projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Do not purge queue in Basic Mode
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
33#include <linux/types.h>
4fc268d2 34#include <linux/capability.h>
1da177e4
LT		 35#include <linux/errno.h>
36#include <linux/kernel.h>
1da177e4
LT		 37#include <linux/sched.h>
38#include <linux/slab.h>
39#include <linux/poll.h>
40#include <linux/fcntl.h>
41#include <linux/init.h>
42#include <linux/interrupt.h>
43#include <linux/socket.h>
44#include <linux/skbuff.h>
1da177e4 45#include <linux/list.h>
be9d1227 46#include <linux/device.h>
aef7d97c
MH		 47#include <linux/debugfs.h>
48#include <linux/seq_file.h>
af05b30b 49#include <linux/uaccess.h>
fcc203c3 50#include <linux/crc16.h>
1da177e4
LT		 51#include <net/sock.h>
52
1da177e4
LT		 53#include <asm/unaligned.h>
54
55#include <net/bluetooth/bluetooth.h>
56#include <net/bluetooth/hci_core.h>
57#include <net/bluetooth/l2cap.h>
b501d6a1 58#include <net/bluetooth/smp.h>
1da177e4 59
d1de6d46 60bool disable_ertm;
f0709e03 61
47ec1dcd 62static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 63static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 64
b5ad8b7f
JB		 65static LIST_HEAD(chan_list);
66static DEFINE_RWLOCK(chan_list_lock);
1da177e4 67
1da177e4
LT		 68static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
69 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 70static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
71 void *data);
710f9b0a 72static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a 73static void l2cap_send_disconn_req(struct l2cap_conn *conn,
c5daa683 74 struct l2cap_chan *chan, int err);
1da177e4 75
608bcc6d
MM		 76static int l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
77 struct sk_buff_head *skbs, u8 event);
78
0139418c 79/* ---- L2CAP channels ---- */
71ba0e56 80
baa7e1fa 81static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 82{
3df91ea2 83 struct l2cap_chan *c;
3d57dc68 84
3df91ea2
AE		 85 list_for_each_entry(c, &conn->chan_l, list) {
86 if (c->dcid == cid)
87 return c;
0139418c 88 }
3df91ea2 89 return NULL;
0139418c
MH		 90}
91
baa7e1fa 92static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 93{
3df91ea2 94 struct l2cap_chan *c;
3d57dc68 95
3df91ea2
AE		 96 list_for_each_entry(c, &conn->chan_l, list) {
97 if (c->scid == cid)
98 return c;
0139418c 99 }
3df91ea2 100 return NULL;
0139418c
MH		 101}
102
103/* Find channel with given SCID.
ef191ade 104 * Returns locked channel. */
baa7e1fa 105static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 106{
48454079 107 struct l2cap_chan *c;
baa7e1fa 108
3df91ea2 109 mutex_lock(&conn->chan_lock);
baa7e1fa 110 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 111 if (c)
112 l2cap_chan_lock(c);
3df91ea2
AE		 113 mutex_unlock(&conn->chan_lock);
114
48454079 115 return c;
0139418c
MH		 116}
117
baa7e1fa 118static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 119{
3df91ea2 120 struct l2cap_chan *c;
3d57dc68 121
3df91ea2
AE		 122 list_for_each_entry(c, &conn->chan_l, list) {
123 if (c->ident == ident)
124 return c;
0139418c 125 }
3df91ea2 126 return NULL;
0139418c
MH		 127}
128
23691d75 129static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 130{
23691d75 131 struct l2cap_chan *c;
9e4425ff 132
23691d75
GP		 133 list_for_each_entry(c, &chan_list, global_l) {
134 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 135 return c;
9e4425ff 136 }
250938cb 137 return NULL;
9e4425ff
GP		 138}
139
140int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
141{
73b2ec18
GP		 142 int err;
143
333055f2 144 write_lock(&chan_list_lock);
9e4425ff 145
23691d75 146 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 147 err = -EADDRINUSE;
148 goto done;
9e4425ff
GP		 149 }
150
73b2ec18
GP		 151 if (psm) {
152 chan->psm = psm;
153 chan->sport = psm;
154 err = 0;
155 } else {
156 u16 p;
157
158 err = -EINVAL;
159 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 160 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 161 chan->psm = cpu_to_le16(p);
162 chan->sport = cpu_to_le16(p);
163 err = 0;
164 break;
165 }
166 }
9e4425ff 167
73b2ec18 168done:
333055f2 169 write_unlock(&chan_list_lock);
73b2ec18 170 return err;
9e4425ff
GP		 171}
172
173int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
174{
333055f2 175 write_lock(&chan_list_lock);
9e4425ff
GP		 176
177 chan->scid = scid;
178
333055f2 179 write_unlock(&chan_list_lock);
9e4425ff
GP		 180
181 return 0;
182}
183
baa7e1fa 184static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 185{
8db4dc46 186 u16 cid = L2CAP_CID_DYN_START;
0139418c 187
8db4dc46 188 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 189 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 190 return cid;
191 }
192
193 return 0;
194}
195
0e587be7 196static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 197{
42d2d87c 198 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
badaaa00
GP		 199 state_to_string(state));
200
89bc500e
GP		 201 chan->state = state;
202 chan->ops->state_change(chan->data, state);
203}
204
0e587be7
AE		 205static void l2cap_state_change(struct l2cap_chan *chan, int state)
206{
207 struct sock *sk = chan->sk;
208
209 lock_sock(sk);
210 __l2cap_state_change(chan, state);
211 release_sock(sk);
212}
213
2e0052e4
AE		 214static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
215{
216 struct sock *sk = chan->sk;
217
218 sk->sk_err = err;
219}
220
221static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
222{
223 struct sock *sk = chan->sk;
224
225 lock_sock(sk);
226 __l2cap_chan_set_err(chan, err);
227 release_sock(sk);
228}
229
4239d16f
MM		 230static void __set_retrans_timer(struct l2cap_chan *chan)
231{
232 if (!delayed_work_pending(&chan->monitor_timer) &&
233 chan->retrans_timeout) {
234 l2cap_set_timer(chan, &chan->retrans_timer,
235 msecs_to_jiffies(chan->retrans_timeout));
236 }
237}
238
239static void __set_monitor_timer(struct l2cap_chan *chan)
240{
241 __clear_retrans_timer(chan);
242 if (chan->monitor_timeout) {
243 l2cap_set_timer(chan, &chan->monitor_timer,
244 msecs_to_jiffies(chan->monitor_timeout));
245 }
246}
247
608bcc6d
MM		 248static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
249 u16 seq)
250{
251 struct sk_buff *skb;
252
253 skb_queue_walk(head, skb) {
254 if (bt_cb(skb)->control.txseq == seq)
255 return skb;
256 }
257
258 return NULL;
259}
260
3c588192
MM		 261/* ---- L2CAP sequence number lists ---- */
262
263/* For ERTM, ordered lists of sequence numbers must be tracked for
264 * SREJ requests that are received and for frames that are to be
265 * retransmitted. These seq_list functions implement a singly-linked
266 * list in an array, where membership in the list can also be checked
267 * in constant time. Items can also be added to the tail of the list
268 * and removed from the head in constant time, without further memory
269 * allocs or frees.
270 */
271
272static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
273{
274 size_t alloc_size, i;
275
276 /* Allocated size is a power of 2 to map sequence numbers
277 * (which may be up to 14 bits) in to a smaller array that is
278 * sized for the negotiated ERTM transmit windows.
279 */
280 alloc_size = roundup_pow_of_two(size);
281
282 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
283 if (!seq_list->list)
284 return -ENOMEM;
285
286 seq_list->mask = alloc_size - 1;
287 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
288 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
289 for (i = 0; i < alloc_size; i++)
290 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
291
292 return 0;
293}
294
295static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
296{
297 kfree(seq_list->list);
298}
299
300static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
301 u16 seq)
302{
303 /* Constant-time check for list membership */
304 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
305}
306
307static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
308{
309 u16 mask = seq_list->mask;
310
311 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
312 /* In case someone tries to pop the head of an empty list */
313 return L2CAP_SEQ_LIST_CLEAR;
314 } else if (seq_list->head == seq) {
315 /* Head can be removed in constant time */
316 seq_list->head = seq_list->list[seq & mask];
317 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
318
319 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
320 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
321 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
322 }
323 } else {
324 /* Walk the list to find the sequence number */
325 u16 prev = seq_list->head;
326 while (seq_list->list[prev & mask] != seq) {
327 prev = seq_list->list[prev & mask];
328 if (prev == L2CAP_SEQ_LIST_TAIL)
329 return L2CAP_SEQ_LIST_CLEAR;
330 }
331
332 /* Unlink the number from the list and clear it */
333 seq_list->list[prev & mask] = seq_list->list[seq & mask];
334 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
335 if (seq_list->tail == seq)
336 seq_list->tail = prev;
337 }
338 return seq;
339}
340
341static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
342{
343 /* Remove the head in constant time */
344 return l2cap_seq_list_remove(seq_list, seq_list->head);
345}
346
347static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
348{
f522ae36 349 u16 i;
3c588192 350
f522ae36
GP		 351 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
352 return;
353
354 for (i = 0; i <= seq_list->mask; i++)
355 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
356
357 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
358 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 359}
360
361static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
362{
363 u16 mask = seq_list->mask;
364
365 /* All appends happen in constant time */
366
f522ae36
GP		 367 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
368 return;
3c588192 369
f522ae36
GP		 370 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
371 seq_list->head = seq;
372 else
373 seq_list->list[seq_list->tail & mask] = seq;
374
375 seq_list->tail = seq;
376 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 377}
378
721c4181 379static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 380{
721c4181
GP		 381 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
382 chan_timer.work);
3df91ea2 383 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 384 int reason;
385
e05dcc32 386 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 387
3df91ea2 388 mutex_lock(&conn->chan_lock);
6be36555 389 l2cap_chan_lock(chan);
ab07801d 390
89bc500e 391 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 392 reason = ECONNREFUSED;
89bc500e 393 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 394 chan->sec_level != BT_SECURITY_SDP)
395 reason = ECONNREFUSED;
396 else
397 reason = ETIMEDOUT;
398
0f852724 399 l2cap_chan_close(chan, reason);
ab07801d 400
6be36555 401 l2cap_chan_unlock(chan);
ab07801d 402
ba3bd0ee 403 chan->ops->close(chan->data);
3df91ea2
AE		 404 mutex_unlock(&conn->chan_lock);
405
371fd835 406 l2cap_chan_put(chan);
ab07801d
GP		 407}
408
eef1d9b6 409struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 410{
411 struct l2cap_chan *chan;
412
413 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
414 if (!chan)
415 return NULL;
416
c03b355e
AE		 417 mutex_init(&chan->lock);
418
333055f2 419 write_lock(&chan_list_lock);
23691d75 420 list_add(&chan->global_l, &chan_list);
333055f2 421 write_unlock(&chan_list_lock);
23691d75 422
721c4181 423 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 424
89bc500e
GP		 425 chan->state = BT_OPEN;
426
71ba0e56
GP		 427 atomic_set(&chan->refcnt, 1);
428
2827011f
MM		 429 /* This flag is cleared in l2cap_chan_ready() */
430 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
431
eef1d9b6 432 BT_DBG("chan %p", chan);
abc545b8 433
48454079
GP		 434 return chan;
435}
436
23691d75 437void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 438{
333055f2 439 write_lock(&chan_list_lock);
23691d75 440 list_del(&chan->global_l);
333055f2 441 write_unlock(&chan_list_lock);
23691d75 442
371fd835 443 l2cap_chan_put(chan);
6ff5abbf
GP		 444}
445
bd4b1653
AE		 446void l2cap_chan_set_defaults(struct l2cap_chan *chan)
447{
448 chan->fcs = L2CAP_FCS_CRC16;
449 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
450 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
451 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
452 chan->sec_level = BT_SECURITY_LOW;
453
454 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
455}
456
14a28491 457static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 458{
af05b30b 459 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 460 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 461
9f5a0d7b 462 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 463
8c1d787b 464 chan->conn = conn;
0139418c 465
5491120e
AE		 466 switch (chan->chan_type) {
467 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 468 if (conn->hcon->type == LE_LINK) {
469 /* LE connection */
0c1bc5c6 470 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 471 chan->scid = L2CAP_CID_LE_DATA;
472 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 473 } else {
474 /* Alloc CID for connection-oriented socket */
fe4128e0 475 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 476 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 477 }
5491120e
AE		 478 break;
479
480 case L2CAP_CHAN_CONN_LESS:
0139418c 481 /* Connectionless socket */
fe4128e0
GP		 482 chan->scid = L2CAP_CID_CONN_LESS;
483 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 484 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 485 break;
486
487 default:
0139418c 488 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 489 chan->scid = L2CAP_CID_SIGNALING;
490 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 491 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 492 }
493
8f7975b1
AE		 494 chan->local_id = L2CAP_BESTEFFORT_ID;
495 chan->local_stype = L2CAP_SERV_BESTEFFORT;
496 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
497 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
498 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
499 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
500
371fd835 501 l2cap_chan_hold(chan);
baa7e1fa 502
3df91ea2 503 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 504}
505
14a28491 506static void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 507{
508 mutex_lock(&conn->chan_lock);
509 __l2cap_chan_add(conn, chan);
3df91ea2 510 mutex_unlock(&conn->chan_lock);
0139418c
MH		 511}
512
4519de9a 513static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 514{
48454079 515 struct sock *sk = chan->sk;
8c1d787b 516 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 517 struct sock *parent = bt_sk(sk)->parent;
518
c9b66675 519 __clear_chan_timer(chan);
0139418c 520
49208c9c 521 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 522
8e87d142 523 if (conn) {
baa7e1fa 524 /* Delete from channel list */
3df91ea2 525 list_del(&chan->list);
3d57dc68 526
371fd835 527 l2cap_chan_put(chan);
baa7e1fa 528
8c1d787b 529 chan->conn = NULL;
0139418c
MH		 530 hci_conn_put(conn->hcon);
531 }
532
6be36555
AE		 533 lock_sock(sk);
534
0e587be7 535 __l2cap_state_change(chan, BT_CLOSED);
0139418c
MH		 536 sock_set_flag(sk, SOCK_ZAPPED);
537
538 if (err)
2e0052e4 539 __l2cap_chan_set_err(chan, err);
0139418c
MH		 540
541 if (parent) {
542 bt_accept_unlink(sk);
543 parent->sk_data_ready(parent, 0);
544 } else
545 sk->sk_state_change(sk);
c13ffa62 546
6be36555
AE		 547 release_sock(sk);
548
2827011f 549 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 550 return;
2ead70b8 551
ee556f66
GP		 552 switch(chan->mode) {
553 case L2CAP_MODE_BASIC:
554 break;
c13ffa62 555
ee556f66 556 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 557 __clear_retrans_timer(chan);
558 __clear_monitor_timer(chan);
559 __clear_ack_timer(chan);
c13ffa62 560
f1c6775b 561 skb_queue_purge(&chan->srej_q);
c13ffa62 562
3c588192
MM		 563 l2cap_seq_list_free(&chan->srej_list);
564 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 565
566 /* fall through */
567
568 case L2CAP_MODE_STREAMING:
569 skb_queue_purge(&chan->tx_q);
570 break;
c13ffa62 571 }
ee556f66
GP		 572
573 return;
0139418c
MH		 574}
575
4519de9a
GP		 576static void l2cap_chan_cleanup_listen(struct sock *parent)
577{
578 struct sock *sk;
579
580 BT_DBG("parent %p", parent);
581
582 /* Close not yet accepted channels */
0f852724 583 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee 584 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
3df91ea2 585
6be36555 586 l2cap_chan_lock(chan);
c9b66675 587 __clear_chan_timer(chan);
ba3bd0ee 588 l2cap_chan_close(chan, ECONNRESET);
6be36555 589 l2cap_chan_unlock(chan);
3df91ea2 590
ba3bd0ee 591 chan->ops->close(chan->data);
0f852724 592 }
4519de9a
GP		 593}
594
0f852724 595void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 596{
597 struct l2cap_conn *conn = chan->conn;
598 struct sock *sk = chan->sk;
599
e05dcc32
AE		 600 BT_DBG("chan %p state %s sk %p", chan,
601 state_to_string(chan->state), sk);
4519de9a 602
89bc500e 603 switch (chan->state) {
4519de9a 604 case BT_LISTEN:
6be36555 605 lock_sock(sk);
4519de9a 606 l2cap_chan_cleanup_listen(sk);
89bc500e 607
0e587be7 608 __l2cap_state_change(chan, BT_CLOSED);
89bc500e 609 sock_set_flag(sk, SOCK_ZAPPED);
6be36555 610 release_sock(sk);
4519de9a
GP		 611 break;
612
613 case BT_CONNECTED:
614 case BT_CONFIG:
715ec005 615 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 616 conn->hcon->type == ACL_LINK) {
c9b66675 617 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 618 l2cap_send_disconn_req(conn, chan, reason);
619 } else
620 l2cap_chan_del(chan, reason);
621 break;
622
623 case BT_CONNECT2:
715ec005 624 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 625 conn->hcon->type == ACL_LINK) {
626 struct l2cap_conn_rsp rsp;
627 __u16 result;
628
c5daa683 629 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 630 result = L2CAP_CR_SEC_BLOCK;
631 else
632 result = L2CAP_CR_BAD_PSM;
89bc500e 633 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 634
635 rsp.scid = cpu_to_le16(chan->dcid);
636 rsp.dcid = cpu_to_le16(chan->scid);
637 rsp.result = cpu_to_le16(result);
638 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
639 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
640 sizeof(rsp), &rsp);
641 }
642
643 l2cap_chan_del(chan, reason);
644 break;
645
646 case BT_CONNECT:
647 case BT_DISCONN:
648 l2cap_chan_del(chan, reason);
649 break;
650
651 default:
6be36555 652 lock_sock(sk);
4519de9a 653 sock_set_flag(sk, SOCK_ZAPPED);
6be36555 654 release_sock(sk);
4519de9a
GP		 655 break;
656 }
657}
658
4343478f 659static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 660{
715ec005 661 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 662 switch (chan->sec_level) {
8556edd3
JH		 663 case BT_SECURITY_HIGH:
664 return HCI_AT_DEDICATED_BONDING_MITM;
665 case BT_SECURITY_MEDIUM:
666 return HCI_AT_DEDICATED_BONDING;
667 default:
668 return HCI_AT_NO_BONDING;
669 }
fe4128e0 670 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 671 if (chan->sec_level == BT_SECURITY_LOW)
672 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 673
4343478f 674 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 675 return HCI_AT_NO_BONDING_MITM;
00ae4af9 676 else
8556edd3 677 return HCI_AT_NO_BONDING;
00ae4af9 678 } else {
4343478f 679 switch (chan->sec_level) {
00ae4af9 680 case BT_SECURITY_HIGH:
8556edd3 681 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 682 case BT_SECURITY_MEDIUM:
8556edd3 683 return HCI_AT_GENERAL_BONDING;
00ae4af9 684 default:
8556edd3 685 return HCI_AT_NO_BONDING;
00ae4af9 686 }
0684e5f9 687 }
8556edd3
JH		 688}
689
690/* Service level security */
d45fc423 691int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 692{
8c1d787b 693 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 694 __u8 auth_type;
695
4343478f 696 auth_type = l2cap_get_auth_type(chan);
79d554a6 697
4343478f 698 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 699}
700
b5ad8b7f 701static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 702{
703 u8 id;
704
705 /* Get next available identificator.
706 * 1 - 128 are used by kernel.
707 * 129 - 199 are reserved.
708 * 200 - 254 are used by utilities like l2ping, etc.
709 */
710
333055f2 711 spin_lock(&conn->lock);
4e8402a3
MH		 712
713 if (++conn->tx_ident > 128)
714 conn->tx_ident = 1;
715
716 id = conn->tx_ident;
717
333055f2 718 spin_unlock(&conn->lock);
4e8402a3
MH		 719
720 return id;
721}
722
4519de9a 723static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 724{
725 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 726 u8 flags;
4e8402a3
MH		 727
728 BT_DBG("code 0x%2.2x", code);
729
730 if (!skb)
9a9c6a34 731 return;
4e8402a3 732
e702112f
AE		 733 if (lmp_no_flush_capable(conn->hcon->hdev))
734 flags = ACL_START_NO_FLUSH;
735 else
736 flags = ACL_START;
737
14b12d0b 738 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 739 skb->priority = HCI_PRIO_MAX;
14b12d0b 740
73d80deb
LAD		 741 hci_send_acl(conn->hchan, skb, flags);
742}
743
744static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
745{
746 struct hci_conn *hcon = chan->conn->hcon;
747 u16 flags;
748
749 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
750 skb->priority);
751
752 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
753 lmp_no_flush_capable(hcon->hdev))
754 flags = ACL_START_NO_FLUSH;
755 else
756 flags = ACL_START;
14b12d0b 757
73d80deb
LAD		 758 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
759 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 760}
761
b76bbd66
MM		 762static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
763{
764 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
765 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
766
767 if (enh & L2CAP_CTRL_FRAME_TYPE) {
768 /* S-Frame */
769 control->sframe = 1;
770 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
771 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
772
773 control->sar = 0;
774 control->txseq = 0;
775 } else {
776 /* I-Frame */
777 control->sframe = 0;
778 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
779 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
780
781 control->poll = 0;
782 control->super = 0;
783 }
784}
785
b76bbd66
MM		 786static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
787{
788 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
789 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
790
791 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
792 /* S-Frame */
793 control->sframe = 1;
794 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
795 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
796
797 control->sar = 0;
798 control->txseq = 0;
799 } else {
800 /* I-Frame */
801 control->sframe = 0;
802 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
803 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
804
805 control->poll = 0;
806 control->super = 0;
807 }
808}
809
810static inline void __unpack_control(struct l2cap_chan *chan,
811 struct sk_buff *skb)
812{
813 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
814 __unpack_extended_control(get_unaligned_le32(skb->data),
815 &bt_cb(skb)->control);
cec8ab6e 816 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 817 } else {
818 __unpack_enhanced_control(get_unaligned_le16(skb->data),
819 &bt_cb(skb)->control);
cec8ab6e 820 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 821 }
822}
823
b5c6aaed
MM		 824static u32 __pack_extended_control(struct l2cap_ctrl *control)
825{
826 u32 packed;
827
828 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
829 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
830
831 if (control->sframe) {
832 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
833 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
834 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
835 } else {
836 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
837 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
838 }
839
840 return packed;
841}
842
843static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
844{
845 u16 packed;
846
847 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
848 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
849
850 if (control->sframe) {
851 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
852 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
853 packed |= L2CAP_CTRL_FRAME_TYPE;
854 } else {
855 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
856 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
857 }
858
859 return packed;
860}
861
b76bbd66
MM		 862static inline void __pack_control(struct l2cap_chan *chan,
863 struct l2cap_ctrl *control,
864 struct sk_buff *skb)
865{
866 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
867 put_unaligned_le32(__pack_extended_control(control),
868 skb->data + L2CAP_HDR_SIZE);
869 } else {
870 put_unaligned_le16(__pack_enhanced_control(control),
871 skb->data + L2CAP_HDR_SIZE);
872 }
873}
874
a67d7f6f
MM		 875static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
876 u32 control)
b5c6aaed
MM		 877{
878 struct sk_buff *skb;
879 struct l2cap_hdr *lh;
a67d7f6f 880 int hlen;
b5c6aaed
MM		 881
882 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
883 hlen = L2CAP_EXT_HDR_SIZE;
884 else
885 hlen = L2CAP_ENH_HDR_SIZE;
886
887 if (chan->fcs == L2CAP_FCS_CRC16)
888 hlen += L2CAP_FCS_SIZE;
889
a67d7f6f 890 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 891
b5c6aaed 892 if (!skb)
a67d7f6f 893 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 894
895 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
896 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
897 lh->cid = cpu_to_le16(chan->dcid);
898
a67d7f6f
MM		 899 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
900 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
901 else
902 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 903
904 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 905 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 906 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
907 }
908
909 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 910 return skb;
911}
912
913static void l2cap_send_sframe(struct l2cap_chan *chan,
914 struct l2cap_ctrl *control)
915{
916 struct sk_buff *skb;
917 u32 control_field;
918
919 BT_DBG("chan %p, control %p", chan, control);
920
921 if (!control->sframe)
922 return;
923
924 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
925 !control->poll)
926 control->final = 1;
927
928 if (control->super == L2CAP_SUPER_RR)
929 clear_bit(CONN_RNR_SENT, &chan->conn_state);
930 else if (control->super == L2CAP_SUPER_RNR)
931 set_bit(CONN_RNR_SENT, &chan->conn_state);
932
933 if (control->super != L2CAP_SUPER_SREJ) {
934 chan->last_acked_seq = control->reqseq;
935 __clear_ack_timer(chan);
936 }
937
938 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
939 control->final, control->poll, control->super);
940
941 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
942 control_field = __pack_extended_control(control);
943 else
944 control_field = __pack_enhanced_control(control);
945
946 skb = l2cap_create_sframe_pdu(chan, control_field);
947 if (!IS_ERR(skb))
948 l2cap_do_send(chan, skb);
b5c6aaed
MM		 949}
950
c9e3d5e0 951static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 952{
c9e3d5e0
MM		 953 struct l2cap_ctrl control;
954
955 BT_DBG("chan %p, poll %d", chan, poll);
956
957 memset(&control, 0, sizeof(control));
958 control.sframe = 1;
959 control.poll = poll;
960
961 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
962 control.super = L2CAP_SUPER_RNR;
963 else
964 control.super = L2CAP_SUPER_RR;
b5c6aaed 965
c9e3d5e0
MM		 966 control.reqseq = chan->buffer_seq;
967 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 968}
969
b4450035 970static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 971{
c1360a1c 972 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 973}
974
9b27f350
AE		 975static void l2cap_send_conn_req(struct l2cap_chan *chan)
976{
977 struct l2cap_conn *conn = chan->conn;
978 struct l2cap_conn_req req;
979
980 req.scid = cpu_to_le16(chan->scid);
981 req.psm = chan->psm;
982
983 chan->ident = l2cap_get_ident(conn);
984
985 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
986
987 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
988}
989
9f0caeb1
VCG		 990static void l2cap_chan_ready(struct l2cap_chan *chan)
991{
992 struct sock *sk = chan->sk;
993 struct sock *parent;
994
995 lock_sock(sk);
996
997 parent = bt_sk(sk)->parent;
998
999 BT_DBG("sk %p, parent %p", sk, parent);
1000
2827011f 1001 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1002 chan->conf_state = 0;
1003 __clear_chan_timer(chan);
1004
1005 __l2cap_state_change(chan, BT_CONNECTED);
1006 sk->sk_state_change(sk);
1007
1008 if (parent)
1009 parent->sk_data_ready(parent, 0);
1010
1011 release_sock(sk);
1012}
1013
fc7f8a7e 1014static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1015{
8c1d787b 1016 struct l2cap_conn *conn = chan->conn;
79d554a6 1017
9f0caeb1
VCG		 1018 if (conn->hcon->type == LE_LINK) {
1019 l2cap_chan_ready(chan);
1020 return;
1021 }
1022
79d554a6 1023 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1024 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1025 return;
1026
d45fc423 1027 if (l2cap_chan_check_security(chan) &&
9b27f350
AE		 1028 __l2cap_no_conn_pending(chan))
1029 l2cap_send_conn_req(chan);
79d554a6
MH		 1030 } else {
1031 struct l2cap_info_req req;
1032 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1033
1034 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1035 conn->info_ident = l2cap_get_ident(conn);
1036
ba13ccd9 1037 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 1038
1039 l2cap_send_cmd(conn, conn->info_ident,
1040 L2CAP_INFO_REQ, sizeof(req), &req);
1041 }
1042}
1043
cf6c2c0b
GP		 1044static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1045{
1046 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1047 if (!disable_ertm)
cf6c2c0b
GP		 1048 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1049
1050 switch (mode) {
1051 case L2CAP_MODE_ERTM:
1052 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1053 case L2CAP_MODE_STREAMING:
1054 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1055 default:
1056 return 0x00;
1057 }
1058}
1059
4519de9a 1060static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 1061{
6be36555 1062 struct sock *sk = chan->sk;
22121fc9
GP		 1063 struct l2cap_disconn_req req;
1064
c13ffa62
GP		 1065 if (!conn)
1066 return;
1067
0c1bc5c6 1068 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 1069 __clear_retrans_timer(chan);
1070 __clear_monitor_timer(chan);
1071 __clear_ack_timer(chan);
c13ffa62
GP		 1072 }
1073
fe4128e0
GP		 1074 req.dcid = cpu_to_le16(chan->dcid);
1075 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 1076 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1077 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 1078
6be36555 1079 lock_sock(sk);
0e587be7 1080 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1081 __l2cap_chan_set_err(chan, err);
6be36555 1082 release_sock(sk);
22121fc9
GP		 1083}
1084
1da177e4 1085/* ---- L2CAP connections ---- */
4e8402a3
MH		 1086static void l2cap_conn_start(struct l2cap_conn *conn)
1087{
3df91ea2 1088 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1089
1090 BT_DBG("conn %p", conn);
1091
3df91ea2 1092 mutex_lock(&conn->chan_lock);
4e8402a3 1093
3df91ea2 1094 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1095 struct sock *sk = chan->sk;
baa7e1fa 1096
6be36555 1097 l2cap_chan_lock(chan);
4e8402a3 1098
715ec005 1099 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1100 l2cap_chan_unlock(chan);
79d554a6
MH		 1101 continue;
1102 }
1103
89bc500e 1104 if (chan->state == BT_CONNECT) {
d45fc423 1105 if (!l2cap_chan_check_security(chan) ||
b4450035 1106 !__l2cap_no_conn_pending(chan)) {
6be36555 1107 l2cap_chan_unlock(chan);
47731de7
GP		 1108 continue;
1109 }
79d554a6 1110
c1360a1c
GP		 1111 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1112 && test_bit(CONF_STATE2_DEVICE,
1113 &chan->conf_state)) {
89bc500e 1114 l2cap_chan_close(chan, ECONNRESET);
6be36555 1115 l2cap_chan_unlock(chan);
47731de7 1116 continue;
b1235d79 1117 }
47731de7 1118
9b27f350 1119 l2cap_send_conn_req(chan);
47731de7 1120
89bc500e 1121 } else if (chan->state == BT_CONNECT2) {
79d554a6 1122 struct l2cap_conn_rsp rsp;
e9aeb2dd 1123 char buf[128];
fe4128e0
GP		 1124 rsp.scid = cpu_to_le16(chan->dcid);
1125 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1126
d45fc423 1127 if (l2cap_chan_check_security(chan)) {
6be36555 1128 lock_sock(sk);
c5daa683
GP		 1129 if (test_bit(BT_SK_DEFER_SETUP,
1130 &bt_sk(sk)->flags)) {
f66dc81f
MH		 1131 struct sock *parent = bt_sk(sk)->parent;
1132 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1133 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 1134 if (parent)
1135 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 1136
1137 } else {
0e587be7 1138 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 1139 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1140 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1141 }
6be36555 1142 release_sock(sk);
79d554a6
MH		 1143 } else {
1144 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1145 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1146 }
1147
fc7f8a7e
GP		 1148 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1149 sizeof(rsp), &rsp);
e9aeb2dd 1150
c1360a1c 1151 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd 1152 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1153 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1154 continue;
1155 }
1156
c1360a1c 1157 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1158 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 1159 l2cap_build_conf_req(chan, buf), buf);
1160 chan->num_conf_req++;
4e8402a3
MH		 1161 }
1162
6be36555 1163 l2cap_chan_unlock(chan);
4e8402a3
MH		 1164 }
1165
3df91ea2 1166 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1167}
1168
c2287681 1169/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1170 * Returns closest match, locked.
1171 */
d9b88702 1172static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1173 bdaddr_t *src,
1174 bdaddr_t *dst)
b62f328b 1175{
23691d75 1176 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1177
23691d75 1178 read_lock(&chan_list_lock);
b62f328b 1179
23691d75
GP		 1180 list_for_each_entry(c, &chan_list, global_l) {
1181 struct sock *sk = c->sk;
fe4128e0 1182
89bc500e 1183 if (state && c->state != state)
b62f328b
VT		 1184 continue;
1185
23691d75 1186 if (c->scid == cid) {
c2287681
IY		 1187 int src_match, dst_match;
1188 int src_any, dst_any;
1189
b62f328b 1190 /* Exact match. */
c2287681
IY		 1191 src_match = !bacmp(&bt_sk(sk)->src, src);
1192 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1193 if (src_match && dst_match) {
23691d75
GP		 1194 read_unlock(&chan_list_lock);
1195 return c;
1196 }
b62f328b
VT		 1197
1198 /* Closest match */
c2287681
IY		 1199 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1200 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1201 if ((src_match && dst_any) || (src_any && dst_match) ||
1202 (src_any && dst_any))
23691d75 1203 c1 = c;
b62f328b
VT		 1204 }
1205 }
280f294f 1206
23691d75 1207 read_unlock(&chan_list_lock);
b62f328b 1208
23691d75 1209 return c1;
b62f328b
VT		 1210}
1211
1212static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1213{
c916fbe4 1214 struct sock *parent, *sk;
23691d75 1215 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1216
1217 BT_DBG("");
1218
1219 /* Check if we have socket listening on cid */
23691d75 1220 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1221 conn->src, conn->dst);
23691d75 1222 if (!pchan)
b62f328b
VT		 1223 return;
1224
23691d75
GP		 1225 parent = pchan->sk;
1226
aa2ac881 1227 lock_sock(parent);
62f3a2cf 1228
b62f328b
VT		 1229 /* Check for backlog size */
1230 if (sk_acceptq_is_full(parent)) {
1231 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1232 goto clean;
1233 }
1234
80808e43
GP		 1235 chan = pchan->ops->new_connection(pchan->data);
1236 if (!chan)
b62f328b
VT		 1237 goto clean;
1238
80808e43 1239 sk = chan->sk;
5d41ce1d 1240
b62f328b
VT		 1241 hci_conn_hold(conn->hcon);
1242
b62f328b
VT		 1243 bacpy(&bt_sk(sk)->src, conn->src);
1244 bacpy(&bt_sk(sk)->dst, conn->dst);
1245
d1010240
GP		 1246 bt_accept_enqueue(parent, sk);
1247
3d57dc68 1248 l2cap_chan_add(conn, chan);
48454079 1249
c9b66675 1250 __set_chan_timer(chan, sk->sk_sndtimeo);
b62f328b 1251
0e587be7 1252 __l2cap_state_change(chan, BT_CONNECTED);
b62f328b
VT		 1253 parent->sk_data_ready(parent, 0);
1254
b62f328b 1255clean:
aa2ac881 1256 release_sock(parent);
b62f328b
VT		 1257}
1258
4e8402a3
MH		 1259static void l2cap_conn_ready(struct l2cap_conn *conn)
1260{
48454079 1261 struct l2cap_chan *chan;
4e8402a3 1262
79d554a6 1263 BT_DBG("conn %p", conn);
4e8402a3 1264
b62f328b
VT		 1265 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
1266 l2cap_le_conn_ready(conn);
1267
160dc6ac
VCG		 1268 if (conn->hcon->out && conn->hcon->type == LE_LINK)
1269 smp_conn_security(conn, conn->hcon->pending_sec_level);
1270
3df91ea2 1271 mutex_lock(&conn->chan_lock);
4e8402a3 1272
3df91ea2 1273 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1274
6be36555 1275 l2cap_chan_lock(chan);
4e8402a3 1276
63128451 1277 if (conn->hcon->type == LE_LINK) {
b501d6a1 1278 if (smp_conn_security(conn, chan->sec_level))
cf4cd009 1279 l2cap_chan_ready(chan);
acd7d370 1280
63128451 1281 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1282 struct sock *sk = chan->sk;
c9b66675 1283 __clear_chan_timer(chan);
6be36555 1284 lock_sock(sk);
0e587be7 1285 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1286 sk->sk_state_change(sk);
6be36555 1287 release_sock(sk);
b501d6a1 1288
89bc500e 1289 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1290 l2cap_do_start(chan);
4e8402a3 1291
6be36555 1292 l2cap_chan_unlock(chan);
4e8402a3 1293 }
79d554a6 1294
3df91ea2 1295 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1296}
1297
1298/* Notify sockets that we cannot guaranty reliability anymore */
1299static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1300{
48454079 1301 struct l2cap_chan *chan;
4e8402a3
MH		 1302
1303 BT_DBG("conn %p", conn);
1304
3df91ea2 1305 mutex_lock(&conn->chan_lock);
4e8402a3 1306
3df91ea2 1307 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1308 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
2e0052e4 1309 __l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1310 }
1311
3df91ea2 1312 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1313}
1314
f878fcad 1315static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1316{
f878fcad 1317 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
030013d8 1318 info_timer.work);
4e8402a3 1319
984947dc 1320 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1321 conn->info_ident = 0;
984947dc 1322
4e8402a3
MH		 1323 l2cap_conn_start(conn);
1324}
1325
5d3de7df
VCG		 1326static void l2cap_conn_del(struct hci_conn *hcon, int err)
1327{
1328 struct l2cap_conn *conn = hcon->l2cap_data;
1329 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1330
1331 if (!conn)
1332 return;
1333
1334 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1335
1336 kfree_skb(conn->rx_skb);
1337
3df91ea2
AE		 1338 mutex_lock(&conn->chan_lock);
1339
5d3de7df
VCG		 1340 /* Kill channels */
1341 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1342 l2cap_chan_hold(chan);
6be36555
AE		 1343 l2cap_chan_lock(chan);
1344
5d3de7df 1345 l2cap_chan_del(chan, err);
6be36555
AE		 1346
1347 l2cap_chan_unlock(chan);
1348
5d3de7df 1349 chan->ops->close(chan->data);
61d6ef3e 1350 l2cap_chan_put(chan);
5d3de7df
VCG		 1351 }
1352
3df91ea2
AE		 1353 mutex_unlock(&conn->chan_lock);
1354
73d80deb
LAD		 1355 hci_chan_del(conn->hchan);
1356
5d3de7df 1357 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1358 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1359
51a8efd7 1360 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1361 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1362 smp_chan_destroy(conn);
d26a2345 1363 }
5d3de7df
VCG		 1364
1365 hcon->l2cap_data = NULL;
1366 kfree(conn);
1367}
1368
6c9d42a1 1369static void security_timeout(struct work_struct *work)
5d3de7df 1370{
6c9d42a1
GP		 1371 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1372 security_timer.work);
5d3de7df
VCG		 1373
1374 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1375}
1376
1da177e4
LT		 1377static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1378{
0139418c 1379 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1380 struct hci_chan *hchan;
1da177e4 1381
0139418c 1382 if (conn || status)
1da177e4
LT		 1383 return conn;
1384
73d80deb
LAD		 1385 hchan = hci_chan_create(hcon);
1386 if (!hchan)
1387 return NULL;
1388
0139418c 1389 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
73d80deb
LAD		 1390 if (!conn) {
1391 hci_chan_del(hchan);
1da177e4 1392 return NULL;
73d80deb 1393 }
1da177e4
LT		 1394
1395 hcon->l2cap_data = conn;
1396 conn->hcon = hcon;
73d80deb 1397 conn->hchan = hchan;
1da177e4 1398
73d80deb 1399 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1400
acd7d370
VT		 1401 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1402 conn->mtu = hcon->hdev->le_mtu;
1403 else
1404 conn->mtu = hcon->hdev->acl_mtu;
1405
1da177e4
LT		 1406 conn->src = &hcon->hdev->bdaddr;
1407 conn->dst = &hcon->dst;
1408
4e8402a3
MH		 1409 conn->feat_mask = 0;
1410
1da177e4 1411 spin_lock_init(&conn->lock);
3df91ea2 1412 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1413
1414 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1415
5d3de7df 1416 if (hcon->type == LE_LINK)
6c9d42a1 1417 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1418 else
030013d8 1419 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1420
9f5a0d7b 1421 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1422
1da177e4
LT		 1423 return conn;
1424}
1425
1da177e4 1426/* ---- Socket interface ---- */
1da177e4 1427
c2287681 1428/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1429 * Returns closest match.
1430 */
c2287681
IY		 1431static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1432 bdaddr_t *src,
1433 bdaddr_t *dst)
1da177e4 1434{
23691d75 1435 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1436
23691d75 1437 read_lock(&chan_list_lock);
e0f0cb56 1438
23691d75
GP		 1439 list_for_each_entry(c, &chan_list, global_l) {
1440 struct sock *sk = c->sk;
fe4128e0 1441
89bc500e 1442 if (state && c->state != state)
1da177e4
LT		 1443 continue;
1444
23691d75 1445 if (c->psm == psm) {
c2287681
IY		 1446 int src_match, dst_match;
1447 int src_any, dst_any;
1448
1da177e4 1449 /* Exact match. */
c2287681
IY		 1450 src_match = !bacmp(&bt_sk(sk)->src, src);
1451 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1452 if (src_match && dst_match) {
a7567b20 1453 read_unlock(&chan_list_lock);
23691d75
GP		 1454 return c;
1455 }
1da177e4
LT		 1456
1457 /* Closest match */
c2287681
IY		 1458 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1459 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1460 if ((src_match && dst_any) || (src_any && dst_match) ||
1461 (src_any && dst_any))
23691d75 1462 c1 = c;
1da177e4
LT		 1463 }
1464 }
1da177e4 1465
23691d75 1466 read_unlock(&chan_list_lock);
e0f0cb56 1467
23691d75 1468 return c1;
1da177e4
LT		 1469}
1470
8e9f9892
AG		 1471int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1472 bdaddr_t *dst, u8 dst_type)
1da177e4 1473{
5d41ce1d 1474 struct sock *sk = chan->sk;
1da177e4 1475 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1476 struct l2cap_conn *conn;
1477 struct hci_conn *hcon;
1478 struct hci_dev *hdev;
09ab6f4c 1479 __u8 auth_type;
44d0e48e 1480 int err;
1da177e4 1481
8e9f9892
AG		 1482 BT_DBG("%s -> %s (type %u) psm 0x%2.2x", batostr(src), batostr(dst),
1483 dst_type, __le16_to_cpu(chan->psm));
1da177e4 1484
af05b30b
GP		 1485 hdev = hci_get_route(dst, src);
1486 if (!hdev)
1da177e4
LT		 1487 return -EHOSTUNREACH;
1488
09fd0de5 1489 hci_dev_lock(hdev);
1da177e4 1490
6be36555 1491 l2cap_chan_lock(chan);
03a00194
GP		 1492
1493 /* PSM must be odd and lsb of upper byte must be 0 */
1494 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1495 chan->chan_type != L2CAP_CHAN_RAW) {
1496 err = -EINVAL;
1497 goto done;
1498 }
1499
1500 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1501 err = -EINVAL;
1502 goto done;
1503 }
1504
1505 switch (chan->mode) {
1506 case L2CAP_MODE_BASIC:
1507 break;
1508 case L2CAP_MODE_ERTM:
1509 case L2CAP_MODE_STREAMING:
1510 if (!disable_ertm)
1511 break;
1512 /* fall through */
1513 default:
1514 err = -ENOTSUPP;
1515 goto done;
1516 }
1517
6be36555
AE		 1518 lock_sock(sk);
1519
03a00194
GP		 1520 switch (sk->sk_state) {
1521 case BT_CONNECT:
1522 case BT_CONNECT2:
1523 case BT_CONFIG:
1524 /* Already connecting */
1525 err = 0;
6be36555 1526 release_sock(sk);
03a00194
GP		 1527 goto done;
1528
1529 case BT_CONNECTED:
1530 /* Already connected */
1531 err = -EISCONN;
6be36555 1532 release_sock(sk);
03a00194
GP		 1533 goto done;
1534
1535 case BT_OPEN:
1536 case BT_BOUND:
1537 /* Can connect */
1538 break;
1539
1540 default:
1541 err = -EBADFD;
6be36555 1542 release_sock(sk);
03a00194
GP		 1543 goto done;
1544 }
1545
1546 /* Set destination address and psm */
9219b2a0 1547 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1548
1549 release_sock(sk);
1550
03a00194
GP		 1551 chan->psm = psm;
1552 chan->dcid = cid;
1da177e4 1553
4343478f 1554 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1555
fe4128e0 1556 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1557 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1558 chan->sec_level, auth_type);
acd7d370 1559 else
8e9f9892 1560 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1561 chan->sec_level, auth_type);
acd7d370 1562
30e76272
VT		 1563 if (IS_ERR(hcon)) {
1564 err = PTR_ERR(hcon);
1da177e4 1565 goto done;
30e76272 1566 }
1da177e4
LT		 1567
1568 conn = l2cap_conn_add(hcon, 0);
1569 if (!conn) {
1570 hci_conn_put(hcon);
30e76272 1571 err = -ENOMEM;
1da177e4
LT		 1572 goto done;
1573 }
1574
9f0caeb1
VCG		 1575 if (hcon->type == LE_LINK) {
1576 err = 0;
1577
1578 if (!list_empty(&conn->chan_l)) {
1579 err = -EBUSY;
1580 hci_conn_put(hcon);
1581 }
1582
1583 if (err)
1584 goto done;
1585 }
1586
1da177e4
LT		 1587 /* Update source addr of the socket */
1588 bacpy(src, conn->src);
1589
6be36555 1590 l2cap_chan_unlock(chan);
48454079 1591 l2cap_chan_add(conn, chan);
6be36555 1592 l2cap_chan_lock(chan);
48454079 1593
6be36555 1594 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1595 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1596
1597 if (hcon->state == BT_CONNECTED) {
715ec005 1598 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1599 __clear_chan_timer(chan);
d45fc423 1600 if (l2cap_chan_check_security(chan))
6be36555 1601 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1602 } else
fc7f8a7e 1603 l2cap_do_start(chan);
1da177e4
LT		 1604 }
1605
30e76272
VT		 1606 err = 0;
1607
1da177e4 1608done:
6be36555 1609 l2cap_chan_unlock(chan);
09fd0de5 1610 hci_dev_unlock(hdev);
1da177e4
LT		 1611 hci_dev_put(hdev);
1612 return err;
1613}
1614
dcba0dba 1615int __l2cap_wait_ack(struct sock *sk)
6161c038 1616{
8c1d787b 1617 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1618 DECLARE_WAITQUEUE(wait, current);
1619 int err = 0;
1620 int timeo = HZ/5;
1621
2b0b05dd 1622 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1623 set_current_state(TASK_INTERRUPTIBLE);
1624 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1625 if (!timeo)
1626 timeo = HZ/5;
1627
1628 if (signal_pending(current)) {
1629 err = sock_intr_errno(timeo);
1630 break;
1631 }
1632
1633 release_sock(sk);
1634 timeo = schedule_timeout(timeo);
1635 lock_sock(sk);
a71a0cf4 1636 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1637
1638 err = sock_error(sk);
1639 if (err)
1640 break;
1641 }
1642 set_current_state(TASK_RUNNING);
2b0b05dd 1643 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1644 return err;
1645}
1646
721c4181 1647static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1648{
721c4181 1649 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1650 monitor_timer.work);
e90bac06 1651
525cd185 1652 BT_DBG("chan %p", chan);
0e98958d 1653
6be36555
AE		 1654 l2cap_chan_lock(chan);
1655
80909e04 1656 if (!chan->conn) {
6be36555 1657 l2cap_chan_unlock(chan);
8d7e1c7f 1658 l2cap_chan_put(chan);
e90bac06
GP		 1659 return;
1660 }
1661
80909e04 1662 l2cap_tx(chan, 0, 0, L2CAP_EV_MONITOR_TO);
e90bac06 1663
6be36555 1664 l2cap_chan_unlock(chan);
8d7e1c7f 1665 l2cap_chan_put(chan);
e90bac06
GP		 1666}
1667
721c4181 1668static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1669{
721c4181 1670 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1671 retrans_timer.work);
e90bac06 1672
49208c9c 1673 BT_DBG("chan %p", chan);
0e98958d 1674
6be36555
AE		 1675 l2cap_chan_lock(chan);
1676
80909e04
MM		 1677 if (!chan->conn) {
1678 l2cap_chan_unlock(chan);
1679 l2cap_chan_put(chan);
1680 return;
1681 }
6be36555 1682
80909e04 1683 l2cap_tx(chan, 0, 0, L2CAP_EV_RETRANS_TO);
6be36555 1684 l2cap_chan_unlock(chan);
8d7e1c7f 1685 l2cap_chan_put(chan);
e90bac06
GP		 1686}
1687
3733937d
MM		 1688static int l2cap_streaming_send(struct l2cap_chan *chan,
1689 struct sk_buff_head *skbs)
6840ed07 1690{
ccbb84af 1691 struct sk_buff *skb;
3733937d 1692 struct l2cap_ctrl *control;
6840ed07 1693
3733937d
MM		 1694 BT_DBG("chan %p, skbs %p", chan, skbs);
1695
1696 if (chan->state != BT_CONNECTED)
1697 return -ENOTCONN;
1698
1699 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1700
1701 while (!skb_queue_empty(&chan->tx_q)) {
1702
1703 skb = skb_dequeue(&chan->tx_q);
1704
1705 bt_cb(skb)->control.retries = 1;
1706 control = &bt_cb(skb)->control;
1707
1708 control->reqseq = 0;
1709 control->txseq = chan->next_tx_seq;
1710
1711 __pack_control(chan, control, skb);
6840ed07 1712
47d1ec61 1713 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1714 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1715 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1716 }
1717
4343478f 1718 l2cap_do_send(chan, skb);
6840ed07 1719
3733937d
MM		 1720 BT_DBG("Sent txseq %d", (int)control->txseq);
1721
836be934 1722 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1723 chan->frames_sent++;
6840ed07 1724 }
3733937d
MM		 1725
1726 return 0;
6840ed07
GP		 1727}
1728
67c9e840 1729static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1730{
1731 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1732 struct l2cap_ctrl *control;
1733 int sent = 0;
1734
1735 BT_DBG("chan %p", chan);
1c2acffb 1736
89bc500e 1737 if (chan->state != BT_CONNECTED)
c13ffa62 1738 return -ENOTCONN;
e90bac06 1739
94122bbe
MM		 1740 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1741 return 0;
1742
18a48e76
MM		 1743 while (chan->tx_send_head &&
1744 chan->unacked_frames < chan->remote_tx_win &&
1745 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1746
18a48e76 1747 skb = chan->tx_send_head;
e90bac06 1748
18a48e76
MM		 1749 bt_cb(skb)->control.retries = 1;
1750 control = &bt_cb(skb)->control;
95ffa978 1751
e2ab4353 1752 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1753 control->final = 1;
e2ab4353 1754
18a48e76
MM		 1755 control->reqseq = chan->buffer_seq;
1756 chan->last_acked_seq = chan->buffer_seq;
1757 control->txseq = chan->next_tx_seq;
1c2acffb 1758
18a48e76 1759 __pack_control(chan, control, skb);
e90bac06 1760
47d1ec61 1761 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1762 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1763 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1764 }
1765
18a48e76
MM		 1766 /* Clone after data has been modified. Data is assumed to be
1767 read-only (for locking purposes) on cloned sk_buffs.
1768 */
1769 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1770
18a48e76
MM		 1771 if (!tx_skb)
1772 break;
1c2acffb 1773
18a48e76 1774 __set_retrans_timer(chan);
836be934
AE		 1775
1776 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1777 chan->unacked_frames++;
6a026610 1778 chan->frames_sent++;
18a48e76 1779 sent++;
1c2acffb 1780
58d35f87
GP		 1781 if (skb_queue_is_last(&chan->tx_q, skb))
1782 chan->tx_send_head = NULL;
1c2acffb 1783 else
58d35f87 1784 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1785
1786 l2cap_do_send(chan, tx_skb);
1787 BT_DBG("Sent txseq %d", (int)control->txseq);
1c2acffb
GP		 1788 }
1789
18a48e76
MM		 1790 BT_DBG("Sent %d, %d unacked, %d in ERTM queue", sent,
1791 (int) chan->unacked_frames, skb_queue_len(&chan->tx_q));
1792
1793 return sent;
9e917af1
GP		 1794}
1795
e1fbd4c1
MM		 1796static void l2cap_ertm_resend(struct l2cap_chan *chan)
1797{
1798 struct l2cap_ctrl control;
1799 struct sk_buff *skb;
1800 struct sk_buff *tx_skb;
1801 u16 seq;
1802
1803 BT_DBG("chan %p", chan);
1804
1805 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1806 return;
1807
1808 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1809 seq = l2cap_seq_list_pop(&chan->retrans_list);
1810
1811 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1812 if (!skb) {
1813 BT_DBG("Error: Can't retransmit seq %d, frame missing",
1814 seq);
1815 continue;
1816 }
1817
1818 bt_cb(skb)->control.retries++;
1819 control = bt_cb(skb)->control;
1820
1821 if (chan->max_tx != 0 &&
1822 bt_cb(skb)->control.retries > chan->max_tx) {
1823 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1824 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
1825 l2cap_seq_list_clear(&chan->retrans_list);
1826 break;
1827 }
1828
1829 control.reqseq = chan->buffer_seq;
1830 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1831 control.final = 1;
1832 else
1833 control.final = 0;
1834
1835 if (skb_cloned(skb)) {
1836 /* Cloned sk_buffs are read-only, so we need a
1837 * writeable copy
1838 */
1839 tx_skb = skb_copy(skb, GFP_ATOMIC);
1840 } else {
1841 tx_skb = skb_clone(skb, GFP_ATOMIC);
1842 }
1843
1844 if (!tx_skb) {
1845 l2cap_seq_list_clear(&chan->retrans_list);
1846 break;
1847 }
1848
1849 /* Update skb contents */
1850 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1851 put_unaligned_le32(__pack_extended_control(&control),
1852 tx_skb->data + L2CAP_HDR_SIZE);
1853 } else {
1854 put_unaligned_le16(__pack_enhanced_control(&control),
1855 tx_skb->data + L2CAP_HDR_SIZE);
1856 }
1857
1858 if (chan->fcs == L2CAP_FCS_CRC16) {
1859 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
1860 put_unaligned_le16(fcs, skb_put(tx_skb,
1861 L2CAP_FCS_SIZE));
1862 }
1863
1864 l2cap_do_send(chan, tx_skb);
1865
1866 BT_DBG("Resent txseq %d", control.txseq);
1867
1868 chan->last_acked_seq = chan->buffer_seq;
1869 }
1870}
1871
f80842a8
MM		 1872static void l2cap_retransmit(struct l2cap_chan *chan,
1873 struct l2cap_ctrl *control)
1874{
1875 BT_DBG("chan %p, control %p", chan, control);
1876
1877 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
1878 l2cap_ertm_resend(chan);
1879}
1880
d2a7ac5d
MM		 1881static void l2cap_retransmit_all(struct l2cap_chan *chan,
1882 struct l2cap_ctrl *control)
1883{
e1fbd4c1
MM		 1884 struct sk_buff *skb;
1885
1886 BT_DBG("chan %p, control %p", chan, control);
1887
1888 if (control->poll)
1889 set_bit(CONN_SEND_FBIT, &chan->conn_state);
1890
1891 l2cap_seq_list_clear(&chan->retrans_list);
1892
1893 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1894 return;
1895
1896 if (chan->unacked_frames) {
1897 skb_queue_walk(&chan->tx_q, skb) {
1898 if (bt_cb(skb)->control.txseq == control->reqseq ||
1899 skb == chan->tx_send_head)
1900 break;
1901 }
1902
1903 skb_queue_walk_from(&chan->tx_q, skb) {
1904 if (skb == chan->tx_send_head)
1905 break;
1906
1907 l2cap_seq_list_append(&chan->retrans_list,
1908 bt_cb(skb)->control.txseq);
1909 }
1910
1911 l2cap_ertm_resend(chan);
1912 }
d2a7ac5d
MM		 1913}
1914
0a0aba42 1915static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1916{
0a0aba42
MM		 1917 struct l2cap_ctrl control;
1918 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
1919 chan->last_acked_seq);
1920 int threshold;
9e917af1 1921
0a0aba42
MM		 1922 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
1923 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 1924
0a0aba42
MM		 1925 memset(&control, 0, sizeof(control));
1926 control.sframe = 1;
dfc909be 1927
0a0aba42
MM		 1928 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
1929 chan->rx_state == L2CAP_RX_STATE_RECV) {
1930 __clear_ack_timer(chan);
1931 control.super = L2CAP_SUPER_RNR;
1932 control.reqseq = chan->buffer_seq;
1933 l2cap_send_sframe(chan, &control);
1934 } else {
1935 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
1936 l2cap_ertm_send(chan);
1937 /* If any i-frames were sent, they included an ack */
1938 if (chan->buffer_seq == chan->last_acked_seq)
1939 frames_to_ack = 0;
1940 }
dfc909be 1941
0a0aba42
MM		 1942 /* Ack now if the tx window is 3/4ths full.
1943 * Calculate without mul or div
1944 */
1945 threshold = chan->tx_win;
1946 threshold += threshold << 1;
1947 threshold >>= 2;
1948
1949 BT_DBG("frames_to_ack %d, threshold %d", (int)frames_to_ack,
1950 threshold);
1951
1952 if (frames_to_ack >= threshold) {
1953 __clear_ack_timer(chan);
1954 control.super = L2CAP_SUPER_RR;
1955 control.reqseq = chan->buffer_seq;
1956 l2cap_send_sframe(chan, &control);
1957 frames_to_ack = 0;
1958 }
1c2acffb 1959
0a0aba42
MM		 1960 if (frames_to_ack)
1961 __set_ack_timer(chan);
1962 }
b17e73bb
SJ		 1963}
1964
04124681
GP		 1965static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
1966 struct msghdr *msg, int len,
1967 int count, struct sk_buff *skb)
1c2acffb 1968{
0952a57a 1969 struct l2cap_conn *conn = chan->conn;
1c2acffb 1970 struct sk_buff **frag;
90338947 1971 int sent = 0;
1da177e4 1972
59203a21 1973 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1974 return -EFAULT;
1da177e4
LT		 1975
1976 sent += count;
1977 len -= count;
1978
1979 /* Continuation fragments (no L2CAP header) */
1980 frag = &skb_shinfo(skb)->frag_list;
1981 while (len) {
fbe00700
GP		 1982 struct sk_buff *tmp;
1983
1da177e4
LT		 1984 count = min_t(unsigned int, conn->mtu, len);
1985
fbe00700
GP		 1986 tmp = chan->ops->alloc_skb(chan, count,
1987 msg->msg_flags & MSG_DONTWAIT);
1988 if (IS_ERR(tmp))
1989 return PTR_ERR(tmp);
1990
1991 *frag = tmp;
2f7719ce 1992
1c2acffb
GP		 1993 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1994 return -EFAULT;
1da177e4 1995
5e59b791
LAD		 1996 (*frag)->priority = skb->priority;
1997
1da177e4
LT		 1998 sent += count;
1999 len -= count;
2000
2d0ed3d5
GP		 2001 skb->len += (*frag)->len;
2002 skb->data_len += (*frag)->len;
2003
1da177e4
LT		 2004 frag = &(*frag)->next;
2005 }
1da177e4
LT		 2006
2007 return sent;
1c2acffb 2008}
1da177e4 2009
5e59b791
LAD		 2010static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
2011 struct msghdr *msg, size_t len,
2012 u32 priority)
1c2acffb 2013{
8c1d787b 2014 struct l2cap_conn *conn = chan->conn;
1c2acffb 2015 struct sk_buff *skb;
03a51213 2016 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2017 struct l2cap_hdr *lh;
2018
6d5922b0 2019 BT_DBG("chan %p len %d priority %u", chan, (int)len, priority);
1c2acffb
GP		 2020
2021 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2022
2023 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2024 msg->msg_flags & MSG_DONTWAIT);
2025 if (IS_ERR(skb))
2026 return skb;
1c2acffb 2027
5e59b791
LAD		 2028 skb->priority = priority;
2029
1c2acffb
GP		 2030 /* Create L2CAP header */
2031 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2032 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 2033 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2034 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2035
0952a57a 2036 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2037 if (unlikely(err < 0)) {
2038 kfree_skb(skb);
2039 return ERR_PTR(err);
2040 }
2041 return skb;
2042}
2043
5e59b791
LAD		 2044static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
2045 struct msghdr *msg, size_t len,
2046 u32 priority)
1c2acffb 2047{
8c1d787b 2048 struct l2cap_conn *conn = chan->conn;
1c2acffb 2049 struct sk_buff *skb;
f2ba7fae 2050 int err, count;
1c2acffb
GP		 2051 struct l2cap_hdr *lh;
2052
6d5922b0 2053 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 2054
f2ba7fae 2055 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2056
f2ba7fae 2057 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 2058 msg->msg_flags & MSG_DONTWAIT);
2059 if (IS_ERR(skb))
2060 return skb;
1c2acffb 2061
5e59b791
LAD		 2062 skb->priority = priority;
2063
1c2acffb
GP		 2064 /* Create L2CAP header */
2065 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2066 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2067 lh->len = cpu_to_le16(len);
1c2acffb 2068
0952a57a 2069 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2070 if (unlikely(err < 0)) {
2071 kfree_skb(skb);
2072 return ERR_PTR(err);
2073 }
2074 return skb;
2075}
2076
ab0ff76d
LAD		 2077static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2078 struct msghdr *msg, size_t len,
94122bbe 2079 u16 sdulen)
1c2acffb 2080{
8c1d787b 2081 struct l2cap_conn *conn = chan->conn;
1c2acffb 2082 struct sk_buff *skb;
e4ca6d98 2083 int err, count, hlen;
1c2acffb
GP		 2084 struct l2cap_hdr *lh;
2085
6d5922b0 2086 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 2087
0ee0d208
GP		 2088 if (!conn)
2089 return ERR_PTR(-ENOTCONN);
2090
e4ca6d98
AE		 2091 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2092 hlen = L2CAP_EXT_HDR_SIZE;
2093 else
2094 hlen = L2CAP_ENH_HDR_SIZE;
2095
c74e560c 2096 if (sdulen)
03a51213 2097 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2098
47d1ec61 2099 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2100 hlen += L2CAP_FCS_SIZE;
fcc203c3 2101
1c2acffb 2102 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2103
2104 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2105 msg->msg_flags & MSG_DONTWAIT);
2106 if (IS_ERR(skb))
2107 return skb;
1c2acffb
GP		 2108
2109 /* Create L2CAP header */
2110 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2111 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2112 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2113
18a48e76
MM		 2114 /* Control header is populated later */
2115 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2116 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2117 else
2118 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2119
c74e560c 2120 if (sdulen)
03a51213 2121 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2122
0952a57a 2123 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2124 if (unlikely(err < 0)) {
2125 kfree_skb(skb);
2126 return ERR_PTR(err);
2127 }
e90bac06 2128
18a48e76 2129 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2130 bt_cb(skb)->control.retries = 0;
1c2acffb 2131 return skb;
1da177e4
LT		 2132}
2133
94122bbe
MM		 2134static int l2cap_segment_sdu(struct l2cap_chan *chan,
2135 struct sk_buff_head *seg_queue,
2136 struct msghdr *msg, size_t len)
c74e560c 2137{
c74e560c 2138 struct sk_buff *skb;
94122bbe
MM		 2139 u16 sdu_len;
2140 size_t pdu_len;
2141 int err = 0;
2142 u8 sar;
c74e560c 2143
94122bbe 2144 BT_DBG("chan %p, msg %p, len %d", chan, msg, (int)len);
c74e560c 2145
94122bbe
MM		 2146 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2147 * so fragmented skbs are not used. The HCI layer's handling
2148 * of fragmented skbs is not compatible with ERTM's queueing.
2149 */
c74e560c 2150
94122bbe
MM		 2151 /* PDU size is derived from the HCI MTU */
2152 pdu_len = chan->conn->mtu;
c74e560c 2153
94122bbe
MM		 2154 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2155
2156 /* Adjust for largest possible L2CAP overhead. */
2157 pdu_len -= L2CAP_EXT_HDR_SIZE + L2CAP_FCS_SIZE;
2158
2159 /* Remote device may have requested smaller PDUs */
2160 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2161
2162 if (len <= pdu_len) {
2163 sar = L2CAP_SAR_UNSEGMENTED;
2164 sdu_len = 0;
2165 pdu_len = len;
2166 } else {
2167 sar = L2CAP_SAR_START;
2168 sdu_len = len;
2169 pdu_len -= L2CAP_SDULEN_SIZE;
2170 }
2171
2172 while (len > 0) {
2173 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2174
c74e560c 2175 if (IS_ERR(skb)) {
94122bbe 2176 __skb_queue_purge(seg_queue);
c74e560c
GP		 2177 return PTR_ERR(skb);
2178 }
2179
94122bbe
MM		 2180 bt_cb(skb)->control.sar = sar;
2181 __skb_queue_tail(seg_queue, skb);
2182
2183 len -= pdu_len;
2184 if (sdu_len) {
2185 sdu_len = 0;
2186 pdu_len += L2CAP_SDULEN_SIZE;
2187 }
2188
2189 if (len <= pdu_len) {
2190 sar = L2CAP_SAR_END;
2191 pdu_len = len;
2192 } else {
2193 sar = L2CAP_SAR_CONTINUE;
2194 }
c74e560c 2195 }
c74e560c 2196
94122bbe 2197 return err;
c74e560c
GP		 2198}
2199
5e59b791
LAD		 2200int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2201 u32 priority)
9a91a04a 2202{
9a91a04a 2203 struct sk_buff *skb;
9a91a04a 2204 int err;
94122bbe 2205 struct sk_buff_head seg_queue;
9a91a04a
GP		 2206
2207 /* Connectionless channel */
715ec005 2208 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2209 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2210 if (IS_ERR(skb))
2211 return PTR_ERR(skb);
2212
2213 l2cap_do_send(chan, skb);
2214 return len;
2215 }
2216
2217 switch (chan->mode) {
2218 case L2CAP_MODE_BASIC:
2219 /* Check outgoing MTU */
2220 if (len > chan->omtu)
2221 return -EMSGSIZE;
2222
2223 /* Create a basic PDU */
5e59b791 2224 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2225 if (IS_ERR(skb))
2226 return PTR_ERR(skb);
2227
2228 l2cap_do_send(chan, skb);
2229 err = len;
2230 break;
2231
2232 case L2CAP_MODE_ERTM:
2233 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2234 /* Check outgoing MTU */
2235 if (len > chan->omtu) {
2236 err = -EMSGSIZE;
2237 break;
2238 }
9a91a04a 2239
94122bbe 2240 __skb_queue_head_init(&seg_queue);
9a91a04a 2241
94122bbe
MM		 2242 /* Do segmentation before calling in to the state machine,
2243 * since it's possible to block while waiting for memory
2244 * allocation.
2245 */
2246 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2247
94122bbe
MM		 2248 /* The channel could have been closed while segmenting,
2249 * check that it is still connected.
2250 */
2251 if (chan->state != BT_CONNECTED) {
2252 __skb_queue_purge(&seg_queue);
2253 err = -ENOTCONN;
9a91a04a
GP		 2254 }
2255
94122bbe 2256 if (err)
9a91a04a 2257 break;
9a91a04a 2258
3733937d 2259 if (chan->mode == L2CAP_MODE_ERTM)
608bcc6d
MM		 2260 err = l2cap_tx(chan, 0, &seg_queue,
2261 L2CAP_EV_DATA_REQUEST);
3733937d
MM		 2262 else
2263 err = l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2264
608bcc6d 2265 if (!err)
9a91a04a
GP		 2266 err = len;
2267
94122bbe
MM		 2268 /* If the skbs were not queued for sending, they'll still be in
2269 * seg_queue and need to be purged.
2270 */
2271 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2272 break;
2273
2274 default:
2275 BT_DBG("bad state %1.1x", chan->mode);
2276 err = -EBADFD;
2277 }
2278
2279 return err;
2280}
2281
d2a7ac5d
MM		 2282static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2283{
bed68bde
MM		 2284 struct l2cap_ctrl control;
2285 u16 seq;
2286
2287 BT_DBG("chan %p, txseq %d", chan, txseq);
2288
2289 memset(&control, 0, sizeof(control));
2290 control.sframe = 1;
2291 control.super = L2CAP_SUPER_SREJ;
2292
2293 for (seq = chan->expected_tx_seq; seq != txseq;
2294 seq = __next_seq(chan, seq)) {
2295 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2296 control.reqseq = seq;
2297 l2cap_send_sframe(chan, &control);
2298 l2cap_seq_list_append(&chan->srej_list, seq);
2299 }
2300 }
2301
2302 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2303}
2304
2305static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2306{
bed68bde
MM		 2307 struct l2cap_ctrl control;
2308
2309 BT_DBG("chan %p", chan);
2310
2311 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2312 return;
2313
2314 memset(&control, 0, sizeof(control));
2315 control.sframe = 1;
2316 control.super = L2CAP_SUPER_SREJ;
2317 control.reqseq = chan->srej_list.tail;
2318 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2319}
2320
2321static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2322{
bed68bde
MM		 2323 struct l2cap_ctrl control;
2324 u16 initial_head;
2325 u16 seq;
2326
2327 BT_DBG("chan %p, txseq %d", chan, txseq);
2328
2329 memset(&control, 0, sizeof(control));
2330 control.sframe = 1;
2331 control.super = L2CAP_SUPER_SREJ;
2332
2333 /* Capture initial list head to allow only one pass through the list. */
2334 initial_head = chan->srej_list.head;
2335
2336 do {
2337 seq = l2cap_seq_list_pop(&chan->srej_list);
2338 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2339 break;
2340
2341 control.reqseq = seq;
2342 l2cap_send_sframe(chan, &control);
2343 l2cap_seq_list_append(&chan->srej_list, seq);
2344 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2345}
2346
608bcc6d
MM		 2347static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2348{
2349 struct sk_buff *acked_skb;
2350 u16 ackseq;
2351
2352 BT_DBG("chan %p, reqseq %d", chan, reqseq);
2353
2354 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2355 return;
2356
2357 BT_DBG("expected_ack_seq %d, unacked_frames %d",
2358 chan->expected_ack_seq, chan->unacked_frames);
2359
2360 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2361 ackseq = __next_seq(chan, ackseq)) {
2362
2363 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2364 if (acked_skb) {
2365 skb_unlink(acked_skb, &chan->tx_q);
2366 kfree_skb(acked_skb);
2367 chan->unacked_frames--;
2368 }
2369 }
2370
2371 chan->expected_ack_seq = reqseq;
2372
2373 if (chan->unacked_frames == 0)
2374 __clear_retrans_timer(chan);
2375
2376 BT_DBG("unacked_frames %d", (int) chan->unacked_frames);
2377}
2378
2379static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2380{
2381 BT_DBG("chan %p", chan);
2382
2383 chan->expected_tx_seq = chan->buffer_seq;
2384 l2cap_seq_list_clear(&chan->srej_list);
2385 skb_queue_purge(&chan->srej_q);
2386 chan->rx_state = L2CAP_RX_STATE_RECV;
2387}
2388
2389static int l2cap_tx_state_xmit(struct l2cap_chan *chan,
2390 struct l2cap_ctrl *control,
2391 struct sk_buff_head *skbs, u8 event)
2392{
2393 int err = 0;
2394
2395 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2396 event);
2397
2398 switch (event) {
2399 case L2CAP_EV_DATA_REQUEST:
2400 if (chan->tx_send_head == NULL)
2401 chan->tx_send_head = skb_peek(skbs);
2402
2403 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2404 l2cap_ertm_send(chan);
2405 break;
2406 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2407 BT_DBG("Enter LOCAL_BUSY");
2408 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2409
2410 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2411 /* The SREJ_SENT state must be aborted if we are to
2412 * enter the LOCAL_BUSY state.
2413 */
2414 l2cap_abort_rx_srej_sent(chan);
2415 }
2416
2417 l2cap_send_ack(chan);
2418
2419 break;
2420 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2421 BT_DBG("Exit LOCAL_BUSY");
2422 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2423
2424 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2425 struct l2cap_ctrl local_control;
2426
2427 memset(&local_control, 0, sizeof(local_control));
2428 local_control.sframe = 1;
2429 local_control.super = L2CAP_SUPER_RR;
2430 local_control.poll = 1;
2431 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2432 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2433
2434 chan->retry_count = 1;
2435 __set_monitor_timer(chan);
2436 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2437 }
2438 break;
2439 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2440 l2cap_process_reqseq(chan, control->reqseq);
2441 break;
2442 case L2CAP_EV_EXPLICIT_POLL:
2443 l2cap_send_rr_or_rnr(chan, 1);
2444 chan->retry_count = 1;
2445 __set_monitor_timer(chan);
2446 __clear_ack_timer(chan);
2447 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2448 break;
2449 case L2CAP_EV_RETRANS_TO:
2450 l2cap_send_rr_or_rnr(chan, 1);
2451 chan->retry_count = 1;
2452 __set_monitor_timer(chan);
2453 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2454 break;
2455 case L2CAP_EV_RECV_FBIT:
2456 /* Nothing to process */
2457 break;
2458 default:
2459 break;
2460 }
2461
2462 return err;
2463}
2464
2465static int l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2466 struct l2cap_ctrl *control,
2467 struct sk_buff_head *skbs, u8 event)
2468{
2469 int err = 0;
2470
2471 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2472 event);
2473
2474 switch (event) {
2475 case L2CAP_EV_DATA_REQUEST:
2476 if (chan->tx_send_head == NULL)
2477 chan->tx_send_head = skb_peek(skbs);
2478 /* Queue data, but don't send. */
2479 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2480 break;
2481 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2482 BT_DBG("Enter LOCAL_BUSY");
2483 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2484
2485 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2486 /* The SREJ_SENT state must be aborted if we are to
2487 * enter the LOCAL_BUSY state.
2488 */
2489 l2cap_abort_rx_srej_sent(chan);
2490 }
2491
2492 l2cap_send_ack(chan);
2493
2494 break;
2495 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2496 BT_DBG("Exit LOCAL_BUSY");
2497 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2498
2499 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2500 struct l2cap_ctrl local_control;
2501 memset(&local_control, 0, sizeof(local_control));
2502 local_control.sframe = 1;
2503 local_control.super = L2CAP_SUPER_RR;
2504 local_control.poll = 1;
2505 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2506 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2507
2508 chan->retry_count = 1;
2509 __set_monitor_timer(chan);
2510 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2511 }
2512 break;
2513 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2514 l2cap_process_reqseq(chan, control->reqseq);
2515
2516 /* Fall through */
2517
2518 case L2CAP_EV_RECV_FBIT:
2519 if (control && control->final) {
2520 __clear_monitor_timer(chan);
2521 if (chan->unacked_frames > 0)
2522 __set_retrans_timer(chan);
2523 chan->retry_count = 0;
2524 chan->tx_state = L2CAP_TX_STATE_XMIT;
2525 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2526 }
2527 break;
2528 case L2CAP_EV_EXPLICIT_POLL:
2529 /* Ignore */
2530 break;
2531 case L2CAP_EV_MONITOR_TO:
2532 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2533 l2cap_send_rr_or_rnr(chan, 1);
2534 __set_monitor_timer(chan);
2535 chan->retry_count++;
2536 } else {
2537 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
2538 }
2539 break;
2540 default:
2541 break;
2542 }
2543
2544 return err;
2545}
2546
2547static int l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2548 struct sk_buff_head *skbs, u8 event)
2549{
2550 int err = 0;
2551
2552 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2553 chan, control, skbs, event, chan->tx_state);
2554
2555 switch (chan->tx_state) {
2556 case L2CAP_TX_STATE_XMIT:
2557 err = l2cap_tx_state_xmit(chan, control, skbs, event);
2558 break;
2559 case L2CAP_TX_STATE_WAIT_F:
2560 err = l2cap_tx_state_wait_f(chan, control, skbs, event);
2561 break;
2562 default:
2563 /* Ignore event */
2564 break;
2565 }
2566
2567 return err;
2568}
2569
4b51dae9
MM		 2570static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2571 struct l2cap_ctrl *control)
2572{
2573 BT_DBG("chan %p, control %p", chan, control);
2574 l2cap_tx(chan, control, 0, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
2575}
2576
f80842a8
MM		 2577static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2578 struct l2cap_ctrl *control)
2579{
2580 BT_DBG("chan %p, control %p", chan, control);
2581 l2cap_tx(chan, control, 0, L2CAP_EV_RECV_FBIT);
2582}
2583
1da177e4
LT		 2584/* Copy frame to all raw sockets on that connection */
2585static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2586{
1da177e4 2587 struct sk_buff *nskb;
48454079 2588 struct l2cap_chan *chan;
1da177e4
LT		 2589
2590 BT_DBG("conn %p", conn);
2591
3df91ea2 2592 mutex_lock(&conn->chan_lock);
3d57dc68 2593
3df91ea2 2594 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2595 struct sock *sk = chan->sk;
715ec005 2596 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2597 continue;
2598
2599 /* Don't send frame to the socket it came from */
2600 if (skb->sk == sk)
2601 continue;
af05b30b
GP		 2602 nskb = skb_clone(skb, GFP_ATOMIC);
2603 if (!nskb)
1da177e4
LT		 2604 continue;
2605
23070494 2606 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT		 2607 kfree_skb(nskb);
2608 }
3d57dc68 2609
3df91ea2 2610 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2611}
2612
2613/* ---- L2CAP signalling commands ---- */
2614static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2615 u8 code, u8 ident, u16 dlen, void *data)
2616{
2617 struct sk_buff *skb, **frag;
2618 struct l2cap_cmd_hdr *cmd;
2619 struct l2cap_hdr *lh;
2620 int len, count;
2621
af05b30b
GP		 2622 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2623 conn, code, ident, dlen);
1da177e4
LT		 2624
2625 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2626 count = min_t(unsigned int, conn->mtu, len);
2627
2628 skb = bt_skb_alloc(count, GFP_ATOMIC);
2629 if (!skb)
2630 return NULL;
2631
2632 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2633 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2634
2635 if (conn->hcon->type == LE_LINK)
2636 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2637 else
2638 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2639
2640 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2641 cmd->code = code;
2642 cmd->ident = ident;
aca3192c 2643 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2644
2645 if (dlen) {
2646 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2647 memcpy(skb_put(skb, count), data, count);
2648 data += count;
2649 }
2650
2651 len -= skb->len;
2652
2653 /* Continuation fragments (no L2CAP header) */
2654 frag = &skb_shinfo(skb)->frag_list;
2655 while (len) {
2656 count = min_t(unsigned int, conn->mtu, len);
2657
2658 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2659 if (!*frag)
2660 goto fail;
2661
2662 memcpy(skb_put(*frag, count), data, count);
2663
2664 len -= count;
2665 data += count;
2666
2667 frag = &(*frag)->next;
2668 }
2669
2670 return skb;
2671
2672fail:
2673 kfree_skb(skb);
2674 return NULL;
2675}
2676
2677static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2678{
2679 struct l2cap_conf_opt *opt = *ptr;
2680 int len;
2681
2682 len = L2CAP_CONF_OPT_SIZE + opt->len;
2683 *ptr += len;
2684
2685 *type = opt->type;
2686 *olen = opt->len;
2687
2688 switch (opt->len) {
2689 case 1:
2690 *val = *((u8 *) opt->val);
2691 break;
2692
2693 case 2:
bfaaeb3e 2694 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2695 break;
2696
2697 case 4:
bfaaeb3e 2698 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2699 break;
2700
2701 default:
2702 *val = (unsigned long) opt->val;
2703 break;
2704 }
2705
2706 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2707 return len;
2708}
2709
1da177e4
LT		 2710static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2711{
2712 struct l2cap_conf_opt *opt = *ptr;
2713
2714 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2715
2716 opt->type = type;
2717 opt->len = len;
2718
2719 switch (len) {
2720 case 1:
2721 *((u8 *) opt->val) = val;
2722 break;
2723
2724 case 2:
4f8b691c 2725 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2726 break;
2727
2728 case 4:
4f8b691c 2729 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2730 break;
2731
2732 default:
2733 memcpy(opt->val, (void *) val, len);
2734 break;
2735 }
2736
2737 *ptr += L2CAP_CONF_OPT_SIZE + len;
2738}
2739
f89cef09
AE		 2740static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2741{
2742 struct l2cap_conf_efs efs;
2743
1ec918ce 2744 switch (chan->mode) {
f89cef09
AE		 2745 case L2CAP_MODE_ERTM:
2746 efs.id = chan->local_id;
2747 efs.stype = chan->local_stype;
2748 efs.msdu = cpu_to_le16(chan->local_msdu);
2749 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2750 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2751 efs.flush_to = cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
2752 break;
2753
2754 case L2CAP_MODE_STREAMING:
2755 efs.id = 1;
2756 efs.stype = L2CAP_SERV_BESTEFFORT;
2757 efs.msdu = cpu_to_le16(chan->local_msdu);
2758 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2759 efs.acc_lat = 0;
2760 efs.flush_to = 0;
2761 break;
2762
2763 default:
2764 return;
2765 }
2766
2767 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
2768 (unsigned long) &efs);
2769}
2770
721c4181 2771static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2772{
721c4181 2773 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 2774 ack_timer.work);
2775 u16 frames_to_ack;
c1b4f43b 2776
2fb9b3d4
GP		 2777 BT_DBG("chan %p", chan);
2778
6be36555
AE		 2779 l2cap_chan_lock(chan);
2780
0362520b
MM		 2781 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2782 chan->last_acked_seq);
6be36555 2783
0362520b
MM		 2784 if (frames_to_ack)
2785 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 2786
0362520b 2787 l2cap_chan_unlock(chan);
09bfb2ee 2788 l2cap_chan_put(chan);
c1b4f43b
GP		 2789}
2790
3c588192 2791static inline int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2792{
3c588192
MM		 2793 int err;
2794
105bdf9e
MM		 2795 chan->next_tx_seq = 0;
2796 chan->expected_tx_seq = 0;
42e5c802 2797 chan->expected_ack_seq = 0;
6a026610 2798 chan->unacked_frames = 0;
42e5c802 2799 chan->buffer_seq = 0;
6a026610 2800 chan->frames_sent = 0;
105bdf9e
MM		 2801 chan->last_acked_seq = 0;
2802 chan->sdu = NULL;
2803 chan->sdu_last_frag = NULL;
2804 chan->sdu_len = 0;
2805
d34c34fb
MM		 2806 skb_queue_head_init(&chan->tx_q);
2807
105bdf9e
MM		 2808 if (chan->mode != L2CAP_MODE_ERTM)
2809 return 0;
2810
2811 chan->rx_state = L2CAP_RX_STATE_RECV;
2812 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2813
721c4181
GP		 2814 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2815 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2816 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2817
f1c6775b 2818 skb_queue_head_init(&chan->srej_q);
1890d36b 2819
3c588192
MM		 2820 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2821 if (err < 0)
2822 return err;
2823
9dc9affc
MM		 2824 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
2825 if (err < 0)
2826 l2cap_seq_list_free(&chan->srej_list);
2827
2828 return err;
0565c1c2
GP		 2829}
2830
f2fcfcd6
GP		 2831static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2832{
2833 switch (mode) {
2834 case L2CAP_MODE_STREAMING:
2835 case L2CAP_MODE_ERTM:
2836 if (l2cap_mode_supported(mode, remote_feat_mask))
2837 return mode;
2838 /* fall through */
2839 default:
2840 return L2CAP_MODE_BASIC;
2841 }
2842}
2843
6327eb98
AE		 2844static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2845{
2846 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2847}
2848
f89cef09
AE		 2849static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2850{
2851 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2852}
2853
6327eb98
AE		 2854static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2855{
2856 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 2857 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2858 /* use extended control field */
2859 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2860 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2861 } else {
6327eb98
AE		 2862 chan->tx_win = min_t(u16, chan->tx_win,
2863 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2864 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2865 }
6327eb98
AE		 2866}
2867
710f9b0a 2868static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2869{
1da177e4 2870 struct l2cap_conf_req *req = data;
0c1bc5c6 2871 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2872 void *ptr = req->data;
c8f79162 2873 u16 size;
1da177e4 2874
49208c9c 2875 BT_DBG("chan %p", chan);
1da177e4 2876
73ffa904 2877 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2878 goto done;
2879
0c1bc5c6 2880 switch (chan->mode) {
f2fcfcd6
GP		 2881 case L2CAP_MODE_STREAMING:
2882 case L2CAP_MODE_ERTM:
c1360a1c 2883 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2884 break;
85eb53c6 2885
f89cef09
AE		 2886 if (__l2cap_efs_supported(chan))
2887 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2888
2ba13ed6 2889 /* fall through */
f2fcfcd6 2890 default:
8c1d787b 2891 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2892 break;
2893 }
2894
2895done:
0c1bc5c6
GP		 2896 if (chan->imtu != L2CAP_DEFAULT_MTU)
2897 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2898
0c1bc5c6 2899 switch (chan->mode) {
65c7c491 2900 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2901 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2902 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2903 break;
2904
62547752
GP		 2905 rfc.mode = L2CAP_MODE_BASIC;
2906 rfc.txwin_size = 0;
2907 rfc.max_transmit = 0;
2908 rfc.retrans_timeout = 0;
2909 rfc.monitor_timeout = 0;
2910 rfc.max_pdu_size = 0;
2911
63406504
GP		 2912 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2913 (unsigned long) &rfc);
65c7c491
MH		 2914 break;
2915
2916 case L2CAP_MODE_ERTM:
2917 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2918 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2919 rfc.retrans_timeout = 0;
2920 rfc.monitor_timeout = 0;
c8f79162
AE		 2921
2922 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2923 L2CAP_EXT_HDR_SIZE -
2924 L2CAP_SDULEN_SIZE -
2925 L2CAP_FCS_SIZE);
2926 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2927
6327eb98
AE		 2928 l2cap_txwin_setup(chan);
2929
2930 rfc.txwin_size = min_t(u16, chan->tx_win,
2931 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2932
63406504
GP		 2933 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2934 (unsigned long) &rfc);
2935
f89cef09
AE		 2936 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2937 l2cap_add_opt_efs(&ptr, chan);
2938
8c1d787b 2939 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2940 break;
2941
47d1ec61 2942 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2943 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2944 chan->fcs = L2CAP_FCS_NONE;
2945 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2946 }
6327eb98
AE		 2947
2948 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2949 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2950 chan->tx_win);
f2fcfcd6
GP		 2951 break;
2952
2953 case L2CAP_MODE_STREAMING:
273759e2 2954 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 2955 rfc.mode = L2CAP_MODE_STREAMING;
2956 rfc.txwin_size = 0;
2957 rfc.max_transmit = 0;
2958 rfc.retrans_timeout = 0;
2959 rfc.monitor_timeout = 0;
c8f79162
AE		 2960
2961 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2962 L2CAP_EXT_HDR_SIZE -
2963 L2CAP_SDULEN_SIZE -
2964 L2CAP_FCS_SIZE);
2965 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2966
63406504
GP		 2967 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2968 (unsigned long) &rfc);
2969
f89cef09
AE		 2970 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2971 l2cap_add_opt_efs(&ptr, chan);
2972
8c1d787b 2973 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2974 break;
2975
47d1ec61 2976 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2977 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2978 chan->fcs = L2CAP_FCS_NONE;
2979 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2980 }
65c7c491
MH		 2981 break;
2982 }
1da177e4 2983
fe4128e0 2984 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 2985 req->flags = cpu_to_le16(0);
1da177e4
LT		 2986
2987 return ptr - data;
2988}
2989
73ffa904 2990static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2991{
5dee9e7c
MH		 2992 struct l2cap_conf_rsp *rsp = data;
2993 void *ptr = rsp->data;
73ffa904
GP		 2994 void *req = chan->conf_req;
2995 int len = chan->conf_len;
5dee9e7c
MH		 2996 int type, hint, olen;
2997 unsigned long val;
6464f35f 2998 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2999 struct l2cap_conf_efs efs;
3000 u8 remote_efs = 0;
861d6882 3001 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3002 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3003 u16 size;
1da177e4 3004
73ffa904 3005 BT_DBG("chan %p", chan);
820ae1b8 3006
5dee9e7c
MH		 3007 while (len >= L2CAP_CONF_OPT_SIZE) {
3008 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3009
589d2746 3010 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3011 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3012
3013 switch (type) {
3014 case L2CAP_CONF_MTU:
861d6882 3015 mtu = val;
5dee9e7c
MH		 3016 break;
3017
3018 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3019 chan->flush_to = val;
5dee9e7c
MH		 3020 break;
3021
3022 case L2CAP_CONF_QOS:
3023 break;
3024
6464f35f
MH		 3025 case L2CAP_CONF_RFC:
3026 if (olen == sizeof(rfc))
3027 memcpy(&rfc, (void *) val, olen);
3028 break;
3029
fcc203c3
GP		 3030 case L2CAP_CONF_FCS:
3031 if (val == L2CAP_FCS_NONE)
c1360a1c 3032 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 3033 break;
fcc203c3 3034
42dceae2
AE		 3035 case L2CAP_CONF_EFS:
3036 remote_efs = 1;
3037 if (olen == sizeof(efs))
3038 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3039 break;
3040
6327eb98
AE		 3041 case L2CAP_CONF_EWS:
3042 if (!enable_hs)
3043 return -ECONNREFUSED;
fcc203c3 3044
6327eb98
AE		 3045 set_bit(FLAG_EXT_CTRL, &chan->flags);
3046 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3047 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3048 chan->remote_tx_win = val;
fcc203c3
GP		 3049 break;
3050
5dee9e7c
MH		 3051 default:
3052 if (hint)
3053 break;
3054
3055 result = L2CAP_CONF_UNKNOWN;
3056 *((u8 *) ptr++) = type;
3057 break;
3058 }
3059 }
3060
73ffa904 3061 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3062 goto done;
3063
0c1bc5c6 3064 switch (chan->mode) {
f2fcfcd6
GP		 3065 case L2CAP_MODE_STREAMING:
3066 case L2CAP_MODE_ERTM:
c1360a1c 3067 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3068 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 3069 chan->conn->feat_mask);
85eb53c6
GP		 3070 break;
3071 }
3072
42dceae2
AE		 3073 if (remote_efs) {
3074 if (__l2cap_efs_supported(chan))
3075 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3076 else
3077 return -ECONNREFUSED;
3078 }
3079
0c1bc5c6 3080 if (chan->mode != rfc.mode)
f2fcfcd6 3081 return -ECONNREFUSED;
742e519b 3082
f2fcfcd6 3083 break;
f2fcfcd6
GP		 3084 }
3085
3086done:
0c1bc5c6 3087 if (chan->mode != rfc.mode) {
f2fcfcd6 3088 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3089 rfc.mode = chan->mode;
f2fcfcd6 3090
73ffa904 3091 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3092 return -ECONNREFUSED;
3093
3094 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3095 sizeof(rfc), (unsigned long) &rfc);
3096 }
3097
5dee9e7c
MH		 3098 if (result == L2CAP_CONF_SUCCESS) {
3099 /* Configure output options and let the other side know
3100 * which ones we don't like. */
3101
f2fcfcd6
GP		 3102 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3103 result = L2CAP_CONF_UNACCEPT;
3104 else {
0c1bc5c6 3105 chan->omtu = mtu;
c1360a1c 3106 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3107 }
0c1bc5c6 3108 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3109
42dceae2
AE		 3110 if (remote_efs) {
3111 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3112 efs.stype != L2CAP_SERV_NOTRAFIC &&
3113 efs.stype != chan->local_stype) {
3114
3115 result = L2CAP_CONF_UNACCEPT;
3116
3117 if (chan->num_conf_req >= 1)
3118 return -ECONNREFUSED;
3119
3120 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 3121 sizeof(efs),
42dceae2 3122 (unsigned long) &efs);
0e8b207e 3123 } else {
3e6b3b95 3124 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3125 result = L2CAP_CONF_PENDING;
3126 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3127 }
3128 }
3129
f2fcfcd6
GP		 3130 switch (rfc.mode) {
3131 case L2CAP_MODE_BASIC:
47d1ec61 3132 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3133 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3134 break;
3135
3136 case L2CAP_MODE_ERTM:
6327eb98
AE		 3137 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3138 chan->remote_tx_win = rfc.txwin_size;
3139 else
3140 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3141
2c03a7a4 3142 chan->remote_max_tx = rfc.max_transmit;
1c762159 3143
c8f79162
AE		 3144 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3145 chan->conn->mtu -
3146 L2CAP_EXT_HDR_SIZE -
3147 L2CAP_SDULEN_SIZE -
3148 L2CAP_FCS_SIZE);
3149 rfc.max_pdu_size = cpu_to_le16(size);
3150 chan->remote_mps = size;
f2fcfcd6 3151
10467e9e 3152 rfc.retrans_timeout =
4fd21a88 3153 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
10467e9e 3154 rfc.monitor_timeout =
4fd21a88 3155 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 3156
c1360a1c 3157 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3158
3159 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3160 sizeof(rfc), (unsigned long) &rfc);
3161
42dceae2
AE		 3162 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3163 chan->remote_id = efs.id;
3164 chan->remote_stype = efs.stype;
3165 chan->remote_msdu = le16_to_cpu(efs.msdu);
3166 chan->remote_flush_to =
3167 le32_to_cpu(efs.flush_to);
3168 chan->remote_acc_lat =
3169 le32_to_cpu(efs.acc_lat);
3170 chan->remote_sdu_itime =
3171 le32_to_cpu(efs.sdu_itime);
3172 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3173 sizeof(efs), (unsigned long) &efs);
3174 }
f2fcfcd6
GP		 3175 break;
3176
3177 case L2CAP_MODE_STREAMING:
c8f79162
AE		 3178 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3179 chan->conn->mtu -
3180 L2CAP_EXT_HDR_SIZE -
3181 L2CAP_SDULEN_SIZE -
3182 L2CAP_FCS_SIZE);
3183 rfc.max_pdu_size = cpu_to_le16(size);
3184 chan->remote_mps = size;
f2fcfcd6 3185
c1360a1c 3186 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3187
3188 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3189 sizeof(rfc), (unsigned long) &rfc);
3190
f2fcfcd6
GP		 3191 break;
3192
3193 default:
5dee9e7c 3194 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3195
6464f35f 3196 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3197 rfc.mode = chan->mode;
f2fcfcd6 3198 }
6464f35f 3199
f2fcfcd6 3200 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3201 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3202 }
fe4128e0 3203 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 3204 rsp->result = cpu_to_le16(result);
3205 rsp->flags = cpu_to_le16(0x0000);
3206
3207 return ptr - data;
1da177e4
LT		 3208}
3209
b4450035 3210static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 3211{
f2fcfcd6
GP		 3212 struct l2cap_conf_req *req = data;
3213 void *ptr = req->data;
3214 int type, olen;
3215 unsigned long val;
36e999a8 3216 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3217 struct l2cap_conf_efs efs;
f2fcfcd6 3218
fe4128e0 3219 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3220
3221 while (len >= L2CAP_CONF_OPT_SIZE) {
3222 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3223
3224 switch (type) {
3225 case L2CAP_CONF_MTU:
3226 if (val < L2CAP_DEFAULT_MIN_MTU) {
3227 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3228 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3229 } else
0c1bc5c6
GP		 3230 chan->imtu = val;
3231 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3232 break;
3233
3234 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3235 chan->flush_to = val;
f2fcfcd6 3236 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 3237 2, chan->flush_to);
f2fcfcd6
GP		 3238 break;
3239
3240 case L2CAP_CONF_RFC:
3241 if (olen == sizeof(rfc))
3242 memcpy(&rfc, (void *)val, olen);
3243
c1360a1c 3244 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 3245 rfc.mode != chan->mode)
f2fcfcd6
GP		 3246 return -ECONNREFUSED;
3247
47d1ec61 3248 chan->fcs = 0;
f2fcfcd6
GP		 3249
3250 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3251 sizeof(rfc), (unsigned long) &rfc);
3252 break;
6327eb98
AE		 3253
3254 case L2CAP_CONF_EWS:
3255 chan->tx_win = min_t(u16, val,
3256 L2CAP_DEFAULT_EXT_WINDOW);
3e6b3b95
GP		 3257 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3258 chan->tx_win);
6327eb98 3259 break;
66af7aaf
AE		 3260
3261 case L2CAP_CONF_EFS:
3262 if (olen == sizeof(efs))
3263 memcpy(&efs, (void *)val, olen);
3264
3265 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3266 efs.stype != L2CAP_SERV_NOTRAFIC &&
3267 efs.stype != chan->local_stype)
3268 return -ECONNREFUSED;
3269
3270 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3271 sizeof(efs), (unsigned long) &efs);
3272 break;
f2fcfcd6
GP		 3273 }
3274 }
3275
0c1bc5c6 3276 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3277 return -ECONNREFUSED;
3278
0c1bc5c6 3279 chan->mode = rfc.mode;
6c2ea7a8 3280
0e8b207e 3281 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3282 switch (rfc.mode) {
3283 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3284 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3285 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3286 chan->mps = le16_to_cpu(rfc.max_pdu_size);
66af7aaf
AE		 3287
3288 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3289 chan->local_msdu = le16_to_cpu(efs.msdu);
3290 chan->local_sdu_itime =
3291 le32_to_cpu(efs.sdu_itime);
3292 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3293 chan->local_flush_to =
3294 le32_to_cpu(efs.flush_to);
3295 }
f2fcfcd6 3296 break;
66af7aaf 3297
f2fcfcd6 3298 case L2CAP_MODE_STREAMING:
47d1ec61 3299 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3300 }
3301 }
3302
fe4128e0 3303 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 3304 req->flags = cpu_to_le16(0x0000);
3305
3306 return ptr - data;
3307}
3308
fe4128e0 3309static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 3310{
3311 struct l2cap_conf_rsp *rsp = data;
3312 void *ptr = rsp->data;
1da177e4 3313
fe4128e0 3314 BT_DBG("chan %p", chan);
1da177e4 3315
fe4128e0 3316 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3317 rsp->result = cpu_to_le16(result);
aca3192c 3318 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3319
3320 return ptr - data;
3321}
3322
8c1d787b 3323void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3324{
3325 struct l2cap_conn_rsp rsp;
8c1d787b 3326 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 3327 u8 buf[128];
3328
fe4128e0
GP		 3329 rsp.scid = cpu_to_le16(chan->dcid);
3330 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 3331 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3332 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3333 l2cap_send_cmd(conn, chan->ident,
3334 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
3335
c1360a1c 3336 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3337 return;
3338
710f9b0a
GP		 3339 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3340 l2cap_build_conf_req(chan, buf), buf);
3341 chan->num_conf_req++;
3342}
3343
47d1ec61 3344static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3345{
7b1c0049
GP		 3346 int type, olen;
3347 unsigned long val;
3348 struct l2cap_conf_rfc rfc;
3349
47d1ec61 3350 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3351
0c1bc5c6 3352 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3353 return;
3354
3355 while (len >= L2CAP_CONF_OPT_SIZE) {
3356 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3357
3358 switch (type) {
3359 case L2CAP_CONF_RFC:
3360 if (olen == sizeof(rfc))
3361 memcpy(&rfc, (void *)val, olen);
3362 goto done;
3363 }
3364 }
3365
36e999a8
MM		 3366 /* Use sane default values in case a misbehaving remote device
3367 * did not send an RFC option.
3368 */
3369 rfc.mode = chan->mode;
3370 rfc.retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3371 rfc.monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3372 rfc.max_pdu_size = cpu_to_le16(chan->imtu);
3373
3374 BT_ERR("Expected RFC option was not found, using defaults");
3375
7b1c0049
GP		 3376done:
3377 switch (rfc.mode) {
3378 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3379 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3380 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3381 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3382 break;
3383 case L2CAP_MODE_STREAMING:
47d1ec61 3384 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3385 }
3386}
3387
4e8402a3
MH		 3388static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3389{
e2fd318e 3390 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3391
e2fd318e 3392 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3393 return 0;
3394
3395 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3396 cmd->ident == conn->info_ident) {
17cd3f37 3397 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3398
3399 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3400 conn->info_ident = 0;
984947dc 3401
4e8402a3
MH		 3402 l2cap_conn_start(conn);
3403 }
3404
3405 return 0;
3406}
3407
1da177e4
LT		 3408static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3409{
1da177e4
LT		 3410 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3411 struct l2cap_conn_rsp rsp;
23691d75 3412 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3413 struct sock *parent, *sk = NULL;
e7c29cb1 3414 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3415
3416 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3417 __le16 psm = req->psm;
1da177e4 3418
097db76c 3419 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3420
3421 /* Check if we have socket listening on psm */
c2287681 3422 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3423 if (!pchan) {
1da177e4
LT		 3424 result = L2CAP_CR_BAD_PSM;
3425 goto sendresp;
3426 }
3427
23691d75
GP		 3428 parent = pchan->sk;
3429
3df91ea2 3430 mutex_lock(&conn->chan_lock);
aa2ac881 3431 lock_sock(parent);
e0f0cb56 3432
e7c29cb1
MH		 3433 /* Check if the ACL is secure enough (if not SDP) */
3434 if (psm != cpu_to_le16(0x0001) &&
3435 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3436 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3437 result = L2CAP_CR_SEC_BLOCK;
3438 goto response;
3439 }
3440
1da177e4
LT		 3441 result = L2CAP_CR_NO_MEM;
3442
3443 /* Check for backlog size */
3444 if (sk_acceptq_is_full(parent)) {
8e87d142 3445 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 3446 goto response;
3447 }
3448
80808e43
GP		 3449 chan = pchan->ops->new_connection(pchan->data);
3450 if (!chan)
1da177e4
LT		 3451 goto response;
3452
80808e43
GP		 3453 sk = chan->sk;
3454
1da177e4 3455 /* Check if we already have channel with that dcid */
baa7e1fa 3456 if (__l2cap_get_chan_by_dcid(conn, scid)) {
1da177e4 3457 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 3458 chan->ops->close(chan->data);
1da177e4
LT		 3459 goto response;
3460 }
3461
3462 hci_conn_hold(conn->hcon);
3463
1da177e4
LT		 3464 bacpy(&bt_sk(sk)->src, conn->src);
3465 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3466 chan->psm = psm;
3467 chan->dcid = scid;
1da177e4 3468
d1010240
GP		 3469 bt_accept_enqueue(parent, sk);
3470
6be36555 3471 __l2cap_chan_add(conn, chan);
48454079 3472
fe4128e0 3473 dcid = chan->scid;
1da177e4 3474
c9b66675 3475 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3476
fc7f8a7e 3477 chan->ident = cmd->ident;
1da177e4 3478
984947dc 3479 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3480 if (l2cap_chan_check_security(chan)) {
c5daa683 3481 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3482 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3483 result = L2CAP_CR_PEND;
3484 status = L2CAP_CS_AUTHOR_PEND;
3485 parent->sk_data_ready(parent, 0);
3486 } else {
0e587be7 3487 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 3488 result = L2CAP_CR_SUCCESS;
3489 status = L2CAP_CS_NO_INFO;
3490 }
79d554a6 3491 } else {
0e587be7 3492 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3493 result = L2CAP_CR_PEND;
3494 status = L2CAP_CS_AUTHEN_PEND;
3495 }
3496 } else {
0e587be7 3497 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3498 result = L2CAP_CR_PEND;
3499 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3500 }
3501
1da177e4 3502response:
aa2ac881 3503 release_sock(parent);
3df91ea2 3504 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3505
3506sendresp:
aca3192c
YH		 3507 rsp.scid = cpu_to_le16(scid);
3508 rsp.dcid = cpu_to_le16(dcid);
3509 rsp.result = cpu_to_le16(result);
3510 rsp.status = cpu_to_le16(status);
1da177e4 3511 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 3512
3513 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3514 struct l2cap_info_req info;
3515 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3516
3517 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3518 conn->info_ident = l2cap_get_ident(conn);
3519
ba13ccd9 3520 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 3521
3522 l2cap_send_cmd(conn, conn->info_ident,
3523 L2CAP_INFO_REQ, sizeof(info), &info);
3524 }
3525
c1360a1c 3526 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 3527 result == L2CAP_CR_SUCCESS) {
3528 u8 buf[128];
c1360a1c 3529 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3530 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3531 l2cap_build_conf_req(chan, buf), buf);
3532 chan->num_conf_req++;
e9aeb2dd
GP		 3533 }
3534
1da177e4
LT		 3535 return 0;
3536}
3537
3538static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3539{
3540 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3541 u16 scid, dcid, result, status;
48454079 3542 struct l2cap_chan *chan;
1da177e4 3543 u8 req[128];
3df91ea2 3544 int err;
1da177e4
LT		 3545
3546 scid = __le16_to_cpu(rsp->scid);
3547 dcid = __le16_to_cpu(rsp->dcid);
3548 result = __le16_to_cpu(rsp->result);
3549 status = __le16_to_cpu(rsp->status);
3550
1b009c98
AE		 3551 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3552 dcid, scid, result, status);
1da177e4 3553
3df91ea2
AE		 3554 mutex_lock(&conn->chan_lock);
3555
1da177e4 3556 if (scid) {
3df91ea2
AE		 3557 chan = __l2cap_get_chan_by_scid(conn, scid);
3558 if (!chan) {
3559 err = -EFAULT;
3560 goto unlock;
3561 }
1da177e4 3562 } else {
3df91ea2
AE		 3563 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3564 if (!chan) {
3565 err = -EFAULT;
3566 goto unlock;
3567 }
1da177e4
LT		 3568 }
3569
3df91ea2
AE		 3570 err = 0;
3571
6be36555 3572 l2cap_chan_lock(chan);
48454079 3573
1da177e4
LT		 3574 switch (result) {
3575 case L2CAP_CR_SUCCESS:
89bc500e 3576 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3577 chan->ident = 0;
fe4128e0 3578 chan->dcid = dcid;
c1360a1c 3579 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3580
c1360a1c 3581 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3582 break;
3583
1da177e4 3584 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3585 l2cap_build_conf_req(chan, req), req);
3586 chan->num_conf_req++;
1da177e4
LT		 3587 break;
3588
3589 case L2CAP_CR_PEND:
c1360a1c 3590 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3591 break;
3592
3593 default:
48454079 3594 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3595 break;
3596 }
3597
6be36555 3598 l2cap_chan_unlock(chan);
3df91ea2
AE		 3599
3600unlock:
3601 mutex_unlock(&conn->chan_lock);
3602
3603 return err;
1da177e4
LT		 3604}
3605
47d1ec61 3606static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3607{
3608 /* FCS is enabled only in ERTM or streaming mode, if one or both
3609 * sides request it.
3610 */
0c1bc5c6 3611 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3612 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3613 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3614 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3615}
3616
88219a0f 3617static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 3618{
3619 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3620 u16 dcid, flags;
3621 u8 rsp[64];
48454079 3622 struct l2cap_chan *chan;
3c588192 3623 int len, err = 0;
1da177e4
LT		 3624
3625 dcid = __le16_to_cpu(req->dcid);
3626 flags = __le16_to_cpu(req->flags);
3627
3628 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3629
baa7e1fa 3630 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3631 if (!chan)
1da177e4
LT		 3632 return -ENOENT;
3633
033b1142 3634 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3635 struct l2cap_cmd_rej_cid rej;
3636
3637 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
3638 rej.scid = cpu_to_le16(chan->scid);
3639 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3640
df6bd743
GP		 3641 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
3642 sizeof(rej), &rej);
354f60a9 3643 goto unlock;
df6bd743 3644 }
354f60a9 3645
5dee9e7c 3646 /* Reject if config buffer is too small. */
88219a0f 3647 len = cmd_len - sizeof(*req);
7ac28817 3648 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3649 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3650 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 3651 L2CAP_CONF_REJECT, flags), rsp);
3652 goto unlock;
3653 }
3654
3655 /* Store config. */
73ffa904
GP		 3656 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3657 chan->conf_len += len;
1da177e4
LT		 3658
3659 if (flags & 0x0001) {
3660 /* Incomplete config. Send empty response. */
3661 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3662 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 3663 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 3664 goto unlock;
3665 }
3666
3667 /* Complete config. */
73ffa904 3668 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3669 if (len < 0) {
e92c8e70 3670 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 3671 goto unlock;
f2fcfcd6 3672 }
1da177e4 3673
5dee9e7c 3674 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3675 chan->num_conf_rsp++;
5dee9e7c 3676
5dee9e7c 3677 /* Reset config buffer. */
73ffa904 3678 chan->conf_len = 0;
5dee9e7c 3679
c1360a1c 3680 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3681 goto unlock;
3682
c1360a1c 3683 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3684 set_default_fcs(chan);
fcc203c3 3685
89bc500e 3686 l2cap_state_change(chan, BT_CONNECTED);
e90bac06 3687
105bdf9e
MM		 3688 if (chan->mode == L2CAP_MODE_ERTM ||
3689 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3690 err = l2cap_ertm_init(chan);
3691
3692 if (err < 0)
3693 l2cap_send_disconn_req(chan->conn, chan, -err);
3694 else
3695 l2cap_chan_ready(chan);
0565c1c2 3696
876d9484
MH		 3697 goto unlock;
3698 }
3699
c1360a1c 3700 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3701 u8 buf[64];
1da177e4 3702 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3703 l2cap_build_conf_req(chan, buf), buf);
3704 chan->num_conf_req++;
1da177e4
LT		 3705 }
3706
0e8b207e
AE		 3707 /* Got Conf Rsp PENDING from remote side and asume we sent
3708 Conf Rsp PENDING in the code above */
3709 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
3710 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3711
3712 /* check compatibility */
3713
3714 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3715 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3716
3717 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3718 l2cap_build_conf_rsp(chan, rsp,
0e8b207e
AE		 3719 L2CAP_CONF_SUCCESS, 0x0000), rsp);
3720 }
3721
1da177e4 3722unlock:
6be36555 3723 l2cap_chan_unlock(chan);
3c588192 3724 return err;
1da177e4
LT		 3725}
3726
3727static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3728{
3729 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3730 u16 scid, flags, result;
48454079 3731 struct l2cap_chan *chan;
61386cba 3732 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3733 int err = 0;
1da177e4
LT		 3734
3735 scid = __le16_to_cpu(rsp->scid);
3736 flags = __le16_to_cpu(rsp->flags);
3737 result = __le16_to_cpu(rsp->result);
3738
61386cba
AE		 3739 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3740 result, len);
1da177e4 3741
baa7e1fa 3742 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3743 if (!chan)
1da177e4
LT		 3744 return 0;
3745
3746 switch (result) {
3747 case L2CAP_CONF_SUCCESS:
47d1ec61 3748 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3749 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3750 break;
3751
0e8b207e
AE		 3752 case L2CAP_CONF_PENDING:
3753 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3754
3755 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3756 char buf[64];
3757
3758 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3759 buf, &result);
3760 if (len < 0) {
3761 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3762 goto done;
3763 }
3764
3765 /* check compatibility */
3766
3767 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3768 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3769
3770 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3771 l2cap_build_conf_rsp(chan, buf,
0e8b207e
AE		 3772 L2CAP_CONF_SUCCESS, 0x0000), buf);
3773 }
3774 goto done;
3775
1da177e4 3776 case L2CAP_CONF_UNACCEPT:
73ffa904 3777 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3778 char req[64];
3779
c2c77ec8 3780 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 3781 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 3782 goto done;
3783 }
3784
f2fcfcd6
GP		 3785 /* throw out any old stored conf requests */
3786 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 3787 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3788 req, &result);
f2fcfcd6 3789 if (len < 0) {
e92c8e70 3790 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 3791 goto done;
3792 }
3793
3794 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3795 L2CAP_CONF_REQ, len, req);
73ffa904 3796 chan->num_conf_req++;
f2fcfcd6
GP		 3797 if (result != L2CAP_CONF_SUCCESS)
3798 goto done;
3799 break;
1da177e4
LT		 3800 }
3801
8e87d142 3802 default:
6be36555 3803 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 3804
ba13ccd9 3805 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 3806 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 3807 goto done;
3808 }
3809
3810 if (flags & 0x01)
3811 goto done;
3812
c1360a1c 3813 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 3814
c1360a1c 3815 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 3816 set_default_fcs(chan);
fcc203c3 3817
89bc500e 3818 l2cap_state_change(chan, BT_CONNECTED);
105bdf9e
MM		 3819 if (chan->mode == L2CAP_MODE_ERTM ||
3820 chan->mode == L2CAP_MODE_STREAMING)
3c588192 3821 err = l2cap_ertm_init(chan);
0565c1c2 3822
3c588192
MM		 3823 if (err < 0)
3824 l2cap_send_disconn_req(chan->conn, chan, -err);
3825 else
3826 l2cap_chan_ready(chan);
1da177e4
LT		 3827 }
3828
3829done:
6be36555 3830 l2cap_chan_unlock(chan);
3c588192 3831 return err;
1da177e4
LT		 3832}
3833
3834static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3835{
3836 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3837 struct l2cap_disconn_rsp rsp;
3838 u16 dcid, scid;
48454079 3839 struct l2cap_chan *chan;
1da177e4
LT		 3840 struct sock *sk;
3841
3842 scid = __le16_to_cpu(req->scid);
3843 dcid = __le16_to_cpu(req->dcid);
3844
3845 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3846
3df91ea2
AE		 3847 mutex_lock(&conn->chan_lock);
3848
3849 chan = __l2cap_get_chan_by_scid(conn, dcid);
3850 if (!chan) {
3851 mutex_unlock(&conn->chan_lock);
1da177e4 3852 return 0;
3df91ea2 3853 }
1da177e4 3854
6be36555
AE		 3855 l2cap_chan_lock(chan);
3856
48454079
GP		 3857 sk = chan->sk;
3858
fe4128e0
GP		 3859 rsp.dcid = cpu_to_le16(chan->scid);
3860 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3861 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3862
6be36555 3863 lock_sock(sk);
1da177e4 3864 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 3865 release_sock(sk);
1da177e4 3866
61d6ef3e 3867 l2cap_chan_hold(chan);
48454079 3868 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 3869
3870 l2cap_chan_unlock(chan);
1da177e4 3871
ba3bd0ee 3872 chan->ops->close(chan->data);
61d6ef3e 3873 l2cap_chan_put(chan);
3df91ea2
AE		 3874
3875 mutex_unlock(&conn->chan_lock);
3876
1da177e4
LT		 3877 return 0;
3878}
3879
3880static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3881{
3882 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3883 u16 dcid, scid;
48454079 3884 struct l2cap_chan *chan;
1da177e4
LT		 3885
3886 scid = __le16_to_cpu(rsp->scid);
3887 dcid = __le16_to_cpu(rsp->dcid);
3888
3889 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3890
3df91ea2
AE		 3891 mutex_lock(&conn->chan_lock);
3892
3893 chan = __l2cap_get_chan_by_scid(conn, scid);
3894 if (!chan) {
3895 mutex_unlock(&conn->chan_lock);
1da177e4 3896 return 0;
3df91ea2 3897 }
1da177e4 3898
6be36555 3899 l2cap_chan_lock(chan);
48454079 3900
61d6ef3e 3901 l2cap_chan_hold(chan);
48454079 3902 l2cap_chan_del(chan, 0);
6be36555
AE		 3903
3904 l2cap_chan_unlock(chan);
1da177e4 3905
ba3bd0ee 3906 chan->ops->close(chan->data);
61d6ef3e 3907 l2cap_chan_put(chan);
3df91ea2
AE		 3908
3909 mutex_unlock(&conn->chan_lock);
3910
1da177e4
LT		 3911 return 0;
3912}
3913
3914static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3915{
3916 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3917 u16 type;
3918
3919 type = __le16_to_cpu(req->type);
3920
3921 BT_DBG("type 0x%4.4x", type);
3922
f0709e03
MH		 3923 if (type == L2CAP_IT_FEAT_MASK) {
3924 u8 buf[8];
44dd46de 3925 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 3926 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3927 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3928 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3929 if (!disable_ertm)
fcc203c3
GP		 3930 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3931 | L2CAP_FEAT_FCS;
a5fd6f30 3932 if (enable_hs)
6327eb98
AE		 3933 feat_mask |= L2CAP_FEAT_EXT_FLOW
3934 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3935
1b7bf4ed 3936 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3937 l2cap_send_cmd(conn, cmd->ident,
3938 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3939 } else if (type == L2CAP_IT_FIXED_CHAN) {
3940 u8 buf[12];
3941 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3942
3943 if (enable_hs)
3944 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3945 else
3946 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3947
e1027a7c
MH		 3948 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3949 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3950 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH		 3951 l2cap_send_cmd(conn, cmd->ident,
3952 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3953 } else {
3954 struct l2cap_info_rsp rsp;
3955 rsp.type = cpu_to_le16(type);
3956 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3957 l2cap_send_cmd(conn, cmd->ident,
3958 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3959 }
1da177e4
LT		 3960
3961 return 0;
3962}
3963
3964static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3965{
3966 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3967 u16 type, result;
3968
3969 type = __le16_to_cpu(rsp->type);
3970 result = __le16_to_cpu(rsp->result);
3971
3972 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3973
e90165be
AE		 3974 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3975 if (cmd->ident != conn->info_ident ||
3976 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3977 return 0;
3978
17cd3f37 3979 cancel_delayed_work(&conn->info_timer);
4e8402a3 3980
adb08ede
VT		 3981 if (result != L2CAP_IR_SUCCESS) {
3982 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3983 conn->info_ident = 0;
3984
3985 l2cap_conn_start(conn);
3986
3987 return 0;
3988 }
3989
978c93b9
AE		 3990 switch (type) {
3991 case L2CAP_IT_FEAT_MASK:
83985319 3992 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3993
47ec1dcd 3994 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 3995 struct l2cap_info_req req;
3996 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3997
3998 conn->info_ident = l2cap_get_ident(conn);
3999
4000 l2cap_send_cmd(conn, conn->info_ident,
4001 L2CAP_INFO_REQ, sizeof(req), &req);
4002 } else {
4003 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4004 conn->info_ident = 0;
4005
4006 l2cap_conn_start(conn);
4007 }
978c93b9
AE		 4008 break;
4009
4010 case L2CAP_IT_FIXED_CHAN:
4011 conn->fixed_chan_mask = rsp->data[0];
984947dc 4012 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4013 conn->info_ident = 0;
984947dc
MH		 4014
4015 l2cap_conn_start(conn);
978c93b9 4016 break;
984947dc 4017 }
4e8402a3 4018
1da177e4
LT		 4019 return 0;
4020}
4021
f94ff6ff
MM		 4022static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
4023 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4024 void *data)
4025{
4026 struct l2cap_create_chan_req *req = data;
4027 struct l2cap_create_chan_rsp rsp;
4028 u16 psm, scid;
4029
4030 if (cmd_len != sizeof(*req))
4031 return -EPROTO;
4032
4033 if (!enable_hs)
4034 return -EINVAL;
4035
4036 psm = le16_to_cpu(req->psm);
4037 scid = le16_to_cpu(req->scid);
4038
4039 BT_DBG("psm %d, scid %d, amp_id %d", psm, scid, req->amp_id);
4040
4041 /* Placeholder: Always reject */
4042 rsp.dcid = 0;
4043 rsp.scid = cpu_to_le16(scid);
8ce0c498
AE		 4044 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
4045 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f94ff6ff
MM		 4046
4047 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4048 sizeof(rsp), &rsp);
4049
4050 return 0;
4051}
4052
4053static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
4054 struct l2cap_cmd_hdr *cmd, void *data)
4055{
4056 BT_DBG("conn %p", conn);
4057
4058 return l2cap_connect_rsp(conn, cmd, data);
4059}
4060
8d5a04a1
MM		 4061static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
4062 u16 icid, u16 result)
4063{
4064 struct l2cap_move_chan_rsp rsp;
4065
4066 BT_DBG("icid %d, result %d", icid, result);
4067
4068 rsp.icid = cpu_to_le16(icid);
4069 rsp.result = cpu_to_le16(result);
4070
4071 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
4072}
4073
4074static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
4075 struct l2cap_chan *chan, u16 icid, u16 result)
4076{
4077 struct l2cap_move_chan_cfm cfm;
4078 u8 ident;
4079
4080 BT_DBG("icid %d, result %d", icid, result);
4081
4082 ident = l2cap_get_ident(conn);
4083 if (chan)
4084 chan->ident = ident;
4085
4086 cfm.icid = cpu_to_le16(icid);
4087 cfm.result = cpu_to_le16(result);
4088
4089 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
4090}
4091
4092static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
4093 u16 icid)
4094{
4095 struct l2cap_move_chan_cfm_rsp rsp;
4096
4097 BT_DBG("icid %d", icid);
4098
4099 rsp.icid = cpu_to_le16(icid);
4100 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4101}
4102
4103static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
4104 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4105{
4106 struct l2cap_move_chan_req *req = data;
4107 u16 icid = 0;
4108 u16 result = L2CAP_MR_NOT_ALLOWED;
4109
4110 if (cmd_len != sizeof(*req))
4111 return -EPROTO;
4112
4113 icid = le16_to_cpu(req->icid);
4114
4115 BT_DBG("icid %d, dest_amp_id %d", icid, req->dest_amp_id);
4116
4117 if (!enable_hs)
4118 return -EINVAL;
4119
4120 /* Placeholder: Always refuse */
4121 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
4122
4123 return 0;
4124}
4125
4126static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
4127 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4128{
4129 struct l2cap_move_chan_rsp *rsp = data;
4130 u16 icid, result;
4131
4132 if (cmd_len != sizeof(*rsp))
4133 return -EPROTO;
4134
4135 icid = le16_to_cpu(rsp->icid);
4136 result = le16_to_cpu(rsp->result);
4137
4138 BT_DBG("icid %d, result %d", icid, result);
4139
4140 /* Placeholder: Always unconfirmed */
4141 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
4142
4143 return 0;
4144}
4145
4146static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
4147 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4148{
4149 struct l2cap_move_chan_cfm *cfm = data;
4150 u16 icid, result;
4151
4152 if (cmd_len != sizeof(*cfm))
4153 return -EPROTO;
4154
4155 icid = le16_to_cpu(cfm->icid);
4156 result = le16_to_cpu(cfm->result);
4157
4158 BT_DBG("icid %d, result %d", icid, result);
4159
4160 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4161
4162 return 0;
4163}
4164
4165static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
4166 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4167{
4168 struct l2cap_move_chan_cfm_rsp *rsp = data;
4169 u16 icid;
4170
4171 if (cmd_len != sizeof(*rsp))
4172 return -EPROTO;
4173
4174 icid = le16_to_cpu(rsp->icid);
4175
4176 BT_DBG("icid %d", icid);
4177
4178 return 0;
4179}
4180
e2174ca4 4181static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 4182 u16 to_multiplier)
4183{
4184 u16 max_latency;
4185
4186 if (min > max || min < 6 || max > 3200)
4187 return -EINVAL;
4188
4189 if (to_multiplier < 10 || to_multiplier > 3200)
4190 return -EINVAL;
4191
4192 if (max >= to_multiplier * 8)
4193 return -EINVAL;
4194
4195 max_latency = (to_multiplier * 8 / max) - 1;
4196 if (latency > 499 || latency > max_latency)
4197 return -EINVAL;
4198
4199 return 0;
4200}
4201
4202static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
4203 struct l2cap_cmd_hdr *cmd, u8 *data)
4204{
4205 struct hci_conn *hcon = conn->hcon;
4206 struct l2cap_conn_param_update_req *req;
4207 struct l2cap_conn_param_update_rsp rsp;
4208 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 4209 int err;
de73115a
CT		 4210
4211 if (!(hcon->link_mode & HCI_LM_MASTER))
4212 return -EINVAL;
4213
4214 cmd_len = __le16_to_cpu(cmd->len);
4215 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
4216 return -EPROTO;
4217
4218 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 4219 min = __le16_to_cpu(req->min);
4220 max = __le16_to_cpu(req->max);
de73115a
CT		 4221 latency = __le16_to_cpu(req->latency);
4222 to_multiplier = __le16_to_cpu(req->to_multiplier);
4223
4224 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
4225 min, max, latency, to_multiplier);
4226
4227 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 4228
4229 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
4230 if (err)
de73115a
CT		 4231 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
4232 else
4233 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
4234
4235 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
4236 sizeof(rsp), &rsp);
4237
2ce603eb
CT		 4238 if (!err)
4239 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
4240
de73115a
CT		 4241 return 0;
4242}
4243
3300d9a9
CT		 4244static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
4245 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4246{
4247 int err = 0;
4248
4249 switch (cmd->code) {
4250 case L2CAP_COMMAND_REJ:
4251 l2cap_command_rej(conn, cmd, data);
4252 break;
4253
4254 case L2CAP_CONN_REQ:
4255 err = l2cap_connect_req(conn, cmd, data);
4256 break;
4257
4258 case L2CAP_CONN_RSP:
4259 err = l2cap_connect_rsp(conn, cmd, data);
4260 break;
4261
4262 case L2CAP_CONF_REQ:
4263 err = l2cap_config_req(conn, cmd, cmd_len, data);
4264 break;
4265
4266 case L2CAP_CONF_RSP:
4267 err = l2cap_config_rsp(conn, cmd, data);
4268 break;
4269
4270 case L2CAP_DISCONN_REQ:
4271 err = l2cap_disconnect_req(conn, cmd, data);
4272 break;
4273
4274 case L2CAP_DISCONN_RSP:
4275 err = l2cap_disconnect_rsp(conn, cmd, data);
4276 break;
4277
4278 case L2CAP_ECHO_REQ:
4279 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
4280 break;
4281
4282 case L2CAP_ECHO_RSP:
4283 break;
4284
4285 case L2CAP_INFO_REQ:
4286 err = l2cap_information_req(conn, cmd, data);
4287 break;
4288
4289 case L2CAP_INFO_RSP:
4290 err = l2cap_information_rsp(conn, cmd, data);
4291 break;
4292
f94ff6ff
MM		 4293 case L2CAP_CREATE_CHAN_REQ:
4294 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
4295 break;
4296
4297 case L2CAP_CREATE_CHAN_RSP:
4298 err = l2cap_create_channel_rsp(conn, cmd, data);
4299 break;
4300
8d5a04a1
MM		 4301 case L2CAP_MOVE_CHAN_REQ:
4302 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
4303 break;
4304
4305 case L2CAP_MOVE_CHAN_RSP:
4306 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
4307 break;
4308
4309 case L2CAP_MOVE_CHAN_CFM:
4310 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
4311 break;
4312
4313 case L2CAP_MOVE_CHAN_CFM_RSP:
4314 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
4315 break;
4316
3300d9a9
CT		 4317 default:
4318 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
4319 err = -EINVAL;
4320 break;
4321 }
4322
4323 return err;
4324}
4325
4326static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
4327 struct l2cap_cmd_hdr *cmd, u8 *data)
4328{
4329 switch (cmd->code) {
4330 case L2CAP_COMMAND_REJ:
4331 return 0;
4332
4333 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 4334 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 4335
4336 case L2CAP_CONN_PARAM_UPDATE_RSP:
4337 return 0;
4338
4339 default:
4340 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
4341 return -EINVAL;
4342 }
4343}
4344
4345static inline void l2cap_sig_channel(struct l2cap_conn *conn,
4346 struct sk_buff *skb)
1da177e4
LT		 4347{
4348 u8 *data = skb->data;
4349 int len = skb->len;
4350 struct l2cap_cmd_hdr cmd;
3300d9a9 4351 int err;
1da177e4
LT		 4352
4353 l2cap_raw_recv(conn, skb);
4354
4355 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 4356 u16 cmd_len;
1da177e4
LT		 4357 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
4358 data += L2CAP_CMD_HDR_SIZE;
4359 len -= L2CAP_CMD_HDR_SIZE;
4360
88219a0f 4361 cmd_len = le16_to_cpu(cmd.len);
1da177e4 4362
88219a0f 4363 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 4364
88219a0f 4365 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 4366 BT_DBG("corrupted command");
4367 break;
4368 }
4369
3300d9a9
CT		 4370 if (conn->hcon->type == LE_LINK)
4371 err = l2cap_le_sig_cmd(conn, &cmd, data);
4372 else
4373 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 4374
4375 if (err) {
e2fd318e 4376 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 4377
4378 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 4379
4380 /* FIXME: Map err to a valid reason */
e2fd318e 4381 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 4382 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4383 }
4384
88219a0f
AV		 4385 data += cmd_len;
4386 len -= cmd_len;
1da177e4
LT		 4387 }
4388
4389 kfree_skb(skb);
4390}
4391
47d1ec61 4392static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 4393{
4394 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 4395 int hdr_size;
4396
4397 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
4398 hdr_size = L2CAP_EXT_HDR_SIZE;
4399 else
4400 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 4401
47d1ec61 4402 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 4403 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 4404 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
4405 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
4406
4407 if (our_fcs != rcv_fcs)
7a560e5c 4408 return -EBADMSG;
fcc203c3
GP		 4409 }
4410 return 0;
4411}
4412
6ea00485 4413static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 4414{
e31f7633 4415 struct l2cap_ctrl control;
d5392c8f 4416
e31f7633 4417 BT_DBG("chan %p", chan);
d5392c8f 4418
e31f7633
MM		 4419 memset(&control, 0, sizeof(control));
4420 control.sframe = 1;
4421 control.final = 1;
4422 control.reqseq = chan->buffer_seq;
4423 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 4424
e2ab4353 4425 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 4426 control.super = L2CAP_SUPER_RNR;
4427 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4428 }
4429
e31f7633
MM		 4430 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
4431 chan->unacked_frames > 0)
4432 __set_retrans_timer(chan);
d5392c8f 4433
e31f7633 4434 /* Send pending iframes */
525cd185 4435 l2cap_ertm_send(chan);
d5392c8f 4436
e2ab4353 4437 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 4438 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
4439 /* F-bit wasn't sent in an s-frame or i-frame yet, so
4440 * send it now.
4441 */
4442 control.super = L2CAP_SUPER_RR;
4443 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4444 }
4445}
4446
84084a31
MM		 4447static void append_skb_frag(struct sk_buff *skb,
4448 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 4449{
84084a31
MM		 4450 /* skb->len reflects data in skb as well as all fragments
4451 * skb->data_len reflects only data in fragments
4452 */
4453 if (!skb_has_frag_list(skb))
4454 skb_shinfo(skb)->frag_list = new_frag;
4455
4456 new_frag->next = NULL;
4457
4458 (*last_frag)->next = new_frag;
4459 *last_frag = new_frag;
4460
4461 skb->len += new_frag->len;
4462 skb->data_len += new_frag->len;
4463 skb->truesize += new_frag->truesize;
4464}
4465
4b51dae9
MM		 4466static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
4467 struct l2cap_ctrl *control)
84084a31
MM		 4468{
4469 int err = -EINVAL;
18778a63 4470
4b51dae9 4471 switch (control->sar) {
7e0ef6ee 4472 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 4473 if (chan->sdu)
4474 break;
18778a63 4475
84084a31
MM		 4476 err = chan->ops->recv(chan->data, skb);
4477 break;
18778a63 4478
7e0ef6ee 4479 case L2CAP_SAR_START:
84084a31
MM		 4480 if (chan->sdu)
4481 break;
18778a63 4482
6f61fd47 4483 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 4484 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 4485
84084a31
MM		 4486 if (chan->sdu_len > chan->imtu) {
4487 err = -EMSGSIZE;
4488 break;
4489 }
1890d36b 4490
84084a31
MM		 4491 if (skb->len >= chan->sdu_len)
4492 break;
18778a63 4493
84084a31
MM		 4494 chan->sdu = skb;
4495 chan->sdu_last_frag = skb;
18778a63 4496
84084a31
MM		 4497 skb = NULL;
4498 err = 0;
18778a63
GP		 4499 break;
4500
7e0ef6ee 4501 case L2CAP_SAR_CONTINUE:
6f61fd47 4502 if (!chan->sdu)
84084a31 4503 break;
18778a63 4504
84084a31
MM		 4505 append_skb_frag(chan->sdu, skb,
4506 &chan->sdu_last_frag);
4507 skb = NULL;
18778a63 4508
84084a31
MM		 4509 if (chan->sdu->len >= chan->sdu_len)
4510 break;
4178ba46 4511
84084a31 4512 err = 0;
18778a63
GP		 4513 break;
4514
7e0ef6ee 4515 case L2CAP_SAR_END:
6f61fd47 4516 if (!chan->sdu)
84084a31 4517 break;
18778a63 4518
84084a31
MM		 4519 append_skb_frag(chan->sdu, skb,
4520 &chan->sdu_last_frag);
4521 skb = NULL;
4178ba46 4522
84084a31
MM		 4523 if (chan->sdu->len != chan->sdu_len)
4524 break;
18778a63 4525
84084a31 4526 err = chan->ops->recv(chan->data, chan->sdu);
1890d36b 4527
84084a31
MM		 4528 if (!err) {
4529 /* Reassembly complete */
4530 chan->sdu = NULL;
4531 chan->sdu_last_frag = NULL;
4532 chan->sdu_len = 0;
1890d36b 4533 }
18778a63
GP		 4534 break;
4535 }
4536
84084a31
MM		 4537 if (err) {
4538 kfree_skb(skb);
4539 kfree_skb(chan->sdu);
4540 chan->sdu = NULL;
4541 chan->sdu_last_frag = NULL;
4542 chan->sdu_len = 0;
4543 }
18778a63 4544
84084a31 4545 return err;
18778a63
GP		 4546}
4547
61aa4f5b 4548void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 4549{
61aa4f5b 4550 u8 event;
712132eb 4551
61aa4f5b
MM		 4552 if (chan->mode != L2CAP_MODE_ERTM)
4553 return;
712132eb 4554
61aa4f5b
MM		 4555 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
4556 l2cap_tx(chan, 0, 0, event);
1890d36b
GP		 4557}
4558
d2a7ac5d
MM		 4559static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
4560{
63838725
MM		 4561 int err = 0;
4562 /* Pass sequential frames to l2cap_reassemble_sdu()
4563 * until a gap is encountered.
4564 */
4565
4566 BT_DBG("chan %p", chan);
4567
4568 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4569 struct sk_buff *skb;
4570 BT_DBG("Searching for skb with txseq %d (queue len %d)",
4571 chan->buffer_seq, skb_queue_len(&chan->srej_q));
4572
4573 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
4574
4575 if (!skb)
4576 break;
4577
4578 skb_unlink(skb, &chan->srej_q);
4579 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
4580 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
4581 if (err)
4582 break;
4583 }
4584
4585 if (skb_queue_empty(&chan->srej_q)) {
4586 chan->rx_state = L2CAP_RX_STATE_RECV;
4587 l2cap_send_ack(chan);
4588 }
4589
4590 return err;
d2a7ac5d
MM		 4591}
4592
4593static void l2cap_handle_srej(struct l2cap_chan *chan,
4594 struct l2cap_ctrl *control)
4595{
f80842a8
MM		 4596 struct sk_buff *skb;
4597
4598 BT_DBG("chan %p, control %p", chan, control);
4599
4600 if (control->reqseq == chan->next_tx_seq) {
4601 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4602 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4603 return;
4604 }
4605
4606 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4607
4608 if (skb == NULL) {
4609 BT_DBG("Seq %d not available for retransmission",
4610 control->reqseq);
4611 return;
4612 }
4613
4614 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
4615 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4616 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4617 return;
4618 }
4619
4620 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4621
4622 if (control->poll) {
4623 l2cap_pass_to_tx(chan, control);
4624
4625 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4626 l2cap_retransmit(chan, control);
4627 l2cap_ertm_send(chan);
4628
4629 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4630 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4631 chan->srej_save_reqseq = control->reqseq;
4632 }
4633 } else {
4634 l2cap_pass_to_tx_fbit(chan, control);
4635
4636 if (control->final) {
4637 if (chan->srej_save_reqseq != control->reqseq ||
4638 !test_and_clear_bit(CONN_SREJ_ACT,
4639 &chan->conn_state))
4640 l2cap_retransmit(chan, control);
4641 } else {
4642 l2cap_retransmit(chan, control);
4643 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4644 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4645 chan->srej_save_reqseq = control->reqseq;
4646 }
4647 }
4648 }
d2a7ac5d
MM		 4649}
4650
4651static void l2cap_handle_rej(struct l2cap_chan *chan,
4652 struct l2cap_ctrl *control)
4653{
fcd289df
MM		 4654 struct sk_buff *skb;
4655
4656 BT_DBG("chan %p, control %p", chan, control);
4657
4658 if (control->reqseq == chan->next_tx_seq) {
4659 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4660 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4661 return;
4662 }
4663
4664 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4665
4666 if (chan->max_tx && skb &&
4667 bt_cb(skb)->control.retries >= chan->max_tx) {
4668 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4669 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4670 return;
4671 }
4672
4673 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4674
4675 l2cap_pass_to_tx(chan, control);
4676
4677 if (control->final) {
4678 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
4679 l2cap_retransmit_all(chan, control);
4680 } else {
4681 l2cap_retransmit_all(chan, control);
4682 l2cap_ertm_send(chan);
4683 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
4684 set_bit(CONN_REJ_ACT, &chan->conn_state);
4685 }
d2a7ac5d
MM		 4686}
4687
4b51dae9
MM		 4688static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
4689{
4690 BT_DBG("chan %p, txseq %d", chan, txseq);
4691
4692 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
4693 chan->expected_tx_seq);
4694
4695 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
4696 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4697 chan->tx_win) {
4698 /* See notes below regarding "double poll" and
4699 * invalid packets.
4700 */
4701 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4702 BT_DBG("Invalid/Ignore - after SREJ");
4703 return L2CAP_TXSEQ_INVALID_IGNORE;
4704 } else {
4705 BT_DBG("Invalid - in window after SREJ sent");
4706 return L2CAP_TXSEQ_INVALID;
4707 }
4708 }
4709
4710 if (chan->srej_list.head == txseq) {
4711 BT_DBG("Expected SREJ");
4712 return L2CAP_TXSEQ_EXPECTED_SREJ;
4713 }
4714
4715 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
4716 BT_DBG("Duplicate SREJ - txseq already stored");
4717 return L2CAP_TXSEQ_DUPLICATE_SREJ;
4718 }
4719
4720 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
4721 BT_DBG("Unexpected SREJ - not requested");
4722 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
4723 }
4724 }
4725
4726 if (chan->expected_tx_seq == txseq) {
4727 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4728 chan->tx_win) {
4729 BT_DBG("Invalid - txseq outside tx window");
4730 return L2CAP_TXSEQ_INVALID;
4731 } else {
4732 BT_DBG("Expected");
4733 return L2CAP_TXSEQ_EXPECTED;
4734 }
4735 }
4736
4737 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
4738 __seq_offset(chan, chan->expected_tx_seq,
4739 chan->last_acked_seq)){
4740 BT_DBG("Duplicate - expected_tx_seq later than txseq");
4741 return L2CAP_TXSEQ_DUPLICATE;
4742 }
4743
4744 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
4745 /* A source of invalid packets is a "double poll" condition,
4746 * where delays cause us to send multiple poll packets. If
4747 * the remote stack receives and processes both polls,
4748 * sequence numbers can wrap around in such a way that a
4749 * resent frame has a sequence number that looks like new data
4750 * with a sequence gap. This would trigger an erroneous SREJ
4751 * request.
4752 *
4753 * Fortunately, this is impossible with a tx window that's
4754 * less than half of the maximum sequence number, which allows
4755 * invalid frames to be safely ignored.
4756 *
4757 * With tx window sizes greater than half of the tx window
4758 * maximum, the frame is invalid and cannot be ignored. This
4759 * causes a disconnect.
4760 */
4761
4762 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4763 BT_DBG("Invalid/Ignore - txseq outside tx window");
4764 return L2CAP_TXSEQ_INVALID_IGNORE;
4765 } else {
4766 BT_DBG("Invalid - txseq outside tx window");
4767 return L2CAP_TXSEQ_INVALID;
4768 }
4769 } else {
4770 BT_DBG("Unexpected - txseq indicates missing frames");
4771 return L2CAP_TXSEQ_UNEXPECTED;
4772 }
4773}
4774
d2a7ac5d
MM		 4775static int l2cap_rx_state_recv(struct l2cap_chan *chan,
4776 struct l2cap_ctrl *control,
4777 struct sk_buff *skb, u8 event)
4778{
4779 int err = 0;
4780 bool skb_in_use = 0;
4781
4782 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4783 event);
4784
4785 switch (event) {
4786 case L2CAP_EV_RECV_IFRAME:
4787 switch (l2cap_classify_txseq(chan, control->txseq)) {
4788 case L2CAP_TXSEQ_EXPECTED:
4789 l2cap_pass_to_tx(chan, control);
4790
4791 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4792 BT_DBG("Busy, discarding expected seq %d",
4793 control->txseq);
4794 break;
4795 }
4796
4797 chan->expected_tx_seq = __next_seq(chan,
4798 control->txseq);
4799
4800 chan->buffer_seq = chan->expected_tx_seq;
4801 skb_in_use = 1;
4802
4803 err = l2cap_reassemble_sdu(chan, skb, control);
4804 if (err)
4805 break;
4806
4807 if (control->final) {
4808 if (!test_and_clear_bit(CONN_REJ_ACT,
4809 &chan->conn_state)) {
4810 control->final = 0;
4811 l2cap_retransmit_all(chan, control);
4812 l2cap_ertm_send(chan);
4813 }
4814 }
4815
4816 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
4817 l2cap_send_ack(chan);
4818 break;
4819 case L2CAP_TXSEQ_UNEXPECTED:
4820 l2cap_pass_to_tx(chan, control);
4821
4822 /* Can't issue SREJ frames in the local busy state.
4823 * Drop this frame, it will be seen as missing
4824 * when local busy is exited.
4825 */
4826 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4827 BT_DBG("Busy, discarding unexpected seq %d",
4828 control->txseq);
4829 break;
4830 }
4831
4832 /* There was a gap in the sequence, so an SREJ
4833 * must be sent for each missing frame. The
4834 * current frame is stored for later use.
4835 */
4836 skb_queue_tail(&chan->srej_q, skb);
4837 skb_in_use = 1;
4838 BT_DBG("Queued %p (queue len %d)", skb,
4839 skb_queue_len(&chan->srej_q));
4840
4841 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
4842 l2cap_seq_list_clear(&chan->srej_list);
4843 l2cap_send_srej(chan, control->txseq);
4844
4845 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
4846 break;
4847 case L2CAP_TXSEQ_DUPLICATE:
4848 l2cap_pass_to_tx(chan, control);
4849 break;
4850 case L2CAP_TXSEQ_INVALID_IGNORE:
4851 break;
4852 case L2CAP_TXSEQ_INVALID:
4853 default:
4854 l2cap_send_disconn_req(chan->conn, chan,
4855 ECONNRESET);
4856 break;
4857 }
4858 break;
4859 case L2CAP_EV_RECV_RR:
4860 l2cap_pass_to_tx(chan, control);
4861 if (control->final) {
4862 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4863
4864 if (!test_and_clear_bit(CONN_REJ_ACT,
4865 &chan->conn_state)) {
4866 control->final = 0;
4867 l2cap_retransmit_all(chan, control);
4868 }
4869
4870 l2cap_ertm_send(chan);
4871 } else if (control->poll) {
4872 l2cap_send_i_or_rr_or_rnr(chan);
4873 } else {
4874 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4875 &chan->conn_state) &&
4876 chan->unacked_frames)
4877 __set_retrans_timer(chan);
4878
4879 l2cap_ertm_send(chan);
4880 }
4881 break;
4882 case L2CAP_EV_RECV_RNR:
4883 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4884 l2cap_pass_to_tx(chan, control);
4885 if (control && control->poll) {
4886 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4887 l2cap_send_rr_or_rnr(chan, 0);
4888 }
4889 __clear_retrans_timer(chan);
4890 l2cap_seq_list_clear(&chan->retrans_list);
4891 break;
4892 case L2CAP_EV_RECV_REJ:
4893 l2cap_handle_rej(chan, control);
4894 break;
4895 case L2CAP_EV_RECV_SREJ:
4896 l2cap_handle_srej(chan, control);
4897 break;
4898 default:
4899 break;
4900 }
4901
4902 if (skb && !skb_in_use) {
4903 BT_DBG("Freeing %p", skb);
4904 kfree_skb(skb);
4905 }
4906
4907 return err;
4908}
4909
4910static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
4911 struct l2cap_ctrl *control,
4912 struct sk_buff *skb, u8 event)
4913{
4914 int err = 0;
4915 u16 txseq = control->txseq;
4916 bool skb_in_use = 0;
4917
4918 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4919 event);
4920
4921 switch (event) {
4922 case L2CAP_EV_RECV_IFRAME:
4923 switch (l2cap_classify_txseq(chan, txseq)) {
4924 case L2CAP_TXSEQ_EXPECTED:
4925 /* Keep frame for reassembly later */
4926 l2cap_pass_to_tx(chan, control);
4927 skb_queue_tail(&chan->srej_q, skb);
4928 skb_in_use = 1;
4929 BT_DBG("Queued %p (queue len %d)", skb,
4930 skb_queue_len(&chan->srej_q));
4931
4932 chan->expected_tx_seq = __next_seq(chan, txseq);
4933 break;
4934 case L2CAP_TXSEQ_EXPECTED_SREJ:
4935 l2cap_seq_list_pop(&chan->srej_list);
4936
4937 l2cap_pass_to_tx(chan, control);
4938 skb_queue_tail(&chan->srej_q, skb);
4939 skb_in_use = 1;
4940 BT_DBG("Queued %p (queue len %d)", skb,
4941 skb_queue_len(&chan->srej_q));
4942
4943 err = l2cap_rx_queued_iframes(chan);
4944 if (err)
4945 break;
4946
4947 break;
4948 case L2CAP_TXSEQ_UNEXPECTED:
4949 /* Got a frame that can't be reassembled yet.
4950 * Save it for later, and send SREJs to cover
4951 * the missing frames.
4952 */
4953 skb_queue_tail(&chan->srej_q, skb);
4954 skb_in_use = 1;
4955 BT_DBG("Queued %p (queue len %d)", skb,
4956 skb_queue_len(&chan->srej_q));
4957
4958 l2cap_pass_to_tx(chan, control);
4959 l2cap_send_srej(chan, control->txseq);
4960 break;
4961 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
4962 /* This frame was requested with an SREJ, but
4963 * some expected retransmitted frames are
4964 * missing. Request retransmission of missing
4965 * SREJ'd frames.
4966 */
4967 skb_queue_tail(&chan->srej_q, skb);
4968 skb_in_use = 1;
4969 BT_DBG("Queued %p (queue len %d)", skb,
4970 skb_queue_len(&chan->srej_q));
4971
4972 l2cap_pass_to_tx(chan, control);
4973 l2cap_send_srej_list(chan, control->txseq);
4974 break;
4975 case L2CAP_TXSEQ_DUPLICATE_SREJ:
4976 /* We've already queued this frame. Drop this copy. */
4977 l2cap_pass_to_tx(chan, control);
4978 break;
4979 case L2CAP_TXSEQ_DUPLICATE:
4980 /* Expecting a later sequence number, so this frame
4981 * was already received. Ignore it completely.
4982 */
4983 break;
4984 case L2CAP_TXSEQ_INVALID_IGNORE:
4985 break;
4986 case L2CAP_TXSEQ_INVALID:
4987 default:
4988 l2cap_send_disconn_req(chan->conn, chan,
4989 ECONNRESET);
4990 break;
4991 }
4992 break;
4993 case L2CAP_EV_RECV_RR:
4994 l2cap_pass_to_tx(chan, control);
4995 if (control->final) {
4996 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4997
4998 if (!test_and_clear_bit(CONN_REJ_ACT,
4999 &chan->conn_state)) {
5000 control->final = 0;
5001 l2cap_retransmit_all(chan, control);
5002 }
5003
5004 l2cap_ertm_send(chan);
5005 } else if (control->poll) {
5006 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5007 &chan->conn_state) &&
5008 chan->unacked_frames) {
5009 __set_retrans_timer(chan);
5010 }
5011
5012 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5013 l2cap_send_srej_tail(chan);
5014 } else {
5015 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5016 &chan->conn_state) &&
5017 chan->unacked_frames)
5018 __set_retrans_timer(chan);
5019
5020 l2cap_send_ack(chan);
5021 }
5022 break;
5023 case L2CAP_EV_RECV_RNR:
5024 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5025 l2cap_pass_to_tx(chan, control);
5026 if (control->poll) {
5027 l2cap_send_srej_tail(chan);
5028 } else {
5029 struct l2cap_ctrl rr_control;
5030 memset(&rr_control, 0, sizeof(rr_control));
5031 rr_control.sframe = 1;
5032 rr_control.super = L2CAP_SUPER_RR;
5033 rr_control.reqseq = chan->buffer_seq;
5034 l2cap_send_sframe(chan, &rr_control);
5035 }
5036
5037 break;
5038 case L2CAP_EV_RECV_REJ:
5039 l2cap_handle_rej(chan, control);
5040 break;
5041 case L2CAP_EV_RECV_SREJ:
5042 l2cap_handle_srej(chan, control);
5043 break;
5044 }
5045
5046 if (skb && !skb_in_use) {
5047 BT_DBG("Freeing %p", skb);
5048 kfree_skb(skb);
5049 }
5050
5051 return err;
5052}
5053
5054static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
5055{
5056 /* Make sure reqseq is for a packet that has been sent but not acked */
5057 u16 unacked;
5058
5059 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
5060 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
5061}
5062
cec8ab6e
MM		 5063static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5064 struct sk_buff *skb, u8 event)
218bb9df 5065{
d2a7ac5d
MM		 5066 int err = 0;
5067
5068 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
5069 control, skb, event, chan->rx_state);
5070
5071 if (__valid_reqseq(chan, control->reqseq)) {
5072 switch (chan->rx_state) {
5073 case L2CAP_RX_STATE_RECV:
5074 err = l2cap_rx_state_recv(chan, control, skb, event);
5075 break;
5076 case L2CAP_RX_STATE_SREJ_SENT:
5077 err = l2cap_rx_state_srej_sent(chan, control, skb,
5078 event);
5079 break;
5080 default:
5081 /* shut it down */
5082 break;
5083 }
5084 } else {
5085 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
5086 control->reqseq, chan->next_tx_seq,
5087 chan->expected_ack_seq);
5088 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
5089 }
5090
5091 return err;
cec8ab6e
MM		 5092}
5093
5094static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5095 struct sk_buff *skb)
5096{
4b51dae9
MM		 5097 int err = 0;
5098
5099 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
5100 chan->rx_state);
5101
5102 if (l2cap_classify_txseq(chan, control->txseq) ==
5103 L2CAP_TXSEQ_EXPECTED) {
5104 l2cap_pass_to_tx(chan, control);
5105
5106 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
5107 __next_seq(chan, chan->buffer_seq));
5108
5109 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5110
5111 l2cap_reassemble_sdu(chan, skb, control);
5112 } else {
5113 if (chan->sdu) {
5114 kfree_skb(chan->sdu);
5115 chan->sdu = NULL;
5116 }
5117 chan->sdu_last_frag = NULL;
5118 chan->sdu_len = 0;
5119
5120 if (skb) {
5121 BT_DBG("Freeing %p", skb);
5122 kfree_skb(skb);
5123 }
5124 }
5125
5126 chan->last_acked_seq = control->txseq;
5127 chan->expected_tx_seq = __next_seq(chan, control->txseq);
5128
5129 return err;
cec8ab6e
MM		 5130}
5131
5132static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
5133{
5134 struct l2cap_ctrl *control = &bt_cb(skb)->control;
5135 u16 len;
5136 u8 event;
218bb9df 5137
b76bbd66
MM		 5138 __unpack_control(chan, skb);
5139
218bb9df
GP		 5140 len = skb->len;
5141
5142 /*
5143 * We can just drop the corrupted I-frame here.
5144 * Receiver will miss it and start proper recovery
cec8ab6e 5145 * procedures and ask for retransmission.
218bb9df 5146 */
47d1ec61 5147 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 5148 goto drop;
5149
cec8ab6e 5150 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 5151 len -= L2CAP_SDULEN_SIZE;
218bb9df 5152
47d1ec61 5153 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 5154 len -= L2CAP_FCS_SIZE;
218bb9df 5155
47d1ec61 5156 if (len > chan->mps) {
8c1d787b 5157 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5158 goto drop;
5159 }
5160
cec8ab6e
MM		 5161 if (!control->sframe) {
5162 int err;
218bb9df 5163
cec8ab6e
MM		 5164 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
5165 control->sar, control->reqseq, control->final,
5166 control->txseq);
218bb9df 5167
cec8ab6e
MM		 5168 /* Validate F-bit - F=0 always valid, F=1 only
5169 * valid in TX WAIT_F
5170 */
5171 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 5172 goto drop;
cec8ab6e
MM		 5173
5174 if (chan->mode != L2CAP_MODE_STREAMING) {
5175 event = L2CAP_EV_RECV_IFRAME;
5176 err = l2cap_rx(chan, control, skb, event);
5177 } else {
5178 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 5179 }
5180
cec8ab6e
MM		 5181 if (err)
5182 l2cap_send_disconn_req(chan->conn, chan,
5183 ECONNRESET);
218bb9df 5184 } else {
cec8ab6e
MM		 5185 const u8 rx_func_to_event[4] = {
5186 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
5187 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
5188 };
5189
5190 /* Only I-frames are expected in streaming mode */
5191 if (chan->mode == L2CAP_MODE_STREAMING)
5192 goto drop;
5193
5194 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
5195 control->reqseq, control->final, control->poll,
5196 control->super);
5197
218bb9df
GP		 5198 if (len != 0) {
5199 BT_ERR("%d", len);
8c1d787b 5200 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5201 goto drop;
5202 }
5203
cec8ab6e
MM		 5204 /* Validate F and P bits */
5205 if (control->final && (control->poll ||
5206 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
5207 goto drop;
5208
5209 event = rx_func_to_event[control->super];
5210 if (l2cap_rx(chan, control, skb, event))
5211 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5212 }
5213
5214 return 0;
5215
5216drop:
5217 kfree_skb(skb);
5218 return 0;
5219}
5220
1da177e4
LT		 5221static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
5222{
48454079 5223 struct l2cap_chan *chan;
1da177e4 5224
baa7e1fa 5225 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 5226 if (!chan) {
1da177e4 5227 BT_DBG("unknown cid 0x%4.4x", cid);
6be36555 5228 /* Drop packet and return */
3379013b 5229 kfree_skb(skb);
6be36555 5230 return 0;
1da177e4
LT		 5231 }
5232
49208c9c 5233 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5234
89bc500e 5235 if (chan->state != BT_CONNECTED)
1da177e4
LT		 5236 goto drop;
5237
0c1bc5c6 5238 switch (chan->mode) {
1c2acffb
GP		 5239 case L2CAP_MODE_BASIC:
5240 /* If socket recv buffers overflows we drop data here
5241 * which is *bad* because L2CAP has to be reliable.
5242 * But we don't have any other choice. L2CAP doesn't
5243 * provide flow control mechanism. */
1da177e4 5244
0c1bc5c6 5245 if (chan->imtu < skb->len)
1c2acffb 5246 goto drop;
1da177e4 5247
23070494 5248 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP		 5249 goto done;
5250 break;
5251
5252 case L2CAP_MODE_ERTM:
6840ed07 5253 case L2CAP_MODE_STREAMING:
cec8ab6e 5254 l2cap_data_rcv(chan, skb);
6840ed07
GP		 5255 goto done;
5256
1c2acffb 5257 default:
0c1bc5c6 5258 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 5259 break;
5260 }
1da177e4
LT		 5261
5262drop:
5263 kfree_skb(skb);
5264
5265done:
6be36555 5266 l2cap_chan_unlock(chan);
0139418c 5267
1da177e4
LT		 5268 return 0;
5269}
5270
8e036fc3 5271static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 5272{
23691d75 5273 struct l2cap_chan *chan;
1da177e4 5274
c2287681 5275 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 5276 if (!chan)
1da177e4
LT		 5277 goto drop;
5278
5b4cedaa 5279 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5280
89bc500e 5281 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 5282 goto drop;
5283
e13e21dc 5284 if (chan->imtu < skb->len)
1da177e4
LT		 5285 goto drop;
5286
23070494 5287 if (!chan->ops->recv(chan->data, skb))
5b4cedaa 5288 return 0;
1da177e4
LT		 5289
5290drop:
5291 kfree_skb(skb);
5292
1da177e4
LT		 5293 return 0;
5294}
5295
d9b88702
AE		 5296static inline int l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
5297 struct sk_buff *skb)
9f69bda6 5298{
23691d75 5299 struct l2cap_chan *chan;
9f69bda6 5300
c2287681 5301 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 5302 if (!chan)
9f69bda6
GP		 5303 goto drop;
5304
5b4cedaa 5305 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 5306
89bc500e 5307 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 5308 goto drop;
5309
e13e21dc 5310 if (chan->imtu < skb->len)
9f69bda6
GP		 5311 goto drop;
5312
23070494 5313 if (!chan->ops->recv(chan->data, skb))
5b4cedaa 5314 return 0;
9f69bda6
GP		 5315
5316drop:
5317 kfree_skb(skb);
5318
9f69bda6
GP		 5319 return 0;
5320}
5321
1da177e4
LT		 5322static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
5323{
5324 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 5325 u16 cid, len;
5326 __le16 psm;
1da177e4
LT		 5327
5328 skb_pull(skb, L2CAP_HDR_SIZE);
5329 cid = __le16_to_cpu(lh->cid);
5330 len = __le16_to_cpu(lh->len);
5331
1c2acffb
GP		 5332 if (len != skb->len) {
5333 kfree_skb(skb);
5334 return;
5335 }
5336
1da177e4
LT		 5337 BT_DBG("len %d, cid 0x%4.4x", len, cid);
5338
5339 switch (cid) {
3300d9a9 5340 case L2CAP_CID_LE_SIGNALING:
8db4dc46 5341 case L2CAP_CID_SIGNALING:
1da177e4
LT		 5342 l2cap_sig_channel(conn, skb);
5343 break;
5344
8db4dc46 5345 case L2CAP_CID_CONN_LESS:
097db76c 5346 psm = get_unaligned((__le16 *) skb->data);
1da177e4
LT		 5347 skb_pull(skb, 2);
5348 l2cap_conless_channel(conn, psm, skb);
5349 break;
5350
9f69bda6
GP		 5351 case L2CAP_CID_LE_DATA:
5352 l2cap_att_channel(conn, cid, skb);
5353 break;
5354
b501d6a1
AB		 5355 case L2CAP_CID_SMP:
5356 if (smp_sig_channel(conn, skb))
5357 l2cap_conn_del(conn->hcon, EACCES);
5358 break;
5359
1da177e4
LT		 5360 default:
5361 l2cap_data_channel(conn, cid, skb);
5362 break;
5363 }
5364}
5365
5366/* ---- L2CAP interface with lower layer (HCI) ---- */
5367
686ebf28 5368int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 5369{
5370 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 5371 struct l2cap_chan *c;
1da177e4 5372
1da177e4
LT		 5373 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
5374
5375 /* Find listening sockets and check their link_mode */
23691d75
GP		 5376 read_lock(&chan_list_lock);
5377 list_for_each_entry(c, &chan_list, global_l) {
5378 struct sock *sk = c->sk;
4343478f 5379
89bc500e 5380 if (c->state != BT_LISTEN)
1da177e4
LT		 5381 continue;
5382
5383 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 5384 lm1 |= HCI_LM_ACCEPT;
43bd0f32 5385 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 5386 lm1 |= HCI_LM_MASTER;
1da177e4 5387 exact++;
2af6b9d5
MH		 5388 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
5389 lm2 |= HCI_LM_ACCEPT;
43bd0f32 5390 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 5391 lm2 |= HCI_LM_MASTER;
5392 }
1da177e4 5393 }
23691d75 5394 read_unlock(&chan_list_lock);
1da177e4
LT		 5395
5396 return exact ? lm1 : lm2;
5397}
5398
686ebf28 5399int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 5400{
0139418c
MH		 5401 struct l2cap_conn *conn;
5402
1da177e4
LT		 5403 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
5404
1da177e4 5405 if (!status) {
1da177e4
LT		 5406 conn = l2cap_conn_add(hcon, status);
5407 if (conn)
5408 l2cap_conn_ready(conn);
0139418c 5409 } else
e175072f 5410 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 5411
5412 return 0;
5413}
5414
686ebf28 5415int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 5416{
5417 struct l2cap_conn *conn = hcon->l2cap_data;
5418
5419 BT_DBG("hcon %p", hcon);
5420
686ebf28 5421 if (!conn)
9f5a0d7b 5422 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 5423 return conn->disc_reason;
5424}
5425
686ebf28 5426int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 5427{
5428 BT_DBG("hcon %p reason %d", hcon, reason);
5429
e175072f 5430 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 5431 return 0;
5432}
5433
4343478f 5434static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 5435{
715ec005 5436 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 5437 return;
5438
f62e4323 5439 if (encrypt == 0x00) {
4343478f 5440 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 5441 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 5442 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 5443 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 5444 } else {
4343478f 5445 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 5446 __clear_chan_timer(chan);
f62e4323
MH		 5447 }
5448}
5449
686ebf28 5450int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 5451{
0139418c 5452 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 5453 struct l2cap_chan *chan;
1da177e4 5454
0139418c 5455 if (!conn)
1da177e4 5456 return 0;
0139418c 5457
1da177e4
LT		 5458 BT_DBG("conn %p", conn);
5459
160dc6ac 5460 if (hcon->type == LE_LINK) {
35d4adcc
HG		 5461 if (!status && encrypt)
5462 smp_distribute_keys(conn, 0);
17cd3f37 5463 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 5464 }
5465
3df91ea2 5466 mutex_lock(&conn->chan_lock);
1da177e4 5467
3df91ea2 5468 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 5469 l2cap_chan_lock(chan);
1da177e4 5470
f1cb9af5
VCG		 5471 BT_DBG("chan->scid %d", chan->scid);
5472
5473 if (chan->scid == L2CAP_CID_LE_DATA) {
5474 if (!status && encrypt) {
5475 chan->sec_level = hcon->sec_level;
cf4cd009 5476 l2cap_chan_ready(chan);
f1cb9af5
VCG		 5477 }
5478
6be36555 5479 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 5480 continue;
5481 }
5482
c1360a1c 5483 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6be36555 5484 l2cap_chan_unlock(chan);
6a8d3010
MH		 5485 continue;
5486 }
5487
89bc500e
GP		 5488 if (!status && (chan->state == BT_CONNECTED ||
5489 chan->state == BT_CONFIG)) {
a7d7723a
GP		 5490 struct sock *sk = chan->sk;
5491
c5daa683 5492 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 5493 sk->sk_state_change(sk);
5494
4343478f 5495 l2cap_check_encryption(chan, encrypt);
6be36555 5496 l2cap_chan_unlock(chan);
9719f8af
MH		 5497 continue;
5498 }
5499
89bc500e 5500 if (chan->state == BT_CONNECT) {
b1235d79 5501 if (!status) {
9b27f350 5502 l2cap_send_conn_req(chan);
b1235d79 5503 } else {
ba13ccd9 5504 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 5505 }
89bc500e 5506 } else if (chan->state == BT_CONNECT2) {
6be36555 5507 struct sock *sk = chan->sk;
b1235d79 5508 struct l2cap_conn_rsp rsp;
df3c3931 5509 __u16 res, stat;
1da177e4 5510
6be36555
AE		 5511 lock_sock(sk);
5512
b1235d79 5513 if (!status) {
c5daa683
GP		 5514 if (test_bit(BT_SK_DEFER_SETUP,
5515 &bt_sk(sk)->flags)) {
df3c3931
JH		 5516 struct sock *parent = bt_sk(sk)->parent;
5517 res = L2CAP_CR_PEND;
5518 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 5519 if (parent)
5520 parent->sk_data_ready(parent, 0);
df3c3931 5521 } else {
0e587be7 5522 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 5523 res = L2CAP_CR_SUCCESS;
5524 stat = L2CAP_CS_NO_INFO;
5525 }
b1235d79 5526 } else {
0e587be7 5527 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 5528 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 5529 res = L2CAP_CR_SEC_BLOCK;
5530 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 5531 }
5532
6be36555
AE		 5533 release_sock(sk);
5534
fe4128e0
GP		 5535 rsp.scid = cpu_to_le16(chan->dcid);
5536 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 5537 rsp.result = cpu_to_le16(res);
5538 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 5539 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
5540 sizeof(rsp), &rsp);
b1235d79 5541 }
1da177e4 5542
6be36555 5543 l2cap_chan_unlock(chan);
1da177e4
LT		 5544 }
5545
3df91ea2 5546 mutex_unlock(&conn->chan_lock);
b1235d79 5547
1da177e4
LT		 5548 return 0;
5549}
5550
686ebf28 5551int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 5552{
5553 struct l2cap_conn *conn = hcon->l2cap_data;
5554
5a08ecce
AE		 5555 if (!conn)
5556 conn = l2cap_conn_add(hcon, 0);
5557
5558 if (!conn)
1da177e4
LT		 5559 goto drop;
5560
5561 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
5562
e702112f 5563 if (!(flags & ACL_CONT)) {
1da177e4
LT		 5564 struct l2cap_hdr *hdr;
5565 int len;
5566
5567 if (conn->rx_len) {
5568 BT_ERR("Unexpected start frame (len %d)", skb->len);
5569 kfree_skb(conn->rx_skb);
5570 conn->rx_skb = NULL;
5571 conn->rx_len = 0;
5572 l2cap_conn_unreliable(conn, ECOMM);
5573 }
5574
aae7fe22
AE		 5575 /* Start fragment always begin with Basic L2CAP header */
5576 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 5577 BT_ERR("Frame is too short (len %d)", skb->len);
5578 l2cap_conn_unreliable(conn, ECOMM);
5579 goto drop;
5580 }
5581
5582 hdr = (struct l2cap_hdr *) skb->data;
5583 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
5584
5585 if (len == skb->len) {
5586 /* Complete frame received */
5587 l2cap_recv_frame(conn, skb);
5588 return 0;
5589 }
5590
5591 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
5592
5593 if (skb->len > len) {
5594 BT_ERR("Frame is too long (len %d, expected len %d)",
5595 skb->len, len);
5596 l2cap_conn_unreliable(conn, ECOMM);
5597 goto drop;
5598 }
5599
5600 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 5601 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
5602 if (!conn->rx_skb)
1da177e4
LT		 5603 goto drop;
5604
d626f62b 5605 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5606 skb->len);
1da177e4
LT		 5607 conn->rx_len = len - skb->len;
5608 } else {
5609 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
5610
5611 if (!conn->rx_len) {
5612 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
5613 l2cap_conn_unreliable(conn, ECOMM);
5614 goto drop;
5615 }
5616
5617 if (skb->len > conn->rx_len) {
5618 BT_ERR("Fragment is too long (len %d, expected %d)",
5619 skb->len, conn->rx_len);
5620 kfree_skb(conn->rx_skb);
5621 conn->rx_skb = NULL;
5622 conn->rx_len = 0;
5623 l2cap_conn_unreliable(conn, ECOMM);
5624 goto drop;
5625 }
5626
d626f62b 5627 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5628 skb->len);
1da177e4
LT		 5629 conn->rx_len -= skb->len;
5630
5631 if (!conn->rx_len) {
5632 /* Complete frame received */
5633 l2cap_recv_frame(conn, conn->rx_skb);
5634 conn->rx_skb = NULL;
5635 }
5636 }
5637
5638drop:
5639 kfree_skb(skb);
5640 return 0;
5641}
5642
aef7d97c 5643static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 5644{
23691d75 5645 struct l2cap_chan *c;
1da177e4 5646
333055f2 5647 read_lock(&chan_list_lock);
1da177e4 5648
23691d75
GP		 5649 list_for_each_entry(c, &chan_list, global_l) {
5650 struct sock *sk = c->sk;
101545f6 5651
903d343e 5652 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 5653 batostr(&bt_sk(sk)->src),
5654 batostr(&bt_sk(sk)->dst),
89bc500e 5655 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 5656 c->scid, c->dcid, c->imtu, c->omtu,
5657 c->sec_level, c->mode);
61e1b4b7 5658 }
1da177e4 5659
333055f2 5660 read_unlock(&chan_list_lock);
1da177e4 5661
aef7d97c 5662 return 0;
1da177e4
LT		 5663}
5664
aef7d97c
MH		 5665static int l2cap_debugfs_open(struct inode *inode, struct file *file)
5666{
5667 return single_open(file, l2cap_debugfs_show, inode->i_private);
5668}
5669
5670static const struct file_operations l2cap_debugfs_fops = {
5671 .open = l2cap_debugfs_open,
5672 .read = seq_read,
5673 .llseek = seq_lseek,
5674 .release = single_release,
5675};
5676
5677static struct dentry *l2cap_debugfs;
1da177e4 5678
64274518 5679int __init l2cap_init(void)
1da177e4
LT		 5680{
5681 int err;
be9d1227 5682
bb58f747 5683 err = l2cap_init_sockets();
1da177e4
LT		 5684 if (err < 0)
5685 return err;
5686
aef7d97c
MH		 5687 if (bt_debugfs) {
5688 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
5689 bt_debugfs, NULL, &l2cap_debugfs_fops);
5690 if (!l2cap_debugfs)
5691 BT_ERR("Failed to create L2CAP debug file");
5692 }
1da177e4 5693
1da177e4 5694 return 0;
1da177e4
LT		 5695}
5696
64274518 5697void l2cap_exit(void)
1da177e4 5698{
aef7d97c 5699 debugfs_remove(l2cap_debugfs);
bb58f747 5700 l2cap_cleanup_sockets();
1da177e4
LT		 5701}
5702
d1c4a17d
GP		 5703module_param(disable_ertm, bool, 0644);
5704MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)