projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Enable ERTM by default
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
33#include <linux/types.h>
4fc268d2 34#include <linux/capability.h>
1da177e4
LT		 35#include <linux/errno.h>
36#include <linux/kernel.h>
1da177e4
LT		 37#include <linux/sched.h>
38#include <linux/slab.h>
39#include <linux/poll.h>
40#include <linux/fcntl.h>
41#include <linux/init.h>
42#include <linux/interrupt.h>
43#include <linux/socket.h>
44#include <linux/skbuff.h>
1da177e4 45#include <linux/list.h>
be9d1227 46#include <linux/device.h>
aef7d97c
MH		 47#include <linux/debugfs.h>
48#include <linux/seq_file.h>
af05b30b 49#include <linux/uaccess.h>
fcc203c3 50#include <linux/crc16.h>
1da177e4
LT		 51#include <net/sock.h>
52
1da177e4
LT		 53#include <asm/unaligned.h>
54
55#include <net/bluetooth/bluetooth.h>
56#include <net/bluetooth/hci_core.h>
57#include <net/bluetooth/l2cap.h>
b501d6a1 58#include <net/bluetooth/smp.h>
1da177e4 59
d1de6d46 60bool disable_ertm;
f0709e03 61
47ec1dcd 62static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 63static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 64
b5ad8b7f
JB		 65static LIST_HEAD(chan_list);
66static DEFINE_RWLOCK(chan_list_lock);
1da177e4 67
1da177e4
LT		 68static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
69 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 70static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
71 void *data);
710f9b0a 72static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a 73static void l2cap_send_disconn_req(struct l2cap_conn *conn,
c5daa683 74 struct l2cap_chan *chan, int err);
1da177e4 75
608bcc6d
MM		 76static int l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
77 struct sk_buff_head *skbs, u8 event);
78
0139418c 79/* ---- L2CAP channels ---- */
71ba0e56 80
baa7e1fa 81static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 82{
3df91ea2 83 struct l2cap_chan *c;
3d57dc68 84
3df91ea2
AE		 85 list_for_each_entry(c, &conn->chan_l, list) {
86 if (c->dcid == cid)
87 return c;
0139418c 88 }
3df91ea2 89 return NULL;
0139418c
MH		 90}
91
baa7e1fa 92static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 93{
3df91ea2 94 struct l2cap_chan *c;
3d57dc68 95
3df91ea2
AE		 96 list_for_each_entry(c, &conn->chan_l, list) {
97 if (c->scid == cid)
98 return c;
0139418c 99 }
3df91ea2 100 return NULL;
0139418c
MH		 101}
102
103/* Find channel with given SCID.
ef191ade 104 * Returns locked channel. */
baa7e1fa 105static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 106{
48454079 107 struct l2cap_chan *c;
baa7e1fa 108
3df91ea2 109 mutex_lock(&conn->chan_lock);
baa7e1fa 110 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 111 if (c)
112 l2cap_chan_lock(c);
3df91ea2
AE		 113 mutex_unlock(&conn->chan_lock);
114
48454079 115 return c;
0139418c
MH		 116}
117
baa7e1fa 118static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 119{
3df91ea2 120 struct l2cap_chan *c;
3d57dc68 121
3df91ea2
AE		 122 list_for_each_entry(c, &conn->chan_l, list) {
123 if (c->ident == ident)
124 return c;
0139418c 125 }
3df91ea2 126 return NULL;
0139418c
MH		 127}
128
23691d75 129static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 130{
23691d75 131 struct l2cap_chan *c;
9e4425ff 132
23691d75
GP		 133 list_for_each_entry(c, &chan_list, global_l) {
134 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 135 return c;
9e4425ff 136 }
250938cb 137 return NULL;
9e4425ff
GP		 138}
139
140int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
141{
73b2ec18
GP		 142 int err;
143
333055f2 144 write_lock(&chan_list_lock);
9e4425ff 145
23691d75 146 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 147 err = -EADDRINUSE;
148 goto done;
9e4425ff
GP		 149 }
150
73b2ec18
GP		 151 if (psm) {
152 chan->psm = psm;
153 chan->sport = psm;
154 err = 0;
155 } else {
156 u16 p;
157
158 err = -EINVAL;
159 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 160 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 161 chan->psm = cpu_to_le16(p);
162 chan->sport = cpu_to_le16(p);
163 err = 0;
164 break;
165 }
166 }
9e4425ff 167
73b2ec18 168done:
333055f2 169 write_unlock(&chan_list_lock);
73b2ec18 170 return err;
9e4425ff
GP		 171}
172
173int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
174{
333055f2 175 write_lock(&chan_list_lock);
9e4425ff
GP		 176
177 chan->scid = scid;
178
333055f2 179 write_unlock(&chan_list_lock);
9e4425ff
GP		 180
181 return 0;
182}
183
baa7e1fa 184static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 185{
8db4dc46 186 u16 cid = L2CAP_CID_DYN_START;
0139418c 187
8db4dc46 188 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 189 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 190 return cid;
191 }
192
193 return 0;
194}
195
0e587be7 196static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 197{
42d2d87c 198 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
badaaa00
GP		 199 state_to_string(state));
200
89bc500e
GP		 201 chan->state = state;
202 chan->ops->state_change(chan->data, state);
203}
204
0e587be7
AE		 205static void l2cap_state_change(struct l2cap_chan *chan, int state)
206{
207 struct sock *sk = chan->sk;
208
209 lock_sock(sk);
210 __l2cap_state_change(chan, state);
211 release_sock(sk);
212}
213
2e0052e4
AE		 214static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
215{
216 struct sock *sk = chan->sk;
217
218 sk->sk_err = err;
219}
220
221static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
222{
223 struct sock *sk = chan->sk;
224
225 lock_sock(sk);
226 __l2cap_chan_set_err(chan, err);
227 release_sock(sk);
228}
229
4239d16f
MM		 230static void __set_retrans_timer(struct l2cap_chan *chan)
231{
232 if (!delayed_work_pending(&chan->monitor_timer) &&
233 chan->retrans_timeout) {
234 l2cap_set_timer(chan, &chan->retrans_timer,
235 msecs_to_jiffies(chan->retrans_timeout));
236 }
237}
238
239static void __set_monitor_timer(struct l2cap_chan *chan)
240{
241 __clear_retrans_timer(chan);
242 if (chan->monitor_timeout) {
243 l2cap_set_timer(chan, &chan->monitor_timer,
244 msecs_to_jiffies(chan->monitor_timeout));
245 }
246}
247
608bcc6d
MM		 248static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
249 u16 seq)
250{
251 struct sk_buff *skb;
252
253 skb_queue_walk(head, skb) {
254 if (bt_cb(skb)->control.txseq == seq)
255 return skb;
256 }
257
258 return NULL;
259}
260
3c588192
MM		 261/* ---- L2CAP sequence number lists ---- */
262
263/* For ERTM, ordered lists of sequence numbers must be tracked for
264 * SREJ requests that are received and for frames that are to be
265 * retransmitted. These seq_list functions implement a singly-linked
266 * list in an array, where membership in the list can also be checked
267 * in constant time. Items can also be added to the tail of the list
268 * and removed from the head in constant time, without further memory
269 * allocs or frees.
270 */
271
272static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
273{
274 size_t alloc_size, i;
275
276 /* Allocated size is a power of 2 to map sequence numbers
277 * (which may be up to 14 bits) in to a smaller array that is
278 * sized for the negotiated ERTM transmit windows.
279 */
280 alloc_size = roundup_pow_of_two(size);
281
282 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
283 if (!seq_list->list)
284 return -ENOMEM;
285
286 seq_list->mask = alloc_size - 1;
287 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
288 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
289 for (i = 0; i < alloc_size; i++)
290 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
291
292 return 0;
293}
294
295static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
296{
297 kfree(seq_list->list);
298}
299
300static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
301 u16 seq)
302{
303 /* Constant-time check for list membership */
304 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
305}
306
307static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
308{
309 u16 mask = seq_list->mask;
310
311 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
312 /* In case someone tries to pop the head of an empty list */
313 return L2CAP_SEQ_LIST_CLEAR;
314 } else if (seq_list->head == seq) {
315 /* Head can be removed in constant time */
316 seq_list->head = seq_list->list[seq & mask];
317 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
318
319 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
320 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
321 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
322 }
323 } else {
324 /* Walk the list to find the sequence number */
325 u16 prev = seq_list->head;
326 while (seq_list->list[prev & mask] != seq) {
327 prev = seq_list->list[prev & mask];
328 if (prev == L2CAP_SEQ_LIST_TAIL)
329 return L2CAP_SEQ_LIST_CLEAR;
330 }
331
332 /* Unlink the number from the list and clear it */
333 seq_list->list[prev & mask] = seq_list->list[seq & mask];
334 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
335 if (seq_list->tail == seq)
336 seq_list->tail = prev;
337 }
338 return seq;
339}
340
341static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
342{
343 /* Remove the head in constant time */
344 return l2cap_seq_list_remove(seq_list, seq_list->head);
345}
346
347static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
348{
f522ae36 349 u16 i;
3c588192 350
f522ae36
GP		 351 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
352 return;
353
354 for (i = 0; i <= seq_list->mask; i++)
355 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
356
357 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
358 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 359}
360
361static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
362{
363 u16 mask = seq_list->mask;
364
365 /* All appends happen in constant time */
366
f522ae36
GP		 367 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
368 return;
3c588192 369
f522ae36
GP		 370 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
371 seq_list->head = seq;
372 else
373 seq_list->list[seq_list->tail & mask] = seq;
374
375 seq_list->tail = seq;
376 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 377}
378
721c4181 379static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 380{
721c4181
GP		 381 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
382 chan_timer.work);
3df91ea2 383 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 384 int reason;
385
e05dcc32 386 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 387
3df91ea2 388 mutex_lock(&conn->chan_lock);
6be36555 389 l2cap_chan_lock(chan);
ab07801d 390
89bc500e 391 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 392 reason = ECONNREFUSED;
89bc500e 393 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 394 chan->sec_level != BT_SECURITY_SDP)
395 reason = ECONNREFUSED;
396 else
397 reason = ETIMEDOUT;
398
0f852724 399 l2cap_chan_close(chan, reason);
ab07801d 400
6be36555 401 l2cap_chan_unlock(chan);
ab07801d 402
ba3bd0ee 403 chan->ops->close(chan->data);
3df91ea2
AE		 404 mutex_unlock(&conn->chan_lock);
405
371fd835 406 l2cap_chan_put(chan);
ab07801d
GP		 407}
408
eef1d9b6 409struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 410{
411 struct l2cap_chan *chan;
412
413 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
414 if (!chan)
415 return NULL;
416
c03b355e
AE		 417 mutex_init(&chan->lock);
418
333055f2 419 write_lock(&chan_list_lock);
23691d75 420 list_add(&chan->global_l, &chan_list);
333055f2 421 write_unlock(&chan_list_lock);
23691d75 422
721c4181 423 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 424
89bc500e
GP		 425 chan->state = BT_OPEN;
426
71ba0e56
GP		 427 atomic_set(&chan->refcnt, 1);
428
2827011f
MM		 429 /* This flag is cleared in l2cap_chan_ready() */
430 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
431
eef1d9b6 432 BT_DBG("chan %p", chan);
abc545b8 433
48454079
GP		 434 return chan;
435}
436
23691d75 437void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 438{
333055f2 439 write_lock(&chan_list_lock);
23691d75 440 list_del(&chan->global_l);
333055f2 441 write_unlock(&chan_list_lock);
23691d75 442
371fd835 443 l2cap_chan_put(chan);
6ff5abbf
GP		 444}
445
bd4b1653
AE		 446void l2cap_chan_set_defaults(struct l2cap_chan *chan)
447{
448 chan->fcs = L2CAP_FCS_CRC16;
449 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
450 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
451 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
452 chan->sec_level = BT_SECURITY_LOW;
453
454 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
455}
456
14a28491 457static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 458{
af05b30b 459 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 460 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 461
9f5a0d7b 462 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 463
8c1d787b 464 chan->conn = conn;
0139418c 465
5491120e
AE		 466 switch (chan->chan_type) {
467 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 468 if (conn->hcon->type == LE_LINK) {
469 /* LE connection */
0c1bc5c6 470 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 471 chan->scid = L2CAP_CID_LE_DATA;
472 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 473 } else {
474 /* Alloc CID for connection-oriented socket */
fe4128e0 475 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 476 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 477 }
5491120e
AE		 478 break;
479
480 case L2CAP_CHAN_CONN_LESS:
0139418c 481 /* Connectionless socket */
fe4128e0
GP		 482 chan->scid = L2CAP_CID_CONN_LESS;
483 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 484 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 485 break;
486
487 default:
0139418c 488 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 489 chan->scid = L2CAP_CID_SIGNALING;
490 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 491 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 492 }
493
8f7975b1
AE		 494 chan->local_id = L2CAP_BESTEFFORT_ID;
495 chan->local_stype = L2CAP_SERV_BESTEFFORT;
496 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
497 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
498 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
499 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
500
371fd835 501 l2cap_chan_hold(chan);
baa7e1fa 502
3df91ea2 503 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 504}
505
14a28491 506static void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 507{
508 mutex_lock(&conn->chan_lock);
509 __l2cap_chan_add(conn, chan);
3df91ea2 510 mutex_unlock(&conn->chan_lock);
0139418c
MH		 511}
512
4519de9a 513static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 514{
48454079 515 struct sock *sk = chan->sk;
8c1d787b 516 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 517 struct sock *parent = bt_sk(sk)->parent;
518
c9b66675 519 __clear_chan_timer(chan);
0139418c 520
49208c9c 521 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 522
8e87d142 523 if (conn) {
baa7e1fa 524 /* Delete from channel list */
3df91ea2 525 list_del(&chan->list);
3d57dc68 526
371fd835 527 l2cap_chan_put(chan);
baa7e1fa 528
8c1d787b 529 chan->conn = NULL;
0139418c
MH		 530 hci_conn_put(conn->hcon);
531 }
532
6be36555
AE		 533 lock_sock(sk);
534
0e587be7 535 __l2cap_state_change(chan, BT_CLOSED);
0139418c
MH		 536 sock_set_flag(sk, SOCK_ZAPPED);
537
538 if (err)
2e0052e4 539 __l2cap_chan_set_err(chan, err);
0139418c
MH		 540
541 if (parent) {
542 bt_accept_unlink(sk);
543 parent->sk_data_ready(parent, 0);
544 } else
545 sk->sk_state_change(sk);
c13ffa62 546
6be36555
AE		 547 release_sock(sk);
548
2827011f 549 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 550 return;
2ead70b8 551
58d35f87 552 skb_queue_purge(&chan->tx_q);
c13ffa62 553
0c1bc5c6 554 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 555 __clear_retrans_timer(chan);
556 __clear_monitor_timer(chan);
557 __clear_ack_timer(chan);
c13ffa62 558
f1c6775b 559 skb_queue_purge(&chan->srej_q);
c13ffa62 560
3c588192
MM		 561 l2cap_seq_list_free(&chan->srej_list);
562 l2cap_seq_list_free(&chan->retrans_list);
c13ffa62 563 }
0139418c
MH		 564}
565
4519de9a
GP		 566static void l2cap_chan_cleanup_listen(struct sock *parent)
567{
568 struct sock *sk;
569
570 BT_DBG("parent %p", parent);
571
572 /* Close not yet accepted channels */
0f852724 573 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee 574 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
3df91ea2 575
6be36555 576 l2cap_chan_lock(chan);
c9b66675 577 __clear_chan_timer(chan);
ba3bd0ee 578 l2cap_chan_close(chan, ECONNRESET);
6be36555 579 l2cap_chan_unlock(chan);
3df91ea2 580
ba3bd0ee 581 chan->ops->close(chan->data);
0f852724 582 }
4519de9a
GP		 583}
584
0f852724 585void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 586{
587 struct l2cap_conn *conn = chan->conn;
588 struct sock *sk = chan->sk;
589
e05dcc32
AE		 590 BT_DBG("chan %p state %s sk %p", chan,
591 state_to_string(chan->state), sk);
4519de9a 592
89bc500e 593 switch (chan->state) {
4519de9a 594 case BT_LISTEN:
6be36555 595 lock_sock(sk);
4519de9a 596 l2cap_chan_cleanup_listen(sk);
89bc500e 597
0e587be7 598 __l2cap_state_change(chan, BT_CLOSED);
89bc500e 599 sock_set_flag(sk, SOCK_ZAPPED);
6be36555 600 release_sock(sk);
4519de9a
GP		 601 break;
602
603 case BT_CONNECTED:
604 case BT_CONFIG:
715ec005 605 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 606 conn->hcon->type == ACL_LINK) {
c9b66675 607 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 608 l2cap_send_disconn_req(conn, chan, reason);
609 } else
610 l2cap_chan_del(chan, reason);
611 break;
612
613 case BT_CONNECT2:
715ec005 614 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 615 conn->hcon->type == ACL_LINK) {
616 struct l2cap_conn_rsp rsp;
617 __u16 result;
618
c5daa683 619 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 620 result = L2CAP_CR_SEC_BLOCK;
621 else
622 result = L2CAP_CR_BAD_PSM;
89bc500e 623 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 624
625 rsp.scid = cpu_to_le16(chan->dcid);
626 rsp.dcid = cpu_to_le16(chan->scid);
627 rsp.result = cpu_to_le16(result);
628 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
629 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
630 sizeof(rsp), &rsp);
631 }
632
633 l2cap_chan_del(chan, reason);
634 break;
635
636 case BT_CONNECT:
637 case BT_DISCONN:
638 l2cap_chan_del(chan, reason);
639 break;
640
641 default:
6be36555 642 lock_sock(sk);
4519de9a 643 sock_set_flag(sk, SOCK_ZAPPED);
6be36555 644 release_sock(sk);
4519de9a
GP		 645 break;
646 }
647}
648
4343478f 649static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 650{
715ec005 651 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 652 switch (chan->sec_level) {
8556edd3
JH		 653 case BT_SECURITY_HIGH:
654 return HCI_AT_DEDICATED_BONDING_MITM;
655 case BT_SECURITY_MEDIUM:
656 return HCI_AT_DEDICATED_BONDING;
657 default:
658 return HCI_AT_NO_BONDING;
659 }
fe4128e0 660 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 661 if (chan->sec_level == BT_SECURITY_LOW)
662 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 663
4343478f 664 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 665 return HCI_AT_NO_BONDING_MITM;
00ae4af9 666 else
8556edd3 667 return HCI_AT_NO_BONDING;
00ae4af9 668 } else {
4343478f 669 switch (chan->sec_level) {
00ae4af9 670 case BT_SECURITY_HIGH:
8556edd3 671 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 672 case BT_SECURITY_MEDIUM:
8556edd3 673 return HCI_AT_GENERAL_BONDING;
00ae4af9 674 default:
8556edd3 675 return HCI_AT_NO_BONDING;
00ae4af9 676 }
0684e5f9 677 }
8556edd3
JH		 678}
679
680/* Service level security */
d45fc423 681int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 682{
8c1d787b 683 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 684 __u8 auth_type;
685
4343478f 686 auth_type = l2cap_get_auth_type(chan);
79d554a6 687
4343478f 688 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 689}
690
b5ad8b7f 691static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 692{
693 u8 id;
694
695 /* Get next available identificator.
696 * 1 - 128 are used by kernel.
697 * 129 - 199 are reserved.
698 * 200 - 254 are used by utilities like l2ping, etc.
699 */
700
333055f2 701 spin_lock(&conn->lock);
4e8402a3
MH		 702
703 if (++conn->tx_ident > 128)
704 conn->tx_ident = 1;
705
706 id = conn->tx_ident;
707
333055f2 708 spin_unlock(&conn->lock);
4e8402a3
MH		 709
710 return id;
711}
712
4519de9a 713static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 714{
715 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 716 u8 flags;
4e8402a3
MH		 717
718 BT_DBG("code 0x%2.2x", code);
719
720 if (!skb)
9a9c6a34 721 return;
4e8402a3 722
e702112f
AE		 723 if (lmp_no_flush_capable(conn->hcon->hdev))
724 flags = ACL_START_NO_FLUSH;
725 else
726 flags = ACL_START;
727
14b12d0b 728 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 729 skb->priority = HCI_PRIO_MAX;
14b12d0b 730
73d80deb
LAD		 731 hci_send_acl(conn->hchan, skb, flags);
732}
733
734static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
735{
736 struct hci_conn *hcon = chan->conn->hcon;
737 u16 flags;
738
739 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
740 skb->priority);
741
742 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
743 lmp_no_flush_capable(hcon->hdev))
744 flags = ACL_START_NO_FLUSH;
745 else
746 flags = ACL_START;
14b12d0b 747
73d80deb
LAD		 748 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
749 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 750}
751
b76bbd66
MM		 752static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
753{
754 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
755 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
756
757 if (enh & L2CAP_CTRL_FRAME_TYPE) {
758 /* S-Frame */
759 control->sframe = 1;
760 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
761 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
762
763 control->sar = 0;
764 control->txseq = 0;
765 } else {
766 /* I-Frame */
767 control->sframe = 0;
768 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
769 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
770
771 control->poll = 0;
772 control->super = 0;
773 }
774}
775
b76bbd66
MM		 776static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
777{
778 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
779 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
780
781 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
782 /* S-Frame */
783 control->sframe = 1;
784 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
785 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
786
787 control->sar = 0;
788 control->txseq = 0;
789 } else {
790 /* I-Frame */
791 control->sframe = 0;
792 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
793 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
794
795 control->poll = 0;
796 control->super = 0;
797 }
798}
799
800static inline void __unpack_control(struct l2cap_chan *chan,
801 struct sk_buff *skb)
802{
803 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
804 __unpack_extended_control(get_unaligned_le32(skb->data),
805 &bt_cb(skb)->control);
cec8ab6e 806 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 807 } else {
808 __unpack_enhanced_control(get_unaligned_le16(skb->data),
809 &bt_cb(skb)->control);
cec8ab6e 810 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 811 }
812}
813
b5c6aaed
MM		 814static u32 __pack_extended_control(struct l2cap_ctrl *control)
815{
816 u32 packed;
817
818 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
819 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
820
821 if (control->sframe) {
822 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
823 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
824 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
825 } else {
826 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
827 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
828 }
829
830 return packed;
831}
832
833static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
834{
835 u16 packed;
836
837 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
838 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
839
840 if (control->sframe) {
841 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
842 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
843 packed |= L2CAP_CTRL_FRAME_TYPE;
844 } else {
845 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
846 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
847 }
848
849 return packed;
850}
851
b76bbd66
MM		 852static inline void __pack_control(struct l2cap_chan *chan,
853 struct l2cap_ctrl *control,
854 struct sk_buff *skb)
855{
856 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
857 put_unaligned_le32(__pack_extended_control(control),
858 skb->data + L2CAP_HDR_SIZE);
859 } else {
860 put_unaligned_le16(__pack_enhanced_control(control),
861 skb->data + L2CAP_HDR_SIZE);
862 }
863}
864
a67d7f6f
MM		 865static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
866 u32 control)
b5c6aaed
MM		 867{
868 struct sk_buff *skb;
869 struct l2cap_hdr *lh;
a67d7f6f 870 int hlen;
b5c6aaed
MM		 871
872 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
873 hlen = L2CAP_EXT_HDR_SIZE;
874 else
875 hlen = L2CAP_ENH_HDR_SIZE;
876
877 if (chan->fcs == L2CAP_FCS_CRC16)
878 hlen += L2CAP_FCS_SIZE;
879
a67d7f6f 880 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 881
b5c6aaed 882 if (!skb)
a67d7f6f 883 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 884
885 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
886 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
887 lh->cid = cpu_to_le16(chan->dcid);
888
a67d7f6f
MM		 889 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
890 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
891 else
892 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 893
894 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 895 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 896 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
897 }
898
899 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 900 return skb;
901}
902
903static void l2cap_send_sframe(struct l2cap_chan *chan,
904 struct l2cap_ctrl *control)
905{
906 struct sk_buff *skb;
907 u32 control_field;
908
909 BT_DBG("chan %p, control %p", chan, control);
910
911 if (!control->sframe)
912 return;
913
914 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
915 !control->poll)
916 control->final = 1;
917
918 if (control->super == L2CAP_SUPER_RR)
919 clear_bit(CONN_RNR_SENT, &chan->conn_state);
920 else if (control->super == L2CAP_SUPER_RNR)
921 set_bit(CONN_RNR_SENT, &chan->conn_state);
922
923 if (control->super != L2CAP_SUPER_SREJ) {
924 chan->last_acked_seq = control->reqseq;
925 __clear_ack_timer(chan);
926 }
927
928 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
929 control->final, control->poll, control->super);
930
931 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
932 control_field = __pack_extended_control(control);
933 else
934 control_field = __pack_enhanced_control(control);
935
936 skb = l2cap_create_sframe_pdu(chan, control_field);
937 if (!IS_ERR(skb))
938 l2cap_do_send(chan, skb);
b5c6aaed
MM		 939}
940
c9e3d5e0 941static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 942{
c9e3d5e0
MM		 943 struct l2cap_ctrl control;
944
945 BT_DBG("chan %p, poll %d", chan, poll);
946
947 memset(&control, 0, sizeof(control));
948 control.sframe = 1;
949 control.poll = poll;
950
951 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
952 control.super = L2CAP_SUPER_RNR;
953 else
954 control.super = L2CAP_SUPER_RR;
b5c6aaed 955
c9e3d5e0
MM		 956 control.reqseq = chan->buffer_seq;
957 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 958}
959
b4450035 960static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 961{
c1360a1c 962 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 963}
964
9b27f350
AE		 965static void l2cap_send_conn_req(struct l2cap_chan *chan)
966{
967 struct l2cap_conn *conn = chan->conn;
968 struct l2cap_conn_req req;
969
970 req.scid = cpu_to_le16(chan->scid);
971 req.psm = chan->psm;
972
973 chan->ident = l2cap_get_ident(conn);
974
975 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
976
977 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
978}
979
9f0caeb1
VCG		 980static void l2cap_chan_ready(struct l2cap_chan *chan)
981{
982 struct sock *sk = chan->sk;
983 struct sock *parent;
984
985 lock_sock(sk);
986
987 parent = bt_sk(sk)->parent;
988
989 BT_DBG("sk %p, parent %p", sk, parent);
990
2827011f 991 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 992 chan->conf_state = 0;
993 __clear_chan_timer(chan);
994
995 __l2cap_state_change(chan, BT_CONNECTED);
996 sk->sk_state_change(sk);
997
998 if (parent)
999 parent->sk_data_ready(parent, 0);
1000
1001 release_sock(sk);
1002}
1003
fc7f8a7e 1004static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1005{
8c1d787b 1006 struct l2cap_conn *conn = chan->conn;
79d554a6 1007
9f0caeb1
VCG		 1008 if (conn->hcon->type == LE_LINK) {
1009 l2cap_chan_ready(chan);
1010 return;
1011 }
1012
79d554a6 1013 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1014 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1015 return;
1016
d45fc423 1017 if (l2cap_chan_check_security(chan) &&
9b27f350
AE		 1018 __l2cap_no_conn_pending(chan))
1019 l2cap_send_conn_req(chan);
79d554a6
MH		 1020 } else {
1021 struct l2cap_info_req req;
1022 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1023
1024 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1025 conn->info_ident = l2cap_get_ident(conn);
1026
ba13ccd9 1027 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 1028
1029 l2cap_send_cmd(conn, conn->info_ident,
1030 L2CAP_INFO_REQ, sizeof(req), &req);
1031 }
1032}
1033
cf6c2c0b
GP		 1034static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1035{
1036 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1037 if (!disable_ertm)
cf6c2c0b
GP		 1038 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1039
1040 switch (mode) {
1041 case L2CAP_MODE_ERTM:
1042 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1043 case L2CAP_MODE_STREAMING:
1044 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1045 default:
1046 return 0x00;
1047 }
1048}
1049
4519de9a 1050static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 1051{
6be36555 1052 struct sock *sk = chan->sk;
22121fc9
GP		 1053 struct l2cap_disconn_req req;
1054
c13ffa62
GP		 1055 if (!conn)
1056 return;
1057
0c1bc5c6 1058 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 1059 __clear_retrans_timer(chan);
1060 __clear_monitor_timer(chan);
1061 __clear_ack_timer(chan);
c13ffa62
GP		 1062 }
1063
fe4128e0
GP		 1064 req.dcid = cpu_to_le16(chan->dcid);
1065 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 1066 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1067 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 1068
6be36555 1069 lock_sock(sk);
0e587be7 1070 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1071 __l2cap_chan_set_err(chan, err);
6be36555 1072 release_sock(sk);
22121fc9
GP		 1073}
1074
1da177e4 1075/* ---- L2CAP connections ---- */
4e8402a3
MH		 1076static void l2cap_conn_start(struct l2cap_conn *conn)
1077{
3df91ea2 1078 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1079
1080 BT_DBG("conn %p", conn);
1081
3df91ea2 1082 mutex_lock(&conn->chan_lock);
4e8402a3 1083
3df91ea2 1084 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1085 struct sock *sk = chan->sk;
baa7e1fa 1086
6be36555 1087 l2cap_chan_lock(chan);
4e8402a3 1088
715ec005 1089 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1090 l2cap_chan_unlock(chan);
79d554a6
MH		 1091 continue;
1092 }
1093
89bc500e 1094 if (chan->state == BT_CONNECT) {
d45fc423 1095 if (!l2cap_chan_check_security(chan) ||
b4450035 1096 !__l2cap_no_conn_pending(chan)) {
6be36555 1097 l2cap_chan_unlock(chan);
47731de7
GP		 1098 continue;
1099 }
79d554a6 1100
c1360a1c
GP		 1101 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1102 && test_bit(CONF_STATE2_DEVICE,
1103 &chan->conf_state)) {
89bc500e 1104 l2cap_chan_close(chan, ECONNRESET);
6be36555 1105 l2cap_chan_unlock(chan);
47731de7 1106 continue;
b1235d79 1107 }
47731de7 1108
9b27f350 1109 l2cap_send_conn_req(chan);
47731de7 1110
89bc500e 1111 } else if (chan->state == BT_CONNECT2) {
79d554a6 1112 struct l2cap_conn_rsp rsp;
e9aeb2dd 1113 char buf[128];
fe4128e0
GP		 1114 rsp.scid = cpu_to_le16(chan->dcid);
1115 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1116
d45fc423 1117 if (l2cap_chan_check_security(chan)) {
6be36555 1118 lock_sock(sk);
c5daa683
GP		 1119 if (test_bit(BT_SK_DEFER_SETUP,
1120 &bt_sk(sk)->flags)) {
f66dc81f
MH		 1121 struct sock *parent = bt_sk(sk)->parent;
1122 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1123 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 1124 if (parent)
1125 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 1126
1127 } else {
0e587be7 1128 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 1129 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1130 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1131 }
6be36555 1132 release_sock(sk);
79d554a6
MH		 1133 } else {
1134 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1135 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1136 }
1137
fc7f8a7e
GP		 1138 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1139 sizeof(rsp), &rsp);
e9aeb2dd 1140
c1360a1c 1141 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd 1142 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1143 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1144 continue;
1145 }
1146
c1360a1c 1147 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1148 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 1149 l2cap_build_conf_req(chan, buf), buf);
1150 chan->num_conf_req++;
4e8402a3
MH		 1151 }
1152
6be36555 1153 l2cap_chan_unlock(chan);
4e8402a3
MH		 1154 }
1155
3df91ea2 1156 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1157}
1158
c2287681 1159/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1160 * Returns closest match, locked.
1161 */
d9b88702 1162static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1163 bdaddr_t *src,
1164 bdaddr_t *dst)
b62f328b 1165{
23691d75 1166 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1167
23691d75 1168 read_lock(&chan_list_lock);
b62f328b 1169
23691d75
GP		 1170 list_for_each_entry(c, &chan_list, global_l) {
1171 struct sock *sk = c->sk;
fe4128e0 1172
89bc500e 1173 if (state && c->state != state)
b62f328b
VT		 1174 continue;
1175
23691d75 1176 if (c->scid == cid) {
c2287681
IY		 1177 int src_match, dst_match;
1178 int src_any, dst_any;
1179
b62f328b 1180 /* Exact match. */
c2287681
IY		 1181 src_match = !bacmp(&bt_sk(sk)->src, src);
1182 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1183 if (src_match && dst_match) {
23691d75
GP		 1184 read_unlock(&chan_list_lock);
1185 return c;
1186 }
b62f328b
VT		 1187
1188 /* Closest match */
c2287681
IY		 1189 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1190 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1191 if ((src_match && dst_any) || (src_any && dst_match) ||
1192 (src_any && dst_any))
23691d75 1193 c1 = c;
b62f328b
VT		 1194 }
1195 }
280f294f 1196
23691d75 1197 read_unlock(&chan_list_lock);
b62f328b 1198
23691d75 1199 return c1;
b62f328b
VT		 1200}
1201
1202static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1203{
c916fbe4 1204 struct sock *parent, *sk;
23691d75 1205 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1206
1207 BT_DBG("");
1208
1209 /* Check if we have socket listening on cid */
23691d75 1210 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1211 conn->src, conn->dst);
23691d75 1212 if (!pchan)
b62f328b
VT		 1213 return;
1214
23691d75
GP		 1215 parent = pchan->sk;
1216
aa2ac881 1217 lock_sock(parent);
62f3a2cf 1218
b62f328b
VT		 1219 /* Check for backlog size */
1220 if (sk_acceptq_is_full(parent)) {
1221 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1222 goto clean;
1223 }
1224
80808e43
GP		 1225 chan = pchan->ops->new_connection(pchan->data);
1226 if (!chan)
b62f328b
VT		 1227 goto clean;
1228
80808e43 1229 sk = chan->sk;
5d41ce1d 1230
b62f328b
VT		 1231 hci_conn_hold(conn->hcon);
1232
b62f328b
VT		 1233 bacpy(&bt_sk(sk)->src, conn->src);
1234 bacpy(&bt_sk(sk)->dst, conn->dst);
1235
d1010240
GP		 1236 bt_accept_enqueue(parent, sk);
1237
3d57dc68 1238 l2cap_chan_add(conn, chan);
48454079 1239
c9b66675 1240 __set_chan_timer(chan, sk->sk_sndtimeo);
b62f328b 1241
0e587be7 1242 __l2cap_state_change(chan, BT_CONNECTED);
b62f328b
VT		 1243 parent->sk_data_ready(parent, 0);
1244
b62f328b 1245clean:
aa2ac881 1246 release_sock(parent);
b62f328b
VT		 1247}
1248
4e8402a3
MH		 1249static void l2cap_conn_ready(struct l2cap_conn *conn)
1250{
48454079 1251 struct l2cap_chan *chan;
4e8402a3 1252
79d554a6 1253 BT_DBG("conn %p", conn);
4e8402a3 1254
b62f328b
VT		 1255 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
1256 l2cap_le_conn_ready(conn);
1257
160dc6ac
VCG		 1258 if (conn->hcon->out && conn->hcon->type == LE_LINK)
1259 smp_conn_security(conn, conn->hcon->pending_sec_level);
1260
3df91ea2 1261 mutex_lock(&conn->chan_lock);
4e8402a3 1262
3df91ea2 1263 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1264
6be36555 1265 l2cap_chan_lock(chan);
4e8402a3 1266
63128451 1267 if (conn->hcon->type == LE_LINK) {
b501d6a1 1268 if (smp_conn_security(conn, chan->sec_level))
cf4cd009 1269 l2cap_chan_ready(chan);
acd7d370 1270
63128451 1271 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1272 struct sock *sk = chan->sk;
c9b66675 1273 __clear_chan_timer(chan);
6be36555 1274 lock_sock(sk);
0e587be7 1275 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1276 sk->sk_state_change(sk);
6be36555 1277 release_sock(sk);
b501d6a1 1278
89bc500e 1279 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1280 l2cap_do_start(chan);
4e8402a3 1281
6be36555 1282 l2cap_chan_unlock(chan);
4e8402a3 1283 }
79d554a6 1284
3df91ea2 1285 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1286}
1287
1288/* Notify sockets that we cannot guaranty reliability anymore */
1289static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1290{
48454079 1291 struct l2cap_chan *chan;
4e8402a3
MH		 1292
1293 BT_DBG("conn %p", conn);
1294
3df91ea2 1295 mutex_lock(&conn->chan_lock);
4e8402a3 1296
3df91ea2 1297 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1298 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
2e0052e4 1299 __l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1300 }
1301
3df91ea2 1302 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1303}
1304
f878fcad 1305static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1306{
f878fcad 1307 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
030013d8 1308 info_timer.work);
4e8402a3 1309
984947dc 1310 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1311 conn->info_ident = 0;
984947dc 1312
4e8402a3
MH		 1313 l2cap_conn_start(conn);
1314}
1315
5d3de7df
VCG		 1316static void l2cap_conn_del(struct hci_conn *hcon, int err)
1317{
1318 struct l2cap_conn *conn = hcon->l2cap_data;
1319 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1320
1321 if (!conn)
1322 return;
1323
1324 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1325
1326 kfree_skb(conn->rx_skb);
1327
3df91ea2
AE		 1328 mutex_lock(&conn->chan_lock);
1329
5d3de7df
VCG		 1330 /* Kill channels */
1331 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1332 l2cap_chan_hold(chan);
6be36555
AE		 1333 l2cap_chan_lock(chan);
1334
5d3de7df 1335 l2cap_chan_del(chan, err);
6be36555
AE		 1336
1337 l2cap_chan_unlock(chan);
1338
5d3de7df 1339 chan->ops->close(chan->data);
61d6ef3e 1340 l2cap_chan_put(chan);
5d3de7df
VCG		 1341 }
1342
3df91ea2
AE		 1343 mutex_unlock(&conn->chan_lock);
1344
73d80deb
LAD		 1345 hci_chan_del(conn->hchan);
1346
5d3de7df 1347 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1348 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1349
51a8efd7 1350 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1351 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1352 smp_chan_destroy(conn);
d26a2345 1353 }
5d3de7df
VCG		 1354
1355 hcon->l2cap_data = NULL;
1356 kfree(conn);
1357}
1358
6c9d42a1 1359static void security_timeout(struct work_struct *work)
5d3de7df 1360{
6c9d42a1
GP		 1361 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1362 security_timer.work);
5d3de7df
VCG		 1363
1364 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1365}
1366
1da177e4
LT		 1367static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1368{
0139418c 1369 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1370 struct hci_chan *hchan;
1da177e4 1371
0139418c 1372 if (conn || status)
1da177e4
LT		 1373 return conn;
1374
73d80deb
LAD		 1375 hchan = hci_chan_create(hcon);
1376 if (!hchan)
1377 return NULL;
1378
0139418c 1379 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
73d80deb
LAD		 1380 if (!conn) {
1381 hci_chan_del(hchan);
1da177e4 1382 return NULL;
73d80deb 1383 }
1da177e4
LT		 1384
1385 hcon->l2cap_data = conn;
1386 conn->hcon = hcon;
73d80deb 1387 conn->hchan = hchan;
1da177e4 1388
73d80deb 1389 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1390
acd7d370
VT		 1391 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1392 conn->mtu = hcon->hdev->le_mtu;
1393 else
1394 conn->mtu = hcon->hdev->acl_mtu;
1395
1da177e4
LT		 1396 conn->src = &hcon->hdev->bdaddr;
1397 conn->dst = &hcon->dst;
1398
4e8402a3
MH		 1399 conn->feat_mask = 0;
1400
1da177e4 1401 spin_lock_init(&conn->lock);
3df91ea2 1402 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1403
1404 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1405
5d3de7df 1406 if (hcon->type == LE_LINK)
6c9d42a1 1407 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1408 else
030013d8 1409 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1410
9f5a0d7b 1411 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1412
1da177e4
LT		 1413 return conn;
1414}
1415
1da177e4 1416/* ---- Socket interface ---- */
1da177e4 1417
c2287681 1418/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1419 * Returns closest match.
1420 */
c2287681
IY		 1421static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1422 bdaddr_t *src,
1423 bdaddr_t *dst)
1da177e4 1424{
23691d75 1425 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1426
23691d75 1427 read_lock(&chan_list_lock);
e0f0cb56 1428
23691d75
GP		 1429 list_for_each_entry(c, &chan_list, global_l) {
1430 struct sock *sk = c->sk;
fe4128e0 1431
89bc500e 1432 if (state && c->state != state)
1da177e4
LT		 1433 continue;
1434
23691d75 1435 if (c->psm == psm) {
c2287681
IY		 1436 int src_match, dst_match;
1437 int src_any, dst_any;
1438
1da177e4 1439 /* Exact match. */
c2287681
IY		 1440 src_match = !bacmp(&bt_sk(sk)->src, src);
1441 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1442 if (src_match && dst_match) {
a7567b20 1443 read_unlock(&chan_list_lock);
23691d75
GP		 1444 return c;
1445 }
1da177e4
LT		 1446
1447 /* Closest match */
c2287681
IY		 1448 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1449 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1450 if ((src_match && dst_any) || (src_any && dst_match) ||
1451 (src_any && dst_any))
23691d75 1452 c1 = c;
1da177e4
LT		 1453 }
1454 }
1da177e4 1455
23691d75 1456 read_unlock(&chan_list_lock);
e0f0cb56 1457
23691d75 1458 return c1;
1da177e4
LT		 1459}
1460
8e9f9892
AG		 1461int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1462 bdaddr_t *dst, u8 dst_type)
1da177e4 1463{
5d41ce1d 1464 struct sock *sk = chan->sk;
1da177e4 1465 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1466 struct l2cap_conn *conn;
1467 struct hci_conn *hcon;
1468 struct hci_dev *hdev;
09ab6f4c 1469 __u8 auth_type;
44d0e48e 1470 int err;
1da177e4 1471
8e9f9892
AG		 1472 BT_DBG("%s -> %s (type %u) psm 0x%2.2x", batostr(src), batostr(dst),
1473 dst_type, __le16_to_cpu(chan->psm));
1da177e4 1474
af05b30b
GP		 1475 hdev = hci_get_route(dst, src);
1476 if (!hdev)
1da177e4
LT		 1477 return -EHOSTUNREACH;
1478
09fd0de5 1479 hci_dev_lock(hdev);
1da177e4 1480
6be36555 1481 l2cap_chan_lock(chan);
03a00194
GP		 1482
1483 /* PSM must be odd and lsb of upper byte must be 0 */
1484 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1485 chan->chan_type != L2CAP_CHAN_RAW) {
1486 err = -EINVAL;
1487 goto done;
1488 }
1489
1490 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1491 err = -EINVAL;
1492 goto done;
1493 }
1494
1495 switch (chan->mode) {
1496 case L2CAP_MODE_BASIC:
1497 break;
1498 case L2CAP_MODE_ERTM:
1499 case L2CAP_MODE_STREAMING:
1500 if (!disable_ertm)
1501 break;
1502 /* fall through */
1503 default:
1504 err = -ENOTSUPP;
1505 goto done;
1506 }
1507
6be36555
AE		 1508 lock_sock(sk);
1509
03a00194
GP		 1510 switch (sk->sk_state) {
1511 case BT_CONNECT:
1512 case BT_CONNECT2:
1513 case BT_CONFIG:
1514 /* Already connecting */
1515 err = 0;
6be36555 1516 release_sock(sk);
03a00194
GP		 1517 goto done;
1518
1519 case BT_CONNECTED:
1520 /* Already connected */
1521 err = -EISCONN;
6be36555 1522 release_sock(sk);
03a00194
GP		 1523 goto done;
1524
1525 case BT_OPEN:
1526 case BT_BOUND:
1527 /* Can connect */
1528 break;
1529
1530 default:
1531 err = -EBADFD;
6be36555 1532 release_sock(sk);
03a00194
GP		 1533 goto done;
1534 }
1535
1536 /* Set destination address and psm */
9219b2a0 1537 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1538
1539 release_sock(sk);
1540
03a00194
GP		 1541 chan->psm = psm;
1542 chan->dcid = cid;
1da177e4 1543
4343478f 1544 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1545
fe4128e0 1546 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1547 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1548 chan->sec_level, auth_type);
acd7d370 1549 else
8e9f9892 1550 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1551 chan->sec_level, auth_type);
acd7d370 1552
30e76272
VT		 1553 if (IS_ERR(hcon)) {
1554 err = PTR_ERR(hcon);
1da177e4 1555 goto done;
30e76272 1556 }
1da177e4
LT		 1557
1558 conn = l2cap_conn_add(hcon, 0);
1559 if (!conn) {
1560 hci_conn_put(hcon);
30e76272 1561 err = -ENOMEM;
1da177e4
LT		 1562 goto done;
1563 }
1564
9f0caeb1
VCG		 1565 if (hcon->type == LE_LINK) {
1566 err = 0;
1567
1568 if (!list_empty(&conn->chan_l)) {
1569 err = -EBUSY;
1570 hci_conn_put(hcon);
1571 }
1572
1573 if (err)
1574 goto done;
1575 }
1576
1da177e4
LT		 1577 /* Update source addr of the socket */
1578 bacpy(src, conn->src);
1579
6be36555 1580 l2cap_chan_unlock(chan);
48454079 1581 l2cap_chan_add(conn, chan);
6be36555 1582 l2cap_chan_lock(chan);
48454079 1583
6be36555 1584 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1585 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1586
1587 if (hcon->state == BT_CONNECTED) {
715ec005 1588 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1589 __clear_chan_timer(chan);
d45fc423 1590 if (l2cap_chan_check_security(chan))
6be36555 1591 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1592 } else
fc7f8a7e 1593 l2cap_do_start(chan);
1da177e4
LT		 1594 }
1595
30e76272
VT		 1596 err = 0;
1597
1da177e4 1598done:
6be36555 1599 l2cap_chan_unlock(chan);
09fd0de5 1600 hci_dev_unlock(hdev);
1da177e4
LT		 1601 hci_dev_put(hdev);
1602 return err;
1603}
1604
dcba0dba 1605int __l2cap_wait_ack(struct sock *sk)
6161c038 1606{
8c1d787b 1607 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1608 DECLARE_WAITQUEUE(wait, current);
1609 int err = 0;
1610 int timeo = HZ/5;
1611
2b0b05dd 1612 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1613 set_current_state(TASK_INTERRUPTIBLE);
1614 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1615 if (!timeo)
1616 timeo = HZ/5;
1617
1618 if (signal_pending(current)) {
1619 err = sock_intr_errno(timeo);
1620 break;
1621 }
1622
1623 release_sock(sk);
1624 timeo = schedule_timeout(timeo);
1625 lock_sock(sk);
a71a0cf4 1626 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1627
1628 err = sock_error(sk);
1629 if (err)
1630 break;
1631 }
1632 set_current_state(TASK_RUNNING);
2b0b05dd 1633 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1634 return err;
1635}
1636
721c4181 1637static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1638{
721c4181 1639 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1640 monitor_timer.work);
e90bac06 1641
525cd185 1642 BT_DBG("chan %p", chan);
0e98958d 1643
6be36555
AE		 1644 l2cap_chan_lock(chan);
1645
80909e04 1646 if (!chan->conn) {
6be36555 1647 l2cap_chan_unlock(chan);
8d7e1c7f 1648 l2cap_chan_put(chan);
e90bac06
GP		 1649 return;
1650 }
1651
80909e04 1652 l2cap_tx(chan, 0, 0, L2CAP_EV_MONITOR_TO);
e90bac06 1653
6be36555 1654 l2cap_chan_unlock(chan);
8d7e1c7f 1655 l2cap_chan_put(chan);
e90bac06
GP		 1656}
1657
721c4181 1658static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1659{
721c4181 1660 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1661 retrans_timer.work);
e90bac06 1662
49208c9c 1663 BT_DBG("chan %p", chan);
0e98958d 1664
6be36555
AE		 1665 l2cap_chan_lock(chan);
1666
80909e04
MM		 1667 if (!chan->conn) {
1668 l2cap_chan_unlock(chan);
1669 l2cap_chan_put(chan);
1670 return;
1671 }
6be36555 1672
80909e04 1673 l2cap_tx(chan, 0, 0, L2CAP_EV_RETRANS_TO);
6be36555 1674 l2cap_chan_unlock(chan);
8d7e1c7f 1675 l2cap_chan_put(chan);
e90bac06
GP		 1676}
1677
3733937d
MM		 1678static int l2cap_streaming_send(struct l2cap_chan *chan,
1679 struct sk_buff_head *skbs)
6840ed07 1680{
ccbb84af 1681 struct sk_buff *skb;
3733937d 1682 struct l2cap_ctrl *control;
6840ed07 1683
3733937d
MM		 1684 BT_DBG("chan %p, skbs %p", chan, skbs);
1685
1686 if (chan->state != BT_CONNECTED)
1687 return -ENOTCONN;
1688
1689 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1690
1691 while (!skb_queue_empty(&chan->tx_q)) {
1692
1693 skb = skb_dequeue(&chan->tx_q);
1694
1695 bt_cb(skb)->control.retries = 1;
1696 control = &bt_cb(skb)->control;
1697
1698 control->reqseq = 0;
1699 control->txseq = chan->next_tx_seq;
1700
1701 __pack_control(chan, control, skb);
6840ed07 1702
47d1ec61 1703 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1704 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1705 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1706 }
1707
4343478f 1708 l2cap_do_send(chan, skb);
6840ed07 1709
3733937d
MM		 1710 BT_DBG("Sent txseq %d", (int)control->txseq);
1711
836be934 1712 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1713 chan->frames_sent++;
6840ed07 1714 }
3733937d
MM		 1715
1716 return 0;
6840ed07
GP		 1717}
1718
67c9e840 1719static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1720{
1721 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1722 struct l2cap_ctrl *control;
1723 int sent = 0;
1724
1725 BT_DBG("chan %p", chan);
1c2acffb 1726
89bc500e 1727 if (chan->state != BT_CONNECTED)
c13ffa62 1728 return -ENOTCONN;
e90bac06 1729
94122bbe
MM		 1730 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1731 return 0;
1732
18a48e76
MM		 1733 while (chan->tx_send_head &&
1734 chan->unacked_frames < chan->remote_tx_win &&
1735 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1736
18a48e76 1737 skb = chan->tx_send_head;
e90bac06 1738
18a48e76
MM		 1739 bt_cb(skb)->control.retries = 1;
1740 control = &bt_cb(skb)->control;
95ffa978 1741
e2ab4353 1742 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1743 control->final = 1;
e2ab4353 1744
18a48e76
MM		 1745 control->reqseq = chan->buffer_seq;
1746 chan->last_acked_seq = chan->buffer_seq;
1747 control->txseq = chan->next_tx_seq;
1c2acffb 1748
18a48e76 1749 __pack_control(chan, control, skb);
e90bac06 1750
47d1ec61 1751 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1752 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1753 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1754 }
1755
18a48e76
MM		 1756 /* Clone after data has been modified. Data is assumed to be
1757 read-only (for locking purposes) on cloned sk_buffs.
1758 */
1759 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1760
18a48e76
MM		 1761 if (!tx_skb)
1762 break;
1c2acffb 1763
18a48e76 1764 __set_retrans_timer(chan);
836be934
AE		 1765
1766 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1767 chan->unacked_frames++;
6a026610 1768 chan->frames_sent++;
18a48e76 1769 sent++;
1c2acffb 1770
58d35f87
GP		 1771 if (skb_queue_is_last(&chan->tx_q, skb))
1772 chan->tx_send_head = NULL;
1c2acffb 1773 else
58d35f87 1774 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1775
1776 l2cap_do_send(chan, tx_skb);
1777 BT_DBG("Sent txseq %d", (int)control->txseq);
1c2acffb
GP		 1778 }
1779
18a48e76
MM		 1780 BT_DBG("Sent %d, %d unacked, %d in ERTM queue", sent,
1781 (int) chan->unacked_frames, skb_queue_len(&chan->tx_q));
1782
1783 return sent;
9e917af1
GP		 1784}
1785
e1fbd4c1
MM		 1786static void l2cap_ertm_resend(struct l2cap_chan *chan)
1787{
1788 struct l2cap_ctrl control;
1789 struct sk_buff *skb;
1790 struct sk_buff *tx_skb;
1791 u16 seq;
1792
1793 BT_DBG("chan %p", chan);
1794
1795 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1796 return;
1797
1798 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1799 seq = l2cap_seq_list_pop(&chan->retrans_list);
1800
1801 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1802 if (!skb) {
1803 BT_DBG("Error: Can't retransmit seq %d, frame missing",
1804 seq);
1805 continue;
1806 }
1807
1808 bt_cb(skb)->control.retries++;
1809 control = bt_cb(skb)->control;
1810
1811 if (chan->max_tx != 0 &&
1812 bt_cb(skb)->control.retries > chan->max_tx) {
1813 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1814 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
1815 l2cap_seq_list_clear(&chan->retrans_list);
1816 break;
1817 }
1818
1819 control.reqseq = chan->buffer_seq;
1820 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1821 control.final = 1;
1822 else
1823 control.final = 0;
1824
1825 if (skb_cloned(skb)) {
1826 /* Cloned sk_buffs are read-only, so we need a
1827 * writeable copy
1828 */
1829 tx_skb = skb_copy(skb, GFP_ATOMIC);
1830 } else {
1831 tx_skb = skb_clone(skb, GFP_ATOMIC);
1832 }
1833
1834 if (!tx_skb) {
1835 l2cap_seq_list_clear(&chan->retrans_list);
1836 break;
1837 }
1838
1839 /* Update skb contents */
1840 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1841 put_unaligned_le32(__pack_extended_control(&control),
1842 tx_skb->data + L2CAP_HDR_SIZE);
1843 } else {
1844 put_unaligned_le16(__pack_enhanced_control(&control),
1845 tx_skb->data + L2CAP_HDR_SIZE);
1846 }
1847
1848 if (chan->fcs == L2CAP_FCS_CRC16) {
1849 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
1850 put_unaligned_le16(fcs, skb_put(tx_skb,
1851 L2CAP_FCS_SIZE));
1852 }
1853
1854 l2cap_do_send(chan, tx_skb);
1855
1856 BT_DBG("Resent txseq %d", control.txseq);
1857
1858 chan->last_acked_seq = chan->buffer_seq;
1859 }
1860}
1861
f80842a8
MM		 1862static void l2cap_retransmit(struct l2cap_chan *chan,
1863 struct l2cap_ctrl *control)
1864{
1865 BT_DBG("chan %p, control %p", chan, control);
1866
1867 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
1868 l2cap_ertm_resend(chan);
1869}
1870
d2a7ac5d
MM		 1871static void l2cap_retransmit_all(struct l2cap_chan *chan,
1872 struct l2cap_ctrl *control)
1873{
e1fbd4c1
MM		 1874 struct sk_buff *skb;
1875
1876 BT_DBG("chan %p, control %p", chan, control);
1877
1878 if (control->poll)
1879 set_bit(CONN_SEND_FBIT, &chan->conn_state);
1880
1881 l2cap_seq_list_clear(&chan->retrans_list);
1882
1883 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1884 return;
1885
1886 if (chan->unacked_frames) {
1887 skb_queue_walk(&chan->tx_q, skb) {
1888 if (bt_cb(skb)->control.txseq == control->reqseq ||
1889 skb == chan->tx_send_head)
1890 break;
1891 }
1892
1893 skb_queue_walk_from(&chan->tx_q, skb) {
1894 if (skb == chan->tx_send_head)
1895 break;
1896
1897 l2cap_seq_list_append(&chan->retrans_list,
1898 bt_cb(skb)->control.txseq);
1899 }
1900
1901 l2cap_ertm_resend(chan);
1902 }
d2a7ac5d
MM		 1903}
1904
0a0aba42 1905static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1906{
0a0aba42
MM		 1907 struct l2cap_ctrl control;
1908 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
1909 chan->last_acked_seq);
1910 int threshold;
9e917af1 1911
0a0aba42
MM		 1912 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
1913 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 1914
0a0aba42
MM		 1915 memset(&control, 0, sizeof(control));
1916 control.sframe = 1;
dfc909be 1917
0a0aba42
MM		 1918 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
1919 chan->rx_state == L2CAP_RX_STATE_RECV) {
1920 __clear_ack_timer(chan);
1921 control.super = L2CAP_SUPER_RNR;
1922 control.reqseq = chan->buffer_seq;
1923 l2cap_send_sframe(chan, &control);
1924 } else {
1925 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
1926 l2cap_ertm_send(chan);
1927 /* If any i-frames were sent, they included an ack */
1928 if (chan->buffer_seq == chan->last_acked_seq)
1929 frames_to_ack = 0;
1930 }
dfc909be 1931
0a0aba42
MM		 1932 /* Ack now if the tx window is 3/4ths full.
1933 * Calculate without mul or div
1934 */
1935 threshold = chan->tx_win;
1936 threshold += threshold << 1;
1937 threshold >>= 2;
1938
1939 BT_DBG("frames_to_ack %d, threshold %d", (int)frames_to_ack,
1940 threshold);
1941
1942 if (frames_to_ack >= threshold) {
1943 __clear_ack_timer(chan);
1944 control.super = L2CAP_SUPER_RR;
1945 control.reqseq = chan->buffer_seq;
1946 l2cap_send_sframe(chan, &control);
1947 frames_to_ack = 0;
1948 }
1c2acffb 1949
0a0aba42
MM		 1950 if (frames_to_ack)
1951 __set_ack_timer(chan);
1952 }
b17e73bb
SJ		 1953}
1954
04124681
GP		 1955static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
1956 struct msghdr *msg, int len,
1957 int count, struct sk_buff *skb)
1c2acffb 1958{
0952a57a 1959 struct l2cap_conn *conn = chan->conn;
1c2acffb 1960 struct sk_buff **frag;
90338947 1961 int sent = 0;
1da177e4 1962
59203a21 1963 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1964 return -EFAULT;
1da177e4
LT		 1965
1966 sent += count;
1967 len -= count;
1968
1969 /* Continuation fragments (no L2CAP header) */
1970 frag = &skb_shinfo(skb)->frag_list;
1971 while (len) {
fbe00700
GP		 1972 struct sk_buff *tmp;
1973
1da177e4
LT		 1974 count = min_t(unsigned int, conn->mtu, len);
1975
fbe00700
GP		 1976 tmp = chan->ops->alloc_skb(chan, count,
1977 msg->msg_flags & MSG_DONTWAIT);
1978 if (IS_ERR(tmp))
1979 return PTR_ERR(tmp);
1980
1981 *frag = tmp;
2f7719ce 1982
1c2acffb
GP		 1983 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1984 return -EFAULT;
1da177e4 1985
5e59b791
LAD		 1986 (*frag)->priority = skb->priority;
1987
1da177e4
LT		 1988 sent += count;
1989 len -= count;
1990
2d0ed3d5
GP		 1991 skb->len += (*frag)->len;
1992 skb->data_len += (*frag)->len;
1993
1da177e4
LT		 1994 frag = &(*frag)->next;
1995 }
1da177e4
LT		 1996
1997 return sent;
1c2acffb 1998}
1da177e4 1999
5e59b791
LAD		 2000static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
2001 struct msghdr *msg, size_t len,
2002 u32 priority)
1c2acffb 2003{
8c1d787b 2004 struct l2cap_conn *conn = chan->conn;
1c2acffb 2005 struct sk_buff *skb;
03a51213 2006 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2007 struct l2cap_hdr *lh;
2008
6d5922b0 2009 BT_DBG("chan %p len %d priority %u", chan, (int)len, priority);
1c2acffb
GP		 2010
2011 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2012
2013 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2014 msg->msg_flags & MSG_DONTWAIT);
2015 if (IS_ERR(skb))
2016 return skb;
1c2acffb 2017
5e59b791
LAD		 2018 skb->priority = priority;
2019
1c2acffb
GP		 2020 /* Create L2CAP header */
2021 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2022 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 2023 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2024 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2025
0952a57a 2026 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2027 if (unlikely(err < 0)) {
2028 kfree_skb(skb);
2029 return ERR_PTR(err);
2030 }
2031 return skb;
2032}
2033
5e59b791
LAD		 2034static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
2035 struct msghdr *msg, size_t len,
2036 u32 priority)
1c2acffb 2037{
8c1d787b 2038 struct l2cap_conn *conn = chan->conn;
1c2acffb 2039 struct sk_buff *skb;
f2ba7fae 2040 int err, count;
1c2acffb
GP		 2041 struct l2cap_hdr *lh;
2042
6d5922b0 2043 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 2044
f2ba7fae 2045 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2046
f2ba7fae 2047 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 2048 msg->msg_flags & MSG_DONTWAIT);
2049 if (IS_ERR(skb))
2050 return skb;
1c2acffb 2051
5e59b791
LAD		 2052 skb->priority = priority;
2053
1c2acffb
GP		 2054 /* Create L2CAP header */
2055 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2056 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2057 lh->len = cpu_to_le16(len);
1c2acffb 2058
0952a57a 2059 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2060 if (unlikely(err < 0)) {
2061 kfree_skb(skb);
2062 return ERR_PTR(err);
2063 }
2064 return skb;
2065}
2066
ab0ff76d
LAD		 2067static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2068 struct msghdr *msg, size_t len,
94122bbe 2069 u16 sdulen)
1c2acffb 2070{
8c1d787b 2071 struct l2cap_conn *conn = chan->conn;
1c2acffb 2072 struct sk_buff *skb;
e4ca6d98 2073 int err, count, hlen;
1c2acffb
GP		 2074 struct l2cap_hdr *lh;
2075
6d5922b0 2076 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 2077
0ee0d208
GP		 2078 if (!conn)
2079 return ERR_PTR(-ENOTCONN);
2080
e4ca6d98
AE		 2081 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2082 hlen = L2CAP_EXT_HDR_SIZE;
2083 else
2084 hlen = L2CAP_ENH_HDR_SIZE;
2085
c74e560c 2086 if (sdulen)
03a51213 2087 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2088
47d1ec61 2089 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2090 hlen += L2CAP_FCS_SIZE;
fcc203c3 2091
1c2acffb 2092 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2093
2094 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2095 msg->msg_flags & MSG_DONTWAIT);
2096 if (IS_ERR(skb))
2097 return skb;
1c2acffb
GP		 2098
2099 /* Create L2CAP header */
2100 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2101 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2102 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2103
18a48e76
MM		 2104 /* Control header is populated later */
2105 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2106 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2107 else
2108 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2109
c74e560c 2110 if (sdulen)
03a51213 2111 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2112
0952a57a 2113 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2114 if (unlikely(err < 0)) {
2115 kfree_skb(skb);
2116 return ERR_PTR(err);
2117 }
e90bac06 2118
18a48e76 2119 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2120 bt_cb(skb)->control.retries = 0;
1c2acffb 2121 return skb;
1da177e4
LT		 2122}
2123
94122bbe
MM		 2124static int l2cap_segment_sdu(struct l2cap_chan *chan,
2125 struct sk_buff_head *seg_queue,
2126 struct msghdr *msg, size_t len)
c74e560c 2127{
c74e560c 2128 struct sk_buff *skb;
94122bbe
MM		 2129 u16 sdu_len;
2130 size_t pdu_len;
2131 int err = 0;
2132 u8 sar;
c74e560c 2133
94122bbe 2134 BT_DBG("chan %p, msg %p, len %d", chan, msg, (int)len);
c74e560c 2135
94122bbe
MM		 2136 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2137 * so fragmented skbs are not used. The HCI layer's handling
2138 * of fragmented skbs is not compatible with ERTM's queueing.
2139 */
c74e560c 2140
94122bbe
MM		 2141 /* PDU size is derived from the HCI MTU */
2142 pdu_len = chan->conn->mtu;
c74e560c 2143
94122bbe
MM		 2144 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2145
2146 /* Adjust for largest possible L2CAP overhead. */
2147 pdu_len -= L2CAP_EXT_HDR_SIZE + L2CAP_FCS_SIZE;
2148
2149 /* Remote device may have requested smaller PDUs */
2150 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2151
2152 if (len <= pdu_len) {
2153 sar = L2CAP_SAR_UNSEGMENTED;
2154 sdu_len = 0;
2155 pdu_len = len;
2156 } else {
2157 sar = L2CAP_SAR_START;
2158 sdu_len = len;
2159 pdu_len -= L2CAP_SDULEN_SIZE;
2160 }
2161
2162 while (len > 0) {
2163 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2164
c74e560c 2165 if (IS_ERR(skb)) {
94122bbe 2166 __skb_queue_purge(seg_queue);
c74e560c
GP		 2167 return PTR_ERR(skb);
2168 }
2169
94122bbe
MM		 2170 bt_cb(skb)->control.sar = sar;
2171 __skb_queue_tail(seg_queue, skb);
2172
2173 len -= pdu_len;
2174 if (sdu_len) {
2175 sdu_len = 0;
2176 pdu_len += L2CAP_SDULEN_SIZE;
2177 }
2178
2179 if (len <= pdu_len) {
2180 sar = L2CAP_SAR_END;
2181 pdu_len = len;
2182 } else {
2183 sar = L2CAP_SAR_CONTINUE;
2184 }
c74e560c 2185 }
c74e560c 2186
94122bbe 2187 return err;
c74e560c
GP		 2188}
2189
5e59b791
LAD		 2190int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2191 u32 priority)
9a91a04a 2192{
9a91a04a 2193 struct sk_buff *skb;
9a91a04a 2194 int err;
94122bbe 2195 struct sk_buff_head seg_queue;
9a91a04a
GP		 2196
2197 /* Connectionless channel */
715ec005 2198 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2199 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2200 if (IS_ERR(skb))
2201 return PTR_ERR(skb);
2202
2203 l2cap_do_send(chan, skb);
2204 return len;
2205 }
2206
2207 switch (chan->mode) {
2208 case L2CAP_MODE_BASIC:
2209 /* Check outgoing MTU */
2210 if (len > chan->omtu)
2211 return -EMSGSIZE;
2212
2213 /* Create a basic PDU */
5e59b791 2214 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2215 if (IS_ERR(skb))
2216 return PTR_ERR(skb);
2217
2218 l2cap_do_send(chan, skb);
2219 err = len;
2220 break;
2221
2222 case L2CAP_MODE_ERTM:
2223 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2224 /* Check outgoing MTU */
2225 if (len > chan->omtu) {
2226 err = -EMSGSIZE;
2227 break;
2228 }
9a91a04a 2229
94122bbe 2230 __skb_queue_head_init(&seg_queue);
9a91a04a 2231
94122bbe
MM		 2232 /* Do segmentation before calling in to the state machine,
2233 * since it's possible to block while waiting for memory
2234 * allocation.
2235 */
2236 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2237
94122bbe
MM		 2238 /* The channel could have been closed while segmenting,
2239 * check that it is still connected.
2240 */
2241 if (chan->state != BT_CONNECTED) {
2242 __skb_queue_purge(&seg_queue);
2243 err = -ENOTCONN;
9a91a04a
GP		 2244 }
2245
94122bbe 2246 if (err)
9a91a04a 2247 break;
9a91a04a 2248
3733937d 2249 if (chan->mode == L2CAP_MODE_ERTM)
608bcc6d
MM		 2250 err = l2cap_tx(chan, 0, &seg_queue,
2251 L2CAP_EV_DATA_REQUEST);
3733937d
MM		 2252 else
2253 err = l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2254
608bcc6d 2255 if (!err)
9a91a04a
GP		 2256 err = len;
2257
94122bbe
MM		 2258 /* If the skbs were not queued for sending, they'll still be in
2259 * seg_queue and need to be purged.
2260 */
2261 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2262 break;
2263
2264 default:
2265 BT_DBG("bad state %1.1x", chan->mode);
2266 err = -EBADFD;
2267 }
2268
2269 return err;
2270}
2271
d2a7ac5d
MM		 2272static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2273{
bed68bde
MM		 2274 struct l2cap_ctrl control;
2275 u16 seq;
2276
2277 BT_DBG("chan %p, txseq %d", chan, txseq);
2278
2279 memset(&control, 0, sizeof(control));
2280 control.sframe = 1;
2281 control.super = L2CAP_SUPER_SREJ;
2282
2283 for (seq = chan->expected_tx_seq; seq != txseq;
2284 seq = __next_seq(chan, seq)) {
2285 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2286 control.reqseq = seq;
2287 l2cap_send_sframe(chan, &control);
2288 l2cap_seq_list_append(&chan->srej_list, seq);
2289 }
2290 }
2291
2292 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2293}
2294
2295static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2296{
bed68bde
MM		 2297 struct l2cap_ctrl control;
2298
2299 BT_DBG("chan %p", chan);
2300
2301 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2302 return;
2303
2304 memset(&control, 0, sizeof(control));
2305 control.sframe = 1;
2306 control.super = L2CAP_SUPER_SREJ;
2307 control.reqseq = chan->srej_list.tail;
2308 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2309}
2310
2311static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2312{
bed68bde
MM		 2313 struct l2cap_ctrl control;
2314 u16 initial_head;
2315 u16 seq;
2316
2317 BT_DBG("chan %p, txseq %d", chan, txseq);
2318
2319 memset(&control, 0, sizeof(control));
2320 control.sframe = 1;
2321 control.super = L2CAP_SUPER_SREJ;
2322
2323 /* Capture initial list head to allow only one pass through the list. */
2324 initial_head = chan->srej_list.head;
2325
2326 do {
2327 seq = l2cap_seq_list_pop(&chan->srej_list);
2328 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2329 break;
2330
2331 control.reqseq = seq;
2332 l2cap_send_sframe(chan, &control);
2333 l2cap_seq_list_append(&chan->srej_list, seq);
2334 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2335}
2336
608bcc6d
MM		 2337static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2338{
2339 struct sk_buff *acked_skb;
2340 u16 ackseq;
2341
2342 BT_DBG("chan %p, reqseq %d", chan, reqseq);
2343
2344 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2345 return;
2346
2347 BT_DBG("expected_ack_seq %d, unacked_frames %d",
2348 chan->expected_ack_seq, chan->unacked_frames);
2349
2350 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2351 ackseq = __next_seq(chan, ackseq)) {
2352
2353 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2354 if (acked_skb) {
2355 skb_unlink(acked_skb, &chan->tx_q);
2356 kfree_skb(acked_skb);
2357 chan->unacked_frames--;
2358 }
2359 }
2360
2361 chan->expected_ack_seq = reqseq;
2362
2363 if (chan->unacked_frames == 0)
2364 __clear_retrans_timer(chan);
2365
2366 BT_DBG("unacked_frames %d", (int) chan->unacked_frames);
2367}
2368
2369static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2370{
2371 BT_DBG("chan %p", chan);
2372
2373 chan->expected_tx_seq = chan->buffer_seq;
2374 l2cap_seq_list_clear(&chan->srej_list);
2375 skb_queue_purge(&chan->srej_q);
2376 chan->rx_state = L2CAP_RX_STATE_RECV;
2377}
2378
2379static int l2cap_tx_state_xmit(struct l2cap_chan *chan,
2380 struct l2cap_ctrl *control,
2381 struct sk_buff_head *skbs, u8 event)
2382{
2383 int err = 0;
2384
2385 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2386 event);
2387
2388 switch (event) {
2389 case L2CAP_EV_DATA_REQUEST:
2390 if (chan->tx_send_head == NULL)
2391 chan->tx_send_head = skb_peek(skbs);
2392
2393 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2394 l2cap_ertm_send(chan);
2395 break;
2396 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2397 BT_DBG("Enter LOCAL_BUSY");
2398 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2399
2400 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2401 /* The SREJ_SENT state must be aborted if we are to
2402 * enter the LOCAL_BUSY state.
2403 */
2404 l2cap_abort_rx_srej_sent(chan);
2405 }
2406
2407 l2cap_send_ack(chan);
2408
2409 break;
2410 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2411 BT_DBG("Exit LOCAL_BUSY");
2412 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2413
2414 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2415 struct l2cap_ctrl local_control;
2416
2417 memset(&local_control, 0, sizeof(local_control));
2418 local_control.sframe = 1;
2419 local_control.super = L2CAP_SUPER_RR;
2420 local_control.poll = 1;
2421 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2422 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2423
2424 chan->retry_count = 1;
2425 __set_monitor_timer(chan);
2426 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2427 }
2428 break;
2429 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2430 l2cap_process_reqseq(chan, control->reqseq);
2431 break;
2432 case L2CAP_EV_EXPLICIT_POLL:
2433 l2cap_send_rr_or_rnr(chan, 1);
2434 chan->retry_count = 1;
2435 __set_monitor_timer(chan);
2436 __clear_ack_timer(chan);
2437 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2438 break;
2439 case L2CAP_EV_RETRANS_TO:
2440 l2cap_send_rr_or_rnr(chan, 1);
2441 chan->retry_count = 1;
2442 __set_monitor_timer(chan);
2443 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2444 break;
2445 case L2CAP_EV_RECV_FBIT:
2446 /* Nothing to process */
2447 break;
2448 default:
2449 break;
2450 }
2451
2452 return err;
2453}
2454
2455static int l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2456 struct l2cap_ctrl *control,
2457 struct sk_buff_head *skbs, u8 event)
2458{
2459 int err = 0;
2460
2461 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2462 event);
2463
2464 switch (event) {
2465 case L2CAP_EV_DATA_REQUEST:
2466 if (chan->tx_send_head == NULL)
2467 chan->tx_send_head = skb_peek(skbs);
2468 /* Queue data, but don't send. */
2469 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2470 break;
2471 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2472 BT_DBG("Enter LOCAL_BUSY");
2473 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2474
2475 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2476 /* The SREJ_SENT state must be aborted if we are to
2477 * enter the LOCAL_BUSY state.
2478 */
2479 l2cap_abort_rx_srej_sent(chan);
2480 }
2481
2482 l2cap_send_ack(chan);
2483
2484 break;
2485 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2486 BT_DBG("Exit LOCAL_BUSY");
2487 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2488
2489 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2490 struct l2cap_ctrl local_control;
2491 memset(&local_control, 0, sizeof(local_control));
2492 local_control.sframe = 1;
2493 local_control.super = L2CAP_SUPER_RR;
2494 local_control.poll = 1;
2495 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2496 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2497
2498 chan->retry_count = 1;
2499 __set_monitor_timer(chan);
2500 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2501 }
2502 break;
2503 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2504 l2cap_process_reqseq(chan, control->reqseq);
2505
2506 /* Fall through */
2507
2508 case L2CAP_EV_RECV_FBIT:
2509 if (control && control->final) {
2510 __clear_monitor_timer(chan);
2511 if (chan->unacked_frames > 0)
2512 __set_retrans_timer(chan);
2513 chan->retry_count = 0;
2514 chan->tx_state = L2CAP_TX_STATE_XMIT;
2515 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2516 }
2517 break;
2518 case L2CAP_EV_EXPLICIT_POLL:
2519 /* Ignore */
2520 break;
2521 case L2CAP_EV_MONITOR_TO:
2522 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2523 l2cap_send_rr_or_rnr(chan, 1);
2524 __set_monitor_timer(chan);
2525 chan->retry_count++;
2526 } else {
2527 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
2528 }
2529 break;
2530 default:
2531 break;
2532 }
2533
2534 return err;
2535}
2536
2537static int l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2538 struct sk_buff_head *skbs, u8 event)
2539{
2540 int err = 0;
2541
2542 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2543 chan, control, skbs, event, chan->tx_state);
2544
2545 switch (chan->tx_state) {
2546 case L2CAP_TX_STATE_XMIT:
2547 err = l2cap_tx_state_xmit(chan, control, skbs, event);
2548 break;
2549 case L2CAP_TX_STATE_WAIT_F:
2550 err = l2cap_tx_state_wait_f(chan, control, skbs, event);
2551 break;
2552 default:
2553 /* Ignore event */
2554 break;
2555 }
2556
2557 return err;
2558}
2559
4b51dae9
MM		 2560static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2561 struct l2cap_ctrl *control)
2562{
2563 BT_DBG("chan %p, control %p", chan, control);
2564 l2cap_tx(chan, control, 0, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
2565}
2566
f80842a8
MM		 2567static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2568 struct l2cap_ctrl *control)
2569{
2570 BT_DBG("chan %p, control %p", chan, control);
2571 l2cap_tx(chan, control, 0, L2CAP_EV_RECV_FBIT);
2572}
2573
1da177e4
LT		 2574/* Copy frame to all raw sockets on that connection */
2575static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2576{
1da177e4 2577 struct sk_buff *nskb;
48454079 2578 struct l2cap_chan *chan;
1da177e4
LT		 2579
2580 BT_DBG("conn %p", conn);
2581
3df91ea2 2582 mutex_lock(&conn->chan_lock);
3d57dc68 2583
3df91ea2 2584 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2585 struct sock *sk = chan->sk;
715ec005 2586 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2587 continue;
2588
2589 /* Don't send frame to the socket it came from */
2590 if (skb->sk == sk)
2591 continue;
af05b30b
GP		 2592 nskb = skb_clone(skb, GFP_ATOMIC);
2593 if (!nskb)
1da177e4
LT		 2594 continue;
2595
23070494 2596 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT		 2597 kfree_skb(nskb);
2598 }
3d57dc68 2599
3df91ea2 2600 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2601}
2602
2603/* ---- L2CAP signalling commands ---- */
2604static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2605 u8 code, u8 ident, u16 dlen, void *data)
2606{
2607 struct sk_buff *skb, **frag;
2608 struct l2cap_cmd_hdr *cmd;
2609 struct l2cap_hdr *lh;
2610 int len, count;
2611
af05b30b
GP		 2612 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2613 conn, code, ident, dlen);
1da177e4
LT		 2614
2615 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2616 count = min_t(unsigned int, conn->mtu, len);
2617
2618 skb = bt_skb_alloc(count, GFP_ATOMIC);
2619 if (!skb)
2620 return NULL;
2621
2622 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2623 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2624
2625 if (conn->hcon->type == LE_LINK)
2626 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2627 else
2628 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2629
2630 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2631 cmd->code = code;
2632 cmd->ident = ident;
aca3192c 2633 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2634
2635 if (dlen) {
2636 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2637 memcpy(skb_put(skb, count), data, count);
2638 data += count;
2639 }
2640
2641 len -= skb->len;
2642
2643 /* Continuation fragments (no L2CAP header) */
2644 frag = &skb_shinfo(skb)->frag_list;
2645 while (len) {
2646 count = min_t(unsigned int, conn->mtu, len);
2647
2648 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2649 if (!*frag)
2650 goto fail;
2651
2652 memcpy(skb_put(*frag, count), data, count);
2653
2654 len -= count;
2655 data += count;
2656
2657 frag = &(*frag)->next;
2658 }
2659
2660 return skb;
2661
2662fail:
2663 kfree_skb(skb);
2664 return NULL;
2665}
2666
2667static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2668{
2669 struct l2cap_conf_opt *opt = *ptr;
2670 int len;
2671
2672 len = L2CAP_CONF_OPT_SIZE + opt->len;
2673 *ptr += len;
2674
2675 *type = opt->type;
2676 *olen = opt->len;
2677
2678 switch (opt->len) {
2679 case 1:
2680 *val = *((u8 *) opt->val);
2681 break;
2682
2683 case 2:
bfaaeb3e 2684 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2685 break;
2686
2687 case 4:
bfaaeb3e 2688 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2689 break;
2690
2691 default:
2692 *val = (unsigned long) opt->val;
2693 break;
2694 }
2695
2696 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2697 return len;
2698}
2699
1da177e4
LT		 2700static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2701{
2702 struct l2cap_conf_opt *opt = *ptr;
2703
2704 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2705
2706 opt->type = type;
2707 opt->len = len;
2708
2709 switch (len) {
2710 case 1:
2711 *((u8 *) opt->val) = val;
2712 break;
2713
2714 case 2:
4f8b691c 2715 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2716 break;
2717
2718 case 4:
4f8b691c 2719 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2720 break;
2721
2722 default:
2723 memcpy(opt->val, (void *) val, len);
2724 break;
2725 }
2726
2727 *ptr += L2CAP_CONF_OPT_SIZE + len;
2728}
2729
f89cef09
AE		 2730static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2731{
2732 struct l2cap_conf_efs efs;
2733
1ec918ce 2734 switch (chan->mode) {
f89cef09
AE		 2735 case L2CAP_MODE_ERTM:
2736 efs.id = chan->local_id;
2737 efs.stype = chan->local_stype;
2738 efs.msdu = cpu_to_le16(chan->local_msdu);
2739 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2740 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2741 efs.flush_to = cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
2742 break;
2743
2744 case L2CAP_MODE_STREAMING:
2745 efs.id = 1;
2746 efs.stype = L2CAP_SERV_BESTEFFORT;
2747 efs.msdu = cpu_to_le16(chan->local_msdu);
2748 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2749 efs.acc_lat = 0;
2750 efs.flush_to = 0;
2751 break;
2752
2753 default:
2754 return;
2755 }
2756
2757 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
2758 (unsigned long) &efs);
2759}
2760
721c4181 2761static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2762{
721c4181 2763 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 2764 ack_timer.work);
2765 u16 frames_to_ack;
c1b4f43b 2766
2fb9b3d4
GP		 2767 BT_DBG("chan %p", chan);
2768
6be36555
AE		 2769 l2cap_chan_lock(chan);
2770
0362520b
MM		 2771 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2772 chan->last_acked_seq);
6be36555 2773
0362520b
MM		 2774 if (frames_to_ack)
2775 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 2776
0362520b 2777 l2cap_chan_unlock(chan);
09bfb2ee 2778 l2cap_chan_put(chan);
c1b4f43b
GP		 2779}
2780
3c588192 2781static inline int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2782{
3c588192
MM		 2783 int err;
2784
105bdf9e
MM		 2785 chan->next_tx_seq = 0;
2786 chan->expected_tx_seq = 0;
42e5c802 2787 chan->expected_ack_seq = 0;
6a026610 2788 chan->unacked_frames = 0;
42e5c802 2789 chan->buffer_seq = 0;
6a026610 2790 chan->frames_sent = 0;
105bdf9e
MM		 2791 chan->last_acked_seq = 0;
2792 chan->sdu = NULL;
2793 chan->sdu_last_frag = NULL;
2794 chan->sdu_len = 0;
2795
d34c34fb
MM		 2796 skb_queue_head_init(&chan->tx_q);
2797
105bdf9e
MM		 2798 if (chan->mode != L2CAP_MODE_ERTM)
2799 return 0;
2800
2801 chan->rx_state = L2CAP_RX_STATE_RECV;
2802 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2803
721c4181
GP		 2804 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2805 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2806 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2807
f1c6775b 2808 skb_queue_head_init(&chan->srej_q);
1890d36b 2809
3c588192
MM		 2810 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2811 if (err < 0)
2812 return err;
2813
9dc9affc
MM		 2814 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
2815 if (err < 0)
2816 l2cap_seq_list_free(&chan->srej_list);
2817
2818 return err;
0565c1c2
GP		 2819}
2820
f2fcfcd6
GP		 2821static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2822{
2823 switch (mode) {
2824 case L2CAP_MODE_STREAMING:
2825 case L2CAP_MODE_ERTM:
2826 if (l2cap_mode_supported(mode, remote_feat_mask))
2827 return mode;
2828 /* fall through */
2829 default:
2830 return L2CAP_MODE_BASIC;
2831 }
2832}
2833
6327eb98
AE		 2834static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2835{
2836 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2837}
2838
f89cef09
AE		 2839static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2840{
2841 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2842}
2843
6327eb98
AE		 2844static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2845{
2846 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 2847 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2848 /* use extended control field */
2849 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2850 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2851 } else {
6327eb98
AE		 2852 chan->tx_win = min_t(u16, chan->tx_win,
2853 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2854 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2855 }
6327eb98
AE		 2856}
2857
710f9b0a 2858static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2859{
1da177e4 2860 struct l2cap_conf_req *req = data;
0c1bc5c6 2861 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2862 void *ptr = req->data;
c8f79162 2863 u16 size;
1da177e4 2864
49208c9c 2865 BT_DBG("chan %p", chan);
1da177e4 2866
73ffa904 2867 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2868 goto done;
2869
0c1bc5c6 2870 switch (chan->mode) {
f2fcfcd6
GP		 2871 case L2CAP_MODE_STREAMING:
2872 case L2CAP_MODE_ERTM:
c1360a1c 2873 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2874 break;
85eb53c6 2875
f89cef09
AE		 2876 if (__l2cap_efs_supported(chan))
2877 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2878
2ba13ed6 2879 /* fall through */
f2fcfcd6 2880 default:
8c1d787b 2881 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2882 break;
2883 }
2884
2885done:
0c1bc5c6
GP		 2886 if (chan->imtu != L2CAP_DEFAULT_MTU)
2887 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2888
0c1bc5c6 2889 switch (chan->mode) {
65c7c491 2890 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2891 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2892 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2893 break;
2894
62547752
GP		 2895 rfc.mode = L2CAP_MODE_BASIC;
2896 rfc.txwin_size = 0;
2897 rfc.max_transmit = 0;
2898 rfc.retrans_timeout = 0;
2899 rfc.monitor_timeout = 0;
2900 rfc.max_pdu_size = 0;
2901
63406504
GP		 2902 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2903 (unsigned long) &rfc);
65c7c491
MH		 2904 break;
2905
2906 case L2CAP_MODE_ERTM:
2907 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2908 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2909 rfc.retrans_timeout = 0;
2910 rfc.monitor_timeout = 0;
c8f79162
AE		 2911
2912 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2913 L2CAP_EXT_HDR_SIZE -
2914 L2CAP_SDULEN_SIZE -
2915 L2CAP_FCS_SIZE);
2916 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2917
6327eb98
AE		 2918 l2cap_txwin_setup(chan);
2919
2920 rfc.txwin_size = min_t(u16, chan->tx_win,
2921 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2922
63406504
GP		 2923 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2924 (unsigned long) &rfc);
2925
f89cef09
AE		 2926 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2927 l2cap_add_opt_efs(&ptr, chan);
2928
8c1d787b 2929 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2930 break;
2931
47d1ec61 2932 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2933 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2934 chan->fcs = L2CAP_FCS_NONE;
2935 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2936 }
6327eb98
AE		 2937
2938 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2939 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2940 chan->tx_win);
f2fcfcd6
GP		 2941 break;
2942
2943 case L2CAP_MODE_STREAMING:
273759e2 2944 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 2945 rfc.mode = L2CAP_MODE_STREAMING;
2946 rfc.txwin_size = 0;
2947 rfc.max_transmit = 0;
2948 rfc.retrans_timeout = 0;
2949 rfc.monitor_timeout = 0;
c8f79162
AE		 2950
2951 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2952 L2CAP_EXT_HDR_SIZE -
2953 L2CAP_SDULEN_SIZE -
2954 L2CAP_FCS_SIZE);
2955 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2956
63406504
GP		 2957 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2958 (unsigned long) &rfc);
2959
f89cef09
AE		 2960 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2961 l2cap_add_opt_efs(&ptr, chan);
2962
8c1d787b 2963 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2964 break;
2965
47d1ec61 2966 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2967 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2968 chan->fcs = L2CAP_FCS_NONE;
2969 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2970 }
65c7c491
MH		 2971 break;
2972 }
1da177e4 2973
fe4128e0 2974 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 2975 req->flags = cpu_to_le16(0);
1da177e4
LT		 2976
2977 return ptr - data;
2978}
2979
73ffa904 2980static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2981{
5dee9e7c
MH		 2982 struct l2cap_conf_rsp *rsp = data;
2983 void *ptr = rsp->data;
73ffa904
GP		 2984 void *req = chan->conf_req;
2985 int len = chan->conf_len;
5dee9e7c
MH		 2986 int type, hint, olen;
2987 unsigned long val;
6464f35f 2988 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2989 struct l2cap_conf_efs efs;
2990 u8 remote_efs = 0;
861d6882 2991 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2992 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2993 u16 size;
1da177e4 2994
73ffa904 2995 BT_DBG("chan %p", chan);
820ae1b8 2996
5dee9e7c
MH		 2997 while (len >= L2CAP_CONF_OPT_SIZE) {
2998 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2999
589d2746 3000 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3001 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3002
3003 switch (type) {
3004 case L2CAP_CONF_MTU:
861d6882 3005 mtu = val;
5dee9e7c
MH		 3006 break;
3007
3008 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3009 chan->flush_to = val;
5dee9e7c
MH		 3010 break;
3011
3012 case L2CAP_CONF_QOS:
3013 break;
3014
6464f35f
MH		 3015 case L2CAP_CONF_RFC:
3016 if (olen == sizeof(rfc))
3017 memcpy(&rfc, (void *) val, olen);
3018 break;
3019
fcc203c3
GP		 3020 case L2CAP_CONF_FCS:
3021 if (val == L2CAP_FCS_NONE)
c1360a1c 3022 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 3023 break;
fcc203c3 3024
42dceae2
AE		 3025 case L2CAP_CONF_EFS:
3026 remote_efs = 1;
3027 if (olen == sizeof(efs))
3028 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3029 break;
3030
6327eb98
AE		 3031 case L2CAP_CONF_EWS:
3032 if (!enable_hs)
3033 return -ECONNREFUSED;
fcc203c3 3034
6327eb98
AE		 3035 set_bit(FLAG_EXT_CTRL, &chan->flags);
3036 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3037 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3038 chan->remote_tx_win = val;
fcc203c3
GP		 3039 break;
3040
5dee9e7c
MH		 3041 default:
3042 if (hint)
3043 break;
3044
3045 result = L2CAP_CONF_UNKNOWN;
3046 *((u8 *) ptr++) = type;
3047 break;
3048 }
3049 }
3050
73ffa904 3051 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3052 goto done;
3053
0c1bc5c6 3054 switch (chan->mode) {
f2fcfcd6
GP		 3055 case L2CAP_MODE_STREAMING:
3056 case L2CAP_MODE_ERTM:
c1360a1c 3057 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3058 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 3059 chan->conn->feat_mask);
85eb53c6
GP		 3060 break;
3061 }
3062
42dceae2
AE		 3063 if (remote_efs) {
3064 if (__l2cap_efs_supported(chan))
3065 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3066 else
3067 return -ECONNREFUSED;
3068 }
3069
0c1bc5c6 3070 if (chan->mode != rfc.mode)
f2fcfcd6 3071 return -ECONNREFUSED;
742e519b 3072
f2fcfcd6 3073 break;
f2fcfcd6
GP		 3074 }
3075
3076done:
0c1bc5c6 3077 if (chan->mode != rfc.mode) {
f2fcfcd6 3078 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3079 rfc.mode = chan->mode;
f2fcfcd6 3080
73ffa904 3081 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3082 return -ECONNREFUSED;
3083
3084 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3085 sizeof(rfc), (unsigned long) &rfc);
3086 }
3087
5dee9e7c
MH		 3088 if (result == L2CAP_CONF_SUCCESS) {
3089 /* Configure output options and let the other side know
3090 * which ones we don't like. */
3091
f2fcfcd6
GP		 3092 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3093 result = L2CAP_CONF_UNACCEPT;
3094 else {
0c1bc5c6 3095 chan->omtu = mtu;
c1360a1c 3096 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3097 }
0c1bc5c6 3098 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3099
42dceae2
AE		 3100 if (remote_efs) {
3101 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3102 efs.stype != L2CAP_SERV_NOTRAFIC &&
3103 efs.stype != chan->local_stype) {
3104
3105 result = L2CAP_CONF_UNACCEPT;
3106
3107 if (chan->num_conf_req >= 1)
3108 return -ECONNREFUSED;
3109
3110 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 3111 sizeof(efs),
42dceae2 3112 (unsigned long) &efs);
0e8b207e 3113 } else {
3e6b3b95 3114 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3115 result = L2CAP_CONF_PENDING;
3116 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3117 }
3118 }
3119
f2fcfcd6
GP		 3120 switch (rfc.mode) {
3121 case L2CAP_MODE_BASIC:
47d1ec61 3122 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3123 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3124 break;
3125
3126 case L2CAP_MODE_ERTM:
6327eb98
AE		 3127 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3128 chan->remote_tx_win = rfc.txwin_size;
3129 else
3130 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3131
2c03a7a4 3132 chan->remote_max_tx = rfc.max_transmit;
1c762159 3133
c8f79162
AE		 3134 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3135 chan->conn->mtu -
3136 L2CAP_EXT_HDR_SIZE -
3137 L2CAP_SDULEN_SIZE -
3138 L2CAP_FCS_SIZE);
3139 rfc.max_pdu_size = cpu_to_le16(size);
3140 chan->remote_mps = size;
f2fcfcd6 3141
10467e9e 3142 rfc.retrans_timeout =
4fd21a88 3143 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
10467e9e 3144 rfc.monitor_timeout =
4fd21a88 3145 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 3146
c1360a1c 3147 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3148
3149 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3150 sizeof(rfc), (unsigned long) &rfc);
3151
42dceae2
AE		 3152 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3153 chan->remote_id = efs.id;
3154 chan->remote_stype = efs.stype;
3155 chan->remote_msdu = le16_to_cpu(efs.msdu);
3156 chan->remote_flush_to =
3157 le32_to_cpu(efs.flush_to);
3158 chan->remote_acc_lat =
3159 le32_to_cpu(efs.acc_lat);
3160 chan->remote_sdu_itime =
3161 le32_to_cpu(efs.sdu_itime);
3162 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3163 sizeof(efs), (unsigned long) &efs);
3164 }
f2fcfcd6
GP		 3165 break;
3166
3167 case L2CAP_MODE_STREAMING:
c8f79162
AE		 3168 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3169 chan->conn->mtu -
3170 L2CAP_EXT_HDR_SIZE -
3171 L2CAP_SDULEN_SIZE -
3172 L2CAP_FCS_SIZE);
3173 rfc.max_pdu_size = cpu_to_le16(size);
3174 chan->remote_mps = size;
f2fcfcd6 3175
c1360a1c 3176 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3177
3178 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3179 sizeof(rfc), (unsigned long) &rfc);
3180
f2fcfcd6
GP		 3181 break;
3182
3183 default:
5dee9e7c 3184 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3185
6464f35f 3186 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3187 rfc.mode = chan->mode;
f2fcfcd6 3188 }
6464f35f 3189
f2fcfcd6 3190 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3191 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3192 }
fe4128e0 3193 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 3194 rsp->result = cpu_to_le16(result);
3195 rsp->flags = cpu_to_le16(0x0000);
3196
3197 return ptr - data;
1da177e4
LT		 3198}
3199
b4450035 3200static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 3201{
f2fcfcd6
GP		 3202 struct l2cap_conf_req *req = data;
3203 void *ptr = req->data;
3204 int type, olen;
3205 unsigned long val;
36e999a8 3206 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3207 struct l2cap_conf_efs efs;
f2fcfcd6 3208
fe4128e0 3209 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3210
3211 while (len >= L2CAP_CONF_OPT_SIZE) {
3212 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3213
3214 switch (type) {
3215 case L2CAP_CONF_MTU:
3216 if (val < L2CAP_DEFAULT_MIN_MTU) {
3217 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3218 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3219 } else
0c1bc5c6
GP		 3220 chan->imtu = val;
3221 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3222 break;
3223
3224 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3225 chan->flush_to = val;
f2fcfcd6 3226 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 3227 2, chan->flush_to);
f2fcfcd6
GP		 3228 break;
3229
3230 case L2CAP_CONF_RFC:
3231 if (olen == sizeof(rfc))
3232 memcpy(&rfc, (void *)val, olen);
3233
c1360a1c 3234 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 3235 rfc.mode != chan->mode)
f2fcfcd6
GP		 3236 return -ECONNREFUSED;
3237
47d1ec61 3238 chan->fcs = 0;
f2fcfcd6
GP		 3239
3240 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3241 sizeof(rfc), (unsigned long) &rfc);
3242 break;
6327eb98
AE		 3243
3244 case L2CAP_CONF_EWS:
3245 chan->tx_win = min_t(u16, val,
3246 L2CAP_DEFAULT_EXT_WINDOW);
3e6b3b95
GP		 3247 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3248 chan->tx_win);
6327eb98 3249 break;
66af7aaf
AE		 3250
3251 case L2CAP_CONF_EFS:
3252 if (olen == sizeof(efs))
3253 memcpy(&efs, (void *)val, olen);
3254
3255 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3256 efs.stype != L2CAP_SERV_NOTRAFIC &&
3257 efs.stype != chan->local_stype)
3258 return -ECONNREFUSED;
3259
3260 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3261 sizeof(efs), (unsigned long) &efs);
3262 break;
f2fcfcd6
GP		 3263 }
3264 }
3265
0c1bc5c6 3266 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3267 return -ECONNREFUSED;
3268
0c1bc5c6 3269 chan->mode = rfc.mode;
6c2ea7a8 3270
0e8b207e 3271 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3272 switch (rfc.mode) {
3273 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3274 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3275 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3276 chan->mps = le16_to_cpu(rfc.max_pdu_size);
66af7aaf
AE		 3277
3278 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3279 chan->local_msdu = le16_to_cpu(efs.msdu);
3280 chan->local_sdu_itime =
3281 le32_to_cpu(efs.sdu_itime);
3282 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3283 chan->local_flush_to =
3284 le32_to_cpu(efs.flush_to);
3285 }
f2fcfcd6 3286 break;
66af7aaf 3287
f2fcfcd6 3288 case L2CAP_MODE_STREAMING:
47d1ec61 3289 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3290 }
3291 }
3292
fe4128e0 3293 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 3294 req->flags = cpu_to_le16(0x0000);
3295
3296 return ptr - data;
3297}
3298
fe4128e0 3299static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 3300{
3301 struct l2cap_conf_rsp *rsp = data;
3302 void *ptr = rsp->data;
1da177e4 3303
fe4128e0 3304 BT_DBG("chan %p", chan);
1da177e4 3305
fe4128e0 3306 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3307 rsp->result = cpu_to_le16(result);
aca3192c 3308 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3309
3310 return ptr - data;
3311}
3312
8c1d787b 3313void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3314{
3315 struct l2cap_conn_rsp rsp;
8c1d787b 3316 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 3317 u8 buf[128];
3318
fe4128e0
GP		 3319 rsp.scid = cpu_to_le16(chan->dcid);
3320 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 3321 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3322 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3323 l2cap_send_cmd(conn, chan->ident,
3324 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
3325
c1360a1c 3326 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3327 return;
3328
710f9b0a
GP		 3329 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3330 l2cap_build_conf_req(chan, buf), buf);
3331 chan->num_conf_req++;
3332}
3333
47d1ec61 3334static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3335{
7b1c0049
GP		 3336 int type, olen;
3337 unsigned long val;
3338 struct l2cap_conf_rfc rfc;
3339
47d1ec61 3340 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3341
0c1bc5c6 3342 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3343 return;
3344
3345 while (len >= L2CAP_CONF_OPT_SIZE) {
3346 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3347
3348 switch (type) {
3349 case L2CAP_CONF_RFC:
3350 if (olen == sizeof(rfc))
3351 memcpy(&rfc, (void *)val, olen);
3352 goto done;
3353 }
3354 }
3355
36e999a8
MM		 3356 /* Use sane default values in case a misbehaving remote device
3357 * did not send an RFC option.
3358 */
3359 rfc.mode = chan->mode;
3360 rfc.retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3361 rfc.monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3362 rfc.max_pdu_size = cpu_to_le16(chan->imtu);
3363
3364 BT_ERR("Expected RFC option was not found, using defaults");
3365
7b1c0049
GP		 3366done:
3367 switch (rfc.mode) {
3368 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3369 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3370 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3371 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3372 break;
3373 case L2CAP_MODE_STREAMING:
47d1ec61 3374 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3375 }
3376}
3377
4e8402a3
MH		 3378static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3379{
e2fd318e 3380 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3381
e2fd318e 3382 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3383 return 0;
3384
3385 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3386 cmd->ident == conn->info_ident) {
17cd3f37 3387 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3388
3389 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3390 conn->info_ident = 0;
984947dc 3391
4e8402a3
MH		 3392 l2cap_conn_start(conn);
3393 }
3394
3395 return 0;
3396}
3397
1da177e4
LT		 3398static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3399{
1da177e4
LT		 3400 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3401 struct l2cap_conn_rsp rsp;
23691d75 3402 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3403 struct sock *parent, *sk = NULL;
e7c29cb1 3404 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3405
3406 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3407 __le16 psm = req->psm;
1da177e4 3408
097db76c 3409 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3410
3411 /* Check if we have socket listening on psm */
c2287681 3412 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3413 if (!pchan) {
1da177e4
LT		 3414 result = L2CAP_CR_BAD_PSM;
3415 goto sendresp;
3416 }
3417
23691d75
GP		 3418 parent = pchan->sk;
3419
3df91ea2 3420 mutex_lock(&conn->chan_lock);
aa2ac881 3421 lock_sock(parent);
e0f0cb56 3422
e7c29cb1
MH		 3423 /* Check if the ACL is secure enough (if not SDP) */
3424 if (psm != cpu_to_le16(0x0001) &&
3425 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3426 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3427 result = L2CAP_CR_SEC_BLOCK;
3428 goto response;
3429 }
3430
1da177e4
LT		 3431 result = L2CAP_CR_NO_MEM;
3432
3433 /* Check for backlog size */
3434 if (sk_acceptq_is_full(parent)) {
8e87d142 3435 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 3436 goto response;
3437 }
3438
80808e43
GP		 3439 chan = pchan->ops->new_connection(pchan->data);
3440 if (!chan)
1da177e4
LT		 3441 goto response;
3442
80808e43
GP		 3443 sk = chan->sk;
3444
1da177e4 3445 /* Check if we already have channel with that dcid */
baa7e1fa 3446 if (__l2cap_get_chan_by_dcid(conn, scid)) {
1da177e4 3447 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 3448 chan->ops->close(chan->data);
1da177e4
LT		 3449 goto response;
3450 }
3451
3452 hci_conn_hold(conn->hcon);
3453
1da177e4
LT		 3454 bacpy(&bt_sk(sk)->src, conn->src);
3455 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3456 chan->psm = psm;
3457 chan->dcid = scid;
1da177e4 3458
d1010240
GP		 3459 bt_accept_enqueue(parent, sk);
3460
6be36555 3461 __l2cap_chan_add(conn, chan);
48454079 3462
fe4128e0 3463 dcid = chan->scid;
1da177e4 3464
c9b66675 3465 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3466
fc7f8a7e 3467 chan->ident = cmd->ident;
1da177e4 3468
984947dc 3469 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3470 if (l2cap_chan_check_security(chan)) {
c5daa683 3471 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3472 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3473 result = L2CAP_CR_PEND;
3474 status = L2CAP_CS_AUTHOR_PEND;
3475 parent->sk_data_ready(parent, 0);
3476 } else {
0e587be7 3477 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 3478 result = L2CAP_CR_SUCCESS;
3479 status = L2CAP_CS_NO_INFO;
3480 }
79d554a6 3481 } else {
0e587be7 3482 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3483 result = L2CAP_CR_PEND;
3484 status = L2CAP_CS_AUTHEN_PEND;
3485 }
3486 } else {
0e587be7 3487 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3488 result = L2CAP_CR_PEND;
3489 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3490 }
3491
1da177e4 3492response:
aa2ac881 3493 release_sock(parent);
3df91ea2 3494 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3495
3496sendresp:
aca3192c
YH		 3497 rsp.scid = cpu_to_le16(scid);
3498 rsp.dcid = cpu_to_le16(dcid);
3499 rsp.result = cpu_to_le16(result);
3500 rsp.status = cpu_to_le16(status);
1da177e4 3501 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 3502
3503 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3504 struct l2cap_info_req info;
3505 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3506
3507 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3508 conn->info_ident = l2cap_get_ident(conn);
3509
ba13ccd9 3510 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 3511
3512 l2cap_send_cmd(conn, conn->info_ident,
3513 L2CAP_INFO_REQ, sizeof(info), &info);
3514 }
3515
c1360a1c 3516 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 3517 result == L2CAP_CR_SUCCESS) {
3518 u8 buf[128];
c1360a1c 3519 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3520 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3521 l2cap_build_conf_req(chan, buf), buf);
3522 chan->num_conf_req++;
e9aeb2dd
GP		 3523 }
3524
1da177e4
LT		 3525 return 0;
3526}
3527
3528static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3529{
3530 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3531 u16 scid, dcid, result, status;
48454079 3532 struct l2cap_chan *chan;
1da177e4 3533 u8 req[128];
3df91ea2 3534 int err;
1da177e4
LT		 3535
3536 scid = __le16_to_cpu(rsp->scid);
3537 dcid = __le16_to_cpu(rsp->dcid);
3538 result = __le16_to_cpu(rsp->result);
3539 status = __le16_to_cpu(rsp->status);
3540
1b009c98
AE		 3541 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3542 dcid, scid, result, status);
1da177e4 3543
3df91ea2
AE		 3544 mutex_lock(&conn->chan_lock);
3545
1da177e4 3546 if (scid) {
3df91ea2
AE		 3547 chan = __l2cap_get_chan_by_scid(conn, scid);
3548 if (!chan) {
3549 err = -EFAULT;
3550 goto unlock;
3551 }
1da177e4 3552 } else {
3df91ea2
AE		 3553 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3554 if (!chan) {
3555 err = -EFAULT;
3556 goto unlock;
3557 }
1da177e4
LT		 3558 }
3559
3df91ea2
AE		 3560 err = 0;
3561
6be36555 3562 l2cap_chan_lock(chan);
48454079 3563
1da177e4
LT		 3564 switch (result) {
3565 case L2CAP_CR_SUCCESS:
89bc500e 3566 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3567 chan->ident = 0;
fe4128e0 3568 chan->dcid = dcid;
c1360a1c 3569 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3570
c1360a1c 3571 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3572 break;
3573
1da177e4 3574 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3575 l2cap_build_conf_req(chan, req), req);
3576 chan->num_conf_req++;
1da177e4
LT		 3577 break;
3578
3579 case L2CAP_CR_PEND:
c1360a1c 3580 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3581 break;
3582
3583 default:
48454079 3584 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3585 break;
3586 }
3587
6be36555 3588 l2cap_chan_unlock(chan);
3df91ea2
AE		 3589
3590unlock:
3591 mutex_unlock(&conn->chan_lock);
3592
3593 return err;
1da177e4
LT		 3594}
3595
47d1ec61 3596static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3597{
3598 /* FCS is enabled only in ERTM or streaming mode, if one or both
3599 * sides request it.
3600 */
0c1bc5c6 3601 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3602 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3603 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3604 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3605}
3606
88219a0f 3607static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 3608{
3609 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3610 u16 dcid, flags;
3611 u8 rsp[64];
48454079 3612 struct l2cap_chan *chan;
3c588192 3613 int len, err = 0;
1da177e4
LT		 3614
3615 dcid = __le16_to_cpu(req->dcid);
3616 flags = __le16_to_cpu(req->flags);
3617
3618 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3619
baa7e1fa 3620 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3621 if (!chan)
1da177e4
LT		 3622 return -ENOENT;
3623
033b1142 3624 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3625 struct l2cap_cmd_rej_cid rej;
3626
3627 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
3628 rej.scid = cpu_to_le16(chan->scid);
3629 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3630
df6bd743
GP		 3631 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
3632 sizeof(rej), &rej);
354f60a9 3633 goto unlock;
df6bd743 3634 }
354f60a9 3635
5dee9e7c 3636 /* Reject if config buffer is too small. */
88219a0f 3637 len = cmd_len - sizeof(*req);
7ac28817 3638 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3639 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3640 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 3641 L2CAP_CONF_REJECT, flags), rsp);
3642 goto unlock;
3643 }
3644
3645 /* Store config. */
73ffa904
GP		 3646 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3647 chan->conf_len += len;
1da177e4
LT		 3648
3649 if (flags & 0x0001) {
3650 /* Incomplete config. Send empty response. */
3651 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3652 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 3653 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 3654 goto unlock;
3655 }
3656
3657 /* Complete config. */
73ffa904 3658 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3659 if (len < 0) {
e92c8e70 3660 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 3661 goto unlock;
f2fcfcd6 3662 }
1da177e4 3663
5dee9e7c 3664 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3665 chan->num_conf_rsp++;
5dee9e7c 3666
5dee9e7c 3667 /* Reset config buffer. */
73ffa904 3668 chan->conf_len = 0;
5dee9e7c 3669
c1360a1c 3670 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3671 goto unlock;
3672
c1360a1c 3673 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3674 set_default_fcs(chan);
fcc203c3 3675
89bc500e 3676 l2cap_state_change(chan, BT_CONNECTED);
e90bac06 3677
105bdf9e
MM		 3678 if (chan->mode == L2CAP_MODE_ERTM ||
3679 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3680 err = l2cap_ertm_init(chan);
3681
3682 if (err < 0)
3683 l2cap_send_disconn_req(chan->conn, chan, -err);
3684 else
3685 l2cap_chan_ready(chan);
0565c1c2 3686
876d9484
MH		 3687 goto unlock;
3688 }
3689
c1360a1c 3690 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3691 u8 buf[64];
1da177e4 3692 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3693 l2cap_build_conf_req(chan, buf), buf);
3694 chan->num_conf_req++;
1da177e4
LT		 3695 }
3696
0e8b207e
AE		 3697 /* Got Conf Rsp PENDING from remote side and asume we sent
3698 Conf Rsp PENDING in the code above */
3699 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
3700 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3701
3702 /* check compatibility */
3703
3704 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3705 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3706
3707 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3708 l2cap_build_conf_rsp(chan, rsp,
0e8b207e
AE		 3709 L2CAP_CONF_SUCCESS, 0x0000), rsp);
3710 }
3711
1da177e4 3712unlock:
6be36555 3713 l2cap_chan_unlock(chan);
3c588192 3714 return err;
1da177e4
LT		 3715}
3716
3717static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3718{
3719 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3720 u16 scid, flags, result;
48454079 3721 struct l2cap_chan *chan;
61386cba 3722 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3723 int err = 0;
1da177e4
LT		 3724
3725 scid = __le16_to_cpu(rsp->scid);
3726 flags = __le16_to_cpu(rsp->flags);
3727 result = __le16_to_cpu(rsp->result);
3728
61386cba
AE		 3729 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3730 result, len);
1da177e4 3731
baa7e1fa 3732 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3733 if (!chan)
1da177e4
LT		 3734 return 0;
3735
3736 switch (result) {
3737 case L2CAP_CONF_SUCCESS:
47d1ec61 3738 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3739 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3740 break;
3741
0e8b207e
AE		 3742 case L2CAP_CONF_PENDING:
3743 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3744
3745 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3746 char buf[64];
3747
3748 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3749 buf, &result);
3750 if (len < 0) {
3751 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3752 goto done;
3753 }
3754
3755 /* check compatibility */
3756
3757 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3758 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3759
3760 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3761 l2cap_build_conf_rsp(chan, buf,
0e8b207e
AE		 3762 L2CAP_CONF_SUCCESS, 0x0000), buf);
3763 }
3764 goto done;
3765
1da177e4 3766 case L2CAP_CONF_UNACCEPT:
73ffa904 3767 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3768 char req[64];
3769
c2c77ec8 3770 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 3771 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 3772 goto done;
3773 }
3774
f2fcfcd6
GP		 3775 /* throw out any old stored conf requests */
3776 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 3777 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3778 req, &result);
f2fcfcd6 3779 if (len < 0) {
e92c8e70 3780 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 3781 goto done;
3782 }
3783
3784 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3785 L2CAP_CONF_REQ, len, req);
73ffa904 3786 chan->num_conf_req++;
f2fcfcd6
GP		 3787 if (result != L2CAP_CONF_SUCCESS)
3788 goto done;
3789 break;
1da177e4
LT		 3790 }
3791
8e87d142 3792 default:
6be36555 3793 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 3794
ba13ccd9 3795 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 3796 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 3797 goto done;
3798 }
3799
3800 if (flags & 0x01)
3801 goto done;
3802
c1360a1c 3803 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 3804
c1360a1c 3805 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 3806 set_default_fcs(chan);
fcc203c3 3807
89bc500e 3808 l2cap_state_change(chan, BT_CONNECTED);
105bdf9e
MM		 3809 if (chan->mode == L2CAP_MODE_ERTM ||
3810 chan->mode == L2CAP_MODE_STREAMING)
3c588192 3811 err = l2cap_ertm_init(chan);
0565c1c2 3812
3c588192
MM		 3813 if (err < 0)
3814 l2cap_send_disconn_req(chan->conn, chan, -err);
3815 else
3816 l2cap_chan_ready(chan);
1da177e4
LT		 3817 }
3818
3819done:
6be36555 3820 l2cap_chan_unlock(chan);
3c588192 3821 return err;
1da177e4
LT		 3822}
3823
3824static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3825{
3826 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3827 struct l2cap_disconn_rsp rsp;
3828 u16 dcid, scid;
48454079 3829 struct l2cap_chan *chan;
1da177e4
LT		 3830 struct sock *sk;
3831
3832 scid = __le16_to_cpu(req->scid);
3833 dcid = __le16_to_cpu(req->dcid);
3834
3835 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3836
3df91ea2
AE		 3837 mutex_lock(&conn->chan_lock);
3838
3839 chan = __l2cap_get_chan_by_scid(conn, dcid);
3840 if (!chan) {
3841 mutex_unlock(&conn->chan_lock);
1da177e4 3842 return 0;
3df91ea2 3843 }
1da177e4 3844
6be36555
AE		 3845 l2cap_chan_lock(chan);
3846
48454079
GP		 3847 sk = chan->sk;
3848
fe4128e0
GP		 3849 rsp.dcid = cpu_to_le16(chan->scid);
3850 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3851 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3852
6be36555 3853 lock_sock(sk);
1da177e4 3854 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 3855 release_sock(sk);
1da177e4 3856
61d6ef3e 3857 l2cap_chan_hold(chan);
48454079 3858 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 3859
3860 l2cap_chan_unlock(chan);
1da177e4 3861
ba3bd0ee 3862 chan->ops->close(chan->data);
61d6ef3e 3863 l2cap_chan_put(chan);
3df91ea2
AE		 3864
3865 mutex_unlock(&conn->chan_lock);
3866
1da177e4
LT		 3867 return 0;
3868}
3869
3870static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3871{
3872 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3873 u16 dcid, scid;
48454079 3874 struct l2cap_chan *chan;
1da177e4
LT		 3875
3876 scid = __le16_to_cpu(rsp->scid);
3877 dcid = __le16_to_cpu(rsp->dcid);
3878
3879 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3880
3df91ea2
AE		 3881 mutex_lock(&conn->chan_lock);
3882
3883 chan = __l2cap_get_chan_by_scid(conn, scid);
3884 if (!chan) {
3885 mutex_unlock(&conn->chan_lock);
1da177e4 3886 return 0;
3df91ea2 3887 }
1da177e4 3888
6be36555 3889 l2cap_chan_lock(chan);
48454079 3890
61d6ef3e 3891 l2cap_chan_hold(chan);
48454079 3892 l2cap_chan_del(chan, 0);
6be36555
AE		 3893
3894 l2cap_chan_unlock(chan);
1da177e4 3895
ba3bd0ee 3896 chan->ops->close(chan->data);
61d6ef3e 3897 l2cap_chan_put(chan);
3df91ea2
AE		 3898
3899 mutex_unlock(&conn->chan_lock);
3900
1da177e4
LT		 3901 return 0;
3902}
3903
3904static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3905{
3906 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3907 u16 type;
3908
3909 type = __le16_to_cpu(req->type);
3910
3911 BT_DBG("type 0x%4.4x", type);
3912
f0709e03
MH		 3913 if (type == L2CAP_IT_FEAT_MASK) {
3914 u8 buf[8];
44dd46de 3915 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 3916 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3917 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3918 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3919 if (!disable_ertm)
fcc203c3
GP		 3920 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3921 | L2CAP_FEAT_FCS;
a5fd6f30 3922 if (enable_hs)
6327eb98
AE		 3923 feat_mask |= L2CAP_FEAT_EXT_FLOW
3924 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3925
1b7bf4ed 3926 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3927 l2cap_send_cmd(conn, cmd->ident,
3928 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3929 } else if (type == L2CAP_IT_FIXED_CHAN) {
3930 u8 buf[12];
3931 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3932
3933 if (enable_hs)
3934 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3935 else
3936 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3937
e1027a7c
MH		 3938 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3939 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3940 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH		 3941 l2cap_send_cmd(conn, cmd->ident,
3942 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3943 } else {
3944 struct l2cap_info_rsp rsp;
3945 rsp.type = cpu_to_le16(type);
3946 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3947 l2cap_send_cmd(conn, cmd->ident,
3948 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3949 }
1da177e4
LT		 3950
3951 return 0;
3952}
3953
3954static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3955{
3956 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3957 u16 type, result;
3958
3959 type = __le16_to_cpu(rsp->type);
3960 result = __le16_to_cpu(rsp->result);
3961
3962 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3963
e90165be
AE		 3964 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3965 if (cmd->ident != conn->info_ident ||
3966 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3967 return 0;
3968
17cd3f37 3969 cancel_delayed_work(&conn->info_timer);
4e8402a3 3970
adb08ede
VT		 3971 if (result != L2CAP_IR_SUCCESS) {
3972 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3973 conn->info_ident = 0;
3974
3975 l2cap_conn_start(conn);
3976
3977 return 0;
3978 }
3979
978c93b9
AE		 3980 switch (type) {
3981 case L2CAP_IT_FEAT_MASK:
83985319 3982 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3983
47ec1dcd 3984 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 3985 struct l2cap_info_req req;
3986 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3987
3988 conn->info_ident = l2cap_get_ident(conn);
3989
3990 l2cap_send_cmd(conn, conn->info_ident,
3991 L2CAP_INFO_REQ, sizeof(req), &req);
3992 } else {
3993 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3994 conn->info_ident = 0;
3995
3996 l2cap_conn_start(conn);
3997 }
978c93b9
AE		 3998 break;
3999
4000 case L2CAP_IT_FIXED_CHAN:
4001 conn->fixed_chan_mask = rsp->data[0];
984947dc 4002 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4003 conn->info_ident = 0;
984947dc
MH		 4004
4005 l2cap_conn_start(conn);
978c93b9 4006 break;
984947dc 4007 }
4e8402a3 4008
1da177e4
LT		 4009 return 0;
4010}
4011
f94ff6ff
MM		 4012static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
4013 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4014 void *data)
4015{
4016 struct l2cap_create_chan_req *req = data;
4017 struct l2cap_create_chan_rsp rsp;
4018 u16 psm, scid;
4019
4020 if (cmd_len != sizeof(*req))
4021 return -EPROTO;
4022
4023 if (!enable_hs)
4024 return -EINVAL;
4025
4026 psm = le16_to_cpu(req->psm);
4027 scid = le16_to_cpu(req->scid);
4028
4029 BT_DBG("psm %d, scid %d, amp_id %d", psm, scid, req->amp_id);
4030
4031 /* Placeholder: Always reject */
4032 rsp.dcid = 0;
4033 rsp.scid = cpu_to_le16(scid);
8ce0c498
AE		 4034 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
4035 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f94ff6ff
MM		 4036
4037 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4038 sizeof(rsp), &rsp);
4039
4040 return 0;
4041}
4042
4043static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
4044 struct l2cap_cmd_hdr *cmd, void *data)
4045{
4046 BT_DBG("conn %p", conn);
4047
4048 return l2cap_connect_rsp(conn, cmd, data);
4049}
4050
8d5a04a1
MM		 4051static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
4052 u16 icid, u16 result)
4053{
4054 struct l2cap_move_chan_rsp rsp;
4055
4056 BT_DBG("icid %d, result %d", icid, result);
4057
4058 rsp.icid = cpu_to_le16(icid);
4059 rsp.result = cpu_to_le16(result);
4060
4061 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
4062}
4063
4064static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
4065 struct l2cap_chan *chan, u16 icid, u16 result)
4066{
4067 struct l2cap_move_chan_cfm cfm;
4068 u8 ident;
4069
4070 BT_DBG("icid %d, result %d", icid, result);
4071
4072 ident = l2cap_get_ident(conn);
4073 if (chan)
4074 chan->ident = ident;
4075
4076 cfm.icid = cpu_to_le16(icid);
4077 cfm.result = cpu_to_le16(result);
4078
4079 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
4080}
4081
4082static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
4083 u16 icid)
4084{
4085 struct l2cap_move_chan_cfm_rsp rsp;
4086
4087 BT_DBG("icid %d", icid);
4088
4089 rsp.icid = cpu_to_le16(icid);
4090 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4091}
4092
4093static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
4094 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4095{
4096 struct l2cap_move_chan_req *req = data;
4097 u16 icid = 0;
4098 u16 result = L2CAP_MR_NOT_ALLOWED;
4099
4100 if (cmd_len != sizeof(*req))
4101 return -EPROTO;
4102
4103 icid = le16_to_cpu(req->icid);
4104
4105 BT_DBG("icid %d, dest_amp_id %d", icid, req->dest_amp_id);
4106
4107 if (!enable_hs)
4108 return -EINVAL;
4109
4110 /* Placeholder: Always refuse */
4111 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
4112
4113 return 0;
4114}
4115
4116static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
4117 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4118{
4119 struct l2cap_move_chan_rsp *rsp = data;
4120 u16 icid, result;
4121
4122 if (cmd_len != sizeof(*rsp))
4123 return -EPROTO;
4124
4125 icid = le16_to_cpu(rsp->icid);
4126 result = le16_to_cpu(rsp->result);
4127
4128 BT_DBG("icid %d, result %d", icid, result);
4129
4130 /* Placeholder: Always unconfirmed */
4131 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
4132
4133 return 0;
4134}
4135
4136static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
4137 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4138{
4139 struct l2cap_move_chan_cfm *cfm = data;
4140 u16 icid, result;
4141
4142 if (cmd_len != sizeof(*cfm))
4143 return -EPROTO;
4144
4145 icid = le16_to_cpu(cfm->icid);
4146 result = le16_to_cpu(cfm->result);
4147
4148 BT_DBG("icid %d, result %d", icid, result);
4149
4150 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4151
4152 return 0;
4153}
4154
4155static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
4156 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4157{
4158 struct l2cap_move_chan_cfm_rsp *rsp = data;
4159 u16 icid;
4160
4161 if (cmd_len != sizeof(*rsp))
4162 return -EPROTO;
4163
4164 icid = le16_to_cpu(rsp->icid);
4165
4166 BT_DBG("icid %d", icid);
4167
4168 return 0;
4169}
4170
e2174ca4 4171static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 4172 u16 to_multiplier)
4173{
4174 u16 max_latency;
4175
4176 if (min > max || min < 6 || max > 3200)
4177 return -EINVAL;
4178
4179 if (to_multiplier < 10 || to_multiplier > 3200)
4180 return -EINVAL;
4181
4182 if (max >= to_multiplier * 8)
4183 return -EINVAL;
4184
4185 max_latency = (to_multiplier * 8 / max) - 1;
4186 if (latency > 499 || latency > max_latency)
4187 return -EINVAL;
4188
4189 return 0;
4190}
4191
4192static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
4193 struct l2cap_cmd_hdr *cmd, u8 *data)
4194{
4195 struct hci_conn *hcon = conn->hcon;
4196 struct l2cap_conn_param_update_req *req;
4197 struct l2cap_conn_param_update_rsp rsp;
4198 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 4199 int err;
de73115a
CT		 4200
4201 if (!(hcon->link_mode & HCI_LM_MASTER))
4202 return -EINVAL;
4203
4204 cmd_len = __le16_to_cpu(cmd->len);
4205 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
4206 return -EPROTO;
4207
4208 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 4209 min = __le16_to_cpu(req->min);
4210 max = __le16_to_cpu(req->max);
de73115a
CT		 4211 latency = __le16_to_cpu(req->latency);
4212 to_multiplier = __le16_to_cpu(req->to_multiplier);
4213
4214 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
4215 min, max, latency, to_multiplier);
4216
4217 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 4218
4219 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
4220 if (err)
de73115a
CT		 4221 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
4222 else
4223 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
4224
4225 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
4226 sizeof(rsp), &rsp);
4227
2ce603eb
CT		 4228 if (!err)
4229 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
4230
de73115a
CT		 4231 return 0;
4232}
4233
3300d9a9
CT		 4234static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
4235 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4236{
4237 int err = 0;
4238
4239 switch (cmd->code) {
4240 case L2CAP_COMMAND_REJ:
4241 l2cap_command_rej(conn, cmd, data);
4242 break;
4243
4244 case L2CAP_CONN_REQ:
4245 err = l2cap_connect_req(conn, cmd, data);
4246 break;
4247
4248 case L2CAP_CONN_RSP:
4249 err = l2cap_connect_rsp(conn, cmd, data);
4250 break;
4251
4252 case L2CAP_CONF_REQ:
4253 err = l2cap_config_req(conn, cmd, cmd_len, data);
4254 break;
4255
4256 case L2CAP_CONF_RSP:
4257 err = l2cap_config_rsp(conn, cmd, data);
4258 break;
4259
4260 case L2CAP_DISCONN_REQ:
4261 err = l2cap_disconnect_req(conn, cmd, data);
4262 break;
4263
4264 case L2CAP_DISCONN_RSP:
4265 err = l2cap_disconnect_rsp(conn, cmd, data);
4266 break;
4267
4268 case L2CAP_ECHO_REQ:
4269 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
4270 break;
4271
4272 case L2CAP_ECHO_RSP:
4273 break;
4274
4275 case L2CAP_INFO_REQ:
4276 err = l2cap_information_req(conn, cmd, data);
4277 break;
4278
4279 case L2CAP_INFO_RSP:
4280 err = l2cap_information_rsp(conn, cmd, data);
4281 break;
4282
f94ff6ff
MM		 4283 case L2CAP_CREATE_CHAN_REQ:
4284 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
4285 break;
4286
4287 case L2CAP_CREATE_CHAN_RSP:
4288 err = l2cap_create_channel_rsp(conn, cmd, data);
4289 break;
4290
8d5a04a1
MM		 4291 case L2CAP_MOVE_CHAN_REQ:
4292 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
4293 break;
4294
4295 case L2CAP_MOVE_CHAN_RSP:
4296 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
4297 break;
4298
4299 case L2CAP_MOVE_CHAN_CFM:
4300 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
4301 break;
4302
4303 case L2CAP_MOVE_CHAN_CFM_RSP:
4304 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
4305 break;
4306
3300d9a9
CT		 4307 default:
4308 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
4309 err = -EINVAL;
4310 break;
4311 }
4312
4313 return err;
4314}
4315
4316static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
4317 struct l2cap_cmd_hdr *cmd, u8 *data)
4318{
4319 switch (cmd->code) {
4320 case L2CAP_COMMAND_REJ:
4321 return 0;
4322
4323 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 4324 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 4325
4326 case L2CAP_CONN_PARAM_UPDATE_RSP:
4327 return 0;
4328
4329 default:
4330 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
4331 return -EINVAL;
4332 }
4333}
4334
4335static inline void l2cap_sig_channel(struct l2cap_conn *conn,
4336 struct sk_buff *skb)
1da177e4
LT		 4337{
4338 u8 *data = skb->data;
4339 int len = skb->len;
4340 struct l2cap_cmd_hdr cmd;
3300d9a9 4341 int err;
1da177e4
LT		 4342
4343 l2cap_raw_recv(conn, skb);
4344
4345 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 4346 u16 cmd_len;
1da177e4
LT		 4347 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
4348 data += L2CAP_CMD_HDR_SIZE;
4349 len -= L2CAP_CMD_HDR_SIZE;
4350
88219a0f 4351 cmd_len = le16_to_cpu(cmd.len);
1da177e4 4352
88219a0f 4353 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 4354
88219a0f 4355 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 4356 BT_DBG("corrupted command");
4357 break;
4358 }
4359
3300d9a9
CT		 4360 if (conn->hcon->type == LE_LINK)
4361 err = l2cap_le_sig_cmd(conn, &cmd, data);
4362 else
4363 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 4364
4365 if (err) {
e2fd318e 4366 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 4367
4368 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 4369
4370 /* FIXME: Map err to a valid reason */
e2fd318e 4371 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 4372 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4373 }
4374
88219a0f
AV		 4375 data += cmd_len;
4376 len -= cmd_len;
1da177e4
LT		 4377 }
4378
4379 kfree_skb(skb);
4380}
4381
47d1ec61 4382static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 4383{
4384 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 4385 int hdr_size;
4386
4387 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
4388 hdr_size = L2CAP_EXT_HDR_SIZE;
4389 else
4390 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 4391
47d1ec61 4392 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 4393 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 4394 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
4395 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
4396
4397 if (our_fcs != rcv_fcs)
7a560e5c 4398 return -EBADMSG;
fcc203c3
GP		 4399 }
4400 return 0;
4401}
4402
6ea00485 4403static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 4404{
e31f7633 4405 struct l2cap_ctrl control;
d5392c8f 4406
e31f7633 4407 BT_DBG("chan %p", chan);
d5392c8f 4408
e31f7633
MM		 4409 memset(&control, 0, sizeof(control));
4410 control.sframe = 1;
4411 control.final = 1;
4412 control.reqseq = chan->buffer_seq;
4413 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 4414
e2ab4353 4415 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 4416 control.super = L2CAP_SUPER_RNR;
4417 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4418 }
4419
e31f7633
MM		 4420 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
4421 chan->unacked_frames > 0)
4422 __set_retrans_timer(chan);
d5392c8f 4423
e31f7633 4424 /* Send pending iframes */
525cd185 4425 l2cap_ertm_send(chan);
d5392c8f 4426
e2ab4353 4427 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 4428 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
4429 /* F-bit wasn't sent in an s-frame or i-frame yet, so
4430 * send it now.
4431 */
4432 control.super = L2CAP_SUPER_RR;
4433 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4434 }
4435}
4436
84084a31
MM		 4437static void append_skb_frag(struct sk_buff *skb,
4438 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 4439{
84084a31
MM		 4440 /* skb->len reflects data in skb as well as all fragments
4441 * skb->data_len reflects only data in fragments
4442 */
4443 if (!skb_has_frag_list(skb))
4444 skb_shinfo(skb)->frag_list = new_frag;
4445
4446 new_frag->next = NULL;
4447
4448 (*last_frag)->next = new_frag;
4449 *last_frag = new_frag;
4450
4451 skb->len += new_frag->len;
4452 skb->data_len += new_frag->len;
4453 skb->truesize += new_frag->truesize;
4454}
4455
4b51dae9
MM		 4456static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
4457 struct l2cap_ctrl *control)
84084a31
MM		 4458{
4459 int err = -EINVAL;
18778a63 4460
4b51dae9 4461 switch (control->sar) {
7e0ef6ee 4462 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 4463 if (chan->sdu)
4464 break;
18778a63 4465
84084a31
MM		 4466 err = chan->ops->recv(chan->data, skb);
4467 break;
18778a63 4468
7e0ef6ee 4469 case L2CAP_SAR_START:
84084a31
MM		 4470 if (chan->sdu)
4471 break;
18778a63 4472
6f61fd47 4473 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 4474 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 4475
84084a31
MM		 4476 if (chan->sdu_len > chan->imtu) {
4477 err = -EMSGSIZE;
4478 break;
4479 }
1890d36b 4480
84084a31
MM		 4481 if (skb->len >= chan->sdu_len)
4482 break;
18778a63 4483
84084a31
MM		 4484 chan->sdu = skb;
4485 chan->sdu_last_frag = skb;
18778a63 4486
84084a31
MM		 4487 skb = NULL;
4488 err = 0;
18778a63
GP		 4489 break;
4490
7e0ef6ee 4491 case L2CAP_SAR_CONTINUE:
6f61fd47 4492 if (!chan->sdu)
84084a31 4493 break;
18778a63 4494
84084a31
MM		 4495 append_skb_frag(chan->sdu, skb,
4496 &chan->sdu_last_frag);
4497 skb = NULL;
18778a63 4498
84084a31
MM		 4499 if (chan->sdu->len >= chan->sdu_len)
4500 break;
4178ba46 4501
84084a31 4502 err = 0;
18778a63
GP		 4503 break;
4504
7e0ef6ee 4505 case L2CAP_SAR_END:
6f61fd47 4506 if (!chan->sdu)
84084a31 4507 break;
18778a63 4508
84084a31
MM		 4509 append_skb_frag(chan->sdu, skb,
4510 &chan->sdu_last_frag);
4511 skb = NULL;
4178ba46 4512
84084a31
MM		 4513 if (chan->sdu->len != chan->sdu_len)
4514 break;
18778a63 4515
84084a31 4516 err = chan->ops->recv(chan->data, chan->sdu);
1890d36b 4517
84084a31
MM		 4518 if (!err) {
4519 /* Reassembly complete */
4520 chan->sdu = NULL;
4521 chan->sdu_last_frag = NULL;
4522 chan->sdu_len = 0;
1890d36b 4523 }
18778a63
GP		 4524 break;
4525 }
4526
84084a31
MM		 4527 if (err) {
4528 kfree_skb(skb);
4529 kfree_skb(chan->sdu);
4530 chan->sdu = NULL;
4531 chan->sdu_last_frag = NULL;
4532 chan->sdu_len = 0;
4533 }
18778a63 4534
84084a31 4535 return err;
18778a63
GP		 4536}
4537
61aa4f5b 4538void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 4539{
61aa4f5b 4540 u8 event;
712132eb 4541
61aa4f5b
MM		 4542 if (chan->mode != L2CAP_MODE_ERTM)
4543 return;
712132eb 4544
61aa4f5b
MM		 4545 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
4546 l2cap_tx(chan, 0, 0, event);
1890d36b
GP		 4547}
4548
d2a7ac5d
MM		 4549static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
4550{
63838725
MM		 4551 int err = 0;
4552 /* Pass sequential frames to l2cap_reassemble_sdu()
4553 * until a gap is encountered.
4554 */
4555
4556 BT_DBG("chan %p", chan);
4557
4558 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4559 struct sk_buff *skb;
4560 BT_DBG("Searching for skb with txseq %d (queue len %d)",
4561 chan->buffer_seq, skb_queue_len(&chan->srej_q));
4562
4563 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
4564
4565 if (!skb)
4566 break;
4567
4568 skb_unlink(skb, &chan->srej_q);
4569 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
4570 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
4571 if (err)
4572 break;
4573 }
4574
4575 if (skb_queue_empty(&chan->srej_q)) {
4576 chan->rx_state = L2CAP_RX_STATE_RECV;
4577 l2cap_send_ack(chan);
4578 }
4579
4580 return err;
d2a7ac5d
MM		 4581}
4582
4583static void l2cap_handle_srej(struct l2cap_chan *chan,
4584 struct l2cap_ctrl *control)
4585{
f80842a8
MM		 4586 struct sk_buff *skb;
4587
4588 BT_DBG("chan %p, control %p", chan, control);
4589
4590 if (control->reqseq == chan->next_tx_seq) {
4591 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4592 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4593 return;
4594 }
4595
4596 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4597
4598 if (skb == NULL) {
4599 BT_DBG("Seq %d not available for retransmission",
4600 control->reqseq);
4601 return;
4602 }
4603
4604 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
4605 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4606 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4607 return;
4608 }
4609
4610 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4611
4612 if (control->poll) {
4613 l2cap_pass_to_tx(chan, control);
4614
4615 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4616 l2cap_retransmit(chan, control);
4617 l2cap_ertm_send(chan);
4618
4619 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4620 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4621 chan->srej_save_reqseq = control->reqseq;
4622 }
4623 } else {
4624 l2cap_pass_to_tx_fbit(chan, control);
4625
4626 if (control->final) {
4627 if (chan->srej_save_reqseq != control->reqseq ||
4628 !test_and_clear_bit(CONN_SREJ_ACT,
4629 &chan->conn_state))
4630 l2cap_retransmit(chan, control);
4631 } else {
4632 l2cap_retransmit(chan, control);
4633 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4634 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4635 chan->srej_save_reqseq = control->reqseq;
4636 }
4637 }
4638 }
d2a7ac5d
MM		 4639}
4640
4641static void l2cap_handle_rej(struct l2cap_chan *chan,
4642 struct l2cap_ctrl *control)
4643{
fcd289df
MM		 4644 struct sk_buff *skb;
4645
4646 BT_DBG("chan %p, control %p", chan, control);
4647
4648 if (control->reqseq == chan->next_tx_seq) {
4649 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4650 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4651 return;
4652 }
4653
4654 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4655
4656 if (chan->max_tx && skb &&
4657 bt_cb(skb)->control.retries >= chan->max_tx) {
4658 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4659 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4660 return;
4661 }
4662
4663 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4664
4665 l2cap_pass_to_tx(chan, control);
4666
4667 if (control->final) {
4668 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
4669 l2cap_retransmit_all(chan, control);
4670 } else {
4671 l2cap_retransmit_all(chan, control);
4672 l2cap_ertm_send(chan);
4673 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
4674 set_bit(CONN_REJ_ACT, &chan->conn_state);
4675 }
d2a7ac5d
MM		 4676}
4677
4b51dae9
MM		 4678static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
4679{
4680 BT_DBG("chan %p, txseq %d", chan, txseq);
4681
4682 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
4683 chan->expected_tx_seq);
4684
4685 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
4686 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4687 chan->tx_win) {
4688 /* See notes below regarding "double poll" and
4689 * invalid packets.
4690 */
4691 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4692 BT_DBG("Invalid/Ignore - after SREJ");
4693 return L2CAP_TXSEQ_INVALID_IGNORE;
4694 } else {
4695 BT_DBG("Invalid - in window after SREJ sent");
4696 return L2CAP_TXSEQ_INVALID;
4697 }
4698 }
4699
4700 if (chan->srej_list.head == txseq) {
4701 BT_DBG("Expected SREJ");
4702 return L2CAP_TXSEQ_EXPECTED_SREJ;
4703 }
4704
4705 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
4706 BT_DBG("Duplicate SREJ - txseq already stored");
4707 return L2CAP_TXSEQ_DUPLICATE_SREJ;
4708 }
4709
4710 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
4711 BT_DBG("Unexpected SREJ - not requested");
4712 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
4713 }
4714 }
4715
4716 if (chan->expected_tx_seq == txseq) {
4717 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4718 chan->tx_win) {
4719 BT_DBG("Invalid - txseq outside tx window");
4720 return L2CAP_TXSEQ_INVALID;
4721 } else {
4722 BT_DBG("Expected");
4723 return L2CAP_TXSEQ_EXPECTED;
4724 }
4725 }
4726
4727 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
4728 __seq_offset(chan, chan->expected_tx_seq,
4729 chan->last_acked_seq)){
4730 BT_DBG("Duplicate - expected_tx_seq later than txseq");
4731 return L2CAP_TXSEQ_DUPLICATE;
4732 }
4733
4734 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
4735 /* A source of invalid packets is a "double poll" condition,
4736 * where delays cause us to send multiple poll packets. If
4737 * the remote stack receives and processes both polls,
4738 * sequence numbers can wrap around in such a way that a
4739 * resent frame has a sequence number that looks like new data
4740 * with a sequence gap. This would trigger an erroneous SREJ
4741 * request.
4742 *
4743 * Fortunately, this is impossible with a tx window that's
4744 * less than half of the maximum sequence number, which allows
4745 * invalid frames to be safely ignored.
4746 *
4747 * With tx window sizes greater than half of the tx window
4748 * maximum, the frame is invalid and cannot be ignored. This
4749 * causes a disconnect.
4750 */
4751
4752 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4753 BT_DBG("Invalid/Ignore - txseq outside tx window");
4754 return L2CAP_TXSEQ_INVALID_IGNORE;
4755 } else {
4756 BT_DBG("Invalid - txseq outside tx window");
4757 return L2CAP_TXSEQ_INVALID;
4758 }
4759 } else {
4760 BT_DBG("Unexpected - txseq indicates missing frames");
4761 return L2CAP_TXSEQ_UNEXPECTED;
4762 }
4763}
4764
d2a7ac5d
MM		 4765static int l2cap_rx_state_recv(struct l2cap_chan *chan,
4766 struct l2cap_ctrl *control,
4767 struct sk_buff *skb, u8 event)
4768{
4769 int err = 0;
4770 bool skb_in_use = 0;
4771
4772 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4773 event);
4774
4775 switch (event) {
4776 case L2CAP_EV_RECV_IFRAME:
4777 switch (l2cap_classify_txseq(chan, control->txseq)) {
4778 case L2CAP_TXSEQ_EXPECTED:
4779 l2cap_pass_to_tx(chan, control);
4780
4781 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4782 BT_DBG("Busy, discarding expected seq %d",
4783 control->txseq);
4784 break;
4785 }
4786
4787 chan->expected_tx_seq = __next_seq(chan,
4788 control->txseq);
4789
4790 chan->buffer_seq = chan->expected_tx_seq;
4791 skb_in_use = 1;
4792
4793 err = l2cap_reassemble_sdu(chan, skb, control);
4794 if (err)
4795 break;
4796
4797 if (control->final) {
4798 if (!test_and_clear_bit(CONN_REJ_ACT,
4799 &chan->conn_state)) {
4800 control->final = 0;
4801 l2cap_retransmit_all(chan, control);
4802 l2cap_ertm_send(chan);
4803 }
4804 }
4805
4806 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
4807 l2cap_send_ack(chan);
4808 break;
4809 case L2CAP_TXSEQ_UNEXPECTED:
4810 l2cap_pass_to_tx(chan, control);
4811
4812 /* Can't issue SREJ frames in the local busy state.
4813 * Drop this frame, it will be seen as missing
4814 * when local busy is exited.
4815 */
4816 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4817 BT_DBG("Busy, discarding unexpected seq %d",
4818 control->txseq);
4819 break;
4820 }
4821
4822 /* There was a gap in the sequence, so an SREJ
4823 * must be sent for each missing frame. The
4824 * current frame is stored for later use.
4825 */
4826 skb_queue_tail(&chan->srej_q, skb);
4827 skb_in_use = 1;
4828 BT_DBG("Queued %p (queue len %d)", skb,
4829 skb_queue_len(&chan->srej_q));
4830
4831 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
4832 l2cap_seq_list_clear(&chan->srej_list);
4833 l2cap_send_srej(chan, control->txseq);
4834
4835 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
4836 break;
4837 case L2CAP_TXSEQ_DUPLICATE:
4838 l2cap_pass_to_tx(chan, control);
4839 break;
4840 case L2CAP_TXSEQ_INVALID_IGNORE:
4841 break;
4842 case L2CAP_TXSEQ_INVALID:
4843 default:
4844 l2cap_send_disconn_req(chan->conn, chan,
4845 ECONNRESET);
4846 break;
4847 }
4848 break;
4849 case L2CAP_EV_RECV_RR:
4850 l2cap_pass_to_tx(chan, control);
4851 if (control->final) {
4852 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4853
4854 if (!test_and_clear_bit(CONN_REJ_ACT,
4855 &chan->conn_state)) {
4856 control->final = 0;
4857 l2cap_retransmit_all(chan, control);
4858 }
4859
4860 l2cap_ertm_send(chan);
4861 } else if (control->poll) {
4862 l2cap_send_i_or_rr_or_rnr(chan);
4863 } else {
4864 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4865 &chan->conn_state) &&
4866 chan->unacked_frames)
4867 __set_retrans_timer(chan);
4868
4869 l2cap_ertm_send(chan);
4870 }
4871 break;
4872 case L2CAP_EV_RECV_RNR:
4873 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4874 l2cap_pass_to_tx(chan, control);
4875 if (control && control->poll) {
4876 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4877 l2cap_send_rr_or_rnr(chan, 0);
4878 }
4879 __clear_retrans_timer(chan);
4880 l2cap_seq_list_clear(&chan->retrans_list);
4881 break;
4882 case L2CAP_EV_RECV_REJ:
4883 l2cap_handle_rej(chan, control);
4884 break;
4885 case L2CAP_EV_RECV_SREJ:
4886 l2cap_handle_srej(chan, control);
4887 break;
4888 default:
4889 break;
4890 }
4891
4892 if (skb && !skb_in_use) {
4893 BT_DBG("Freeing %p", skb);
4894 kfree_skb(skb);
4895 }
4896
4897 return err;
4898}
4899
4900static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
4901 struct l2cap_ctrl *control,
4902 struct sk_buff *skb, u8 event)
4903{
4904 int err = 0;
4905 u16 txseq = control->txseq;
4906 bool skb_in_use = 0;
4907
4908 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4909 event);
4910
4911 switch (event) {
4912 case L2CAP_EV_RECV_IFRAME:
4913 switch (l2cap_classify_txseq(chan, txseq)) {
4914 case L2CAP_TXSEQ_EXPECTED:
4915 /* Keep frame for reassembly later */
4916 l2cap_pass_to_tx(chan, control);
4917 skb_queue_tail(&chan->srej_q, skb);
4918 skb_in_use = 1;
4919 BT_DBG("Queued %p (queue len %d)", skb,
4920 skb_queue_len(&chan->srej_q));
4921
4922 chan->expected_tx_seq = __next_seq(chan, txseq);
4923 break;
4924 case L2CAP_TXSEQ_EXPECTED_SREJ:
4925 l2cap_seq_list_pop(&chan->srej_list);
4926
4927 l2cap_pass_to_tx(chan, control);
4928 skb_queue_tail(&chan->srej_q, skb);
4929 skb_in_use = 1;
4930 BT_DBG("Queued %p (queue len %d)", skb,
4931 skb_queue_len(&chan->srej_q));
4932
4933 err = l2cap_rx_queued_iframes(chan);
4934 if (err)
4935 break;
4936
4937 break;
4938 case L2CAP_TXSEQ_UNEXPECTED:
4939 /* Got a frame that can't be reassembled yet.
4940 * Save it for later, and send SREJs to cover
4941 * the missing frames.
4942 */
4943 skb_queue_tail(&chan->srej_q, skb);
4944 skb_in_use = 1;
4945 BT_DBG("Queued %p (queue len %d)", skb,
4946 skb_queue_len(&chan->srej_q));
4947
4948 l2cap_pass_to_tx(chan, control);
4949 l2cap_send_srej(chan, control->txseq);
4950 break;
4951 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
4952 /* This frame was requested with an SREJ, but
4953 * some expected retransmitted frames are
4954 * missing. Request retransmission of missing
4955 * SREJ'd frames.
4956 */
4957 skb_queue_tail(&chan->srej_q, skb);
4958 skb_in_use = 1;
4959 BT_DBG("Queued %p (queue len %d)", skb,
4960 skb_queue_len(&chan->srej_q));
4961
4962 l2cap_pass_to_tx(chan, control);
4963 l2cap_send_srej_list(chan, control->txseq);
4964 break;
4965 case L2CAP_TXSEQ_DUPLICATE_SREJ:
4966 /* We've already queued this frame. Drop this copy. */
4967 l2cap_pass_to_tx(chan, control);
4968 break;
4969 case L2CAP_TXSEQ_DUPLICATE:
4970 /* Expecting a later sequence number, so this frame
4971 * was already received. Ignore it completely.
4972 */
4973 break;
4974 case L2CAP_TXSEQ_INVALID_IGNORE:
4975 break;
4976 case L2CAP_TXSEQ_INVALID:
4977 default:
4978 l2cap_send_disconn_req(chan->conn, chan,
4979 ECONNRESET);
4980 break;
4981 }
4982 break;
4983 case L2CAP_EV_RECV_RR:
4984 l2cap_pass_to_tx(chan, control);
4985 if (control->final) {
4986 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4987
4988 if (!test_and_clear_bit(CONN_REJ_ACT,
4989 &chan->conn_state)) {
4990 control->final = 0;
4991 l2cap_retransmit_all(chan, control);
4992 }
4993
4994 l2cap_ertm_send(chan);
4995 } else if (control->poll) {
4996 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4997 &chan->conn_state) &&
4998 chan->unacked_frames) {
4999 __set_retrans_timer(chan);
5000 }
5001
5002 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5003 l2cap_send_srej_tail(chan);
5004 } else {
5005 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5006 &chan->conn_state) &&
5007 chan->unacked_frames)
5008 __set_retrans_timer(chan);
5009
5010 l2cap_send_ack(chan);
5011 }
5012 break;
5013 case L2CAP_EV_RECV_RNR:
5014 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5015 l2cap_pass_to_tx(chan, control);
5016 if (control->poll) {
5017 l2cap_send_srej_tail(chan);
5018 } else {
5019 struct l2cap_ctrl rr_control;
5020 memset(&rr_control, 0, sizeof(rr_control));
5021 rr_control.sframe = 1;
5022 rr_control.super = L2CAP_SUPER_RR;
5023 rr_control.reqseq = chan->buffer_seq;
5024 l2cap_send_sframe(chan, &rr_control);
5025 }
5026
5027 break;
5028 case L2CAP_EV_RECV_REJ:
5029 l2cap_handle_rej(chan, control);
5030 break;
5031 case L2CAP_EV_RECV_SREJ:
5032 l2cap_handle_srej(chan, control);
5033 break;
5034 }
5035
5036 if (skb && !skb_in_use) {
5037 BT_DBG("Freeing %p", skb);
5038 kfree_skb(skb);
5039 }
5040
5041 return err;
5042}
5043
5044static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
5045{
5046 /* Make sure reqseq is for a packet that has been sent but not acked */
5047 u16 unacked;
5048
5049 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
5050 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
5051}
5052
cec8ab6e
MM		 5053static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5054 struct sk_buff *skb, u8 event)
218bb9df 5055{
d2a7ac5d
MM		 5056 int err = 0;
5057
5058 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
5059 control, skb, event, chan->rx_state);
5060
5061 if (__valid_reqseq(chan, control->reqseq)) {
5062 switch (chan->rx_state) {
5063 case L2CAP_RX_STATE_RECV:
5064 err = l2cap_rx_state_recv(chan, control, skb, event);
5065 break;
5066 case L2CAP_RX_STATE_SREJ_SENT:
5067 err = l2cap_rx_state_srej_sent(chan, control, skb,
5068 event);
5069 break;
5070 default:
5071 /* shut it down */
5072 break;
5073 }
5074 } else {
5075 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
5076 control->reqseq, chan->next_tx_seq,
5077 chan->expected_ack_seq);
5078 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
5079 }
5080
5081 return err;
cec8ab6e
MM		 5082}
5083
5084static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5085 struct sk_buff *skb)
5086{
4b51dae9
MM		 5087 int err = 0;
5088
5089 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
5090 chan->rx_state);
5091
5092 if (l2cap_classify_txseq(chan, control->txseq) ==
5093 L2CAP_TXSEQ_EXPECTED) {
5094 l2cap_pass_to_tx(chan, control);
5095
5096 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
5097 __next_seq(chan, chan->buffer_seq));
5098
5099 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5100
5101 l2cap_reassemble_sdu(chan, skb, control);
5102 } else {
5103 if (chan->sdu) {
5104 kfree_skb(chan->sdu);
5105 chan->sdu = NULL;
5106 }
5107 chan->sdu_last_frag = NULL;
5108 chan->sdu_len = 0;
5109
5110 if (skb) {
5111 BT_DBG("Freeing %p", skb);
5112 kfree_skb(skb);
5113 }
5114 }
5115
5116 chan->last_acked_seq = control->txseq;
5117 chan->expected_tx_seq = __next_seq(chan, control->txseq);
5118
5119 return err;
cec8ab6e
MM		 5120}
5121
5122static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
5123{
5124 struct l2cap_ctrl *control = &bt_cb(skb)->control;
5125 u16 len;
5126 u8 event;
218bb9df 5127
b76bbd66
MM		 5128 __unpack_control(chan, skb);
5129
218bb9df
GP		 5130 len = skb->len;
5131
5132 /*
5133 * We can just drop the corrupted I-frame here.
5134 * Receiver will miss it and start proper recovery
cec8ab6e 5135 * procedures and ask for retransmission.
218bb9df 5136 */
47d1ec61 5137 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 5138 goto drop;
5139
cec8ab6e 5140 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 5141 len -= L2CAP_SDULEN_SIZE;
218bb9df 5142
47d1ec61 5143 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 5144 len -= L2CAP_FCS_SIZE;
218bb9df 5145
47d1ec61 5146 if (len > chan->mps) {
8c1d787b 5147 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5148 goto drop;
5149 }
5150
cec8ab6e
MM		 5151 if (!control->sframe) {
5152 int err;
218bb9df 5153
cec8ab6e
MM		 5154 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
5155 control->sar, control->reqseq, control->final,
5156 control->txseq);
218bb9df 5157
cec8ab6e
MM		 5158 /* Validate F-bit - F=0 always valid, F=1 only
5159 * valid in TX WAIT_F
5160 */
5161 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 5162 goto drop;
cec8ab6e
MM		 5163
5164 if (chan->mode != L2CAP_MODE_STREAMING) {
5165 event = L2CAP_EV_RECV_IFRAME;
5166 err = l2cap_rx(chan, control, skb, event);
5167 } else {
5168 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 5169 }
5170
cec8ab6e
MM		 5171 if (err)
5172 l2cap_send_disconn_req(chan->conn, chan,
5173 ECONNRESET);
218bb9df 5174 } else {
cec8ab6e
MM		 5175 const u8 rx_func_to_event[4] = {
5176 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
5177 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
5178 };
5179
5180 /* Only I-frames are expected in streaming mode */
5181 if (chan->mode == L2CAP_MODE_STREAMING)
5182 goto drop;
5183
5184 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
5185 control->reqseq, control->final, control->poll,
5186 control->super);
5187
218bb9df
GP		 5188 if (len != 0) {
5189 BT_ERR("%d", len);
8c1d787b 5190 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5191 goto drop;
5192 }
5193
cec8ab6e
MM		 5194 /* Validate F and P bits */
5195 if (control->final && (control->poll ||
5196 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
5197 goto drop;
5198
5199 event = rx_func_to_event[control->super];
5200 if (l2cap_rx(chan, control, skb, event))
5201 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5202 }
5203
5204 return 0;
5205
5206drop:
5207 kfree_skb(skb);
5208 return 0;
5209}
5210
1da177e4
LT		 5211static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
5212{
48454079 5213 struct l2cap_chan *chan;
1da177e4 5214
baa7e1fa 5215 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 5216 if (!chan) {
1da177e4 5217 BT_DBG("unknown cid 0x%4.4x", cid);
6be36555 5218 /* Drop packet and return */
3379013b 5219 kfree_skb(skb);
6be36555 5220 return 0;
1da177e4
LT		 5221 }
5222
49208c9c 5223 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5224
89bc500e 5225 if (chan->state != BT_CONNECTED)
1da177e4
LT		 5226 goto drop;
5227
0c1bc5c6 5228 switch (chan->mode) {
1c2acffb
GP		 5229 case L2CAP_MODE_BASIC:
5230 /* If socket recv buffers overflows we drop data here
5231 * which is *bad* because L2CAP has to be reliable.
5232 * But we don't have any other choice. L2CAP doesn't
5233 * provide flow control mechanism. */
1da177e4 5234
0c1bc5c6 5235 if (chan->imtu < skb->len)
1c2acffb 5236 goto drop;
1da177e4 5237
23070494 5238 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP		 5239 goto done;
5240 break;
5241
5242 case L2CAP_MODE_ERTM:
6840ed07 5243 case L2CAP_MODE_STREAMING:
cec8ab6e 5244 l2cap_data_rcv(chan, skb);
6840ed07
GP		 5245 goto done;
5246
1c2acffb 5247 default:
0c1bc5c6 5248 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 5249 break;
5250 }
1da177e4
LT		 5251
5252drop:
5253 kfree_skb(skb);
5254
5255done:
6be36555 5256 l2cap_chan_unlock(chan);
0139418c 5257
1da177e4
LT		 5258 return 0;
5259}
5260
8e036fc3 5261static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 5262{
23691d75 5263 struct l2cap_chan *chan;
1da177e4 5264
c2287681 5265 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 5266 if (!chan)
1da177e4
LT		 5267 goto drop;
5268
5b4cedaa 5269 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5270
89bc500e 5271 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 5272 goto drop;
5273
e13e21dc 5274 if (chan->imtu < skb->len)
1da177e4
LT		 5275 goto drop;
5276
23070494 5277 if (!chan->ops->recv(chan->data, skb))
5b4cedaa 5278 return 0;
1da177e4
LT		 5279
5280drop:
5281 kfree_skb(skb);
5282
1da177e4
LT		 5283 return 0;
5284}
5285
d9b88702
AE		 5286static inline int l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
5287 struct sk_buff *skb)
9f69bda6 5288{
23691d75 5289 struct l2cap_chan *chan;
9f69bda6 5290
c2287681 5291 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 5292 if (!chan)
9f69bda6
GP		 5293 goto drop;
5294
5b4cedaa 5295 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 5296
89bc500e 5297 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 5298 goto drop;
5299
e13e21dc 5300 if (chan->imtu < skb->len)
9f69bda6
GP		 5301 goto drop;
5302
23070494 5303 if (!chan->ops->recv(chan->data, skb))
5b4cedaa 5304 return 0;
9f69bda6
GP		 5305
5306drop:
5307 kfree_skb(skb);
5308
9f69bda6
GP		 5309 return 0;
5310}
5311
1da177e4
LT		 5312static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
5313{
5314 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 5315 u16 cid, len;
5316 __le16 psm;
1da177e4
LT		 5317
5318 skb_pull(skb, L2CAP_HDR_SIZE);
5319 cid = __le16_to_cpu(lh->cid);
5320 len = __le16_to_cpu(lh->len);
5321
1c2acffb
GP		 5322 if (len != skb->len) {
5323 kfree_skb(skb);
5324 return;
5325 }
5326
1da177e4
LT		 5327 BT_DBG("len %d, cid 0x%4.4x", len, cid);
5328
5329 switch (cid) {
3300d9a9 5330 case L2CAP_CID_LE_SIGNALING:
8db4dc46 5331 case L2CAP_CID_SIGNALING:
1da177e4
LT		 5332 l2cap_sig_channel(conn, skb);
5333 break;
5334
8db4dc46 5335 case L2CAP_CID_CONN_LESS:
097db76c 5336 psm = get_unaligned((__le16 *) skb->data);
1da177e4
LT		 5337 skb_pull(skb, 2);
5338 l2cap_conless_channel(conn, psm, skb);
5339 break;
5340
9f69bda6
GP		 5341 case L2CAP_CID_LE_DATA:
5342 l2cap_att_channel(conn, cid, skb);
5343 break;
5344
b501d6a1
AB		 5345 case L2CAP_CID_SMP:
5346 if (smp_sig_channel(conn, skb))
5347 l2cap_conn_del(conn->hcon, EACCES);
5348 break;
5349
1da177e4
LT		 5350 default:
5351 l2cap_data_channel(conn, cid, skb);
5352 break;
5353 }
5354}
5355
5356/* ---- L2CAP interface with lower layer (HCI) ---- */
5357
686ebf28 5358int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 5359{
5360 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 5361 struct l2cap_chan *c;
1da177e4 5362
1da177e4
LT		 5363 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
5364
5365 /* Find listening sockets and check their link_mode */
23691d75
GP		 5366 read_lock(&chan_list_lock);
5367 list_for_each_entry(c, &chan_list, global_l) {
5368 struct sock *sk = c->sk;
4343478f 5369
89bc500e 5370 if (c->state != BT_LISTEN)
1da177e4
LT		 5371 continue;
5372
5373 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 5374 lm1 |= HCI_LM_ACCEPT;
43bd0f32 5375 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 5376 lm1 |= HCI_LM_MASTER;
1da177e4 5377 exact++;
2af6b9d5
MH		 5378 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
5379 lm2 |= HCI_LM_ACCEPT;
43bd0f32 5380 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 5381 lm2 |= HCI_LM_MASTER;
5382 }
1da177e4 5383 }
23691d75 5384 read_unlock(&chan_list_lock);
1da177e4
LT		 5385
5386 return exact ? lm1 : lm2;
5387}
5388
686ebf28 5389int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 5390{
0139418c
MH		 5391 struct l2cap_conn *conn;
5392
1da177e4
LT		 5393 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
5394
1da177e4 5395 if (!status) {
1da177e4
LT		 5396 conn = l2cap_conn_add(hcon, status);
5397 if (conn)
5398 l2cap_conn_ready(conn);
0139418c 5399 } else
e175072f 5400 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 5401
5402 return 0;
5403}
5404
686ebf28 5405int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 5406{
5407 struct l2cap_conn *conn = hcon->l2cap_data;
5408
5409 BT_DBG("hcon %p", hcon);
5410
686ebf28 5411 if (!conn)
9f5a0d7b 5412 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 5413 return conn->disc_reason;
5414}
5415
686ebf28 5416int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 5417{
5418 BT_DBG("hcon %p reason %d", hcon, reason);
5419
e175072f 5420 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 5421 return 0;
5422}
5423
4343478f 5424static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 5425{
715ec005 5426 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 5427 return;
5428
f62e4323 5429 if (encrypt == 0x00) {
4343478f 5430 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 5431 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 5432 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 5433 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 5434 } else {
4343478f 5435 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 5436 __clear_chan_timer(chan);
f62e4323
MH		 5437 }
5438}
5439
686ebf28 5440int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 5441{
0139418c 5442 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 5443 struct l2cap_chan *chan;
1da177e4 5444
0139418c 5445 if (!conn)
1da177e4 5446 return 0;
0139418c 5447
1da177e4
LT		 5448 BT_DBG("conn %p", conn);
5449
160dc6ac 5450 if (hcon->type == LE_LINK) {
35d4adcc
HG		 5451 if (!status && encrypt)
5452 smp_distribute_keys(conn, 0);
17cd3f37 5453 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 5454 }
5455
3df91ea2 5456 mutex_lock(&conn->chan_lock);
1da177e4 5457
3df91ea2 5458 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 5459 l2cap_chan_lock(chan);
1da177e4 5460
f1cb9af5
VCG		 5461 BT_DBG("chan->scid %d", chan->scid);
5462
5463 if (chan->scid == L2CAP_CID_LE_DATA) {
5464 if (!status && encrypt) {
5465 chan->sec_level = hcon->sec_level;
cf4cd009 5466 l2cap_chan_ready(chan);
f1cb9af5
VCG		 5467 }
5468
6be36555 5469 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 5470 continue;
5471 }
5472
c1360a1c 5473 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6be36555 5474 l2cap_chan_unlock(chan);
6a8d3010
MH		 5475 continue;
5476 }
5477
89bc500e
GP		 5478 if (!status && (chan->state == BT_CONNECTED ||
5479 chan->state == BT_CONFIG)) {
a7d7723a
GP		 5480 struct sock *sk = chan->sk;
5481
c5daa683 5482 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 5483 sk->sk_state_change(sk);
5484
4343478f 5485 l2cap_check_encryption(chan, encrypt);
6be36555 5486 l2cap_chan_unlock(chan);
9719f8af
MH		 5487 continue;
5488 }
5489
89bc500e 5490 if (chan->state == BT_CONNECT) {
b1235d79 5491 if (!status) {
9b27f350 5492 l2cap_send_conn_req(chan);
b1235d79 5493 } else {
ba13ccd9 5494 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 5495 }
89bc500e 5496 } else if (chan->state == BT_CONNECT2) {
6be36555 5497 struct sock *sk = chan->sk;
b1235d79 5498 struct l2cap_conn_rsp rsp;
df3c3931 5499 __u16 res, stat;
1da177e4 5500
6be36555
AE		 5501 lock_sock(sk);
5502
b1235d79 5503 if (!status) {
c5daa683
GP		 5504 if (test_bit(BT_SK_DEFER_SETUP,
5505 &bt_sk(sk)->flags)) {
df3c3931
JH		 5506 struct sock *parent = bt_sk(sk)->parent;
5507 res = L2CAP_CR_PEND;
5508 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 5509 if (parent)
5510 parent->sk_data_ready(parent, 0);
df3c3931 5511 } else {
0e587be7 5512 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 5513 res = L2CAP_CR_SUCCESS;
5514 stat = L2CAP_CS_NO_INFO;
5515 }
b1235d79 5516 } else {
0e587be7 5517 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 5518 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 5519 res = L2CAP_CR_SEC_BLOCK;
5520 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 5521 }
5522
6be36555
AE		 5523 release_sock(sk);
5524
fe4128e0
GP		 5525 rsp.scid = cpu_to_le16(chan->dcid);
5526 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 5527 rsp.result = cpu_to_le16(res);
5528 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 5529 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
5530 sizeof(rsp), &rsp);
b1235d79 5531 }
1da177e4 5532
6be36555 5533 l2cap_chan_unlock(chan);
1da177e4
LT		 5534 }
5535
3df91ea2 5536 mutex_unlock(&conn->chan_lock);
b1235d79 5537
1da177e4
LT		 5538 return 0;
5539}
5540
686ebf28 5541int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 5542{
5543 struct l2cap_conn *conn = hcon->l2cap_data;
5544
5a08ecce
AE		 5545 if (!conn)
5546 conn = l2cap_conn_add(hcon, 0);
5547
5548 if (!conn)
1da177e4
LT		 5549 goto drop;
5550
5551 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
5552
e702112f 5553 if (!(flags & ACL_CONT)) {
1da177e4
LT		 5554 struct l2cap_hdr *hdr;
5555 int len;
5556
5557 if (conn->rx_len) {
5558 BT_ERR("Unexpected start frame (len %d)", skb->len);
5559 kfree_skb(conn->rx_skb);
5560 conn->rx_skb = NULL;
5561 conn->rx_len = 0;
5562 l2cap_conn_unreliable(conn, ECOMM);
5563 }
5564
aae7fe22
AE		 5565 /* Start fragment always begin with Basic L2CAP header */
5566 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 5567 BT_ERR("Frame is too short (len %d)", skb->len);
5568 l2cap_conn_unreliable(conn, ECOMM);
5569 goto drop;
5570 }
5571
5572 hdr = (struct l2cap_hdr *) skb->data;
5573 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
5574
5575 if (len == skb->len) {
5576 /* Complete frame received */
5577 l2cap_recv_frame(conn, skb);
5578 return 0;
5579 }
5580
5581 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
5582
5583 if (skb->len > len) {
5584 BT_ERR("Frame is too long (len %d, expected len %d)",
5585 skb->len, len);
5586 l2cap_conn_unreliable(conn, ECOMM);
5587 goto drop;
5588 }
5589
5590 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 5591 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
5592 if (!conn->rx_skb)
1da177e4
LT		 5593 goto drop;
5594
d626f62b 5595 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5596 skb->len);
1da177e4
LT		 5597 conn->rx_len = len - skb->len;
5598 } else {
5599 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
5600
5601 if (!conn->rx_len) {
5602 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
5603 l2cap_conn_unreliable(conn, ECOMM);
5604 goto drop;
5605 }
5606
5607 if (skb->len > conn->rx_len) {
5608 BT_ERR("Fragment is too long (len %d, expected %d)",
5609 skb->len, conn->rx_len);
5610 kfree_skb(conn->rx_skb);
5611 conn->rx_skb = NULL;
5612 conn->rx_len = 0;
5613 l2cap_conn_unreliable(conn, ECOMM);
5614 goto drop;
5615 }
5616
d626f62b 5617 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5618 skb->len);
1da177e4
LT		 5619 conn->rx_len -= skb->len;
5620
5621 if (!conn->rx_len) {
5622 /* Complete frame received */
5623 l2cap_recv_frame(conn, conn->rx_skb);
5624 conn->rx_skb = NULL;
5625 }
5626 }
5627
5628drop:
5629 kfree_skb(skb);
5630 return 0;
5631}
5632
aef7d97c 5633static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 5634{
23691d75 5635 struct l2cap_chan *c;
1da177e4 5636
333055f2 5637 read_lock(&chan_list_lock);
1da177e4 5638
23691d75
GP		 5639 list_for_each_entry(c, &chan_list, global_l) {
5640 struct sock *sk = c->sk;
101545f6 5641
903d343e 5642 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 5643 batostr(&bt_sk(sk)->src),
5644 batostr(&bt_sk(sk)->dst),
89bc500e 5645 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 5646 c->scid, c->dcid, c->imtu, c->omtu,
5647 c->sec_level, c->mode);
61e1b4b7 5648 }
1da177e4 5649
333055f2 5650 read_unlock(&chan_list_lock);
1da177e4 5651
aef7d97c 5652 return 0;
1da177e4
LT		 5653}
5654
aef7d97c
MH		 5655static int l2cap_debugfs_open(struct inode *inode, struct file *file)
5656{
5657 return single_open(file, l2cap_debugfs_show, inode->i_private);
5658}
5659
5660static const struct file_operations l2cap_debugfs_fops = {
5661 .open = l2cap_debugfs_open,
5662 .read = seq_read,
5663 .llseek = seq_lseek,
5664 .release = single_release,
5665};
5666
5667static struct dentry *l2cap_debugfs;
1da177e4 5668
64274518 5669int __init l2cap_init(void)
1da177e4
LT		 5670{
5671 int err;
be9d1227 5672
bb58f747 5673 err = l2cap_init_sockets();
1da177e4
LT		 5674 if (err < 0)
5675 return err;
5676
aef7d97c
MH		 5677 if (bt_debugfs) {
5678 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
5679 bt_debugfs, NULL, &l2cap_debugfs_fops);
5680 if (!l2cap_debugfs)
5681 BT_ERR("Failed to create L2CAP debug file");
5682 }
1da177e4 5683
1da177e4 5684 return 0;
1da177e4
LT		 5685}
5686
64274518 5687void l2cap_exit(void)
1da177e4 5688{
aef7d97c 5689 debugfs_remove(l2cap_debugfs);
bb58f747 5690 l2cap_cleanup_sockets();
1da177e4
LT		 5691}
5692
d1c4a17d
GP		 5693module_param(disable_ertm, bool, 0644);
5694MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)