cap_ctrl *control,
806 struct sk_buff *skb)
807{
808 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
809 put_unaligned_le32(__pack_extended_control(control),
810 skb->data + L2CAP_HDR_SIZE);
811 } else {
812 put_unaligned_le16(__pack_enhanced_control(control),
813 skb->data + L2CAP_HDR_SIZE);
814 }
815}
816
a67d7f6f
MM		 817static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
818 u32 control)
b5c6aaed
MM		 819{
820 struct sk_buff *skb;
821 struct l2cap_hdr *lh;
a67d7f6f 822 int hlen;
b5c6aaed
MM		 823
824 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
825 hlen = L2CAP_EXT_HDR_SIZE;
826 else
827 hlen = L2CAP_ENH_HDR_SIZE;
828
829 if (chan->fcs == L2CAP_FCS_CRC16)
830 hlen += L2CAP_FCS_SIZE;
831
a67d7f6f 832 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 833
b5c6aaed 834 if (!skb)
a67d7f6f 835 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 836
837 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
838 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
839 lh->cid = cpu_to_le16(chan->dcid);
840
a67d7f6f
MM		 841 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
842 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
843 else
844 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 845
846 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 847 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 848 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
849 }
850
851 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 852 return skb;
853}
854
855static void l2cap_send_sframe(struct l2cap_chan *chan,
856 struct l2cap_ctrl *control)
857{
858 struct sk_buff *skb;
859 u32 control_field;
860
861 BT_DBG("chan %p, control %p", chan, control);
862
863 if (!control->sframe)
864 return;
865
866 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
867 !control->poll)
868 control->final = 1;
869
870 if (control->super == L2CAP_SUPER_RR)
871 clear_bit(CONN_RNR_SENT, &chan->conn_state);
872 else if (control->super == L2CAP_SUPER_RNR)
873 set_bit(CONN_RNR_SENT, &chan->conn_state);
874
875 if (control->super != L2CAP_SUPER_SREJ) {
876 chan->last_acked_seq = control->reqseq;
877 __clear_ack_timer(chan);
878 }
879
880 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
881 control->final, control->poll, control->super);
882
883 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
884 control_field = __pack_extended_control(control);
885 else
886 control_field = __pack_enhanced_control(control);
887
888 skb = l2cap_create_sframe_pdu(chan, control_field);
889 if (!IS_ERR(skb))
890 l2cap_do_send(chan, skb);
b5c6aaed
MM		 891}
892
c9e3d5e0 893static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 894{
c9e3d5e0
MM		 895 struct l2cap_ctrl control;
896
897 BT_DBG("chan %p, poll %d", chan, poll);
898
899 memset(&control, 0, sizeof(control));
900 control.sframe = 1;
901 control.poll = poll;
902
903 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
904 control.super = L2CAP_SUPER_RNR;
905 else
906 control.super = L2CAP_SUPER_RR;
b5c6aaed 907
c9e3d5e0
MM		 908 control.reqseq = chan->buffer_seq;
909 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 910}
911
b4450035 912static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 913{
c1360a1c 914 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 915}
916
9b27f350
AE		 917static void l2cap_send_conn_req(struct l2cap_chan *chan)
918{
919 struct l2cap_conn *conn = chan->conn;
920 struct l2cap_conn_req req;
921
922 req.scid = cpu_to_le16(chan->scid);
923 req.psm = chan->psm;
924
925 chan->ident = l2cap_get_ident(conn);
926
927 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
928
929 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
930}
931
9f0caeb1
VCG		 932static void l2cap_chan_ready(struct l2cap_chan *chan)
933{
934 struct sock *sk = chan->sk;
935 struct sock *parent;
936
937 lock_sock(sk);
938
939 parent = bt_sk(sk)->parent;
940
941 BT_DBG("sk %p, parent %p", sk, parent);
942
2827011f 943 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 944 chan->conf_state = 0;
945 __clear_chan_timer(chan);
946
947 __l2cap_state_change(chan, BT_CONNECTED);
948 sk->sk_state_change(sk);
949
950 if (parent)
951 parent->sk_data_ready(parent, 0);
952
953 release_sock(sk);
954}
955
fc7f8a7e 956static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 957{
8c1d787b 958 struct l2cap_conn *conn = chan->conn;
79d554a6 959
9f0caeb1
VCG		 960 if (conn->hcon->type == LE_LINK) {
961 l2cap_chan_ready(chan);
962 return;
963 }
964
79d554a6 965 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 966 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
967 return;
968
d45fc423 969 if (l2cap_chan_check_security(chan) &&
9b27f350
AE		 970 __l2cap_no_conn_pending(chan))
971 l2cap_send_conn_req(chan);
79d554a6
MH		 972 } else {
973 struct l2cap_info_req req;
ac73498c 974 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 975
976 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
977 conn->info_ident = l2cap_get_ident(conn);
978
ba13ccd9 979 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 980
981 l2cap_send_cmd(conn, conn->info_ident,
982 L2CAP_INFO_REQ, sizeof(req), &req);
983 }
984}
985
cf6c2c0b
GP		 986static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
987{
988 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 989 if (!disable_ertm)
cf6c2c0b
GP		 990 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
991
992 switch (mode) {
993 case L2CAP_MODE_ERTM:
994 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
995 case L2CAP_MODE_STREAMING:
996 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
997 default:
998 return 0x00;
999 }
1000}
1001
4519de9a 1002static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 1003{
6be36555 1004 struct sock *sk = chan->sk;
22121fc9
GP		 1005 struct l2cap_disconn_req req;
1006
c13ffa62
GP		 1007 if (!conn)
1008 return;
1009
0c1bc5c6 1010 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 1011 __clear_retrans_timer(chan);
1012 __clear_monitor_timer(chan);
1013 __clear_ack_timer(chan);
c13ffa62
GP		 1014 }
1015
fe4128e0
GP		 1016 req.dcid = cpu_to_le16(chan->dcid);
1017 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 1018 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1019 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 1020
6be36555 1021 lock_sock(sk);
0e587be7 1022 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1023 __l2cap_chan_set_err(chan, err);
6be36555 1024 release_sock(sk);
22121fc9
GP		 1025}
1026
1da177e4 1027/* ---- L2CAP connections ---- */
4e8402a3
MH		 1028static void l2cap_conn_start(struct l2cap_conn *conn)
1029{
3df91ea2 1030 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1031
1032 BT_DBG("conn %p", conn);
1033
3df91ea2 1034 mutex_lock(&conn->chan_lock);
4e8402a3 1035
3df91ea2 1036 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1037 struct sock *sk = chan->sk;
baa7e1fa 1038
6be36555 1039 l2cap_chan_lock(chan);
4e8402a3 1040
715ec005 1041 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1042 l2cap_chan_unlock(chan);
79d554a6
MH		 1043 continue;
1044 }
1045
89bc500e 1046 if (chan->state == BT_CONNECT) {
d45fc423 1047 if (!l2cap_chan_check_security(chan) ||
b4450035 1048 !__l2cap_no_conn_pending(chan)) {
6be36555 1049 l2cap_chan_unlock(chan);
47731de7
GP		 1050 continue;
1051 }
79d554a6 1052
c1360a1c
GP		 1053 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1054 && test_bit(CONF_STATE2_DEVICE,
1055 &chan->conf_state)) {
89bc500e 1056 l2cap_chan_close(chan, ECONNRESET);
6be36555 1057 l2cap_chan_unlock(chan);
47731de7 1058 continue;
b1235d79 1059 }
47731de7 1060
9b27f350 1061 l2cap_send_conn_req(chan);
47731de7 1062
89bc500e 1063 } else if (chan->state == BT_CONNECT2) {
79d554a6 1064 struct l2cap_conn_rsp rsp;
e9aeb2dd 1065 char buf[128];
fe4128e0
GP		 1066 rsp.scid = cpu_to_le16(chan->dcid);
1067 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1068
d45fc423 1069 if (l2cap_chan_check_security(chan)) {
6be36555 1070 lock_sock(sk);
c5daa683
GP		 1071 if (test_bit(BT_SK_DEFER_SETUP,
1072 &bt_sk(sk)->flags)) {
f66dc81f 1073 struct sock *parent = bt_sk(sk)->parent;
ac73498c
AE		 1074 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1075 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 1076 if (parent)
1077 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 1078
1079 } else {
0e587be7 1080 __l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1081 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1082 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1083 }
6be36555 1084 release_sock(sk);
79d554a6 1085 } else {
ac73498c
AE		 1086 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1087 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1088 }
1089
fc7f8a7e
GP		 1090 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1091 sizeof(rsp), &rsp);
e9aeb2dd 1092
c1360a1c 1093 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd 1094 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1095 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1096 continue;
1097 }
1098
c1360a1c 1099 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1100 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 1101 l2cap_build_conf_req(chan, buf), buf);
1102 chan->num_conf_req++;
4e8402a3
MH		 1103 }
1104
6be36555 1105 l2cap_chan_unlock(chan);
4e8402a3
MH		 1106 }
1107
3df91ea2 1108 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1109}
1110
c2287681 1111/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1112 * Returns closest match, locked.
1113 */
d9b88702 1114static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1115 bdaddr_t *src,
1116 bdaddr_t *dst)
b62f328b 1117{
23691d75 1118 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1119
23691d75 1120 read_lock(&chan_list_lock);
b62f328b 1121
23691d75
GP		 1122 list_for_each_entry(c, &chan_list, global_l) {
1123 struct sock *sk = c->sk;
fe4128e0 1124
89bc500e 1125 if (state && c->state != state)
b62f328b
VT		 1126 continue;
1127
23691d75 1128 if (c->scid == cid) {
c2287681
IY		 1129 int src_match, dst_match;
1130 int src_any, dst_any;
1131
b62f328b 1132 /* Exact match. */
c2287681
IY		 1133 src_match = !bacmp(&bt_sk(sk)->src, src);
1134 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1135 if (src_match && dst_match) {
23691d75
GP		 1136 read_unlock(&chan_list_lock);
1137 return c;
1138 }
b62f328b
VT		 1139
1140 /* Closest match */
c2287681
IY		 1141 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1142 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1143 if ((src_match && dst_any) || (src_any && dst_match) ||
1144 (src_any && dst_any))
23691d75 1145 c1 = c;
b62f328b
VT		 1146 }
1147 }
280f294f 1148
23691d75 1149 read_unlock(&chan_list_lock);
b62f328b 1150
23691d75 1151 return c1;
b62f328b
VT		 1152}
1153
1154static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1155{
c916fbe4 1156 struct sock *parent, *sk;
23691d75 1157 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1158
1159 BT_DBG("");
1160
1161 /* Check if we have socket listening on cid */
23691d75 1162 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1163 conn->src, conn->dst);
23691d75 1164 if (!pchan)
b62f328b
VT		 1165 return;
1166
23691d75
GP		 1167 parent = pchan->sk;
1168
aa2ac881 1169 lock_sock(parent);
62f3a2cf 1170
b62f328b
VT		 1171 /* Check for backlog size */
1172 if (sk_acceptq_is_full(parent)) {
1173 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1174 goto clean;
1175 }
1176
80b98027 1177 chan = pchan->ops->new_connection(pchan);
80808e43 1178 if (!chan)
b62f328b
VT		 1179 goto clean;
1180
80808e43 1181 sk = chan->sk;
5d41ce1d 1182
b62f328b
VT		 1183 hci_conn_hold(conn->hcon);
1184
b62f328b
VT		 1185 bacpy(&bt_sk(sk)->src, conn->src);
1186 bacpy(&bt_sk(sk)->dst, conn->dst);
1187
d1010240
GP		 1188 bt_accept_enqueue(parent, sk);
1189
3d57dc68 1190 l2cap_chan_add(conn, chan);
48454079 1191
6754e0df 1192 l2cap_chan_ready(chan);
b62f328b 1193
b62f328b 1194clean:
aa2ac881 1195 release_sock(parent);
b62f328b
VT		 1196}
1197
4e8402a3
MH		 1198static void l2cap_conn_ready(struct l2cap_conn *conn)
1199{
48454079 1200 struct l2cap_chan *chan;
4e8402a3 1201
79d554a6 1202 BT_DBG("conn %p", conn);
4e8402a3 1203
b62f328b
VT		 1204 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
1205 l2cap_le_conn_ready(conn);
1206
160dc6ac
VCG		 1207 if (conn->hcon->out && conn->hcon->type == LE_LINK)
1208 smp_conn_security(conn, conn->hcon->pending_sec_level);
1209
3df91ea2 1210 mutex_lock(&conn->chan_lock);
4e8402a3 1211
3df91ea2 1212 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1213
6be36555 1214 l2cap_chan_lock(chan);
4e8402a3 1215
63128451 1216 if (conn->hcon->type == LE_LINK) {
b501d6a1 1217 if (smp_conn_security(conn, chan->sec_level))
cf4cd009 1218 l2cap_chan_ready(chan);
acd7d370 1219
63128451 1220 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1221 struct sock *sk = chan->sk;
c9b66675 1222 __clear_chan_timer(chan);
6be36555 1223 lock_sock(sk);
0e587be7 1224 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1225 sk->sk_state_change(sk);
6be36555 1226 release_sock(sk);
b501d6a1 1227
89bc500e 1228 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1229 l2cap_do_start(chan);
4e8402a3 1230
6be36555 1231 l2cap_chan_unlock(chan);
4e8402a3 1232 }
79d554a6 1233
3df91ea2 1234 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1235}
1236
1237/* Notify sockets that we cannot guaranty reliability anymore */
1238static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1239{
48454079 1240 struct l2cap_chan *chan;
4e8402a3
MH		 1241
1242 BT_DBG("conn %p", conn);
1243
3df91ea2 1244 mutex_lock(&conn->chan_lock);
4e8402a3 1245
3df91ea2 1246 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1247 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
2e0052e4 1248 __l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1249 }
1250
3df91ea2 1251 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1252}
1253
f878fcad 1254static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1255{
f878fcad 1256 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
030013d8 1257 info_timer.work);
4e8402a3 1258
984947dc 1259 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1260 conn->info_ident = 0;
984947dc 1261
4e8402a3
MH		 1262 l2cap_conn_start(conn);
1263}
1264
5d3de7df
VCG		 1265static void l2cap_conn_del(struct hci_conn *hcon, int err)
1266{
1267 struct l2cap_conn *conn = hcon->l2cap_data;
1268 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1269
1270 if (!conn)
1271 return;
1272
1273 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1274
1275 kfree_skb(conn->rx_skb);
1276
3df91ea2
AE		 1277 mutex_lock(&conn->chan_lock);
1278
5d3de7df
VCG		 1279 /* Kill channels */
1280 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1281 l2cap_chan_hold(chan);
6be36555
AE		 1282 l2cap_chan_lock(chan);
1283
5d3de7df 1284 l2cap_chan_del(chan, err);
6be36555
AE		 1285
1286 l2cap_chan_unlock(chan);
1287
80b98027 1288 chan->ops->close(chan);
61d6ef3e 1289 l2cap_chan_put(chan);
5d3de7df
VCG		 1290 }
1291
3df91ea2
AE		 1292 mutex_unlock(&conn->chan_lock);
1293
73d80deb
LAD		 1294 hci_chan_del(conn->hchan);
1295
5d3de7df 1296 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1297 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1298
51a8efd7 1299 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1300 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1301 smp_chan_destroy(conn);
d26a2345 1302 }
5d3de7df
VCG		 1303
1304 hcon->l2cap_data = NULL;
1305 kfree(conn);
1306}
1307
6c9d42a1 1308static void security_timeout(struct work_struct *work)
5d3de7df 1309{
6c9d42a1
GP		 1310 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1311 security_timer.work);
5d3de7df
VCG		 1312
1313 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1314}
1315
1da177e4
LT		 1316static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1317{
0139418c 1318 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1319 struct hci_chan *hchan;
1da177e4 1320
0139418c 1321 if (conn || status)
1da177e4
LT		 1322 return conn;
1323
73d80deb
LAD		 1324 hchan = hci_chan_create(hcon);
1325 if (!hchan)
1326 return NULL;
1327
0139418c 1328 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
73d80deb
LAD		 1329 if (!conn) {
1330 hci_chan_del(hchan);
1da177e4 1331 return NULL;
73d80deb 1332 }
1da177e4
LT		 1333
1334 hcon->l2cap_data = conn;
1335 conn->hcon = hcon;
73d80deb 1336 conn->hchan = hchan;
1da177e4 1337
73d80deb 1338 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1339
acd7d370
VT		 1340 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1341 conn->mtu = hcon->hdev->le_mtu;
1342 else
1343 conn->mtu = hcon->hdev->acl_mtu;
1344
1da177e4
LT		 1345 conn->src = &hcon->hdev->bdaddr;
1346 conn->dst = &hcon->dst;
1347
4e8402a3
MH		 1348 conn->feat_mask = 0;
1349
1da177e4 1350 spin_lock_init(&conn->lock);
3df91ea2 1351 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1352
1353 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1354
5d3de7df 1355 if (hcon->type == LE_LINK)
6c9d42a1 1356 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1357 else
030013d8 1358 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1359
9f5a0d7b 1360 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1361
1da177e4
LT		 1362 return conn;
1363}
1364
1da177e4 1365/* ---- Socket interface ---- */
1da177e4 1366
c2287681 1367/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1368 * Returns closest match.
1369 */
c2287681
IY		 1370static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1371 bdaddr_t *src,
1372 bdaddr_t *dst)
1da177e4 1373{
23691d75 1374 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1375
23691d75 1376 read_lock(&chan_list_lock);
e0f0cb56 1377
23691d75
GP		 1378 list_for_each_entry(c, &chan_list, global_l) {
1379 struct sock *sk = c->sk;
fe4128e0 1380
89bc500e 1381 if (state && c->state != state)
1da177e4
LT		 1382 continue;
1383
23691d75 1384 if (c->psm == psm) {
c2287681
IY		 1385 int src_match, dst_match;
1386 int src_any, dst_any;
1387
1da177e4 1388 /* Exact match. */
c2287681
IY		 1389 src_match = !bacmp(&bt_sk(sk)->src, src);
1390 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1391 if (src_match && dst_match) {
a7567b20 1392 read_unlock(&chan_list_lock);
23691d75
GP		 1393 return c;
1394 }
1da177e4
LT		 1395
1396 /* Closest match */
c2287681
IY		 1397 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1398 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1399 if ((src_match && dst_any) || (src_any && dst_match) ||
1400 (src_any && dst_any))
23691d75 1401 c1 = c;
1da177e4
LT		 1402 }
1403 }
1da177e4 1404
23691d75 1405 read_unlock(&chan_list_lock);
e0f0cb56 1406
23691d75 1407 return c1;
1da177e4
LT		 1408}
1409
8e9f9892
AG		 1410int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1411 bdaddr_t *dst, u8 dst_type)
1da177e4 1412{
5d41ce1d 1413 struct sock *sk = chan->sk;
1da177e4 1414 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1415 struct l2cap_conn *conn;
1416 struct hci_conn *hcon;
1417 struct hci_dev *hdev;
09ab6f4c 1418 __u8 auth_type;
44d0e48e 1419 int err;
1da177e4 1420
8e9f9892
AG		 1421 BT_DBG("%s -> %s (type %u) psm 0x%2.2x", batostr(src), batostr(dst),
1422 dst_type, __le16_to_cpu(chan->psm));
1da177e4 1423
af05b30b
GP		 1424 hdev = hci_get_route(dst, src);
1425 if (!hdev)
1da177e4
LT		 1426 return -EHOSTUNREACH;
1427
09fd0de5 1428 hci_dev_lock(hdev);
1da177e4 1429
6be36555 1430 l2cap_chan_lock(chan);
03a00194
GP		 1431
1432 /* PSM must be odd and lsb of upper byte must be 0 */
1433 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1434 chan->chan_type != L2CAP_CHAN_RAW) {
1435 err = -EINVAL;
1436 goto done;
1437 }
1438
1439 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1440 err = -EINVAL;
1441 goto done;
1442 }
1443
1444 switch (chan->mode) {
1445 case L2CAP_MODE_BASIC:
1446 break;
1447 case L2CAP_MODE_ERTM:
1448 case L2CAP_MODE_STREAMING:
1449 if (!disable_ertm)
1450 break;
1451 /* fall through */
1452 default:
1453 err = -ENOTSUPP;
1454 goto done;
1455 }
1456
6be36555
AE		 1457 lock_sock(sk);
1458
03a00194
GP		 1459 switch (sk->sk_state) {
1460 case BT_CONNECT:
1461 case BT_CONNECT2:
1462 case BT_CONFIG:
1463 /* Already connecting */
1464 err = 0;
6be36555 1465 release_sock(sk);
03a00194
GP		 1466 goto done;
1467
1468 case BT_CONNECTED:
1469 /* Already connected */
1470 err = -EISCONN;
6be36555 1471 release_sock(sk);
03a00194
GP		 1472 goto done;
1473
1474 case BT_OPEN:
1475 case BT_BOUND:
1476 /* Can connect */
1477 break;
1478
1479 default:
1480 err = -EBADFD;
6be36555 1481 release_sock(sk);
03a00194
GP		 1482 goto done;
1483 }
1484
1485 /* Set destination address and psm */
9219b2a0 1486 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1487
1488 release_sock(sk);
1489
03a00194
GP		 1490 chan->psm = psm;
1491 chan->dcid = cid;
1da177e4 1492
4343478f 1493 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1494
fe4128e0 1495 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1496 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1497 chan->sec_level, auth_type);
acd7d370 1498 else
8e9f9892 1499 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1500 chan->sec_level, auth_type);
acd7d370 1501
30e76272
VT		 1502 if (IS_ERR(hcon)) {
1503 err = PTR_ERR(hcon);
1da177e4 1504 goto done;
30e76272 1505 }
1da177e4
LT		 1506
1507 conn = l2cap_conn_add(hcon, 0);
1508 if (!conn) {
1509 hci_conn_put(hcon);
30e76272 1510 err = -ENOMEM;
1da177e4
LT		 1511 goto done;
1512 }
1513
9f0caeb1
VCG		 1514 if (hcon->type == LE_LINK) {
1515 err = 0;
1516
1517 if (!list_empty(&conn->chan_l)) {
1518 err = -EBUSY;
1519 hci_conn_put(hcon);
1520 }
1521
1522 if (err)
1523 goto done;
1524 }
1525
1da177e4
LT		 1526 /* Update source addr of the socket */
1527 bacpy(src, conn->src);
1528
6be36555 1529 l2cap_chan_unlock(chan);
48454079 1530 l2cap_chan_add(conn, chan);
6be36555 1531 l2cap_chan_lock(chan);
48454079 1532
6be36555 1533 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1534 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1535
1536 if (hcon->state == BT_CONNECTED) {
715ec005 1537 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1538 __clear_chan_timer(chan);
d45fc423 1539 if (l2cap_chan_check_security(chan))
6be36555 1540 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1541 } else
fc7f8a7e 1542 l2cap_do_start(chan);
1da177e4
LT		 1543 }
1544
30e76272
VT		 1545 err = 0;
1546
1da177e4 1547done:
6be36555 1548 l2cap_chan_unlock(chan);
09fd0de5 1549 hci_dev_unlock(hdev);
1da177e4
LT		 1550 hci_dev_put(hdev);
1551 return err;
1552}
1553
dcba0dba 1554int __l2cap_wait_ack(struct sock *sk)
6161c038 1555{
8c1d787b 1556 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1557 DECLARE_WAITQUEUE(wait, current);
1558 int err = 0;
1559 int timeo = HZ/5;
1560
2b0b05dd 1561 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1562 set_current_state(TASK_INTERRUPTIBLE);
1563 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1564 if (!timeo)
1565 timeo = HZ/5;
1566
1567 if (signal_pending(current)) {
1568 err = sock_intr_errno(timeo);
1569 break;
1570 }
1571
1572 release_sock(sk);
1573 timeo = schedule_timeout(timeo);
1574 lock_sock(sk);
a71a0cf4 1575 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1576
1577 err = sock_error(sk);
1578 if (err)
1579 break;
1580 }
1581 set_current_state(TASK_RUNNING);
2b0b05dd 1582 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1583 return err;
1584}
1585
721c4181 1586static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1587{
721c4181 1588 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1589 monitor_timer.work);
e90bac06 1590
525cd185 1591 BT_DBG("chan %p", chan);
0e98958d 1592
6be36555
AE		 1593 l2cap_chan_lock(chan);
1594
80909e04 1595 if (!chan->conn) {
6be36555 1596 l2cap_chan_unlock(chan);
8d7e1c7f 1597 l2cap_chan_put(chan);
e90bac06
GP		 1598 return;
1599 }
1600
401bb1f7 1601 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1602
6be36555 1603 l2cap_chan_unlock(chan);
8d7e1c7f 1604 l2cap_chan_put(chan);
e90bac06
GP		 1605}
1606
721c4181 1607static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1608{
721c4181 1609 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1610 retrans_timer.work);
e90bac06 1611
49208c9c 1612 BT_DBG("chan %p", chan);
0e98958d 1613
6be36555
AE		 1614 l2cap_chan_lock(chan);
1615
80909e04
MM		 1616 if (!chan->conn) {
1617 l2cap_chan_unlock(chan);
1618 l2cap_chan_put(chan);
1619 return;
1620 }
6be36555 1621
401bb1f7 1622 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1623 l2cap_chan_unlock(chan);
8d7e1c7f 1624 l2cap_chan_put(chan);
e90bac06
GP		 1625}
1626
d660366d
GP		 1627static void l2cap_streaming_send(struct l2cap_chan *chan,
1628 struct sk_buff_head *skbs)
6840ed07 1629{
ccbb84af 1630 struct sk_buff *skb;
3733937d 1631 struct l2cap_ctrl *control;
6840ed07 1632
3733937d
MM		 1633 BT_DBG("chan %p, skbs %p", chan, skbs);
1634
3733937d
MM		 1635 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1636
1637 while (!skb_queue_empty(&chan->tx_q)) {
1638
1639 skb = skb_dequeue(&chan->tx_q);
1640
1641 bt_cb(skb)->control.retries = 1;
1642 control = &bt_cb(skb)->control;
1643
1644 control->reqseq = 0;
1645 control->txseq = chan->next_tx_seq;
1646
1647 __pack_control(chan, control, skb);
6840ed07 1648
47d1ec61 1649 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1650 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1651 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1652 }
1653
4343478f 1654 l2cap_do_send(chan, skb);
6840ed07 1655
3733937d
MM		 1656 BT_DBG("Sent txseq %d", (int)control->txseq);
1657
836be934 1658 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1659 chan->frames_sent++;
6840ed07 1660 }
6840ed07
GP		 1661}
1662
67c9e840 1663static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1664{
1665 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1666 struct l2cap_ctrl *control;
1667 int sent = 0;
1668
1669 BT_DBG("chan %p", chan);
1c2acffb 1670
89bc500e 1671 if (chan->state != BT_CONNECTED)
c13ffa62 1672 return -ENOTCONN;
e90bac06 1673
94122bbe
MM		 1674 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1675 return 0;
1676
18a48e76
MM		 1677 while (chan->tx_send_head &&
1678 chan->unacked_frames < chan->remote_tx_win &&
1679 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1680
18a48e76 1681 skb = chan->tx_send_head;
e90bac06 1682
18a48e76
MM		 1683 bt_cb(skb)->control.retries = 1;
1684 control = &bt_cb(skb)->control;
95ffa978 1685
e2ab4353 1686 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1687 control->final = 1;
e2ab4353 1688
18a48e76
MM		 1689 control->reqseq = chan->buffer_seq;
1690 chan->last_acked_seq = chan->buffer_seq;
1691 control->txseq = chan->next_tx_seq;
1c2acffb 1692
18a48e76 1693 __pack_control(chan, control, skb);
e90bac06 1694
47d1ec61 1695 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1696 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1697 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1698 }
1699
18a48e76
MM		 1700 /* Clone after data has been modified. Data is assumed to be
1701 read-only (for locking purposes) on cloned sk_buffs.
1702 */
1703 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1704
18a48e76
MM		 1705 if (!tx_skb)
1706 break;
1c2acffb 1707
18a48e76 1708 __set_retrans_timer(chan);
836be934
AE		 1709
1710 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1711 chan->unacked_frames++;
6a026610 1712 chan->frames_sent++;
18a48e76 1713 sent++;
1c2acffb 1714
58d35f87
GP		 1715 if (skb_queue_is_last(&chan->tx_q, skb))
1716 chan->tx_send_head = NULL;
1c2acffb 1717 else
58d35f87 1718 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1719
1720 l2cap_do_send(chan, tx_skb);
1721 BT_DBG("Sent txseq %d", (int)control->txseq);
1c2acffb
GP		 1722 }
1723
18a48e76
MM		 1724 BT_DBG("Sent %d, %d unacked, %d in ERTM queue", sent,
1725 (int) chan->unacked_frames, skb_queue_len(&chan->tx_q));
1726
1727 return sent;
9e917af1
GP		 1728}
1729
e1fbd4c1
MM		 1730static void l2cap_ertm_resend(struct l2cap_chan *chan)
1731{
1732 struct l2cap_ctrl control;
1733 struct sk_buff *skb;
1734 struct sk_buff *tx_skb;
1735 u16 seq;
1736
1737 BT_DBG("chan %p", chan);
1738
1739 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1740 return;
1741
1742 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1743 seq = l2cap_seq_list_pop(&chan->retrans_list);
1744
1745 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1746 if (!skb) {
1747 BT_DBG("Error: Can't retransmit seq %d, frame missing",
1748 seq);
1749 continue;
1750 }
1751
1752 bt_cb(skb)->control.retries++;
1753 control = bt_cb(skb)->control;
1754
1755 if (chan->max_tx != 0 &&
1756 bt_cb(skb)->control.retries > chan->max_tx) {
1757 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1758 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
1759 l2cap_seq_list_clear(&chan->retrans_list);
1760 break;
1761 }
1762
1763 control.reqseq = chan->buffer_seq;
1764 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1765 control.final = 1;
1766 else
1767 control.final = 0;
1768
1769 if (skb_cloned(skb)) {
1770 /* Cloned sk_buffs are read-only, so we need a
1771 * writeable copy
1772 */
1773 tx_skb = skb_copy(skb, GFP_ATOMIC);
1774 } else {
1775 tx_skb = skb_clone(skb, GFP_ATOMIC);
1776 }
1777
1778 if (!tx_skb) {
1779 l2cap_seq_list_clear(&chan->retrans_list);
1780 break;
1781 }
1782
1783 /* Update skb contents */
1784 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1785 put_unaligned_le32(__pack_extended_control(&control),
1786 tx_skb->data + L2CAP_HDR_SIZE);
1787 } else {
1788 put_unaligned_le16(__pack_enhanced_control(&control),
1789 tx_skb->data + L2CAP_HDR_SIZE);
1790 }
1791
1792 if (chan->fcs == L2CAP_FCS_CRC16) {
1793 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
1794 put_unaligned_le16(fcs, skb_put(tx_skb,
1795 L2CAP_FCS_SIZE));
1796 }
1797
1798 l2cap_do_send(chan, tx_skb);
1799
1800 BT_DBG("Resent txseq %d", control.txseq);
1801
1802 chan->last_acked_seq = chan->buffer_seq;
1803 }
1804}
1805
f80842a8
MM		 1806static void l2cap_retransmit(struct l2cap_chan *chan,
1807 struct l2cap_ctrl *control)
1808{
1809 BT_DBG("chan %p, control %p", chan, control);
1810
1811 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
1812 l2cap_ertm_resend(chan);
1813}
1814
d2a7ac5d
MM		 1815static void l2cap_retransmit_all(struct l2cap_chan *chan,
1816 struct l2cap_ctrl *control)
1817{
e1fbd4c1
MM		 1818 struct sk_buff *skb;
1819
1820 BT_DBG("chan %p, control %p", chan, control);
1821
1822 if (control->poll)
1823 set_bit(CONN_SEND_FBIT, &chan->conn_state);
1824
1825 l2cap_seq_list_clear(&chan->retrans_list);
1826
1827 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1828 return;
1829
1830 if (chan->unacked_frames) {
1831 skb_queue_walk(&chan->tx_q, skb) {
1832 if (bt_cb(skb)->control.txseq == control->reqseq ||
1833 skb == chan->tx_send_head)
1834 break;
1835 }
1836
1837 skb_queue_walk_from(&chan->tx_q, skb) {
1838 if (skb == chan->tx_send_head)
1839 break;
1840
1841 l2cap_seq_list_append(&chan->retrans_list,
1842 bt_cb(skb)->control.txseq);
1843 }
1844
1845 l2cap_ertm_resend(chan);
1846 }
d2a7ac5d
MM		 1847}
1848
0a0aba42 1849static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1850{
0a0aba42
MM		 1851 struct l2cap_ctrl control;
1852 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
1853 chan->last_acked_seq);
1854 int threshold;
9e917af1 1855
0a0aba42
MM		 1856 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
1857 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 1858
0a0aba42
MM		 1859 memset(&control, 0, sizeof(control));
1860 control.sframe = 1;
dfc909be 1861
0a0aba42
MM		 1862 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
1863 chan->rx_state == L2CAP_RX_STATE_RECV) {
1864 __clear_ack_timer(chan);
1865 control.super = L2CAP_SUPER_RNR;
1866 control.reqseq = chan->buffer_seq;
1867 l2cap_send_sframe(chan, &control);
1868 } else {
1869 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
1870 l2cap_ertm_send(chan);
1871 /* If any i-frames were sent, they included an ack */
1872 if (chan->buffer_seq == chan->last_acked_seq)
1873 frames_to_ack = 0;
1874 }
dfc909be 1875
0a0aba42
MM		 1876 /* Ack now if the tx window is 3/4ths full.
1877 * Calculate without mul or div
1878 */
1879 threshold = chan->tx_win;
1880 threshold += threshold << 1;
1881 threshold >>= 2;
1882
1883 BT_DBG("frames_to_ack %d, threshold %d", (int)frames_to_ack,
1884 threshold);
1885
1886 if (frames_to_ack >= threshold) {
1887 __clear_ack_timer(chan);
1888 control.super = L2CAP_SUPER_RR;
1889 control.reqseq = chan->buffer_seq;
1890 l2cap_send_sframe(chan, &control);
1891 frames_to_ack = 0;
1892 }
1c2acffb 1893
0a0aba42
MM		 1894 if (frames_to_ack)
1895 __set_ack_timer(chan);
1896 }
b17e73bb
SJ		 1897}
1898
04124681
GP		 1899static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
1900 struct msghdr *msg, int len,
1901 int count, struct sk_buff *skb)
1c2acffb 1902{
0952a57a 1903 struct l2cap_conn *conn = chan->conn;
1c2acffb 1904 struct sk_buff **frag;
90338947 1905 int sent = 0;
1da177e4 1906
59203a21 1907 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1908 return -EFAULT;
1da177e4
LT		 1909
1910 sent += count;
1911 len -= count;
1912
1913 /* Continuation fragments (no L2CAP header) */
1914 frag = &skb_shinfo(skb)->frag_list;
1915 while (len) {
fbe00700
GP		 1916 struct sk_buff *tmp;
1917
1da177e4
LT		 1918 count = min_t(unsigned int, conn->mtu, len);
1919
fbe00700
GP		 1920 tmp = chan->ops->alloc_skb(chan, count,
1921 msg->msg_flags & MSG_DONTWAIT);
1922 if (IS_ERR(tmp))
1923 return PTR_ERR(tmp);
1924
1925 *frag = tmp;
2f7719ce 1926
1c2acffb
GP		 1927 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1928 return -EFAULT;
1da177e4 1929
5e59b791
LAD		 1930 (*frag)->priority = skb->priority;
1931
1da177e4
LT		 1932 sent += count;
1933 len -= count;
1934
2d0ed3d5
GP		 1935 skb->len += (*frag)->len;
1936 skb->data_len += (*frag)->len;
1937
1da177e4
LT		 1938 frag = &(*frag)->next;
1939 }
1da177e4
LT		 1940
1941 return sent;
1c2acffb 1942}
1da177e4 1943
5e59b791
LAD		 1944static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
1945 struct msghdr *msg, size_t len,
1946 u32 priority)
1c2acffb 1947{
8c1d787b 1948 struct l2cap_conn *conn = chan->conn;
1c2acffb 1949 struct sk_buff *skb;
03a51213 1950 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 1951 struct l2cap_hdr *lh;
1952
6d5922b0 1953 BT_DBG("chan %p len %d priority %u", chan, (int)len, priority);
1c2acffb
GP		 1954
1955 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1956
1957 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 1958 msg->msg_flags & MSG_DONTWAIT);
1959 if (IS_ERR(skb))
1960 return skb;
1c2acffb 1961
5e59b791
LAD		 1962 skb->priority = priority;
1963
1c2acffb
GP		 1964 /* Create L2CAP header */
1965 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1966 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 1967 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
1968 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 1969
0952a57a 1970 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1971 if (unlikely(err < 0)) {
1972 kfree_skb(skb);
1973 return ERR_PTR(err);
1974 }
1975 return skb;
1976}
1977
5e59b791
LAD		 1978static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
1979 struct msghdr *msg, size_t len,
1980 u32 priority)
1c2acffb 1981{
8c1d787b 1982 struct l2cap_conn *conn = chan->conn;
1c2acffb 1983 struct sk_buff *skb;
f2ba7fae 1984 int err, count;
1c2acffb
GP		 1985 struct l2cap_hdr *lh;
1986
6d5922b0 1987 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 1988
f2ba7fae 1989 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 1990
f2ba7fae 1991 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 1992 msg->msg_flags & MSG_DONTWAIT);
1993 if (IS_ERR(skb))
1994 return skb;
1c2acffb 1995
5e59b791
LAD		 1996 skb->priority = priority;
1997
1c2acffb
GP		 1998 /* Create L2CAP header */
1999 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2000 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2001 lh->len = cpu_to_le16(len);
1c2acffb 2002
0952a57a 2003 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2004 if (unlikely(err < 0)) {
2005 kfree_skb(skb);
2006 return ERR_PTR(err);
2007 }
2008 return skb;
2009}
2010
ab0ff76d
LAD		 2011static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2012 struct msghdr *msg, size_t len,
94122bbe 2013 u16 sdulen)
1c2acffb 2014{
8c1d787b 2015 struct l2cap_conn *conn = chan->conn;
1c2acffb 2016 struct sk_buff *skb;
e4ca6d98 2017 int err, count, hlen;
1c2acffb
GP		 2018 struct l2cap_hdr *lh;
2019
6d5922b0 2020 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 2021
0ee0d208
GP		 2022 if (!conn)
2023 return ERR_PTR(-ENOTCONN);
2024
e4ca6d98
AE		 2025 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2026 hlen = L2CAP_EXT_HDR_SIZE;
2027 else
2028 hlen = L2CAP_ENH_HDR_SIZE;
2029
c74e560c 2030 if (sdulen)
03a51213 2031 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2032
47d1ec61 2033 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2034 hlen += L2CAP_FCS_SIZE;
fcc203c3 2035
1c2acffb 2036 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2037
2038 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2039 msg->msg_flags & MSG_DONTWAIT);
2040 if (IS_ERR(skb))
2041 return skb;
1c2acffb
GP		 2042
2043 /* Create L2CAP header */
2044 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2045 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2046 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2047
18a48e76
MM		 2048 /* Control header is populated later */
2049 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2050 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2051 else
2052 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2053
c74e560c 2054 if (sdulen)
03a51213 2055 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2056
0952a57a 2057 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2058 if (unlikely(err < 0)) {
2059 kfree_skb(skb);
2060 return ERR_PTR(err);
2061 }
e90bac06 2062
18a48e76 2063 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2064 bt_cb(skb)->control.retries = 0;
1c2acffb 2065 return skb;
1da177e4
LT		 2066}
2067
94122bbe
MM		 2068static int l2cap_segment_sdu(struct l2cap_chan *chan,
2069 struct sk_buff_head *seg_queue,
2070 struct msghdr *msg, size_t len)
c74e560c 2071{
c74e560c 2072 struct sk_buff *skb;
94122bbe
MM		 2073 u16 sdu_len;
2074 size_t pdu_len;
2075 int err = 0;
2076 u8 sar;
c74e560c 2077
94122bbe 2078 BT_DBG("chan %p, msg %p, len %d", chan, msg, (int)len);
c74e560c 2079
94122bbe
MM		 2080 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2081 * so fragmented skbs are not used. The HCI layer's handling
2082 * of fragmented skbs is not compatible with ERTM's queueing.
2083 */
c74e560c 2084
94122bbe
MM		 2085 /* PDU size is derived from the HCI MTU */
2086 pdu_len = chan->conn->mtu;
c74e560c 2087
94122bbe
MM		 2088 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2089
2090 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2091 if (chan->fcs)
2092 pdu_len -= L2CAP_FCS_SIZE;
2093
2094 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2095 pdu_len -= L2CAP_EXT_HDR_SIZE;
2096 else
2097 pdu_len -= L2CAP_ENH_HDR_SIZE;
94122bbe
MM		 2098
2099 /* Remote device may have requested smaller PDUs */
2100 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2101
2102 if (len <= pdu_len) {
2103 sar = L2CAP_SAR_UNSEGMENTED;
2104 sdu_len = 0;
2105 pdu_len = len;
2106 } else {
2107 sar = L2CAP_SAR_START;
2108 sdu_len = len;
2109 pdu_len -= L2CAP_SDULEN_SIZE;
2110 }
2111
2112 while (len > 0) {
2113 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2114
c74e560c 2115 if (IS_ERR(skb)) {
94122bbe 2116 __skb_queue_purge(seg_queue);
c74e560c
GP		 2117 return PTR_ERR(skb);
2118 }
2119
94122bbe
MM		 2120 bt_cb(skb)->control.sar = sar;
2121 __skb_queue_tail(seg_queue, skb);
2122
2123 len -= pdu_len;
2124 if (sdu_len) {
2125 sdu_len = 0;
2126 pdu_len += L2CAP_SDULEN_SIZE;
2127 }
2128
2129 if (len <= pdu_len) {
2130 sar = L2CAP_SAR_END;
2131 pdu_len = len;
2132 } else {
2133 sar = L2CAP_SAR_CONTINUE;
2134 }
c74e560c 2135 }
c74e560c 2136
94122bbe 2137 return err;
c74e560c
GP		 2138}
2139
5e59b791
LAD		 2140int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2141 u32 priority)
9a91a04a 2142{
9a91a04a 2143 struct sk_buff *skb;
9a91a04a 2144 int err;
94122bbe 2145 struct sk_buff_head seg_queue;
9a91a04a
GP		 2146
2147 /* Connectionless channel */
715ec005 2148 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2149 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2150 if (IS_ERR(skb))
2151 return PTR_ERR(skb);
2152
2153 l2cap_do_send(chan, skb);
2154 return len;
2155 }
2156
2157 switch (chan->mode) {
2158 case L2CAP_MODE_BASIC:
2159 /* Check outgoing MTU */
2160 if (len > chan->omtu)
2161 return -EMSGSIZE;
2162
2163 /* Create a basic PDU */
5e59b791 2164 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2165 if (IS_ERR(skb))
2166 return PTR_ERR(skb);
2167
2168 l2cap_do_send(chan, skb);
2169 err = len;
2170 break;
2171
2172 case L2CAP_MODE_ERTM:
2173 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2174 /* Check outgoing MTU */
2175 if (len > chan->omtu) {
2176 err = -EMSGSIZE;
2177 break;
2178 }
9a91a04a 2179
94122bbe 2180 __skb_queue_head_init(&seg_queue);
9a91a04a 2181
94122bbe
MM		 2182 /* Do segmentation before calling in to the state machine,
2183 * since it's possible to block while waiting for memory
2184 * allocation.
2185 */
2186 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2187
94122bbe
MM		 2188 /* The channel could have been closed while segmenting,
2189 * check that it is still connected.
2190 */
2191 if (chan->state != BT_CONNECTED) {
2192 __skb_queue_purge(&seg_queue);
2193 err = -ENOTCONN;
9a91a04a
GP		 2194 }
2195
94122bbe 2196 if (err)
9a91a04a 2197 break;
9a91a04a 2198
3733937d 2199 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2200 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2201 else
d660366d 2202 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2203
d660366d 2204 err = len;
9a91a04a 2205
94122bbe
MM		 2206 /* If the skbs were not queued for sending, they'll still be in
2207 * seg_queue and need to be purged.
2208 */
2209 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2210 break;
2211
2212 default:
2213 BT_DBG("bad state %1.1x", chan->mode);
2214 err = -EBADFD;
2215 }
2216
2217 return err;
2218}
2219
d2a7ac5d
MM		 2220static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2221{
bed68bde
MM		 2222 struct l2cap_ctrl control;
2223 u16 seq;
2224
2225 BT_DBG("chan %p, txseq %d", chan, txseq);
2226
2227 memset(&control, 0, sizeof(control));
2228 control.sframe = 1;
2229 control.super = L2CAP_SUPER_SREJ;
2230
2231 for (seq = chan->expected_tx_seq; seq != txseq;
2232 seq = __next_seq(chan, seq)) {
2233 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2234 control.reqseq = seq;
2235 l2cap_send_sframe(chan, &control);
2236 l2cap_seq_list_append(&chan->srej_list, seq);
2237 }
2238 }
2239
2240 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2241}
2242
2243static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2244{
bed68bde
MM		 2245 struct l2cap_ctrl control;
2246
2247 BT_DBG("chan %p", chan);
2248
2249 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2250 return;
2251
2252 memset(&control, 0, sizeof(control));
2253 control.sframe = 1;
2254 control.super = L2CAP_SUPER_SREJ;
2255 control.reqseq = chan->srej_list.tail;
2256 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2257}
2258
2259static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2260{
bed68bde
MM		 2261 struct l2cap_ctrl control;
2262 u16 initial_head;
2263 u16 seq;
2264
2265 BT_DBG("chan %p, txseq %d", chan, txseq);
2266
2267 memset(&control, 0, sizeof(control));
2268 control.sframe = 1;
2269 control.super = L2CAP_SUPER_SREJ;
2270
2271 /* Capture initial list head to allow only one pass through the list. */
2272 initial_head = chan->srej_list.head;
2273
2274 do {
2275 seq = l2cap_seq_list_pop(&chan->srej_list);
2276 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2277 break;
2278
2279 control.reqseq = seq;
2280 l2cap_send_sframe(chan, &control);
2281 l2cap_seq_list_append(&chan->srej_list, seq);
2282 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2283}
2284
608bcc6d
MM		 2285static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2286{
2287 struct sk_buff *acked_skb;
2288 u16 ackseq;
2289
2290 BT_DBG("chan %p, reqseq %d", chan, reqseq);
2291
2292 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2293 return;
2294
2295 BT_DBG("expected_ack_seq %d, unacked_frames %d",
2296 chan->expected_ack_seq, chan->unacked_frames);
2297
2298 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2299 ackseq = __next_seq(chan, ackseq)) {
2300
2301 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2302 if (acked_skb) {
2303 skb_unlink(acked_skb, &chan->tx_q);
2304 kfree_skb(acked_skb);
2305 chan->unacked_frames--;
2306 }
2307 }
2308
2309 chan->expected_ack_seq = reqseq;
2310
2311 if (chan->unacked_frames == 0)
2312 __clear_retrans_timer(chan);
2313
2314 BT_DBG("unacked_frames %d", (int) chan->unacked_frames);
2315}
2316
2317static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2318{
2319 BT_DBG("chan %p", chan);
2320
2321 chan->expected_tx_seq = chan->buffer_seq;
2322 l2cap_seq_list_clear(&chan->srej_list);
2323 skb_queue_purge(&chan->srej_q);
2324 chan->rx_state = L2CAP_RX_STATE_RECV;
2325}
2326
d660366d
GP		 2327static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2328 struct l2cap_ctrl *control,
2329 struct sk_buff_head *skbs, u8 event)
608bcc6d 2330{
608bcc6d
MM		 2331 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2332 event);
2333
2334 switch (event) {
2335 case L2CAP_EV_DATA_REQUEST:
2336 if (chan->tx_send_head == NULL)
2337 chan->tx_send_head = skb_peek(skbs);
2338
2339 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2340 l2cap_ertm_send(chan);
2341 break;
2342 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2343 BT_DBG("Enter LOCAL_BUSY");
2344 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2345
2346 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2347 /* The SREJ_SENT state must be aborted if we are to
2348 * enter the LOCAL_BUSY state.
2349 */
2350 l2cap_abort_rx_srej_sent(chan);
2351 }
2352
2353 l2cap_send_ack(chan);
2354
2355 break;
2356 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2357 BT_DBG("Exit LOCAL_BUSY");
2358 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2359
2360 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2361 struct l2cap_ctrl local_control;
2362
2363 memset(&local_control, 0, sizeof(local_control));
2364 local_control.sframe = 1;
2365 local_control.super = L2CAP_SUPER_RR;
2366 local_control.poll = 1;
2367 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2368 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2369
2370 chan->retry_count = 1;
2371 __set_monitor_timer(chan);
2372 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2373 }
2374 break;
2375 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2376 l2cap_process_reqseq(chan, control->reqseq);
2377 break;
2378 case L2CAP_EV_EXPLICIT_POLL:
2379 l2cap_send_rr_or_rnr(chan, 1);
2380 chan->retry_count = 1;
2381 __set_monitor_timer(chan);
2382 __clear_ack_timer(chan);
2383 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2384 break;
2385 case L2CAP_EV_RETRANS_TO:
2386 l2cap_send_rr_or_rnr(chan, 1);
2387 chan->retry_count = 1;
2388 __set_monitor_timer(chan);
2389 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2390 break;
2391 case L2CAP_EV_RECV_FBIT:
2392 /* Nothing to process */
2393 break;
2394 default:
2395 break;
2396 }
608bcc6d
MM		 2397}
2398
d660366d
GP		 2399static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2400 struct l2cap_ctrl *control,
2401 struct sk_buff_head *skbs, u8 event)
608bcc6d 2402{
608bcc6d
MM		 2403 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2404 event);
2405
2406 switch (event) {
2407 case L2CAP_EV_DATA_REQUEST:
2408 if (chan->tx_send_head == NULL)
2409 chan->tx_send_head = skb_peek(skbs);
2410 /* Queue data, but don't send. */
2411 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2412 break;
2413 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2414 BT_DBG("Enter LOCAL_BUSY");
2415 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2416
2417 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2418 /* The SREJ_SENT state must be aborted if we are to
2419 * enter the LOCAL_BUSY state.
2420 */
2421 l2cap_abort_rx_srej_sent(chan);
2422 }
2423
2424 l2cap_send_ack(chan);
2425
2426 break;
2427 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2428 BT_DBG("Exit LOCAL_BUSY");
2429 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2430
2431 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2432 struct l2cap_ctrl local_control;
2433 memset(&local_control, 0, sizeof(local_control));
2434 local_control.sframe = 1;
2435 local_control.super = L2CAP_SUPER_RR;
2436 local_control.poll = 1;
2437 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2438 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2439
2440 chan->retry_count = 1;
2441 __set_monitor_timer(chan);
2442 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2443 }
2444 break;
2445 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2446 l2cap_process_reqseq(chan, control->reqseq);
2447
2448 /* Fall through */
2449
2450 case L2CAP_EV_RECV_FBIT:
2451 if (control && control->final) {
2452 __clear_monitor_timer(chan);
2453 if (chan->unacked_frames > 0)
2454 __set_retrans_timer(chan);
2455 chan->retry_count = 0;
2456 chan->tx_state = L2CAP_TX_STATE_XMIT;
2457 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2458 }
2459 break;
2460 case L2CAP_EV_EXPLICIT_POLL:
2461 /* Ignore */
2462 break;
2463 case L2CAP_EV_MONITOR_TO:
2464 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2465 l2cap_send_rr_or_rnr(chan, 1);
2466 __set_monitor_timer(chan);
2467 chan->retry_count++;
2468 } else {
2469 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
2470 }
2471 break;
2472 default:
2473 break;
2474 }
608bcc6d
MM		 2475}
2476
d660366d
GP		 2477static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2478 struct sk_buff_head *skbs, u8 event)
608bcc6d 2479{
608bcc6d
MM		 2480 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2481 chan, control, skbs, event, chan->tx_state);
2482
2483 switch (chan->tx_state) {
2484 case L2CAP_TX_STATE_XMIT:
d660366d 2485 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2486 break;
2487 case L2CAP_TX_STATE_WAIT_F:
d660366d 2488 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2489 break;
2490 default:
2491 /* Ignore event */
2492 break;
2493 }
608bcc6d
MM		 2494}
2495
4b51dae9
MM		 2496static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2497 struct l2cap_ctrl *control)
2498{
2499 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2500 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2501}
2502
f80842a8
MM		 2503static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2504 struct l2cap_ctrl *control)
2505{
2506 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2507 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2508}
2509
1da177e4
LT		 2510/* Copy frame to all raw sockets on that connection */
2511static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2512{
1da177e4 2513 struct sk_buff *nskb;
48454079 2514 struct l2cap_chan *chan;
1da177e4
LT		 2515
2516 BT_DBG("conn %p", conn);
2517
3df91ea2 2518 mutex_lock(&conn->chan_lock);
3d57dc68 2519
3df91ea2 2520 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2521 struct sock *sk = chan->sk;
715ec005 2522 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2523 continue;
2524
2525 /* Don't send frame to the socket it came from */
2526 if (skb->sk == sk)
2527 continue;
af05b30b
GP		 2528 nskb = skb_clone(skb, GFP_ATOMIC);
2529 if (!nskb)
1da177e4
LT		 2530 continue;
2531
80b98027 2532 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2533 kfree_skb(nskb);
2534 }
3d57dc68 2535
3df91ea2 2536 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2537}
2538
2539/* ---- L2CAP signalling commands ---- */
2540static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2541 u8 code, u8 ident, u16 dlen, void *data)
2542{
2543 struct sk_buff *skb, **frag;
2544 struct l2cap_cmd_hdr *cmd;
2545 struct l2cap_hdr *lh;
2546 int len, count;
2547
af05b30b
GP		 2548 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2549 conn, code, ident, dlen);
1da177e4
LT		 2550
2551 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2552 count = min_t(unsigned int, conn->mtu, len);
2553
2554 skb = bt_skb_alloc(count, GFP_ATOMIC);
2555 if (!skb)
2556 return NULL;
2557
2558 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2559 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2560
2561 if (conn->hcon->type == LE_LINK)
ac73498c 2562 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2563 else
ac73498c 2564 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2565
2566 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2567 cmd->code = code;
2568 cmd->ident = ident;
aca3192c 2569 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2570
2571 if (dlen) {
2572 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2573 memcpy(skb_put(skb, count), data, count);
2574 data += count;
2575 }
2576
2577 len -= skb->len;
2578
2579 /* Continuation fragments (no L2CAP header) */
2580 frag = &skb_shinfo(skb)->frag_list;
2581 while (len) {
2582 count = min_t(unsigned int, conn->mtu, len);
2583
2584 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2585 if (!*frag)
2586 goto fail;
2587
2588 memcpy(skb_put(*frag, count), data, count);
2589
2590 len -= count;
2591 data += count;
2592
2593 frag = &(*frag)->next;
2594 }
2595
2596 return skb;
2597
2598fail:
2599 kfree_skb(skb);
2600 return NULL;
2601}
2602
2603static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2604{
2605 struct l2cap_conf_opt *opt = *ptr;
2606 int len;
2607
2608 len = L2CAP_CONF_OPT_SIZE + opt->len;
2609 *ptr += len;
2610
2611 *type = opt->type;
2612 *olen = opt->len;
2613
2614 switch (opt->len) {
2615 case 1:
2616 *val = *((u8 *) opt->val);
2617 break;
2618
2619 case 2:
bfaaeb3e 2620 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2621 break;
2622
2623 case 4:
bfaaeb3e 2624 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2625 break;
2626
2627 default:
2628 *val = (unsigned long) opt->val;
2629 break;
2630 }
2631
2632 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2633 return len;
2634}
2635
1da177e4
LT		 2636static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2637{
2638 struct l2cap_conf_opt *opt = *ptr;
2639
2640 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2641
2642 opt->type = type;
2643 opt->len = len;
2644
2645 switch (len) {
2646 case 1:
2647 *((u8 *) opt->val) = val;
2648 break;
2649
2650 case 2:
4f8b691c 2651 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2652 break;
2653
2654 case 4:
4f8b691c 2655 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2656 break;
2657
2658 default:
2659 memcpy(opt->val, (void *) val, len);
2660 break;
2661 }
2662
2663 *ptr += L2CAP_CONF_OPT_SIZE + len;
2664}
2665
f89cef09
AE		 2666static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2667{
2668 struct l2cap_conf_efs efs;
2669
1ec918ce 2670 switch (chan->mode) {
f89cef09
AE		 2671 case L2CAP_MODE_ERTM:
2672 efs.id = chan->local_id;
2673 efs.stype = chan->local_stype;
2674 efs.msdu = cpu_to_le16(chan->local_msdu);
2675 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c
AE		 2676 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2677 efs.flush_to = __constant_cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
f89cef09
AE		 2678 break;
2679
2680 case L2CAP_MODE_STREAMING:
2681 efs.id = 1;
2682 efs.stype = L2CAP_SERV_BESTEFFORT;
2683 efs.msdu = cpu_to_le16(chan->local_msdu);
2684 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2685 efs.acc_lat = 0;
2686 efs.flush_to = 0;
2687 break;
2688
2689 default:
2690 return;
2691 }
2692
2693 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
2694 (unsigned long) &efs);
2695}
2696
721c4181 2697static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2698{
721c4181 2699 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 2700 ack_timer.work);
2701 u16 frames_to_ack;
c1b4f43b 2702
2fb9b3d4
GP		 2703 BT_DBG("chan %p", chan);
2704
6be36555
AE		 2705 l2cap_chan_lock(chan);
2706
0362520b
MM		 2707 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2708 chan->last_acked_seq);
6be36555 2709
0362520b
MM		 2710 if (frames_to_ack)
2711 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 2712
0362520b 2713 l2cap_chan_unlock(chan);
09bfb2ee 2714 l2cap_chan_put(chan);
c1b4f43b
GP		 2715}
2716
3c588192 2717static inline int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2718{
3c588192
MM		 2719 int err;
2720
105bdf9e
MM		 2721 chan->next_tx_seq = 0;
2722 chan->expected_tx_seq = 0;
42e5c802 2723 chan->expected_ack_seq = 0;
6a026610 2724 chan->unacked_frames = 0;
42e5c802 2725 chan->buffer_seq = 0;
6a026610 2726 chan->frames_sent = 0;
105bdf9e
MM		 2727 chan->last_acked_seq = 0;
2728 chan->sdu = NULL;
2729 chan->sdu_last_frag = NULL;
2730 chan->sdu_len = 0;
2731
d34c34fb
MM		 2732 skb_queue_head_init(&chan->tx_q);
2733
105bdf9e
MM		 2734 if (chan->mode != L2CAP_MODE_ERTM)
2735 return 0;
2736
2737 chan->rx_state = L2CAP_RX_STATE_RECV;
2738 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2739
721c4181
GP		 2740 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2741 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2742 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2743
f1c6775b 2744 skb_queue_head_init(&chan->srej_q);
1890d36b 2745
3c588192
MM		 2746 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2747 if (err < 0)
2748 return err;
2749
9dc9affc
MM		 2750 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
2751 if (err < 0)
2752 l2cap_seq_list_free(&chan->srej_list);
2753
2754 return err;
0565c1c2
GP		 2755}
2756
f2fcfcd6
GP		 2757static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2758{
2759 switch (mode) {
2760 case L2CAP_MODE_STREAMING:
2761 case L2CAP_MODE_ERTM:
2762 if (l2cap_mode_supported(mode, remote_feat_mask))
2763 return mode;
2764 /* fall through */
2765 default:
2766 return L2CAP_MODE_BASIC;
2767 }
2768}
2769
6327eb98
AE		 2770static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2771{
2772 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2773}
2774
f89cef09
AE		 2775static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2776{
2777 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2778}
2779
6327eb98
AE		 2780static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2781{
2782 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 2783 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2784 /* use extended control field */
2785 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2786 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2787 } else {
6327eb98
AE		 2788 chan->tx_win = min_t(u16, chan->tx_win,
2789 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2790 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2791 }
6327eb98
AE		 2792}
2793
710f9b0a 2794static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2795{
1da177e4 2796 struct l2cap_conf_req *req = data;
0c1bc5c6 2797 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2798 void *ptr = req->data;
c8f79162 2799 u16 size;
1da177e4 2800
49208c9c 2801 BT_DBG("chan %p", chan);
1da177e4 2802
73ffa904 2803 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2804 goto done;
2805
0c1bc5c6 2806 switch (chan->mode) {
f2fcfcd6
GP		 2807 case L2CAP_MODE_STREAMING:
2808 case L2CAP_MODE_ERTM:
c1360a1c 2809 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2810 break;
85eb53c6 2811
f89cef09
AE		 2812 if (__l2cap_efs_supported(chan))
2813 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2814
2ba13ed6 2815 /* fall through */
f2fcfcd6 2816 default:
8c1d787b 2817 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2818 break;
2819 }
2820
2821done:
0c1bc5c6
GP		 2822 if (chan->imtu != L2CAP_DEFAULT_MTU)
2823 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2824
0c1bc5c6 2825 switch (chan->mode) {
65c7c491 2826 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2827 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2828 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2829 break;
2830
62547752
GP		 2831 rfc.mode = L2CAP_MODE_BASIC;
2832 rfc.txwin_size = 0;
2833 rfc.max_transmit = 0;
2834 rfc.retrans_timeout = 0;
2835 rfc.monitor_timeout = 0;
2836 rfc.max_pdu_size = 0;
2837
63406504
GP		 2838 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2839 (unsigned long) &rfc);
65c7c491
MH		 2840 break;
2841
2842 case L2CAP_MODE_ERTM:
2843 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2844 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2845 rfc.retrans_timeout = 0;
2846 rfc.monitor_timeout = 0;
c8f79162
AE		 2847
2848 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2849 L2CAP_EXT_HDR_SIZE -
2850 L2CAP_SDULEN_SIZE -
2851 L2CAP_FCS_SIZE);
2852 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2853
6327eb98
AE		 2854 l2cap_txwin_setup(chan);
2855
2856 rfc.txwin_size = min_t(u16, chan->tx_win,
2857 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2858
63406504
GP		 2859 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2860 (unsigned long) &rfc);
2861
f89cef09
AE		 2862 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2863 l2cap_add_opt_efs(&ptr, chan);
2864
8c1d787b 2865 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2866 break;
2867
47d1ec61 2868 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2869 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2870 chan->fcs = L2CAP_FCS_NONE;
2871 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2872 }
6327eb98
AE		 2873
2874 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2875 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2876 chan->tx_win);
f2fcfcd6
GP		 2877 break;
2878
2879 case L2CAP_MODE_STREAMING:
273759e2 2880 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 2881 rfc.mode = L2CAP_MODE_STREAMING;
2882 rfc.txwin_size = 0;
2883 rfc.max_transmit = 0;
2884 rfc.retrans_timeout = 0;
2885 rfc.monitor_timeout = 0;
c8f79162
AE		 2886
2887 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2888 L2CAP_EXT_HDR_SIZE -
2889 L2CAP_SDULEN_SIZE -
2890 L2CAP_FCS_SIZE);
2891 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2892
63406504
GP		 2893 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2894 (unsigned long) &rfc);
2895
f89cef09
AE		 2896 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2897 l2cap_add_opt_efs(&ptr, chan);
2898
8c1d787b 2899 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2900 break;
2901
47d1ec61 2902 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2903 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2904 chan->fcs = L2CAP_FCS_NONE;
2905 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2906 }
65c7c491
MH		 2907 break;
2908 }
1da177e4 2909
fe4128e0 2910 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 2911 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 2912
2913 return ptr - data;
2914}
2915
73ffa904 2916static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2917{
5dee9e7c
MH		 2918 struct l2cap_conf_rsp *rsp = data;
2919 void *ptr = rsp->data;
73ffa904
GP		 2920 void *req = chan->conf_req;
2921 int len = chan->conf_len;
5dee9e7c
MH		 2922 int type, hint, olen;
2923 unsigned long val;
6464f35f 2924 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2925 struct l2cap_conf_efs efs;
2926 u8 remote_efs = 0;
861d6882 2927 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2928 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2929 u16 size;
1da177e4 2930
73ffa904 2931 BT_DBG("chan %p", chan);
820ae1b8 2932
5dee9e7c
MH		 2933 while (len >= L2CAP_CONF_OPT_SIZE) {
2934 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2935
589d2746 2936 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2937 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2938
2939 switch (type) {
2940 case L2CAP_CONF_MTU:
861d6882 2941 mtu = val;
5dee9e7c
MH		 2942 break;
2943
2944 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2945 chan->flush_to = val;
5dee9e7c
MH		 2946 break;
2947
2948 case L2CAP_CONF_QOS:
2949 break;
2950
6464f35f
MH		 2951 case L2CAP_CONF_RFC:
2952 if (olen == sizeof(rfc))
2953 memcpy(&rfc, (void *) val, olen);
2954 break;
2955
fcc203c3
GP		 2956 case L2CAP_CONF_FCS:
2957 if (val == L2CAP_FCS_NONE)
c1360a1c 2958 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 2959 break;
fcc203c3 2960
42dceae2
AE		 2961 case L2CAP_CONF_EFS:
2962 remote_efs = 1;
2963 if (olen == sizeof(efs))
2964 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 2965 break;
2966
6327eb98
AE		 2967 case L2CAP_CONF_EWS:
2968 if (!enable_hs)
2969 return -ECONNREFUSED;
fcc203c3 2970
6327eb98
AE		 2971 set_bit(FLAG_EXT_CTRL, &chan->flags);
2972 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 2973 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 2974 chan->remote_tx_win = val;
fcc203c3
GP		 2975 break;
2976
5dee9e7c
MH		 2977 default:
2978 if (hint)
2979 break;
2980
2981 result = L2CAP_CONF_UNKNOWN;
2982 *((u8 *) ptr++) = type;
2983 break;
2984 }
2985 }
2986
73ffa904 2987 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2988 goto done;
2989
0c1bc5c6 2990 switch (chan->mode) {
f2fcfcd6
GP		 2991 case L2CAP_MODE_STREAMING:
2992 case L2CAP_MODE_ERTM:
c1360a1c 2993 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2994 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2995 chan->conn->feat_mask);
85eb53c6
GP		 2996 break;
2997 }
2998
42dceae2
AE		 2999 if (remote_efs) {
3000 if (__l2cap_efs_supported(chan))
3001 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3002 else
3003 return -ECONNREFUSED;
3004 }
3005
0c1bc5c6 3006 if (chan->mode != rfc.mode)
f2fcfcd6 3007 return -ECONNREFUSED;
742e519b 3008
f2fcfcd6 3009 break;
f2fcfcd6
GP		 3010 }
3011
3012done:
0c1bc5c6 3013 if (chan->mode != rfc.mode) {
f2fcfcd6 3014 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3015 rfc.mode = chan->mode;
f2fcfcd6 3016
73ffa904 3017 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3018 return -ECONNREFUSED;
3019
3020 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3021 sizeof(rfc), (unsigned long) &rfc);
3022 }
3023
5dee9e7c
MH		 3024 if (result == L2CAP_CONF_SUCCESS) {
3025 /* Configure output options and let the other side know
3026 * which ones we don't like. */
3027
f2fcfcd6
GP		 3028 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3029 result = L2CAP_CONF_UNACCEPT;
3030 else {
0c1bc5c6 3031 chan->omtu = mtu;
c1360a1c 3032 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3033 }
0c1bc5c6 3034 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3035
42dceae2
AE		 3036 if (remote_efs) {
3037 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3038 efs.stype != L2CAP_SERV_NOTRAFIC &&
3039 efs.stype != chan->local_stype) {
3040
3041 result = L2CAP_CONF_UNACCEPT;
3042
3043 if (chan->num_conf_req >= 1)
3044 return -ECONNREFUSED;
3045
3046 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 3047 sizeof(efs),
42dceae2 3048 (unsigned long) &efs);
0e8b207e 3049 } else {
3e6b3b95 3050 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3051 result = L2CAP_CONF_PENDING;
3052 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3053 }
3054 }
3055
f2fcfcd6
GP		 3056 switch (rfc.mode) {
3057 case L2CAP_MODE_BASIC:
47d1ec61 3058 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3059 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3060 break;
3061
3062 case L2CAP_MODE_ERTM:
6327eb98
AE		 3063 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3064 chan->remote_tx_win = rfc.txwin_size;
3065 else
3066 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3067
2c03a7a4 3068 chan->remote_max_tx = rfc.max_transmit;
1c762159 3069
c8f79162
AE		 3070 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3071 chan->conn->mtu -
3072 L2CAP_EXT_HDR_SIZE -
3073 L2CAP_SDULEN_SIZE -
3074 L2CAP_FCS_SIZE);
3075 rfc.max_pdu_size = cpu_to_le16(size);
3076 chan->remote_mps = size;
f2fcfcd6 3077
10467e9e 3078 rfc.retrans_timeout =
4fd21a88 3079 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
10467e9e 3080 rfc.monitor_timeout =
4fd21a88 3081 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 3082
c1360a1c 3083 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3084
3085 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3086 sizeof(rfc), (unsigned long) &rfc);
3087
42dceae2
AE		 3088 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3089 chan->remote_id = efs.id;
3090 chan->remote_stype = efs.stype;
3091 chan->remote_msdu = le16_to_cpu(efs.msdu);
3092 chan->remote_flush_to =
3093 le32_to_cpu(efs.flush_to);
3094 chan->remote_acc_lat =
3095 le32_to_cpu(efs.acc_lat);
3096 chan->remote_sdu_itime =
3097 le32_to_cpu(efs.sdu_itime);
3098 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3099 sizeof(efs), (unsigned long) &efs);
3100 }
f2fcfcd6
GP		 3101 break;
3102
3103 case L2CAP_MODE_STREAMING:
c8f79162
AE		 3104 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3105 chan->conn->mtu -
3106 L2CAP_EXT_HDR_SIZE -
3107 L2CAP_SDULEN_SIZE -
3108 L2CAP_FCS_SIZE);
3109 rfc.max_pdu_size = cpu_to_le16(size);
3110 chan->remote_mps = size;
f2fcfcd6 3111
c1360a1c 3112 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3113
3114 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3115 sizeof(rfc), (unsigned long) &rfc);
3116
f2fcfcd6
GP		 3117 break;
3118
3119 default:
5dee9e7c 3120 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3121
6464f35f 3122 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3123 rfc.mode = chan->mode;
f2fcfcd6 3124 }
6464f35f 3125
f2fcfcd6 3126 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3127 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3128 }
fe4128e0 3129 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3130 rsp->result = cpu_to_le16(result);
59e54bd1 3131 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3132
3133 return ptr - data;
1da177e4
LT		 3134}
3135
b4450035 3136static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 3137{
f2fcfcd6
GP		 3138 struct l2cap_conf_req *req = data;
3139 void *ptr = req->data;
3140 int type, olen;
3141 unsigned long val;
36e999a8 3142 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3143 struct l2cap_conf_efs efs;
f2fcfcd6 3144
fe4128e0 3145 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3146
3147 while (len >= L2CAP_CONF_OPT_SIZE) {
3148 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3149
3150 switch (type) {
3151 case L2CAP_CONF_MTU:
3152 if (val < L2CAP_DEFAULT_MIN_MTU) {
3153 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3154 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3155 } else
0c1bc5c6
GP		 3156 chan->imtu = val;
3157 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3158 break;
3159
3160 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3161 chan->flush_to = val;
f2fcfcd6 3162 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 3163 2, chan->flush_to);
f2fcfcd6
GP		 3164 break;
3165
3166 case L2CAP_CONF_RFC:
3167 if (olen == sizeof(rfc))
3168 memcpy(&rfc, (void *)val, olen);
3169
c1360a1c 3170 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 3171 rfc.mode != chan->mode)
f2fcfcd6
GP		 3172 return -ECONNREFUSED;
3173
47d1ec61 3174 chan->fcs = 0;
f2fcfcd6
GP		 3175
3176 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3177 sizeof(rfc), (unsigned long) &rfc);
3178 break;
6327eb98
AE		 3179
3180 case L2CAP_CONF_EWS:
3181 chan->tx_win = min_t(u16, val,
3182 L2CAP_DEFAULT_EXT_WINDOW);
3e6b3b95
GP		 3183 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3184 chan->tx_win);
6327eb98 3185 break;
66af7aaf
AE		 3186
3187 case L2CAP_CONF_EFS:
3188 if (olen == sizeof(efs))
3189 memcpy(&efs, (void *)val, olen);
3190
3191 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3192 efs.stype != L2CAP_SERV_NOTRAFIC &&
3193 efs.stype != chan->local_stype)
3194 return -ECONNREFUSED;
3195
3196 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3197 sizeof(efs), (unsigned long) &efs);
3198 break;
f2fcfcd6
GP		 3199 }
3200 }
3201
0c1bc5c6 3202 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3203 return -ECONNREFUSED;
3204
0c1bc5c6 3205 chan->mode = rfc.mode;
6c2ea7a8 3206
0e8b207e 3207 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3208 switch (rfc.mode) {
3209 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3210 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3211 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3212 chan->mps = le16_to_cpu(rfc.max_pdu_size);
66af7aaf
AE		 3213
3214 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3215 chan->local_msdu = le16_to_cpu(efs.msdu);
3216 chan->local_sdu_itime =
3217 le32_to_cpu(efs.sdu_itime);
3218 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3219 chan->local_flush_to =
3220 le32_to_cpu(efs.flush_to);
3221 }
f2fcfcd6 3222 break;
66af7aaf 3223
f2fcfcd6 3224 case L2CAP_MODE_STREAMING:
47d1ec61 3225 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3226 }
3227 }
3228
fe4128e0 3229 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3230 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3231
3232 return ptr - data;
3233}
3234
fe4128e0 3235static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 3236{
3237 struct l2cap_conf_rsp *rsp = data;
3238 void *ptr = rsp->data;
1da177e4 3239
fe4128e0 3240 BT_DBG("chan %p", chan);
1da177e4 3241
fe4128e0 3242 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3243 rsp->result = cpu_to_le16(result);
aca3192c 3244 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3245
3246 return ptr - data;
3247}
3248
8c1d787b 3249void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3250{
3251 struct l2cap_conn_rsp rsp;
8c1d787b 3252 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 3253 u8 buf[128];
3254
fe4128e0
GP		 3255 rsp.scid = cpu_to_le16(chan->dcid);
3256 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3257 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3258 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
710f9b0a
GP		 3259 l2cap_send_cmd(conn, chan->ident,
3260 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
3261
c1360a1c 3262 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3263 return;
3264
710f9b0a
GP		 3265 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3266 l2cap_build_conf_req(chan, buf), buf);
3267 chan->num_conf_req++;
3268}
3269
47d1ec61 3270static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3271{
7b1c0049
GP		 3272 int type, olen;
3273 unsigned long val;
3274 struct l2cap_conf_rfc rfc;
3275
47d1ec61 3276 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3277
0c1bc5c6 3278 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3279 return;
3280
3281 while (len >= L2CAP_CONF_OPT_SIZE) {
3282 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3283
3284 switch (type) {
3285 case L2CAP_CONF_RFC:
3286 if (olen == sizeof(rfc))
3287 memcpy(&rfc, (void *)val, olen);
3288 goto done;
3289 }
3290 }
3291
36e999a8
MM		 3292 /* Use sane default values in case a misbehaving remote device
3293 * did not send an RFC option.
3294 */
3295 rfc.mode = chan->mode;
ac73498c
AE		 3296 rfc.retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3297 rfc.monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
36e999a8
MM		 3298 rfc.max_pdu_size = cpu_to_le16(chan->imtu);
3299
3300 BT_ERR("Expected RFC option was not found, using defaults");
3301
7b1c0049
GP		 3302done:
3303 switch (rfc.mode) {
3304 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3305 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3306 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3307 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3308 break;
3309 case L2CAP_MODE_STREAMING:
47d1ec61 3310 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3311 }
3312}
3313
4e8402a3
MH		 3314static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3315{
e2fd318e 3316 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3317
e2fd318e 3318 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3319 return 0;
3320
3321 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3322 cmd->ident == conn->info_ident) {
17cd3f37 3323 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3324
3325 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3326 conn->info_ident = 0;
984947dc 3327
4e8402a3
MH		 3328 l2cap_conn_start(conn);
3329 }
3330
3331 return 0;
3332}
3333
1da177e4
LT		 3334static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3335{
1da177e4
LT		 3336 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3337 struct l2cap_conn_rsp rsp;
23691d75 3338 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3339 struct sock *parent, *sk = NULL;
e7c29cb1 3340 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3341
3342 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3343 __le16 psm = req->psm;
1da177e4 3344
097db76c 3345 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3346
3347 /* Check if we have socket listening on psm */
c2287681 3348 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3349 if (!pchan) {
1da177e4
LT		 3350 result = L2CAP_CR_BAD_PSM;
3351 goto sendresp;
3352 }
3353
23691d75
GP		 3354 parent = pchan->sk;
3355
3df91ea2 3356 mutex_lock(&conn->chan_lock);
aa2ac881 3357 lock_sock(parent);
e0f0cb56 3358
e7c29cb1 3359 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3360 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
e7c29cb1 3361 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3362 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3363 result = L2CAP_CR_SEC_BLOCK;
3364 goto response;
3365 }
3366
1da177e4
LT		 3367 result = L2CAP_CR_NO_MEM;
3368
3369 /* Check for backlog size */
3370 if (sk_acceptq_is_full(parent)) {
8e87d142 3371 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 3372 goto response;
3373 }
3374
80b98027 3375 chan = pchan->ops->new_connection(pchan);
80808e43 3376 if (!chan)
1da177e4
LT		 3377 goto response;
3378
80808e43
GP		 3379 sk = chan->sk;
3380
1da177e4 3381 /* Check if we already have channel with that dcid */
baa7e1fa 3382 if (__l2cap_get_chan_by_dcid(conn, scid)) {
c0df7f6e
AE		 3383 if (chan->ops->teardown)
3384 chan->ops->teardown(chan, 0);
3385
80b98027 3386 chan->ops->close(chan);
1da177e4
LT		 3387 goto response;
3388 }
3389
3390 hci_conn_hold(conn->hcon);
3391
1da177e4
LT		 3392 bacpy(&bt_sk(sk)->src, conn->src);
3393 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3394 chan->psm = psm;
3395 chan->dcid = scid;
1da177e4 3396
d1010240
GP		 3397 bt_accept_enqueue(parent, sk);
3398
6be36555 3399 __l2cap_chan_add(conn, chan);
48454079 3400
fe4128e0 3401 dcid = chan->scid;
1da177e4 3402
c9b66675 3403 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3404
fc7f8a7e 3405 chan->ident = cmd->ident;
1da177e4 3406
984947dc 3407 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3408 if (l2cap_chan_check_security(chan)) {
c5daa683 3409 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3410 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3411 result = L2CAP_CR_PEND;
3412 status = L2CAP_CS_AUTHOR_PEND;
3413 parent->sk_data_ready(parent, 0);
3414 } else {
0e587be7 3415 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 3416 result = L2CAP_CR_SUCCESS;
3417 status = L2CAP_CS_NO_INFO;
3418 }
79d554a6 3419 } else {
0e587be7 3420 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3421 result = L2CAP_CR_PEND;
3422 status = L2CAP_CS_AUTHEN_PEND;
3423 }
3424 } else {
0e587be7 3425 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3426 result = L2CAP_CR_PEND;
3427 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3428 }
3429
1da177e4 3430response:
aa2ac881 3431 release_sock(parent);
3df91ea2 3432 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3433
3434sendresp:
aca3192c
YH		 3435 rsp.scid = cpu_to_le16(scid);
3436 rsp.dcid = cpu_to_le16(dcid);
3437 rsp.result = cpu_to_le16(result);
3438 rsp.status = cpu_to_le16(status);
1da177e4 3439 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 3440
3441 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3442 struct l2cap_info_req info;
ac73498c 3443 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3444
3445 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3446 conn->info_ident = l2cap_get_ident(conn);
3447
ba13ccd9 3448 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 3449
3450 l2cap_send_cmd(conn, conn->info_ident,
3451 L2CAP_INFO_REQ, sizeof(info), &info);
3452 }
3453
c1360a1c 3454 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 3455 result == L2CAP_CR_SUCCESS) {
3456 u8 buf[128];
c1360a1c 3457 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3458 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3459 l2cap_build_conf_req(chan, buf), buf);
3460 chan->num_conf_req++;
e9aeb2dd
GP		 3461 }
3462
1da177e4
LT		 3463 return 0;
3464}
3465
3466static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3467{
3468 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3469 u16 scid, dcid, result, status;
48454079 3470 struct l2cap_chan *chan;
1da177e4 3471 u8 req[128];
3df91ea2 3472 int err;
1da177e4
LT		 3473
3474 scid = __le16_to_cpu(rsp->scid);
3475 dcid = __le16_to_cpu(rsp->dcid);
3476 result = __le16_to_cpu(rsp->result);
3477 status = __le16_to_cpu(rsp->status);
3478
1b009c98
AE		 3479 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3480 dcid, scid, result, status);
1da177e4 3481
3df91ea2
AE		 3482 mutex_lock(&conn->chan_lock);
3483
1da177e4 3484 if (scid) {
3df91ea2
AE		 3485 chan = __l2cap_get_chan_by_scid(conn, scid);
3486 if (!chan) {
3487 err = -EFAULT;
3488 goto unlock;
3489 }
1da177e4 3490 } else {
3df91ea2
AE		 3491 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3492 if (!chan) {
3493 err = -EFAULT;
3494 goto unlock;
3495 }
1da177e4
LT		 3496 }
3497
3df91ea2
AE		 3498 err = 0;
3499
6be36555 3500 l2cap_chan_lock(chan);
48454079 3501
1da177e4
LT		 3502 switch (result) {
3503 case L2CAP_CR_SUCCESS:
89bc500e 3504 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3505 chan->ident = 0;
fe4128e0 3506 chan->dcid = dcid;
c1360a1c 3507 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3508
c1360a1c 3509 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3510 break;
3511
1da177e4 3512 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3513 l2cap_build_conf_req(chan, req), req);
3514 chan->num_conf_req++;
1da177e4
LT		 3515 break;
3516
3517 case L2CAP_CR_PEND:
c1360a1c 3518 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3519 break;
3520
3521 default:
48454079 3522 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3523 break;
3524 }
3525
6be36555 3526 l2cap_chan_unlock(chan);
3df91ea2
AE		 3527
3528unlock:
3529 mutex_unlock(&conn->chan_lock);
3530
3531 return err;
1da177e4
LT		 3532}
3533
47d1ec61 3534static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3535{
3536 /* FCS is enabled only in ERTM or streaming mode, if one or both
3537 * sides request it.
3538 */
0c1bc5c6 3539 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3540 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3541 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3542 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3543}
3544
88219a0f 3545static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 3546{
3547 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3548 u16 dcid, flags;
3549 u8 rsp[64];
48454079 3550 struct l2cap_chan *chan;
3c588192 3551 int len, err = 0;
1da177e4
LT		 3552
3553 dcid = __le16_to_cpu(req->dcid);
3554 flags = __le16_to_cpu(req->flags);
3555
3556 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3557
baa7e1fa 3558 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3559 if (!chan)
1da177e4
LT		 3560 return -ENOENT;
3561
033b1142 3562 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3563 struct l2cap_cmd_rej_cid rej;
3564
ac73498c 3565 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
e2fd318e
IK		 3566 rej.scid = cpu_to_le16(chan->scid);
3567 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3568
df6bd743
GP		 3569 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
3570 sizeof(rej), &rej);
354f60a9 3571 goto unlock;
df6bd743 3572 }
354f60a9 3573
5dee9e7c 3574 /* Reject if config buffer is too small. */
88219a0f 3575 len = cmd_len - sizeof(*req);
7ac28817 3576 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3577 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3578 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 3579 L2CAP_CONF_REJECT, flags), rsp);
3580 goto unlock;
3581 }
3582
3583 /* Store config. */
73ffa904
GP		 3584 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3585 chan->conf_len += len;
1da177e4 3586
59e54bd1 3587 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 3588 /* Incomplete config. Send empty response. */
3589 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3590 l2cap_build_conf_rsp(chan, rsp,
5325e5bb 3591 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 3592 goto unlock;
3593 }
3594
3595 /* Complete config. */
73ffa904 3596 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3597 if (len < 0) {
e92c8e70 3598 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 3599 goto unlock;
f2fcfcd6 3600 }
1da177e4 3601
5dee9e7c 3602 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3603 chan->num_conf_rsp++;
5dee9e7c 3604
5dee9e7c 3605 /* Reset config buffer. */
73ffa904 3606 chan->conf_len = 0;
5dee9e7c 3607
c1360a1c 3608 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3609 goto unlock;
3610
c1360a1c 3611 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3612 set_default_fcs(chan);
fcc203c3 3613
105bdf9e
MM		 3614 if (chan->mode == L2CAP_MODE_ERTM ||
3615 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3616 err = l2cap_ertm_init(chan);
3617
3618 if (err < 0)
3619 l2cap_send_disconn_req(chan->conn, chan, -err);
3620 else
3621 l2cap_chan_ready(chan);
0565c1c2 3622
876d9484
MH		 3623 goto unlock;
3624 }
3625
c1360a1c 3626 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3627 u8 buf[64];
1da177e4 3628 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3629 l2cap_build_conf_req(chan, buf), buf);
3630 chan->num_conf_req++;
1da177e4
LT		 3631 }
3632
0e8b207e
AE		 3633 /* Got Conf Rsp PENDING from remote side and asume we sent
3634 Conf Rsp PENDING in the code above */
3635 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
3636 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3637
3638 /* check compatibility */
3639
3640 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3641 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3642
3643 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3644 l2cap_build_conf_rsp(chan, rsp,
5325e5bb 3645 L2CAP_CONF_SUCCESS, flags), rsp);
0e8b207e
AE		 3646 }
3647
1da177e4 3648unlock:
6be36555 3649 l2cap_chan_unlock(chan);
3c588192 3650 return err;
1da177e4
LT		 3651}
3652
3653static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3654{
3655 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3656 u16 scid, flags, result;
48454079 3657 struct l2cap_chan *chan;
61386cba 3658 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3659 int err = 0;
1da177e4
LT		 3660
3661 scid = __le16_to_cpu(rsp->scid);
3662 flags = __le16_to_cpu(rsp->flags);
3663 result = __le16_to_cpu(rsp->result);
3664
61386cba
AE		 3665 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3666 result, len);
1da177e4 3667
baa7e1fa 3668 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3669 if (!chan)
1da177e4
LT		 3670 return 0;
3671
3672 switch (result) {
3673 case L2CAP_CONF_SUCCESS:
47d1ec61 3674 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3675 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3676 break;
3677
0e8b207e
AE		 3678 case L2CAP_CONF_PENDING:
3679 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3680
3681 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3682 char buf[64];
3683
3684 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3685 buf, &result);
3686 if (len < 0) {
3687 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3688 goto done;
3689 }
3690
3691 /* check compatibility */
3692
3693 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3694 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3695
3696 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3697 l2cap_build_conf_rsp(chan, buf,
0e8b207e
AE		 3698 L2CAP_CONF_SUCCESS, 0x0000), buf);
3699 }
3700 goto done;
3701
1da177e4 3702 case L2CAP_CONF_UNACCEPT:
73ffa904 3703 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3704 char req[64];
3705
c2c77ec8 3706 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 3707 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 3708 goto done;
3709 }
3710
f2fcfcd6
GP		 3711 /* throw out any old stored conf requests */
3712 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 3713 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3714 req, &result);
f2fcfcd6 3715 if (len < 0) {
e92c8e70 3716 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 3717 goto done;
3718 }
3719
3720 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3721 L2CAP_CONF_REQ, len, req);
73ffa904 3722 chan->num_conf_req++;
f2fcfcd6
GP		 3723 if (result != L2CAP_CONF_SUCCESS)
3724 goto done;
3725 break;
1da177e4
LT		 3726 }
3727
8e87d142 3728 default:
6be36555 3729 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 3730
ba13ccd9 3731 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 3732 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 3733 goto done;
3734 }
3735
59e54bd1 3736 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 3737 goto done;
3738
c1360a1c 3739 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 3740
c1360a1c 3741 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 3742 set_default_fcs(chan);
fcc203c3 3743
105bdf9e
MM		 3744 if (chan->mode == L2CAP_MODE_ERTM ||
3745 chan->mode == L2CAP_MODE_STREAMING)
3c588192 3746 err = l2cap_ertm_init(chan);
0565c1c2 3747
3c588192
MM		 3748 if (err < 0)
3749 l2cap_send_disconn_req(chan->conn, chan, -err);
3750 else
3751 l2cap_chan_ready(chan);
1da177e4
LT		 3752 }
3753
3754done:
6be36555 3755 l2cap_chan_unlock(chan);
3c588192 3756 return err;
1da177e4
LT		 3757}
3758
3759static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3760{
3761 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3762 struct l2cap_disconn_rsp rsp;
3763 u16 dcid, scid;
48454079 3764 struct l2cap_chan *chan;
1da177e4
LT		 3765 struct sock *sk;
3766
3767 scid = __le16_to_cpu(req->scid);
3768 dcid = __le16_to_cpu(req->dcid);
3769
3770 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3771
3df91ea2
AE		 3772 mutex_lock(&conn->chan_lock);
3773
3774 chan = __l2cap_get_chan_by_scid(conn, dcid);
3775 if (!chan) {
3776 mutex_unlock(&conn->chan_lock);
1da177e4 3777 return 0;
3df91ea2 3778 }
1da177e4 3779
6be36555
AE		 3780 l2cap_chan_lock(chan);
3781
48454079
GP		 3782 sk = chan->sk;
3783
fe4128e0
GP		 3784 rsp.dcid = cpu_to_le16(chan->scid);
3785 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3786 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3787
6be36555 3788 lock_sock(sk);
1da177e4 3789 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 3790 release_sock(sk);
1da177e4 3791
61d6ef3e 3792 l2cap_chan_hold(chan);
48454079 3793 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 3794
3795 l2cap_chan_unlock(chan);
1da177e4 3796
80b98027 3797 chan->ops->close(chan);
61d6ef3e 3798 l2cap_chan_put(chan);
3df91ea2
AE		 3799
3800 mutex_unlock(&conn->chan_lock);
3801
1da177e4
LT		 3802 return 0;
3803}
3804
3805static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3806{
3807 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3808 u16 dcid, scid;
48454079 3809 struct l2cap_chan *chan;
1da177e4
LT		 3810
3811 scid = __le16_to_cpu(rsp->scid);
3812 dcid = __le16_to_cpu(rsp->dcid);
3813
3814 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3815
3df91ea2
AE		 3816 mutex_lock(&conn->chan_lock);
3817
3818 chan = __l2cap_get_chan_by_scid(conn, scid);
3819 if (!chan) {
3820 mutex_unlock(&conn->chan_lock);
1da177e4 3821 return 0;
3df91ea2 3822 }
1da177e4 3823
6be36555 3824 l2cap_chan_lock(chan);
48454079 3825
61d6ef3e 3826 l2cap_chan_hold(chan);
48454079 3827 l2cap_chan_del(chan, 0);
6be36555
AE		 3828
3829 l2cap_chan_unlock(chan);
1da177e4 3830
80b98027 3831 chan->ops->close(chan);
61d6ef3e 3832 l2cap_chan_put(chan);
3df91ea2
AE		 3833
3834 mutex_unlock(&conn->chan_lock);
3835
1da177e4
LT		 3836 return 0;
3837}
3838
3839static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3840{
3841 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3842 u16 type;
3843
3844 type = __le16_to_cpu(req->type);
3845
3846 BT_DBG("type 0x%4.4x", type);
3847
f0709e03
MH		 3848 if (type == L2CAP_IT_FEAT_MASK) {
3849 u8 buf[8];
44dd46de 3850 u32 feat_mask = l2cap_feat_mask;
f0709e03 3851 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 3852 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
3853 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3854 if (!disable_ertm)
fcc203c3
GP		 3855 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3856 | L2CAP_FEAT_FCS;
a5fd6f30 3857 if (enable_hs)
6327eb98
AE		 3858 feat_mask |= L2CAP_FEAT_EXT_FLOW
3859 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3860
1b7bf4ed 3861 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3862 l2cap_send_cmd(conn, cmd->ident,
3863 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3864 } else if (type == L2CAP_IT_FIXED_CHAN) {
3865 u8 buf[12];
3866 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3867
3868 if (enable_hs)
3869 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3870 else
3871 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3872
ac73498c
AE		 3873 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3874 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3875 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH		 3876 l2cap_send_cmd(conn, cmd->ident,
3877 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3878 } else {
3879 struct l2cap_info_rsp rsp;
3880 rsp.type = cpu_to_le16(type);
ac73498c 3881 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
f0709e03
MH		 3882 l2cap_send_cmd(conn, cmd->ident,
3883 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3884 }
1da177e4
LT		 3885
3886 return 0;
3887}
3888
3889static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3890{
3891 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3892 u16 type, result;
3893
3894 type = __le16_to_cpu(rsp->type);
3895 result = __le16_to_cpu(rsp->result);
3896
3897 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3898
e90165be
AE		 3899 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3900 if (cmd->ident != conn->info_ident ||
3901 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3902 return 0;
3903
17cd3f37 3904 cancel_delayed_work(&conn->info_timer);
4e8402a3 3905
adb08ede
VT		 3906 if (result != L2CAP_IR_SUCCESS) {
3907 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3908 conn->info_ident = 0;
3909
3910 l2cap_conn_start(conn);
3911
3912 return 0;
3913 }
3914
978c93b9
AE		 3915 switch (type) {
3916 case L2CAP_IT_FEAT_MASK:
83985319 3917 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3918
47ec1dcd 3919 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 3920 struct l2cap_info_req req;
ac73498c 3921 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 3922
3923 conn->info_ident = l2cap_get_ident(conn);
3924
3925 l2cap_send_cmd(conn, conn->info_ident,
3926 L2CAP_INFO_REQ, sizeof(req), &req);
3927 } else {
3928 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3929 conn->info_ident = 0;
3930
3931 l2cap_conn_start(conn);
3932 }
978c93b9
AE		 3933 break;
3934
3935 case L2CAP_IT_FIXED_CHAN:
3936 conn->fixed_chan_mask = rsp->data[0];
984947dc 3937 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3938 conn->info_ident = 0;
984947dc
MH		 3939
3940 l2cap_conn_start(conn);
978c93b9 3941 break;
984947dc 3942 }
4e8402a3 3943
1da177e4
LT		 3944 return 0;
3945}
3946
f94ff6ff
MM		 3947static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3948 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3949 void *data)
3950{
3951 struct l2cap_create_chan_req *req = data;
3952 struct l2cap_create_chan_rsp rsp;
3953 u16 psm, scid;
3954
3955 if (cmd_len != sizeof(*req))
3956 return -EPROTO;
3957
3958 if (!enable_hs)
3959 return -EINVAL;
3960
3961 psm = le16_to_cpu(req->psm);
3962 scid = le16_to_cpu(req->scid);
3963
3964 BT_DBG("psm %d, scid %d, amp_id %d", psm, scid, req->amp_id);
3965
3966 /* Placeholder: Always reject */
3967 rsp.dcid = 0;
3968 rsp.scid = cpu_to_le16(scid);
8ce0c498
AE		 3969 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
3970 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f94ff6ff
MM		 3971
3972 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
3973 sizeof(rsp), &rsp);
3974
3975 return 0;
3976}
3977
3978static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
3979 struct l2cap_cmd_hdr *cmd, void *data)
3980{
3981 BT_DBG("conn %p", conn);
3982
3983 return l2cap_connect_rsp(conn, cmd, data);
3984}
3985
8d5a04a1
MM		 3986static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
3987 u16 icid, u16 result)
3988{
3989 struct l2cap_move_chan_rsp rsp;
3990
3991 BT_DBG("icid %d, result %d", icid, result);
3992
3993 rsp.icid = cpu_to_le16(icid);
3994 rsp.result = cpu_to_le16(result);
3995
3996 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
3997}
3998
3999static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
4000 struct l2cap_chan *chan, u16 icid, u16 result)
4001{
4002 struct l2cap_move_chan_cfm cfm;
4003 u8 ident;
4004
4005 BT_DBG("icid %d, result %d", icid, result);
4006
4007 ident = l2cap_get_ident(conn);
4008 if (chan)
4009 chan->ident = ident;
4010
4011 cfm.icid = cpu_to_le16(icid);
4012 cfm.result = cpu_to_le16(result);
4013
4014 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
4015}
4016
4017static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
4018 u16 icid)
4019{
4020 struct l2cap_move_chan_cfm_rsp rsp;
4021
4022 BT_DBG("icid %d", icid);
4023
4024 rsp.icid = cpu_to_le16(icid);
4025 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4026}
4027
4028static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
4029 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4030{
4031 struct l2cap_move_chan_req *req = data;
4032 u16 icid = 0;
4033 u16 result = L2CAP_MR_NOT_ALLOWED;
4034
4035 if (cmd_len != sizeof(*req))
4036 return -EPROTO;
4037
4038 icid = le16_to_cpu(req->icid);
4039
4040 BT_DBG("icid %d, dest_amp_id %d", icid, req->dest_amp_id);
4041
4042 if (!enable_hs)
4043 return -EINVAL;
4044
4045 /* Placeholder: Always refuse */
4046 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
4047
4048 return 0;
4049}
4050
4051static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
4052 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4053{
4054 struct l2cap_move_chan_rsp *rsp = data;
4055 u16 icid, result;
4056
4057 if (cmd_len != sizeof(*rsp))
4058 return -EPROTO;
4059
4060 icid = le16_to_cpu(rsp->icid);
4061 result = le16_to_cpu(rsp->result);
4062
4063 BT_DBG("icid %d, result %d", icid, result);
4064
4065 /* Placeholder: Always unconfirmed */
4066 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
4067
4068 return 0;
4069}
4070
4071static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
4072 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4073{
4074 struct l2cap_move_chan_cfm *cfm = data;
4075 u16 icid, result;
4076
4077 if (cmd_len != sizeof(*cfm))
4078 return -EPROTO;
4079
4080 icid = le16_to_cpu(cfm->icid);
4081 result = le16_to_cpu(cfm->result);
4082
4083 BT_DBG("icid %d, result %d", icid, result);
4084
4085 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4086
4087 return 0;
4088}
4089
4090static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
4091 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4092{
4093 struct l2cap_move_chan_cfm_rsp *rsp = data;
4094 u16 icid;
4095
4096 if (cmd_len != sizeof(*rsp))
4097 return -EPROTO;
4098
4099 icid = le16_to_cpu(rsp->icid);
4100
4101 BT_DBG("icid %d", icid);
4102
4103 return 0;
4104}
4105
e2174ca4 4106static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 4107 u16 to_multiplier)
4108{
4109 u16 max_latency;
4110
4111 if (min > max || min < 6 || max > 3200)
4112 return -EINVAL;
4113
4114 if (to_multiplier < 10 || to_multiplier > 3200)
4115 return -EINVAL;
4116
4117 if (max >= to_multiplier * 8)
4118 return -EINVAL;
4119
4120 max_latency = (to_multiplier * 8 / max) - 1;
4121 if (latency > 499 || latency > max_latency)
4122 return -EINVAL;
4123
4124 return 0;
4125}
4126
4127static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
4128 struct l2cap_cmd_hdr *cmd, u8 *data)
4129{
4130 struct hci_conn *hcon = conn->hcon;
4131 struct l2cap_conn_param_update_req *req;
4132 struct l2cap_conn_param_update_rsp rsp;
4133 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 4134 int err;
de73115a
CT		 4135
4136 if (!(hcon->link_mode & HCI_LM_MASTER))
4137 return -EINVAL;
4138
4139 cmd_len = __le16_to_cpu(cmd->len);
4140 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
4141 return -EPROTO;
4142
4143 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 4144 min = __le16_to_cpu(req->min);
4145 max = __le16_to_cpu(req->max);
de73115a
CT		 4146 latency = __le16_to_cpu(req->latency);
4147 to_multiplier = __le16_to_cpu(req->to_multiplier);
4148
4149 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
4150 min, max, latency, to_multiplier);
4151
4152 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 4153
4154 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
4155 if (err)
ac73498c 4156 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 4157 else
ac73498c 4158 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 4159
4160 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
4161 sizeof(rsp), &rsp);
4162
2ce603eb
CT		 4163 if (!err)
4164 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
4165
de73115a
CT		 4166 return 0;
4167}
4168
3300d9a9
CT		 4169static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
4170 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4171{
4172 int err = 0;
4173
4174 switch (cmd->code) {
4175 case L2CAP_COMMAND_REJ:
4176 l2cap_command_rej(conn, cmd, data);
4177 break;
4178
4179 case L2CAP_CONN_REQ:
4180 err = l2cap_connect_req(conn, cmd, data);
4181 break;
4182
4183 case L2CAP_CONN_RSP:
4184 err = l2cap_connect_rsp(conn, cmd, data);
4185 break;
4186
4187 case L2CAP_CONF_REQ:
4188 err = l2cap_config_req(conn, cmd, cmd_len, data);
4189 break;
4190
4191 case L2CAP_CONF_RSP:
4192 err = l2cap_config_rsp(conn, cmd, data);
4193 break;
4194
4195 case L2CAP_DISCONN_REQ:
4196 err = l2cap_disconnect_req(conn, cmd, data);
4197 break;
4198
4199 case L2CAP_DISCONN_RSP:
4200 err = l2cap_disconnect_rsp(conn, cmd, data);
4201 break;
4202
4203 case L2CAP_ECHO_REQ:
4204 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
4205 break;
4206
4207 case L2CAP_ECHO_RSP:
4208 break;
4209
4210 case L2CAP_INFO_REQ:
4211 err = l2cap_information_req(conn, cmd, data);
4212 break;
4213
4214 case L2CAP_INFO_RSP:
4215 err = l2cap_information_rsp(conn, cmd, data);
4216 break;
4217
f94ff6ff
MM		 4218 case L2CAP_CREATE_CHAN_REQ:
4219 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
4220 break;
4221
4222 case L2CAP_CREATE_CHAN_RSP:
4223 err = l2cap_create_channel_rsp(conn, cmd, data);
4224 break;
4225
8d5a04a1
MM		 4226 case L2CAP_MOVE_CHAN_REQ:
4227 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
4228 break;
4229
4230 case L2CAP_MOVE_CHAN_RSP:
4231 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
4232 break;
4233
4234 case L2CAP_MOVE_CHAN_CFM:
4235 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
4236 break;
4237
4238 case L2CAP_MOVE_CHAN_CFM_RSP:
4239 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
4240 break;
4241
3300d9a9
CT		 4242 default:
4243 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
4244 err = -EINVAL;
4245 break;
4246 }
4247
4248 return err;
4249}
4250
4251static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
4252 struct l2cap_cmd_hdr *cmd, u8 *data)
4253{
4254 switch (cmd->code) {
4255 case L2CAP_COMMAND_REJ:
4256 return 0;
4257
4258 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 4259 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 4260
4261 case L2CAP_CONN_PARAM_UPDATE_RSP:
4262 return 0;
4263
4264 default:
4265 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
4266 return -EINVAL;
4267 }
4268}
4269
4270static inline void l2cap_sig_channel(struct l2cap_conn *conn,
4271 struct sk_buff *skb)
1da177e4
LT		 4272{
4273 u8 *data = skb->data;
4274 int len = skb->len;
4275 struct l2cap_cmd_hdr cmd;
3300d9a9 4276 int err;
1da177e4
LT		 4277
4278 l2cap_raw_recv(conn, skb);
4279
4280 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 4281 u16 cmd_len;
1da177e4
LT		 4282 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
4283 data += L2CAP_CMD_HDR_SIZE;
4284 len -= L2CAP_CMD_HDR_SIZE;
4285
88219a0f 4286 cmd_len = le16_to_cpu(cmd.len);
1da177e4 4287
88219a0f 4288 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 4289
88219a0f 4290 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 4291 BT_DBG("corrupted command");
4292 break;
4293 }
4294
3300d9a9
CT		 4295 if (conn->hcon->type == LE_LINK)
4296 err = l2cap_le_sig_cmd(conn, &cmd, data);
4297 else
4298 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 4299
4300 if (err) {
e2fd318e 4301 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 4302
4303 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 4304
4305 /* FIXME: Map err to a valid reason */
ac73498c 4306 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 4307 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4308 }
4309
88219a0f
AV		 4310 data += cmd_len;
4311 len -= cmd_len;
1da177e4
LT		 4312 }
4313
4314 kfree_skb(skb);
4315}
4316
47d1ec61 4317static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 4318{
4319 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 4320 int hdr_size;
4321
4322 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
4323 hdr_size = L2CAP_EXT_HDR_SIZE;
4324 else
4325 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 4326
47d1ec61 4327 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 4328 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 4329 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
4330 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
4331
4332 if (our_fcs != rcv_fcs)
7a560e5c 4333 return -EBADMSG;
fcc203c3
GP		 4334 }
4335 return 0;
4336}
4337
6ea00485 4338static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 4339{
e31f7633 4340 struct l2cap_ctrl control;
d5392c8f 4341
e31f7633 4342 BT_DBG("chan %p", chan);
d5392c8f 4343
e31f7633
MM		 4344 memset(&control, 0, sizeof(control));
4345 control.sframe = 1;
4346 control.final = 1;
4347 control.reqseq = chan->buffer_seq;
4348 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 4349
e2ab4353 4350 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 4351 control.super = L2CAP_SUPER_RNR;
4352 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4353 }
4354
e31f7633
MM		 4355 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
4356 chan->unacked_frames > 0)
4357 __set_retrans_timer(chan);
d5392c8f 4358
e31f7633 4359 /* Send pending iframes */
525cd185 4360 l2cap_ertm_send(chan);
d5392c8f 4361
e2ab4353 4362 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 4363 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
4364 /* F-bit wasn't sent in an s-frame or i-frame yet, so
4365 * send it now.
4366 */
4367 control.super = L2CAP_SUPER_RR;
4368 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4369 }
4370}
4371
84084a31
MM		 4372static void append_skb_frag(struct sk_buff *skb,
4373 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 4374{
84084a31
MM		 4375 /* skb->len reflects data in skb as well as all fragments
4376 * skb->data_len reflects only data in fragments
4377 */
4378 if (!skb_has_frag_list(skb))
4379 skb_shinfo(skb)->frag_list = new_frag;
4380
4381 new_frag->next = NULL;
4382
4383 (*last_frag)->next = new_frag;
4384 *last_frag = new_frag;
4385
4386 skb->len += new_frag->len;
4387 skb->data_len += new_frag->len;
4388 skb->truesize += new_frag->truesize;
4389}
4390
4b51dae9
MM		 4391static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
4392 struct l2cap_ctrl *control)
84084a31
MM		 4393{
4394 int err = -EINVAL;
18778a63 4395
4b51dae9 4396 switch (control->sar) {
7e0ef6ee 4397 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 4398 if (chan->sdu)
4399 break;
18778a63 4400
80b98027 4401 err = chan->ops->recv(chan, skb);
84084a31 4402 break;
18778a63 4403
7e0ef6ee 4404 case L2CAP_SAR_START:
84084a31
MM		 4405 if (chan->sdu)
4406 break;
18778a63 4407
6f61fd47 4408 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 4409 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 4410
84084a31
MM		 4411 if (chan->sdu_len > chan->imtu) {
4412 err = -EMSGSIZE;
4413 break;
4414 }
1890d36b 4415
84084a31
MM		 4416 if (skb->len >= chan->sdu_len)
4417 break;
18778a63 4418
84084a31
MM		 4419 chan->sdu = skb;
4420 chan->sdu_last_frag = skb;
18778a63 4421
84084a31
MM		 4422 skb = NULL;
4423 err = 0;
18778a63
GP		 4424 break;
4425
7e0ef6ee 4426 case L2CAP_SAR_CONTINUE:
6f61fd47 4427 if (!chan->sdu)
84084a31 4428 break;
18778a63 4429
84084a31
MM		 4430 append_skb_frag(chan->sdu, skb,
4431 &chan->sdu_last_frag);
4432 skb = NULL;
18778a63 4433
84084a31
MM		 4434 if (chan->sdu->len >= chan->sdu_len)
4435 break;
4178ba46 4436
84084a31 4437 err = 0;
18778a63
GP		 4438 break;
4439
7e0ef6ee 4440 case L2CAP_SAR_END:
6f61fd47 4441 if (!chan->sdu)
84084a31 4442 break;
18778a63 4443
84084a31
MM		 4444 append_skb_frag(chan->sdu, skb,
4445 &chan->sdu_last_frag);
4446 skb = NULL;
4178ba46 4447
84084a31
MM		 4448 if (chan->sdu->len != chan->sdu_len)
4449 break;
18778a63 4450
80b98027 4451 err = chan->ops->recv(chan, chan->sdu);
1890d36b 4452
84084a31
MM		 4453 if (!err) {
4454 /* Reassembly complete */
4455 chan->sdu = NULL;
4456 chan->sdu_last_frag = NULL;
4457 chan->sdu_len = 0;
1890d36b 4458 }
18778a63
GP		 4459 break;
4460 }
4461
84084a31
MM		 4462 if (err) {
4463 kfree_skb(skb);
4464 kfree_skb(chan->sdu);
4465 chan->sdu = NULL;
4466 chan->sdu_last_frag = NULL;
4467 chan->sdu_len = 0;
4468 }
18778a63 4469
84084a31 4470 return err;
18778a63
GP		 4471}
4472
61aa4f5b 4473void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 4474{
61aa4f5b 4475 u8 event;
712132eb 4476
61aa4f5b
MM		 4477 if (chan->mode != L2CAP_MODE_ERTM)
4478 return;
712132eb 4479
61aa4f5b 4480 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 4481 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 4482}
4483
d2a7ac5d
MM		 4484static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
4485{
63838725
MM		 4486 int err = 0;
4487 /* Pass sequential frames to l2cap_reassemble_sdu()
4488 * until a gap is encountered.
4489 */
4490
4491 BT_DBG("chan %p", chan);
4492
4493 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4494 struct sk_buff *skb;
4495 BT_DBG("Searching for skb with txseq %d (queue len %d)",
4496 chan->buffer_seq, skb_queue_len(&chan->srej_q));
4497
4498 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
4499
4500 if (!skb)
4501 break;
4502
4503 skb_unlink(skb, &chan->srej_q);
4504 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
4505 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
4506 if (err)
4507 break;
4508 }
4509
4510 if (skb_queue_empty(&chan->srej_q)) {
4511 chan->rx_state = L2CAP_RX_STATE_RECV;
4512 l2cap_send_ack(chan);
4513 }
4514
4515 return err;
d2a7ac5d
MM		 4516}
4517
4518static void l2cap_handle_srej(struct l2cap_chan *chan,
4519 struct l2cap_ctrl *control)
4520{
f80842a8
MM		 4521 struct sk_buff *skb;
4522
4523 BT_DBG("chan %p, control %p", chan, control);
4524
4525 if (control->reqseq == chan->next_tx_seq) {
4526 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4527 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4528 return;
4529 }
4530
4531 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4532
4533 if (skb == NULL) {
4534 BT_DBG("Seq %d not available for retransmission",
4535 control->reqseq);
4536 return;
4537 }
4538
4539 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
4540 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4541 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4542 return;
4543 }
4544
4545 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4546
4547 if (control->poll) {
4548 l2cap_pass_to_tx(chan, control);
4549
4550 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4551 l2cap_retransmit(chan, control);
4552 l2cap_ertm_send(chan);
4553
4554 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4555 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4556 chan->srej_save_reqseq = control->reqseq;
4557 }
4558 } else {
4559 l2cap_pass_to_tx_fbit(chan, control);
4560
4561 if (control->final) {
4562 if (chan->srej_save_reqseq != control->reqseq ||
4563 !test_and_clear_bit(CONN_SREJ_ACT,
4564 &chan->conn_state))
4565 l2cap_retransmit(chan, control);
4566 } else {
4567 l2cap_retransmit(chan, control);
4568 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4569 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4570 chan->srej_save_reqseq = control->reqseq;
4571 }
4572 }
4573 }
d2a7ac5d
MM		 4574}
4575
4576static void l2cap_handle_rej(struct l2cap_chan *chan,
4577 struct l2cap_ctrl *control)
4578{
fcd289df
MM		 4579 struct sk_buff *skb;
4580
4581 BT_DBG("chan %p, control %p", chan, control);
4582
4583 if (control->reqseq == chan->next_tx_seq) {
4584 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4585 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4586 return;
4587 }
4588
4589 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4590
4591 if (chan->max_tx && skb &&
4592 bt_cb(skb)->control.retries >= chan->max_tx) {
4593 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4594 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4595 return;
4596 }
4597
4598 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4599
4600 l2cap_pass_to_tx(chan, control);
4601
4602 if (control->final) {
4603 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
4604 l2cap_retransmit_all(chan, control);
4605 } else {
4606 l2cap_retransmit_all(chan, control);
4607 l2cap_ertm_send(chan);
4608 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
4609 set_bit(CONN_REJ_ACT, &chan->conn_state);
4610 }
d2a7ac5d
MM		 4611}
4612
4b51dae9
MM		 4613static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
4614{
4615 BT_DBG("chan %p, txseq %d", chan, txseq);
4616
4617 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
4618 chan->expected_tx_seq);
4619
4620 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
4621 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4622 chan->tx_win) {
4623 /* See notes below regarding "double poll" and
4624 * invalid packets.
4625 */
4626 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4627 BT_DBG("Invalid/Ignore - after SREJ");
4628 return L2CAP_TXSEQ_INVALID_IGNORE;
4629 } else {
4630 BT_DBG("Invalid - in window after SREJ sent");
4631 return L2CAP_TXSEQ_INVALID;
4632 }
4633 }
4634
4635 if (chan->srej_list.head == txseq) {
4636 BT_DBG("Expected SREJ");
4637 return L2CAP_TXSEQ_EXPECTED_SREJ;
4638 }
4639
4640 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
4641 BT_DBG("Duplicate SREJ - txseq already stored");
4642 return L2CAP_TXSEQ_DUPLICATE_SREJ;
4643 }
4644
4645 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
4646 BT_DBG("Unexpected SREJ - not requested");
4647 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
4648 }
4649 }
4650
4651 if (chan->expected_tx_seq == txseq) {
4652 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4653 chan->tx_win) {
4654 BT_DBG("Invalid - txseq outside tx window");
4655 return L2CAP_TXSEQ_INVALID;
4656 } else {
4657 BT_DBG("Expected");
4658 return L2CAP_TXSEQ_EXPECTED;
4659 }
4660 }
4661
4662 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
4663 __seq_offset(chan, chan->expected_tx_seq,
4664 chan->last_acked_seq)){
4665 BT_DBG("Duplicate - expected_tx_seq later than txseq");
4666 return L2CAP_TXSEQ_DUPLICATE;
4667 }
4668
4669 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
4670 /* A source of invalid packets is a "double poll" condition,
4671 * where delays cause us to send multiple poll packets. If
4672 * the remote stack receives and processes both polls,
4673 * sequence numbers can wrap around in such a way that a
4674 * resent frame has a sequence number that looks like new data
4675 * with a sequence gap. This would trigger an erroneous SREJ
4676 * request.
4677 *
4678 * Fortunately, this is impossible with a tx window that's
4679 * less than half of the maximum sequence number, which allows
4680 * invalid frames to be safely ignored.
4681 *
4682 * With tx window sizes greater than half of the tx window
4683 * maximum, the frame is invalid and cannot be ignored. This
4684 * causes a disconnect.
4685 */
4686
4687 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4688 BT_DBG("Invalid/Ignore - txseq outside tx window");
4689 return L2CAP_TXSEQ_INVALID_IGNORE;
4690 } else {
4691 BT_DBG("Invalid - txseq outside tx window");
4692 return L2CAP_TXSEQ_INVALID;
4693 }
4694 } else {
4695 BT_DBG("Unexpected - txseq indicates missing frames");
4696 return L2CAP_TXSEQ_UNEXPECTED;
4697 }
4698}
4699
d2a7ac5d
MM		 4700static int l2cap_rx_state_recv(struct l2cap_chan *chan,
4701 struct l2cap_ctrl *control,
4702 struct sk_buff *skb, u8 event)
4703{
4704 int err = 0;
4705 bool skb_in_use = 0;
4706
4707 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4708 event);
4709
4710 switch (event) {
4711 case L2CAP_EV_RECV_IFRAME:
4712 switch (l2cap_classify_txseq(chan, control->txseq)) {
4713 case L2CAP_TXSEQ_EXPECTED:
4714 l2cap_pass_to_tx(chan, control);
4715
4716 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4717 BT_DBG("Busy, discarding expected seq %d",
4718 control->txseq);
4719 break;
4720 }
4721
4722 chan->expected_tx_seq = __next_seq(chan,
4723 control->txseq);
4724
4725 chan->buffer_seq = chan->expected_tx_seq;
4726 skb_in_use = 1;
4727
4728 err = l2cap_reassemble_sdu(chan, skb, control);
4729 if (err)
4730 break;
4731
4732 if (control->final) {
4733 if (!test_and_clear_bit(CONN_REJ_ACT,
4734 &chan->conn_state)) {
4735 control->final = 0;
4736 l2cap_retransmit_all(chan, control);
4737 l2cap_ertm_send(chan);
4738 }
4739 }
4740
4741 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
4742 l2cap_send_ack(chan);
4743 break;
4744 case L2CAP_TXSEQ_UNEXPECTED:
4745 l2cap_pass_to_tx(chan, control);
4746
4747 /* Can't issue SREJ frames in the local busy state.
4748 * Drop this frame, it will be seen as missing
4749 * when local busy is exited.
4750 */
4751 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4752 BT_DBG("Busy, discarding unexpected seq %d",
4753 control->txseq);
4754 break;
4755 }
4756
4757 /* There was a gap in the sequence, so an SREJ
4758 * must be sent for each missing frame. The
4759 * current frame is stored for later use.
4760 */
4761 skb_queue_tail(&chan->srej_q, skb);
4762 skb_in_use = 1;
4763 BT_DBG("Queued %p (queue len %d)", skb,
4764 skb_queue_len(&chan->srej_q));
4765
4766 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
4767 l2cap_seq_list_clear(&chan->srej_list);
4768 l2cap_send_srej(chan, control->txseq);
4769
4770 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
4771 break;
4772 case L2CAP_TXSEQ_DUPLICATE:
4773 l2cap_pass_to_tx(chan, control);
4774 break;
4775 case L2CAP_TXSEQ_INVALID_IGNORE:
4776 break;
4777 case L2CAP_TXSEQ_INVALID:
4778 default:
4779 l2cap_send_disconn_req(chan->conn, chan,
4780 ECONNRESET);
4781 break;
4782 }
4783 break;
4784 case L2CAP_EV_RECV_RR:
4785 l2cap_pass_to_tx(chan, control);
4786 if (control->final) {
4787 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4788
4789 if (!test_and_clear_bit(CONN_REJ_ACT,
4790 &chan->conn_state)) {
4791 control->final = 0;
4792 l2cap_retransmit_all(chan, control);
4793 }
4794
4795 l2cap_ertm_send(chan);
4796 } else if (control->poll) {
4797 l2cap_send_i_or_rr_or_rnr(chan);
4798 } else {
4799 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4800 &chan->conn_state) &&
4801 chan->unacked_frames)
4802 __set_retrans_timer(chan);
4803
4804 l2cap_ertm_send(chan);
4805 }
4806 break;
4807 case L2CAP_EV_RECV_RNR:
4808 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4809 l2cap_pass_to_tx(chan, control);
4810 if (control && control->poll) {
4811 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4812 l2cap_send_rr_or_rnr(chan, 0);
4813 }
4814 __clear_retrans_timer(chan);
4815 l2cap_seq_list_clear(&chan->retrans_list);
4816 break;
4817 case L2CAP_EV_RECV_REJ:
4818 l2cap_handle_rej(chan, control);
4819 break;
4820 case L2CAP_EV_RECV_SREJ:
4821 l2cap_handle_srej(chan, control);
4822 break;
4823 default:
4824 break;
4825 }
4826
4827 if (skb && !skb_in_use) {
4828 BT_DBG("Freeing %p", skb);
4829 kfree_skb(skb);
4830 }
4831
4832 return err;
4833}
4834
4835static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
4836 struct l2cap_ctrl *control,
4837 struct sk_buff *skb, u8 event)
4838{
4839 int err = 0;
4840 u16 txseq = control->txseq;
4841 bool skb_in_use = 0;
4842
4843 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4844 event);
4845
4846 switch (event) {
4847 case L2CAP_EV_RECV_IFRAME:
4848 switch (l2cap_classify_txseq(chan, txseq)) {
4849 case L2CAP_TXSEQ_EXPECTED:
4850 /* Keep frame for reassembly later */
4851 l2cap_pass_to_tx(chan, control);
4852 skb_queue_tail(&chan->srej_q, skb);
4853 skb_in_use = 1;
4854 BT_DBG("Queued %p (queue len %d)", skb,
4855 skb_queue_len(&chan->srej_q));
4856
4857 chan->expected_tx_seq = __next_seq(chan, txseq);
4858 break;
4859 case L2CAP_TXSEQ_EXPECTED_SREJ:
4860 l2cap_seq_list_pop(&chan->srej_list);
4861
4862 l2cap_pass_to_tx(chan, control);
4863 skb_queue_tail(&chan->srej_q, skb);
4864 skb_in_use = 1;
4865 BT_DBG("Queued %p (queue len %d)", skb,
4866 skb_queue_len(&chan->srej_q));
4867
4868 err = l2cap_rx_queued_iframes(chan);
4869 if (err)
4870 break;
4871
4872 break;
4873 case L2CAP_TXSEQ_UNEXPECTED:
4874 /* Got a frame that can't be reassembled yet.
4875 * Save it for later, and send SREJs to cover
4876 * the missing frames.
4877 */
4878 skb_queue_tail(&chan->srej_q, skb);
4879 skb_in_use = 1;
4880 BT_DBG("Queued %p (queue len %d)", skb,
4881 skb_queue_len(&chan->srej_q));
4882
4883 l2cap_pass_to_tx(chan, control);
4884 l2cap_send_srej(chan, control->txseq);
4885 break;
4886 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
4887 /* This frame was requested with an SREJ, but
4888 * some expected retransmitted frames are
4889 * missing. Request retransmission of missing
4890 * SREJ'd frames.
4891 */
4892 skb_queue_tail(&chan->srej_q, skb);
4893 skb_in_use = 1;
4894 BT_DBG("Queued %p (queue len %d)", skb,
4895 skb_queue_len(&chan->srej_q));
4896
4897 l2cap_pass_to_tx(chan, control);
4898 l2cap_send_srej_list(chan, control->txseq);
4899 break;
4900 case L2CAP_TXSEQ_DUPLICATE_SREJ:
4901 /* We've already queued this frame. Drop this copy. */
4902 l2cap_pass_to_tx(chan, control);
4903 break;
4904 case L2CAP_TXSEQ_DUPLICATE:
4905 /* Expecting a later sequence number, so this frame
4906 * was already received. Ignore it completely.
4907 */
4908 break;
4909 case L2CAP_TXSEQ_INVALID_IGNORE:
4910 break;
4911 case L2CAP_TXSEQ_INVALID:
4912 default:
4913 l2cap_send_disconn_req(chan->conn, chan,
4914 ECONNRESET);
4915 break;
4916 }
4917 break;
4918 case L2CAP_EV_RECV_RR:
4919 l2cap_pass_to_tx(chan, control);
4920 if (control->final) {
4921 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4922
4923 if (!test_and_clear_bit(CONN_REJ_ACT,
4924 &chan->conn_state)) {
4925 control->final = 0;
4926 l2cap_retransmit_all(chan, control);
4927 }
4928
4929 l2cap_ertm_send(chan);
4930 } else if (control->poll) {
4931 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4932 &chan->conn_state) &&
4933 chan->unacked_frames) {
4934 __set_retrans_timer(chan);
4935 }
4936
4937 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4938 l2cap_send_srej_tail(chan);
4939 } else {
4940 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4941 &chan->conn_state) &&
4942 chan->unacked_frames)
4943 __set_retrans_timer(chan);
4944
4945 l2cap_send_ack(chan);
4946 }
4947 break;
4948 case L2CAP_EV_RECV_RNR:
4949 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4950 l2cap_pass_to_tx(chan, control);
4951 if (control->poll) {
4952 l2cap_send_srej_tail(chan);
4953 } else {
4954 struct l2cap_ctrl rr_control;
4955 memset(&rr_control, 0, sizeof(rr_control));
4956 rr_control.sframe = 1;
4957 rr_control.super = L2CAP_SUPER_RR;
4958 rr_control.reqseq = chan->buffer_seq;
4959 l2cap_send_sframe(chan, &rr_control);
4960 }
4961
4962 break;
4963 case L2CAP_EV_RECV_REJ:
4964 l2cap_handle_rej(chan, control);
4965 break;
4966 case L2CAP_EV_RECV_SREJ:
4967 l2cap_handle_srej(chan, control);
4968 break;
4969 }
4970
4971 if (skb && !skb_in_use) {
4972 BT_DBG("Freeing %p", skb);
4973 kfree_skb(skb);
4974 }
4975
4976 return err;
4977}
4978
4979static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
4980{
4981 /* Make sure reqseq is for a packet that has been sent but not acked */
4982 u16 unacked;
4983
4984 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
4985 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
4986}
4987
cec8ab6e
MM		 4988static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
4989 struct sk_buff *skb, u8 event)
218bb9df 4990{
d2a7ac5d
MM		 4991 int err = 0;
4992
4993 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
4994 control, skb, event, chan->rx_state);
4995
4996 if (__valid_reqseq(chan, control->reqseq)) {
4997 switch (chan->rx_state) {
4998 case L2CAP_RX_STATE_RECV:
4999 err = l2cap_rx_state_recv(chan, control, skb, event);
5000 break;
5001 case L2CAP_RX_STATE_SREJ_SENT:
5002 err = l2cap_rx_state_srej_sent(chan, control, skb,
5003 event);
5004 break;
5005 default:
5006 /* shut it down */
5007 break;
5008 }
5009 } else {
5010 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
5011 control->reqseq, chan->next_tx_seq,
5012 chan->expected_ack_seq);
5013 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
5014 }
5015
5016 return err;
cec8ab6e
MM		 5017}
5018
5019static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5020 struct sk_buff *skb)
5021{
4b51dae9
MM		 5022 int err = 0;
5023
5024 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
5025 chan->rx_state);
5026
5027 if (l2cap_classify_txseq(chan, control->txseq) ==
5028 L2CAP_TXSEQ_EXPECTED) {
5029 l2cap_pass_to_tx(chan, control);
5030
5031 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
5032 __next_seq(chan, chan->buffer_seq));
5033
5034 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5035
5036 l2cap_reassemble_sdu(chan, skb, control);
5037 } else {
5038 if (chan->sdu) {
5039 kfree_skb(chan->sdu);
5040 chan->sdu = NULL;
5041 }
5042 chan->sdu_last_frag = NULL;
5043 chan->sdu_len = 0;
5044
5045 if (skb) {
5046 BT_DBG("Freeing %p", skb);
5047 kfree_skb(skb);
5048 }
5049 }
5050
5051 chan->last_acked_seq = control->txseq;
5052 chan->expected_tx_seq = __next_seq(chan, control->txseq);
5053
5054 return err;
cec8ab6e
MM		 5055}
5056
5057static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
5058{
5059 struct l2cap_ctrl *control = &bt_cb(skb)->control;
5060 u16 len;
5061 u8 event;
218bb9df 5062
b76bbd66
MM		 5063 __unpack_control(chan, skb);
5064
218bb9df
GP		 5065 len = skb->len;
5066
5067 /*
5068 * We can just drop the corrupted I-frame here.
5069 * Receiver will miss it and start proper recovery
cec8ab6e 5070 * procedures and ask for retransmission.
218bb9df 5071 */
47d1ec61 5072 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 5073 goto drop;
5074
cec8ab6e 5075 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 5076 len -= L2CAP_SDULEN_SIZE;
218bb9df 5077
47d1ec61 5078 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 5079 len -= L2CAP_FCS_SIZE;
218bb9df 5080
47d1ec61 5081 if (len > chan->mps) {
8c1d787b 5082 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5083 goto drop;
5084 }
5085
cec8ab6e
MM		 5086 if (!control->sframe) {
5087 int err;
218bb9df 5088
cec8ab6e
MM		 5089 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
5090 control->sar, control->reqseq, control->final,
5091 control->txseq);
218bb9df 5092
cec8ab6e
MM		 5093 /* Validate F-bit - F=0 always valid, F=1 only
5094 * valid in TX WAIT_F
5095 */
5096 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 5097 goto drop;
cec8ab6e
MM		 5098
5099 if (chan->mode != L2CAP_MODE_STREAMING) {
5100 event = L2CAP_EV_RECV_IFRAME;
5101 err = l2cap_rx(chan, control, skb, event);
5102 } else {
5103 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 5104 }
5105
cec8ab6e
MM		 5106 if (err)
5107 l2cap_send_disconn_req(chan->conn, chan,
5108 ECONNRESET);
218bb9df 5109 } else {
cec8ab6e
MM		 5110 const u8 rx_func_to_event[4] = {
5111 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
5112 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
5113 };
5114
5115 /* Only I-frames are expected in streaming mode */
5116 if (chan->mode == L2CAP_MODE_STREAMING)
5117 goto drop;
5118
5119 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
5120 control->reqseq, control->final, control->poll,
5121 control->super);
5122
218bb9df
GP		 5123 if (len != 0) {
5124 BT_ERR("%d", len);
8c1d787b 5125 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5126 goto drop;
5127 }
5128
cec8ab6e
MM		 5129 /* Validate F and P bits */
5130 if (control->final && (control->poll ||
5131 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
5132 goto drop;
5133
5134 event = rx_func_to_event[control->super];
5135 if (l2cap_rx(chan, control, skb, event))
5136 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5137 }
5138
5139 return 0;
5140
5141drop:
5142 kfree_skb(skb);
5143 return 0;
5144}
5145
1da177e4
LT		 5146static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
5147{
48454079 5148 struct l2cap_chan *chan;
1da177e4 5149
baa7e1fa 5150 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 5151 if (!chan) {
1da177e4 5152 BT_DBG("unknown cid 0x%4.4x", cid);
6be36555 5153 /* Drop packet and return */
3379013b 5154 kfree_skb(skb);
6be36555 5155 return 0;
1da177e4
LT		 5156 }
5157
49208c9c 5158 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5159
89bc500e 5160 if (chan->state != BT_CONNECTED)
1da177e4
LT		 5161 goto drop;
5162
0c1bc5c6 5163 switch (chan->mode) {
1c2acffb
GP		 5164 case L2CAP_MODE_BASIC:
5165 /* If socket recv buffers overflows we drop data here
5166 * which is *bad* because L2CAP has to be reliable.
5167 * But we don't have any other choice. L2CAP doesn't
5168 * provide flow control mechanism. */
1da177e4 5169
0c1bc5c6 5170 if (chan->imtu < skb->len)
1c2acffb 5171 goto drop;
1da177e4 5172
80b98027 5173 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 5174 goto done;
5175 break;
5176
5177 case L2CAP_MODE_ERTM:
6840ed07 5178 case L2CAP_MODE_STREAMING:
cec8ab6e 5179 l2cap_data_rcv(chan, skb);
6840ed07
GP		 5180 goto done;
5181
1c2acffb 5182 default:
0c1bc5c6 5183 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 5184 break;
5185 }
1da177e4
LT		 5186
5187drop:
5188 kfree_skb(skb);
5189
5190done:
6be36555 5191 l2cap_chan_unlock(chan);
0139418c 5192
1da177e4
LT		 5193 return 0;
5194}
5195
8e036fc3 5196static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 5197{
23691d75 5198 struct l2cap_chan *chan;
1da177e4 5199
c2287681 5200 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 5201 if (!chan)
1da177e4
LT		 5202 goto drop;
5203
5b4cedaa 5204 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5205
89bc500e 5206 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 5207 goto drop;
5208
e13e21dc 5209 if (chan->imtu < skb->len)
1da177e4
LT		 5210 goto drop;
5211
80b98027 5212 if (!chan->ops->recv(chan, skb))
5b4cedaa 5213 return 0;
1da177e4
LT		 5214
5215drop:
5216 kfree_skb(skb);
5217
1da177e4
LT		 5218 return 0;
5219}
5220
d9b88702
AE		 5221static inline int l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
5222 struct sk_buff *skb)
9f69bda6 5223{
23691d75 5224 struct l2cap_chan *chan;
9f69bda6 5225
c2287681 5226 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 5227 if (!chan)
9f69bda6
GP		 5228 goto drop;
5229
5b4cedaa 5230 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 5231
89bc500e 5232 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 5233 goto drop;
5234
e13e21dc 5235 if (chan->imtu < skb->len)
9f69bda6
GP		 5236 goto drop;
5237
80b98027 5238 if (!chan->ops->recv(chan, skb))
5b4cedaa 5239 return 0;
9f69bda6
GP		 5240
5241drop:
5242 kfree_skb(skb);
5243
9f69bda6
GP		 5244 return 0;
5245}
5246
1da177e4
LT		 5247static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
5248{
5249 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 5250 u16 cid, len;
5251 __le16 psm;
1da177e4
LT		 5252
5253 skb_pull(skb, L2CAP_HDR_SIZE);
5254 cid = __le16_to_cpu(lh->cid);
5255 len = __le16_to_cpu(lh->len);
5256
1c2acffb
GP		 5257 if (len != skb->len) {
5258 kfree_skb(skb);
5259 return;
5260 }
5261
1da177e4
LT		 5262 BT_DBG("len %d, cid 0x%4.4x", len, cid);
5263
5264 switch (cid) {
3300d9a9 5265 case L2CAP_CID_LE_SIGNALING:
8db4dc46 5266 case L2CAP_CID_SIGNALING:
1da177e4
LT		 5267 l2cap_sig_channel(conn, skb);
5268 break;
5269
8db4dc46 5270 case L2CAP_CID_CONN_LESS:
097db76c 5271 psm = get_unaligned((__le16 *) skb->data);
1da177e4
LT		 5272 skb_pull(skb, 2);
5273 l2cap_conless_channel(conn, psm, skb);
5274 break;
5275
9f69bda6
GP		 5276 case L2CAP_CID_LE_DATA:
5277 l2cap_att_channel(conn, cid, skb);
5278 break;
5279
b501d6a1
AB		 5280 case L2CAP_CID_SMP:
5281 if (smp_sig_channel(conn, skb))
5282 l2cap_conn_del(conn->hcon, EACCES);
5283 break;
5284
1da177e4
LT		 5285 default:
5286 l2cap_data_channel(conn, cid, skb);
5287 break;
5288 }
5289}
5290
5291/* ---- L2CAP interface with lower layer (HCI) ---- */
5292
686ebf28 5293int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 5294{
5295 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 5296 struct l2cap_chan *c;
1da177e4 5297
1da177e4
LT		 5298 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
5299
5300 /* Find listening sockets and check their link_mode */
23691d75
GP		 5301 read_lock(&chan_list_lock);
5302 list_for_each_entry(c, &chan_list, global_l) {
5303 struct sock *sk = c->sk;
4343478f 5304
89bc500e 5305 if (c->state != BT_LISTEN)
1da177e4
LT		 5306 continue;
5307
5308 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 5309 lm1 |= HCI_LM_ACCEPT;
43bd0f32 5310 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 5311 lm1 |= HCI_LM_MASTER;
1da177e4 5312 exact++;
2af6b9d5
MH		 5313 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
5314 lm2 |= HCI_LM_ACCEPT;
43bd0f32 5315 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 5316 lm2 |= HCI_LM_MASTER;
5317 }
1da177e4 5318 }
23691d75 5319 read_unlock(&chan_list_lock);
1da177e4
LT		 5320
5321 return exact ? lm1 : lm2;
5322}
5323
686ebf28 5324int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 5325{
0139418c
MH		 5326 struct l2cap_conn *conn;
5327
1da177e4
LT		 5328 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
5329
1da177e4 5330 if (!status) {
1da177e4
LT		 5331 conn = l2cap_conn_add(hcon, status);
5332 if (conn)
5333 l2cap_conn_ready(conn);
0139418c 5334 } else
e175072f 5335 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 5336
5337 return 0;
5338}
5339
686ebf28 5340int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 5341{
5342 struct l2cap_conn *conn = hcon->l2cap_data;
5343
5344 BT_DBG("hcon %p", hcon);
5345
686ebf28 5346 if (!conn)
9f5a0d7b 5347 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 5348 return conn->disc_reason;
5349}
5350
686ebf28 5351int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 5352{
5353 BT_DBG("hcon %p reason %d", hcon, reason);
5354
e175072f 5355 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 5356 return 0;
5357}
5358
4343478f 5359static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 5360{
715ec005 5361 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 5362 return;
5363
f62e4323 5364 if (encrypt == 0x00) {
4343478f 5365 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 5366 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 5367 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 5368 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 5369 } else {
4343478f 5370 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 5371 __clear_chan_timer(chan);
f62e4323
MH		 5372 }
5373}
5374
686ebf28 5375int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 5376{
0139418c 5377 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 5378 struct l2cap_chan *chan;
1da177e4 5379
0139418c 5380 if (!conn)
1da177e4 5381 return 0;
0139418c 5382
1da177e4
LT		 5383 BT_DBG("conn %p", conn);
5384
160dc6ac 5385 if (hcon->type == LE_LINK) {
35d4adcc
HG		 5386 if (!status && encrypt)
5387 smp_distribute_keys(conn, 0);
17cd3f37 5388 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 5389 }
5390
3df91ea2 5391 mutex_lock(&conn->chan_lock);
1da177e4 5392
3df91ea2 5393 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 5394 l2cap_chan_lock(chan);
1da177e4 5395
f1cb9af5
VCG		 5396 BT_DBG("chan->scid %d", chan->scid);
5397
5398 if (chan->scid == L2CAP_CID_LE_DATA) {
5399 if (!status && encrypt) {
5400 chan->sec_level = hcon->sec_level;
cf4cd009 5401 l2cap_chan_ready(chan);
f1cb9af5
VCG		 5402 }
5403
6be36555 5404 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 5405 continue;
5406 }
5407
c1360a1c 5408 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6be36555 5409 l2cap_chan_unlock(chan);
6a8d3010
MH		 5410 continue;
5411 }
5412
89bc500e
GP		 5413 if (!status && (chan->state == BT_CONNECTED ||
5414 chan->state == BT_CONFIG)) {
a7d7723a
GP		 5415 struct sock *sk = chan->sk;
5416
c5daa683 5417 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 5418 sk->sk_state_change(sk);
5419
4343478f 5420 l2cap_check_encryption(chan, encrypt);
6be36555 5421 l2cap_chan_unlock(chan);
9719f8af
MH		 5422 continue;
5423 }
5424
89bc500e 5425 if (chan->state == BT_CONNECT) {
b1235d79 5426 if (!status) {
9b27f350 5427 l2cap_send_conn_req(chan);
b1235d79 5428 } else {
ba13ccd9 5429 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 5430 }
89bc500e 5431 } else if (chan->state == BT_CONNECT2) {
6be36555 5432 struct sock *sk = chan->sk;
b1235d79 5433 struct l2cap_conn_rsp rsp;
df3c3931 5434 __u16 res, stat;
1da177e4 5435
6be36555
AE		 5436 lock_sock(sk);
5437
b1235d79 5438 if (!status) {
c5daa683
GP		 5439 if (test_bit(BT_SK_DEFER_SETUP,
5440 &bt_sk(sk)->flags)) {
df3c3931
JH		 5441 struct sock *parent = bt_sk(sk)->parent;
5442 res = L2CAP_CR_PEND;
5443 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 5444 if (parent)
5445 parent->sk_data_ready(parent, 0);
df3c3931 5446 } else {
0e587be7 5447 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 5448 res = L2CAP_CR_SUCCESS;
5449 stat = L2CAP_CS_NO_INFO;
5450 }
b1235d79 5451 } else {
0e587be7 5452 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 5453 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 5454 res = L2CAP_CR_SEC_BLOCK;
5455 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 5456 }
5457
6be36555
AE		 5458 release_sock(sk);
5459
fe4128e0
GP		 5460 rsp.scid = cpu_to_le16(chan->dcid);
5461 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 5462 rsp.result = cpu_to_le16(res);
5463 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 5464 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
5465 sizeof(rsp), &rsp);
2d369359
MM		 5466
5467 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
5468 res == L2CAP_CR_SUCCESS) {
5469 char buf[128];
5470 set_bit(CONF_REQ_SENT, &chan->conf_state);
5471 l2cap_send_cmd(conn, l2cap_get_ident(conn),
5472 L2CAP_CONF_REQ,
5473 l2cap_build_conf_req(chan, buf),
5474 buf);
5475 chan->num_conf_req++;
5476 }
b1235d79 5477 }
1da177e4 5478
6be36555 5479 l2cap_chan_unlock(chan);
1da177e4
LT		 5480 }
5481
3df91ea2 5482 mutex_unlock(&conn->chan_lock);
b1235d79 5483
1da177e4
LT		 5484 return 0;
5485}
5486
686ebf28 5487int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 5488{
5489 struct l2cap_conn *conn = hcon->l2cap_data;
5490
5a08ecce
AE		 5491 if (!conn)
5492 conn = l2cap_conn_add(hcon, 0);
5493
5494 if (!conn)
1da177e4
LT		 5495 goto drop;
5496
5497 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
5498
e702112f 5499 if (!(flags & ACL_CONT)) {
1da177e4
LT		 5500 struct l2cap_hdr *hdr;
5501 int len;
5502
5503 if (conn->rx_len) {
5504 BT_ERR("Unexpected start frame (len %d)", skb->len);
5505 kfree_skb(conn->rx_skb);
5506 conn->rx_skb = NULL;
5507 conn->rx_len = 0;
5508 l2cap_conn_unreliable(conn, ECOMM);
5509 }
5510
aae7fe22
AE		 5511 /* Start fragment always begin with Basic L2CAP header */
5512 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 5513 BT_ERR("Frame is too short (len %d)", skb->len);
5514 l2cap_conn_unreliable(conn, ECOMM);
5515 goto drop;
5516 }
5517
5518 hdr = (struct l2cap_hdr *) skb->data;
5519 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
5520
5521 if (len == skb->len) {
5522 /* Complete frame received */
5523 l2cap_recv_frame(conn, skb);
5524 return 0;
5525 }
5526
5527 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
5528
5529 if (skb->len > len) {
5530 BT_ERR("Frame is too long (len %d, expected len %d)",
5531 skb->len, len);
5532 l2cap_conn_unreliable(conn, ECOMM);
5533 goto drop;
5534 }
5535
5536 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 5537 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
5538 if (!conn->rx_skb)
1da177e4
LT		 5539 goto drop;
5540
d626f62b 5541 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5542 skb->len);
1da177e4
LT		 5543 conn->rx_len = len - skb->len;
5544 } else {
5545 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
5546
5547 if (!conn->rx_len) {
5548 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
5549 l2cap_conn_unreliable(conn, ECOMM);
5550 goto drop;
5551 }
5552
5553 if (skb->len > conn->rx_len) {
5554 BT_ERR("Fragment is too long (len %d, expected %d)",
5555 skb->len, conn->rx_len);
5556 kfree_skb(conn->rx_skb);
5557 conn->rx_skb = NULL;
5558 conn->rx_len = 0;
5559 l2cap_conn_unreliable(conn, ECOMM);
5560 goto drop;
5561 }
5562
d626f62b 5563 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5564 skb->len);
1da177e4
LT		 5565 conn->rx_len -= skb->len;
5566
5567 if (!conn->rx_len) {
5568 /* Complete frame received */
5569 l2cap_recv_frame(conn, conn->rx_skb);
5570 conn->rx_skb = NULL;
5571 }
5572 }
5573
5574drop:
5575 kfree_skb(skb);
5576 return 0;
5577}
5578
aef7d97c 5579static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 5580{
23691d75 5581 struct l2cap_chan *c;
1da177e4 5582
333055f2 5583 read_lock(&chan_list_lock);
1da177e4 5584
23691d75
GP		 5585 list_for_each_entry(c, &chan_list, global_l) {
5586 struct sock *sk = c->sk;
101545f6 5587
903d343e 5588 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 5589 batostr(&bt_sk(sk)->src),
5590 batostr(&bt_sk(sk)->dst),
89bc500e 5591 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 5592 c->scid, c->dcid, c->imtu, c->omtu,
5593 c->sec_level, c->mode);
61e1b4b7 5594 }
1da177e4 5595
333055f2 5596 read_unlock(&chan_list_lock);
1da177e4 5597
aef7d97c 5598 return 0;
1da177e4
LT		 5599}
5600
aef7d97c
MH		 5601static int l2cap_debugfs_open(struct inode *inode, struct file *file)
5602{
5603 return single_open(file, l2cap_debugfs_show, inode->i_private);
5604}
5605
5606static const struct file_operations l2cap_debugfs_fops = {
5607 .open = l2cap_debugfs_open,
5608 .read = seq_read,
5609 .llseek = seq_lseek,
5610 .release = single_release,
5611};
5612
5613static struct dentry *l2cap_debugfs;
1da177e4 5614
64274518 5615int __init l2cap_init(void)
1da177e4
LT		 5616{
5617 int err;
be9d1227 5618
bb58f747 5619 err = l2cap_init_sockets();
1da177e4
LT		 5620 if (err < 0)
5621 return err;
5622
aef7d97c
MH		 5623 if (bt_debugfs) {
5624 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
5625 bt_debugfs, NULL, &l2cap_debugfs_fops);
5626 if (!l2cap_debugfs)
5627 BT_ERR("Failed to create L2CAP debug file");
5628 }
1da177e4 5629
1da177e4 5630 return 0;
1da177e4
LT		 5631}
5632
64274518 5633void l2cap_exit(void)
1da177e4 5634{
aef7d97c 5635 debugfs_remove(l2cap_debugfs);
bb58f747 5636 l2cap_cleanup_sockets();
1da177e4
LT		 5637}
5638
d1c4a17d
GP		 5639module_param(disable_ertm, bool, 0644);
5640MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)